Home | History | Annotate | Download | only in debuggerd
      1 /* system/debuggerd/debuggerd.c
      2 **
      3 ** Copyright 2006, The Android Open Source Project
      4 **
      5 ** Licensed under the Apache License, Version 2.0 (the "License");
      6 ** you may not use this file except in compliance with the License.
      7 ** You may obtain a copy of the License at
      8 **
      9 **     http://www.apache.org/licenses/LICENSE-2.0
     10 **
     11 ** Unless required by applicable law or agreed to in writing, software
     12 ** distributed under the License is distributed on an "AS IS" BASIS,
     13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14 ** See the License for the specific language governing permissions and
     15 ** limitations under the License.
     16 */
     17 
     18 #include <stdio.h>
     19 #include <errno.h>
     20 #include <signal.h>
     21 #include <pthread.h>
     22 #include <stdarg.h>
     23 #include <fcntl.h>
     24 #include <sys/types.h>
     25 #include <dirent.h>
     26 #include <time.h>
     27 
     28 #include <sys/ptrace.h>
     29 #include <sys/wait.h>
     30 #include <sys/exec_elf.h>
     31 #include <sys/stat.h>
     32 #include <sys/poll.h>
     33 
     34 #include <cutils/sockets.h>
     35 #include <cutils/logd.h>
     36 #include <cutils/logger.h>
     37 #include <cutils/properties.h>
     38 #include <cutils/debugger.h>
     39 
     40 #include <corkscrew/backtrace.h>
     41 
     42 #include <linux/input.h>
     43 
     44 #include <private/android_filesystem_config.h>
     45 
     46 #include "backtrace.h"
     47 #include "getevent.h"
     48 #include "tombstone.h"
     49 #include "utility.h"
     50 
     51 typedef struct {
     52     debugger_action_t action;
     53     pid_t pid, tid;
     54     uid_t uid, gid;
     55     uintptr_t abort_msg_address;
     56 } debugger_request_t;
     57 
     58 static int
     59 write_string(const char* file, const char* string)
     60 {
     61     int len;
     62     int fd;
     63     ssize_t amt;
     64     fd = open(file, O_RDWR);
     65     len = strlen(string);
     66     if (fd < 0)
     67         return -errno;
     68     amt = write(fd, string, len);
     69     close(fd);
     70     return amt >= 0 ? 0 : -errno;
     71 }
     72 
     73 static
     74 void init_debug_led(void)
     75 {
     76     // trout leds
     77     write_string("/sys/class/leds/red/brightness", "0");
     78     write_string("/sys/class/leds/green/brightness", "0");
     79     write_string("/sys/class/leds/blue/brightness", "0");
     80     write_string("/sys/class/leds/red/device/blink", "0");
     81     // sardine leds
     82     write_string("/sys/class/leds/left/cadence", "0,0");
     83 }
     84 
     85 static
     86 void enable_debug_led(void)
     87 {
     88     // trout leds
     89     write_string("/sys/class/leds/red/brightness", "255");
     90     // sardine leds
     91     write_string("/sys/class/leds/left/cadence", "1,0");
     92 }
     93 
     94 static
     95 void disable_debug_led(void)
     96 {
     97     // trout leds
     98     write_string("/sys/class/leds/red/brightness", "0");
     99     // sardine leds
    100     write_string("/sys/class/leds/left/cadence", "0,0");
    101 }
    102 
    103 static void wait_for_user_action(pid_t pid) {
    104     /* First log a helpful message */
    105     LOG(    "********************************************************\n"
    106             "* Process %d has been suspended while crashing.  To\n"
    107             "* attach gdbserver for a gdb connection on port 5039\n"
    108             "* and start gdbclient:\n"
    109             "*\n"
    110             "*     gdbclient app_process :5039 %d\n"
    111             "*\n"
    112             "* Wait for gdb to start, then press HOME or VOLUME DOWN key\n"
    113             "* to let the process continue crashing.\n"
    114             "********************************************************\n",
    115             pid, pid);
    116 
    117     /* wait for HOME or VOLUME DOWN key */
    118     if (init_getevent() == 0) {
    119         int ms = 1200 / 10;
    120         int dit = 1;
    121         int dah = 3*dit;
    122         int _       = -dit;
    123         int ___     = 3*_;
    124         int _______ = 7*_;
    125         const signed char codes[] = {
    126            dit,_,dit,_,dit,___,dah,_,dah,_,dah,___,dit,_,dit,_,dit,_______
    127         };
    128         size_t s = 0;
    129         struct input_event e;
    130         bool done = false;
    131         init_debug_led();
