1 /* system/debuggerd/debuggerd.c 2 ** 3 ** Copyright 2006, The Android Open Source Project 4 ** 5 ** Licensed under the Apache License, Version 2.0 (the "License"); 6 ** you may not use this file except in compliance with the License. 7 ** You may obtain a copy of the License at 8 ** 9 ** http://www.apache.org/licenses/LICENSE-2.0 10 ** 11 ** Unless required by applicable law or agreed to in writing, software 12 ** distributed under the License is distributed on an "AS IS" BASIS, 13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 ** See the License for the specific language governing permissions and 15 ** limitations under the License. 16 */ 17 18 #include <stdio.h> 19 #include <errno.h> 20 #include <signal.h> 21 #include <pthread.h> 22 #include <stdarg.h> 23 #include <fcntl.h> 24 #include <sys/types.h> 25 #include <dirent.h> 26 #include <time.h> 27 28 #include <sys/ptrace.h> 29 #include <sys/wait.h> 30 #include <sys/exec_elf.h> 31 #include <sys/stat.h> 32 #include <sys/poll.h> 33 34 #include <log/logd.h> 35 #include <log/logger.h> 36 37 #include <cutils/sockets.h> 38 #include <cutils/properties.h> 39 #include <cutils/debugger.h> 40 41 #include <corkscrew/backtrace.h> 42 43 #include <linux/input.h> 44 45 #include <private/android_filesystem_config.h> 46 47 #include "backtrace.h" 48 #include "getevent.h" 49 #include "tombstone.h" 50 #include "utility.h" 51 52 typedef struct { 53 debugger_action_t action; 54 pid_t pid, tid; 55 uid_t uid, gid; 56 uintptr_t abort_msg_address; 57 } debugger_request_t; 58 59 static int 60 write_string(const char* file, const char* string) 61 { 62 int len; 63 int fd; 64 ssize_t amt; 65 fd = open(file, O_RDWR); 66 len = strlen(string); 67 if (fd < 0) 68 return -errno; 69 amt = write(fd, string, len); 70 close(fd); 71 return amt >= 0 ? 0 : -errno; 72 } 73 74 static 75 void init_debug_led(void) 76 { 77 // trout leds 78 write_string("/sys/class/leds/red/brightness", "0"); 79 write_string("/sys/class/leds/green/brightness", "0"); 80 write_string("/sys/class/leds/blue/brightness", "0"); 81 write_string("/sys/class/leds/red/device/blink", "0"); 82 // sardine leds 83 write_string("/sys/class/leds/left/cadence", "0,0"); 84 } 85 86 static 87 void enable_debug_led(void) 88 { 89 // trout leds 90 write_string("/sys/class/leds/red/brightness", "255"); 91 // sardine leds 92 write_string("/sys/class/leds/left/cadence", "1,0"); 93 } 94 95 static 96 void disable_debug_led(void) 97 { 98 // trout leds 99 write_string("/sys/class/leds/red/brightness", "0"); 100 // sardine leds 101 write_string("/sys/class/leds/left/cadence", "0,0"); 102 } 103 104 static void wait_for_user_action(pid_t pid) { 105 /* First log a helpful message */ 106 LOG( "********************************************************\n" 107 "* Process %d has been suspended while crashing. To\n" 108 "* attach gdbserver for a gdb connection on port 5039\n" 109 "* and start gdbclient:\n" 110 "*\n" 111 "* gdbclient app_process :5039 %d\n" 112 "*\n" 113 "* Wait for gdb to start, then press HOME or VOLUME DOWN key\n" 114 "* to let the process continue crashing.\n" 115 "********************************************************\n", 116 pid, pid); 117 118 /* wait for HOME or VOLUME DOWN key */ 119 if (init_getevent() == 0) { 120 int ms = 1200 / 10; 121 int dit = 1; 122 int dah = 3*dit; 123 int _ = -dit; 124 int ___ = 3*_; 125 int _______ = 7*_; 126 const signed char codes[] = { 127 dit,_,dit,_,dit,___,dah,_,dah,_,dah,___,dit,_,dit,_,dit,_______ 128 }; 129 size_t s = 0; 130 struct input_event e; 131 bool done = false; 132 init_debug_led(); 133 enable_debug_led(); 134 do { 135 int timeout = abs((int)(codes[s])) * ms; 136 int res = get_event(&e, timeout); 137 if (res == 0) { 138 if (e.type == EV_KEY 139 && (e.code == KEY_HOME || e.code == KEY_VOLUMEDOWN) 140 && e.value == 0) { 141 done = true; 