1 /* Copyright (c) 2018, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #include "abi_test.h"
16 
17 #include <stdarg.h>
18 #include <stdio.h>
19 
20 #include <algorithm>
21 #include <array>
22 
23 #include <openssl/buf.h>
24 #include <openssl/mem.h>
25 #include <openssl/rand.h>
26 #include <openssl/span.h>
27 
28 #if defined(OPENSSL_X86_64) && defined(SUPPORTS_ABI_TEST)
29 #if defined(OPENSSL_LINUX) && defined(BORINGSSL_HAVE_LIBUNWIND)
30 #define SUPPORTS_UNWIND_TEST
31 #define UNW_LOCAL_ONLY
32 #include <errno.h>
33 #include <fcntl.h>
34 #include <libunwind.h>
35 #include <pthread.h>
36 #include <signal.h>
37 #include <stdlib.h>
38 #include <string.h>
39 #include <sys/stat.h>
40 #include <sys/types.h>
41 #include <unistd.h>
42 #elif defined(OPENSSL_WINDOWS)
43 #define SUPPORTS_UNWIND_TEST
44 OPENSSL_MSVC_PRAGMA(warning(push, 3))
45 #include <windows.h>
46 #include <dbghelp.h>
47 OPENSSL_MSVC_PRAGMA(warning(pop))
48 #endif
49 #endif  // X86_64 && SUPPORTS_ABI_TEST
50 
51 
52 namespace abi_test {
53 
54 namespace internal {
55 
56 static bool g_unwind_tests_enabled = false;
57 
FixVAArgsString(const char * str)58 std::string FixVAArgsString(const char *str) {
59   std::string ret = str;
60   size_t idx = ret.find(',');
61   if (idx == std::string::npos) {
62     return ret + "()";
63   }
64   size_t idx2 = idx + 1;
65   while (idx2 < ret.size() && ret[idx2] == ' ') {
66     idx2++;
67   }
68   while (idx > 0 && ret[idx - 1] == ' ') {
69     idx--;
70   }
71   return ret.substr(0, idx) + "(" + ret.substr(idx2) + ")";
72 }
73 
74 #if defined(SUPPORTS_ABI_TEST)
75 // ForEachMismatch calls |func| for each register where |a| and |b| differ.
76 template <typename Func>
ForEachMismatch(const CallerState & a,const CallerState & b,const Func & func)77 static void ForEachMismatch(const CallerState &a, const CallerState &b,
78                             const Func &func) {
79 #define CALLER_STATE_REGISTER(type, name) \
80   if (a.name != b.name) {                 \
81     func(#name);                          \
82   }
83   LOOP_CALLER_STATE_REGISTERS()
84 #undef CALLER_STATE_REGISTER
85 }
86 
87 // ReadUnwindResult adds the results of the most recent unwind test to |out|.
88 static void ReadUnwindResult(Result *out);
89 
RunTrampoline(Result * out,crypto_word_t func,const crypto_word_t * argv,size_t argc,bool unwind)90 crypto_word_t RunTrampoline(Result *out, crypto_word_t func,
91                             const crypto_word_t *argv, size_t argc,
92                             bool unwind) {
93   CallerState state;
94   RAND_bytes(reinterpret_cast<uint8_t *>(&state), sizeof(state));
95 
96   unwind &= g_unwind_tests_enabled;
97   CallerState state2 = state;
98   crypto_word_t ret = abi_test_trampoline(func, &state2, argv, argc, unwind);
99 #if defined(OPENSSL_X86_64) || defined(OPENSSL_X86)
100   // Query and clear the direction flag early, so negative tests do not
101   // interfere with |malloc|.
102   bool direction_flag = abi_test_get_and_clear_direction_flag();
103 #endif  // OPENSSL_X86_64 || OPENSSL_X86
104 
105   *out = Result();
106   ForEachMismatch(state, state2, [&](const char *reg) {
107     out->errors.push_back(std::string(reg) + " was not restored after return");
108   });
109 #if defined(OPENSSL_X86_64) || defined(OPENSSL_X86)
110   // Linux and Windows ABIs for x86 require the direction flag be cleared on
111   // return. (Some OpenSSL assembly preserves it, which is stronger, but we only
112   // require what is specified by the ABI so |CHECK_ABI| works with C compiler
113   // output.)
