blob: 21bfe3ff299ef5ae732151fffb340fad9f523ffe [file] [log] [blame]
// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "crash-reporter/crash_collector.h"
#include <dirent.h>
#include <fcntl.h> // For file creation modes.
#include <inttypes.h>
#include <linux/limits.h> // PATH_MAX
#include <sys/types.h> // for mode_t.
#include <sys/utsname.h> // For uname.
#include <sys/wait.h> // For waitpid.
#include <unistd.h> // For execv and fork.
#include <ctime>
#include <map>
#include <set>
#include <vector>
#include <pcrecpp.h>
#include <base/files/file_util.h>
#include <base/files/scoped_file.h>
#include <base/logging.h>
#include <base/posix/eintr_wrapper.h>
#include <base/scoped_clear_errno.h>
#include <base/strings/string_number_conversions.h>
#include <base/strings/string_split.h>
#include <base/strings/string_util.h>
#include <base/strings/stringprintf.h>
#include <brillo/key_value_store.h>
#include <brillo/process.h>
#include <brillo/userdb_utils.h>
#include "crash-reporter/paths.h"
#include "crash-reporter/util.h"
namespace {
const char kCollectChromeFile[] =
const char kDefaultLogConfig[] = "/etc/crash_reporter_logs.conf";
const char kDefaultUserName[] = "chronos";
const char kShellPath[] = "/bin/sh";
const char kUploadVarPrefix[] = "upload_var_";
const char kUploadTextPrefix[] = "upload_text_";
const char kUploadFilePrefix[] = "upload_file_";
const char kCollectorNameKey[] = "collector";
// Key of the lsb-release entry containing the OS version.
const char kLsbOsVersionKey[] = "CHROMEOS_RELEASE_VERSION";
// Key of the lsb-release entry containing the OS description.
const char kLsbOsDescriptionKey[] = "CHROMEOS_RELEASE_DESCRIPTION";
// Directory mode of the user crash spool directory.
const mode_t kUserCrashPathMode = 0700;
// Directory mode of the system crash spool directory.
const mode_t kSystemCrashDirectoryMode = 0700;
// Directory mode of the run time state directory.
// Since we place flag files in here for checking by tests, we make it readable.
constexpr mode_t kSystemRunStateDirectoryMode = 0755;
// Directory mode of /var/lib/crash_reporter.
constexpr mode_t kCrashReporterStateDirectoryMode = 0700;
const uid_t kRootGroup = 0;
// Buffer size for reading a log into memory.
constexpr size_t kMaxLogSize = 1024 * 1024;
// Limit how many processes we walk back up. This avoids any possible races
// and loops, and we probably don't need that many in the first place.
constexpr size_t kMaxParentProcessLogs = 8;
} // namespace
const char* const CrashCollector::kUnknownValue = "unknown";
// Maximum crash reports per crash spool directory. Note that this is
// a separate maximum from the maximum rate at which we upload these
// diagnostics. The higher this rate is, the more space we allow for
// core files, minidumps, and kcrash logs, and equivalently the more
// processor and I/O bandwidth we dedicate to handling these crashes when
// many occur at once. Also note that if core files are configured to
// be left on the file system, we stop adding crashes when either the
// number of core files or minidumps reaches this number.
const int CrashCollector::kMaxCrashDirectorySize = 32;
const uid_t CrashCollector::kRootUid = 0;
using base::FilePath;
using base::StringPrintf;
// Create a directory using the specified mode/user/group, and make sure it
// is actually a directory with the specified permissions.
// static
bool CrashCollector::CreateDirectoryWithSettings(const FilePath& dir,
mode_t mode,
uid_t owner,
gid_t group,
int* dirfd_out) {
std::vector<FilePath::StringType> components;
const FilePath parent_dir = dir.DirName();
const FilePath final_dir = dir.BaseName();
int dirfd, parentfd;
// Walk the directory tree to make sure we avoid symlinks.
