+ struct additional_panic_data_buffer *new_panic_data_buffer = kalloc(sizeof(struct additional_panic_data_buffer));
+ new_panic_data_buffer->producer_name = producer_name;
+ new_panic_data_buffer->buf = buf;
+ new_panic_data_buffer->len = len;
+
+ if (!OSCompareAndSwapPtr(NULL, new_panic_data_buffer, &panic_data_buffers)) {
+ panic("register_additional_panic_data_buffer called with buffer already registered");
+ }
+
+ return;
+}
+#endif /* !defined (__x86_64__) */
+
+/*
+ * An overview of the xnu panic path:
+ *
+ * Several panic wrappers (panic(), panic_with_options(), etc.) all funnel into panic_trap_to_debugger().
+ * panic_trap_to_debugger() sets the panic state in the current processor's processor_data_t prior
+ * to trapping into the debugger. Once we trap to the debugger, we end up in handle_debugger_trap()
+ * which tries to acquire the panic lock by atomically swapping the current CPU number into debugger_cpu.
+ * debugger_cpu acts as a synchronization point, from which the winning CPU can halt the other cores and
+ * continue to debugger_collect_diagnostics() where we write the paniclog, corefile (if appropriate) and proceed
+ * according to the device's boot-args.
+ */
+#undef panic
+void
+panic(const char *str, ...)
+{
+ va_list panic_str_args;
+
+ va_start(panic_str_args, str);
+ panic_trap_to_debugger(str, &panic_str_args, 0, NULL, 0, NULL, (unsigned long)(char *)__builtin_return_address(0));
+ va_end(panic_str_args);
+}
+
+void
+panic_with_options(unsigned int reason, void *ctx, uint64_t debugger_options_mask, const char *str, ...)
+{
+ va_list panic_str_args;
+
+ va_start(panic_str_args, str);
+ panic_trap_to_debugger(str, &panic_str_args, reason, ctx, (debugger_options_mask & ~DEBUGGER_INTERNAL_OPTIONS_MASK),
+ NULL, (unsigned long)(char *)__builtin_return_address(0));
+ va_end(panic_str_args);
+}
+
+#if defined (__x86_64__)
+/*
+ * panic_with_thread_context() is used on x86 platforms to specify a different thread that should be backtraced in the paniclog.
+ * We don't generally need this functionality on embedded platforms because embedded platforms include a panic time stackshot
+ * from customer devices. We plumb the thread pointer via the debugger trap mechanism and backtrace the kernel stack from the
+ * thread when writing the panic log.
+ *
+ * NOTE: panic_with_thread_context() should be called with an explicit thread reference held on the passed thread.
+ */
+void
+panic_with_thread_context(unsigned int reason, void *ctx, uint64_t debugger_options_mask, thread_t thread, const char *str, ...)
+{
+ va_list panic_str_args;
+ __assert_only os_ref_count_t th_ref_count;
+
+ assert_thread_magic(thread);
+ th_ref_count = os_ref_get_count(&thread->ref_count);
+ assertf(th_ref_count > 0, "panic_with_thread_context called with invalid thread %p with refcount %u", thread, th_ref_count);
+
+ /* Take a reference on the thread so it doesn't disappear by the time we try to backtrace it */
+ thread_reference(thread);
+
+ va_start(panic_str_args, str);
+ panic_trap_to_debugger(str, &panic_str_args, reason, ctx, ((debugger_options_mask & ~DEBUGGER_INTERNAL_OPTIONS_MASK) | DEBUGGER_INTERNAL_OPTION_THREAD_BACKTRACE),
+ thread, (unsigned long)(char *)__builtin_return_address(0));
+
+ va_end(panic_str_args);
+}
+#endif /* defined (__x86_64__) */
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wmissing-noreturn"
+void
+panic_trap_to_debugger(const char *panic_format_str, va_list *panic_args, unsigned int reason, void *ctx,
