crasher.c revision f1a8dfa0ebfc233e569ffa83e21e37d0a829b94c
1da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes#include <assert.h> 2da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes#include <errno.h> 3da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes#include <pthread.h> 4da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes#include <sched.h> 5da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes#include <signal.h> 6dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project#include <stdio.h> 7dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project#include <stdlib.h> 8dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project#include <string.h> 9f1a8dfa0ebfc233e569ffa83e21e37d0a829b94cMark Salyzyn#include <sys/cdefs.h> 10dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project#include <sys/ptrace.h> 11dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project#include <sys/socket.h> 12da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes#include <sys/wait.h> 13da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes#include <unistd.h> 14dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project 15dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project#include <cutils/sockets.h> 16f1a8dfa0ebfc233e569ffa83e21e37d0a829b94cMark Salyzyn#include <log/log.h> 17f1a8dfa0ebfc233e569ffa83e21e37d0a829b94cMark Salyzyn 18f1a8dfa0ebfc233e569ffa83e21e37d0a829b94cMark Salyzyn#ifndef __unused 19f1a8dfa0ebfc233e569ffa83e21e37d0a829b94cMark Salyzyn#define __unused __attribute__((__unused__)) 20f1a8dfa0ebfc233e569ffa83e21e37d0a829b94cMark Salyzyn#endif 21dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project 223808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughesextern const char* __progname; 233808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes 24dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Projectvoid crash1(void); 25dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Projectvoid crashnostack(void); 266f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughesstatic int do_action(const char* arg); 27dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project 28da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughesstatic void maybe_abort() { 29da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes if (time(0) != 42) { 306f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes abort(); 316f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes } 326f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes} 336f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes 34f1a8dfa0ebfc233e569ffa83e21e37d0a829b94cMark Salyzynstatic int smash_stack(int i __unused) { 35df4200e8c255fca1d03855b971b57036b9ccaa94Elliott Hughes printf("crasher: deliberately corrupting stack...\n"); 36df4200e8c255fca1d03855b971b57036b9ccaa94Elliott Hughes // Unless there's a "big enough" buffer on the stack, gcc 37df4200e8c255fca1d03855b971b57036b9ccaa94Elliott Hughes // doesn't bother inserting checks. 38df4200e8c255fca1d03855b971b57036b9ccaa94Elliott Hughes char buf[8]; 39b1be27e29b01009d66ac66c20e275506673e962cElliott Hughes // If we don't write something relatively unpredictable 40df4200e8c255fca1d03855b971b57036b9ccaa94Elliott Hughes // into the buffer and then do something with it, gcc 41df4200e8c255fca1d03855b971b57036b9ccaa94Elliott Hughes // optimizes everything away and just returns a constant. 42df4200e8c255fca1d03855b971b57036b9ccaa94Elliott Hughes *(int*)(&buf[7]) = (uintptr_t) &buf[0]; 43df4200e8c255fca1d03855b971b57036b9ccaa94Elliott Hughes return *(int*)(&buf[0]); 44df4200e8c255fca1d03855b971b57036b9ccaa94Elliott Hughes} 45df4200e8c255fca1d03855b971b57036b9ccaa94Elliott Hughes 46b1be27e29b01009d66ac66c20e275506673e962cElliott Hughesstatic void* global = 0; // So GCC doesn't optimize the tail recursion out of overflow_stack. 47b1be27e29b01009d66ac66c20e275506673e962cElliott Hughes 486f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes__attribute__((noinline)) static void overflow_stack(void* p) { 493808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes void* buf[1]; 503808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes buf[0] = p; 51b1be27e29b01009d66ac66c20e275506673e962cElliott Hughes global = buf; 523808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes overflow_stack(&buf); 53dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project} 54dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project 556f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughesstatic void *noisy(void *x) 56dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project{ 575d9fe779c8ec2705865a23061834ad8cdbee5b82Elliott Hughes char c = (uintptr_t) x; 58dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project for(;;) { 59dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project usleep(250*1000); 60dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project write(2, &c, 1); 61dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project if(c == 'C') *((unsigned*) 0) = 42; 62dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project } 635d9fe779c8ec2705865a23061834ad8cdbee5b82Elliott Hughes return NULL; 64dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project} 65dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project 666f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughesstatic int ctest() 67dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project{ 68dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project pthread_t thr; 69dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project pthread_attr_t attr; 70dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project pthread_attr_init(&attr); 71dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); 72dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project pthread_create(&thr, &attr, noisy, (void*) 'A'); 73dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project pthread_create(&thr, &attr, noisy, (void*) 'B'); 74dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project pthread_create(&thr, &attr, noisy, (void*) 'C'); 75dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project for(;;) ; 76dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project return 0; 77dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project} 78dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project 79aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughesstatic void* thread_callback(void* raw_arg) 80aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes{ 815d9fe779c8ec2705865a23061834ad8cdbee5b82Elliott Hughes return (void*) (uintptr_t) do_action((const char*) raw_arg); 82aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes} 83aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes 846f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughesstatic int do_action_on_thread(const char* arg) 85dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project{ 86aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes pthread_t t; 87aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes pthread_create(&t, NULL, thread_callback, (void*) arg); 88aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes void* result = NULL; 89aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes pthread_join(t, &result); 905d9fe779c8ec2705865a23061834ad8cdbee5b82Elliott Hughes return (int) (uintptr_t) result; 91aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes} 92aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes 936f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes__attribute__((noinline)) static int crash3(int a) { 946f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes *((int*) 0xdead) = a; 956f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes return a*4; 966f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes} 976f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes 986f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes__attribute__((noinline)) static int crash2(int a) { 996f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes a = crash3(a) + 2; 1006f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes return a*3; 101af2cb3667ba24d1ef3037aa5a7b3bc0a238cf040Pavel Chupin} 102af2cb3667ba24d1ef3037aa5a7b3bc0a238cf040Pavel Chupin 1036f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes__attribute__((noinline)) static int crash(int a) { 1046f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes a = crash2(a) + 1; 1056f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes return a*2; 106af2cb3667ba24d1ef3037aa5a7b3bc0a238cf040Pavel Chupin} 107af2cb3667ba24d1ef3037aa5a7b3bc0a238cf040Pavel Chupin 1086f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughesstatic void abuse_heap() { 1096f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes char buf[16]; 1106f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes free((void*) buf); // GCC is smart enough to warn about this, but we're doing it deliberately. 