(core) add ANR / livelock protection

This one has quite far-reaching consequences. The privilege-separated
part will now monitor a shared timestamp counter. If that counter stalls
for more than a fixed threshold of about 5 seconds, an interrupt signal
is sent.

This interrupt signal hooks into the lua state machine and generates a
scripting error, prompting the normal script error recover.  If that
does not resolve the situation, the child is forcibly killed and we move
into hard crash recovery.

Next iterations to consider for this tactic is to also have a SIGINT per
time-out restriction, and a chain-loader version used by the _lwa stage.

Author: letoram

HACKING.md

@@ -158,6 +158,17 @@ debugging quickly becomes very disruptive, and tracing sources becomes more
 important to get valuable information. In this section a few such sources and
 tactics are listed.
 
+## Watchdog
+
+When running a low level platform where arcan acts as the display server,
+there is a watchdog active that will first SIGINT (causing the Lua VM to reset)
+and if watchdog still isn't set, SIGKILL. When attaching a debugger, disable
+the watchdog with:
+
+    set arcan_watchdog_ping=0
+
+which is allocated in arcan\_conductor\_enable\_watchdog().
+
 ## Engine invocation
 
 The -q and -g arguments are useful tools for improving debugging. The -q

src/engine/arcan_conductor.c

@@ -14,6 +14,7 @@
 #include <stdbool.h>
 #include <stdio.h>
 #include <unistd.h>
+#include <stdatomic.h>
 
 #include "arcan_math.h"
 #include "arcan_general.h"
@@ -30,6 +31,16 @@
 #include "../platform/platform.h"
 #include "../platform/video_platform.h"
 
+/* defined in platform.h, used in psep open */
+uint64_t* _Atomic volatile arcan_watchdog_ping = NULL;
+
+void arcan_conductor_enable_watchdog()
+{
+	arcan_watchdog_ping = arcan_alloc_mem(system_page_size,
+		ARCAN_MEM_SHARED, ARCAN_MEM_BZERO, ARCAN_MEMALIGN_NATURAL);
+	atomic_store(arcan_watchdog_ping, arcan_timemillis());
+}
+
 /*
  * checklist:
  *  [ ] actual setup to realtime- plot the different timings and stages
@@ -545,6 +556,9 @@ static void conductor_cycle(int nticks)
  *
  * and tag transforms handlers being one tick off
  */
+	if (arcan_watchdog_ping)
+		atomic_store(arcan_watchdog_ping, arcan_timemillis());
+
 	arcan_lua_tick(main_lua_context, nticks, conductor.tick_count);
 	outcb(nticks);
 

src/engine/arcan_conductor.h

@@ -19,6 +19,9 @@ enum synch_method {
 int arcan_conductor_run(arcan_tick_cb cb);
 #endif
 
+/* [ called from platform ] */
+void arcan_conductor_enable_watchdog();
+
 /* [ called from platform ]
  * Specify the relationship between display, gpu, synch and object - displays
  * are never 'lost' though they can be disabled with a bad vobj. */

src/engine/arcan_lua.c

@@ -349,6 +349,7 @@ static bool tgtevent(arcan_vobj_id dst, arcan_event ev);
 static int alua_exposefuncs(lua_State* ctx, unsigned char debugfuncs);
 static bool grabapplfunction(lua_State* ctx, const char* funame, size_t funlen);
 static void rectrigger(const char* msg, ...);
+static void wraperr(lua_State* ctx, int errc, const char* src);
 
 static char* colon_escape(char* in)
 {
@@ -7195,6 +7196,22 @@ void arcan_lua_dostring(lua_State* ctx, const char* code)
 	(void)luaL_dostring(ctx, code);
 }
 
+
+static jmp_buf watchdog_dst;
+static void error_hook(lua_State* ctx, lua_Debug* ar)
+{
+/* will longjump into the pcall error handler which will trigger recovery */
+	luaL_error(ctx, "ANR - Application Not Responding");
+}
+
+static void sig_watchdog(int sig, siginfo_t* info, void* unused)
+{
+	if (getppid() == info->si_pid){
+/* set a hook that we can use to then invoke our error handler path */
+		lua_sethook(luactx.last_ctx, error_hook, LUA_MASKCOUNT, 1);
+	}
+}
+
 lua_State* arcan_lua_alloc()
 {
 	lua_State* res = luaL_newstate();
@@ -7204,6 +7221,14 @@ lua_State* arcan_lua_alloc()
 	if (res)
 		luaL_openlibs(res);
 
