Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

881 lines
19 KiB

  1. /*++
  2. Copyright (c) 1991 Microsoft Corporation
  3. Module Name:
  4. x86trace.c
  5. Abstract:
  6. This module contains routines to get runtime stack traces
  7. for the x86 architecture.
  8. Author:
  9. Silviu Calinoiu (silviuc) 18-Feb-2001
  10. Revision History:
  11. --*/
  12. #include <ntos.h>
  13. #include <ntrtl.h>
  14. #include "ntrtlp.h"
  15. #include <nturtl.h>
  16. #include <zwapi.h>
  17. #include <stktrace.h>
  18. #include <heap.h>
  19. #include <heappriv.h>
  20. //
  21. // Forward declarations.
  22. //
  23. BOOLEAN
  24. RtlpCaptureStackLimits (
  25. ULONG_PTR HintAddress,
  26. PULONG_PTR StartStack,
  27. PULONG_PTR EndStack);
  28. BOOLEAN
  29. RtlpStkIsPointerInDllRange (
  30. ULONG_PTR Value
  31. );
  32. BOOLEAN
  33. RtlpStkIsPointerInNtdllRange (
  34. ULONG_PTR Value
  35. );
  36. VOID
  37. RtlpCaptureContext (
  38. OUT PCONTEXT ContextRecord
  39. );
  40. BOOLEAN
  41. NtdllOkayToLockRoutine(
  42. IN PVOID Lock
  43. );
  44. //
  45. // Fuzzy stack traces
  46. //
  47. #if !defined(NTOS_KERNEL_RUNTIME)
  48. BOOLEAN RtlpFuzzyStackTracesEnabled;
  49. ULONG RtlpWalkFrameChainFuzzyCalls;
  50. #endif
  51. ULONG
  52. RtlpWalkFrameChainFuzzy (
  53. OUT PVOID *Callers,
  54. IN ULONG Count
  55. );
  56. #if !defined(RtlGetCallersAddress) && (!NTOS_KERNEL_RUNTIME)
  57. VOID
  58. RtlGetCallersAddress(
  59. OUT PVOID *CallersAddress,
  60. OUT PVOID *CallersCaller
  61. )
  62. /*++
  63. Routine Description:
  64. This routine returns the first two callers on the current stack. It should be
  65. noted that the function can miss some of the callers in the presence of FPO
  66. optimization.
  67. Arguments:
  68. CallersAddress - address to save the first caller.
  69. CallersCaller - address to save the second caller.
  70. Return Value:
  71. None. If the function does not succeed in finding the two callers
  72. it will zero the addresses where it was supposed to write them.
  73. Environment:
  74. X86, user mode and w/o having a macro with same name defined.
  75. --*/
  76. {
  77. PVOID BackTrace[ 2 ];
  78. ULONG Hash;
  79. USHORT Count;
  80. Count = RtlCaptureStackBackTrace(
  81. 2,
  82. 2,
  83. BackTrace,
  84. &Hash
  85. );
  86. if (ARGUMENT_PRESENT( CallersAddress )) {
  87. if (Count >= 1) {
  88. *CallersAddress = BackTrace[ 0 ];
  89. }
  90. else {
  91. *CallersAddress = NULL;
  92. }
  93. }
  94. if (ARGUMENT_PRESENT( CallersCaller )) {
  95. if (Count >= 2) {
  96. *CallersCaller = BackTrace[ 1 ];
  97. }
  98. else {
  99. *CallersCaller = NULL;
  100. }
  101. }
  102. return;
  103. }
  104. #endif // !defined(RtlGetCallersAddress) && (!NTOS_KERNEL_RUNTIME)
  105. /////////////////////////////////////////////////////////////////////
  106. //////////////////////////////////////////// RtlCaptureStackBackTrace
  107. /////////////////////////////////////////////////////////////////////
  108. USHORT
  109. RtlCaptureStackBackTrace(
  110. IN ULONG FramesToSkip,
  111. IN ULONG FramesToCapture,
  112. OUT PVOID *BackTrace,
  113. OUT PULONG BackTraceHash
  114. )
  115. /*++
  116. Routine Description:
  117. This routine walks up the stack frames, capturing the return address from
  118. each frame requested.
