// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef PARTITION_ALLOC_PARTITION_ALLOC_BASE_IMMEDIATE_CRASH_H_
#define PARTITION_ALLOC_PARTITION_ALLOC_BASE_IMMEDIATE_CRASH_H_

#include "build/build_config.h"

// Crashes in the fastest possible way with no attempt at logging.
// There are several constraints; see http://crbug.com/664209 for more context.
//
// - PA_TRAP_SEQUENCE_() must be fatal. It should not be possible to ignore the
//   resulting exception or simply hit 'continue' to skip over it in a debugger.
// - Different instances of PA_TRAP_SEQUENCE_() must not be folded together, to
//   ensure crash reports are debuggable. Unlike __builtin_trap(), asm volatile
//   blocks will not be folded together.
//   Note: PA_TRAP_SEQUENCE_() previously required an instruction with a unique
//   nonce since unlike clang, GCC folds together identical asm volatile
//   blocks.
// - PA_TRAP_SEQUENCE_() must produce a signal that is distinct from an invalid
//   memory access.
// - PA_TRAP_SEQUENCE_() must be treated as a set of noreturn instructions.
//   __builtin_unreachable() is used to provide that hint here. clang also uses
//   this as a heuristic to pack the instructions in the function epilogue to
//   improve code density.
//
// Additional properties that are nice to have:
// - PA_TRAP_SEQUENCE_() should be as compact as possible.
// - The first instruction of PA_TRAP_SEQUENCE_() should not change, to avoid
//   shifting crash reporting clusters. As a consequence of this, explicit
//   assembly is preferred over intrinsics.
//   Note: this last bullet point may no longer be true, and may be removed in
//   the future.
//
// Layout of this header:
// - PA_TRAP_SEQUENCE1_() / PA_TRAP_SEQUENCE2_(): the two halves of the trap,
//   selected per compiler and architecture below.
// - PA_TRAP_SEQUENCE_(): both halves as one statement.
// - PA_WRAPPED_TRAP_SEQUENCE_(): PA_TRAP_SEQUENCE_() made usable from constexpr
//   functions on GCC.
// - PA_IMMEDIATE_CRASH(): the public entry point.

// Note: PA_TRAP_SEQUENCE_() is currently split into two macro helpers due to
// the fact that clang emits an actual instruction for __builtin_unreachable()
// on certain platforms (see https://crbug.com/958675). In addition, the
// int3/bkpt/brk will be removed in followups, so splitting it up like this now
// makes it easy to land the followups.

#if defined(COMPILER_GCC)

#if defined(ARCH_CPU_X86_FAMILY)

// TODO(https://crbug.com/958675): In theory, it should be possible to use just
// int3. However, there are a number of crashes with SIGILL as the exception
// code, so it seems likely that there's a signal handler that allows execution
// to continue after SIGTRAP.
#define PA_TRAP_SEQUENCE1_() asm volatile("int3")

#if BUILDFLAG(IS_APPLE)
// Intentionally empty: __builtin_unreachable() is always part of the sequence
// (see PA_IMMEDIATE_CRASH below) and already emits a ud2 on Mac.
#define PA_TRAP_SEQUENCE2_() asm volatile("")
#else
// ud2 raises SIGILL, which is what makes the sequence fatal even if SIGTRAP
// from int3 is swallowed (see the TODO above).
#define PA_TRAP_SEQUENCE2_() asm volatile("ud2")
#endif  // BUILDFLAG(IS_APPLE)

#elif defined(ARCH_CPU_ARMEL)

// bkpt will generate a SIGBUS when running on armv7 and a SIGTRAP when running
// as a 32 bit userspace app on arm64. There doesn't seem to be any way to
// cause a SIGTRAP from userspace without using a syscall (which would be a
// problem for sandboxing).
// TODO(https://crbug.com/958675): Remove bkpt from this sequence.
#define PA_TRAP_SEQUENCE1_() asm volatile("bkpt #0")
// udf is a permanently undefined instruction, so it traps regardless of how
// bkpt was handled.
#define PA_TRAP_SEQUENCE2_() asm volatile("udf #0")

#elif defined(ARCH_CPU_ARM64)

// This will always generate a SIGTRAP on arm64.
// TODO(https://crbug.com/958675): Remove brk from this sequence.
#define PA_TRAP_SEQUENCE1_() asm volatile("brk #0")
#define PA_TRAP_SEQUENCE2_() asm volatile("hlt #0")

#else

// Crash report accuracy will not be guaranteed on other architectures, but at
// least this will crash as expected.
// Note: unlike the asm volatile blocks above, identical __builtin_trap() calls
// may be folded together by the compiler (see the folding constraint at the
// top of this file), so crash sites on these architectures may be harder to
// tell apart.
#define PA_TRAP_SEQUENCE1_() __builtin_trap()
// Intentionally empty: nothing further is emitted after __builtin_trap().
#define PA_TRAP_SEQUENCE2_() asm volatile("")

