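/*
 * Copyright 2006 The Android Open Source Project
 */

/*
 * libthread_db shim for Android gdbserver.
 *
 * Threads are enumerated straight from /proc/<pid>/task instead of being read
 * out of the debuggee's pthread structures, and the only thread event that is
 * reported is TD_CREATE: a thread counts as "just created" when its pc is
 * parked on the libc hook whose address gdbserver resolves for us (see
 * gSymbols and ps_pglobal_lookup below).
 */

#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <limits.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <thread_db.h>
#include <unistd.h>

/*
 * Debug tracing to stderr.  <string.h> is included unconditionally above:
 * strstr()/strcmp()/strlen() are used in non-debug code too, so it must not
 * be hidden behind DEBUG (that would make them implicit declarations).
 */
#define DEBUG 0
#if DEBUG
# define D(...) \
    do { \
        fprintf(stderr, "libthread_db:%s: ", __func__); \
        fprintf(stderr, __VA_ARGS__); \
    } while (0)
#else
# define D(...) do {} while (0)
#endif

/*
 * Provided by gdbserver: looks NAME up in the symbol cache it filled from the
 * host at start time using the names returned by td_symbol_list().  Returns 0
 * on success and a non-zero code otherwise.  That code is NOT a td_err_e and
 * must not be passed through to callers of this library.
 */
extern int ps_pglobal_lookup (void *, const char *obj, const char *name, void **sym_addr);

struct ps_prochandle
{
    pid_t pid;
};


/*
 * This is the list of "special" symbols we care about whose addresses are
 * cached by gdbserver from the host at init time.
 */
enum {
    SYM_TD_CREATE,
    SYM_THREAD_LIST,
    NUM_SYMS
};

/* NULL-terminated, indexed by the enum above; unused slots stay NULL. */
static char const * gSymbols[NUM_SYMS + 1] = {
    [SYM_TD_CREATE] = "_thread_created_hook",
};

/*
 * Value _event_getmsg_helper() returns to stop td_ta_thr_iter() early once a
 * thread parked on the TD_CREATE hook has been found.  Any non-zero callback
 * result stops the iteration; this one is chosen not to collide with the
 * td_err_e values so td_ta_event_getmsg() can tell "hit" from "error".
 */
enum { GETMSG_HIT = 0x42 };


/* Names gdbserver must resolve on the host before we can report events. */
char const **
td_symbol_list(void)
{
    return gSymbols;
}


/*
 * Interpret a /proc/<pid>/task directory entry name as a thread id.
 *
 * Returns the tid, or 0 when the name is not a plain positive decimal number
 * ("." and ".." included) so that callers can skip the entry.
 */
static int
_parse_tid(const char *name)
{
    char *end;
    unsigned long value;

    if (name[0] < '0' || name[0] > '9') {
        return 0;
    }
    errno = 0;
    value = strtoul(name, &end, 10);
    if (errno != 0 || *end != '\0' || value == 0 || value > INT_MAX) {
        return 0;
    }
    return (int)value;
}


/*
 * Extract the permitted capability set of task TID in process PID by parsing
 * the "CapPrm:" line of /proc/<pid>/task/<tid>/status.
 *
 * Returns 0 and stores the mask in *cap on success.  Returns -1 on failure
 * with errno set by the failing call, or to EINVAL when the file has no
 * parseable CapPrm line (errno survives the close() on the way out).
 */
static int
_get_task_permitted_caps(int pid, int tid, uint64_t *cap)
{
    char path[64];
    /* Large enough for a whole status file: newer kernels emit many fields
     * before the Cap* lines, so a 1 KiB buffer can be cut off before CapPrm. */
    char buff[4096];
    size_t total = 0;
    int fd;
    int result = -1;
    int saved_errno;
    char *perm;
    char *end;

    /* Open task status file */
    snprintf(path, sizeof path, "/proc/%d/task/%d/status", pid, tid);
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        D("Could not open %s: %s\n", path, strerror(errno));
        return -1;
    }

    /* Read until EOF or the buffer is full (leaving room for the terminator),
     * retrying on EINTR.  A single read() need not return the whole file. */
    while (total < sizeof buff - 1) {
        ssize_t n = read(fd, buff + total, sizeof buff - 1 - total);
        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            D("Could not read %s: %s\n", path, strerror(errno));
            goto EXIT;
        }
        if (n == 0) {
            break;
        }
        total += (size_t)n;
    }
    buff[total] = '\0';

    /* Look for "CapPrm:" in it */
    perm = strstr(buff, "CapPrm:");
    if (perm == NULL) {
        D("Could not find CapPrm in %s!\n---- cut here ----\n%.*s\n----- cut here -----\n",
          path, (int)total, buff);
        errno = EINVAL;
        goto EXIT;
    }

    /* The mask is written in hex after "CapPrm:".  strtoull() skips the
     * whitespace separator itself, so start right after the colon rather than
     * assuming exactly one tab. */
    perm += strlen("CapPrm:");
    errno = 0;
    *cap = (uint64_t) strtoull(perm, &end, 16);
    if (errno == 0 && end != perm) {
        D("Found CapPrm of %" PRIx64 " in %s\n", *cap, path);
        result = 0;
    } else {
        /* No digits at all would otherwise "succeed" with *cap == 0. */
        D("Cannot read CapPrm from %s: '%.*s'\n", path, 24, perm);
        if (end == perm) {
            errno = EINVAL;
        }
    }

EXIT:
    saved_errno = errno;
    close(fd);
    errno = saved_errno;
    return result;
}


/*
 * Create a thread agent for the process behind PROC_HANDLE.
 *
 * Platforms before Android 2.3 contain a system bug that prevents gdbserver
 * from attaching to all threads in a target process when it runs as the same
 * user ID as the target (it works fine as root).  Due to the way gdbserver
 * is coded, this makes gdbserver exit() immediately (see linux_attach_lwp in
 * linux-low.c).  Even if the source were modified not to exit(), signals
 * would not be properly rerouted to gdbserver, so breakpoints would not work.
 *
 * To detect that condition, the permitted capability set of every thread of
 * the target is compared with our own.  If any differs, TD_NOLIBTHREAD is
 * returned to indicate that there are no threads to attach to (gdbserver
 * still attaches to the main thread).  A probe that cannot complete because
 * a status file is unreadable is also reported as TD_NOLIBTHREAD; a missing
 * /proc/<pid>/task directory, however, is ignored and the agent is created.
 *
 * Returns TD_OK with *agent_out set, TD_NOLIBTHREAD as described above, or
 * TD_MALLOC if the agent cannot be allocated.  The agent is heap-allocated
 * and owned by the caller.
 */
td_err_e
td_ta_new(struct ps_prochandle const * proc_handle, td_thragent_t ** agent_out)
{
    td_thragent_t *agent;

    /* Root can always attach, so the probe is only needed when unprivileged. */
    if (geteuid() == 0) {
        D("Running as root, nothing to do.\n");
    } else {
        char path[64];
        DIR *dir;
        struct dirent *entry;
        pid_t my_pid = getpid();
        pid_t target_pid = proc_handle->pid;
        uint64_t my_caps, tid_caps;

        D("Probing system for platform bug.\n");

        /* First, our own permitted capabilities (read from our main thread). */
        if (_get_task_permitted_caps(my_pid, my_pid, &my_caps) < 0) {
            /* something is really fishy here */
            D("Could not get gdbserver permitted caps!\n");
            return TD_NOLIBTHREAD;
        }

        snprintf(path, sizeof path, "/proc/%d/task", target_pid);
        dir = opendir(path);
        if (dir == NULL) {
            D("Could not open %s: %s\n", path, strerror(errno));
        } else {
            while ((entry = readdir(dir)) != NULL) {
                int tid = _parse_tid(entry->d_name);

                if (tid <= 0) {
                    /* ".", ".." or an unexpected non-numeric entry */
                    continue;
                }

                if (_get_task_permitted_caps(target_pid, tid, &tid_caps) < 0) {
                    /* again, something is fishy */
                    D("Could not get permitted caps for thread %d\n", tid);
                    closedir(dir);
                    return TD_NOLIBTHREAD;
                }

                /* A differing permitted set means the attach to this thread
                 * will fail (see the function comment).  Equality is a
                 * conservative stand-in for the kernel's own check. */
                if (tid_caps != my_caps) {
                    D("Permitted caps differ for tid %d: %" PRIx64 " vs ours %" PRIx64 "\n",
                      tid, tid_caps, my_caps);
                    fprintf(stderr, "Thread debugging is unsupported on this Android platform!\n");
                    closedir(dir);
                    return TD_NOLIBTHREAD;
                }
            }
            closedir(dir);
            D("Victory: We can debug threads!\n");
        }
    }

    /* We now return to our regularly scheduled program */
    agent = malloc(sizeof *agent);
    if (agent == NULL) {
        return TD_MALLOC;
    }

    agent->pid = proc_handle->pid;
    *agent_out = agent;

    return TD_OK;
}


/*
 * Event selection is not tracked: TD_CREATE is the only event this library
 * can report and td_ta_event_getmsg() always checks for it.
 */
td_err_e
td_ta_set_event(td_thragent_t const * agent, td_thr_events_t * events)
{
    (void)agent;
    (void)events;
    return TD_OK;
}


/*
 * Handle of the thread most recently reported by td_ta_event_getmsg().
 * Static because a pointer to it is handed back to gdbserver (event->th_p);
 * every new hit overwrites it, so it only ever describes the latest event.
 */
static td_thrhandle_t gEventMsgHandle;

/*
 * PTRACE_PEEKUSR addresses of the two registers _event_getmsg_helper() needs:
 * the program counter, and the register carrying the first argument of the
 * thread-creation hook (the new thread's id).  HOOK_PC_ADJUST is added to the
 * hook address before comparing it with the pc.
 *
 * NOTE(review): these are the values the original code used.  PEEKUSR
 * addressing is arch/kernel specific (some arches take a register index
 * rather than a byte offset), so verify them against the target kernel's
 * asm/ptrace.h when porting.
 */
#if defined(__arm__)
# define HOOK_PC_OFFSET   (15 * 4)   /* uregs[15] = r15 / pc */
# define HOOK_ARG_OFFSET  (0 * 4)    /* uregs[0]  = r0 */
# define HOOK_PC_ADJUST   0
#elif defined(__i386__)
# define HOOK_PC_OFFSET   (12 * 4)   /* user_regs_struct.eip (user_32.h) */
# define HOOK_ARG_OFFSET  (1 * 4)    /* user_regs_struct.ecx: fastcall arg 0 */
/* FIXME: the pc we read is not rewound past the breakpoint instruction, so it
 * sits one byte after the hook address.  This works for the hook function in
 * libc.so but should be fixed properly. */
# define HOOK_PC_ADJUST   1
#elif defined(__mips__)
# define HOOK_PC_OFFSET   (64 * 4)   /* pc */
# define HOOK_ARG_OFFSET  (4 * 4)    /* a0 */
# define HOOK_PC_ADJUST   0
#endif

#if defined(HOOK_PC_OFFSET)
/*
 * Read one word at OFFSET in the user area of thread TID.
 *
 * ptrace() returns -1 both for failure and for a register that happens to
 * hold -1, so errno is used to tell them apart; *ok is cleared on failure.
 */
static long
_peek_user(pid_t tid, uintptr_t offset, int *ok)
{
    long value;

    errno = 0;
    value = ptrace(PTRACE_PEEKUSR, tid, (void *)offset, NULL);
    *ok = !(value == -1 && errno != 0);
    return value;
}
#endif

/*
 * td_ta_thr_iter() callback: if the thread's pc is parked on the creation
 * hook at BKPT_ADDR, record the new thread's id in gEventMsgHandle and return
 * GETMSG_HIT to stop the iteration.  Returns 0 (keep iterating) otherwise,
 * including when the registers cannot be read or the arch is unsupported.
 */
static int
_event_getmsg_helper(td_thrhandle_t const * handle, void * bkpt_addr)
{
#if defined(HOOK_PC_OFFSET)
    int ok;
    long pc;
    long new_tid;

    pc = _peek_user(handle->tid, HOOK_PC_OFFSET, &ok);
    if (!ok || (uintptr_t)pc != (uintptr_t)bkpt_addr + HOOK_PC_ADJUST) {
        return 0;
    }

    /* The hook takes the id of the new thread as its first parameter.  The
     * value comes from the debuggee's own registers, so it is only as
     * trustworthy as the debuggee; do not report anything if it cannot be
     * read rather than handing back a garbage id. */
    new_tid = _peek_user(handle->tid, HOOK_ARG_OFFSET, &ok);
    if (!ok) {
        return 0;
    }
    gEventMsgHandle.pid = (pid_t)new_tid;
    gEventMsgHandle.tid = gEventMsgHandle.pid;
    return GETMSG_HIT;
#else
    (void)handle;
    (void)bkpt_addr;
    return 0;
#endif
}

/*
 * Report a pending TD_CREATE event, if any thread of AGENT is currently
 * parked on the creation hook.
 *
 * Returns TD_OK with *event filled in (event->th_p points at the shared
 * static handle, see gEventMsgHandle), TD_NOMSG when no thread is on the
 * hook, or TD_ERR when gdbserver cannot resolve the hook symbol.
 */
td_err_e
td_ta_event_getmsg(td_thragent_t const * agent, td_event_msg_t * event)
{
    td_err_e err;
    void *bkpt_addr;

    /* ps_pglobal_lookup's failure codes are not td_err_e values; map them. */
    if (ps_pglobal_lookup(NULL, NULL, gSymbols[SYM_TD_CREATE], &bkpt_addr) != 0) {
        return TD_ERR;
    }

    err = td_ta_thr_iter(agent, _event_getmsg_helper, bkpt_addr, 0, 0, NULL, 0);
    if (err != GETMSG_HIT) {
        return TD_NOMSG;
    }

    event->event = TD_CREATE;
    event->th_p = &gEventMsgHandle;   /* Nasty hack, but it's the only way! */

    return TD_OK;
}


/*
 * Fill in INFO for HANDLE.  Only ti_tid, ti_lid and ti_state carry real data;
 * the rest of the structure is zeroed so callers never read stale stack.
 */
td_err_e
td_thr_get_info(td_thrhandle_t const * handle, td_thrinfo_t * info)
{
    memset(info, 0, sizeof *info);
    info->ti_tid = handle->tid;
    info->ti_lid = handle->tid;     /* our pthreads use kernel ids as thread ids */
    /* XXX this needs to be read from /proc/<pid>/task/<tid>.  It is only used
     * to see whether the thread is a zombie, and we always say it is not. */
    info->ti_state = TD_THR_SLEEP;
    return TD_OK;
}


/* Per-thread event enabling is a no-op: events are always on (see
 * td_ta_set_event). */
td_err_e
td_thr_event_enable(td_thrhandle_t const * handle, td_event_e event)
{
    (void)handle;
    (void)event;
    return TD_OK;
}


/*
 * Return the breakpoint address gdbserver must plant for EVENT.
 *
 * Only TD_CREATE is supported; its address is the libc hook symbol, looked up
 * through gdbserver's symbol cache (ps_pglobal_lookup, filled at start time
 * from the names td_symbol_list() returned).  Returns TD_OK with
 * notify_out->u.bptaddr set, or TD_NOEVENT for other events or when the
 * symbol is unknown.  NOTE(review): notify_out->type is left untouched, as
 * in the original code.
 */
td_err_e
td_ta_event_addr(td_thragent_t const * agent, td_event_e event, td_notify_t * notify_out)
{
    (void)agent;

    switch (event) {
    case TD_CREATE:
        if (ps_pglobal_lookup(NULL, NULL, gSymbols[SYM_TD_CREATE], &notify_out->u.bptaddr) != 0) {
            return TD_NOEVENT;
        }
        return TD_OK;
    default:
        return TD_NOEVENT;
    }
}


/*
 * Call FUNC(handle, cookie) for every thread of AGENT, enumerated from
 * /proc/<pid>/task/.  Iteration stops at the first non-zero callback result,
 * which is returned as-is (callers such as td_ta_event_getmsg rely on that).
 *
 * STATE, PRIO, SIGMASK and USER_FLAGS are accepted for interface
 * compatibility but no filtering is implemented.  Returns TD_NOEVENT if the
 * task directory cannot be opened (historical behaviour), otherwise TD_OK or
 * the callback's result.
 */
td_err_e
td_ta_thr_iter(td_thragent_t const * agent, td_thr_iter_f * func, void * cookie,
               td_thr_state_e state, int32_t prio, sigset_t * sigmask, uint32_t user_flags)
{
    td_err_e err = TD_OK;
    char path[32];
    DIR *dir;
    struct dirent *entry;
    td_thrhandle_t handle;

    (void)state;
    (void)prio;
    (void)sigmask;
    (void)user_flags;

    snprintf(path, sizeof path, "/proc/%d/task/", agent->pid);
    dir = opendir(path);
    if (dir == NULL) {
        return TD_NOEVENT;
    }

    handle.pid = agent->pid;
    while ((entry = readdir(dir)) != NULL) {
        int tid = _parse_tid(entry->d_name);

        /* Skip ".", ".." and anything that is not a thread id. */
        if (tid <= 0) {
            continue;
        }
        handle.tid = tid;
        err = func(&handle, cookie);
        if (err) {
            break;
        }
    }

    closedir(dir);

    return err;
}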