Hooking signals and dumping the callstack


Published on

Hooking signals and dumping the callstack

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Hooking signals and dumping the callstack

  1. 1. Hooking the signals and dumping the backtraces Thierry GAYET
  2. 2. GOAL  The main goal of this document is to provide some information about the signal handling used for dumping the bacltrace due after a crash.
  3. 3. A backtrace is a list of the function calls that are currently active in a thread. The usual way to inspect a backtrace of a program is to use an external debugger such as gdb. H owever, sometimes it is useful to obtain a backtrace programmatically from within a program, e.g., for the purposes of logging or diagnostics. The header file `execinfo.h' declares three functions that obtain and manipulate backtraces of the current thread.  Function: int backtrace(void **buffer, int size) The backtrace function obtains a backtrace for the current thread, as a list of pointers, and places the information into buffer. The argument size should be the number of void * elements that will fit into buffer. The return value is the actual number of entries of buffer that are obtained, and is at most size. The pointers placed in buffer are actually return addresses obtained by inspecting the stack, one return address per stack frame. Note that certain compiler optimizations may interfere with obtaining a valid backtrace. Function inlining causes the inlined function to not have a stack frame; tail call optimization replaces one stack frame with another; frame pointer elimination will stop backtrace from interpreting the stack contents correctly. Usage
  4. 4.  Function: char ** backtrace_symbols (void *const *buffer, int size) The backtrace_symbols function translates the information obtained from the backtrace function into an array of strings. The argument buffer should be a pointer to an array of addresses obtained via the backtrace function, and size is the number of entries in that array (the return value of backtrace). The return value is a pointer to an array of strings, which has size entries just like the array buffer. Each string contains a printable representation of the corresponding element of buffer. It includes the function name (if this can be determined), an offset into the function, and the actual return address (in hexadecimal). Currently, the function name and offset only be obtained on systems that use the ELF binary format for programs and libraries. On other systems, only the hexadecimal return address will be present. Also, you may need to pass additional flags to the linker to make the function names available to the program. (For example, on systems using GNU ld, you must pass (-rdynamic.) The return value of backtrace_symbols is a pointer obtained via the malloc function, and it is the responsibility of the caller to free that pointer. Note that only the return value need be freed, not the individual strings. The return value is NULL if sufficient memory for the strings cannot be obtained. Usage
  5. 5.  Function: void backtrace_symbols_fd (void *const *buffer, int size, int fd) The backtrace_symbols_fd function performs the same translation as the function backtrace_symbols function. Instead of returning the strings to the caller, it writes the strings to the file descriptor fd, one per line. It does not use the malloc function, and can therefore be used in situations where that function might fail. The following program illustrates the use of these functions. Note that the array to contain the return addresses returned by backtrace is allocated on the stack. Therefore code like this can be used in situations where the memory handling via malloc does not work anymore (in which case the backtrace_symbols has to be replaced by a backtrace_symbols_fd call as well). The number of return addresses is normally not very large. Even complicated programs rather seldom have a nesting level of more than, say, 50 and with 200 possible entries probably all programs should be covered. Usage
