1 // Copyright 2021 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 // This file is copied from //base/immediate_crash.h.
6 
7 #ifndef BUILD_RUST_STD_IMMEDIATE_CRASH_H_
8 #define BUILD_RUST_STD_IMMEDIATE_CRASH_H_
9 
10 #include "build/build_config.h"
11 
12 // Crashes in the fastest possible way with no attempt at logging.
13 // There are several constraints; see http://crbug.com/664209 for more context.
14 //
15 // - TRAP_SEQUENCE_() must be fatal. It should not be possible to ignore the
16 //   resulting exception or simply hit 'continue' to skip over it in a debugger.
17 // - Different instances of TRAP_SEQUENCE_() must not be folded together, to
18 //   ensure crash reports are debuggable. Unlike __builtin_trap(), asm volatile
19 //   blocks will not be folded together.
20 //   Note: TRAP_SEQUENCE_() previously required an instruction with a unique
21 //   nonce since unlike clang, GCC folds together identical asm volatile
22 //   blocks.
23 // - TRAP_SEQUENCE_() must produce a signal that is distinct from an invalid
24 //   memory access.
25 // - TRAP_SEQUENCE_() must be treated as a set of noreturn instructions.
26 //   __builtin_unreachable() is used to provide that hint here. clang also uses
27 //   this as a heuristic to pack the instructions in the function epilogue to
28 //   improve code density.
29 //
30 // Additional properties that are nice to have:
31 // - TRAP_SEQUENCE_() should be as compact as possible.
32 // - The first instruction of TRAP_SEQUENCE_() should not change, to avoid
33 //   shifting crash reporting clusters. As a consequence of this, explicit
34 //   assembly is preferred over intrinsics.
35 //   Note: this last bullet point may no longer be true, and may be removed in
36 //   the future.
37 
38 // Note: TRAP_SEQUENCE is currently split into two macro helpers due to the fact
39 // that clang emits an actual instruction for __builtin_unreachable() on certain
40 // platforms (see https://crbug.com/958675). In addition, the int3/bkpt/brk will
41 // be removed in followups, so splitting it up like this now makes it easy to
42 // land the followups.
43 
// Selects the two halves of the trap sequence for the current toolchain and
// target. TRAP_SEQUENCE1_() is always expanded first and TRAP_SEQUENCE2_()
// second (see TRAP_SEQUENCE_() below). The COMPILER_*, OS_* and ARCH_CPU_*
// macros are presumably supplied by build/build_config.h, the only header
// included here - confirm when porting.
#if defined(COMPILER_GCC)

#if defined(OS_NACL)

// Crash report accuracy is not guaranteed on NaCl.
// __builtin_trap() may be folded across call sites (see the constraints listed
// at the top of this file), so distinct crash locations can end up sharing one
// trap instruction.
#define TRAP_SEQUENCE1_() __builtin_trap()
// Empty asm statement: adds no instruction of its own.
#define TRAP_SEQUENCE2_() asm volatile("")

#elif defined(ARCH_CPU_X86_FAMILY)

// TODO(https://crbug.com/958675): In theory, it should be possible to use just
// int3. However, there are a number of crashes with SIGILL as the exception
// code, so it seems likely that there's a signal handler that allows execution
// to continue after SIGTRAP.
#define TRAP_SEQUENCE1_() asm volatile("int3")

// Second trap: ud2 follows the int3, so if something resumes execution after
// the breakpoint (the TODO above suspects a signal handler does), the process
// still hits an invalid-opcode instruction instead of running on.
#if defined(OS_APPLE)
// Intentionally empty: __builtin_unreachable() is always part of the sequence
// (see IMMEDIATE_CRASH below) and already emits a ud2 on Mac.
#define TRAP_SEQUENCE2_() asm volatile("")
#else
#define TRAP_SEQUENCE2_() asm volatile("ud2")
#endif  // defined(OS_APPLE)

#elif defined(ARCH_CPU_ARMEL)

// bkpt will generate a SIGBUS when running on armv7 and a SIGTRAP when running
// as a 32 bit userspace app on arm64. There doesn't seem to be any way to
// cause a SIGTRAP from userspace without using a syscall (which would be a
// problem for sandboxing).
// TODO(https://crbug.com/958675): Remove bkpt from this sequence.
#define TRAP_SEQUENCE1_() asm volatile("bkpt #0")
// udf is the second instruction of the pair; presumably it plays the same
// backstop role as ud2 on x86 - confirm against the linked bug.
#define TRAP_SEQUENCE2_() asm volatile("udf #0")

#elif defined(ARCH_CPU_ARM64)

// This will always generate a SIGTRAP on arm64.
// TODO(https://crbug.com/958675): Remove brk from this sequence.
#define TRAP_SEQUENCE1_() asm volatile("brk #0")
// hlt is the second instruction of the pair, emitted directly after the brk.
#define TRAP_SEQUENCE2_() asm volatile("hlt #0")

#else

// Crash report accuracy will not be guaranteed on other architectures, but at
// least this will crash as expected.
// As on NaCl, __builtin_trap() instances may be folded together by the
// compiler (see the constraints listed at the top of this file).
#define TRAP_SEQUENCE1_() __builtin_trap()
#define TRAP_SEQUENCE2_() asm volatile("")