114   if (direction_flag) {
115     out->errors.emplace_back("Direction flag set after return");
116   }
117 #endif  // OPENSSL_X86_64 || OPENSSL_X86
118   if (unwind) {
119     ReadUnwindResult(out);
120   }
121   return ret;
122 }
123 #endif  // SUPPORTS_ABI_TEST
124 
125 #if defined(SUPPORTS_UNWIND_TEST)
126 // We test unwind metadata by running the function under test with the trap flag
127 // set. This results in |SIGTRAP| and |EXCEPTION_SINGLE_STEP| on Linux and
128 // Windows, respectively. We hande these and verify libunwind or the Windows
129 // unwind APIs unwind successfully.
130 
131 // IsAncestorStackFrame returns true if |a_sp| is an ancestor stack frame of
132 // |b_sp|.
IsAncestorStackFrame(crypto_word_t a_sp,crypto_word_t b_sp)133 static bool IsAncestorStackFrame(crypto_word_t a_sp, crypto_word_t b_sp) {
134 #if defined(OPENSSL_X86_64)
135   // The stack grows down, so ancestor stack frames have higher addresses.
136   return a_sp > b_sp;
137 #else
138 #error "unknown architecture"
139 #endif
140 }
141 
142 // Implement some string formatting utilties. Ideally we would use |snprintf|,
143 // but this is called in a signal handler and |snprintf| is not async-signal-
144 // safe.
145 
146 #if !defined(OPENSSL_WINDOWS)
WordToDecimal(crypto_word_t v)147 static std::array<char, DECIMAL_SIZE(crypto_word_t) + 1> WordToDecimal(
148     crypto_word_t v) {
149   std::array<char, DECIMAL_SIZE(crypto_word_t) + 1> ret;
150   size_t len = 0;
151   do {
152     ret[len++] = '0' + v % 10;
153     v /= 10;
154   } while (v != 0);
155   for (size_t i = 0; i < len / 2; i++) {
156     std::swap(ret[i], ret[len - 1 - i]);
157   }
158   ret[len] = '\0';
159   return ret;
160 }
161 #endif  // !OPENSSL_WINDOWS
162 
WordToHex(crypto_word_t v)163 static std::array<char, sizeof(crypto_word_t) * 2 + 1> WordToHex(
164     crypto_word_t v) {
165   static const char kHex[] = "0123456789abcdef";
166   std::array<char, sizeof(crypto_word_t) * 2 + 1> ret;
167   for (size_t i = sizeof(crypto_word_t) - 1; i < sizeof(crypto_word_t); i--) {
168     uint8_t b = v & 0xff;
169     v >>= 8;
170     ret[i * 2] = kHex[b >> 4];
171     ret[i * 2 + 1] = kHex[b & 0xf];
172   }
173   ret[sizeof(crypto_word_t) * 2] = '\0';
174   return ret;
175 }
176 
StrCatSignalSafeImpl(bssl::Span<char> out)177 static void StrCatSignalSafeImpl(bssl::Span<char> out) {}
178 
179 template <typename... Args>
StrCatSignalSafeImpl(bssl::Span<char> out,const char * str,Args...args)180 static void StrCatSignalSafeImpl(bssl::Span<char> out, const char *str,
181                                  Args... args) {
182   BUF_strlcat(out.data(), str, out.size());
183   StrCatSignalSafeImpl(out, args...);
184 }
185 
186 template <typename... Args>
StrCatSignalSafe(bssl::Span<char> out,Args...args)187 static void StrCatSignalSafe(bssl::Span<char> out, Args... args) {
188   if (out.empty()) {
189     return;
190   }
191   out[0] = '\0';
192   StrCatSignalSafeImpl(out, args...);
193 }
194 
195 template <typename... Args>
FatalError(Args...args)196 [[noreturn]] static void FatalError(Args... args) {
197   // We cannot use |snprintf| here because it is not async-signal-safe.