+ uint64_t panic_options_mask, void *panic_data_ptr, unsigned long panic_caller)
+{
+#pragma clang diagnostic pop
+
+#if defined(__x86_64__) && (DEVELOPMENT || DEBUG)
+ /* Turn off I/O tracing once we've panicked */
+ mmiotrace_enabled = 0;
+#endif
+
+ if (ml_wants_panic_trap_to_debugger()) {
+ ml_panic_trap_to_debugger(panic_format_str, panic_args, reason, ctx, panic_options_mask, panic_caller);
+ __builtin_trap();
+ }
+
+ CPUDEBUGGERCOUNT++;
+
+ if (CPUDEBUGGERCOUNT > max_debugger_entry_count) {
+ static boolean_t in_panic_kprintf = FALSE;
+
+ /* Notify any listeners that we've started a panic */
+ PEHaltRestart(kPEPanicBegin);
+
+ if (!in_panic_kprintf) {
+ in_panic_kprintf = TRUE;
+ kprintf("Detected nested debugger entry count exceeding %d\n",
+ max_debugger_entry_count);
+ in_panic_kprintf = FALSE;
+ }
+
+ if (!panicDebugging) {
+ kdp_machine_reboot_type(kPEPanicRestartCPU, panic_options_mask);
+ }
+
+ panic_spin_forever();
+ }
+
+#if DEVELOPMENT || DEBUG
+ DEBUGGER_DEBUGGING_NESTED_PANIC_IF_REQUESTED((panic_options_mask & DEBUGGER_OPTION_RECURPANIC_ENTRY));
+#endif
+
+ PE_panic_hook(panic_format_str);
+
+#if defined (__x86_64__)
+ plctrace_disable();
+#endif
+
+ if (write_trace_on_panic && kdebug_enable) {
+ if (get_preemption_level() == 0 && !ml_at_interrupt_context()) {
+ ml_set_interrupts_enabled(TRUE);
+ KDBG_RELEASE(TRACE_PANIC);
+ kdbg_dump_trace_to_file(KDBG_TRACE_PANIC_FILENAME);
+ }
+ }
+
+ ml_set_interrupts_enabled(FALSE);
+ disable_preemption();
+
+#if defined (__x86_64__)
+ pmSafeMode(x86_lcpu(), PM_SAFE_FL_SAFE);
+#endif /* defined (__x86_64__) */
+
+ /* Never hide pointers from panic logs. */
+ doprnt_hide_pointers = FALSE;
+
+ if (ctx != NULL) {
+ /*
+ * We called into panic from a trap, no need to trap again. Set the
+ * state on the current CPU and then jump to handle_debugger_trap.
+ */
+ DebuggerSaveState(DBOP_PANIC, "panic",
+ panic_format_str, panic_args,
+ panic_options_mask, panic_data_ptr, TRUE, panic_caller);
+ handle_debugger_trap(reason, 0, 0, ctx);
+ }
+
+#if defined(__arm64__)
+ /*
+ * Signal to fastsim that it should open debug ports (nop on hardware)
+ */
+ __asm__ volatile ("HINT 0x45");
+#endif /* defined(__arm64__) */
+
+ DebuggerTrapWithState(DBOP_PANIC, "panic", panic_format_str,
+ panic_args, panic_options_mask, panic_data_ptr, TRUE, panic_caller);
+
+ /*
+ * Not reached.
+ */
+ panic_stop();
+ __builtin_unreachable();
+}
+
+void
+panic_spin_forever(void)
+{
+ paniclog_append_noflush("\nPlease go to https://panic.apple.com to report this panic\n");
+
+ for (;;) {
+ }
+}
+
+static void
+kdp_machine_reboot_type(unsigned int type, uint64_t debugger_flags)
+{
+ printf("Attempting system restart...");
+ if ((type == kPEPanicRestartCPU) && (debugger_flags & DEBUGGER_OPTION_SKIP_PANICEND_CALLOUTS)) {
+ PEHaltRestart(kPEPanicRestartCPUNoPanicEndCallouts);
+ } else {
+ PEHaltRestart(type);
+ }
+ halt_all_cpus(TRUE);
+}
+
+void
+kdp_machine_reboot(void)
+{
+ kdp_machine_reboot_type(kPEPanicRestartCPU, 0);
+}
+
+/*
+ * Gather and save diagnostic information about a panic (or Debugger call).
+ *
+ * On embedded, Debugger and Panic are treated very similarly -- WDT uses Debugger so we can
+ * theoretically return from it. On desktop, Debugger is treated as a conventional debugger -- i.e no
+ * paniclog is written and no core is written unless we request a core on NMI.
+ *
+ * This routine handles kicking off local coredumps, paniclogs, calling into the Debugger/KDP (if it's configured),
+ * and calling out to any other functions we have for collecting diagnostic info.
