|
|
/*++
Copyright (c) 2001 Microsoft Corporation
Module Name:
verifier.c
Abstract:
Application verifier debugger extension for both ntsd and kd.
Author:
Silviu Calinoiu (SilviuC) 4-Mar-2001
Environment:
User Mode.
Revision History:
--*/
#include "precomp.h"
#pragma hdrstop
ULONGVrfGetArguments ( PCHAR ArgsString, PCHAR Args[], ULONG NoOfArgs );
VOIDVrfHelp ( );
BOOLEANVrfTraceInitialize ( );
ULONG64VrfTraceAddress ( ULONG TraceIndex );
VOIDVrfTraceDump ( ULONG TraceIndex );
VOIDVrfDumpSettings ( );
VOIDVrfDumpVspaceLog ( ULONG NoOfEntries, ULONG64 Address );
VOIDVrfDumpHeapLog ( ULONG NoOfEntries, ULONG64 Address );
DECLARE_API( avrf )
/*++
Routine Description:
Application verifier debugger extension.
Arguments:
args -
Return Value:
None
--*/{ PCHAR Args[16]; ULONG NoOfArgs, I;
INIT_API();
//
// Parse arguments.
//
NoOfArgs = VrfGetArguments ((PCHAR)args, Args, 16);#if 0
for (I = 0; I < NoOfArgs; I += 1) { dprintf ("%02u: %s\n", I, Args[I]); }#endif
//
// Check if help needed
//
if (NoOfArgs > 0 && strstr (Args[0], "?") != NULL) { VrfHelp (); goto Exit; }
if (VrfTraceInitialize() == FALSE) { goto Exit; }
if (NoOfArgs > 1 && _stricmp (Args[0], "-trace") == 0) { VrfTraceDump (atoi(Args[1])); goto Exit; } if (NoOfArgs > 1 && _stricmp (Args[0], "-vs") == 0) {
if (NoOfArgs > 2 && _stricmp (Args[1], "-a") == 0) {
ULONG64 Address; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[2], &Address, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to an address.\n", Args[2]); goto Exit; }
// sscanf (Args[2], "%I64X", &Address);
dprintf ("Searching in vspace log for address %I64X ...\n\n", Address); VrfDumpVspaceLog (0, Address); goto Exit; } else {
VrfDumpVspaceLog (atoi(Args[1]), 0); goto Exit; } } if (NoOfArgs > 1 && _stricmp (Args[0], "-hp") == 0) {
if (NoOfArgs > 2 && _stricmp (Args[1], "-a") == 0) {
ULONG64 Address; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[2], &Address, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to an address.\n", Args[2]); goto Exit; }
// sscanf (Args[2], "%I64X", &Address);
dprintf ("Searching in vspace log for address %I64X ...\n\n", Address); VrfDumpHeapLog (0, Address); goto Exit; } else {
VrfDumpHeapLog (atoi(Args[1]), 0); goto Exit; } } //
// If no option specified then we just print current settings.
//
VrfDumpSettings ();
Exit:
EXIT_API(); return S_OK;}
VOIDVrfHelp ( ){ dprintf ("Application verifier debugger extension \n" " \n" "!avrf displays current settings and stop \n" " data if a verifier stop happened. \n" "!avrf -vs N dumps last N entries from vspace log. \n" "!avrf -vs -a ADDR searches ADDR in the vspace log. \n" "!avrf -hp N dumps last N entries from heap log. \n" "!avrf -hp -a ADDR searches ADDR in the heap log. \n" " \n");}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////// Argument parsing routines
/////////////////////////////////////////////////////////////////////
PCHAR VrfGetArgument ( PCHAR Args, PCHAR * Next ){ PCHAR Start;
if (Args == NULL) { return NULL; }
while (*Args == ' ' || *Args == '\t') { Args += 1; }
if (*Args == '\0') { return NULL; }
Start = Args;
while (*Args != ' ' && *Args != '\t' && *Args != '\0') { Args += 1; }
if (*Args == '\0') { *Next = NULL; } else { *Args = '\0'; *Next = Args + 1; }
return Start;}
ULONGVrfGetArguments ( PCHAR ArgsString, PCHAR Args[], ULONG NoOfArgs ){ PCHAR Arg = ArgsString; PCHAR Next; ULONG Index; for (Index = 0; Index < NoOfArgs; Index += 1) {
Arg = VrfGetArgument (Arg, &Next);
if (Arg) { Args[Index] = Arg; } else { break; }
Arg = Next; }
return Index;}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////// Dump stack traces
/////////////////////////////////////////////////////////////////////
ULONG64 TraceDbArrayEnd;ULONG PvoidSize;
BOOLEANVrfTraceInitialize ( ){ ULONG64 TraceDatabaseAddress; ULONG64 TraceDatabase;
//
// Stack trace database address
//
TraceDatabaseAddress = GetExpression("ntdll!RtlpStackTraceDataBase"); if ( TraceDatabaseAddress == 0 ) { dprintf( "Unable to resolve ntdll!RtlpStackTraceDataBase symbolic name.\n"); return FALSE; }
if (ReadPtr (TraceDatabaseAddress, &TraceDatabase ) != S_OK) { dprintf( "Cannot read pointer at ntdll!RtlpStackTraceDataBase\n" ); return FALSE; }
if (TraceDatabase == 0) { dprintf( "Stack traces not enabled (ntdll!RtlpStackTraceDataBase is null).\n" ); return FALSE; }
//
// Find the array of stack traces
//
if (InitTypeRead(TraceDatabase, ntdll!_STACK_TRACE_DATABASE)) { dprintf("Unable to read type ntdll!_STACK_TRACE_DATABASE @ %p\n", TraceDatabase); return FALSE; }
TraceDbArrayEnd = ReadField (EntryIndexArray);
PvoidSize = GetTypeSize ("ntdll!PVOID");
return TRUE;}
ULONG64VrfTraceAddress ( ULONG TraceIndex ){ ULONG64 TracePointerAddress; ULONG64 TracePointer;
TracePointerAddress = TraceDbArrayEnd - TraceIndex * PvoidSize;
if (ReadPtr (TracePointerAddress, &TracePointer) != S_OK) { dprintf ("Cannot read stack trace address @ %p\n", TracePointerAddress); return 0; }
return TracePointer;}
VOIDVrfTraceDump ( ULONG TraceIndex ){ ULONG64 TraceAddress; ULONG64 TraceArray; ULONG TraceDepth; ULONG Offset; ULONG Index; ULONG64 ReturnAddress; CHAR Symbol[ 1024 ]; ULONG64 Displacement;
//
// Get real address of the trace.