  119. Arguments:
  120. FramesToSkip - frames detected but not included in the stack trace
  121. FramesToCapture - frames to be captured in the stack trace buffer.
  122. One of the frames will be for RtlCaptureStackBackTrace.
  123. BackTrace - stack trace buffer
  124. BackTraceHash - very simple hash value that can be used to organize
  125. hash tables. It is just an arithmetic sum of the pointers in the
  126. stack trace buffer. If NULL then no hash value is computed.
  127. Return Value:
  128. Number of return addresses returned in the stack trace buffer.
  129. --*/
  130. {
  131. PVOID Trace [2 * MAX_STACK_DEPTH];
  132. ULONG FramesFound;
  133. ULONG HashValue;
  134. ULONG Index;
  135. //
  136. // One more frame to skip for the "capture" function (RtlWalkFrameChain).
  137. //
  138. FramesToSkip += 1;
  139. //
  140. // Sanity checks.
  141. //
  142. if (FramesToCapture + FramesToSkip >= 2 * MAX_STACK_DEPTH) {
  143. return 0;
  144. }
  145. #if defined(NTOS_KERNEL_RUNTIME)
  146. FramesFound = RtlWalkFrameChain (Trace,
  147. FramesToCapture + FramesToSkip,
  148. 0);
  149. #else
  150. if (RtlpFuzzyStackTracesEnabled) {
  151. FramesFound = RtlpWalkFrameChainFuzzy (Trace,
  152. FramesToCapture + FramesToSkip);
  153. }
  154. else {
  155. FramesFound = RtlWalkFrameChain (Trace,
  156. FramesToCapture + FramesToSkip,
  157. 0);
  158. }
  159. #endif
  160. if (FramesFound <= FramesToSkip) {
  161. return 0;
  162. }
  163. #if defined(NTOS_KERNEL_RUNTIME)
  164. Index = 0;
  165. #else
  166. //
  167. // Mark fuzzy stack traces with a FF...FF value.
  168. //
  169. if (RtlpFuzzyStackTracesEnabled) {
  170. BackTrace[0] = (PVOID)((ULONG_PTR)-1);
  171. Index = 1;
  172. }
  173. else {
  174. Index = 0;
  175. }
  176. #endif
  177. for (HashValue = 0; Index < FramesToCapture; Index++) {
  178. if (FramesToSkip + Index >= FramesFound) {
  179. break;
  180. }
  181. BackTrace[Index] = Trace[FramesToSkip + Index];
  182. HashValue += PtrToUlong(BackTrace[Index]);
  183. }
  184. if (BackTraceHash != NULL) {
  185. *BackTraceHash = HashValue;
  186. }
  187. return (USHORT)Index;
  188. }
  189. /////////////////////////////////////////////////////////////////////
  190. /////////////////////////////////////////////////// RtlWalkFrameChain
  191. /////////////////////////////////////////////////////////////////////
  192. #define SIZE_1_KB ((ULONG_PTR) 0x400)
  193. #define SIZE_1_GB ((ULONG_PTR) 0x40000000)
  194. #define PAGE_START(address) (((ULONG_PTR)address) & ~((ULONG_PTR)PAGE_SIZE - 1))
  195. #if FPO
  196. #pragma optimize( "y", off ) // disable FPO
  197. #endif
  198. ULONG
  199. RtlWalkFrameChain (
  200. OUT PVOID *Callers,
  201. IN ULONG Count,
  202. IN ULONG Flags
  203. )
  204. /*++
  205. Routine Description:
  206. This function tries to walk the EBP chain and fill out a vector of
  207. return addresses. It is possible that the function cannot fill the
  208. requested number of callers. In this case the function will just return
  209. with a smaller stack trace. In kernel mode the function should not take
  210. any exceptions (page faults) because it can be called at all sorts of
  211. irql levels.
  212. The `Flags' parameter is used for future extensions. A zero value will be
  213. compatible with new stack walking algorithms.
  214. A value of 1 for `Flags' means we are running in K-mode and we want to get
  215. the user mode stack trace.