#endif  // ARCH_CPU_*

#elif defined(COMPILER_MSVC)

#if !defined(__clang__)

// MSVC x64 doesn't support inline asm, so use the MSVC intrinsic.
// NOTE(review): the second half is empty here and the matching
// IMMEDIATE_CRASH() variant has no __builtin_unreachable(), so on this path
// the "must be fatal, cannot be continued past" constraint rests on
// __debugbreak() alone - confirm that is acceptable for MSVC-only consumers.
#define TRAP_SEQUENCE1_() __debugbreak()
#define TRAP_SEQUENCE2_()

#elif defined(ARCH_CPU_ARM64)

// Windows ARM64 uses "BRK #F000" as its breakpoint instruction, and
// __debugbreak() generates that in both VC++ and clang.
#define TRAP_SEQUENCE1_() __debugbreak()
// Intentionally empty: __builtin_unreachable() is always part of the sequence
// (see IMMEDIATE_CRASH below) and already emits a ud2 on Win64,
// https://crbug.com/958373
// NOTE(review): ud2 is an x86 instruction, yet this is the ARM64 branch; the
// wording looks inherited from the x86-64 case - confirm what the compiler
// actually emits for __builtin_unreachable() on Windows ARM64.
#define TRAP_SEQUENCE2_() __asm volatile("")

#else

// clang targeting Windows on a non-ARM64 CPU: same int3 + ud2 pair as the
// non-Apple x86 branch above.
#define TRAP_SEQUENCE1_() asm volatile("int3")
#define TRAP_SEQUENCE2_() asm volatile("ud2")

#endif  // !defined(__clang__) / ARCH_CPU_ARM64

#else

// Fail the build outright rather than produce an IMMEDIATE_CRASH() with no
// trap behind it.
#error No supported trap sequence!

#endif  // COMPILER_GCC
124 
// Full trap sequence: the first half, then the second half, in that fixed
// order. Wrapped in do { ... } while (false) so the expansion is a single
// statement that takes a trailing semicolon and stays correct inside an
// unbraced if/else.
#define TRAP_SEQUENCE_() \
  do {                   \
    TRAP_SEQUENCE1_();   \
    TRAP_SEQUENCE2_();   \
  } while (false)
130 
// CHECK() and the trap sequence can be invoked from a constexpr function.
// This could make compilation fail on GCC, as it forbids directly using inline
// asm inside a constexpr function. However, it allows calling a lambda
// expression including the same asm.
// The side effect is that the top of the stacktrace will not point to the
// calling function, but to this anonymous lambda. This is still useful as the
// full name of the lambda will typically include the name of the function that
// calls CHECK() and the debugger will still break at the right line of code.
//
// WRAPPED_TRAP_SEQUENCE_() is what IMMEDIATE_CRASH() expands; it is either the
// bare sequence or the sequence inside an immediately-invoked lambda.
#if !defined(COMPILER_GCC)

// No wrapper needed: expand the trap sequence in place.
#define WRAPPED_TRAP_SEQUENCE_() TRAP_SEQUENCE_()

#else

// The lambda syntax makes this branch C++-only. The lambda itself carries no
// noreturn marking, so the caller learns that control does not continue only
// from the __builtin_unreachable() that IMMEDIATE_CRASH() places after it.
// NOTE(review): this branch is selected by COMPILER_GCC alone; whether that
// macro is also defined for clang depends on build/build_config.h - confirm.
#define WRAPPED_TRAP_SEQUENCE_() \
  do {                           \
    [] { TRAP_SEQUENCE_(); }();  \
  } while (false)

#endif  // !defined(COMPILER_GCC)
151 
// IMMEDIATE_CRASH() is the public entry point of this header: it runs the trap
// sequence and, where the compiler supports it, marks everything after it as
// unreachable.
#if defined(__clang__) || defined(COMPILER_GCC)

// The ({ ... }) form is a GNU statement expression, a compiler extension; this
// branch is taken only for clang and COMPILER_GCC builds.
// __builtin_unreachable() hints to the compiler that this is noreturn and can
// be packed in the function epilogue.
// Reaching __builtin_unreachable() at run time is undefined behaviour, so the
// hint is only sound while the trap sequence really is fatal: if a signal
// handler or debugger resumed past the traps, execution would continue into
// whatever code happens to follow.
#define IMMEDIATE_CRASH()     \
  ({                          \
    WRAPPED_TRAP_SEQUENCE_(); \
    __builtin_unreachable();  \
  })

#else

// This supports non-Chromium users of logging.h that build with MSVC, such as
// pdfium. On MSVC there is no __builtin_unreachable().
// NOTE(review): in this branch the expansion is a do/while statement rather
// than an expression, and the compiler receives no noreturn hint, so code
// after IMMEDIATE_CRASH() is still treated as reachable - confirm callers do
// not depend on either property.
#define IMMEDIATE_CRASH() WRAPPED_TRAP_SEQUENCE_()

#endif  // defined(__clang__) || defined(COMPILER_GCC)
169 
170 #endif  // BUILD_RUST_STD_IMMEDIATE_CRASH_H_
171