// All parent parts must already exist else we abort.
parentfd = AT_FDCWD;
for (const auto& component : components) {
dirfd = openat(parentfd, component.c_str(),
if (dirfd < 0) {
PLOG(ERROR) << "Unable to access crash path: " << dir.value() << " ("
<< component << ")";
if (parentfd != AT_FDCWD)
return false;
if (parentfd != AT_FDCWD)
parentfd = dirfd;
// Now handle the final part of the crash dir. This one we can initialize.
// Note: We omit O_CLOEXEC on purpose as children will use it.
const char* final_dir_str = final_dir.value().c_str();
dirfd = openat(parentfd, final_dir_str, O_DIRECTORY | O_NOFOLLOW | O_RDONLY);
if (dirfd < 0) {
if (errno != ENOENT) {
// Delete whatever is there.
if (unlinkat(parentfd, final_dir_str, 0) < 0) {
PLOG(ERROR) << "Unable to clean up crash path: " << dir.value();
return false;
// It doesn't exist, so create it! We'll recheck the mode below.
if (mkdirat(parentfd, final_dir_str, mode) < 0) {
if (errno != EEXIST) {
PLOG(ERROR) << "Unable to create crash directory: " << dir.value();
return false;
// Try once more before we give up.
// Note: We omit O_CLOEXEC on purpose as children will use it.
dirfd =
openat(parentfd, final_dir_str, O_DIRECTORY | O_NOFOLLOW | O_RDONLY);
if (dirfd < 0) {
PLOG(ERROR) << "Unable to open crash directory: " << dir.value();
return false;
// Make sure the ownership/permissions are correct in case they got reset.
// We stat it to avoid pointless metadata updates in the common case.
struct stat st;
if (fstat(dirfd, &st) < 0) {
PLOG(ERROR) << "Unable to stat crash path: " << dir.value();
return false;
// Change the ownership before we change the mode.
if (st.st_uid != owner || st.st_gid != group) {
if (fchown(dirfd, owner, group)) {
PLOG(ERROR) << "Unable to chown crash directory: " << dir.value();
return false;
// Update the mode bits.
if ((st.st_mode & 07777) != mode) {
if (fchmod(dirfd, mode)) {
PLOG(ERROR) << "Unable to chmod crash directory: " << dir.value();
return false;
if (dirfd_out)
*dirfd_out = dirfd;
return true;
CrashCollector::CrashCollector(const std::string& collector_name)
: CrashCollector(collector_name, false) {}
CrashCollector::CrashCollector(const std::string& collector_name,
bool force_user_crash_dir)
: lsb_release_(FilePath(paths::kEtcDirectory).Append(paths::kLsbRelease)),
force_user_crash_dir_(force_user_crash_dir) {
AddCrashMetaUploadData(kCollectorNameKey, collector_name);
CrashCollector::~CrashCollector() {
if (bus_)
void CrashCollector::Initialize(
CrashCollector::IsFeedbackAllowedFunction is_feedback_allowed_function) {
is_feedback_allowed_function_ = is_feedback_allowed_function;
void CrashCollector::SetUpDBus() {
if (bus_)
dbus::Bus::Options options;
options.bus_type = dbus::Bus::SYSTEM;
bus_ = new dbus::Bus(options);
new org::chromium::SessionManagerInterfaceProxy(bus_));
int CrashCollector::WriteNewFile(const FilePath& filename,
const char* data,
int size) {
// The O_NOFOLLOW is redundant with O_CREAT|O_EXCL, but doesn't hurt.
int fd = HANDLE_EINTR(open(
if (fd < 0) {
return -1;
int rv = base::WriteFileDescriptor(fd, data, size) ? size : -1;
base::ScopedClearErrno restore_error;
return rv;
std::string CrashCollector::Sanitize(const std::string& name) {
// Make sure the sanitized name does not include any periods.