    132         enable_debug_led();
    133         do {
    134             int timeout = abs((int)(codes[s])) * ms;
    135             int res = get_event(&e, timeout);
    136             if (res == 0) {
    137                 if (e.type == EV_KEY
    138                         && (e.code == KEY_HOME || e.code == KEY_VOLUMEDOWN)
    139                         && e.value == 0) {
    140                     done = true;
    141                 }
    142             } else if (res == 1) {
    143                 if (++s >= sizeof(codes)/sizeof(*codes))
    144                     s = 0;
    145                 if (codes[s] > 0) {
    146                     enable_debug_led();
    147                 } else {
    148                     disable_debug_led();
    149                 }
    150             }
    151         } while (!done);
    152         uninit_getevent();
    153     }
    154 
    155     /* don't forget to turn debug led off */
    156     disable_debug_led();
    157     LOG("debuggerd resuming process %d", pid);
    158 }
    159 
    160 static int get_process_info(pid_t tid, pid_t* out_pid, uid_t* out_uid, uid_t* out_gid) {
    161     char path[64];
    162     snprintf(path, sizeof(path), "/proc/%d/status", tid);
    163 
    164     FILE* fp = fopen(path, "r");
    165     if (!fp) {
    166         return -1;
    167     }
    168 
    169     int fields = 0;
    170     char line[1024];
    171     while (fgets(line, sizeof(line), fp)) {
    172         size_t len = strlen(line);
    173         if (len > 6 && !memcmp(line, "Tgid:\t", 6)) {
    174             *out_pid = atoi(line + 6);
    175             fields |= 1;
    176         } else if (len > 5 && !memcmp(line, "Uid:\t", 5)) {
    177             *out_uid = atoi(line + 5);
    178             fields |= 2;
    179         } else if (len > 5 && !memcmp(line, "Gid:\t", 5)) {
    180             *out_gid = atoi(line + 5);
    181             fields |= 4;
    182         }
    183     }
    184     fclose(fp);
    185     return fields == 7 ? 0 : -1;
    186 }
    187 
    188 static int read_request(int fd, debugger_request_t* out_request) {
    189     struct ucred cr;
    190     int len = sizeof(cr);
    191     int status = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len);
    192     if (status != 0) {
    193         LOG("cannot get credentials\n");
    194         return -1;
    195     }
    196 
    197     XLOG("reading tid\n");
    198     fcntl(fd, F_SETFL, O_NONBLOCK);
    199 
    200     struct pollfd pollfds[1];
    201     pollfds[0].fd = fd;
    202     pollfds[0].events = POLLIN;
    203     pollfds[0].revents = 0;
    204     status = TEMP_FAILURE_RETRY(poll(pollfds, 1, 3000));
    205     if (status != 1) {
    206         LOG("timed out reading tid (from pid=%d uid=%d)\n", cr.pid, cr.uid);
    207         return -1;
    208     }
    209 
    210     debugger_msg_t msg;
    211     memset(&msg, 0, sizeof(msg));
    212     status = TEMP_FAILURE_RETRY(read(fd, &msg, sizeof(msg)));
    213     if (status < 0) {
    214         LOG("read failure? %s (pid=%d uid=%d)\n",
    215             strerror(errno), cr.pid, cr.uid);
    216         return -1;
    217     }
    218     if (status == sizeof(debugger_msg_t)) {
    219         XLOG("crash request of size %d abort_msg_address=%#08x\n", status, msg.abort_msg_address);
    220     } else {
    221         LOG("invalid crash request of size %d (from pid=%d uid=%d)\n",
    222             status, cr.pid, cr.uid);
    223         return -1;
    224     }
    225 
    226     out_request->action = msg.action;
    227     out_request->tid = msg.tid;
    228     out_request->pid = cr.pid;
    229     out_request->uid = cr.uid;
    230     out_request->gid = cr.gid;
    231     out_request->abort_msg_address = msg.abort_msg_address;
    232 
    233     if (msg.action == DEBUGGER_ACTION_CRASH) {
    234         /* Ensure that the tid reported by the crashing process is valid. */
    235         char buf[64];
    236         struct stat s;
    237         snprintf(buf, sizeof buf, "/proc/%d/task/%d", out_request->pid, out_request->tid);
    238         if(stat(buf, &s)) {
    239             LOG("tid %d does not exist in pid %d. ignoring debug request\n",
    240                     out_request->tid, out_request->pid);
    241             return -1;
    242         }
    243     } else if (cr.uid == 0
    244             || (cr.uid == AID_SYSTEM && msg.action == DEBUGGER_ACTION_DUMP_BACKTRACE)) {
    245         /* Only root or system can ask us to attach to any process and dump it explicitly.
