3party/crashpad
0
0
Fork 0
mirror of https://github.com/chromium/crashpad.git synced 2025-03-10 06:36:02 +00:00
Code Issues Packages Projects Releases Wiki Activity
crashpad/util/win/registration_protocol_win.h
Scott Graham 76ef9b5c2b win: Address failure-to-start-handler case for async startup 
Second follow up to https://chromium-review.googlesource.com/c/400015/

The ideal would be that if we fail to start the handler, then we don't
end up passing through our unhandled exception filter at all.

In the case of the non-initial client (i.e. renderers) we can do this by
not setting our UnhandledExceptionFilter until after we know we've
connected successfully (because those connections are synchronous from
its point of view). We also change WaitForNamedPipe in the connection
message to block forever, so as long as the precreated pipe exists,
they'll wait to connect. After the initial client has passed the server
side of that pipe to the handler, the handler has the only handle to it.
So, if the handler has disappeared for whatever reason, pipe-connecting
clients will fail with FILE_NOT_FOUND, and will not stick around in the
connection loop. This means non-initial clients do not need additional
logic to avoid getting stuck in our UnhandledExceptionFilter.

For the initial client, it would be ideal to avoid passing through our
UEF too, but none of the 3 options are great:
1. Block until we find out if we started, and then install the filter.
   We don't want to do that, because we don't want to wait.
2. Restore the old filter if it turns out we failed to start. We can't
   do that because Chrome disables ::SetUnhandledExceptionFilter()
   immediately after StartHandler/SetHandlerIPCPipe returns.
3. Don't install our filter until we've successfully started. We don't
   want to do that because we'd miss early crashes, negating the benefit
   of deferred startup.

So, we do need to pass through our UnhandledExceptionFilter. I don't
want more Win32 API calls during the vulnerable filter function. So, at
any point during async startup where there's a failure, set a global
atomic that allows the filter function to abort without trying to signal
a handler that's known to not exist.

One further improvement we might want to look at is unexpected
termination of the handler (as opposed to a failure to start) which
would still result in a useless Sleep(60s). This isn't new behaviour,
but now we have a clear thing to do if we detect the handler is gone.

(Also a missing DWORD/size_t cast for the _x64 bots.)

R=mark@chromium.org
BUG=chromium:567850,chromium:656800

Change-Id: I5be831ca39bd8b2e5c962b9647c8bd469e2be878
Reviewed-on: https://chromium-review.googlesource.com/400985
Reviewed-by: Mark Mentovai <mark@chromium.org>
2016-11-02 21:39:52 +00:00

151 lines
5.5 KiB
C++
Raw Blame History

// Copyright 2015 The Crashpad Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef CRASHPAD_UTIL_WIN_REGISTRATION_PROTOCOL_WIN_H_
#define CRASHPAD_UTIL_WIN_REGISTRATION_PROTOCOL_WIN_H_
#include <windows.h>
#include <stdint.h>
#include "base/strings/string16.h"
#include "util/win/address_types.h"
namespace crashpad {
#pragma pack(push, 1)
//! \brief Structure read out of the client process by the crash handler when an
//! exception occurs.
struct ExceptionInformation {
//! \brief The address of an EXCEPTION_POINTERS structure in the client
//! process that describes the exception.
WinVMAddress exception_pointers;
//! \brief The thread on which the exception happened.
DWORD thread_id;
};
//! \brief A client registration request.
struct RegistrationRequest {
//! \brief The expected value of `version`. This should be changed whenever
//! the messages or ExceptionInformation are modified incompatibly.
enum { kMessageVersion = 1 };
//! \brief Version field to detect skew between client and server. Should be
//! set to kMessageVersion.
int version;
//! \brief The PID of the client process.
DWORD client_process_id;
//! \brief The address, in the client process's address space, of an
//! ExceptionInformation structure, used when handling a crash dump
//! request.
WinVMAddress crash_exception_information;
//! \brief The address, in the client process's address space, of an
//! ExceptionInformation structure, used when handling a non-crashing dump
//! request.
WinVMAddress non_crash_exception_information;
//! \brief The address, in the client process's address space, of a
//! `CRITICAL_SECTION` allocated with a valid .DebugInfo field. This can
//! be accomplished by using
//! InitializeCriticalSectionWithDebugInfoIfPossible() or equivalent. This
//! value can be `0`, however then limited lock data will be available in
//! minidumps.
WinVMAddress critical_section_address;
};
//! \brief A message only sent to the server by itself to trigger shutdown.
struct ShutdownRequest {
//! \brief A randomly generated token used to validate the the shutdown
//! request was not sent from another process.
uint64_t token;
};
//! \brief The message passed from client to server by
//! SendToCrashHandlerServer().
struct ClientToServerMessage {
//! \brief Indicates which field of the union is in use.
enum Type : uint32_t {
//! \brief For RegistrationRequest.
kRegister,
//! \brief For ShutdownRequest.
kShutdown,
//! \brief An empty message sent by the initial client in asynchronous mode.
//! No data is required, this just confirms that the server is ready to
//! accept client registrations.
kPing,
} type;
union {
RegistrationRequest registration;
ShutdownRequest shutdown;
};
};
//! \brief A client registration response.
struct RegistrationResponse {
//! \brief An event `HANDLE`, valid in the client process, that should be
//! signaled to request a crash report. Clients should convert the value
//! to a `HANDLE` by calling IntToHandle().
int request_crash_dump_event;
//! \brief An event `HANDLE`, valid in the client process, that should be
//! signaled to request a non-crashing dump be taken. Clients should
//! convert the value to a `HANDLE` by calling IntToHandle().
int request_non_crash_dump_event;
//! \brief An event `HANDLE`, valid in the client process, that will be
//! signaled by the server when the non-crashing dump is complete. Clients
//! should convert the value to a `HANDLE` by calling IntToHandle().
int non_crash_dump_completed_event;
};
//! \brief The response sent back to the client via SendToCrashHandlerServer().
union ServerToClientMessage {
RegistrationResponse registration;
};
#pragma pack(pop)
//! \brief Connect over the given \a pipe_name, passing \a message to the
//! server, storing the server's reply into \a response.
//!
//! Typically clients will not use this directly, instead using
//! CrashpadClient::SetHandler().
//!
//! \sa CrashpadClient::SetHandler()
bool SendToCrashHandlerServer(const base::string16& pipe_name,
const ClientToServerMessage& message,
ServerToClientMessage* response);
//! \brief Wraps CreateNamedPipe() to create a single named pipe instance.
//!
//! \param[in] pipe_name The name to use for the pipe.
//! \param[in] first_instance If `true`, the named pipe instance will be
//! created with `FILE_FLAG_FIRST_PIPE_INSTANCE`. This ensures that the the
//! pipe name is not already in use when created. The first instance will be
//! created with an untrusted integrity SACL so instances of this pipe can
//! be connected to by processes of any integrity level.
HANDLE CreateNamedPipeInstance(const std::wstring& pipe_name,
bool first_instance);
} // namespace crashpad
#endif // CRASHPAD_UTIL_WIN_REGISTRATION_PROTOCOL_WIN_H_
Reference in New Issue View Git Blame Copy Permalink