This is an archive of the discontinued LLVM Phabricator instance.

Differential D157640

[lldb] Improve error message when trying to debug a non-debuggable process
ClosedPublic

Authored by JDevlieghere on Aug 10 2023, 11:24 AM.

Details

Reviewers
jasonmolenda
aprantl
Commits
rGbe237b76da7e: [lldb] Improve error message when trying to debug a non-debuggable process
Summary

On the Swift forums [1][2], people are disabling SIP in order to debug process that are missing the get-task-allow entitlement. Improve the error to give developers a hint at the potential issues.

[1] https://forums.swift.org/t/yo-apple-xcode-debugging-swift-is-still-horribly-broken/62702/26
[2] https://forums.swift.org/t/finding-cycles-with-the-memory-graph-debugger-with-swift-pm-projects/62769/7

rdar://113704200

Diff Detail

Event Timeline

JDevlieghere created this revision.Aug 10 2023, 11:24 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 10 2023, 11:24 AM
JDevlieghere requested review of this revision.Aug 10 2023, 11:24 AM
Harbormaster completed remote builds in B251750: Diff 549119.Aug 10 2023, 11:28 AM
jasonmolenda added a comment.Aug 10 2023, 12:51 PM

I'm fine with this but on macOS I believe it's com.apple.security.get-task-allow v. "Entitlements on macOS"
https://developer.apple.com/documentation/technotes/tn3125-inside-code-signing-provisioning-profiles

jasonmolenda added a comment.Aug 10 2023, 12:51 PM

Maybe get-task-allow is allowed (lol) on macOS too.

jasonmolenda accepted this revision.Aug 10 2023, 12:51 PM
This revision is now accepted and ready to land.Aug 10 2023, 12:51 PM
jasonmolenda added a comment.Aug 10 2023, 12:59 PM

Maybe

const char *ent_name = 
#if TARGET_OS_OSX
"com.apple.security.get-task-allow";
#else
"get-task-allow";
#endif

debugserver is running on the target device so compile time checks are fine.

jingham added a subscriber: jingham.Aug 10 2023, 2:08 PM

In this function we have the path to the binary. We could spawn codesign -d -entitlements - and then we would know whether it had that entitlement.

Maybe that's more work than you wanted to do here, however.

jingham added a comment.Aug 10 2023, 2:09 PM

Not sure if codesign exists on iOS devices, but at least we could do this on macOS.

I thought we'd be able to tell from the Team Identifier whether it was a platform binary, but for /bin/ls & Co I get "not set" for the Team Identifier.

JDevlieghere added a comment.Aug 11 2023, 10:36 AM
In D157640#4578198, @jingham wrote:

In this function we have the path to the binary. We could spawn codesign -d -entitlements - and then we would know whether it had that entitlement.

Maybe that's more work than you wanted to do here, however.

Yeah I'm not sure that being able to be more precise is a huge improvement over the current error message. If we still see a lot of people struggling with this we can easily reconsider.

Closed by commit rGbe237b76da7e: [lldb] Improve error message when trying to debug a non-debuggable process (authored by JDevlieghere). · Explain WhyAug 11 2023, 10:47 AM
This revision was automatically updated to reflect the committed changes.
JDevlieghere added a commit: rGbe237b76da7e: [lldb] Improve error message when trying to debug a non-debuggable process.
Herald added a project: Restricted Project. · View Herald TranscriptAug 11 2023, 10:47 AM

Revision Contents

PathSize
lldb/
tools/
debugserver/
source/
15 lines

Diff 549459

lldb/tools/debugserver/source/DNB.cpp

Show First 20 LinesShow All 376 Lines▼ Show 20 Lines if (pid != INVALID_NUB_PROCESS) {
// point and get reparented to someone else and never go away. // point and get reparented to someone else and never go away.
DNBLog("Could not get task port for process, sending SIGKILL and " DNBLog("Could not get task port for process, sending SIGKILL and "
"exiting."); "exiting.");
kill(SIGKILL, pid); kill(SIGKILL, pid);
if (err_str && err_len > 0) { if (err_str && err_len > 0) {
if (launch_err.AsString()) { if (launch_err.AsString()) {
::snprintf(err_str, err_len, ::snprintf(err_str, err_len,
"failed to get the task for process %i (%s)", pid, "failed to get the task for process %i: %s", pid,
launch_err.AsString()); launch_err.AsString());
} else { } else {
const char *ent_name =
#if TARGET_OS_OSX
"com.apple.security.get-task-allow";
#else
"get-task-allow";
#endif
::snprintf(err_str, err_len, ::snprintf(err_str, err_len,
"failed to get the task for process %i", pid); "failed to get the task for process %i: this likely "
"means the process cannot be debugged, either because "
"it's a system process or because the process is "
"missing the %s entitlement.",
pid, ent_name);
} }
} }
} else { } else {
bool res = AddProcessToMap(pid, processSP); bool res = AddProcessToMap(pid, processSP);
UNUSED_IF_ASSERT_DISABLED(res); UNUSED_IF_ASSERT_DISABLED(res);
assert(res && "Couldn't add process to map!"); assert(res && "Couldn't add process to map!");
return pid; return pid;
} }
▲ Show 20 LinesShow All 1,463 LinesShow Last 20 Lines