+/* watchdog has triggered with an ANR, continue the bouncy castle towards
+ * the 'normal' scripting recovery stage so we get information on where
+ * this comes from */
+	sigaction(SIGUSR1, &(struct sigaction){
+		.sa_sigaction = &sig_watchdog,
+		.sa_flags = SA_SIGINFO
+	}, NULL);
+
 	luactx.last_ctx = res;
 	return res;
 }
@@ -7266,11 +7291,13 @@ static int alua_shutdown(lua_State *ctx)
 }
 
 /*
- * There are three error functions,
- * [wraperr] is called on a lua_pcall() failure or from panic()
+ * There are four error paths,
+ * [wraperr] is called on a lua_pcall() failure, panic or parent watchdog
  * [panic]   is called by the lua VM on an internal failure
  * [rectrigger] is called on C API functions from Lua with bad arguments
  *              (through arcan_fatal redefinition)
+ * [SIGINT-handler] is used by the parent process if we fail to ping the
+ *                  watchdog (conductor processing)
  *
  * + the special 'alua_call' wrapper that may forward here with
  * the results from calling either _fatal entry point or debug:traceback
@@ -7380,7 +7407,6 @@ static void rectrigger(const char* msg, ...)
 	longjmp(arcanmain_recover_state, ARCAN_LUA_RECOVERY_SWITCH);
 }
 
-
 static void alua_call(
 	struct arcan_luactx* ctx, int nargs, int retc, const char* src)
 {

src/engine/arcan_main.c

@@ -61,18 +61,6 @@ static struct arcan_strarr arr_hooks = {0};
  * This allows a simpler recovery script to adopt orphaned frameservers.
  */
 jmp_buf arcanmain_recover_state;
-
-/*
- * default, probed / replaced on some systems
- */
-extern int system_page_size;
-
-/*
- * set manually from debugger to disable as much timing sensitive
- * behavior as posible in order to minimise effects of breakpoints
- */
-bool arcan_in_debug;
-
 struct arcan_luactx* main_lua_context;
 
 static const struct option longopts[] = {
@@ -332,6 +320,10 @@ static void add_hookscript(const char* instr)
 
 int MAIN_REDIR(int argc, char* argv[])
 {
+/* needed first as device_init might fork and need some shared mem */
+	system_page_size = sysconf(_SC_PAGE_SIZE);
+	arcan_conductor_enable_watchdog();
+
 /*
  * these are, in contrast to normal video_init/event_init, only set once
  * and not rerun on appl- switch etc. typically no-ops but may be used to
@@ -675,7 +667,6 @@ int MAIN_REDIR(int argc, char* argv[])
 
 /* setup device polling, cleanup, ... */
 	arcan_led_init();
-	system_page_size = sysconf(_SC_PAGE_SIZE);
 
 /*
  * fallback implementation resides here and a little further down in the "if

src/engine/arcan_mem.h

@@ -77,6 +77,11 @@ enum arcan_memtypes {
  */
 	ARCAN_MEM_STRINGBUF,
 
+/*
+ * Used for memory that needs to be shared/forked into a child process
+ */
+	ARCAN_MEM_SHARED,
+
 /*
  * Use- specific buffer associated with a video object (container
  * for 3d model, container for frameserver etc.) SMALL to TINY

src/platform/platform.h

@@ -31,6 +31,26 @@ unsigned long long arcan_timemillis();
  * existing ones due to platform specific expansion rules
  */
 
+/*
+ * Updated in the conductor stage with the latest known timestamp, Checked in
+ * the platform/posix/psep_open and is used to either send SIGINT (first) then
+ * if another timeout arrives, SIGKILL.
+ *
+ * The SIGINT is used in arcan_lua.c and used to trigger wraperr, which in turn
+ * will log the event and rebuild the VM.
+ *
+ * This serves to protect against livelocks in general, but in particular for
+ * the worst sinners, lua scripts getting stuck in while- loops from bad
+ * programming, and complex interactions in the egl-dri platform.
+ */
+extern uint64_t* _Atomic volatile arcan_watchdog_ping;
+#define WATCHDOG_ANR_TIMEOUT_MS 5000
+
+/*
+ * default, probed / replaced on some systems
+ */
+extern int system_page_size;
+
 /*
  * Execute and wait- for completion for the specified target.  This will shut
  * down as much engine- locked resources as possible while still possible to

src/platform/posix/mem.c

@@ -156,6 +156,16 @@ void* arcan_alloc_mem(size_t nb,
 	size_t total;
 
 	switch (type){
+/* this is not safe to _free at the moment since we don't track metadata yet,
+ * the refactor adding obsd/musl-new heap allocator should take this into account */
+	case ARCAN_MEM_SHARED:
+		rptr = mmap(NULL, system_page_size,
+			PROT_READ | PROT_WRITE,
+			MAP_SHARED | MAP_ANONYMOUS, -1, 0
+		);
+		total = system_page_size;
+
+	break;
 	case ARCAN_MEM_BINDING:
 	case ARCAN_MEM_THREADCTX:
 	case ARCAN_MEM_VBUFFER:
@@ -289,7 +299,6 @@ void arcan_mem_free(void* inptr)
  * automatically shrink, but rather reset and flag
  * as unused */
 