// The logic in crash_sender relies on this.
std::string result = name;
for (size_t i = 0; i < name.size(); ++i) {
if (!isalnum(result[i]) && result[i] != '_')
result[i] = '_';
return result;
void CrashCollector::StripSensitiveData(std::string* contents) {
// At the moment, the only sensitive data we strip is MAC addresses and
// emails.
void CrashCollector::StripMacAddresses(std::string* contents) {
std::ostringstream result;
pcrecpp::StringPiece input(*contents);
std::string pre_re_str;
std::string re_str;
// Get rid of things that look like MAC addresses, since they could possibly
// give information about where someone has been. This is strings that look
// like this: 11:22:33:44:55:66
// Complications:
// - Within a given log, we want to be able to tell when the same MAC
// was used more than once. Thus, we'll consistently replace the first
// MAC found with 00:00:00:00:00:01, the second with ...:02, etc.
// - ACPI commands look like MAC addresses. We'll specifically avoid getting
// rid of those.
std::map<std::string, std::string> mac_map;
// This RE will find the next MAC address and can return us the data preceding
// the MAC and the MAC itself.
pcrecpp::RE mac_re(
// This RE will identify when the 'pre_mac_str' shows that the MAC address
// was really an ACPI cmd. The full string looks like this:
// ata1.00: ACPI cmd ef/10:03:00:00:00:a0 (SET FEATURES) filtered out
pcrecpp::RE acpi_re(
"ACPI cmd ef/$",
// Keep consuming, building up a result string as we go.
while (mac_re.Consume(&input, &pre_re_str, &re_str)) {
if (acpi_re.PartialMatch(pre_re_str)) {
// We really saw an ACPI command; add to result w/ no stripping.
result << pre_re_str << re_str;
} else {
// Found a MAC address; look up in our hash for the mapping.
std::string replacement_mac = mac_map[re_str];
if (replacement_mac == "") {
// It wasn't present, so build up a replacement string.
int mac_id = mac_map.size();
// Handle up to 2^32 unique MAC address; overkill, but doesn't hurt.
replacement_mac = StringPrintf(
"00:00:%02x:%02x:%02x:%02x", (mac_id & 0xff000000) >> 24,
(mac_id & 0x00ff0000) >> 16, (mac_id & 0x0000ff00) >> 8,
(mac_id & 0x000000ff));
mac_map[re_str] = replacement_mac;
// Dump the string before the MAC and the fake MAC address into result.
result << pre_re_str << replacement_mac;
// One last bit of data might still be in the input.
result << input;
// We'll just assign right back to |contents|.
*contents = result.str();
void CrashCollector::StripEmailAddresses(std::string* contents) {
std::ostringstream result;
pcrecpp::StringPiece input(*contents);
std::string pre_re_str;
std::string re_str;
// Email regex according RFC 5322. I feel dirty after this...
pcrecpp::RE email_re(
CHECK_EQ("", email_re.error());
while (email_re.Consume(&input, &pre_re_str, &re_str)) {
result << pre_re_str << "<redacted email address>";
result << input;
*contents = result.str();
std::string CrashCollector::FormatDumpBasename(const std::string& exec_name,
time_t timestamp,
pid_t pid) {
struct tm tm;
localtime_r(&timestamp, &tm);
std::string sanitized_exec_name = Sanitize(exec_name);
return StringPrintf("%s.%04d%02d%02d.%02d%02d%02d.%d",
sanitized_exec_name.c_str(), tm.tm_year + 1900,
tm.tm_mon + 1, tm.tm_mday, tm.tm_hour, tm.tm_min,
tm.tm_sec, pid);
FilePath CrashCollector::GetCrashPath(const FilePath& crash_directory,
const std::string& basename,
const std::string& extension) {
return crash_directory.Append(
StringPrintf("%s.%s", basename.c_str(), extension.c_str()));
bool CrashCollector::GetUserCrashDirectories(
std::vector<FilePath>* directories) {
return util::GetUserCrashDirectories(session_manager_proxy_.get(),
FilePath CrashCollector::GetUserCrashDirectory() {
FilePath user_directory = FilePath(paths::kFallbackUserCrashDirectory);
// When testing, store crashes in the fallback crash directory; otherwise,
// the test framework can't get to them after logging the user out.
if (ShouldHandleChromeCrashes()) {
return user_directory;
// In this multiprofile world, there is no one-specific user dir anymore.