  216. Return value:
  217. The number of identified return addresses on the stack. This can be less
  218. then the Count requested.
  219. --*/
  220. {
  221. ULONG_PTR Fp, NewFp, ReturnAddress;
  222. ULONG Index;
  223. ULONG_PTR StackEnd, StackStart;
  224. BOOLEAN Result;
  225. BOOLEAN InvalidFpValue;
  226. //
  227. // Get the current EBP pointer which is supposed to
  228. // be the start of the EBP chain.
  229. //
  230. _asm mov Fp, EBP;
  231. StackStart = Fp;
  232. InvalidFpValue = FALSE;
  233. if (Flags == 0) {
  234. if (! RtlpCaptureStackLimits (Fp, &StackStart, &StackEnd)) {
  235. return 0;
  236. }
  237. }
  238. try {
  239. #if defined(NTOS_KERNEL_RUNTIME)
  240. //
  241. // If we need to get the user mode stack trace from kernel mode
  242. // figure out the proper limits.
  243. //
  244. if (Flags == 1) {
  245. PTEB Teb = NtCurrentTeb();
  246. PKTHREAD Thread = KeGetCurrentThread ();
  247. //
  248. // If this is a system thread, it has no Teb and no kernel mode
  249. // stack, so check for it so we don't dereference NULL.
  250. //
  251. if (Teb == NULL) {
  252. return 0;
  253. }
  254. StackStart = (ULONG_PTR)(Teb->NtTib.StackLimit);
  255. StackEnd = (ULONG_PTR)(Teb->NtTib.StackBase);
  256. Fp = (ULONG_PTR)(Thread->TrapFrame->Ebp);
  257. if (StackEnd <= StackStart) {
  258. return 0;
  259. }
  260. ProbeForRead (StackStart, StackEnd - StackStart, sizeof (UCHAR));
  261. }
  262. #endif
  263. for (Index = 0; Index < Count; Index += 1) {
  264. if (Fp >= StackEnd || StackEnd - Fp < sizeof(ULONG_PTR) * 2) {
  265. break;
  266. }
  267. NewFp = *((PULONG_PTR)(Fp + 0));
  268. ReturnAddress = *((PULONG_PTR)(Fp + sizeof(ULONG_PTR)));
  269. //
  270. // Figure out if the new frame pointer is ok. This validation
  271. // should avoid all exceptions in kernel mode because we always
  272. // read within the current thread's stack and the stack is
  273. // guaranteed to be in memory (no page faults). It is also guaranteed
  274. // that we do not take random exceptions in user mode because we always
  275. // keep the frame pointer within stack limits.
  276. //
  277. if (! (Fp < NewFp && NewFp < StackEnd)) {
  278. InvalidFpValue = TRUE;
  279. }
  280. //
  281. // Figure out if the return address is ok. If return address
  282. // is a stack address or <64k then something is wrong. There is
  283. // no reason to return garbage to the caller therefore we stop.
  284. //
  285. if (StackStart < ReturnAddress && ReturnAddress < StackEnd) {
  286. break;
  287. }
  288. #if defined(NTOS_KERNEL_RUNTIME)
  289. if (Flags == 0 && ReturnAddress < 0x80000000) {
  290. #else
  291. // if (ReturnAddress < 0x1000000 || ReturnAddress >= 0x80000000) {
  292. if (! RtlpStkIsPointerInDllRange(ReturnAddress)) {
  293. #endif
  294. break;
  295. }
  296. //
  297. // Store new fp and return address and move on.
  298. // If the new FP value is bogus but the return address
  299. // looks ok then we still save the address.
  300. //
  301. if (InvalidFpValue) {
  302. Callers[Index] = (PVOID)ReturnAddress;
  303. Index += 1;
  304. break;
  305. }
  306. else {
  307. Fp = NewFp;
  308. Callers[Index] = (PVOID)ReturnAddress;
  309. }
  310. }
  311. }
  312. except (EXCEPTION_EXECUTE_HANDLER) {
  313. Index = 0;
  314. }
  315. //
  316. // Return the number of return addresses identified on the stack.
