2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 * @brief Various functions to aid in debugging
21 * @copyright 2013 The FreeRADIUS server project
22 * @copyright 2013 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
25 #include <freeradius-devel/libradius.h>
29 * runtime backtrace functions are not POSIX but are included in
30 * glibc, OSX >= 10.5 and various BSDs
33 # include <execinfo.h>
36 #ifdef HAVE_SYS_PRCTL_H
37 # include <sys/prctl.h>
40 #ifdef HAVE_SYS_RESOURCE_H
41 # include <sys/resource.h>
45 # define PTHREAD_MUTEX_LOCK pthread_mutex_lock
46 # define PTHREAD_MUTEX_UNLOCK pthread_mutex_unlock
48 # define PTHREAD_MUTEX_LOCK(_x)
49 # define PTHREAD_MUTEX_UNLOCK(_x)
53 # define MAX_BT_FRAMES 128
54 # define MAX_BT_CBUFF 65536 //!< Should be a power of 2
56 # ifdef HAVE_PTHREAD_H
57 static pthread_mutex_t fr_debug_init = PTHREAD_MUTEX_INITIALIZER;
60 typedef struct fr_bt_info {
61 void *obj; //!< Memory address of the block of allocated memory.
62 void *frames[MAX_BT_FRAMES]; //!< Backtrace frame data
63 int count; //!< Number of frames stored
67 void *obj; //!< Pointer to the parent object, this is our needle
68 //!< when we iterate over the contents of the circular buffer.
69 fr_cbuff_t *cbuff; //!< Where we temporarily store the backtraces
73 static char panic_action[512]; //!< The command to execute when panicking.
74 static fr_fault_cb_t panic_cb = NULL; //!< Callback to execute whilst panicking, before the
76 static fr_fault_log_t fr_fault_log = NULL; //!< Function to use to process logging output.
77 static int fr_fault_log_fd = STDERR_FILENO; //!< Where to write debug output.
79 static int fr_debugger_present = -1; //!< Whether were attached to by a debugger.
81 #ifdef HAVE_SYS_RESOURCE_H
82 static struct rlimit core_limits;
85 /** Stub callback to see if the SIGTRAP handler is overriden
87 * @param signum signal raised.
89 static void _sigtrap_handler(UNUSED int signum)
91 fr_debugger_present = 0;
92 signal(SIGTRAP, SIG_DFL);
95 /** Break in debugger (if were running under a debugger)
97 * If the server is running under a debugger this will raise a
98 * SIGTRAP which will pause the running process.
100 * If the server is not running under debugger then this will do nothing.
102 void fr_debug_break(void)
104 if (fr_debugger_present == -1) {
105 fr_debugger_present = 0;
106 signal(SIGTRAP, _sigtrap_handler);
108 } else if (fr_debugger_present == 1) {
114 /** Generate a backtrace for an object during destruction
116 * If this is the first entry being inserted
118 static int _fr_do_bt(fr_bt_marker_t *marker)
122 if (!fr_assert(marker->obj) || !fr_assert(marker->cbuff)) {
126 bt = talloc_zero(marker->cbuff, fr_bt_info_t);
130 bt->count = backtrace(bt->frames, MAX_BT_FRAMES);
131 fr_cbuff_rp_insert(marker->cbuff, bt);
136 /** Print backtrace entry for a given object
138 * @param cbuff to search in.
139 * @param obj pointer to original object
141 void backtrace_print(fr_cbuff_t *cbuff, void *obj)
148 while ((p = fr_cbuff_rp_next(cbuff, NULL))) {
149 if ((p == obj) || !obj) {
151 frames = backtrace_symbols(p->frames, p->count);
153 fprintf(stderr, "Stacktrace for: %p\n", p);
154 for (i = 0; i < p->count; i++) {
155 fprintf(stderr, "%s\n", frames[i]);
158 /* We were only asked to look for one */
166 fprintf(stderr, "No backtrace available for %p", obj);
170 /** Inserts a backtrace marker into the provided context
172 * Allows for maximum laziness and will initialise a circular buffer if one has not already been created.
