Add the crashpad_handler executable

handler/mac/exception_handler_server.cc

+// Copyright 2014 The Crashpad Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "handler/mac/exception_handler_server.h"
+
+#include "base/logging.h"
+#include "base/mac/mach_logging.h"
+#include "base/strings/stringprintf.h"
+#include "util/mach/composite_mach_message_server.h"
+#include "util/mach/exc_server_variants.h"
+#include "util/mach/exception_behaviors.h"
+#include "util/mach/mach_extensions.h"
+#include "util/mach/mach_message.h"
+#include "util/mach/mach_message_server.h"
+#include "util/mach/notify_server.h"
+
+namespace crashpad {
+
+namespace {
+
+class ExceptionHandlerServerRun
+    : public UniversalMachExcServer::Interface,
+      public NotifyServer::Interface {
+ public:
+  explicit ExceptionHandlerServerRun(mach_port_t exception_port)
+      : UniversalMachExcServer::Interface(),
+        NotifyServer::Interface(),
+        mach_exc_server_(this),
+        notify_server_(this),
+        composite_mach_message_server_(),
+        exception_port_(exception_port),
+        notify_port_(NewMachPort(MACH_PORT_RIGHT_RECEIVE)),
+        running_(true) {
+    CHECK_NE(notify_port_, kMachPortNull);
+
+    composite_mach_message_server_.AddHandler(&mach_exc_server_);
+    composite_mach_message_server_.AddHandler(&notify_server_);
+  }
+
+  ~ExceptionHandlerServerRun() {
+  }
+
+  void Run() {
+    DCHECK(running_);

[Robert Sesek, 2014/12/29 16:17:08]

To ensure that this method is only called once, why isn't running_ initialized
to false and then DCHECK(!running_) here before setting it to true?

[Mark Mentovai, 2014/12/29 17:08:07]

Robert Sesek wrote:
This DCHECK actually does ensure that the method is only called once.

When Run() returns, running_ will always be false. The constructor initializes
running_ to true to disambiguate, so that the DCHECK checks that it was not
called previously.

+
+    // Request that a no-senders notification for exception_port_ be sent to
+    // notify_port_.
+    mach_port_t previous;
+    kern_return_t kr =
+        mach_port_request_notification(mach_task_self(),
+                                       exception_port_,
+                                       MACH_NOTIFY_NO_SENDERS,
+                                       0,
+                                       notify_port_,
+                                       MACH_MSG_TYPE_MAKE_SEND_ONCE,
+                                       &previous);
+    MACH_CHECK(kr == KERN_SUCCESS, kr) << "mach_port_request_notification";
+
+    if (previous != MACH_PORT_NULL) {
+      kr = mach_port_deallocate(mach_task_self(), previous);
+      MACH_CHECK(kr == KERN_SUCCESS, kr) << "mach_port_deallocate";
+    }
+
+    // A single CompositeMachMessageServer will dispatch both exception messages
+    // and the no-senders notification. Put both receive rights into a port set.
+    //
+    // A single receive right can’t be used because the notification request
+    // requires a send-once right, which would prevent the no-senders condition
+    // from ever existing. Using distinct receive rights also allows the handler
+    // methods to ensure that the messages they process were sent by a holder of
+    // the proper send right.
+    base::mac::ScopedMachPortSet server_port_set(
+        NewMachPort(MACH_PORT_RIGHT_PORT_SET));
+
+    kr = mach_port_insert_member(
+        mach_task_self(), exception_port_, server_port_set);
+    MACH_CHECK(kr == KERN_SUCCESS, kr) << "mach_port_insert_member";
+
+    kr = mach_port_insert_member(
+        mach_task_self(), notify_port_, server_port_set);
+    MACH_CHECK(kr == KERN_SUCCESS, kr) << "mach_port_insert_member";
+
+    // Run the server in kOneShot mode so that running_ can be reevaluated after
+    // each message. Receipt of a valid no-senders notification causes it to be
+    // set to false.
+    while (running_) {
+      // This will result in a call to CatchMachException() or
+      // DoMachNotifyNoSenders() as appropriate.
+      mach_msg_return_t mr =
+          MachMessageServer::Run(&composite_mach_message_server_,
+                                 server_port_set,
+                                 MACH_MSG_OPTION_NONE,
+                                 MachMessageServer::kOneShot,
+                                 MachMessageServer::kReceiveLargeIgnore,
+                                 kMachMessageTimeoutWaitIndefinitely);
+      MACH_CHECK(mr == MACH_MSG_SUCCESS, mr) << "MachMessageServer::Run";

[Robert Sesek, 2014/12/29 16:17:08]

Won't this abort if an error occurs, contrary to the documentation for this
method?

[Mark Mentovai, 2014/12/29 17:08:07]

Robert Sesek wrote:
The documentation says

  //! If an unexpected condition that prevents this method from functioning is
  //! encountered, it will log a message and terminate execution. Receipt of an
  //! invalid message on \a receive_port_ will cause a message to be logged, but
  //! this method will continue running normally.

MachMessageServer::Run() doesn’t consider a demux failure (invalid message,
etc.) an error, it just reports the return value from mach_msg() send and
receive attempts. It ignores mach_msg() errors like MACH_RCV_TOO_LARGE because
that’s what it was asked to do. It doesn’t time out because it was asked to wait
indefinitely. So if MachMessageServer::Run() returns a non-success result, it’s
probably because it was invoked incorrectly.

