Update comments in IsExceptionNonfatalResource() given 10.12 source

With reference to 10.12 source, commentary regarding RESOURCE_TYPE_IO can be authoritative. Cursory examination of 10.12 source reveals that RESOURCE_TYPE_MEMORY can now be fatal, although deeper examination reveals that this is impossible on macOS. State this authoritatively as well. BUG=crashpad:124 Change-Id: I52124c68fe017015983ab46e54006ba97ecd0142 Reviewed-on: https://chromium-review.googlesource.com/434297 Reviewed-by: Robert Sesek <rsesek@chromium.org>
2017-01-27 18:17:05 -05:00 · 2017-01-27 18:17:05 -05:00 · 3e5ae2dc87
--- a/util/mach/exception_types.cc
+++ b/util/mach/exception_types.cc
@ -309,15 +309,32 @@ bool IsExceptionNonfatalResource(exception_type_t exception,

  if (resource_type == RESOURCE_TYPE_MEMORY &&
      resource_flavor == FLAVOR_HIGH_WATERMARK) {
-    // These exceptions are never fatal. See 10.10
+    // These exceptions were never fatal prior to 10.12. See 10.10
    // xnu-2782.1.97/osfmk/kern/task.c
    // THIS_PROCESS_CROSSED_HIGH_WATERMARK__SENDING_EXC_RESOURCE().
+    //
+    // A superficial examination of 10.12 shows that these exceptions may be
+    // fatal, as determined by the P_MEMSTAT_FATAL_MEMLIMIT bit of the
+    // kernel-internal struct proc::p_memstat_state. See 10.12.3
+    // xnu-3789.41.3/osfmk/kern/task.c task_footprint_exceeded(). This bit is
+    // not exposed to user space, which makes it difficult to determine whether
+    // the kernel considers a given instance of this exception fatal. However, a
+    // close read reveals that it is only possible for this bit to become set
+    // when xnu-3789.41.3/bsd/kern/kern_memorystatus.c
+    // memorystatus_cmd_set_memlimit_properties() is called, which is only
+    // possible when the kernel is built with CONFIG_JETSAM set, or if the
+    // kern.memorystatus_highwater_enabled sysctl is used, which is only
+    // possible when the kernel is built with DEVELOPMENT or DEBUG set. Although
+    // CONFIG_JETSAM is used on iOS, it is not used on macOS. DEVELOPMENT and
+    // DEBUG are also not set for production kernels. It therefore remains
+    // impossible for these exceptions to be fatal, even on 10.12.
    return true;
  }

  if (resource_type == RESOURCE_TYPE_IO) {
-    // These exceptions don’t ever appear to be fatal. See
-    // https://crashpad.chromium.org/bug/124.
+    // These exceptions are never fatal. See 10.12.3
+    // xnu-3789.41.3/osfmk/kern/task.c
+    // SENDING_NOTIFICATION__THIS_PROCESS_IS_CAUSING_TOO_MUCH_IO().
    return true;
  }