174 * Code augmentation should look something like:
176 // Create a static cbuffer pointer, the first call to backtrace_attach will initialise it
177 static fr_cbuff *my_obj_bt;
179 my_obj_t *alloc_my_obj(TALLOC_CTX *ctx) {
182 this = talloc(ctx, my_obj_t);
184 // Attach backtrace marker to object
185 backtrace_attach(&my_obj_bt, this);
191 * Then, later when a double free occurs:
193 (gdb) call backtrace_print(&my_obj_bt, <pointer to double freed memory>)
196 * which should print a limited backtrace to stderr. Note, this backtrace will not include any argument
197 * values, but should at least show the code path taken.
199 * @param cbuff this should be a pointer to a static *fr_cbuff.
200 * @param obj we want to generate a backtrace for.
202 fr_bt_marker_t *fr_backtrace_attach(fr_cbuff_t **cbuff, TALLOC_CTX *obj)
204 fr_bt_marker_t *marker;
206 if (*cbuff == NULL) {
207 PTHREAD_MUTEX_LOCK(&fr_debug_init);
208 /* Check again now we hold the mutex - eww*/
209 if (*cbuff == NULL) {
212 ctx = fr_autofree_ctx();
213 *cbuff = fr_cbuff_alloc(ctx, MAX_BT_CBUFF, true);
215 PTHREAD_MUTEX_UNLOCK(&fr_debug_init);
218 marker = talloc(obj, fr_bt_marker_t);
223 marker->obj = (void *) obj;
224 marker->cbuff = *cbuff;
226 talloc_set_destructor(marker, _fr_do_bt);
231 void backtrace_print(UNUSED fr_cbuff_t *cbuff, UNUSED void *obj)
233 fprintf(stderr, "Server built without fr_backtrace_* support, requires execinfo.h and possibly -lexecinfo\n");
235 fr_bt_marker_t *fr_backtrace_attach(UNUSED fr_cbuff_t **cbuff, UNUSED TALLOC_CTX *obj)
237 fprintf(stderr, "Server built without fr_backtrace_* support, requires execinfo.h and possibly -lexecinfo\n");
240 #endif /* ifdef HAVE_EXECINFO */
242 /** Set the dumpable flag, also controls whether processes can PATTACH
244 * @param dumpable whether we should allow core dumping
246 #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
247 static int fr_set_dumpable_flag(bool dumpable)
249 if (prctl(PR_SET_DUMPABLE, dumpable ? 1 : 0) < 0) {
250 fr_strerror_printf("Cannot re-enable core dumps: prctl(PR_SET_DUMPABLE) failed: %s",
258 static int fr_set_dumpable_flag(UNUSED bool dumpable)
260 fr_strerror_printf("Changing value of PR_DUMPABLE not supported on this system");
265 /** Get the processes dumpable flag
268 #if defined(HAVE_SYS_PRCTL_H) && defined(PR_GET_DUMPABLE)
269 static int fr_get_dumpable_flag(void)
273 ret = prctl(PR_GET_DUMPABLE);
275 fr_strerror_printf("Cannot get dumpable flag: %s", fr_syserror(errno));
280 * Linux is crazy and prctl sometimes returns 2 for disabled
282 if (ret != 1) return 0;
286 static int fr_get_dumpable_flag(void)
288 fr_strerror_printf("Getting value of PR_DUMPABLE not supported on this system");
294 /** Get the current maximum for core files
296 * Do this before anything else so as to ensure it's properly initialized.
298 int fr_set_dumpable_init(void)
300 #ifdef HAVE_SYS_RESOURCE_H
301 if (getrlimit(RLIMIT_CORE, &core_limits) < 0) {
302 fr_strerror_printf("Failed to get current core limit: %s", fr_syserror(errno));
309 /** Enable or disable core dumps
311 * @param allow_core_dumps whether to enable or disable core dumps.