  6. 6. #include <execinfo.h> #include <stdio.h> #include <stdlib.h> /* Obtain a backtrace and print it to stdout. */ void print_trace(void) { void* array[10]; size_t size; char** strings; size_t i; size = backtrace(array, 10); strings = backtrace_symbols(array, size); printf (&quot;Obtained %zd stack frames.n&quot;, size); for (i = 0; i < size; i++) { printf (&quot;%sn&quot;, strings[i]); } /* FOR */ free (strings); } /* print_trace */ /* A dummy function to make the backtrace more interesting. */ void dummy_function(void) { print_trace(); } /* dummy_function */ Int main(void) { dummy_function (); return 0; } First example
  7. 7. #include <stdio.h> #include <stdlib.h> #include <signal.h> #include <unistd.h> #include <sys/times.h> #include <sys/ucontext.h> #include <asm/unistd.h> #include <execinfo.h> struct dict_entry { int num; const char *s; }; #define DICT_ENTRY_END { -1, NULL } #define PRINTF(fmt...) fprintf(stderr,fmt); static int mainpid=0; /* * Simple dictionary * Search an array terminated by an entry with s field set to NULL * If number not found, return &quot;(unknown)&quot; string */ static const char * search_dict(const struct dict_entry *dict, int num) { const struct dict_entry *p = dict; while (p->s) { if (num == p->num) return p->s; p++; } return &quot;(unknown)&quot;; } Second example 1/6
  8. 8. static const struct dict_entry sig_names[] = { {SIGHUP, &quot;SIGHUP&quot;}, {SIGINT, &quot;SIGINT&quot;}, {SIGQUIT, &quot;SIGQUIT&quot;}, {SIGILL, &quot;SIGILL&quot;}, {SIGTRAP, &quot;SIGTRAP&quot;}, {SIGABRT, &quot;SIGABRT&quot;}, {SIGBUS, &quot;SIGBUS&quot;}, {SIGFPE, &quot;SIGFPE&quot;}, {SIGKILL, &quot;SIGKILL&quot;}, {SIGSEGV, &quot;SIGSEGV&quot;}, {SIGPIPE, &quot;SIGPIPE&quot;}, {SIGALRM, &quot;SIGALRM&quot;}, {SIGTERM, &quot;SIGTERM&quot;}, {SIGSTKFLT, &quot;SIGSTKFLT&quot;}, {SIGCHLD, &quot;SIGCHLD&quot;}, {SIGCONT, &quot;SIGCONT&quot;}, {SIGSTOP, &quot;SIGSTOP&quot;}, {SIGTSTP, &quot;SIGTSTP&quot;}, {SIGTTIN, &quot;SIGTTIN&quot;}, {SIGTTOU, &quot;SIGTTOU&quot;}, {SIGURG, &quot;SIGURG&quot;}, {SIGXCPU, &quot;SIGXCPU&quot;}, {SIGXFSZ, &quot;SIGXFSZ&quot;}, {SIGVTALRM, &quot;SIGVTALRM&quot;}, {SIGPROF, &quot;SIGPROF&quot;}, {SIGWINCH, &quot;SIGWINCH&quot;}, {SIGPOLL, &quot;SIGPOLL&quot;}, {SIGPWR, &quot;SIGPWR&quot;}, {SIGSYS, &quot;SIGSYS&quot;}, DICT_ENTRY_END }; Second example 2/6
  9. 9. static void show_stack() { void *trace[16]; char **messages = (char **)NULL; int i, trace_size = 0; trace_size = backtrace(trace, 16); /* overwrite sigaction with caller's address */ messages = backtrace_symbols(trace, trace_size); /* skip first stack frame (points here) */ printf(&quot;CALLSTACK:n&quot;); for (i=1; i<trace_size; ++i) printf(&quot;%sn&quot;, messages[i]); free (messages); } Second example 3/6
  10. 10. Second example 4/6 void sigdemux(int sig, struct siginfo *si, void *v) { const char *signame; //struct ucontext *sc=(struct ucontext *)v; //struct sigcontext *regs; int si_code; si_code = si->si_code & 0xffff; signame = search_dict(sig_names, sig); if (sig != SIGINT) { PRINTF(&quot;n!==========================!n&quot;); PRINTF(&quot;SIG %s (#%i) received in PID %ldn&quot;,signame,sig,syscall(__NR_gettid)); PRINTF(&quot;Errnot%inPIDt%inaddrt0x%08xnn&quot;, (int)si->si_errno, (int)si->si_pid, (int)si->si_addr); show_stack(); PRINTF(&quot;n!==========================!n&quot;); kill(mainpid,SIGINT); exit(-1); } if (getpid()==mainpid) { exit(0); } return; }