198   char buf[512];
199   StrCatSignalSafe(buf, args..., "\n");
200 #if defined(OPENSSL_WINDOWS)
201   HANDLE stderr_handle = GetStdHandle(STD_ERROR_HANDLE);
202   if (stderr_handle != INVALID_HANDLE_VALUE) {
203     DWORD unused;
204     WriteFile(stderr_handle, buf, strlen(buf), &unused, nullptr);
205   }
206 #else
207   write(STDERR_FILENO, buf, strlen(buf));
208 #endif
209   abort();
210 }
211 
212 class UnwindStatus {
213  public:
UnwindStatus()214   UnwindStatus() : err_(nullptr) {}
UnwindStatus(const char * err)215   explicit UnwindStatus(const char *err) : err_(err) {}
216 
ok() const217   bool ok() const { return err_ == nullptr; }
Error() const218   const char *Error() const { return err_; }
219 
220  private:
221   const char *err_;
222 };
223 
224 template<typename T>
225 class UnwindStatusOr {
226  public:
UnwindStatusOr(UnwindStatus status)227   UnwindStatusOr(UnwindStatus status) : status_(status) {
228     assert(!status_.ok());
229   }
230 
UnwindStatusOr(const T & value)231   UnwindStatusOr(const T &value) : status_(UnwindStatus()), value_(value) {}
232 
ok() const233   bool ok() const { return status_.ok(); }
Error() const234   const char *Error() const { return status_.Error(); }
235 
ValueOrDie(const char * msg="Unexpected error") const236   const T &ValueOrDie(const char *msg = "Unexpected error") const {
237     if (!ok()) {
238       FatalError(msg, ": ", Error());
239     }
240     return value_;
241   }
242 
243  private:
244   UnwindStatus status_;
245   T value_;
246 };
247 
248 // UnwindCursor abstracts between libunwind and Windows unwind APIs. It is
249 // async-signal-safe.
250 #if defined(OPENSSL_WINDOWS)
251 class UnwindCursor {
252  public:
UnwindCursor(const CONTEXT & ctx)253   explicit UnwindCursor(const CONTEXT &ctx) : ctx_(ctx) {
254     starting_ip_ = ctx_.Rip;
255   }
256 
starting_ip() const257   crypto_word_t starting_ip() const { return starting_ip_; }
258 
259   // Step unwinds the cursor by one frame. On success, it returns whether there
260   // were more frames to unwind.
Step()261   UnwindStatusOr<bool> Step() {
262     bool is_top = is_top_;
263     is_top_ = false;
264 
265     DWORD64 image_base;
266     RUNTIME_FUNCTION *entry =
267         RtlLookupFunctionEntry(ctx_.Rip, &image_base, nullptr);
268     if (entry == nullptr) {
269       // This is a leaf function. Leaf functions do not touch stack or
270       // callee-saved registers, so they may be unwound by simulating a ret.
271       if (!is_top) {
272         return UnwindStatus("leaf function found below the top frame");
273       }
274       memcpy(&ctx_.Rip, reinterpret_cast<const void *>(ctx_.Rsp),
275              sizeof(ctx_.Rip));
276       ctx_.Rsp += 8;
277       return true;
278     }
279 
280     // This is a frame function. Call into the Windows unwinder.
281     void *handler_data;
282     DWORD64 establisher_frame;
283     RtlVirtualUnwind(UNW_FLAG_NHANDLER, image_base, ctx_.Rip, entry, &ctx_,
284                      &handler_data, &establisher_frame, nullptr);
285     return ctx_.Rip != 0;
286   }
287 
288   // GetIP returns the instruction pointer at the current frame.
GetIP()289   UnwindStatusOr<crypto_word_t> GetIP() { return ctx_.Rip; }
290 
291   // GetSP returns the stack pointer at the current frame.
GetSP()292   UnwindStatusOr<crypto_word_t> GetSP() { return ctx_.Rsp; }
293 
294   // GetCallerState returns the callee-saved registers at the current frame.
