OLD | NEW |
(Empty) | |
| 1 Official builds of Chrome support crash dumping and reporting using the Google c
rash servers. This is a guide to how this works. |
| 2 |
| 3 ## Breakpad |
| 4 |
| 5 Breakpad is an open source library which we use for crash reporting across all t
hree platforms (Linux, Mac and Windows). For Linux, a substantial amount of work
was required to support cross-process dumping. At the time of writing this code
is currently forked from the upstream breakpad repo. While this situation remai
ns, the forked code lives in <tt>breakpad/linux</tt>. The upstream repo is mirro
red in <tt>breakpad/src</tt>. |
| 6 |
| 7 The code currently supports i386 only. Getting x86-64 to work should only be a m
inor amount of work. |
| 8 |
| 9 ### Minidumps |
| 10 |
| 11 Breakpad deals in a file format called 'minidumps'. This is a Microsoft format a
nd thus is defined by in-memory structures which are dumped, raw, to disk. The m
ain header file for this file format is <tt>breakpad/src/google_breakpad/common/
minidump_format.h</tt>. |
| 12 |
| 13 At the top level, the minidump file format is a list of key-value pairs. Many of
the keys are defined by the minidump format and contain cross-platform represen
tations of stacks, threads etc. For Linux we also define a number of custom keys
containing <tt>/proc/cpuinfo</tt>, <tt>lsb-release</tt> etc. These are defined
in <tt>breakpad/linux/minidump_format_linux.h</tt>. |
| 14 |
| 15 ### Catching exceptions |
| 16 |
| 17 Exceptional conditions (such as invalid memory references, floating point except
ions, etc) are signaled by synchronous signals to the thread which caused them.
Synchronous signals are always run on the thread which triggered them as opposed
to asynchronous signals which can be handled by any thread in a thread-group wh
ich hasn't masked that signal. |
| 18 |
| 19 All the signals that we wish to catch are synchronous except SIGABRT, and we can
always arrange to send SIGABRT to a specific thread. Thus, we find the crashing
thread by looking at the current thread in the signal handler. |
| 20 |
| 21 The signal handlers run on a pre-allocated stack in case the crash was triggered
by a stack overflow. |
| 22 |
| 23 Once we have started handling the signal, we have to assume that the address spa
ce is compromised. In order not to fall prey to this and crash (again) in the cr
ash handler, we observe some rules: |
| 24 1. We don't enter the dynamic linker. This, observably, can trigger crashes in
the crash handler. Unfortunately, entering the dynamic linker is very easy and
can be triggered by calling a function from a shared library who's resolution ha
sn't been cached yet. Since we can't know which functions have been cached we av
oid calling any of these functions with one exception: <tt>memcpy</tt>. Since th
e compiler can emit calls to <tt>memcpy</tt> we can't really avoid it. |
| 25 1. We don't allocate memory via malloc as the heap may be corrupt. Instead we
use a custom allocator (in <tt>breadpad/linux/memory.h</tt>) which gets clean pa
ges directly from the kernel. |
| 26 |
| 27 In order to avoid calling into libc we have a couple of header files which wrap
the system calls (<tt>linux_syscall_support.h</tt>) and reimplement a tiny subse
t of libc (<tt>linux_libc_support.h</tt>). |
| 28 |
| 29 ### Self dumping |
| 30 |
| 31 The simple case occurs when the browser process crashes. Here we catch the signa
l and <tt>clone</tt> a new process to perform the dumping. We have to use a new
process because a process cannot ptrace itself. |
| 32 |
| 33 The dumping process then ptrace attaches to all the threads in the crashed proce
ss and writes out a minidump to <tt>/tmp</tt>. This is generic breakpad code. |
| 34 |
| 35 Then we reach the Chrome specific parts in <tt>chrome/app/breakpad_linux.cc</tt>
. Here we construct another temporary file and write a MIME wrapping of the cras
h dump ready for uploading. We then fork off <tt>wget</tt> to upload the file. B
ased on Debian popcorn, <tt>wget</tt> is very commonly installed (much more so t
han <tt>libcurl</tt>) and <tt>wget</tt> handles the HTTPS gubbins for us. |
| 36 |
| 37 ### Renderer dumping |
| 38 |
| 39 In the case of a crash in the renderer, we don't want the renderer handling the
crash dumping itself. In the future we will sandbox the renderer and allowing it
the authority to crash dump itself is too much. |
| 40 |
| 41 Thus, we split the crash dumping in two parts: the gathering of information whic
h is done in process and the external dumping which is done out of process. In t
he case above, the latter half was done in a <tt>clone</tt>d child. In this case
, the browser process handles it. |
| 42 |
| 43 When renderers are forked off, they have a UNIX DGRAM socket in file descriptor
4. The signal handler then calls into Chrome specific code (<tt>chrome/renderer/
render_crash_handler_linux.cc</tt>) when it would otherwise <tt>clone</tt>. The
Chrome specific code sends a datagram to the socket which contains: |
| 44 * Information which is only available to the signal handler (such as the <tt>u
context</tt> structure). |
| 45 * A file descriptor to a pipe which it then blocks on reading from. |
| 46 * A <tt>CREDENTIALS</tt> structure giving its PID. |
| 47 |
| 48 The kernel enforces that the renderer isn't lying in the <tt>CREDENTIALS</tt> st
ructure so it can't ask the browser to crash dump another process. |
| 49 |
| 50 The browser then performs the ptrace and minidump writing which would otherwise
be performed in the <tt>clone</tt>d process and does the MIME wrapping the uploa
ding as normal. |
| 51 |
| 52 Once the browser has finished getting information from the crashed renderer via
ptrace, it writes a byte to the file descriptor which was passed from the render
er. The renderer than wakes up (because it was blocking on reading from the othe
r end) and rethrows the signal to itself. It then appears to crash 'normally' an
d other parts of the browser notice the abnormal termination and display the sad
tab. |
| 53 |
| 54 ## How to test Breakpad support in Chromium |
| 55 |
| 56 * Build Chromium with the gyp option `-Dlinux_breakpad=1`. |
| 57 ``` |
| 58 ./build/gyp_chromium -Dlinux_breakpad=1 |
| 59 ninja -C out/Debug chrome |
| 60 ``` |
| 61 * Run the browser with the environment variable [CHROME\_HEADLESS=1](http://co
de.google.com/p/chromium/issues/detail?id=19663). This enables crash dumping bu
t prevents crash dumps from being uploaded and deleted. |
| 62 ``` |
| 63 env CHROME_HEADLESS=1 ./out/Debug/chrome-wrapper |
| 64 ``` |
| 65 * Visit the special URL `about:crash` to trigger a crash in the renderer proce
ss. |
| 66 * A crash dump file should appear in the directory `~/.config/chromium/Crash R
eports`. |
OLD | NEW |