diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-22 03:37:45 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-22 03:37:45 +0000 |
| commit | 9a5d2a52a52bc167014d1e375208870278f451e0 (patch) | |
| tree | f5b64315fc48c8b6e27089445d95c6f0ee189c50 /chrome/renderer | |
| parent | 597725dc3391c9728461a2f93e1420bc8d386923 (diff) | |
| download | chromium_src-9a5d2a52a52bc167014d1e375208870278f451e0.zip chromium_src-9a5d2a52a52bc167014d1e375208870278f451e0.tar.gz chromium_src-9a5d2a52a52bc167014d1e375208870278f451e0.tar.bz2 | |
Linux: add Breakpad support
This commits a rewrite of the Breakpad Linux client.
The old code:
* Had a number of plain bugs in it, but those could just have been
fixed.
* Allocated memory from the heap, which is a no go.
* Made libc calls which can enter the dynamic linker - another source
of crashes.
* Didn't understand some of the tricks needed, like clone() via libc
will write to random areas of memory because it assumes that it's
only called from libpthread
Additionally, we had one more requirement which meant changing the
interface:
* We need to be able to crash dump the renderers from the browser
process.
And that last one really needed a rewrite.
We intend to try and upstream this new code into Breakpad.
The new Breakpad design works like this:
When a renderer crashes, a signal handler runs on an alternative stack
and collects information about the registers of the thread before the
crash. Then we enter Chromium specific code an send a datagram message
to a magic file descriptor (4) containing:
* the registers and tid of the crashing thread
* the active URL
* a file descriptor to a socket
* a CREDENTIALS structure giving the PID of the renderer.
On the other end of the socket is an object on the IO thread
(render_crash_handler_host_linux.cc) which reads and parses the
datagram. The CREDENTIALS structure is validated by the kernel, so the
renderer can't lie about it's PID and try and get the browser to crash
dump the wrong process.
The browser then ptraces the renderer and extracts all the needed
information to write a minidump to a temp file. Then we write a byte
to the file descriptor which the renderer gave the browser in the
datagram and that's the signal to the renderer to finish dying. It
dies by sending itself the same signal which trigger the crash dump in
the first place, so it will appear to crash as normal as far as kernel
core dumps and waitpid are concerned.
The browser then constucts a MIME message in a temp file for upload to
the crash service. We then fork out to /usr/bin/wget to actually do
the upload (since Debian numbers suggest that 99.8% of users have wget
installed.) A second forked child unlinks the temp files once wget has
completed.
For a browser crash, everything works pretty much the same except that
the datagram step is omitted and we clone() off a process to ptrace
ourselves and write the minidump.
This code is only enabled in Chrome branded builds. Stub source files
are substituted in the case of a Chromium build.
http://codereview.chromium.org/115526
BUG=9646,10772
TEST=Build a Chrome branded binary. Send SEGV to a renderer and verify that wget output appears on stderr. Send a SEGV to the main binary and verify the same.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@16719 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/renderer')
| -rw-r--r-- | chrome/renderer/render_crash_handler_linux.cc | 85 | ||||
| -rw-r--r-- | chrome/renderer/render_crash_handler_linux.h | 16 | ||||
| -rw-r--r-- | chrome/renderer/render_crash_handler_linux_stub.cc | 9 | ||||
| -rw-r--r-- | chrome/renderer/renderer_logging_linux.cc | 8 | ||||
| -rw-r--r-- | chrome/renderer/renderer_main.cc | 7 |
5 files changed, 124 insertions, 1 deletions
diff --git a/chrome/renderer/render_crash_handler_linux.cc b/chrome/renderer/render_crash_handler_linux.cc new file mode 100644 index 0000000..0594f17 --- /dev/null +++ b/chrome/renderer/render_crash_handler_linux.cc @@ -0,0 +1,85 @@ +// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include <string> + +#include <unistd.h> +#include <sys/socket.h> +#include <sys/uio.h> + +#include "base/eintr_wrapper.h" +#include "breakpad/linux/exception_handler.h" +#include "breakpad/linux/linux_libc_support.h" +#include "breakpad/linux/linux_syscall_support.h" + +// This is defined in chrome/renderer/renderer_logging_linux.cc, it's the +// static string containing the current active URL. We send this in the crash +// report. +namespace renderer_logging { +extern std::string active_url; +} + +static bool +CrashHandler(const