GetCallerState()295   UnwindStatusOr<CallerState> GetCallerState() {
296     CallerState state;
297     state.rbx = ctx_.Rbx;
298     state.rbp = ctx_.Rbp;
299     state.rdi = ctx_.Rdi;
300     state.rsi = ctx_.Rsi;
301     state.r12 = ctx_.R12;
302     state.r13 = ctx_.R13;
303     state.r14 = ctx_.R14;
304     state.r15 = ctx_.R15;
305     memcpy(&state.xmm6, &ctx_.Xmm6, sizeof(Reg128));
306     memcpy(&state.xmm7, &ctx_.Xmm7, sizeof(Reg128));
307     memcpy(&state.xmm8, &ctx_.Xmm8, sizeof(Reg128));
308     memcpy(&state.xmm9, &ctx_.Xmm9, sizeof(Reg128));
309     memcpy(&state.xmm10, &ctx_.Xmm10, sizeof(Reg128));
310     memcpy(&state.xmm11, &ctx_.Xmm11, sizeof(Reg128));
311     memcpy(&state.xmm12, &ctx_.Xmm12, sizeof(Reg128));
312     memcpy(&state.xmm13, &ctx_.Xmm13, sizeof(Reg128));
313     memcpy(&state.xmm14, &ctx_.Xmm14, sizeof(Reg128));
314     memcpy(&state.xmm15, &ctx_.Xmm15, sizeof(Reg128));
315     return state;
316   }
317 
318   // ToString returns a human-readable representation of the address the cursor
319   // started at.
ToString()320   const char *ToString() {
321     StrCatSignalSafe(starting_ip_buf_, "0x", WordToHex(starting_ip_).data());
322     return starting_ip_buf_;
323   }
324 
325  private:
326   CONTEXT ctx_;
327   crypto_word_t starting_ip_;
328   char starting_ip_buf_[64];
329   bool is_top_ = true;
330 };
331 #else  // !OPENSSL_WINDOWS
332 class UnwindCursor {
333  public:
UnwindCursor(unw_context_t * ctx)334   explicit UnwindCursor(unw_context_t *ctx) : ctx_(ctx) {
335     int ret = InitAtSignalFrame(&cursor_);
336     if (ret < 0) {
337       FatalError("Error getting unwind context: ", unw_strerror(ret));
338     }
339     starting_ip_ = GetIP().ValueOrDie("Error getting instruction pointer");
340   }
341 
342   // Step unwinds the cursor by one frame. On success, it returns whether there
343   // were more frames to unwind.
Step()344   UnwindStatusOr<bool> Step() {
345     int ret = unw_step(&cursor_);
346     if (ret < 0) {
347       return UNWError(ret);
348     }
349     return ret != 0;
350   }
351 
352   // GetIP returns the instruction pointer at the current frame.
GetIP()353   UnwindStatusOr<crypto_word_t> GetIP() {
354     crypto_word_t ip;
355     int ret = GetReg(&ip, UNW_REG_IP);
356     if (ret < 0) {
357       return UNWError(ret);
358     }
359     return ip;
360   }
361 
362   // GetSP returns the stack pointer at the current frame.
GetSP()363   UnwindStatusOr<crypto_word_t> GetSP() {
364     crypto_word_t sp;
365     int ret = GetReg(&sp, UNW_REG_SP);
366     if (ret < 0) {
367       return UNWError(ret);
368     }
369     return sp;
370   }
371 
372   // GetCallerState returns the callee-saved registers at the current frame.
GetCallerState()373   UnwindStatusOr<CallerState> GetCallerState() {
374     CallerState state;
375     int ret = 0;
376 #if defined(OPENSSL_X86_64)
377     ret = ret < 0 ? ret : GetReg(&state.rbx, UNW_X86_64_RBX);
378     ret = ret < 0 ? ret : GetReg(&state.rbp, UNW_X86_64_RBP);
379     ret = ret < 0 ? ret : GetReg(&state.r12, UNW_X86_64_R12);
380     ret = ret < 0 ? ret : GetReg(&state.r13, UNW_X86_64_R13);
381     ret = ret < 0 ? ret : GetReg(&state.r14, UNW_X86_64_R14);
382     ret = ret < 0 ? ret : GetReg(&state.r15, UNW_X86_64_R15);
383 #else
384 #error "unknown architecture"
385 #endif
386     if (ret < 0) {
387       return UNWError(ret);
388     }
389     return state;
390   }
391 
392   // ToString returns a human-readable representation of the address the cursor
393   // started at, using debug information if available.