//
TraceAddress = VrfTraceAddress (TraceIndex);
if (TraceAddress == 0) { return; }
//
// Read the stack trace depth
//
if (InitTypeRead(TraceAddress, ntdll!_RTL_STACK_TRACE_ENTRY)) { dprintf("Unable to read type ntdll!_RTL_STACK_TRACE_ENTRY @ %p\n", TraceAddress); return; }
TraceDepth = (ULONG)ReadField (Depth);
//
// Limit the depth to 20 to protect ourselves from corrupted data
//
TraceDepth = __min (TraceDepth, 16);
//
// Get a pointer to the BackTrace array
//
GetFieldOffset ("ntdll!_RTL_STACK_TRACE_ENTRY", "BackTrace", &Offset); TraceArray = TraceAddress + Offset;
//
// Dump this stack trace. Skip first two entries.
//
TraceArray += 2 * PvoidSize;
for (Index = 2; Index < TraceDepth; Index += 1) {
if (ReadPtr (TraceArray, &ReturnAddress) != S_OK) { dprintf ("Cannot read address @ %p\n", TraceArray); return; }
GetSymbol (ReturnAddress, Symbol, &Displacement);
dprintf ("\t%p: %s+0x%I64X\n", ReturnAddress, Symbol, Displacement );
TraceArray += PvoidSize; }}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////// Dump settings
/////////////////////////////////////////////////////////////////////
VOIDVrfDumpSettings ( ){ ULONG64 FlagsAddress; ULONG Flags; ULONG BytesRead; ULONG64 StopAddress; ULONG64 StopData[5]; ULONG I; ULONG UlongPtrSize;
UlongPtrSize = GetTypeSize ("ntdll!ULONG_PTR"); FlagsAddress = GetExpression("ntdll!AVrfpVerifierFlags"); if (FlagsAddress == 0) { dprintf( "Unable to resolve ntdll!AVrfpVerifierFlags symbolic name.\n"); return; }
if (ReadMemory (FlagsAddress, &Flags, sizeof Flags, &BytesRead) == FALSE) { dprintf ("Cannot read value @ %p (ntdll!AVrfpVerifierFlags) \n", FlagsAddress); return; }
dprintf ("Application verifier settings (%08X): \n\n", Flags);
if (Flags & RTL_VRF_FLG_FULL_PAGE_HEAP) { dprintf (" - full page heap\n"); } else { dprintf (" - light page heap\n"); } if (Flags & RTL_VRF_FLG_LOCK_CHECKS) { dprintf (" - lock checks (critical section verifier)\n"); } if (Flags & RTL_VRF_FLG_HANDLE_CHECKS) { dprintf (" - handle checks\n"); } if (Flags & RTL_VRF_FLG_STACK_CHECKS) { dprintf (" - stack checks (disable automatic stack extensions)\n"); }
dprintf ("\n");
//
// Check if a verifier stop has been encountered.