// Ask the session manager for the active ones, then just run with the
// first result we get back.
std::vector<FilePath> directories;
if (!GetUserCrashDirectories(&directories) || directories.empty()) {
LOG(ERROR) << "Could not get user crash directories, using default.";
return user_directory;
user_directory = directories[0];
return user_directory;
FilePath CrashCollector::GetCrashDirectoryInfo(uid_t process_euid,
uid_t default_user_id,
gid_t default_user_group,
mode_t* mode,
uid_t* directory_owner,
gid_t* directory_group) {
// User crashes should go into the cryptohome, since they may contain PII.
// For system crashes, there may not be a cryptohome mounted, so we use the
// system crash path.
if (process_euid == default_user_id || force_user_crash_dir_) {
*mode = kUserCrashPathMode;
*directory_owner = default_user_id;
*directory_group = default_user_group;
return GetUserCrashDirectory();
} else {
*mode = kSystemCrashDirectoryMode;
*directory_owner = kRootUid;
*directory_group = kRootGroup;
return system_crash_path_;
bool CrashCollector::GetCreatedCrashDirectoryByEuid(uid_t euid,
FilePath* crash_directory,
bool* out_of_capacity) {
base::FilePath full_path;
uid_t default_user_id;
gid_t default_user_group;
if (out_of_capacity)
*out_of_capacity = false;
// For testing.
if (!forced_crash_directory_.empty()) {
*crash_directory = forced_crash_directory_;
return true;
if (!brillo::userdb::GetUserInfo(kDefaultUserName, &default_user_id,
&default_user_group)) {
LOG(ERROR) << "Could not find default user info";
return false;
mode_t directory_mode;
uid_t directory_owner;
gid_t directory_group;
full_path = GetCrashDirectoryInfo(euid, default_user_id, default_user_group,
&directory_mode, &directory_owner,
// Note: We "leak" dirfd to children so the /proc symlink below stays valid
// in their own context. We can't pass other /proc paths as they might not
// be accessible in the children (when dropping privs), and we don't want to
// pass the direct path in the filesystem as it'd be subject to TOCTOU.
int dirfd;
if (!CreateDirectoryWithSettings(full_path, directory_mode, directory_owner,
directory_group, &dirfd)) {
return false;
// Have all the rest of the tools access the directory by file handle. This
// avoids any TOCTOU races in case the underlying dir is changed on us.
const FilePath crash_dir_procfd =
LOG(INFO) << "Accessing crash dir '" << full_path.value()
<< "' via symlinked handle '" << crash_dir_procfd.value() << "'";
if (!CheckHasCapacity(crash_dir_procfd, full_path.value())) {
if (out_of_capacity)
*out_of_capacity = true;
return false;
*crash_directory = crash_dir_procfd;
return true;
// static
FilePath CrashCollector::GetProcessPath(pid_t pid) {
return FilePath(StringPrintf("/proc/%d", pid));
// static
bool CrashCollector::GetUptime(base::TimeDelta* uptime) {
timespec boot_time;
if (clock_gettime(CLOCK_BOOTTIME, &boot_time) != 0) {
PLOG(ERROR) << "Failed to get boot time.";
return false;
*uptime = base::TimeDelta::FromSeconds(boot_time.tv_sec) +
boot_time.tv_nsec / base::Time::kNanosecondsPerMicrosecond);
return true;
// static
bool CrashCollector::GetUptimeAtProcessStart(pid_t pid,
base::TimeDelta* uptime) {
std::string stat;
if (!base::ReadFileToString(GetProcessPath(pid).Append("stat"), &stat)) {
PLOG(ERROR) << "Failed to read process status.";
return false;
uint64_t ticks;
if (!ParseProcessTicksFromStat(stat, &ticks)) {
LOG(ERROR) << "Failed to parse process status: " << stat;
return false;
*uptime = base::TimeDelta::FromSecondsD(static_cast<double>(ticks) /
return true;
bool CrashCollector::GetExecutableBaseNameFromPid(pid_t pid,
std::string* base_name) {
FilePath target;
FilePath process_path = GetProcessPath(pid);
FilePath exe_path = process_path.Append("exe");
if (!base::ReadSymbolicLink(exe_path, &target)) {
LOG(INFO) << "ReadSymbolicLink failed - Path " << process_path.value()
<< " DirectoryExists: " << base::DirectoryExists(process_path);
// Try to further diagnose exe readlink failure cause.
