[Konstantin Mandrika] NDK Crash Handling. The What, The Where, And The How

Transcript

1. NDK Crash Handling The What, The Where, And The How

2. “ NDK crash handling is easy! - No one, ever

   “

3. Java Crash Handling

4. #dfua Thread.setDefaultUncaughtExceptionHandler(handler);

5. #dfua public class Handler implements UncaughtExceptionHandler { @Override public void

   uncaughtException(Thread t, Throwable ex) { ... } }

6. #dfua java.lang.RuntimeException: Uh-oh! at playground.google.kman.com.androidplayground.MainActivity.javaCrash(MainActivity.java:53) at playground.google.kman.com.androidplayground.MainActivity.access$000(MainActivity.java:12) at playground.google.kman.com.androidplayground.MainActivity$1.onClick(MainActivity.java:47) at

   android.view.View.performClick(View.java:5198) at android.view.View$PerformClick.run(View.java:21147) at android.os.Handler.handleCallback(Handler.java:739) at android.os.Handler.dispatchMessage(Handler.java:95) at android.os.Looper.loop(Looper.java:148) at android.app.ActivityThread.main(ActivityThread.java:5417) at java.lang.reflect.Method.invoke(Native Method) at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)

7. #dfua java.lang.RuntimeException: Uh-oh! at playground.google.kman.com.androidplayground.MainActivity.javaCrash(MainActivity.java:53) at playground.google.kman.com.androidplayground.MainActivity.access$000(MainActivity.java:12) at playground.google.kman.com.androidplayground.MainActivity$1.onClick(MainActivity.java:47) at

   android.view.View.performClick(View.java:5198) at android.view.View$PerformClick.run(View.java:21147) at android.os.Handler.handleCallback(Handler.java:739) at android.os.Handler.dispatchMessage(Handler.java:95) at android.os.Looper.loop(Looper.java:148) at android.app.ActivityThread.main(ActivityThread.java:5417) at java.lang.reflect.Method.invoke(Native Method) at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)

8. Uncaught exceptions do not crash the JVM

9. Native Crash Handling

10. #dfua void format_the_hdd() { int x = NULL; *x =

    42; } void format_the_hdd() { using namespace std; throw new runtime_error(“uh-oh”); } C C++

11. #dfua kmandrika[~/]: ./a.out Segmentation fault (core dumped) Build fingerprint: '...'

    Revision: '0' ABI: 'x86' pid: 3281, tid: 3281, name: droidplayground >>> androidplayground <<< signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0 eax aaaf1e38 ebx aaaf1e38 ecx 00000037 edx 00000000 esi aab07f59 edi bfb60f74 xcs 00000073 xds 0000007b xes 0000007b xfs 00000007 xss 0000007b eip aaaca9dd ebp bfb60d38 esp bfb60d10 flags 00210292

12. The most broad strategy is to install a signal handler

13. #dfua signal::sigaction_t action = {}; ... action.sa_flags = SA_SIGINFO; action.sa_sigaction

    = make_invocation_wrapper( std::bind(signal::detail::restore_handlers, saved), std::bind(signal::handler, ...) ); ... sigaction(SIGSEGV, action, &previous);

14. Very little information is passed into the handler

15. #dfua void handler(int signum, siginfo_t* info, void* context) { ...

    }

16. Additionally, there is a list of constraints to consider...

17. Async- Safety Static Storage Duration

18. All function calls must be reentrant Async- Safety

19. Can’t allocate any memory... Async- Safety

20. … can’t pass state into the signal handler Static Storage

    Duration

21. Just one though!

22. #dfua // At global scope volatile sigatomic_t signal;

23. This is something that most all crash handlers violate.

24. #dfua sigatomic_t std::atomic<state *>

25. The stack needs to be unwound manually.

26. Some Android API levels ship with unwinding libraries

27. Static and Dynamic Linking, and Loading

28. Native Binary Library Linker Loader Native Binary Library

29. Native Binary Library Linker Loader Native Binary

30. #dfua void* dlopen(const char* lib_name, ...); void* dlsym(void* lib, const

    char* symbol);

31. libcrashlytics.so dlopen(); libcrashlytics-envelope.so libcorkscrew.so libbacktrace.so DEVICE SDK

32. libcrashlytics.so dlopen(); libcrashlytics-envelope.so libbacktrace.so DEVICE SDK libcorkscrew.so

33. Using an unwinding library inside the signal handler is not

    reliable

34. Doing too much in the signal handler is not reliable

35. #dfua pid_t fork(void); int execve(const char *filename, ...); long ptrace(__ptrace_request

    request, ...);

36. Capture the process memory now, unwind later

37. Breakpad

38. #dfua #00 pc 000049dd #01 pc 000047d9 #02 pc 0000479c

    #03 pc 0000499a #04 pc 0013d8c7 #05 pc 00137a82 #06 pc 001435c4 #07 pc 005e06ae #08 pc 00328b5d #09 pc 0032ebf9 #10 pc 000fc955 #11 pc 00300700 #12 pc 00667c73 #13 pc 0013d98d #14 pc 7335a840

39. Symbolication

40. Executable and Linkable Format (ELF)

41. #dfua typedef struct { Elf32_Word st_name; Elf32_Addr st_value; Elf32_Word st_size;

    unsigned char st_info; unsigned char st_other; Elf32_Half st_shndx; } Elf32_Sym;

42. my_function() 22344 22344 + 48

43. my_function() 22344 22396 22376 PC

44. #dfua inline int* generate() { int* x = NULL; *x

    = 42; return x; } void my_function() { int* result = generate(); ... } Crash!