    246          * However, system is only allowed to collect backtraces but cannot dump tombstones. */
    247         status = get_process_info(out_request->tid, &out_request->pid,
    248                 &out_request->uid, &out_request->gid);
    249         if (status < 0) {
    250             LOG("tid %d does not exist. ignoring explicit dump request\n",
    251                     out_request->tid);
    252             return -1;
    253         }
    254     } else {
    255         /* No one else is allowed to dump arbitrary processes. */
    256         return -1;
    257     }
    258     return 0;
    259 }
    260 
    261 static bool should_attach_gdb(debugger_request_t* request) {
    262     if (request->action == DEBUGGER_ACTION_CRASH) {
    263         char value[PROPERTY_VALUE_MAX];
    264         property_get("debug.db.uid", value, "-1");
    265         int debug_uid = atoi(value);
    266         return debug_uid >= 0 && request->uid <= (uid_t)debug_uid;
    267     }
    268     return false;
    269 }
    270 
    271 static void handle_request(int fd) {
    272     XLOG("handle_request(%d)\n", fd);
    273 
    274     debugger_request_t request;
    275     memset(&request, 0, sizeof(request));
    276     int status = read_request(fd, &request);
    277     if (!status) {
    278         XLOG("BOOM: pid=%d uid=%d gid=%d tid=%d\n",
    279             request.pid, request.uid, request.gid, request.tid);
    280 
    281         /* At this point, the thread that made the request is blocked in
    282          * a read() call.  If the thread has crashed, then this gives us
    283          * time to PTRACE_ATTACH to it before it has a chance to really fault.
    284          *
    285          * The PTRACE_ATTACH sends a SIGSTOP to the target process, but it
    286          * won't necessarily have stopped by the time ptrace() returns.  (We
    287          * currently assume it does.)  We write to the file descriptor to
    288          * ensure that it can run as soon as we call PTRACE_CONT below.
    289          * See details in bionic/libc/linker/debugger.c, in function
    290          * debugger_signal_handler().