+ */
+static void
+debugger_collect_diagnostics(unsigned int exception, unsigned int code, unsigned int subcode, void *state)
+{
+#if DEVELOPMENT || DEBUG
+ DEBUGGER_DEBUGGING_NESTED_PANIC_IF_REQUESTED((debugger_panic_options & DEBUGGER_OPTION_RECURPANIC_PRELOG));
+#endif
+
+#if defined(__x86_64__)
+ kprintf("Debugger called: <%s>\n", debugger_message ? debugger_message : "");
+#endif
+ /*
+ * DB_HALT (halt_in_debugger) can be requested on startup, we shouldn't generate
+ * a coredump/paniclog for this type of debugger entry. If KDP isn't configured,
+ * we'll just spin in kdp_raise_exception.
+ */
+ if (debugger_current_op == DBOP_DEBUGGER && halt_in_debugger) {
+ kdp_raise_exception(exception, code, subcode, state);
+ if (debugger_safe_to_return && !debugger_is_panic) {
+ return;
+ }
+ }
+
+ if ((debugger_current_op == DBOP_PANIC) ||
+ ((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic)) {
+ /*
+ * Attempt to notify listeners once and only once that we've started
+ * panicking. Only do this for Debugger() calls if we're treating
+ * Debugger() calls like panic().
+ */
+ PEHaltRestart(kPEPanicBegin);
+
+ /*
+ * Set the begin pointer in the panic log structure. We key off of this
+ * static variable rather than contents from the panic header itself in case someone
+ * has stomped over the panic_info structure. Also initializes the header magic.
+ */
+ static boolean_t began_writing_paniclog = FALSE;
+ if (!began_writing_paniclog) {
+ PE_init_panicheader();
+ began_writing_paniclog = TRUE;
+ } else {
+ /*
+ * If we reached here, update the panic header to keep it as consistent
+ * as possible during a nested panic
+ */
+ PE_update_panicheader_nestedpanic();
+ }
+ }
+
+ /*
+ * Write panic string if this was a panic.
+ *
+ * TODO: Consider moving to SavePanicInfo as this is part of the panic log.
+ */
+ if (debugger_current_op == DBOP_PANIC) {
+ paniclog_append_noflush("panic(cpu %d caller 0x%lx): ", (unsigned) cpu_number(), debugger_panic_caller);
+ if (debugger_panic_str) {
+ _doprnt(debugger_panic_str, debugger_panic_args, consdebug_putc, 0);
+ }
+ paniclog_append_noflush("\n");
+ }
+#if defined(__x86_64__)
+ else if (((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic)) {
+ paniclog_append_noflush("Debugger called: <%s>\n", debugger_message ? debugger_message : "");
+ }
+
+ /*
+ * Debugger() is treated like panic() on embedded -- for example we use it for WDT
+ * panics (so we need to write a paniclog). On desktop Debugger() is used in the
+ * conventional sense.
+ */
+ if (debugger_current_op == DBOP_PANIC || ((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic))
+#endif
+ {
+ kdp_callouts(KDP_EVENT_PANICLOG);
+
+ /*
+ * Write paniclog and panic stackshot (if supported)
+ * TODO: Need to clear panic log when return from debugger
+ * hooked up for embedded
+ */
+ SavePanicInfo(debugger_message, debugger_panic_data, debugger_panic_options);
+
+#if DEVELOPMENT || DEBUG
+ DEBUGGER_DEBUGGING_NESTED_PANIC_IF_REQUESTED((debugger_panic_options & DEBUGGER_OPTION_RECURPANIC_POSTLOG));
+#endif
+
+ /* DEBUGGER_OPTION_PANICLOGANDREBOOT is used for two finger resets on embedded so we get a paniclog */
+ if (debugger_panic_options & DEBUGGER_OPTION_PANICLOGANDREBOOT) {
+ PEHaltRestart(kPEPanicRestartCPUNoCallouts);
+ }
+ }
+
+#if CONFIG_KDP_INTERACTIVE_DEBUGGING
+ /*
+ * If reboot on panic is enabled and the caller of panic indicated that we should skip
+ * local coredumps, don't try to write these and instead go straight to reboot. This
+ * allows us to persist any data that's stored in the panic log.