ToString()394   const char *ToString() {
395     // Use a new cursor. |cursor_| has already been unwound, and
396     // |unw_get_proc_name| is slow so we do not sample it unconditionally in the
397     // constructor.
398     unw_cursor_t cursor;
399     unw_word_t off;
400     if (InitAtSignalFrame(&cursor) != 0 ||
401         unw_get_proc_name(&cursor, starting_ip_buf_, sizeof(starting_ip_buf_),
402                           &off) != 0) {
403       StrCatSignalSafe(starting_ip_buf_, "0x", WordToHex(starting_ip_).data());
404       return starting_ip_buf_;
405     }
406     size_t len = strlen(starting_ip_buf_);
407     // Print the offset in decimal, to match gdb's disassembly output and ease
408     // debugging.
409     StrCatSignalSafe(bssl::Span<char>(starting_ip_buf_).subspan(len), "+",
410                      WordToDecimal(off).data(), " (0x",
411                      WordToHex(starting_ip_).data(), ")");
412     return starting_ip_buf_;
413   }
414 
415  private:
UNWError(int ret)416   static UnwindStatus UNWError(int ret) {
417     assert(ret < 0);
418     const char *msg = unw_strerror(ret);
419     return UnwindStatus(msg == nullptr ? "unknown error" : msg);
420   }
421 
InitAtSignalFrame(unw_cursor_t * cursor)422   int InitAtSignalFrame(unw_cursor_t *cursor) {
423     // Work around a bug in libunwind which breaks rax and rdx recovery. This
424     // breaks functions which temporarily use rax as the CFA register. See
425     // https://git.savannah.gnu.org/gitweb/?p=libunwind.git;a=commit;h=819bf51bbd2da462c2ec3401e8ac9153b6e725e3
426     OPENSSL_memset(cursor, 0, sizeof(*cursor));
427     int ret = unw_init_local(cursor, ctx_);
428     if (ret < 0) {
429       return ret;
430     }
431     for (;;) {
432       ret = unw_is_signal_frame(cursor);
433       if (ret < 0) {
434         return ret;
435       }
436       if (ret != 0) {
437         return 0;  // Found the signal frame.
438       }
439       ret = unw_step(cursor);
440       if (ret < 0) {
441         return ret;
442       }
443     }
444   }
445 
GetReg(crypto_word_t * out,unw_regnum_t reg)446   int GetReg(crypto_word_t *out, unw_regnum_t reg) {
447     unw_word_t val;
448     int ret = unw_get_reg(&cursor_, reg, &val);
449     if (ret >= 0) {
450       static_assert(sizeof(crypto_word_t) == sizeof(unw_word_t),
451                     "crypto_word_t and unw_word_t are inconsistent");
452       *out = val;
453     }
454     return ret;
455   }
456 
457   unw_context_t *ctx_;
458   unw_cursor_t cursor_;
459   crypto_word_t starting_ip_;
460   char starting_ip_buf_[64];
461 };
462 #endif  // OPENSSL_WINDOWS
463 
464 // g_in_trampoline is true if we are in an instrumented |abi_test_trampoline|
465 // call, in the region that triggers |SIGTRAP|.
466 static bool g_in_trampoline = false;
467 // g_unwind_function_done, if |g_in_trampoline| is true, is whether the function
468 // under test has returned. It is undefined otherwise.
469 static bool g_unwind_function_done;
470 // g_trampoline_state, if |g_in_trampoline| is true, is the state the function
471 // under test must preserve. It is undefined otherwise.
472 static CallerState g_trampoline_state;
473 // g_trampoline_sp, if |g_in_trampoline| is true, is the stack pointer of the
474 // trampoline frame. It is undefined otherwise.
475 static crypto_word_t g_trampoline_sp;
476 
477 // kMaxUnwindErrors is the maximum number of unwind errors reported per
478 // function. If a function's unwind tables are wrong, we are otherwise likely to
479 // repeat the same error at multiple addresses.
480 static constexpr size_t kMaxUnwindErrors = 10;
481 
482 // Errors are saved in a signal handler. We use a static buffer to avoid
483 // allocation.