142 } 143 } else if (res == 1) { 144 if (++s >= sizeof(codes)/sizeof(*codes)) 145 s = 0; 146 if (codes[s] > 0) { 147 enable_debug_led(); 148 } else { 149 disable_debug_led(); 150 } 151 } 152 } while (!done); 153 uninit_getevent(); 154 } 155 156 /* don't forget to turn debug led off */ 157 disable_debug_led(); 158 LOG("debuggerd resuming process %d", pid); 159 } 160 161 static int get_process_info(pid_t tid, pid_t* out_pid, uid_t* out_uid, uid_t* out_gid) { 162 char path[64]; 163 snprintf(path, sizeof(path), "/proc/%d/status", tid); 164 165 FILE* fp = fopen(path, "r"); 166 if (!fp) { 167 return -1; 168 } 169 170 int fields = 0; 171 char line[1024]; 172 while (fgets(line, sizeof(line), fp)) { 173 size_t len = strlen(line); 174 if (len > 6 && !memcmp(line, "Tgid:\t", 6)) { 175 *out_pid = atoi(line + 6); 176 fields |= 1; 177 } else if (len > 5 && !memcmp(line, "Uid:\t", 5)) { 178 *out_uid = atoi(line + 5); 179 fields |= 2; 180 } else if (len > 5 && !memcmp(line, "Gid:\t", 5)) { 181 *out_gid = atoi(line + 5); 182 fields |= 4; 183 } 184 } 185 fclose(fp); 186 return fields == 7 ? 0 : -1; 187 } 188 189 static int read_request(int fd, debugger_request_t* out_request) { 190 struct ucred cr; 191 int len = sizeof(cr); 192 int status = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len); 193 if (status != 0) { 194 LOG("cannot get credentials\n"); 195 return -1; 196 } 197 198 XLOG("reading tid\n"); 199 fcntl(fd, F_SETFL, O_NONBLOCK); 200 201 struct pollfd pollfds[1]; 202 pollfds[0].fd = fd; 203 pollfds[0].events = POLLIN; 204 pollfds[0].revents = 0; 205 status = TEMP_FAILURE_RETRY(poll(pollfds, 1, 3000)); 206 if (status != 1) { 207 LOG("timed out reading tid (from pid=%d uid=%d)\n", cr.pid, cr.uid); 208 return -1; 209 } 210 211 debugger_msg_t msg; 212 memset(&msg, 0, sizeof(msg)); 213 status = TEMP_FAILURE_RETRY(read(fd, &msg, sizeof(msg))); 214 if (status < 0) { 215 LOG("read failure? %s (pid=%d uid=%d)\n", 216 strerror(errno), cr.pid, cr.uid); 217 return -1; 218 } 219 if (status == sizeof(debugger_msg_t)) { 220 XLOG("crash request of size %d abort_msg_address=%#08x\n", status, msg.abort_msg_address); 221 } else { 222 LOG("invalid crash request of size %d (from pid=%d uid=%d)\n", 223 status, cr.pid, cr.uid); 224 return -1; 225 } 226 227 out_request->action = msg.action; 228 out_request->tid = msg.tid; 229 out_request->pid = cr.pid; 230 out_request->uid = cr.uid; 231 out_request->gid = cr.gid; 232 out_request->abort_msg_address = msg.abort_msg_address; 233 234 if (msg.action == DEBUGGER_ACTION_CRASH) { 235 /* Ensure that the tid reported by the crashing process is valid. */ 236 char buf[64]; 237 struct stat s; 238 snprintf(buf, sizeof buf, "/proc/%d/task/%d", out_request->pid, out_request->tid); 239 if(stat(buf, &s)) { 240 LOG("tid %d does not exist in pid %d. ignoring debug request\n", 241 out_request->tid, out_request->pid); 242 return -1; 243 } 244 } else if (cr.uid == 0 245 || (cr.uid == AID_SYSTEM && msg.action == DEBUGGER_ACTION_DUMP_BACKTRACE)) { 246 /* Only root or system can ask us to attach to any process and dump it explicitly. 247 * However, system is only allowed to collect backtraces but cannot dump tombstones. */ 248 status = get_process_info(out_request->tid, &out_request->pid, 249 &out_request->uid, &out_request->gid); 250 if (status < 0) { 251 LOG("tid %d does not exist. ignoring explicit dump request\n", 252 out_request->tid); 253 return -1; 254 } 255 } else { 256 /* No one else is allowed to dump arbitrary processes. */ 257 return -1; 258 } 259 return 0; 260 } 261 262 static bool should_attach_gdb(debugger_request_t* request) { 263 if (request->action == DEBUGGER_ACTION_CRASH) { 264 char value[PROPERTY_VALUE_MAX]; 265 property_get("debug.db.uid", value, "-1"); 266 int debug_uid = atoi(value); 267 return debug_uid >= 0 && request->uid <= (uid_t)debug_uid; 