  317. //
  318. return Index;
  319. }
  320. #if FPO
  321. #pragma optimize( "y", off ) // disable FPO
  322. #endif
  323. #if !defined(NTOS_KERNEL_RUNTIME)
  324. ULONG
  325. RtlpWalkFrameChainFuzzy (
  326. OUT PVOID *Callers,
  327. IN ULONG Count
  328. )
  329. /*++
  330. Routine Description:
  331. This function tries to walk the EBP chain and fill out a vector of
  332. return addresses. The function works only on x86. If the EBP chain ends
  333. it will try to pick up the start of the next one. Therefore this will not
  334. give an accurate stack trace but rather something that a desperate developer
  335. might find useful in chasing a leak.
  336. Return value:
  337. The number of identified return addresses on the stack.
  338. --*/
  339. {
  340. ULONG_PTR Fp, NewFp, ReturnAddress, NextPtr;
  341. ULONG Index;
  342. ULONG_PTR StackEnd, StackStart;
  343. BOOLEAN Result;
  344. ULONG_PTR Esp, LastEbp;
  345. //
  346. // Get the current EBP pointer which is supposed to
  347. // be the start of the EBP chain.
  348. //
  349. _asm mov Fp, EBP;
  350. if (! RtlpCaptureStackLimits (Fp, &StackStart, &StackEnd)) {
  351. return 0;
  352. }
  353. try {
  354. for (Index = 0; Index < Count; Index += 1) {
  355. NextPtr = Fp + sizeof(ULONG_PTR);
  356. if (NextPtr >= StackEnd) {
  357. break;
  358. }
  359. NewFp = *((PULONG_PTR)Fp);
  360. if (! (Fp < NewFp && NewFp < StackEnd)) {
  361. NewFp = NextPtr;
  362. }
  363. ReturnAddress = *((PULONG_PTR)NextPtr);
  364. #if defined(NTOS_KERNEL_RUNTIME)
  365. //
  366. // If the return address is a stack address it may point to where on the stack
  367. // the real return address is (FPO) so as long as we are within stack limits lets loop
  368. // hoping to find a pointer to a real address.
  369. //
  370. if (StackStart < ReturnAddress && ReturnAddress < StackEnd) {
  371. Fp = NewFp;
  372. Index -= 1;
  373. continue;
  374. }
  375. if (ReturnAddress < 0x80000000) {
  376. #else
  377. if (! RtlpStkIsPointerInDllRange(ReturnAddress)) {
  378. #endif
  379. Fp = NewFp;
  380. Index -= 1;
  381. continue;
  382. }
  383. //
  384. // Store new fp and return address and move on.
  385. // If the new FP value is bogus but the return address
  386. // looks ok then we still save the address.
  387. //
  388. Fp = NewFp;
  389. Callers[Index] = (PVOID)ReturnAddress;
  390. }
  391. }
  392. except (EXCEPTION_EXECUTE_HANDLER) {
  393. #if DBG
  394. DbgPrint ("Unexpected exception in RtlpWalkFrameChainFuzzy ...\n");
  395. DbgBreakPoint ();
  396. #endif
  397. }
  398. //
  399. // Return the number of return addresses identified on the stack.
  400. //
  401. return Index;
  402. }
  403. #endif // #if !defined(NTOS_KERNEL_RUNTIME)
  404. /////////////////////////////////////////////////////////////////////
  405. ////////////////////////////////////////////// RtlCaptureStackContext
  406. /////////////////////////////////////////////////////////////////////
  407. #if FPO
  408. #pragma optimize( "y", off ) // disable FPO
  409. #endif
  410. ULONG
  411. RtlCaptureStackContext (
  412. OUT PULONG_PTR Callers,
  413. OUT PRTL_STACK_CONTEXT Context,
  414. IN ULONG Limit
  415. )
  416. /*++
  417. Routine Description:
  418. This routine will detect up to `Limit' potential callers from the stack.
  419. A potential caller is a pointer (PVOID) that points into one of the
  420. regions occupied by modules loaded into the process space (user mode -- dlls)
  421. or kernel space (kernel mode -- drivers).