313 int fr_set_dumpable(bool allow_core_dumps)
316 * If configured, turn core dumps off.
318 if (!allow_core_dumps) {
319 #ifdef HAVE_SYS_RESOURCE_H
320 struct rlimit no_core;
322 no_core.rlim_cur = 0;
323 no_core.rlim_max = 0;
325 if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
326 fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));
334 if (fr_set_dumpable_flag(true) < 0) return -1;
337 * Reset the core dump limits to their original value.
339 #ifdef HAVE_SYS_RESOURCE_H
340 if (setrlimit(RLIMIT_CORE, &core_limits) < 0) {
341 fr_strerror_printf("Cannot update core dump limit: %s", fr_syserror(errno));
349 /** Check to see if panic_action file is world writeable
351 * @return 0 if file is OK, else -1.
353 static int fr_fault_check_permissions(void)
361 * Try and guess which part of the command is the binary, and check to see if
362 * it's world writeable, to try and save the admin from their own stupidity.
364 * @fixme we should do this properly and take into account single and double
367 if ((q = strchr(panic_action, ' '))) {
369 * need to use a static buffer, because mallocing memory in a signal handler
370 * is a bad idea and can result in deadlock.
372 len = snprintf(filename, sizeof(filename), "%.*s", (int)(q - panic_action), panic_action);
373 if (is_truncated(len, sizeof(filename))) {
374 fr_strerror_printf("Failed writing panic_action to temporary buffer (truncated)");
382 if (stat(p, &statbuf) == 0) {
384 if ((statbuf.st_mode & S_IWOTH) != 0) {
385 fr_strerror_printf("panic_action file \"%s\" is globally writable", p);
394 /** Prints a simple backtrace (if execinfo is available) and calls panic_action if set.
398 void fr_fault(int sig)
400 char cmd[sizeof(panic_action) + 20];
402 size_t left = sizeof(cmd), ret;
404 char const *p = panic_action;
409 fr_fault_log("CAUGHT SIGNAL: %s\n", strsignal(sig));
412 * Check for administrator sanity.
414 if (fr_fault_check_permissions() < 0) {
415 fr_fault_log("Refusing to execute panic action: %s\n", fr_strerror());
420 * Run the callback if one was registered
422 if (panic_cb && (panic_cb(sig) < 0)) goto finish;
425 * Produce a simple backtrace - They've very basic but at least give us an
426 * idea of the area of the code we hit the issue in.
430 size_t frame_count, i;
431 void *stack[MAX_BT_FRAMES];
434 frame_count = backtrace(stack, MAX_BT_FRAMES);
436 fr_fault_log("Backtrace of last %zu frames:\n", frame_count);
439 * Only use backtrace_symbols() if we don't have a logging fd.
440 * If the server has experienced memory corruption, there's
441 * a high probability that calling backtrace_symbols() which
442 * mallocs more memory, will fail.
444 if (fr_fault_log_fd < 0) {
445 strings = backtrace_symbols(stack, frame_count);
446 for (i = 0; i < frame_count; i++) {
447 fr_fault_log("%s\n", strings[i]);
451 backtrace_symbols_fd(stack, frame_count, fr_fault_log_fd);
456 /* No panic action set... */
457 if (panic_action[0] == '\0') {
458 fr_fault_log("No panic action set\n");
462 /* Substitute %p for the current PID (useful for attaching a debugger) */
463 while ((q = strstr(p, "%p"))) {
464 out += ret = snprintf(out, left, "%.*s%d", (int) (q - p), p, (int) getpid());
467 fr_fault_log("Panic action too long");
473 if (strlen(p) >= left) goto oob;
474 strlcpy(out, p, left);
476 fr_fault_log("Calling: %s\n", cmd);
479 bool disable = false;
482 * Here we temporarily enable the dumpable flag so if GBD or LLDB
483 * is called in the panic_action, they can pattach tot he running
486 if (fr_get_dumpable_flag() == 0) {
487 if ((fr_set_dumpable_flag(true) < 0) || !fr_get_dumpable_flag()) {
488 fr_fault_log("Failed setting dumpable flag, pattach may not work: %s", fr_strerror());
492 fr_fault_log("Temporarily setting PR_DUMPABLE to 1");
498 * We only want to error out here, if dumpable was originally disabled
499 * and we managed to change the value to enabled, but failed
500 * setting it back to disabled.