  11. 11. Second example 5/6 int sig_init(int pid) { struct sigaction si_segv; int rc; si_segv.sa_sigaction = sigdemux; si_segv.sa_flags = SA_SIGINFO; mainpid=pid; rc = sigaction(SIGINT,&si_segv,NULL); if (rc<0) { goto sig_error; } rc = sigaction(SIGSEGV,&si_segv,NULL); if (rc<0) { goto sig_error; } rc = sigaction(SIGILL,&si_segv,NULL); if (rc<0) { goto sig_error; } rc = sigaction(SIGFPE,&si_segv,NULL); if (rc<0) { goto sig_error; } rc = sigaction(SIGBUS,&si_segv,NULL); if (rc<0) { goto sig_error; } rc = sigaction(SIGPIPE,&si_segv,NULL); if (rc<0) { goto sig_error; } sig_error: return rc; }
  12. 12. <ul><li> The behavior is quite easy, 'cos there is just a registry at the beginning of the process : </li></ul><ul><li>int main(int argc, char* argv[], char* env[]) </li></ul><ul><ul><li>(...) </li></ul></ul><ul><ul><li>sig_init(getpid()) </li></ul></ul><ul><ul><li>(...) </li></ul></ul>Usage of the second source code (6/6)
  13. 13. <ul><li>The processed crashed I got automatically following stack trace: </li></ul><ul><li>  </li></ul><ul><ul><li>!==========================! </li></ul></ul><ul><ul><li>SIG SIGSEGV (#11) received in PID 2794 </li></ul></ul><ul><ul><li>Errno   0 </li></ul></ul><ul><ul><li>PID     0 </li></ul></ul><ul><ul><li>addr    0x00000000 </li></ul></ul><ul><ul><li>  </li></ul></ul><ul><ul><li>Got signal faulty address is (nil), from 0xb750bca4 </li></ul></ul><ul><ul><li>[bt] Execution path: </li></ul></ul><ul><ul><li>[bt] /usr/lib/libsystem_api_adapter_configuration_repository.so.1(_ZN26DbusLocalStorageRepository7getItemERKSs+0x3a) [0xb750bca4] </li></ul></ul><ul><ul><li>[bt] [0xffffe40c] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libsystem_api_adapter_configuration_repository.so.1(_ZN26DbusLocalStorageRepository7getItemERKSs+0x3a) [0xb750bca4] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libsystem_api_adapter_configuration_repository.so.1(_ZN3com11Technicolor23ConfigurationRepository30LocalStorageRepository_adaptor13_getItem_stubERKN4DBus11CallMessageE+0x6d) [0xb750cac9] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libsystem_api_adapter_configuration_repository.so.1(_ZNK4DBus8CallbackIN3com11Technicolor23ConfigurationRepository30LocalStorageRepository_adaptorENS_7MessageERKNS_11CallMessageEE4callES8_+0x60) [0xb750f23c] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libdbus-c++-1.so.0(_ZN4DBus16InterfaceAdaptor15dispatch_methodERKNS_11CallMessageE+0x135) [0xb6f669f5] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libdbus-c++-1.so.0(_ZN4DBus13ObjectAdaptor14handle_messageERKNS_7MessageE+0xd0) [0xb6f6d0a0] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libdbus-c++-1.so.0(_ZN4DBus13ObjectAdaptor7Private21message_function_stubEP14DBusConnectionP11DBusMessagePv+0xb9) [0xb6f6b509] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libdbus-1.so.3(+0x1822f) [0xb6f3122f] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libdbus-1.so.3(dbus_connection_dispatch+0x365) [0xb6f244cd] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libdbus-c++-1.so.0(+0x1c280) [0xb6f73280] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libdbus-c++-1.so.0(_ZN4DBus10Dispatcher16dispatch_pendingEv+0x4e) [0xb6f7b94e] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libdbus-c++-1.so.0(_ZN4DBus13BusDispatcher12do_iterationEv+0x23) [0xb6f82653] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libdbus-c++-1.so.0(_ZN4DBus13BusDispatcher5enterEv+0x40) [0xb6f82370] </li></ul></ul><ul><ul><li>[bt] /usr/lib/libsystem_api_adapter_dbus.so.1(+0x6e0f) [0xb703ce0f] </li></ul></ul><ul><ul><li>[bt] [0x12] </li></ul></ul><ul><ul><li>[bt] /lib/libc.so.6(clone+0x5e) [0xb6cec8de] </li></ul></ul><ul><li>  </li></ul><ul><li>I can see that function that crashed was well DbusLocalStorageRepositorygetItem function. </li></ul>Result
  14. 14. More help <ul><li>http://www.delorie.com/gnu/docs/glibc/libc_665.html </li></ul>