268 } 269 return false; 270 } 271 272 static void handle_request(int fd) { 273 XLOG("handle_request(%d)\n", fd); 274 275 debugger_request_t request; 276 memset(&request, 0, sizeof(request)); 277 int status = read_request(fd, &request); 278 if (!status) { 279 XLOG("BOOM: pid=%d uid=%d gid=%d tid=%d\n", 280 request.pid, request.uid, request.gid, request.tid); 281 282 /* At this point, the thread that made the request is blocked in 283 * a read() call. If the thread has crashed, then this gives us 284 * time to PTRACE_ATTACH to it before it has a chance to really fault. 285 * 286 * The PTRACE_ATTACH sends a SIGSTOP to the target process, but it 287 * won't necessarily have stopped by the time ptrace() returns. (We 288 * currently assume it does.) We write to the file descriptor to 289 * ensure that it can run as soon as we call PTRACE_CONT below. 290 * See details in bionic/libc/linker/debugger.c, in function 291 * debugger_signal_handler(). 292 */ 293 if (ptrace(PTRACE_ATTACH, request.tid, 0, 0)) { 294 LOG("ptrace attach failed: %s\n", strerror(errno)); 295 } else { 296 bool detach_failed = false; 297 bool attach_gdb = should_attach_gdb(&request); 298 if (TEMP_FAILURE_RETRY(write(fd, "\0", 1)) != 1) { 299 LOG("failed responding to client: %s\n", strerror(errno)); 300 } else { 301 char* tombstone_path = NULL; 302 303 if (request.action == DEBUGGER_ACTION_CRASH) { 304 close(fd); 305 fd = -1; 306 } 307 308 int total_sleep_time_usec = 0; 309 for (;;) { 310 int signal = wait_for_signal(request.tid, &total_sleep_time_usec); 311 if (signal < 0) { 312 break; 313 } 314 315 switch (signal) { 316 case SIGSTOP: 317 if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) { 318 XLOG("stopped -- dumping to tombstone\n"); 319 tombstone_path = engrave_tombstone(request.pid, request.tid, 320 signal, request.abort_msg_address, true, true, &detach_failed, 321 &total_sleep_time_usec); 322 } else if (request.action == DEBUGGER_ACTION_DUMP_BACKTRACE) { 323 XLOG("stopped -- dumping to fd\n"); 324 dump_backtrace(fd, -1, 325 request.pid, request.tid, &detach_failed, 326 &total_sleep_time_usec); 327 } else { 328 XLOG("stopped -- continuing\n"); 329 status = ptrace(PTRACE_CONT, request.tid, 0, 0); 330 if (status) { 331 LOG("ptrace continue failed: %s\n", strerror(errno)); 332 } 333 continue; /* loop again */ 334 } 335 break; 336 337 case SIGILL: 338 case SIGABRT: 339 case SIGBUS: 340 case SIGFPE: 341 case SIGSEGV: 342 case SIGPIPE: 343 #ifdef SIGSTKFLT 344 case SIGSTKFLT: 345 #endif 346 { 347 XLOG("stopped -- fatal signal\n"); 348 /* 349 * Send a SIGSTOP to the process to make all of 350 * the non-signaled threads stop moving. Without 351 * this we get a lot of "ptrace detach failed: 352 * No such process". 353 */ 354 kill(request.pid, SIGSTOP); 355 /* don't dump sibling threads when attaching to GDB because it 356 * makes the process less reliable, apparently... */ 357 tombstone_path = engrave_tombstone(request.pid, request.tid, 358 signal, request.abort_msg_address, !attach_gdb, false, 359 &detach_failed, &total_sleep_time_usec); 360 break; 361 } 362 363 default: 364 XLOG("stopped -- unexpected signal\n"); 365 LOG("process stopped due to unexpected signal %d\n", signal); 366 break; 367 } 368 break; 369 } 370 371 if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) { 372 if (tombstone_path) { 373 write(fd, tombstone_path, strlen(tombstone_path)); 374 } 375 close(fd); 376 fd = -1; 377 } 378 free(tombstone_path); 379 } 380 381 XLOG("detaching\n"); 382 if (attach_gdb) { 383 /* stop the process so we can debug */ 384 kill(request.pid, SIGSTOP); 385 386 /* detach so we can attach gdbserver */ 387 if (ptrace(PTRACE_DETACH, request.tid, 0, 0)) { 388 LOG("ptrace detach from %d failed: %s\n", request.tid, strerror(errno)); 389 detach_failed = true; 390 } 391 392 /* 393 * if debug.db.uid is set, its value indicates if we should wait 394 * for user action for the crashing process. 