#endif  // ARCH_CPU_*

#elif defined(COMPILER_MSVC)

#if !defined(__clang__)

// MSVC x64 doesn't support inline asm, so use the MSVC intrinsic.
#define PA_TRAP_SEQUENCE1_() __debugbreak()
// Intentionally empty: __debugbreak() is the whole trap on plain MSVC; no
// second instruction is emitted on this path.
#define PA_TRAP_SEQUENCE2_()

#elif defined(ARCH_CPU_ARM64)

// Windows ARM64 uses "BRK #F000" as its breakpoint instruction, and
// __debugbreak() generates that in both VC++ and clang.
#define PA_TRAP_SEQUENCE1_() __debugbreak()
// Intentionally empty: __builtin_unreachable() is always part of the sequence
// (see PA_IMMEDIATE_CRASH below) and already emits a ud2 on Win64,
// https://crbug.com/958373
// NOTE(review): this branch spells the keyword `__asm` while every other branch
// uses `asm` — presumably for clang-cl compatibility; confirm before unifying.
#define PA_TRAP_SEQUENCE2_() __asm volatile("")

#else

// Reached for clang on Windows on any architecture other than ARM64; emits the
// same int3/ud2 pair as the COMPILER_GCC x86 branch above.
#define PA_TRAP_SEQUENCE1_() asm volatile("int3")
#define PA_TRAP_SEQUENCE2_() asm volatile("ud2")

#endif  // __clang__

#else

// Fail the build rather than silently providing a crash macro that does not
// crash.
#error No supported trap sequence!

#endif  // COMPILER_GCC

// The full trap sequence as a single statement. The do/while(false) wrapper
// makes it safe to use in unbraced if/else bodies like any other statement.
#define PA_TRAP_SEQUENCE_() \
  do {                      \
    PA_TRAP_SEQUENCE1_();   \
    PA_TRAP_SEQUENCE2_();   \
  } while (false)

// CHECK() and the trap sequence can be invoked from a constexpr function.
// This could make compilation fail on GCC, as it forbids directly using inline
// asm inside a constexpr function. However, it allows calling a lambda
// expression including the same asm.
// The side effect is that the top of the stacktrace will not point to the
// calling function, but to this anonymous lambda. This is still useful as the
// full name of the lambda will typically include the name of the function that
// calls CHECK() and the debugger will still break at the right line of code.
//
// Everything except plain GCC (i.e. clang, clang-cl and MSVC) can use the
// sequence directly; GCC gets the lambda wrapper.
#if !defined(COMPILER_GCC) || defined(__clang__)

#define PA_WRAPPED_TRAP_SEQUENCE_() PA_TRAP_SEQUENCE_()

#else

#define PA_WRAPPED_TRAP_SEQUENCE_() \
  do {                              \
    [] { PA_TRAP_SEQUENCE_(); }();  \
  } while (false)

#endif  // !defined(COMPILER_GCC) || defined(__clang__)

#if defined(__clang__) || defined(COMPILER_GCC)

// __builtin_unreachable() hints to the compiler that this is noreturn and can
// be packed in the function epilogue.
//
// This expands to `lambda(), __builtin_unreachable()`: the lambda runs both
// halves of the trap sequence, and the comma operator keeps the whole thing a
// single expression. The halves are called directly rather than through
// PA_WRAPPED_TRAP_SEQUENCE_(); presumably this lambda already plays the role
// of the GCC constexpr wrapper above — confirm before changing.
//
// Anything that executes past the trap reaches __builtin_unreachable(), which
// is undefined behavior — hence the requirement at the top of this file that
// PA_TRAP_SEQUENCE_() really be fatal.
#define PA_IMMEDIATE_CRASH() \
  [] {                       \
    PA_TRAP_SEQUENCE1_();    \
    PA_TRAP_SEQUENCE2_();    \
  }(),                       \
      __builtin_unreachable()

#else

// This is supporting non-chromium users of logging.h to build with MSVC, like
// pdfium. On MSVC there is no __builtin_unreachable().
// NOTE(review): this path carries no noreturn hint, so callers that rely on
// PA_IMMEDIATE_CRASH() being noreturn (e.g. as the last statement of a
// non-void function) may see "not all paths return" warnings here — confirm.
#define PA_IMMEDIATE_CRASH() PA_WRAPPED_TRAP_SEQUENCE_()

#endif  // defined(__clang__) || defined(COMPILER_GCC)

#endif  // PARTITION_ALLOC_PARTITION_ALLOC_BASE_IMMEDIATE_CRASH_H_