+ */
+ if ((debugger_panic_options & DEBUGGER_OPTION_SKIP_LOCAL_COREDUMP) &&
+ (debug_boot_arg & DB_REBOOT_POST_CORE)) {
+ kdp_machine_reboot_type(kPEPanicRestartCPU, debugger_panic_options);
+ }
+
+ /*
+ * Consider generating a local corefile if the infrastructure is configured
+ * and we haven't disabled on-device coredumps.
+ */
+ if (on_device_corefile_enabled()) {
+ if (!kdp_has_polled_corefile()) {
+ if (debug_boot_arg & (DB_KERN_DUMP_ON_PANIC | DB_KERN_DUMP_ON_NMI)) {
+ paniclog_append_noflush("skipping local kernel core because core file could not be opened prior to panic (error : 0x%x)",
+ kdp_polled_corefile_error());
+#if CONFIG_EMBEDDED
+ panic_info->eph_panic_flags |= EMBEDDED_PANIC_HEADER_FLAG_COREDUMP_FAILED;
+ paniclog_flush();
+#else /* CONFIG_EMBEDDED */
+ if (panic_info->mph_panic_log_offset != 0) {
+ panic_info->mph_panic_flags |= MACOS_PANIC_HEADER_FLAG_COREDUMP_FAILED;
+ paniclog_flush();
+ }
+#endif /* CONFIG_EMBEDDED */
+ }
+ } else {
+ int ret = -1;
+
+#if defined (__x86_64__)
+ /* On x86 we don't do a coredump on Debugger unless the DB_KERN_DUMP_ON_NMI boot-arg is specified. */
+ if (debugger_current_op != DBOP_DEBUGGER || (debug_boot_arg & DB_KERN_DUMP_ON_NMI))
+#endif
+ {
+ /*
+ * Doing an on-device coredump leaves the disk driver in a state
+ * that can not be resumed.
+ */
+ debugger_safe_to_return = FALSE;
+ begin_panic_transfer();
+ ret = kern_dump(KERN_DUMP_DISK);
+ abort_panic_transfer();
+
+#if DEVELOPMENT || DEBUG
+ DEBUGGER_DEBUGGING_NESTED_PANIC_IF_REQUESTED((debugger_panic_options & DEBUGGER_OPTION_RECURPANIC_POSTCORE));
+#endif
+ }
+
+ /*
+ * If DB_REBOOT_POST_CORE is set, then reboot if coredump is sucessfully saved
+ * or if option to ignore failures is set.
+ */
+ if ((debug_boot_arg & DB_REBOOT_POST_CORE) &&
+ ((ret == 0) || (debugger_panic_options & DEBUGGER_OPTION_ATTEMPTCOREDUMPANDREBOOT))) {
+ kdp_machine_reboot_type(kPEPanicRestartCPU, debugger_panic_options);
+ }
+ }
+ }
+
+ if (debug_boot_arg & DB_REBOOT_ALWAYS) {
+ kdp_machine_reboot_type(kPEPanicRestartCPU, debugger_panic_options);
+ }
+
+ /* If KDP is configured, try to trap to the debugger */
+ if (current_debugger != NO_CUR_DB) {
+ kdp_raise_exception(exception, code, subcode, state);
+ /*
+ * Only return if we entered via Debugger and it's safe to return
+ * (we halted the other cores successfully, this isn't a nested panic, etc)
+ */
+ if (debugger_current_op == DBOP_DEBUGGER &&
+ debugger_safe_to_return &&
+ kernel_debugger_entry_count == 1 &&
+ !debugger_is_panic) {
+ return;
+ }
+ }
+
+#if CONFIG_EMBEDDED
+ if (panicDebugging) {
+ /* If panic debugging is configured, spin for astris to connect */
+ panic_spin_shmcon();
+ }
+#endif /* CONFIG_EMBEDDED */
+#endif /* CONFIG_KDP_INTERACTIVE_DEBUGGING */
+
+ if (!panicDebugging) {
+ kdp_machine_reboot_type(kPEPanicRestartCPU, debugger_panic_options);
+ }
+
+ panic_spin_forever();
+}
+
+#if INTERRUPT_MASKED_DEBUG
+uint64_t debugger_trap_timestamps[9];
+# define DEBUGGER_TRAP_TIMESTAMP(i) debugger_trap_timestamps[i] = mach_absolute_time();
+#else
+# define DEBUGGER_TRAP_TIMESTAMP(i)
+#endif
projects / apple / xnu.git / blobdiff