484 static size_t g_num_unwind_errors = 0;
485 
486 struct UnwindError {
487 #if defined(OPENSSL_WINDOWS)
488   crypto_word_t ip;
489 #endif
490   char str[512];
491 };
492 
493 static UnwindError g_unwind_errors[kMaxUnwindErrors];
494 
495 template <typename... Args>
AddUnwindError(UnwindCursor * cursor,Args...args)496 static void AddUnwindError(UnwindCursor *cursor, Args... args) {
497   if (g_num_unwind_errors >= kMaxUnwindErrors) {
498     return;
499   }
500 #if defined(OPENSSL_WINDOWS)
501   // Windows symbol functions should not be called when handling an
502   // exception. Stash the instruction pointer, to be symbolized later.
503   g_unwind_errors[g_num_unwind_errors].ip = cursor->starting_ip();
504   StrCatSignalSafe(g_unwind_errors[g_num_unwind_errors].str, args...);
505 #else
506   StrCatSignalSafe(g_unwind_errors[g_num_unwind_errors].str,
507                    "unwinding at ", cursor->ToString(), ": ", args...);
508 #endif
509   g_num_unwind_errors++;
510 }
511 
CheckUnwind(UnwindCursor * cursor)512 static void CheckUnwind(UnwindCursor *cursor) {
513   const crypto_word_t kStartAddress =
514       reinterpret_cast<crypto_word_t>(&abi_test_unwind_start);
515   const crypto_word_t kReturnAddress =
516       reinterpret_cast<crypto_word_t>(&abi_test_unwind_return);
517   const crypto_word_t kStopAddress =
518       reinterpret_cast<crypto_word_t>(&abi_test_unwind_stop);
519 
520   crypto_word_t sp = cursor->GetSP().ValueOrDie("Error getting stack pointer");
521   crypto_word_t ip =
522       cursor->GetIP().ValueOrDie("Error getting instruction pointer");
523   if (!g_in_trampoline) {
524     if (ip != kStartAddress) {
525       FatalError("Unexpected SIGTRAP at ", cursor->ToString());
526     }
527 
528     // Save the current state and begin.
529     g_in_trampoline = true;
530     g_unwind_function_done = false;
531     g_trampoline_sp = sp;
532     g_trampoline_state = cursor->GetCallerState().ValueOrDie(
533         "Error getting initial caller state");
534   } else {
535     if (sp == g_trampoline_sp || g_unwind_function_done) {
536       // |g_unwind_function_done| should imply |sp| is |g_trampoline_sp|, but
537       // clearing the trap flag in x86 briefly displaces the stack pointer.
538       //
539       // Also note we check both |ip| and |sp| below, in case the function under
540       // test is also |abi_test_trampoline|.
541       if (ip == kReturnAddress && sp == g_trampoline_sp) {
542         g_unwind_function_done = true;
543       }
544       if (ip == kStopAddress && sp == g_trampoline_sp) {
545         // |SIGTRAP| is fatal again.
546         g_in_trampoline = false;
547       }
548     } else if (IsAncestorStackFrame(sp, g_trampoline_sp)) {
549       // This should never happen. We went past |g_trampoline_sp| without
550       // stopping at |kStopAddress|.
551       AddUnwindError(cursor, "stack frame is before caller");
552       g_in_trampoline = false;
553     } else if (g_num_unwind_errors < kMaxUnwindErrors) {
554       for (;;) {
555         UnwindStatusOr<bool> step_ret = cursor->Step();
556         if (!step_ret.ok()) {
557           AddUnwindError(cursor, "error unwinding: ", step_ret.Error());
558           break;
559         }
560         // |Step| returns whether there was a frame to unwind.
561         if (!step_ret.ValueOrDie()) {
562           AddUnwindError(cursor, "could not unwind to starting frame");
563           break;
564         }
565 
566         UnwindStatusOr<crypto_word_t> cur_sp = cursor->GetSP();
567         if (!cur_sp.ok()) {
568           AddUnwindError(cursor,
569                          "error recovering stack pointer: ", cur_sp.Error());
570           break;
571         }
572         if (IsAncestorStackFrame(cur_sp.ValueOrDie(), g_trampoline_sp)) {
573           AddUnwindError(cursor, "unwound past starting frame");
574           break;
575         }
576         if (cur_sp.ValueOrDie() == g_trampoline_sp) {
577           // We found the parent frame. Check the return address.