  422. Note. Based on experiments you need to save at least 64 pointers to be sure you
  423. get a complete stack.
  424. Arguments:
  425. Callers - vector to be filled with potential return addresses. Its size is
  426. expected to be `Limit'. If it is not null then Context should be null.
  427. Context - if not null the caller wants the stack context to be saved here
  428. as opposed to the Callers parameter.
  429. Limit - # of pointers that can be written into Callers and Offsets.
  430. Return value:
  431. The number of potential callers detected and written into the
  432. `Callers' buffer.
  433. --*/
  434. {
  435. ULONG_PTR Current;
  436. ULONG_PTR Value;
  437. ULONG Index;
  438. ULONG_PTR Offset;
  439. ULONG_PTR StackStart;
  440. ULONG_PTR StackEnd;
  441. ULONG_PTR Hint;
  442. ULONG_PTR Caller;
  443. ULONG_PTR ContextSize;
  444. #ifdef NTOS_KERNEL_RUNTIME
  445. //
  446. // Avoid weird conditions. Doing this in an ISR is never a good idea.
  447. //
  448. if (KeGetCurrentIrql() > DISPATCH_LEVEL) {
  449. return 0;
  450. }
  451. #endif
  452. if (Limit == 0) {
  453. return 0;
  454. }
  455. Caller = (ULONG_PTR)_ReturnAddress();
  456. if (Context) {
  457. Context->Entry[0].Data = Caller;
  458. ContextSize = sizeof(RTL_STACK_CONTEXT) + (Limit - 1) * sizeof (RTL_STACK_CONTEXT_ENTRY);
  459. }
  460. else {
  461. Callers[0] = Caller;
  462. }
  463. //
  464. // Get stack limits
  465. //
  466. _asm mov Hint, EBP;
  467. if (! RtlpCaptureStackLimits (Hint, &StackStart, &StackEnd)) {
  468. return 0;
  469. }
  470. //
  471. // Synchronize stack traverse pointer to the next word after the first
  472. // return address.
  473. //
  474. for (Current = StackStart; Current < StackEnd; Current += sizeof(ULONG_PTR)) {
  475. if (*((PULONG_PTR)Current) == Caller) {
  476. break;
  477. }
  478. }
  479. if (Context) {
  480. Context->Entry[0].Address = Current;
  481. }
  482. //
  483. // Iterate the stack and pickup potential callers on the way.
  484. //
  485. Current += sizeof(ULONG_PTR);
  486. Index = 1;
  487. for ( ; Current < StackEnd; Current += sizeof(ULONG_PTR)) {
  488. //
  489. // If potential callers buffer is full then wrap this up.
  490. //
  491. if (Index == Limit) {
  492. break;
  493. }
  494. //
  495. // Skip `Callers' buffer because it will give false positives.
  496. // It is very likely for this to happen because most probably the buffer
  497. // is allocated somewhere upper in the call chain.
  498. //
  499. if (Context) {
  500. if (Current >= (ULONG_PTR)Context && Current < (ULONG_PTR)Context + ContextSize ) {
  501. continue;
  502. }
  503. }
  504. else {
  505. if ((PULONG_PTR)Current >= Callers && (PULONG_PTR)Current < Callers + Limit ) {
  506. continue;
  507. }
  508. }
  509. Value = *((PULONG_PTR)Current);
  510. //
  511. // Skip small numbers.
  512. //
  513. if (Value <= 0x10000) {
  514. continue;
  515. }
  516. //
  517. // Skip stack pointers.
  518. //
  519. if (Value >= StackStart && Value <= StackEnd) {
  520. continue;
  521. }
  522. //
  523. // Check if `Value' points inside one of the loaded modules.