struct stat buf;
int stat_result = stat(exe_path.value().c_str(), &buf);
int saved_errno = errno;
if (stat_result < 0) {
LOG(INFO) << "stat " << exe_path.value() << " failed: " << stat_result
<< " " << saved_errno;
} else {
LOG(INFO) << "stat " << exe_path.value()
<< " succeeded: st_mode=" << buf.st_mode;
return false;
*base_name = target.BaseName().value();
return true;
// Return true if the given crash directory has not already reached
// maximum capacity.
bool CrashCollector::CheckHasCapacity(const FilePath& crash_directory,
const std::string& display_path) {
DIR* dir = opendir(crash_directory.value().c_str());
if (!dir) {
PLOG(ERROR) << "Unable to open directory to check capacity: "
<< crash_directory.value();
return false;
struct dirent* ent;
bool full = false;
std::set<std::string> basenames;
// readdir_r is deprecated from glibc and we need to use readdir instead.
// readdir is safe for glibc because it guarantees readdir is thread safe,
// and atm we aren't supporting other C libraries
while ((ent = readdir(dir))) {
// Only count crash reports. Ignore all other supplemental files.
// We define "crash reports" as .meta, .dmp, or .core files.
// This does mean that we ignore random files that might accumulate but
// didn't come from us, but not a lot we can do about that. Our crash
// sender process should clean up unknown files independently.
const base::FilePath filename(ent->d_name);
const std::string ext = filename.FinalExtension();
if (ext != ".core" && ext != ".dmp" && ext != ".meta")
// Track the basenames as our unique identifiers. When the core/dmp files
// are part of a single report, this will count them as one report.
const std::string basename = filename.RemoveFinalExtension().value();
if (basenames.size() >= static_cast<size_t>(kMaxCrashDirectorySize)) {
LOG(WARNING) << "Crash directory " << display_path
<< " already full with " << kMaxCrashDirectorySize
<< " pending reports";
full = true;
return !full;
bool CrashCollector::CheckHasCapacity(const FilePath& crash_directory) {
return CheckHasCapacity(crash_directory, crash_directory.value());
bool CrashCollector::GetLogContents(const FilePath& config_path,
const std::string& exec_name,
const FilePath& output_file) {
brillo::KeyValueStore store;
if (!store.Load(config_path)) {
LOG(WARNING) << "Unable to read log configuration file "
<< config_path.value();
return false;
std::string command;
if (!store.GetString(exec_name, &command))
return false;
FilePath raw_output_file;
if (!base::CreateTemporaryFile(&raw_output_file)) {
PLOG(WARNING) << "Failed to create temporary file for raw log output.";
return false;
brillo::ProcessImpl diag_process;
diag_process.AddStringOption("-c", command);
const int result = diag_process.Run();
std::string log_contents;
const bool fully_read = base::ReadFileToStringWithMaxSize(
raw_output_file, &log_contents, max_log_size_);
base::DeleteFile(raw_output_file, false);
if (!fully_read) {
if (log_contents.empty()) {
LOG(WARNING) << "Failed to read raw log contents.";
return false;
// If ReadFileToStringWithMaxSize returned false and log_contents is
// non-empty, this means the log is larger than max_log_size_.
LOG(WARNING) << "Log is larger than " << max_log_size_
<< " bytes. Truncating.";
// If the registered command failed, we include any (partial) output it might
// have produced to improve crash reports. But make a note of the failure.
if (result != 0) {
const std::string warning = StringPrintf(
"\nLog command \"%s\" exited with %i\n", command.c_str(), result);
LOG(WARNING) << warning;
// Always do this after log_contents is "finished" so we don't accidentally
// leak data.