111af2cb3667ba24d1ef3037aa5a7b3bc0a238cf040Pavel Chupin} 112af2cb3667ba24d1ef3037aa5a7b3bc0a238cf040Pavel Chupin 1136f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughesstatic int do_action(const char* arg) 114aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes{ 1153808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes fprintf(stderr,"crasher: init pid=%d tid=%d\n", getpid(), gettid()); 1163808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes 1173808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes if (!strncmp(arg, "thread-", strlen("thread-"))) { 118aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes return do_action_on_thread(arg + strlen("thread-")); 119da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes } else if (!strcmp(arg, "smash-stack")) { 1203808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes return smash_stack(42); 121da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes } else if (!strcmp(arg, "stack-overflow")) { 1223808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes overflow_stack(NULL); 123da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes } else if (!strcmp(arg, "nostack")) { 1243808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes crashnostack(); 125da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes } else if (!strcmp(arg, "ctest")) { 1263808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes return ctest(); 127da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes } else if (!strcmp(arg, "exit")) { 1283808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes exit(1); 129855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes } else if (!strcmp(arg, "crash") || !strcmp(arg, "SIGSEGV")) { 1303808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes return crash(42); 131da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes } else if (!strcmp(arg, "abort")) { 132da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes maybe_abort(); 133da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes } else if (!strcmp(arg, "assert")) { 134da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes __assert("some_file.c", 123, "false"); 135da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes } else if (!strcmp(arg, "assert2")) { 136da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes __assert2("some_file.c", 123, "some_function", "false"); 137da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes } else if (!strcmp(arg, "LOG_ALWAYS_FATAL")) { 138da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes LOG_ALWAYS_FATAL("hello %s", "world"); 139da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes } else if (!strcmp(arg, "LOG_ALWAYS_FATAL_IF")) { 140da6b2e2fd79c9aac12127b2c2f512e9555fdd06dElliott Hughes LOG_ALWAYS_FATAL_IF(true, "hello %s", "world"); 141855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes } else if (!strcmp(arg, "SIGPIPE")) { 142855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes int pipe_fds[2]; 143855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes pipe(pipe_fds); 144855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes close(pipe_fds[0]); 145855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes write(pipe_fds[1], "oops", 4); 146855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes return EXIT_SUCCESS; 1476f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes } else if (!strcmp(arg, "heap-usage")) { 1486f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes abuse_heap(); 149aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes } 150aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes 1513808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes fprintf(stderr, "%s OP\n", __progname); 1523808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes fprintf(stderr, "where OP is:\n"); 153855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " smash-stack overwrite a stack-guard canary\n"); 154855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " stack-overflow recurse until the stack overflows\n"); 155855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " heap-corruption cause a libc abort by corrupting the heap\n"); 156855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " heap-usage cause a libc abort by abusing a heap function\n"); 157855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " nostack crash with a NULL stack pointer\n"); 158855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " ctest (obsoleted by thread-crash?)\n"); 159855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " exit call exit(1)\n"); 160855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " abort call abort()\n"); 161855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " assert call assert() without a function\n"); 162855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " assert2 call assert() with a function\n"); 163855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " LOG_ALWAYS_FATAL call LOG_ALWAYS_FATAL\n"); 164855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " LOG_ALWAYS_FATAL_IF call LOG_ALWAYS_FATAL\n"); 165855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " SIGPIPE cause a SIGPIPE\n"); 166855fcc3114c20ff9fd286fe1723d1413fec9685aElliott Hughes fprintf(stderr, " SIGSEGV cause a SIGSEGV (synonym: crash)\n"); 1673808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes fprintf(stderr, "prefix any of the above with 'thread-' to not run\n"); 1683808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes fprintf(stderr, "on the process' main thread.\n"); 1693808c4ecb4c2d4f05261e6631a765464b055d8b1Elliott Hughes return EXIT_SUCCESS; 170aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes} 171dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project 172aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughesint main(int argc, char **argv) 173aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes{ 174aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes fprintf(stderr,"crasher: built at " __TIME__ "!@\n"); 175dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project 176dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project if(argc > 1) { 177aa4213057ba1723e4f164e54f80bb7621c3cb6b3Elliott Hughes return do_action(argv[1]); 178dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project } else { 179dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project crash1(); 180dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project } 181dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project 1826f40cafd9fe90fb83536c31d84273bf3572e5a32Elliott Hughes return 0; 183dd7bc3319deb2b77c5d07a51b7d6cd7e11b5beb0The Android Open Source Project} 184