-
 	free(inptr);
 }
 

src/platform/posix/psep_open.c

@@ -9,6 +9,7 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <stdint.h>
+#include <stdatomic.h>
 #include <inttypes.h>
 #include <ctype.h>
 #include <grp.h>
@@ -29,6 +30,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include "platform.h"
+
+static uint64_t watchdog_anr_sent;
 
 #if defined(__OpenBSD__) || defined(__FreeBSD__)
 #include <sys/event.h>
@@ -378,7 +382,7 @@ static int access_device(const char* path, int arg, bool release, bool* keep)
 	struct stat devst;
 	*keep = false;
 
-/* special case, substitute TTY for the active tty device (if known) */
+/* special case 1, substitute TTY for the active tty device (if known) */
 	if (strcmp(path, "TTY") == 0){
 		if (!got_tty.active)
 			return -1;
@@ -388,7 +392,7 @@ static int access_device(const char* path, int arg, bool release, bool* keep)
 		}
 	}
 
-/* special case 2 - activate TTY (GRAPHICS switch) deferred to the first frame
+/* special case 3 - activate TTY (GRAPHICS switch) deferred to the first frame
  * so that any error output is actually visible after init but before first
  * composition, return this as an 'invalid file'. */
 	if (strcmp(path, "TTYGRAPHICS") == 0){
@@ -430,6 +434,8 @@ static int access_device(const char* path, int arg, bool release, bool* keep)
 			}
 			*keep = true;
 			if (whitelist[ind].mode & MODE_DRM){
+				if (arcan_watchdog_ping)
+					atomic_store(arcan_watchdog_ping, arcan_timemillis());
 				drmSetMaster(whitelist[ind].fd);
 			}
 			return whitelist[ind].fd;
@@ -573,13 +579,47 @@ static void check_child(pid_t child, bool die)
 		}
 	}
 /* or we want the child to soft-die? */
-	else if (die)
-		kill(SIGTERM, child);
-
-	if (die){
+	else if (die){
+		kill(child, SIGTERM);
 		release_devices();
 		_exit(WEXITSTATUS(st));
 	}
+
+/* first send a watchdog signal, SIGUSR1, child will check if it comes from
+ * ppid() or not - and use that as an 'ANR' (if it comes from the lua context,
+ * second time around, it's killing time */
+	uint64_t ts = arcan_watchdog_ping ? atomic_load(arcan_watchdog_ping) : 0;
+	if (ts && arcan_timemillis() - ts > WATCHDOG_ANR_TIMEOUT_MS){
+
+/* only trigger if there is a drm device open */
+		bool found = false;
+		for (size_t i = 0; i < COUNT_OF(whitelist); i++){
+			if (whitelist[i].fd != -1 && (whitelist[i].mode & MODE_DRM)){
+				found = true;
+				break;
+			}
+		}
+		if (!found)
+			return;
+
+/* the other option here would be to longjmp back into main, we ignore that as
+ * that would cause more complexity with pledge/unveil, so shutdown and assume
+ * an outer service manager would relaunch us if possible - we want explicit
+ * relaunch in order to not act as a fork() oracle for ASLR break */
+		if (watchdog_anr_sent){
+/*			if (arcan_timemillis() - watchdog_anr_sent > WATCHDOG_ANR_TIMEOUT_MS){
+				kill(child, SIGTERM);
+				release_devices();
+				_exit(EXIT_FAILURE);
+			}*/
+		}
+		else {
+			kill(child, SIGUSR1);
+			watchdog_anr_sent = arcan_timemillis();
+		}
+	}
+	else
+		watchdog_anr_sent = 0;
 }
 
 #if defined(__OpenBSD__) || defined(__FreeBSD__)
@@ -664,7 +704,7 @@ static void parent_loop(pid_t child, int netlink)
 
 	int rv = poll(pfd, netlink == -1 ? 1 : 2, 1000);
 	if (-1 == rv && (errno != EAGAIN && errno != EINTR))
-		check_child(child, true); /* don't to stronger than this */
+		check_child(child, true); /* don't go stronger than this */
 
 	if (rv == 0)
 		return;
@@ -760,6 +800,7 @@ static bool drop_privileges()
 static int psock = -1;
 void platform_device_init()
 {
+
 /*
  * Signs of these environment variables indicate that we are in a context where
  * other display servers exist, drop out immediately so that we don't risk