// We must use WriteNewFile instead of base::WriteFile as we
// do not want to write with root access to a symlink that an attacker
// might have created.
if (WriteNewFile(output_file,, log_contents.size()) !=
static_cast<int>(log_contents.length())) {
PLOG(WARNING) << "Error writing sanitized log to "
<< output_file.value().c_str();
return false;
return true;
bool CrashCollector::GetProcessTree(pid_t pid,
const base::FilePath& output_file) {
std::ostringstream stream;
// Grab a limited number of parent process details.
for (size_t depth = 0; depth < kMaxParentProcessLogs; ++depth) {
std::string contents;
stream << "### Process " << pid << std::endl;
const FilePath proc_path = GetProcessPath(pid);
const FilePath status_path = proc_path.Append("status");
// Read the command line and append it to the log.
if (!base::ReadFileToString(proc_path.Append("cmdline"), &contents))
base::ReplaceChars(contents, std::string(1, '\0'), " ", &contents);
stream << "cmdline: " << contents << std::endl;
// Read the status file and append it to the log.
if (!base::ReadFileToString(proc_path.Append("status"), &contents))
stream << contents << std::endl;
// Pull out the parent pid from the status file. The line will look like:
// PPid:\t1234
base::StringPairs pairs;
if (!base::SplitStringIntoKeyValuePairs(contents, ':', '\n', &pairs))
pid = 0;
for (const auto& key_value : pairs) {
if (key_value.first == "PPid") {
std::string value;
int ppid;
// Parse the parent pid. Set it only if it's valid.
base::TrimWhitespaceASCII(key_value.second, base::TRIM_ALL, &value);
if (base::StringToInt(value, &ppid))
pid = ppid;
// If we couldn't find the parent pid, break out.
if (pid == 0)
// Always do this after log collection is "finished" so we don't accidentally
// leak data.
std::string log = stream.str();
if (WriteNewFile(output_file,, log.size()) !=
static_cast<int>(log.size())) {
PLOG(WARNING) << "Error writing sanitized log to " << output_file.value();
return false;
return true;
void CrashCollector::AddCrashMetaData(const std::string& key,
const std::string& value) {
extra_metadata_.append(StringPrintf("%s=%s\n", key.c_str(), value.c_str()));
void CrashCollector::AddCrashMetaUploadFile(const std::string& key,
const std::string& path) {
if (!path.empty()) {
// TODO(vapier): Make it fatal if the name is not relative.
FilePath file_path = FilePath(path);
if (!NormalizeFilePath(file_path, &file_path))
PLOG(WARNING) << "Could not normalize " << path;
AddCrashMetaData(kUploadFilePrefix + key, file_path.value());
void CrashCollector::AddCrashMetaUploadData(const std::string& key,
const std::string& value) {
if (!value.empty())
AddCrashMetaData(kUploadVarPrefix + key, value);
void CrashCollector::AddCrashMetaUploadText(const std::string& key,
const std::string& path) {
if (!path.empty()) {
// TODO(vapier): Make it fatal if the name is not relative.
FilePath file_path = FilePath(path);
if (!NormalizeFilePath(file_path, &file_path))
PLOG(WARNING) << "Could not normalize " << path;
AddCrashMetaData(kUploadTextPrefix + key, file_path.value());
std::string CrashCollector::GetLsbReleaseValue(const std::string& key) const {
std::vector<base::FilePath> directories = {crash_reporter_state_path_,
std::string value;
if (util::GetCachedKeyValue(lsb_release_.BaseName(), key, directories,
&value)) {
return value;
return kUnknownValue;
std::string CrashCollector::GetOsVersion() const {
return GetLsbReleaseValue(kLsbOsVersionKey);
std::string CrashCollector::GetOsDescription() const {
return GetLsbReleaseValue(kLsbOsDescriptionKey);
std::string CrashCollector::GetKernelName() const {
struct utsname buf;
if (!test_kernel_name_.empty())
return test_kernel_name_;
if (uname(&buf))
return kUnknownValue;
return std::string(buf.sysname);
std::string CrashCollector::GetKernelVersion() const {
struct utsname buf;
if (!test_kernel_version_.empty())
return test_kernel_version_;
if (uname(&buf))
return kUnknownValue;
// 0.0.0 Linux 3.8.11 #1 SMP Wed Aug 22 02:18:30 PDT 2018 x86_64
return StringPrintf("0.0.0 %s %s %s %s", buf.sysname, buf.release,
buf.version, buf.machine);
void CrashCollector::WriteCrashMetaData(const FilePath& meta_path,
const std::string& exec_name,
const std::string& payload_name) {
// TODO(vapier): Make it fatal if the name is not relative.
