// Copyright 2015 Ted Mielczarek. See the COPYRIGHT // file at the top-level directory of this distribution.
// NOTE: arm64_old.rs and arm64.rs should be identical except for the names of // their context types.
usesuper::impl_prelude::*; use minidump::{
CpuContext, MinidumpContext, MinidumpContextValidity, MinidumpModuleList, MinidumpRawContext,
Module,
}; use std::collections::HashSet; use tracing::trace;
type ArmContext = minidump::format::CONTEXT_ARM64; type Pointer = <ArmContext as CpuContext>::Register; type Registers = minidump::format::Arm64RegisterNumbers;
let caller_pc = stack_walker.caller_ctx.get_register_always(PROGRAM_COUNTER); let caller_sp = stack_walker.caller_ctx.get_register_always(STACK_POINTER); let new_valid = MinidumpContextValidity::Some(stack_walker.caller_validity);
// Apply ptr auth stripping let caller_pc = ptr_auth_strip(args.modules, caller_pc);
stack_walker
.caller_ctx
.set_register(PROGRAM_COUNTER, caller_pc); // Nothing should really ever restore lr, but CFI is more magic so whatever sure iflet Some(lr) = stack_walker
.caller_ctx
.get_register(LINK_REGISTER, &new_valid)
{
stack_walker
.caller_ctx
.set_register(LINK_REGISTER, ptr_auth_strip(args.modules, lr));
} iflet Some(fp) = stack_walker
.caller_ctx
.get_register(FRAME_POINTER, &new_valid)
{
stack_walker
.caller_ctx
.set_register(FRAME_POINTER, ptr_auth_strip(args.modules, fp));
}
// Do absolutely NO validation! Yep! As long as CFI evaluation succeeds // (which does include pc and sp resolving), just blindly assume the // values are correct. I Don't Like This, but it's what breakpad does and // we should start with a baseline of parity.
// FIXME?: for whatever reason breakpad actually does block on the address // being canonical *ONLY* for arm64, which actually rejects null pc early! // Let's not do that to keep our code more uniform.
fn get_caller_by_frame_pointer<P>(
ctx: &ArmContext,
args: &GetCallerFrameArgs<'_, P>,
) -> Option<StackFrame> where
P: SymbolProvider + Sync,
{
trace!("trying frame pointer"); // Ok so there exists 3 kinds of stackframes in ARM64: // // * stackless leaves // * stackful leaves // * normal frames // // // # Normal Frames // // Let's start with normal frames. In the standard calling convention, the following happens: // // lr := return_address (performed implicitly by ARM's function call instruction) // PUSH fp, lr (save fp and lr to the stack -- ARM64 pushes in pairs) // fp := sp (update the frame pointer to the current stack pointer) // // So to restore the caller's registers, we have: // // pc := *(fp + ptr) (this will get the return address, usual offset caveats apply) // sp := fp + ptr*2 // fp := *fp // // Note that although we push lr, we don't restore lr. That's because lr is just our // return address, and is therefore essentially a "saved" pc. lr is caller-saved *and* // automatically overwritten by every CALL, so the callee (the frame we're unwinding right now) // has no business ever knowing it, let alone restoring it. lr is generally just saved // immediately and then used as a free general purpose register, and therefore will generally // contain random garbage unrelated to unwinding. // // // # Leaf Functions // // Now leaf functions are a bit messier. These are functions which don't call other functions // and therefore don't actually ever need to save lr or fp. As such, they can be entirely // stackless, although they don't have to be. So calling a leaf function is just: // // lr := return_address // <possibly some pushes, but maybe not> // // And to restore the caller's registers, we have: // // pc := lr // sp := sp - <some arbitrary value> // fp := fp // // Unfortunately, we're unaware of any way to "detect" that a function is a leaf or not // without symbols/cfi just telling you that. Since we're in frame pointer unwinding, // we probably don't have those available! And even if we did, we still wouldn't know if // the frame was stackless or not, so we wouldn't know how to restore sp reliably and might // get the stack in a weird state for subsequent (possibly CFI-based) frames. // Also, if we incorrectly guess a frame is a leaf, we'll also use a probably-random-garbage // lr as a pc and potentially halluncinate a bunch. // // // # Conclusion // // At the moment we think it's safest/best to just always assume we're unwinding a normal // frame. Statistically this is true (most frames are, even if they happen to be at the // top of the stack when we crash), and if the frame *is* a leaf then our `fp` is likely // to be the correct fp of the next frame. This will effectively result in us unwinding // our caller instead of ourselves, causing the caller to be omitted from the backtrace // but otherwise perfectly syncing up for the rest of the frames. let last_fp = ctx.get_register(FRAME_POINTER, args.valid())?; let last_sp = ctx.get_register(STACK_POINTER, args.valid())?;
if last_fp >= u64::MAX - POINTER_WIDTH * 2 { // Although this code generally works fine if the pointer math overflows, // debug builds will still panic, and this guard protects against it without // drowning the rest of the code in checked_add. return None;
}
let (caller_fp, caller_pc, caller_sp) = if last_fp == 0 { // In this case we want unwinding to stop. One of the termination conditions in get_caller_frame // is that caller_sp <= last_sp. Therefore we can force termination by setting caller_sp = last_sp.