45. DWARF

46. #dfua <1><afe40>: Abbrev Number: 96 (DW_TAG_subprogram) <afe41> DW_AT_external : 1

    <afe41> DW_AT_name : __deregister_frame_info <afe45> DW_AT_decl_file : 2 <afe46> DW_AT_decl_line : 221 <afe47> DW_AT_prototyped : 1 <afe47> DW_AT_type : <0xad841> <afe4b> DW_AT_low_pc : 0x2fd21 <afe4f> DW_AT_high_pc : 0x20 <afe53> DW_AT_frame_base : 1 byte block: 9c <afe55> DW_AT_GNU_all_call_sites: 1 <afe55> DW_AT_sibling : <0xafe71>

47. #dfua <1><afe40>: Abbrev Number: 96 (DW_TAG_subprogram) <afe41> DW_AT_external : 1

    <afe41> DW_AT_name : __deregister_frame_info <afe45> DW_AT_decl_file : 2 <afe46> DW_AT_decl_line : 221 <afe47> DW_AT_prototyped : 1 <afe47> DW_AT_type : <0xad841> <afe4b> DW_AT_low_pc : 0x2fd21 <afe4f> DW_AT_high_pc : 0x20 <afe53> DW_AT_frame_base : 1 byte block: 9c <afe55> DW_AT_GNU_all_call_sites: 1 <afe55> DW_AT_sibling : <0xafe71>

48. #dfua <7><1550a>: Abbrev Number: 131 (DW_TAG_inlined_subroutine) <1550c> DW_AT_abstract_origin: <0x151fd> <15510>

    DW_AT_entry_pc : 0xb659 <15514> DW_AT_ranges : 0x500 <15518> DW_AT_call_file : 1 <15519> DW_AT_call_line : 117 <1551a> DW_AT_GNU_discriminator: 7 <1551b> DW_AT_sibling : <0x157af>

49. #dfua <7><1550a>: Abbrev Number: 131 (DW_TAG_inlined_subroutine) <1550c> DW_AT_abstract_origin: <0x151fd> <15510>

    DW_AT_entry_pc : 0xb659 <15514> DW_AT_ranges : 0x500 <15518> DW_AT_call_file : 1 <15519> DW_AT_call_line : 117 <1551a> DW_AT_GNU_discriminator: 7 <1551b> DW_AT_sibling : <0x157af>

50. #dfua <5><13359>: Abbrev Number: 55 (DW_TAG_subprogram) <1335a> DW_AT_name : generate

    <13368> DW_AT_declaration : 1 <13368> ... <1><151fd>: Abbrev Number: 102 (DW_TAG_subprogram) <151fe> DW_AT_specification: <0x13359> <15203> ... <7><1550a>: Abbrev Number: 131 (DW_TAG_inlined_subroutine) <1550c> DW_AT_abstract_origin: <0x151fd> <15514> DW_AT_ranges : 0x500 <15518> ...

51. #dfua <5><13359>: Abbrev Number: 55 (DW_TAG_subprogram) <1335a> DW_AT_name : generate

    <13368> DW_AT_declaration : 1 <13368> ... <1><151fd>: Abbrev Number: 102 (DW_TAG_subprogram) <151fe> DW_AT_specification: <0x13359> <15203> ... <7><1550a>: Abbrev Number: 131 (DW_TAG_inlined_subroutine) <1550c> DW_AT_abstract_origin: <0x151fd> <15514> DW_AT_ranges : 0x500 <15518> ...

52. my_function() 22344 22396 22376 PC generate() 22350 22380

53. #dfua #00 pc 000049dd int* generate+45 #01 pc 000047d9 void

    my_function+41 #02 pc 0000479c nothing_special+44 #03 pc 0000499a Java_playground_..._androidplayground_MainActivity_crash+42 #04 pc 0013d8c7 art_quick_generic_jni_trampoline+71 #05 pc 00137a82 art_quick_invoke_stub+338 #06 pc 001435c4 art::ArtMethod::Invoke(...)+212 #07 pc 005e06ae artInterpreterToCompiledCodeBridge+190 #08 pc 00328b5d bool art::interpreter::DoCall<...>(...)+445 #09 pc 0032ebf9 bool art::interpreter::DoInvoke<...>(...)+297 #10 pc 000fc955 art::JValue art::interpreter::ExecuteGotoImpl<...>(...)+30485 #11 pc 00300700 art::interpreter::EnterInterpreterFromEntryPoint(...)+128 #12 pc 00667c73 artQuickToInterpreterBridge+808 #13 pc 0013d98d art_quick_to_interpreter_bridge+77 #14 pc 7335a840 offset 0x1eb2000

54. #dfua #00 pc 000049dd int* generate+45 #01 pc 000047d9 void

    my_function+41 #02 pc 0000479c nothing_special+44 #03 pc 0000499a Java_playground_..._androidplayground_MainActivity_crash+42 #04 pc 0013d8c7 art_quick_generic_jni_trampoline+71 #05 pc 00137a82 art_quick_invoke_stub+338 #06 pc 001435c4 art::ArtMethod::Invoke(...)+212 #07 pc 005e06ae artInterpreterToCompiledCodeBridge+190 #08 pc 00328b5d bool art::interpreter::DoCall<...>(...)+445 #09 pc 0032ebf9 bool art::interpreter::DoInvoke<...>(...)+297 #10 pc 000fc955 art::JValue art::interpreter::ExecuteGotoImpl<...>(...)+30485 #11 pc 00300700 art::interpreter::EnterInterpreterFromEntryPoint(...)+128 #12 pc 00667c73 artQuickToInterpreterBridge+808 #13 pc 0013d98d art_quick_to_interpreter_bridge+77 #14 pc 7335a840 offset 0x1eb2000

55. Conclusion

56. Thank you! Questions?