  524. //
  525. if (RtlpStkIsPointerInDllRange (Value)) {
  526. if (Context) {
  527. Context->Entry[Index].Address = Current;
  528. Context->Entry[Index].Data = Value;
  529. }
  530. else {
  531. Callers[Index] = Value;
  532. }
  533. Index += 1;
  534. }
  535. }
  536. if (Context) {
  537. Context->NumberOfEntries = Index;
  538. }
  539. return Index;
  540. }
  541. /////////////////////////////////////////////////////////////////////
  542. /////////////////////////////////////////////////// Dll ranges bitmap
  543. /////////////////////////////////////////////////////////////////////
  544. //
  545. // DLL ranges bitmap
  546. //
  547. // This range scheme is needed in order to capture stack contexts on x86
  548. // machines fast. On IA64 there are totally different algorithms for getting
  549. // stack traces.
  550. //
  551. // Every bit represents 1Mb of virtual space. Since we use the code either
  552. // in user mode or kernel mode the first bit of a pointer is not interesting.
  553. // Therefore we have to represent 2Gb / 1Mb regions. This totals 256 bytes.
  554. //
  555. // The bits are set only in loader code paths when a DLL (or driver) gets loaded.
  556. // The writing is protected by the loader lock. The bits are read in stack
  557. // capturing function.The reading does not require lock protection.
  558. //
  559. UCHAR RtlpStkDllRanges [2048 / 8];
  560. #if !defined(NTOS_KERNEL_RUNTIME)
  561. ULONG_PTR RtlpStkNtdllStart;
  562. ULONG_PTR RtlpStkNtdllEnd;
  563. BOOLEAN
  564. RtlpStkIsPointerInNtdllRange (
  565. ULONG_PTR Value
  566. )
  567. {
  568. if (RtlpStkNtdllStart == 0) {
  569. return FALSE;
  570. }
  571. if (RtlpStkNtdllStart <= Value && Value < RtlpStkNtdllEnd) {
  572. return TRUE;
  573. }
  574. else {
  575. return FALSE;
  576. }
  577. }
  578. #endif
  579. BOOLEAN
  580. RtlpStkIsPointerInDllRange (
  581. ULONG_PTR Value
  582. )
  583. {
  584. ULONG Index;
  585. Value &= ~0x80000000;
  586. Index = (ULONG)(Value >> 20);
  587. if (RtlpStkDllRanges[Index >> 3] & (UCHAR)(1 << (Index & 7))) {
  588. return TRUE;
  589. }
  590. else {
  591. return FALSE;
  592. }
  593. }
  594. VOID
  595. RtlpStkMarkDllRange (
  596. PLDR_DATA_TABLE_ENTRY DllEntry
  597. )
  598. /*++
  599. Routine description:
  600. This routine marks the corresponding bits for the loaded dll in the
  601. RtlpStkDllRanges variable. This global is used within RtlpDetectDllReferences
  602. to save a stack context.
  603. Arguments:
  604. Loader structure for a loaded dll.
  605. Return value:
  606. None.
  607. Environment:
  608. In user mode this function is called from loader code paths. The Peb->LoaderLock
  609. is always held while executing this function.
  610. --*/
  611. {
  612. PVOID Base;
  613. ULONG Size;
  614. PCHAR Current, Start;
  615. ULONG Index;
  616. ULONG_PTR Value;
  617. Base = DllEntry->DllBase;
  618. Size = DllEntry->SizeOfImage;
  619. //
  620. // Find out where is ntdll loaded if we do not know yet.
  621. //
  622. #if !defined(NTOS_KERNEL_RUNTIME)
  623. if (RtlpStkNtdllStart == 0) {
  624. UNICODE_STRING NtdllName;
  625. RtlInitUnicodeString (&NtdllName, L"ntdll.dll");
  626. if (RtlEqualUnicodeString (&(DllEntry->BaseDllName), &NtdllName, TRUE)) {
  627. RtlpStkNtdllStart = (ULONG_PTR)Base;
  628. RtlpStkNtdllEnd = (ULONG_PTR)Base + Size;
  629. }
  630. }
  631. #endif
  632. Start = (PCHAR)Base;
  633. for (Current = Start; Current < Start + Size; Current += 0x100000) {
  634. Value = (ULONG_PTR)Current & ~0x80000000;
  635. Index = (ULONG)(Value >> 20);
  636. RtlpStkDllRanges[Index >> 3] |= (UCHAR)(1 << (Index & 7));
  637. }
  638. }