578           UnwindStatusOr<crypto_word_t> cur_ip = cursor->GetIP();
579           if (!cur_ip.ok()) {
580             AddUnwindError(cursor,
581                            "error recovering return address: ", cur_ip.Error());
582           } else if (cur_ip.ValueOrDie() != kReturnAddress) {
583             AddUnwindError(cursor, "wrong return address");
584           }
585 
586           // Check the remaining registers.
587           UnwindStatusOr<CallerState> state = cursor->GetCallerState();
588           if (!state.ok()) {
589             AddUnwindError(cursor,
590                            "error recovering registers: ", state.Error());
591           } else {
592             ForEachMismatch(state.ValueOrDie(), g_trampoline_state,
593                             [&](const char *reg) {
594                               AddUnwindError(cursor, reg, " was not recovered");
595                             });
596           }
597           break;
598         }
599       }
600     }
601   }
602 }
603 
ReadUnwindResult(Result * out)604 static void ReadUnwindResult(Result *out) {
605   for (size_t i = 0; i < g_num_unwind_errors; i++) {
606 #if defined(OPENSSL_WINDOWS)
607     const crypto_word_t ip = g_unwind_errors[i].ip;
608     char buf[256];
609     DWORD64 displacement;
610     struct {
611       SYMBOL_INFO info;
612       char name_buf[128];
613     } symbol;
614     memset(&symbol, 0, sizeof(symbol));
615     symbol.info.SizeOfStruct = sizeof(symbol.info);
616     symbol.info.MaxNameLen = sizeof(symbol.name_buf);
617     if (SymFromAddr(GetCurrentProcess(), ip, &displacement, &symbol.info)) {
618       snprintf(buf, sizeof(buf), "unwinding at %s+%llu (0x%s): %s",
619                symbol.info.Name, displacement, WordToHex(ip).data(),
620                g_unwind_errors[i].str);
621     } else {
622       snprintf(buf, sizeof(buf), "unwinding at 0x%s: %s",
623                WordToHex(ip).data(), g_unwind_errors[i].str);
624     }
625     out->errors.emplace_back(buf);
626 #else
627     out->errors.emplace_back(g_unwind_errors[i].str);
628 #endif
629   }
630   if (g_num_unwind_errors == kMaxUnwindErrors) {
631     out->errors.emplace_back("(additional errors omitted)");
632   }
633   g_num_unwind_errors = 0;
634 }
635 
636 #if defined(OPENSSL_WINDOWS)
637 static DWORD g_main_thread;
638 
ExceptionHandler(EXCEPTION_POINTERS * info)639 static long ExceptionHandler(EXCEPTION_POINTERS *info) {
640   if (info->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP ||
641       GetCurrentThreadId() != g_main_thread) {
642     return EXCEPTION_CONTINUE_SEARCH;
643   }
644 
645   UnwindCursor cursor(*info->ContextRecord);
646   CheckUnwind(&cursor);
647   if (g_in_trampoline) {
648     // Windows clears the trap flag, so we must restore it.
649     info->ContextRecord->EFlags |= 0x100;
650   }
651   return EXCEPTION_CONTINUE_EXECUTION;
652 }
653 
EnableUnwindTestsImpl()654 static void EnableUnwindTestsImpl() {
655   if (IsDebuggerPresent()) {
656     // Unwind tests drive logic via |EXCEPTION_SINGLE_STEP|, which conflicts with
657     // debuggers.
658     fprintf(stderr, "Debugger detected. Disabling unwind tests.\n");
659     return;
660   }
661 
662   g_main_thread = GetCurrentThreadId();
663 
664   SymSetOptions(SYMOPT_DEFERRED_LOADS);
665   if (!SymInitialize(GetCurrentProcess(), nullptr, TRUE)) {
666     fprintf(stderr, "Could not initialize symbols.\n");
667   }
668 
669   if (AddVectoredExceptionHandler(0, ExceptionHandler) == nullptr) {
670     fprintf(stderr, "Error installing exception handler.\n");
671     abort();
672   }
673 
674   g_unwind_tests_enabled = true;
675 }
676 #else  // !OPENSSL_WINDOWS
677 // HandleEINTR runs |func| and returns the result, retrying the operation on
678 // |EINTR|.