(0, 0, last_sp)
} else {
(
args.stack_memory.get_memory_at_address(last_fp)?,
args.stack_memory
.get_memory_at_address(last_fp + POINTER_WIDTH)?,
last_fp + POINTER_WIDTH * 2,
)
}; let caller_fp = ptr_auth_strip(args.modules, caller_fp); let caller_pc = ptr_auth_strip(args.modules, caller_pc);
// Don't accept obviously wrong instruction pointers. if is_non_canonical(caller_pc) {
trace!("rejecting frame pointer result for unreasonable instruction pointer"); return None;
}
// Don't actually validate that the stack makes sense (duplicating breakpad behaviour).
fn ptr_auth_strip(modules: &MinidumpModuleList, ptr: Pointer) -> Pointer { // ARMv8.3 introduced a code hardening system called "Pointer Authentication" // which is used on Apple platforms. It adds some extra high bits to the // several pointers when they get pushed to memory, including the return // address (lr) and frame pointer (fp), which both get pushed at the start // of most non-leaf functions. // // We lack some of the proper context to implement the "strip" primitive, because // the amount of bits that are "real" pointer depends on various extensions like // pointer tagging and how big page tables are. If we allocate too many bits to // "real" then we can get ptr_auth bits in our pointers, and if we allocate too // few we can end up truncating our pointers. Thankfully we'll usually have a bit // of margin from pointers not having the highest real bits set. // // To help us guess, we have a few pieces of information: // // * Apple seems to default to a 17/47 split, so 47 bits for "real" is a good baseline // * We know the address ranges of various loaded (and unloaded modules) // * We know the address range of the stacks // * We *can* know the address range of some sections of the heap (MemoryList) // * We *can* know the page mappings (MemoryInfo) // // Right now we only incorporate the first two. Ideally we would process all those sources // once at the start of stack walking and pass it down to the ARM stackwalker but that's // a lot of annoying rewiring that won't necessarily improve results. let apple_default_max_addr = (1 << 47) - 1; let max_module_addr = modules
.by_addr()
.next_back()
.map(|last_module| {
last_module
.base_address()
.saturating_add(last_module.size())
})
.unwrap_or(0); let max_addr = u64::max(apple_default_max_addr, max_module_addr);
// We can convert a "highest" address into a suitable mask by getting the next_power_of_two // (a single bit >= the max) and subtracting one from it (producing all 1's <= that bit). // There are two corner cases to this: // // * the next_power_of_two being 2^65, in which case our mask should be !0 (all ones) // * the max addr being a power of two already means we will actually lose that one value // // The first case is handled by using checked_next_power_of_two. The second case isn't really // handled by it very improbable. We do however make sure the apple max isn't a power of two. let mask = max_addr
.checked_next_power_of_two()
.map(|high_bit| high_bit - 1)
.unwrap_or(!0);
// In principle, if we've done a good job of computing the mask, we can apply it regardless // of if there's any ptr auth bits. Either it will clear the auth or be a noop. We don't // check if this messes up, because there's too many subtleties like JITed code to reliably // detect this going awry.
ptr & mask
}
asyncfn get_caller_by_scan<P>(
ctx: &ArmContext,
args: &GetCallerFrameArgs<'_, P>,
) -> Option<StackFrame> where
P: SymbolProvider + Sync,
{
trace!("trying scan"); // Stack scanning is just walking from the end of the frame until we encounter // a value on the stack that looks like a pointer into some code (it's an address // in a range covered by one of our modules). If we find such an instruction, // we assume it's an pc value that was pushed by the CALL instruction that created // the current frame. The next frame is then assumed to end just before that // pc value. let last_sp = ctx.get_register(STACK_POINTER, args.valid())?;
// Number of pointer-sized values to scan through in our search. let default_scan_range = 40; let extended_scan_range = default_scan_range * 4;
// Breakpad devs found that the first frame of an unwind can be really messed up, // and therefore benefits from a longer scan. Let's do it too. let scan_range = iflet FrameTrust::Context = args.callee_frame.trust {
extended_scan_range
} else {
default_scan_range
};
for i in0..scan_range { let address_of_pc = last_sp.checked_add(i * POINTER_WIDTH)?; let caller_pc = args.stack_memory.get_memory_at_address(address_of_pc)?; if instruction_seems_valid(caller_pc, args.modules, args.symbol_provider).await { // pc is pushed by CALL, so sp is just address_of_pc + ptr let caller_sp = address_of_pc.checked_add(POINTER_WIDTH)?;
// Don't do any more validation, and don't try to restore fp // (that's what breakpad does!)