FilePath payload_path = FilePath(payload_name);
payload_path = meta_path.DirName().Append(payload_path.BaseName());
if (!NormalizeFilePath(payload_path, &payload_path))
PLOG(WARNING) << "Could not normalize " << payload_name;
const std::string version = GetOsVersion();
const std::string description = GetOsDescription();
const std::string kernel_name = GetKernelName();
const std::string kernel_version = GetKernelVersion();
base::Time now = test_clock_ ? test_clock_->Now() : base::Time::Now();
int64_t now_millis = (now - base::Time::UnixEpoch()).InMilliseconds();
base::Time os_timestamp = util::GetOsTimestamp();
std::string os_timestamp_str;
if (!os_timestamp.is_null()) {
os_timestamp_str =
StringPrintf("os_millis=%" PRId64 "\n",
(os_timestamp - base::Time::UnixEpoch()).InMilliseconds());
std::string meta_data =
StringPrintf("%supload_var_reportTimeMillis=%" PRId64
extra_metadata_.c_str(), now_millis, description.c_str(),
kernel_name.c_str(), kernel_version.c_str(),
exec_name.c_str(), version.c_str(),
payload_path.value().c_str(), os_timestamp_str.c_str());
// We must use WriteNewFile instead of base::WriteFile as we
// do not want to write with root access to a symlink that an attacker
// might have created.
if (WriteNewFile(meta_path, meta_data.c_str(), meta_data.size()) < 0) {
PLOG(ERROR) << "Unable to write " << meta_path.value();
bool CrashCollector::ShouldHandleChromeCrashes() {
// If we're testing crash reporter itself, we don't want to allow an
// override for chrome crashes. And, let's be conservative and only
// allow an override for developer images.
if (!util::IsCrashTestInProgress() && util::IsDeveloperImage()) {
// Check if there's an override to indicate we should indeed collect
// chrome crashes. This allows the crashes to still be tracked when
// they occur in autotests. See "".
if (base::PathExists(FilePath(kCollectChromeFile)))
return true;
// We default to ignoring chrome crashes.
return false;
// Hash a string to a number. We define our own hash function to not
// be dependent on a C++ library that might change. This function
// uses basically the same approach as tr1/functional_hash.h but with
// a larger prime number (16127 vs 131).
unsigned CrashCollector::HashString(base::StringPiece input) {
unsigned hash = 0;
for (auto c : input)
hash = hash * 16127 + c;
return hash;
bool CrashCollector::InitializeSystemCrashDirectories() {
if (!CreateDirectoryWithSettings(FilePath(paths::kSystemCrashDirectory),
kSystemCrashDirectoryMode, kRootUid,
kRootGroup, nullptr))
return false;
if (!CreateDirectoryWithSettings(FilePath(paths::kSystemRunStateDirectory),
kSystemRunStateDirectoryMode, kRootUid,
kRootGroup, nullptr))
return false;
if (!CreateDirectoryWithSettings(
kCrashReporterStateDirectoryMode, kRootUid, kRootGroup, nullptr))
return false;
return true;
// static
bool CrashCollector::ParseProcessTicksFromStat(base::StringPiece stat,
uint64_t* ticks) {
// Skip "pid" and "comm" fields. See format in proc(5).
const auto pos = stat.find_last_of(')');
if (pos == base::StringPiece::npos)
return false;
stat.remove_prefix(pos + 1);
const auto fields = base::SplitStringPiece(stat, " ", base::TRIM_WHITESPACE,
constexpr size_t kStartTimePos = 19;
return fields.size() > kStartTimePos &&
base::StringToUint64(fields[kStartTimePos], ticks);