//
StopAddress = GetExpression("ntdll!AVrfpStopData"); if (StopAddress == 0) { dprintf( "Unable to resolve ntdll!AVrfpStopData symbolic name.\n"); return; }
for (I = 0; I < 5; I += 1) {
if (ReadPtr (StopAddress + I * UlongPtrSize, &(StopData[I])) != S_OK) { dprintf ("Cannot read value @ %p \n", StopAddress + I * UlongPtrSize); } }
if (StopData[0] != 0) {
dprintf ("Stop %p: %p %p %p %p \n", StopData[0], StopData[1], StopData[2], StopData[3], StopData[4]);
// silviuc: dump more text info about the verifier_stop
}}
/////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////// Dump vspace log
/////////////////////////////////////////////////////////////////////
VOIDVrfDumpVspaceLog ( ULONG NoOfEntries, ULONG64 Address ){ ULONG64 IndexAddress; ULONG Index; ULONG64 LogAddress; ULONG EntrySize; ULONG MaxIndex = 8192; // silviuc: should not be hard coded
ULONG BytesRead; ULONG64 EntryAddress; ULONG TraceIndex; ULONG I; PCHAR OpName; BOOLEAN Found = FALSE;
if (Address) { NoOfEntries = MaxIndex; } else { if (NoOfEntries == 0) { NoOfEntries = 8; } }
EntrySize = GetTypeSize ("verifier!_VS_CALL"); IndexAddress = GetExpression("verifier!VsCallsIndex"); LogAddress = GetExpression("verifier!VsCalls"); if (IndexAddress == 0 || LogAddress == 0 || EntrySize == 0) { dprintf( "Incorrect symbols for verifier.dll.\n"); return; }
if (ReadMemory (IndexAddress, &Index, sizeof Index, &BytesRead) == FALSE) { dprintf ("Cannot read value @ %p (verifier!VsCallsIndex) \n", IndexAddress); return; }
for (I = 0; I < NoOfEntries; I += 1) {
ULONG64 VsAddress; ULONG64 VsSize; BOOLEAN PrintTrace;
EntryAddress = LogAddress + EntrySize * ((Index - I) % MaxIndex);
if (InitTypeRead (EntryAddress, verifier!_VS_CALL)) { dprintf("Unable to read type verifier!_VS_CALL @ %p\n", EntryAddress); return; }
switch ((ULONG)ReadField(Type)) { case 0: OpName = "VirtualAlloc"; break; case 1: OpName = "VirtualFree"; break; case 2: OpName = "MapView"; break; case 3: OpName = "UnmapView"; break; default:OpName = "Unknown?"; break; }
VsAddress = ReadField(Address); VsSize = ReadField (Size);
if (Address) { if (VsAddress <= Address && Address < VsAddress + VsSize) { PrintTrace = TRUE; } else { PrintTrace = FALSE; } } else { PrintTrace = TRUE; }
if (PrintTrace) {
Found = TRUE;
dprintf ("%s (tid: 0x%X): \n" "address: %p \n" "size: %p\n" "operation: %X\n" "protection: %X\n", OpName, (ULONG)ReadField(Thread), VsAddress, VsSize, (ULONG)ReadField(Operation), (ULONG)ReadField(Protection));
TraceIndex = (ULONG) ReadField (Trace); VrfTraceDump (TraceIndex); dprintf ("\n"); } } if (! Found) { dprintf ("No entries found. \n"); }}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////// Dump heap log
/////////////////////////////////////////////////////////////////////
VOIDVrfDumpHeapLog ( ULONG NoOfEntries, ULONG64 Address ){ ULONG64 IndexAddress; ULONG Index; ULONG64 LogAddress; ULONG EntrySize; ULONG MaxIndex = 8192; // silviuc: should not be hard coded
ULONG BytesRead; ULONG64 EntryAddress; ULONG TraceIndex; ULONG I; PCHAR OpName; BOOLEAN Found = FALSE;
if (Address) { NoOfEntries = MaxIndex; } else { if (NoOfEntries == 0) { NoOfEntries = 8; } }
EntrySize = GetTypeSize ("verifier!_HEAP_CALL"); IndexAddress = GetExpression("verifier!HeapCallsIndex"); LogAddress = GetExpression("verifier!HeapCalls"); if (IndexAddress == 0 || LogAddress == 0 || EntrySize == 0) { dprintf( "Incorrect symbols for verifier.dll.\n"); return; }
if (ReadMemory (IndexAddress, &Index, sizeof Index, &BytesRead) == FALSE) { dprintf ("Cannot read value @ %p (verifier!HeapCallsIndex) \n", IndexAddress); return; }
for (I = 0; I < NoOfEntries; I += 1) {
ULONG64 VsAddress; ULONG64 VsSize; BOOLEAN PrintTrace;
EntryAddress = LogAddress + EntrySize * ((Index - I) % MaxIndex);
if (InitTypeRead (EntryAddress, verifier!_HEAP_CALL)) { dprintf("Unable to read type verifier!_HEAP_CALL @ %p\n", EntryAddress); return; }
VsAddress = ReadField(Address); VsSize = ReadField (Size);
if (VsSize == 0) { OpName = "free"; } else { OpName = "alloc"; }
if (Address) { if (VsAddress <= Address && Address <= VsAddress + VsSize) { PrintTrace = TRUE; } else { PrintTrace = FALSE; } } else { PrintTrace = TRUE; }
if (PrintTrace) {
Found = TRUE;
dprintf ("%s (tid: 0x%X): \n" "address: %p \n" "size: %p\n", OpName, (ULONG)ReadField(Thread), VsAddress, VsSize);
TraceIndex = (ULONG) ReadField (Trace); VrfTraceDump (TraceIndex); dprintf ("\n"); } }
if (! Found) { dprintf ("No entries found. \n"); }}
|