+    }
+  }
+
+  // UniversalMachExcServer::Interface:
+
+  kern_return_t CatchMachException(exception_behavior_t behavior,
+                                   exception_handler_t exception_port,
+                                   thread_t thread,
+                                   task_t task,
+                                   exception_type_t exception,
+                                   const mach_exception_data_type_t* code,
+                                   mach_msg_type_number_t code_count,
+                                   thread_state_flavor_t* flavor,
+                                   const natural_t* old_state,
+                                   mach_msg_type_number_t old_state_count,
+                                   thread_state_t new_state,
+                                   mach_msg_type_number_t* new_state_count,
+                                   const mach_msg_trailer_t* trailer,
+                                   bool* destroy_complex_request) override {
+    *destroy_complex_request = true;
+
+    if (exception_port != exception_port_) {
+      LOG(WARNING) << "exception port mismatch";
+      return MIG_BAD_ID;

[Robert Sesek, 2014/12/29 16:17:08]

MIG_BAD_ARGUMENTS instead?

[Mark Mentovai, 2014/12/29 17:08:07]

Robert Sesek wrote:
This (exception_port != exception_port_) happens when someone with a send right
to something else (the notify server) in the port set sends a message that isn’t
appropriate for that send right. The fact that there’s a port set is an
implementation detail of this server. Normally, if there wasn’t a port set but
just an individual NotifyServer, any request of the notify subsystem would
result in the MIG_BAD_ID, because the notify subsystem’s only expected to handle
requests from that subsystem.

So MIG_BAD_ID is just saying “I don’t understand that message ID,” but the “I
don’t understand” part is nuanced, more like “the port you sent the message to
doesn’t understand that message ID.”

+    }
+
+    // The expected behavior is EXCEPTION_STATE_IDENTITY | MACH_EXCEPTION_CODES,
+    // but it’s possible to deal with any exception behavior as long as it
+    // carries identity information (valid thread and task ports).
+    if (!ExceptionBehaviorHasIdentity(behavior)) {
+      LOG(WARNING) << base::StringPrintf(
+          "unexpected exception behavior 0x%x, rejecting", behavior);
+      return KERN_FAILURE;
+    } else if (behavior != (EXCEPTION_STATE_IDENTITY | kMachExceptionCodes)) {
+      LOG(WARNING) << base::StringPrintf(
+          "unexpected exception behavior 0x%x, proceeding", behavior);
+    }
+
+    // TODO(mark): Implement.
+
+    return ExcServerSuccessfulReturnValue(behavior, false);
+  }
+
+  // NotifyServer::Interface:
+
+  kern_return_t DoMachNotifyPortDeleted(
+        notify_port_t notify,
+        mach_port_name_t name,
+        const mach_msg_trailer_t* trailer) override {
+    return UnimplementedNotifyRoutine(notify);
+  }
+
+  kern_return_t DoMachNotifyPortDestroyed(notify_port_t notify,
+                                          mach_port_t rights,
+                                          const mach_msg_trailer_t* trailer,
+                                          bool* destroy_request) override {
+    *destroy_request = true;
+    return UnimplementedNotifyRoutine(notify);
+  }
+
+  kern_return_t DoMachNotifyNoSenders(
+      notify_port_t notify,
+      mach_port_mscount_t mscount,
+      const mach_msg_trailer_t* trailer) override {
+    if (notify != notify_port_) {
+      // The message was received as part of a port set. This check ensures that
+      // only the authorized sender of the no-senders notification is able to
+      // stop the exception server. Otherwise, a malicious client would be able
+      // to craft and send a no-senders notification via its exception port, and
+      // cause the handler to stop processing exceptions and exit.
+      LOG(WARNING) << "notify port mismatch";
+      return MIG_BAD_ID;
+    }
+
+    running_ = false;
+
+    return KERN_SUCCESS;
+  }
+
+  kern_return_t DoMachNotifySendOnce(
+      notify_port_t notify,
+      const mach_msg_trailer_t* trailer) override {
+    return UnimplementedNotifyRoutine(notify);
+  }
+
+  kern_return_t DoMachNotifyDeadName(
+      notify_port_t notify,
+      mach_port_name_t name,
+      const mach_msg_trailer_t* trailer) override {
+    return UnimplementedNotifyRoutine(notify);
+  }
+
+ private:
+  kern_return_t UnimplementedNotifyRoutine(notify_port_t notify) {
+    // Most of the routines in the notify subsystem are not expected to be
+    // called.
+    if (notify != notify_port_) {
+      LOG(WARNING) << "notify port mismatch";
+      return MIG_BAD_ID;
+    }
+
+    NOTREACHED();
+    return KERN_FAILURE;
+  }
+
+  UniversalMachExcServer mach_exc_server_;
+  NotifyServer notify_server_;
+  CompositeMachMessageServer composite_mach_message_server_;
+  mach_port_t exception_port_;  // weak
+  base::mac::ScopedMachReceiveRight notify_port_;
+  bool running_;
+
+  DISALLOW_COPY_AND_ASSIGN(ExceptionHandlerServerRun);
+};
+
+}  // namespace
+
+ExceptionHandlerServer::ExceptionHandlerServer()
+    : receive_port_(NewMachPort(MACH_PORT_RIGHT_RECEIVE)) {
+  CHECK_NE(receive_port_, kMachPortNull);
+}
+
+ExceptionHandlerServer::~ExceptionHandlerServer() {
+}
+
+void ExceptionHandlerServer::Run() {
+  ExceptionHandlerServerRun run(receive_port_);
+  run.Run();
+}
+
+}  // namespace crashpad