679 template <typename Func>
HandleEINTR(const Func & func)680 static auto HandleEINTR(const Func &func) -> decltype(func()) {
681   decltype(func()) ret;
682   do {
683     ret = func();
684   } while (ret < 0 && errno == EINTR);
685   return ret;
686 }
687 
ReadFileToString(std::string * out,const char * path)688 static bool ReadFileToString(std::string *out, const char *path) {
689   out->clear();
690 
691   int fd = HandleEINTR([&] { return open(path, O_RDONLY); });
692   if (fd < 0) {
693     return false;
694   }
695 
696   for (;;) {
697     char buf[1024];
698     ssize_t ret = HandleEINTR([&] { return read(fd, buf, sizeof(buf)); });
699     if (ret < 0) {
700       close(fd);
701       return false;
702     }
703     if (ret == 0) {
704       close(fd);
705       return true;
706     }
707     out->append(buf, static_cast<size_t>(ret));
708   }
709 }
710 
IsBeingDebugged()711 static bool IsBeingDebugged() {
712   std::string status;
713   if (!ReadFileToString(&status, "/proc/self/status")) {
714     perror("error reading /proc/self/status");
715     return false;
716   }
717   std::string key = "\nTracerPid:\t";
718   size_t idx = status.find(key);
719   if (idx == std::string::npos) {
720     return false;
721   }
722   idx += key.size();
723   return idx < status.size() && status[idx] != '0';
724 }
725 
726 static pthread_t g_main_thread;
727 
TrapHandler(int sig)728 static void TrapHandler(int sig) {
729   // Note this is a signal handler, so only async-signal-safe functions may be
730   // used here. See signal-safety(7). libunwind promises local unwind is
731   // async-signal-safe.
732 
733   // |pthread_equal| is not listed as async-signal-safe, but this is clearly an
734   // oversight.
735   if (!pthread_equal(g_main_thread, pthread_self())) {
736     FatalError("SIGTRAP on background thread");
737   }
738 
739   unw_context_t ctx;
740   int ret = unw_getcontext(&ctx);
741   if (ret < 0) {
742     FatalError("Error getting unwind context: ", unw_strerror(ret));
743   }
744 
745   UnwindCursor cursor(&ctx);
746   CheckUnwind(&cursor);
747 }
748 
EnableUnwindTestsImpl()749 static void EnableUnwindTestsImpl() {
750   if (IsBeingDebugged()) {
751     // Unwind tests drive logic via |SIGTRAP|, which conflicts with debuggers.
752     fprintf(stderr, "Debugger detected. Disabling unwind tests.\n");
753     return;
754   }
755 
756   g_main_thread = pthread_self();
757 
758   struct sigaction trap_action;
759   OPENSSL_memset(&trap_action, 0, sizeof(trap_action));
760   sigemptyset(&trap_action.sa_mask);
761   trap_action.sa_handler = TrapHandler;
762   if (sigaction(SIGTRAP, &trap_action, NULL) != 0) {
763     perror("sigaction");
764     abort();
765   }
766 
767   g_unwind_tests_enabled = true;
768 }
769 #endif  // OPENSSL_WINDOWS
770 
771 #else  // !SUPPORTS_UNWIND_TEST
772 
773 #if defined(SUPPORTS_ABI_TEST)
ReadUnwindResult(Result *)774 static void ReadUnwindResult(Result *) {}
775 #endif
EnableUnwindTestsImpl()776 static void EnableUnwindTestsImpl() {}
777 
778 #endif  // SUPPORTS_UNWIND_TEST
779 
780 }  // namespace internal
781 
EnableUnwindTests()782 void EnableUnwindTests() { internal::EnableUnwindTestsImpl(); }
783 
UnwindTestsEnabled()784 bool UnwindTestsEnabled() { return internal::g_unwind_tests_enabled; }
785 
786 }  // namespace abi_test
787