    291          */
    292         if (ptrace(PTRACE_ATTACH, request.tid, 0, 0)) {
    293             LOG("ptrace attach failed: %s\n", strerror(errno));
    294         } else {
    295             bool detach_failed = false;
    296             bool attach_gdb = should_attach_gdb(&request);
    297             if (TEMP_FAILURE_RETRY(write(fd, "\0", 1)) != 1) {
    298                 LOG("failed responding to client: %s\n", strerror(errno));
    299             } else {
    300                 char* tombstone_path = NULL;
    301 
    302                 if (request.action == DEBUGGER_ACTION_CRASH) {
    303                     close(fd);
    304                     fd = -1;
    305                 }
    306 
    307                 int total_sleep_time_usec = 0;
    308                 for (;;) {
    309                     int signal = wait_for_signal(request.tid, &total_sleep_time_usec);
    310                     if (signal < 0) {
    311                         break;
    312                     }
    313 
    314                     switch (signal) {
    315                     case SIGSTOP:
    316                         if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) {
    317                             XLOG("stopped -- dumping to tombstone\n");
    318                             tombstone_path = engrave_tombstone(request.pid, request.tid,
    319                                     signal, request.abort_msg_address, true, true, &detach_failed,
    320                                     &total_sleep_time_usec);
    321                         } else if (request.action == DEBUGGER_ACTION_DUMP_BACKTRACE) {
    322                             XLOG("stopped -- dumping to fd\n");
    323                             dump_backtrace(fd, -1,
    324                                     request.pid, request.tid, &detach_failed,
    325                                     &total_sleep_time_usec);
    326                         } else {
    327                             XLOG("stopped -- continuing\n");
    328                             status = ptrace(PTRACE_CONT, request.tid, 0, 0);
    329                             if (status) {
    330                                 LOG("ptrace continue failed: %s\n", strerror(errno));
    331                             }
    332                             continue; /* loop again */
    333                         }
    334                         break;
    335 
    336                     case SIGILL:
    337                     case SIGABRT:
    338                     case SIGBUS:
    339                     case SIGFPE:
    340                     case SIGSEGV:
    341                     case SIGPIPE:
    342 #ifdef SIGSTKFLT
    343                     case SIGSTKFLT:
    344 #endif
    345                         {
    346                         XLOG("stopped -- fatal signal\n");
    347                         /*
    348                          * Send a SIGSTOP to the process to make all of
    349                          * the non-signaled threads stop moving.  Without
    350                          * this we get a lot of "ptrace detach failed:
    351                          * No such process".
    352                          */
    353                         kill(request.pid, SIGSTOP);
    354                         /* don't dump sibling threads when attaching to GDB because it
    355                          * makes the process less reliable, apparently... */
    356                         tombstone_path = engrave_tombstone(request.pid, request.tid,
    357                                 signal, request.abort_msg_address, !attach_gdb, false,
    358                                 &detach_failed, &total_sleep_time_usec);
    359                         break;
    360                     }
    361 
    362                     default:
    363                         XLOG("stopped -- unexpected signal\n");
    364                         LOG("process stopped due to unexpected signal %d\n", signal);
    365                         break;
    366                     }
    367                     break;
    368                 }
    369 
    370                 if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) {
    371                     if (tombstone_path) {
    372                         write(fd, tombstone_path, strlen(tombstone_path));
    373                     }
    374                     close(fd);
    375                     fd = -1;
    376                 }
    377                 free(tombstone_path);
    378             }
    379 
    380             XLOG("detaching\n");
    381             if (attach_gdb) {
    382                 /* stop the process so we can debug */
    383                 kill(request.pid, SIGSTOP);
    384 
    385                 /* detach so we can attach gdbserver */
    386                 if (ptrace(PTRACE_DETACH, request.tid, 0, 0)) {
    387                     LOG("ptrace detach from %d failed: %s\n", request.tid, strerror(errno));
    388                     detach_failed = true;
    389                 }
    390 
    391                 /*
    392                  * if debug.db.uid is set, its value indicates if we should wait
    393                  * for user action for the crashing process.
    394                  * in this case, we log a message and turn the debug LED on
    395                  * waiting for a gdb connection (for instance)
    396                  */
    397                 wait_for_user_action(request.pid);
    398             } else {
    399                 /* just detach */
    400                 if (ptrace(PTRACE_DETACH, request.tid, 0, 0)) {
    401                     LOG("ptrace detach from %d failed: %s\n", request.tid, strerror(errno));
    402                     detach_failed = true;
    403                 }
    404             }
    405 
    406             /* resume stopped process (so it can crash in peace). */
    407             kill(request.pid, SIGCONT);
    408 
    409             /* If we didn't successfully detach, we're still the parent, and the
    410              * actual parent won't receive a death notification via wait(2).  At this point
    411              * there's not much we can do about that. */
    412             if (detach_failed) {
    413                 LOG("debuggerd committing suicide to free the zombie!\n");
    414                 kill(getpid(), SIGKILL);
    415             }
    416         }
    417 
    418     }
    419     if (fd >= 0) {
    420         close(fd);
    421     }
    422 }
    423 
    424 static int do_server() {
    425     int s;
    426     struct sigaction act;
    427     int logsocket = -1;
    428 
    429     /*
    430      * debuggerd crashes can't be reported to debuggerd.  Reset all of the
    431      * crash handlers.