395 * in this case, we log a message and turn the debug LED on 396 * waiting for a gdb connection (for instance) 397 */ 398 wait_for_user_action(request.pid); 399 } else { 400 /* just detach */ 401 if (ptrace(PTRACE_DETACH, request.tid, 0, 0)) { 402 LOG("ptrace detach from %d failed: %s\n", request.tid, strerror(errno)); 403 detach_failed = true; 404 } 405 } 406 407 /* resume stopped process (so it can crash in peace). */ 408 kill(request.pid, SIGCONT); 409 410 /* If we didn't successfully detach, we're still the parent, and the 411 * actual parent won't receive a death notification via wait(2). At this point 412 * there's not much we can do about that. */ 413 if (detach_failed) { 414 LOG("debuggerd committing suicide to free the zombie!\n"); 415 kill(getpid(), SIGKILL); 416 } 417 } 418 419 } 420 if (fd >= 0) { 421 close(fd); 422 } 423 } 424 425 static int do_server() { 426 int s; 427 struct sigaction act; 428 int logsocket = -1; 429 430 /* 431 * debuggerd crashes can't be reported to debuggerd. Reset all of the 432 * crash handlers. 433 */ 434 signal(SIGILL, SIG_DFL); 435 signal(SIGABRT, SIG_DFL); 436 signal(SIGBUS, SIG_DFL); 437 signal(SIGFPE, SIG_DFL); 438 signal(SIGSEGV, SIG_DFL); 439 #ifdef SIGSTKFLT 440 signal(SIGSTKFLT, SIG_DFL); 441 #endif 442 443 // Ignore failed writes to closed sockets 444 signal(SIGPIPE, SIG_IGN); 445 446 logsocket = socket_local_client("logd", 447 ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_DGRAM); 448 if(logsocket < 0) { 449 logsocket = -1; 450 } else { 451 fcntl(logsocket, F_SETFD, FD_CLOEXEC); 452 } 453 454 act.sa_handler = SIG_DFL; 455 sigemptyset(&act.sa_mask); 456 sigaddset(&act.sa_mask,SIGCHLD); 457 act.sa_flags = SA_NOCLDWAIT; 458 sigaction(SIGCHLD, &act, 0); 459 460 s = socket_local_server(DEBUGGER_SOCKET_NAME, 461 ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_STREAM); 462 if(s < 0) return 1; 463 fcntl(s, F_SETFD, FD_CLOEXEC); 464 465 LOG("debuggerd: " __DATE__ " " __TIME__ "\n"); 466 467 for(;;) { 468 struct sockaddr addr; 469 socklen_t alen; 470 int fd; 471 472 alen = sizeof(addr); 473 XLOG("waiting for connection\n"); 474 fd = accept(s, &addr, &alen); 475 if(fd < 0) { 476 XLOG("accept failed: %s\n", strerror(errno)); 477 continue; 478 } 479 480 fcntl(fd, F_SETFD, FD_CLOEXEC); 481 482 handle_request(fd); 483 } 484 return 0; 485 } 486 487 static int do_explicit_dump(pid_t tid, bool dump_backtrace) { 488 fprintf(stdout, "Sending request to dump task %d.\n", tid); 489 490 if (dump_backtrace) { 491 fflush(stdout); 492 if (dump_backtrace_to_file(tid, fileno(stdout)) < 0) { 493 fputs("Error dumping backtrace.\n", stderr); 494 return 1; 495 } 496 } else { 497 char tombstone_path[PATH_MAX]; 498 if (dump_tombstone(tid, tombstone_path, sizeof(tombstone_path)) < 0) { 499 fputs("Error dumping tombstone.\n", stderr); 500 return 1; 501 } 502 fprintf(stderr, "Tombstone written to: %s\n", tombstone_path); 503 } 504 return 0; 505 } 506 507 static void usage() { 508 fputs("Usage: -b [<tid>]\n" 509 " -b dump backtrace to console, otherwise dump full tombstone file\n" 510 "\n" 511 "If tid specified, sends a request to debuggerd to dump that task.\n" 512 "Otherwise, starts the debuggerd server.\n", stderr); 513 } 514 515 int main(int argc, char** argv) { 516 if (argc == 1) { 517 return do_server(); 518 } 519 520 bool dump_backtrace = false; 521 bool have_tid = false; 522 pid_t tid = 0; 523 for (int i = 1; i < argc; i++) { 524 if (!strcmp(argv[i], "-b")) { 525 dump_backtrace = true; 526 } else if (!have_tid) { 527 tid = atoi(argv[i]); 528 have_tid = true; 529 } else { 530 usage(); 531 return 1; 532 } 533 } 534 if (!have_tid) { 535 usage(); 536 return 1; 537 } 538 return do_explicit_dump(tid, dump_backtrace); 539 } 540