/// The most strict validation we have for instruction pointers. /// /// This is only used for stack-scanning, because it's explicitly /// trying to distinguish between total garbage and correct values. /// cfi and frame_pointer approaches do not use this validation /// because by default they're working with plausible/trustworthy /// data. /// /// Specifically, not using this validation allows cfi/fp methods /// to unwind through frames we don't have mapped modules for (such as /// OS APIs). This may seem confusing since we obviously don't have cfi /// for unmapped modules! /// /// The way this works is that we will use cfi to unwind some frame we /// know about and *end up* in a function we know nothing about, but with /// all the right register values. At this point, frame pointers will /// often do the correct thing even though we don't know what code we're /// in -- until we get back into code we do know about and cfi kicks back in. /// At worst, this sets scanning up in a better position for success! /// /// If we applied this more rigorous validation to cfi/fp methods, we /// would just discard the correct register values from the known frame /// and immediately start doing unreliable scans. asyncfn instruction_seems_valid<P>(
instruction: Pointer,
modules: &MinidumpModuleList,
symbol_provider: &P,
) -> bool where
P: SymbolProvider + Sync,
{ if is_non_canonical(instruction) || instruction == 0 { returnfalse;
}
fn is_non_canonical(instruction: Pointer) -> bool { // Reject instructions in the first page or above the user-space threshold.
!(0x1000..=0x000fffffffffffff).contains(&instruction)
}
/* // ARM64 is currently hyper-permissive, so we don't use this, // but here it is in case we change our minds! fnstack_seems_valid( caller_sp:Pointer, callee_sp:Pointer, stack_memory:UnifiedMemory<'_,'_>, )->bool{ // The stack shouldn't *grow* when we unwind ifcaller_sp<callee_sp{ returnfalse; }
// The stack pointer should be in the stack stack_memory .get_memory_at_address::<Pointer>(caller_spasu64) .is_some() }
*/
pubasyncfn get_caller_frame<P>(
ctx: &ArmContext,
args: &GetCallerFrameArgs<'_, P>,
) -> Option<StackFrame> where
P: SymbolProvider + Sync,
{ // .await doesn't like closures, so don't use Option chaining letmut frame = None; if frame.is_none() {
frame = get_caller_by_cfi(ctx, args).await;
} if frame.is_none() {
frame = get_caller_by_frame_pointer(ctx, args);
} if frame.is_none() {
frame = get_caller_by_scan(ctx, args).await;
} letmut frame = frame?;
// We now check the frame to see if it looks like unwinding is complete, // based on the frame we computed having a nonsense value. Returning // None signals to the unwinder to stop unwinding.
// if the instruction is within the first ~page of memory, it's basically // null, and we can assume unwinding is complete. if frame.context.get_instruction_pointer() < 4096 {
trace!("instruction pointer was nullish, assuming unwind complete"); return None;
}
// If the new stack pointer is at a lower address than the old, // then that's clearly incorrect. Treat this as end-of-stack to // enforce progress and avoid infinite loops.
let sp = frame.context.get_stack_pointer(); let last_sp = ctx.get_register_always("sp"); if sp <= last_sp { // Arm leaf functions may not actually touch the stack (thanks // to the link register allowing you to "push" the return address // to a register), so we need to permit the stack pointer to not // change for the first frame of the unwind. After that we need // more strict validation to avoid infinite loops. let is_leaf = args.callee_frame.trust == FrameTrust::Context && sp == last_sp; if !is_leaf {
trace!("stack pointer went backwards, assuming unwind complete"); return None;
}
}
// Ok, the frame now seems well and truly valid, do final cleanup.
// A caller's ip is the return address, which is the instruction // *after* the CALL that caused us to arrive at the callee. Set // the value to 4 less than that, so it points to the CALL instruction // (arm64 instructions are all 4 bytes wide). This is important because // we use this value to lookup the CFI we need to unwind the next frame. let ip = frame.context.get_instruction_pointer();
frame.instruction = ip - 4;
Some(frame)
}
Messung V0.5 in Prozent
¤ Dauer der Verarbeitung: 0.20 Sekunden
(vorverarbeitet am 2026-06-19)
¤
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.