503 fr_fault_log("Resetting PR_DUMPABLE to 0");
504 if (fr_set_dumpable_flag(false) < 0) {
505 fr_fault_log("Failed reseting dumpable flag to off: %s", fr_strerror());
506 fr_fault_log("Exiting due to insecure process state");
512 fr_fault_log("Panic action exited with %i", code);
516 if (sig == SIGUSR1) {
524 /** Work around debuggers which can't backtrace past the signal handler
526 * At least this provides us some information when we get talloc errors.
528 static void _fr_talloc_fault(char const *reason)
530 fr_fault_log("talloc abort: %s\n", reason);
535 /** Wrapper to pass talloc log output to our fr_fault_log function
538 static void _fr_talloc_log(char const *msg)
540 fr_fault_log("%s\n", msg);
543 /** Generate a talloc memory report for a context and print to stderr/stdout
545 * @param ctx to generate a report for, may be NULL in which case the root context is used.
547 int fr_log_talloc_report(TALLOC_CTX *ctx)
550 char const *null_ctx = NULL;
554 fd = dup(fr_fault_log_fd);
556 fr_strerror_printf("Couldn't write memory report, failed to dup log fd: %s", fr_syserror(errno));
559 log = fdopen(fd, "w");
562 fr_strerror_printf("Couldn't write memory report, fdopen failed: %s", fr_syserror(errno));
566 fprintf(log, "Current state of talloced memory:\n");
568 null_ctx = talloc_get_name(NULL);
572 talloc_report_full(NULL, log);
574 fprintf(log, "Context level %i", i++);
576 talloc_report_full(ctx, log);
577 } while ((ctx = talloc_parent(ctx)) && (talloc_get_name(ctx) != null_ctx)); /* Stop before we hit NULL ctx */
584 /** Signal handler to print out a talloc memory report
588 static void _fr_fault_mem_report(int sig)
590 fr_fault_log("CAUGHT SIGNAL: %s\n", strsignal(sig));
592 if (fr_log_talloc_report(NULL) < 0) fr_perror("memreport");
595 static int _fr_disable_null_tracking(UNUSED bool *p)
597 talloc_disable_null_tracking();
601 /** Registers signal handlers to execute panic_action on fatal signal
603 * May be called multiple time to change the panic_action/program.
605 * @param cmd to execute on fault. If present %p will be substituted
606 * for the parent PID before the command is executed, and %e
607 * will be substituted for the currently running program.
608 * @param program Name of program currently executing (argv[0]).
609 * @return 0 on success -1 on failure.
611 int fr_fault_setup(char const *cmd, char const *program)
613 static bool setup = false;
615 char *out = panic_action;
616 size_t left = sizeof(panic_action), ret;
622 /* Substitute %e for the current program */
623 while ((q = strstr(p, "%e"))) {
624 out += ret = snprintf(out, left, "%.*s%s", (int) (q - p), p, program ? program : "");
627 fr_strerror_printf("Panic action too long");
633 if (strlen(p) >= left) goto oob;
634 strlcpy(out, p, left);
636 *panic_action = '\0';
640 * Check for administrator sanity.