void* crash_context, size_t crash_context_size, + void* context) { + const int fd = (int) context; + int fds[2]; + pipe(fds); + + // The length of the control message: + static const unsigned kControlMsgSize = + CMSG_SPACE(sizeof(int)) + CMSG_SPACE(sizeof(struct ucred)); + + union { + struct kernel_msghdr msg; + struct msghdr sys_msg; + }; + my_memset(&msg, 0, sizeof(struct kernel_msghdr)); + struct kernel_iovec iov[2]; + iov[0].iov_base = const_cast<void*>(crash_context); + iov[0].iov_len = crash_context_size; + iov[1].iov_base = const_cast<char*>(renderer_logging::active_url.data()); + iov[1].iov_len = renderer_logging::active_url.size(); + + msg.msg_iov = iov; + msg.msg_iovlen = 2; + char cmsg[kControlMsgSize]; + memset(cmsg, 0, kControlMsgSize); + msg.msg_control = cmsg; + msg.msg_controllen = sizeof(cmsg); + + struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg); + hdr->cmsg_level = SOL_SOCKET; + hdr->cmsg_type = SCM_RIGHTS; + hdr->cmsg_len = CMSG_LEN(sizeof(int)); + *((int*) CMSG_DATA(hdr)) = fds[1]; + hdr = CMSG_NXTHDR(&sys_msg, hdr); + hdr->cmsg_level = SOL_SOCKET; + hdr->cmsg_type = SCM_CREDENTIALS; + hdr->cmsg_len = CMSG_LEN(sizeof(struct ucred)); + struct ucred *cred = reinterpret_cast<struct ucred*>(CMSG_DATA(hdr)); + cred->uid = getuid(); + cred->gid = getgid(); + cred->pid = getpid(); + + HANDLE_EINTR(sys_sendmsg(fd, &msg, 0)); + sys_close(fds[1]); + + char b; + HANDLE_EINTR(sys_read(fds[0], &b, 1)); + + return true; +} + +void EnableRendererCrashDumping() { + // When the browser forks off our process, it installs the crash signal file + // descriptor in this slot: + static const int kMagicCrashSignalFd = 4; + + // We deliberately leak this object. + google_breakpad::ExceptionHandler* handler = + new google_breakpad::ExceptionHandler("" /* unused */, NULL, NULL, + (void*) kMagicCrashSignalFd, true); + handler->set_crash_handler(CrashHandler); +} diff --git a/chrome/renderer/render_crash_handler_linux.h b/chrome/renderer/render_crash_handler_linux.h new file mode 100644 index 0000000..7a3fa85 --- /dev/null +++ b/chrome/renderer/render_crash_handler_linux.h @@ -0,0 +1,16 @@ +// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef CHROME_RENDERER_CRASH_HANDLER_LINUX_H_ +#define CHROME_RENDERER_CRASH_HANDLER_LINUX_H_ + +#include "build/build_config.h" + +#if defined(OS_LINUX) + +extern void EnableRendererCrashDumping(); + +#endif // OS_LINUX + +#endif // CHROME_RENDERER_CRASH_HANDLER_LINUX_H_ diff --git a/chrome/renderer/render_crash_handler_linux_stub.cc b/chrome/renderer/render_crash_handler_linux_stub.cc new file mode 100644 index 0000000..2da4635 --- /dev/null +++ b/chrome/renderer/render_crash_handler_linux_stub.cc @@ -0,0 +1,9 @@ +// Copyright (c) 2009 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// This is a stub file which is compiled in when we are building without +// breakpad support. + +void EnableRendererCrashDumping() { +} diff --git a/chrome/renderer/renderer_logging_linux.cc b/chrome/renderer/renderer_logging_linux.cc index 9322db1c..7812da1 100644 --- a/chrome/renderer/renderer_logging_linux.cc +++ b/chrome/renderer/renderer_logging_linux.cc @@ -4,15 +4,21 @@ #include "chrome/renderer/renderer_logging.h" +#include <string> + #include "base/logging.h" #include "googleurl/src/gurl.h" namespace renderer_logging { +// We use a static string to hold the most recent active url. If we crash, the +// crash handler code will send the contents of this string to the browser. +std::string active_url; + // Sets the URL that is logged if the renderer crashes. Use GURL() to clear // the URL. void SetActiveRendererURL(const GURL& url) { - // crbug.com/9646 + active_url = url.possibly_invalid_spec(); } } // namespace renderer_logging diff --git a/chrome/renderer/renderer_main.cc b/chrome/renderer/renderer_main.cc index fc4d291..97d633c 100644 --- a/chrome/renderer/renderer_main.cc +++ b/chrome/renderer/renderer_main.cc @@ -21,6 +21,9 @@ #include "chrome/common/logging_chrome.h" #include "chrome/common/main_function_params.h" #include "chrome/renderer/renderer_main_platform_delegate.h" +#if defined(OS_LINUX) +#include "chrome/renderer/render_crash_handler_linux.h" +#endif #include "chrome/renderer/render_process.h" #include "grit/chromium_strings.h" #include "grit/generated_resources.h" @@ -70,6 +73,10 @@ int RendererMain(const MainFunctionParams& parameters) { // whatever occurs before it. HandleRendererErrorTestParameters(parsed_command_line); +#if defined(OS_LINUX) + EnableRendererCrashDumping(); +#endif + RendererMainPlatformDelegate platform(parameters); StatsScope<StatsCounterTimer> |