    432      */
    433     signal(SIGILL, SIG_DFL);
    434     signal(SIGABRT, SIG_DFL);
    435     signal(SIGBUS, SIG_DFL);
    436     signal(SIGFPE, SIG_DFL);
    437     signal(SIGSEGV, SIG_DFL);
    438     signal(SIGPIPE, SIG_DFL);
    439 #ifdef SIGSTKFLT
    440     signal(SIGSTKFLT, SIG_DFL);
    441 #endif
    442 
    443     logsocket = socket_local_client("logd",
    444             ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_DGRAM);
    445     if(logsocket < 0) {
    446         logsocket = -1;
    447     } else {
    448         fcntl(logsocket, F_SETFD, FD_CLOEXEC);
    449     }
    450 
    451     act.sa_handler = SIG_DFL;
    452     sigemptyset(&act.sa_mask);
    453     sigaddset(&act.sa_mask,SIGCHLD);
    454     act.sa_flags = SA_NOCLDWAIT;
    455     sigaction(SIGCHLD, &act, 0);
    456 
    457     s = socket_local_server(DEBUGGER_SOCKET_NAME,
    458             ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_STREAM);
    459     if(s < 0) return 1;
    460     fcntl(s, F_SETFD, FD_CLOEXEC);
    461 
    462     LOG("debuggerd: " __DATE__ " " __TIME__ "\n");
    463 
    464     for(;;) {
    465         struct sockaddr addr;
    466         socklen_t alen;
    467         int fd;
    468 
    469         alen = sizeof(addr);
    470         XLOG("waiting for connection\n");
    471         fd = accept(s, &addr, &alen);
    472         if(fd < 0) {
    473             XLOG("accept failed: %s\n", strerror(errno));
    474             continue;
    475         }
    476 
    477         fcntl(fd, F_SETFD, FD_CLOEXEC);
    478 
    479         handle_request(fd);
    480     }
    481     return 0;
    482 }
    483 
    484 static int do_explicit_dump(pid_t tid, bool dump_backtrace) {
    485     fprintf(stdout, "Sending request to dump task %d.\n", tid);
    486 
    487     if (dump_backtrace) {
    488         fflush(stdout);
    489         if (dump_backtrace_to_file(tid, fileno(stdout)) < 0) {
    490             fputs("Error dumping backtrace.\n", stderr);
    491             return 1;
    492         }
    493     } else {
    494         char tombstone_path[PATH_MAX];
    495         if (dump_tombstone(tid, tombstone_path, sizeof(tombstone_path)) < 0) {
    496             fputs("Error dumping tombstone.\n", stderr);
    497             return 1;
    498         }
    499         fprintf(stderr, "Tombstone written to: %s\n", tombstone_path);
    500     }
    501     return 0;
    502 }
    503 
    504 static void usage() {
    505     fputs("Usage: -b [<tid>]\n"
    506             "  -b dump backtrace to console, otherwise dump full tombstone file\n"
    507             "\n"
    508             "If tid specified, sends a request to debuggerd to dump that task.\n"
    509             "Otherwise, starts the debuggerd server.\n", stderr);
    510 }
    511 
    512 int main(int argc, char** argv) {
    513     if (argc == 1) {
    514         return do_server();
    515     }
    516 
    517     bool dump_backtrace = false;
    518     bool have_tid = false;
    519     pid_t tid = 0;
    520     for (int i = 1; i < argc; i++) {
    521         if (!strcmp(argv[i], "-b")) {
    522             dump_backtrace = true;
    523         } else if (!have_tid) {
    524             tid = atoi(argv[i]);
    525             have_tid = true;
    526         } else {
    527             usage();
    528             return 1;
    529         }
    530     }
    531     if (!have_tid) {
    532         usage();
    533         return 1;
    534     }
    535     return do_explicit_dump(tid, dump_backtrace);
    536 }
    537