642 if (fr_fault_check_permissions() < 0) return -1;
644 /* Unsure what the side effects of changing the signal handler mid execution might be */
647 if (fr_set_signal(SIGSEGV, fr_fault) < 0) return -1;
650 if (fr_set_signal(SIGBUS, fr_fault) < 0) return -1;
653 if (fr_set_signal(SIGABRT, fr_fault) < 0) return -1;
655 * Use this instead of abort so we get a
656 * full backtrace with broken versions of LLDB
658 talloc_set_abort_fn(_fr_talloc_fault);
661 if (fr_set_signal(SIGFPE, fr_fault) < 0) return -1;
665 if (fr_set_signal(SIGUSR1, fr_fault) < 0) return -1;
669 if (fr_set_signal(SIGUSR2, _fr_fault_mem_report) < 0) return -1;
673 * Setup the default logger
675 if (!fr_fault_log) fr_fault_set_log_fn(NULL);
676 talloc_set_log_fn(_fr_talloc_log);
679 * Needed for memory reports
681 * Disable null tracking on exit, else valgrind complains
684 TALLOC_CTX *autofree;
687 talloc_enable_null_tracking();
689 autofree = talloc_autofree_context();
690 marker = talloc(autofree, bool);
691 talloc_set_destructor(marker, _fr_disable_null_tracking);
699 /** Set a callback to be called before fr_fault()
701 * @param func to execute. If callback returns < 0
702 * fr_fault will exit before running panic_action code.
704 void fr_fault_set_cb(fr_fault_cb_t func)
709 /** Default logger, logs output to stderr
712 static void CC_HINT(format (printf, 1, 2)) _fr_fault_log(char const *msg, ...)
717 vfprintf(stderr, msg, ap);
722 /** Set a file descriptor to log panic_action output to.
724 * @param func to call to output log messages.
726 void fr_fault_set_log_fn(fr_fault_log_t func)
728 fr_fault_log = func ? func : _fr_fault_log;
731 /** Set a file descriptor to log memory reports to.
733 * @param fd to write output to.
735 void fr_fault_set_log_fd(int fd)
737 fr_fault_log_fd = fd;
741 #ifdef WITH_VERIFY_PTR
744 * Verify a VALUE_PAIR
746 inline void fr_verify_vp(VALUE_PAIR const *vp)
748 (void) talloc_get_type_abort(vp, VALUE_PAIR);
750 if (vp->data.ptr) switch (vp->da->type) {
756 if (!talloc_get_type(vp->data.ptr, uint8_t)) {
757 fr_perror("Type check failed for attribute \"%s\"", vp->da->name);
758 (void) talloc_get_type_abort(vp->data.ptr, uint8_t);
761 len = talloc_array_length(vp->vp_octets);
762 if (vp->length > len) {
763 fr_perror("VALUE_PAIR length %zu does not equal uint8_t buffer length %zu", vp->length, len);
774 if (!talloc_get_type(vp->data.ptr, char)) {
775 fr_perror("Type check failed for attribute \"%s\"", vp->da->name);
776 (void) talloc_get_type_abort(vp->data.ptr, char);
779 len = (talloc_array_length(vp->vp_strvalue) - 1);
780 if (vp->length > len) {
781 fr_perror("VALUE_PAIR %s length %zu is too small for char buffer length %zu",
782 vp->da->name, vp->length, len);
786 if (vp->vp_strvalue[vp->length] != '\0') {
787 fr_perror("VALUE_PAIR %s buffer not \\0 terminated", vp->da->name);
802 void fr_verify_list(TALLOC_CTX *expected, VALUE_PAIR *vps)
808 for (vp = fr_cursor_init(&cursor, &vps);
810 vp = fr_cursor_next(&cursor)) {
813 parent = talloc_parent(vp);
814 if (expected && (parent != expected)) {
815 fr_perror("Expected VALUE_PAIR (%s) to be parented by %p (%s), "
816 "but parented by %p (%s)",
818 expected, talloc_get_name(expected),
819 parent, parent ? talloc_get_name(parent) : "NULL");
821 fr_log_talloc_report(expected);
822 if (parent) fr_log_talloc_report(parent);