Improve crash backtrace reliability

We're now able to pretty print a C++ backtrace upon crashing in pretty
much any runtime execution scenario. The default pledge sandbox policy
on Linux is now to return EPERM. If you call pledge and have debugging
functions linked (e.g. GetSymbolTable) then the symbol table shall get
loaded before any security policy is put in place. This change updates
build/bootstrap/fixupobj too and fixes some other sneaky build errors.

Author: jart

build/bootstrap/ape.aarch64

@@ -7,6 +7,7 @@
 │   • http://creativecommons.org/publicdomain/zero/1.0/            │
 ╚─────────────────────────────────────────────────────────────────*/
 #endif
+#include "libc/calls/calls.h"
 #include "libc/math.h"
 #include "libc/runtime/runtime.h"
 
@@ -18,6 +19,17 @@ void crash(long x0, long x1, long x2,  //
 void (*pCrash)(long, long, long, double, double, double) = crash;
 
 int main(int argc, char *argv[]) {
+
+  // // by default we launch an addr2line subprocess to print backtraces
+  // // with line numbers. you can force it to use the embedded solution
+  // setenv("ADDR2LINE", "", true);
+
+  // // using a seccomp sandbox is another way to force embedded backtraces
+  // pledge("stdio", NULL);
+
+  // enable the crash reporting feature
   ShowCrashReports();
+
+  // time to die
   pCrash(1, 2, 3, NAN, NAN, NAN);
 }

build/bootstrap/ape.elf

@@ -24,11 +24,13 @@
 #include "libc/calls/syscall-sysv.internal.h"
 #include "libc/dce.h"
 #include "libc/errno.h"
-#include "libc/intrin/kprintf.h"
 #include "libc/intrin/promises.internal.h"
 #include "libc/intrin/strace.internal.h"
+#include "libc/intrin/weaken.h"
 #include "libc/nexgen32e/vendor.internal.h"
 #include "libc/runtime/runtime.h"
+#include "libc/runtime/symbols.internal.h"
+#include "libc/runtime/zipos.internal.h"
 #include "libc/sysv/consts/pr.h"
 #include "libc/sysv/errfuns.h"
 
@@ -199,22 +201,22 @@
  * `__pledge_mode` is available to improve the experience of pledge() on
  * Linux. It should specify one of the following penalties:
  *
+ * - `PLEDGE_PENALTY_RETURN_EPERM` causes system calls to just return an
+ *   `EPERM` error instead of killing. This is the default on Linux.
+ *   This is a gentler solution that allows code to display a friendly
+ *   warning. Please note this may lead to weird behaviors if the
+ *   software being sandboxed is lazy about checking error results.
+ *
  * - `PLEDGE_PENALTY_KILL_THREAD` causes the violating thread to be
- *   killed. This is the default on Linux. It's effectively the same as
- *   killing the process, since redbean has no threads. The termination
- *   signal can't be caught and will be either `SIGSYS` or `SIGABRT`.
- *   Consider enabling stderr logging below so you'll know why your
- *   program failed. Otherwise check the system log.
+ *   killed. It's effectively the same as killing the process, since
+ *   redbean has no threads. The termination signal can't be caught and
+ *   will be either `SIGSYS` or `SIGABRT`. Consider enabling stderr
+ *   logging below so you'll know why your program failed. Otherwise
+ *   check the system log.
  *
  * - `PLEDGE_PENALTY_KILL_PROCESS` causes the process and all its
  *   threads to be killed. This is always the case on OpenBSD.
  *
- * - `PLEDGE_PENALTY_RETURN_EPERM` causes system calls to just return an
- *   `EPERM` error instead of killing. This is a gentler solution that
- *   allows code to display a friendly warning. Please note this may
- *   lead to weird behaviors if the software being sandboxed is lazy
- *   about checking error results.
- *
  * `mode` may optionally bitwise or the following flags:
  *
  * - `PLEDGE_STDERR_LOGGING` enables friendly error message logging
@@ -240,6 +242,8 @@
 int pledge(const char *promises, const char *execpromises) {
   int e, rc;
   unsigned long ipromises, iexecpromises;
+  if (_weaken(GetSymbolTable))
+    _weaken(GetSymbolTable)();
   if (!promises) {
     // OpenBSD says NULL argument means it doesn't change, i.e.
     // pledge(0,0) on OpenBSD does nothing. The Cosmopolitan Libc

build/bootstrap/ape.macho

@@ -21,6 +21,6 @@
 
 // XXX: should be inherited thread local
 //      see also sys_pledge_linux() which is 100% pure
-int __pledge_mode;
+int __pledge_mode = PLEDGE_PENALTY_RETURN_EPERM;
 unsigned long __promises;
 unsigned long __execpromises;

build/bootstrap/fixupobj

@@ -3,8 +3,8 @@
 COSMOPOLITAN_C_START_
 
 enum VendorSignatures {
-  SIG_INTEL = 0x756e6547,  // Genu
-  SIG_AMD = 0x68747541,    // Auth
+  SIG_INTEL = 0x756e6547, /* Genu */
+  SIG_AMD = 0x68747541,   /* Auth */
 };
 
 enum ProcessorVendors {
@@ -139,7 +139,7 @@ struct __processor_model {
   const char *__cpu_march;
 };
 
-struct __processor_model __cpu_model;
+extern struct __processor_model __cpu_model;
 
 const char *__cpu_march(unsigned);
 

examples/crashreport2.cc

@@ -37,9 +37,14 @@ static struct {
 } g_addr2line;
 
 void GetAddr2linePathInit(void) {
+  char *res;
   int e = errno;
-  const char *path;
-  if (!(path = getenv("ADDR2LINE"))) {
+  const char *env, *cmd, *path;
+  if ((env = getenv("ADDR2LINE"))) {
+    cmd = env;
+    path = env;
+  } else {
+    cmd = "addr2line";
     path = ADDR2LINE;
   }
   char *buf = g_addr2line.buf;
@@ -48,12 +53,11 @@ void GetAddr2linePathInit(void) {
       strlcat(buf, "/", PATH_MAX);
     }
     strlcat(buf, path, PATH_MAX);
-  }
-  if (*buf) {
-    g_addr2line.res = buf;
+    res = buf;
   } else {
-    g_addr2line.res = commandv("addr2line", buf, PATH_MAX);
+    res = commandv(cmd, buf, PATH_MAX);
   }
+  g_addr2line.res = res;
   errno = e;
 }
 

libc/calls/pledge.c

@@ -66,7 +66,7 @@ static int PrintBacktraceUsingAddr2line(int fd, const struct StackFrame *bp) {
   }
 
   if (!PLEDGED(STDIO) || !PLEDGED(EXEC) || !PLEDGED(EXEC)) {
-    ShowHint("won't print addr2line backtrace because pledge");
+    ShowHint("pledge() sandboxing makes backtraces not as good");
     return -1;
   }