From 1208a8e369e459ec42b94ec1760eb7c80839864a Mon Sep 17 00:00:00 2001 From: "ivan.penkov@gmail.com" Date: Tue, 12 Jun 2012 21:18:45 +0000 Subject: [PATCH] This is a fix for a stackwalker_x86 issue which has to do with FPO (frame-pointer-omission) optimized context frames where the context frame represents a Windows System call stub. git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@971 4c0a9323-5329-0410-9bdc-e9ce6186880e --- .../basic_source_line_resolver_unittest.cc | 4 + src/processor/fast_source_line_resolver.cc | 14 +- .../fast_source_line_resolver_unittest.cc | 3 + src/processor/module_comparer.cc | 1 + src/processor/simple_serializer-inl.h | 3 + src/processor/stackwalker_x86.cc | 22 +- src/processor/stackwalker_x86_unittest.cc | 778 +++++++++++------- src/processor/windows_frame_info.h | 16 +- 8 files changed, 547 insertions(+), 294 deletions(-) diff --git a/src/processor/basic_source_line_resolver_unittest.cc b/src/processor/basic_source_line_resolver_unittest.cc index c241ea0a..5fda6f5b 100644 --- a/src/processor/basic_source_line_resolver_unittest.cc +++ b/src/processor/basic_source_line_resolver_unittest.cc @@ -200,6 +200,7 @@ TEST_F(TestBasicSourceLineResolver, TestLoadAndResolve) ASSERT_EQ(frame.source_line_base, 0x1000); windows_frame_info.reset(resolver.FindWindowsFrameInfo(&frame)); ASSERT_TRUE(windows_frame_info.get()); + ASSERT_EQ(windows_frame_info->type_, WindowsFrameInfo::STACK_INFO_FRAME_DATA); ASSERT_FALSE(windows_frame_info->allocates_base_pointer); ASSERT_EQ(windows_frame_info->program_string, "$eip 4 + ^ = $esp $ebp 8 + = $ebp $ebp ^ ="); 
@@ -219,6 +220,7 @@ TEST_F(TestBasicSourceLineResolver, TestLoadAndResolve) ASSERT_EQ(frame.source_line, 0); windows_frame_info.reset(resolver.FindWindowsFrameInfo(&frame)); ASSERT_TRUE(windows_frame_info.get()); + ASSERT_EQ(windows_frame_info->type_, WindowsFrameInfo::STACK_INFO_UNKNOWN); ASSERT_FALSE(windows_frame_info->allocates_base_pointer); ASSERT_TRUE(windows_frame_info->program_string.empty()); @@ -228,6 +230,7 @@ TEST_F(TestBasicSourceLineResolver, TestLoadAndResolve) ASSERT_TRUE(frame.source_file_name.empty()); ASSERT_EQ(frame.source_line, 0); windows_frame_info.reset(resolver.FindWindowsFrameInfo(&frame)); + ASSERT_EQ(windows_frame_info->type_, WindowsFrameInfo::STACK_INFO_FRAME_DATA); ASSERT_TRUE(windows_frame_info.get()); ASSERT_FALSE(windows_frame_info->allocates_base_pointer); ASSERT_FALSE(windows_frame_info->program_string.empty()); @@ -351,6 +354,7 @@ TEST_F(TestBasicSourceLineResolver, TestLoadAndResolve) ASSERT_EQ(frame.source_line_base, 0x2180); windows_frame_info.reset(resolver.FindWindowsFrameInfo(&frame)); ASSERT_TRUE(windows_frame_info.get()); + ASSERT_EQ(windows_frame_info->type_, WindowsFrameInfo::STACK_INFO_FRAME_DATA); ASSERT_EQ(windows_frame_info->prolog_size, 1); frame.instruction = 0x216f; diff --git a/src/processor/fast_source_line_resolver.cc b/src/processor/fast_source_line_resolver.cc index 45c1f0f0..9224ffa2 100644 --- a/src/processor/fast_source_line_resolver.cc +++ b/src/processor/fast_source_line_resolver.cc 
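Review bot: In the `@@ -228,6 +230,7 @@` hunk the new `ASSERT_EQ(windows_frame_info->type_, WindowsFrameInfo::STACK_INFO_FRAME_DATA);` dereferences the pointer on the line before `ASSERT_TRUE(windows_frame_info.get());`, so a null result from `FindWindowsFrameInfo` would crash the test binary instead of producing a failed assertion. The other three hunks in this file place the type check after the null check; move this one down one line, after `ASSERT_TRUE(windows_frame_info.get());`, to match them. The test body continues outside the hunk.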
@@ -107,10 +107,15 @@ void FastSourceLineResolver::Module::LookupAddress(StackFrame *frame) const { // WFI: WindowsFrameInfo. // Returns a WFI object reading from a raw memory chunk of data WindowsFrameInfo FastSourceLineResolver::CopyWFI(const char *raw) { - // The first 4Bytes of int data are unused. - // They corresponds to "int valid;" data member of WFI. + const WindowsFrameInfo::StackInfoTypes type = + static_cast( + *reinterpret_cast(raw)); + + // The first 8 bytes of int data are unused. + // They correspond to "StackInfoTypes type_;" and "int valid;" + // data member of WFI. const u_int32_t *para_uint32 = reinterpret_cast( - raw + sizeof(int32_t)); + raw + 2 * sizeof(int32_t)); u_int32_t prolog_size = para_uint32[0];; u_int32_t epilog_size = para_uint32[1]; @@ -122,7 +127,8 @@ WindowsFrameInfo FastSourceLineResolver::CopyWFI(const char *raw) { bool allocates_base_pointer = (*boolean != 0); std::string program_string = boolean + 1; - return WindowsFrameInfo(prolog_size, + return WindowsFrameInfo(type, + prolog_size, epilog_size, parameter_size, saved_register_size, diff --git a/src/processor/fast_source_line_resolver_unittest.cc b/src/processor/fast_source_line_resolver_unittest.cc index a4a92097..d36d4ba6 100644 --- a/src/processor/fast_source_line_resolver_unittest.cc +++ b/src/processor/fast_source_line_resolver_unittest.cc @@ -248,6 +248,7 @@ TEST_F(TestFastSourceLineResolver, TestLoadAndResolve) { ASSERT_EQ(frame.source_line, 0); windows_frame_info.reset(fast_resolver.FindWindowsFrameInfo(&frame)); ASSERT_TRUE(windows_frame_info.get()); + ASSERT_EQ(windows_frame_info->type_, WindowsFrameInfo::STACK_INFO_UNKNOWN); ASSERT_FALSE(windows_frame_info->allocates_base_pointer); ASSERT_TRUE(windows_frame_info->program_string.empty()); 
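Review bot: `CopyWFI` turns the first 32-bit word of `raw` into a `StackInfoTypes` with a bare `static_cast` and no range check; `raw` is a serialized memory chunk (per the comment above the function), so a stale or corrupted symbol blob yields an enum value none of the consumers handle, and for an enum without a fixed underlying type a value outside its range is not guaranteed to be well-defined. Read it as an integer first, `const int32_t raw_type = *reinterpret_cast<const int32_t *>(raw);`, and map anything that is not one of the enumerators declared in windows_frame_info.h to `STACK_INFO_UNKNOWN` before the cast (that header is not in view, so the exact bounds are yours to fill in). The `2 * sizeof(int32_t)` offset matches the `sizeof(int32_t)` that `SimpleSerializer::SizeOf` and `Write` add for `type_`, so the layout itself is consistent. The function body continues into the second hunk and past it.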
@@ -258,6 +259,7 @@ TEST_F(TestFastSourceLineResolver, TestLoadAndResolve) { ASSERT_EQ(frame.source_line, 0); windows_frame_info.reset(fast_resolver.FindWindowsFrameInfo(&frame)); ASSERT_TRUE(windows_frame_info.get()); + ASSERT_EQ(windows_frame_info->type_, WindowsFrameInfo::STACK_INFO_FRAME_DATA); ASSERT_FALSE(windows_frame_info->allocates_base_pointer); ASSERT_FALSE(windows_frame_info->program_string.empty()); @@ -380,6 +382,7 @@ TEST_F(TestFastSourceLineResolver, TestLoadAndResolve) { ASSERT_EQ(frame.source_line_base, 0x2180); windows_frame_info.reset(fast_resolver.FindWindowsFrameInfo(&frame)); ASSERT_TRUE(windows_frame_info.get()); + ASSERT_EQ(windows_frame_info->type_, WindowsFrameInfo::STACK_INFO_FRAME_DATA); ASSERT_EQ(windows_frame_info->prolog_size, 1); frame.instruction = 0x216f; diff --git a/src/processor/module_comparer.cc b/src/processor/module_comparer.cc index 837d854b..09b85e03 100644 --- a/src/processor/module_comparer.cc +++ b/src/processor/module_comparer.cc @@ -240,6 +240,7 @@ bool ModuleComparer::ComparePubSymbol(const BasicPubSymbol* basic_ps, bool ModuleComparer::CompareWFI(const WindowsFrameInfo& wfi1, const WindowsFrameInfo& wfi2) const { + ASSERT_TRUE(wfi1.type_ == wfi2.type_); ASSERT_TRUE(wfi1.valid == wfi2.valid); ASSERT_TRUE(wfi1.prolog_size == wfi2.prolog_size); ASSERT_TRUE(wfi1.epilog_size == wfi2.epilog_size); diff --git a/src/processor/simple_serializer-inl.h b/src/processor/simple_serializer-inl.h index a6f54961..1faf5ef5 100644 --- a/src/processor/simple_serializer-inl.h +++ b/src/processor/simple_serializer-inl.h @@ -132,6 +132,7 @@ class SimpleSerializer { public: static size_t SizeOf(const WindowsFrameInfo &wfi) { unsigned int size = 0; + size += sizeof(int32_t); // wfi.type_ size += SimpleSerializer::SizeOf(wfi.valid); size += SimpleSerializer::SizeOf(wfi.prolog_size); size += SimpleSerializer::SizeOf(wfi.epilog_size); 
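Review bot: `type_` is the only `WindowsFrameInfo` field compared in `CompareWFI` and sized in `SizeOf` with a trailing underscore; its siblings `valid`, `prolog_size` and `epilog_size` have none, and the trailing underscore is the convention for private members, which this one is not (the resolver and the walker read it directly). Presumably it is declared that way in windows_frame_info.h, which is not in view; renaming it to `type` before the unittests spread the accessor further would keep the struct's naming consistent. Both functions continue outside their hunks.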
@@ -144,6 +145,8 @@ class SimpleSerializer { return size; } static char *Write(const WindowsFrameInfo &wfi, char *dest) { + dest = SimpleSerializer::Write( + static_cast(wfi.type_), dest); dest = SimpleSerializer::Write(wfi.valid, dest); dest = SimpleSerializer::Write(wfi.prolog_size, dest); dest = SimpleSerializer::Write(wfi.epilog_size, dest); diff --git a/src/processor/stackwalker_x86.cc b/src/processor/stackwalker_x86.cc index 3c35b082..ba3b8396 100644 --- a/src/processor/stackwalker_x86.cc +++ b/src/processor/stackwalker_x86.cc @@ -208,11 +208,27 @@ StackFrameX86 *StackwalkerX86::GetCallerByWindowsFrameInfo( last_frame_callee_parameter_size + last_frame_info->local_size + last_frame_info->saved_register_size; - u_int32_t found; // dummy value + + u_int32_t raSearchStartOld = raSearchStart; + u_int32_t found = 0; // dummy value // Scan up to three words above the calculated search value, in case // the stack was aligned to a quadword boundary. - ScanForReturnAddress(raSearchStart, &raSearchStart, &found, 3); - + if (ScanForReturnAddress(raSearchStart, &raSearchStart, &found, 3) && + last_frame->trust == StackFrame::FRAME_TRUST_CONTEXT && + last_frame->windows_frame_info != NULL && + last_frame_info->type_ == WindowsFrameInfo::STACK_INFO_FPO && + raSearchStartOld == raSearchStart && + found == last_frame->context.eip) { + // The context frame represents an FPO-optimized Windows system call. + // On the top of the stack we have a pointer to the current instruction. + // This means that the callee has returned but the return address is still + // on the top of the stack which is very atypical situaltion. + // Skip one slot from the stack and do another scan in order to get the + // actual return address. + raSearchStart += 4; + ScanForReturnAddress(raSearchStart, &raSearchStart, &found, 3); + } + // The difference between raSearch and raSearchStart is unknown, // but making them the same seems to work well in practice. dictionary[".raSearchStart"] = raSearchStart; 
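Review bot: The second `ScanForReturnAddress(raSearchStart, &raSearchStart, &found, 3);` discards its result, so when the re-scan finds nothing the code falls through to `dictionary[".raSearchStart"] = raSearchStart;` with a start already bumped past the slot holding `eip` and whatever the helper leaves in `raSearchStart` on failure; if it does not touch its out-parameters on failure (not visible here), `if (!ScanForReturnAddress(raSearchStart, &raSearchStart, &found, 3)) raSearchStart = raSearchStartOld;` at least returns to the state the first scan established. The `last_frame->windows_frame_info != NULL` term in the condition looks redundant, since `last_frame_info->local_size` is dereferenced unconditionally a few lines above — assuming the two names alias the same pointer. The one-word skip is written as the literal `4`; `sizeof(u_int32_t)` would say why. The comment also has a typo, `situaltion` for `situation`. `GetCallerByWindowsFrameInfo` starts and ends outside the hunk.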
diff --git a/src/processor/stackwalker_x86_unittest.cc b/src/processor/stackwalker_x86_unittest.cc index 04d264bd..e57311e8 100644 --- a/src/processor/stackwalker_x86_unittest.cc +++ b/src/processor/stackwalker_x86_unittest.cc @@ -69,7 +69,11 @@ class StackwalkerX86Fixture { // Give the two modules reasonable standard locations and names // for tests to play with. module1(0x40000000, 0x10000, "module1", "version1"), - module2(0x50000000, 0x10000, "module2", "version2") { + module2(0x50000000, 0x10000, "module2", "version2"), + module3(0x771d0000, 0x180000, "module3", "version3"), + module4(0x75f90000, 0x46000, "module4", "version4"), + module5(0x75730000, 0x110000, "module5", "version5"), + module6(0x647f0000, 0x1ba8000, "module6", "version6") { // Identify the system as a Linux system. system_info.os = "Linux"; system_info.os_short = "linux"; @@ -83,6 +87,10 @@ class StackwalkerX86Fixture { // Create some modules with some stock debugging information. modules.Add(&module1); modules.Add(&module2); + modules.Add(&module3); + modules.Add(&module4); + modules.Add(&module5); + modules.Add(&module6); // By default, none of the modules have symbol info; call // SetModuleSymbols to override this. @@ -122,6 +130,10 @@ class StackwalkerX86Fixture { MockMemoryRegion stack_region; MockCodeModule module1; MockCodeModule module2; + MockCodeModule module3; + MockCodeModule module4; + MockCodeModule module5; + MockCodeModule module6; MockCodeModules modules; MockSymbolSupplier supplier; BasicSourceLineResolver resolver; 
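Review bot: The four fixture modules added in the `@@ -69,7 +69,11 @@` hunk carry bare base addresses and sizes (`0x771d0000, 0x180000` and so on) with no comment on what they model; the commit message says the fix targets Windows system-call stubs, so presumably they stand in for system DLLs in a new test, but nothing in the fixture says so. A one-line comment above `module3(...)` naming the test that depends on these constants would let the next reader know why they exist and what breaks if they change. The fixture constructor and class continue outside the hunks.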
@@ -196,24 +208,28 @@ TEST_F(GetCallerFrame, Traditional) { frames = call_stack.frames(); ASSERT_EQ(2U, frames->size()); - StackFrameX86 *frame0 = static_cast(frames->at(0)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); - EXPECT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); - EXPECT_EQ(0x4000c7a5U, frame0->instruction); - EXPECT_EQ(0x4000c7a5U, frame0->context.eip); - EXPECT_EQ(frame0_ebp.Value(), frame0->context.ebp); - EXPECT_EQ(NULL, frame0->windows_frame_info); + { // To avoid reusing locals by mistake + StackFrameX86 *frame0 = static_cast(frames->at(0)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); + EXPECT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); + EXPECT_EQ(0x4000c7a5U, frame0->instruction); + EXPECT_EQ(0x4000c7a5U, frame0->context.eip); + EXPECT_EQ(frame0_ebp.Value(), frame0->context.ebp); + EXPECT_EQ(NULL, frame0->windows_frame_info); + } - StackFrameX86 *frame1 = static_cast(frames->at(1)); - EXPECT_EQ(StackFrame::FRAME_TRUST_FP, frame1->trust); - ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP - | StackFrameX86::CONTEXT_VALID_ESP - | StackFrameX86::CONTEXT_VALID_EBP), - frame1->context_validity); - EXPECT_EQ(0x40008679U, frame1->instruction + 1); - EXPECT_EQ(0x40008679U, frame1->context.eip); - EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp); - EXPECT_EQ(NULL, frame1->windows_frame_info); + { // To avoid reusing locals by mistake + StackFrameX86 *frame1 = static_cast(frames->at(1)); + EXPECT_EQ(StackFrame::FRAME_TRUST_FP, frame1->trust); + ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP + | StackFrameX86::CONTEXT_VALID_ESP + | StackFrameX86::CONTEXT_VALID_EBP), + frame1->context_validity); + EXPECT_EQ(0x40008679U, frame1->instruction + 1); + EXPECT_EQ(0x40008679U, frame1->context.eip); + EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp); + EXPECT_EQ(NULL, frame1->windows_frame_info); + } } // Walk a traditional frame, but use a bogus %ebp value, forcing a scan 
@@ -247,30 +263,34 @@ TEST_F(GetCallerFrame, TraditionalScan) { frames = call_stack.frames(); ASSERT_EQ(2U, frames->size()); - StackFrameX86 *frame0 = static_cast(frames->at(0)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); - ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); - EXPECT_EQ(0x4000f49dU, frame0->instruction); - EXPECT_EQ(0x4000f49dU, frame0->context.eip); - EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); - EXPECT_EQ(0xd43eed6eU, frame0->context.ebp); - EXPECT_EQ(NULL, frame0->windows_frame_info); + { // To avoid reusing locals by mistake + StackFrameX86 *frame0 = static_cast(frames->at(0)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); + ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); + EXPECT_EQ(0x4000f49dU, frame0->instruction); + EXPECT_EQ(0x4000f49dU, frame0->context.eip); + EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); + EXPECT_EQ(0xd43eed6eU, frame0->context.ebp); + EXPECT_EQ(NULL, frame0->windows_frame_info); + } - StackFrameX86 *frame1 = static_cast(frames->at(1)); - EXPECT_EQ(StackFrame::FRAME_TRUST_SCAN, frame1->trust); - // I'd argue that CONTEXT_VALID_EBP shouldn't be here, since the - // walker does not actually fetch the EBP after a scan (forcing the - // next frame to be scanned as well). But let's grandfather the existing - // behavior in for now. 
- ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP - | StackFrameX86::CONTEXT_VALID_ESP - | StackFrameX86::CONTEXT_VALID_EBP), - frame1->context_validity); - EXPECT_EQ(0x4000129dU, frame1->instruction + 1); - EXPECT_EQ(0x4000129dU, frame1->context.eip); - EXPECT_EQ(0x80000014U, frame1->context.esp); - EXPECT_EQ(0xd43eed6eU, frame1->context.ebp); - EXPECT_EQ(NULL, frame1->windows_frame_info); + { // To avoid reusing locals by mistake + StackFrameX86 *frame1 = static_cast(frames->at(1)); + EXPECT_EQ(StackFrame::FRAME_TRUST_SCAN, frame1->trust); + // I'd argue that CONTEXT_VALID_EBP shouldn't be here, since the + // walker does not actually fetch the EBP after a scan (forcing the + // next frame to be scanned as well). But let's grandfather the existing + // behavior in for now. + ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP + | StackFrameX86::CONTEXT_VALID_ESP + | StackFrameX86::CONTEXT_VALID_EBP), + frame1->context_validity); + EXPECT_EQ(0x4000129dU, frame1->instruction + 1); + EXPECT_EQ(0x4000129dU, frame1->context.eip); + EXPECT_EQ(0x80000014U, frame1->context.esp); + EXPECT_EQ(0xd43eed6eU, frame1->context.ebp); + EXPECT_EQ(NULL, frame1->windows_frame_info); + } } // Force scanning for a return address a long way down the stack 
@@ -304,30 +324,34 @@ TEST_F(GetCallerFrame, TraditionalScanLongWay) { frames = call_stack.frames(); ASSERT_EQ(2U, frames->size()); - StackFrameX86 *frame0 = static_cast(frames->at(0)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); - ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); - EXPECT_EQ(0x4000f49dU, frame0->instruction); - EXPECT_EQ(0x4000f49dU, frame0->context.eip); - EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); - EXPECT_EQ(0xd43eed6eU, frame0->context.ebp); - EXPECT_EQ(NULL, frame0->windows_frame_info); + { // To avoid reusing locals by mistake + StackFrameX86 *frame0 = static_cast(frames->at(0)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); + ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); + EXPECT_EQ(0x4000f49dU, frame0->instruction); + EXPECT_EQ(0x4000f49dU, frame0->context.eip); + EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); + EXPECT_EQ(0xd43eed6eU, frame0->context.ebp); + EXPECT_EQ(NULL, frame0->windows_frame_info); + } - StackFrameX86 *frame1 = static_cast(frames->at(1)); - EXPECT_EQ(StackFrame::FRAME_TRUST_SCAN, frame1->trust); - // I'd argue that CONTEXT_VALID_EBP shouldn't be here, since the - // walker does not actually fetch the EBP after a scan (forcing the - // next frame to be scanned as well). But let's grandfather the existing - // behavior in for now. 
- ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP - | StackFrameX86::CONTEXT_VALID_ESP - | StackFrameX86::CONTEXT_VALID_EBP), - frame1->context_validity); - EXPECT_EQ(0x4000129dU, frame1->instruction + 1); - EXPECT_EQ(0x4000129dU, frame1->context.eip); - EXPECT_EQ(0x80000064U, frame1->context.esp); - EXPECT_EQ(0xd43eed6eU, frame1->context.ebp); - EXPECT_EQ(NULL, frame1->windows_frame_info); + { // To avoid reusing locals by mistake + StackFrameX86 *frame1 = static_cast(frames->at(1)); + EXPECT_EQ(StackFrame::FRAME_TRUST_SCAN, frame1->trust); + // I'd argue that CONTEXT_VALID_EBP shouldn't be here, since the + // walker does not actually fetch the EBP after a scan (forcing the + // next frame to be scanned as well). But let's grandfather the existing + // behavior in for now. + ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP + | StackFrameX86::CONTEXT_VALID_ESP + | StackFrameX86::CONTEXT_VALID_EBP), + frame1->context_validity); + EXPECT_EQ(0x4000129dU, frame1->instruction + 1); + EXPECT_EQ(0x4000129dU, frame1->context.eip); + EXPECT_EQ(0x80000064U, frame1->context.esp); + EXPECT_EQ(0xd43eed6eU, frame1->context.ebp); + EXPECT_EQ(NULL, frame1->windows_frame_info); + } } // Use Windows frame data (a "STACK WIN 4" record, from a 
@@ -371,32 +395,36 @@ TEST_F(GetCallerFrame, WindowsFrameData) { frames = call_stack.frames(); ASSERT_EQ(2U, frames->size()); - StackFrameX86 *frame0 = static_cast(frames->at(0)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); - ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); - EXPECT_EQ(0x4000aa85U, frame0->instruction); - EXPECT_EQ(0x4000aa85U, frame0->context.eip); - EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); - EXPECT_EQ(0xf052c1deU, frame0->context.ebp); - EXPECT_TRUE(frame0->windows_frame_info != NULL); + { // To avoid reusing locals by mistake + StackFrameX86 *frame0 = static_cast(frames->at(0)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); + ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); + EXPECT_EQ(0x4000aa85U, frame0->instruction); + EXPECT_EQ(0x4000aa85U, frame0->context.eip); + EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); + EXPECT_EQ(0xf052c1deU, frame0->context.ebp); + EXPECT_TRUE(frame0->windows_frame_info != NULL); + } - StackFrameX86 *frame1 = static_cast(frames->at(1)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust); - ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP - | StackFrameX86::CONTEXT_VALID_ESP - | StackFrameX86::CONTEXT_VALID_EBP - | StackFrameX86::CONTEXT_VALID_EBX - | StackFrameX86::CONTEXT_VALID_ESI - | StackFrameX86::CONTEXT_VALID_EDI), - frame1->context_validity); - EXPECT_EQ(0x40001350U, frame1->instruction + 1); - EXPECT_EQ(0x40001350U, frame1->context.eip); - EXPECT_EQ(frame1_esp.Value(), frame1->context.esp); - EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp); - EXPECT_EQ(0x9068a878U, frame1->context.ebx); - EXPECT_EQ(0xa7120d1aU, frame1->context.esi); - EXPECT_EQ(0x630891beU, frame1->context.edi); - EXPECT_EQ(NULL, frame1->windows_frame_info); + { // To avoid reusing locals by mistake + StackFrameX86 *frame1 = static_cast(frames->at(1)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust); + 
ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP + | StackFrameX86::CONTEXT_VALID_ESP + | StackFrameX86::CONTEXT_VALID_EBP + | StackFrameX86::CONTEXT_VALID_EBX + | StackFrameX86::CONTEXT_VALID_ESI + | StackFrameX86::CONTEXT_VALID_EDI), + frame1->context_validity); + EXPECT_EQ(0x40001350U, frame1->instruction + 1); + EXPECT_EQ(0x40001350U, frame1->context.eip); + EXPECT_EQ(frame1_esp.Value(), frame1->context.esp); + EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp); + EXPECT_EQ(0x9068a878U, frame1->context.ebx); + EXPECT_EQ(0xa7120d1aU, frame1->context.esi); + EXPECT_EQ(0x630891beU, frame1->context.edi); + EXPECT_EQ(NULL, frame1->windows_frame_info); + } } // Use Windows frame data (a "STACK WIN 4" record, from a 
@@ -438,26 +466,30 @@ TEST_F(GetCallerFrame, WindowsFrameDataAligned) { frames = call_stack.frames(); ASSERT_EQ(2U, frames->size()); - StackFrameX86 *frame0 = static_cast(frames->at(0)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); - ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); - EXPECT_EQ(0x4000aa85U, frame0->instruction); - EXPECT_EQ(0x4000aa85U, frame0->context.eip); - EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); - EXPECT_EQ(0xf052c1deU, frame0->context.ebp); - EXPECT_TRUE(frame0->windows_frame_info != NULL); + { // To avoid reusing locals by mistake + StackFrameX86 *frame0 = static_cast(frames->at(0)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); + ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); + EXPECT_EQ(0x4000aa85U, frame0->instruction); + EXPECT_EQ(0x4000aa85U, frame0->context.eip); + EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); + EXPECT_EQ(0xf052c1deU, frame0->context.ebp); + EXPECT_TRUE(frame0->windows_frame_info != NULL); + } - StackFrameX86 *frame1 = static_cast(frames->at(1)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust); - ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP - | StackFrameX86::CONTEXT_VALID_ESP - | StackFrameX86::CONTEXT_VALID_EBP), - frame1->context_validity); - EXPECT_EQ(0x5000129dU, frame1->instruction + 1); - EXPECT_EQ(0x5000129dU, frame1->context.eip); - EXPECT_EQ(frame1_esp.Value(), frame1->context.esp); - EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp); - EXPECT_EQ(NULL, frame1->windows_frame_info); + { // To avoid reusing locals by mistake + StackFrameX86 *frame1 = static_cast(frames->at(1)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust); + ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP + | StackFrameX86::CONTEXT_VALID_ESP + | StackFrameX86::CONTEXT_VALID_EBP), + frame1->context_validity); + EXPECT_EQ(0x5000129dU, frame1->instruction + 1); + EXPECT_EQ(0x5000129dU, frame1->context.eip); + 
EXPECT_EQ(frame1_esp.Value(), frame1->context.esp); + EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp); + EXPECT_EQ(NULL, frame1->windows_frame_info); + } } // Use Windows frame data (a "STACK WIN 4" record, from a 
@@ -516,56 +548,66 @@ TEST_F(GetCallerFrame, WindowsFrameDataParameterSize) { frames = call_stack.frames(); ASSERT_EQ(3U, frames->size()); - StackFrameX86 *frame0 = static_cast(frames->at(0)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); - ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); - EXPECT_EQ(0x40001004U, frame0->instruction); - EXPECT_EQ(0x40001004U, frame0->context.eip); - EXPECT_EQ(frame0_esp.Value(), frame0->context.esp); - EXPECT_EQ(frame0_ebp.Value(), frame0->context.ebp); - EXPECT_EQ(&module1, frame0->module); - EXPECT_EQ("module1::wheedle", frame0->function_name); - EXPECT_EQ(0x40001000U, frame0->function_base); - // The FUNC record for module1::wheedle should have produced a - // WindowsFrameInfo structure with only the parameter size valid. - ASSERT_TRUE(frame0->windows_frame_info != NULL); - EXPECT_EQ(WindowsFrameInfo::VALID_PARAMETER_SIZE, - frame0->windows_frame_info->valid); - EXPECT_EQ(12U, frame0->windows_frame_info->parameter_size); + { // To avoid reusing locals by mistake + StackFrameX86 *frame0 = static_cast(frames->at(0)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); + ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); + EXPECT_EQ(0x40001004U, frame0->instruction); + EXPECT_EQ(0x40001004U, frame0->context.eip); + EXPECT_EQ(frame0_esp.Value(), frame0->context.esp); + EXPECT_EQ(frame0_ebp.Value(), frame0->context.ebp); + EXPECT_EQ(&module1, frame0->module); + EXPECT_EQ("module1::wheedle", frame0->function_name); + EXPECT_EQ(0x40001000U, frame0->function_base); + // The FUNC record for module1::wheedle should have produced a + // WindowsFrameInfo structure with only the parameter size valid. 
+ ASSERT_TRUE(frame0->windows_frame_info != NULL); + EXPECT_EQ(WindowsFrameInfo::VALID_PARAMETER_SIZE, + frame0->windows_frame_info->valid); + EXPECT_EQ(WindowsFrameInfo::STACK_INFO_UNKNOWN, + frame0->windows_frame_info->type_); + EXPECT_EQ(12U, frame0->windows_frame_info->parameter_size); + } - StackFrameX86 *frame1 = static_cast(frames->at(1)); - EXPECT_EQ(StackFrame::FRAME_TRUST_FP, frame1->trust); - ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP - | StackFrameX86::CONTEXT_VALID_ESP - | StackFrameX86::CONTEXT_VALID_EBP), - frame1->context_validity); - EXPECT_EQ(0x5000aa95U, frame1->instruction + 1); - EXPECT_EQ(0x5000aa95U, frame1->context.eip); - EXPECT_EQ(frame1_esp.Value(), frame1->context.esp); - EXPECT_EQ(0x6fa902e0U, frame1->context.ebp); - EXPECT_EQ(&module2, frame1->module); - EXPECT_EQ("module2::whine", frame1->function_name); - EXPECT_EQ(0x5000aa85U, frame1->function_base); - ASSERT_TRUE(frame1->windows_frame_info != NULL); - EXPECT_EQ(WindowsFrameInfo::VALID_ALL, frame1->windows_frame_info->valid); - // This should not see the 0xbeef parameter size from the FUNC - // record, but should instead see the STACK WIN record. 
- EXPECT_EQ(4U, frame1->windows_frame_info->parameter_size); + { // To avoid reusing locals by mistake + StackFrameX86 *frame1 = static_cast(frames->at(1)); + EXPECT_EQ(StackFrame::FRAME_TRUST_FP, frame1->trust); + ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP + | StackFrameX86::CONTEXT_VALID_ESP + | StackFrameX86::CONTEXT_VALID_EBP), + frame1->context_validity); + EXPECT_EQ(0x5000aa95U, frame1->instruction + 1); + EXPECT_EQ(0x5000aa95U, frame1->context.eip); + EXPECT_EQ(frame1_esp.Value(), frame1->context.esp); + EXPECT_EQ(0x6fa902e0U, frame1->context.ebp); + EXPECT_EQ(&module2, frame1->module); + EXPECT_EQ("module2::whine", frame1->function_name); + EXPECT_EQ(0x5000aa85U, frame1->function_base); + ASSERT_TRUE(frame1->windows_frame_info != NULL); + EXPECT_EQ(WindowsFrameInfo::VALID_ALL, frame1->windows_frame_info->valid); + EXPECT_EQ(WindowsFrameInfo::STACK_INFO_FRAME_DATA, + frame1->windows_frame_info->type_); + // This should not see the 0xbeef parameter size from the FUNC + // record, but should instead see the STACK WIN record. 
+ EXPECT_EQ(4U, frame1->windows_frame_info->parameter_size); + } - StackFrameX86 *frame2 = static_cast(frames->at(2)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame2->trust); - ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP - | StackFrameX86::CONTEXT_VALID_ESP - | StackFrameX86::CONTEXT_VALID_EBP - | StackFrameX86::CONTEXT_VALID_EBX), - frame2->context_validity); - EXPECT_EQ(0x2a179e38U, frame2->instruction + 1); - EXPECT_EQ(0x2a179e38U, frame2->context.eip); - EXPECT_EQ(frame2_esp.Value(), frame2->context.esp); - EXPECT_EQ(frame2_ebp.Value(), frame2->context.ebp); - EXPECT_EQ(0x2558c7f3U, frame2->context.ebx); - EXPECT_EQ(NULL, frame2->module); - EXPECT_EQ(NULL, frame2->windows_frame_info); + { // To avoid reusing locals by mistake + StackFrameX86 *frame2 = static_cast(frames->at(2)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame2->trust); + ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP + | StackFrameX86::CONTEXT_VALID_ESP + | StackFrameX86::CONTEXT_VALID_EBP + | StackFrameX86::CONTEXT_VALID_EBX), + frame2->context_validity); + EXPECT_EQ(0x2a179e38U, frame2->instruction + 1); + EXPECT_EQ(0x2a179e38U, frame2->context.eip); + EXPECT_EQ(frame2_esp.Value(), frame2->context.esp); + EXPECT_EQ(frame2_ebp.Value(), frame2->context.ebp); + EXPECT_EQ(0x2558c7f3U, frame2->context.ebx); + EXPECT_EQ(NULL, frame2->module); + EXPECT_EQ(NULL, frame2->windows_frame_info); + } } // Use Windows frame data (a "STACK WIN 4" record, from a 
@@ -600,29 +642,33 @@ TEST_F(GetCallerFrame, WindowsFrameDataScan) { frames = call_stack.frames(); ASSERT_EQ(2U, frames->size()); - StackFrameX86 *frame0 = static_cast(frames->at(0)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); - ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); - EXPECT_EQ(0x40000c9cU, frame0->instruction); - EXPECT_EQ(0x40000c9cU, frame0->context.eip); - EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); - EXPECT_EQ(0x2ae314cdU, frame0->context.ebp); - EXPECT_TRUE(frame0->windows_frame_info != NULL); + { // To avoid reusing locals by mistake + StackFrameX86 *frame0 = static_cast(frames->at(0)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); + ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); + EXPECT_EQ(0x40000c9cU, frame0->instruction); + EXPECT_EQ(0x40000c9cU, frame0->context.eip); + EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); + EXPECT_EQ(0x2ae314cdU, frame0->context.ebp); + EXPECT_TRUE(frame0->windows_frame_info != NULL); + } - StackFrameX86 *frame1 = static_cast(frames->at(1)); - EXPECT_EQ(StackFrame::FRAME_TRUST_SCAN, frame1->trust); - // I'd argue that CONTEXT_VALID_EBP shouldn't be here, since the walker - // does not actually fetch the EBP after a scan (forcing the next frame - // to be scanned as well). But let's grandfather the existing behavior in - // for now. 
- ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP - | StackFrameX86::CONTEXT_VALID_ESP - | StackFrameX86::CONTEXT_VALID_EBP), - frame1->context_validity); - EXPECT_EQ(0x50007ce9U, frame1->instruction + 1); - EXPECT_EQ(0x50007ce9U, frame1->context.eip); - EXPECT_EQ(frame1_esp.Value(), frame1->context.esp); - EXPECT_TRUE(frame1->windows_frame_info != NULL); + { // To avoid reusing locals by mistake + StackFrameX86 *frame1 = static_cast(frames->at(1)); + EXPECT_EQ(StackFrame::FRAME_TRUST_SCAN, frame1->trust); + // I'd argue that CONTEXT_VALID_EBP shouldn't be here, since the walker + // does not actually fetch the EBP after a scan (forcing the next frame + // to be scanned as well). But let's grandfather the existing behavior in + // for now. + ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP + | StackFrameX86::CONTEXT_VALID_ESP + | StackFrameX86::CONTEXT_VALID_EBP), + frame1->context_validity); + EXPECT_EQ(0x50007ce9U, frame1->instruction + 1); + EXPECT_EQ(0x50007ce9U, frame1->context.eip); + EXPECT_EQ(frame1_esp.Value(), frame1->context.esp); + EXPECT_TRUE(frame1->windows_frame_info != NULL); + } } // Use Windows frame data (a "STACK WIN 4" record, from a 
@@ -679,30 +725,34 @@ TEST_F(GetCallerFrame, WindowsFrameDataBadEIPScan) { frames = call_stack.frames(); ASSERT_EQ(2U, frames->size()); - StackFrameX86 *frame0 = static_cast(frames->at(0)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); - ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); - EXPECT_EQ(0x40000700U, frame0->instruction); - EXPECT_EQ(0x40000700U, frame0->context.eip); - EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); - EXPECT_EQ(frame0_ebp.Value(), frame0->context.ebp); - EXPECT_TRUE(frame0->windows_frame_info != NULL); + { // To avoid reusing locals by mistake + StackFrameX86 *frame0 = static_cast(frames->at(0)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust); + ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity); + EXPECT_EQ(0x40000700U, frame0->instruction); + EXPECT_EQ(0x40000700U, frame0->context.eip); + EXPECT_EQ(stack_section.start().Value(), frame0->context.esp); + EXPECT_EQ(frame0_ebp.Value(), frame0->context.ebp); + EXPECT_TRUE(frame0->windows_frame_info != NULL); + } - StackFrameX86 *frame1 = static_cast(frames->at(1)); - EXPECT_EQ(StackFrame::FRAME_TRUST_CFI_SCAN, frame1->trust); - // I'd argue that CONTEXT_VALID_EBP shouldn't be here, since the - // walker does not actually fetch the EBP after a scan (forcing the - // next frame to be scanned as well). But let's grandfather the existing - // behavior in for now. 
- ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP - | StackFrameX86::CONTEXT_VALID_ESP - | StackFrameX86::CONTEXT_VALID_EBP), - frame1->context_validity); - EXPECT_EQ(0x5000d000U, frame1->instruction + 1); - EXPECT_EQ(0x5000d000U, frame1->context.eip); - EXPECT_EQ(frame1_esp.Value(), frame1->context.esp); - EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp); - EXPECT_TRUE(frame1->windows_frame_info != NULL); + { // To avoid reusing locals by mistake + StackFrameX86 *frame1 = static_cast(frames->at(1)); + EXPECT_EQ(StackFrame::FRAME_TRUST_CFI_SCAN, frame1->trust); + // I'd argue that CONTEXT_VALID_EBP shouldn't be here, since the + // walker does not actually fetch the EBP after a scan (forcing the + // next frame to be scanned as well). But let's grandfather the existing + // behavior in for now. + ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP + | StackFrameX86::CONTEXT_VALID_ESP + | StackFrameX86::CONTEXT_VALID_EBP), + frame1->context_validity); + EXPECT_EQ(0x5000d000U, frame1->instruction + 1); + EXPECT_EQ(0x5000d000U, frame1->context.eip); + EXPECT_EQ(frame1_esp.Value(), frame1->context.esp); + EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp); + EXPECT_TRUE(frame1->windows_frame_info != NULL); + } } // Use Windows FrameTypeFPO data to walk a stack frame for a function that 
@@ -742,35 +792,41 @@ TEST_F(GetCallerFrame, WindowsFPOUnchangedEBP) {
 frames = call_stack.frames();
 ASSERT_EQ(2U, frames->size());
- StackFrameX86 *frame0 = static_cast(frames->at(0));
- EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust);
- ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity);
- EXPECT_EQ(0x4000e8b8U, frame0->instruction);
- EXPECT_EQ(0x4000e8b8U, frame0->context.eip);
- EXPECT_EQ(frame0_esp.Value(), frame0->context.esp);
- EXPECT_EQ(frame1_ebp.Value(), frame0->context.ebp); // unchanged from caller
- EXPECT_EQ(&module1, frame0->module);
- EXPECT_EQ("module1::discombobulated", frame0->function_name);
- EXPECT_EQ(0x4000e8a8U, frame0->function_base);
- // The STACK WIN record for module1::discombobulated should have
- // produced a fully populated WindowsFrameInfo structure.
- ASSERT_TRUE(frame0->windows_frame_info != NULL);
- EXPECT_EQ(WindowsFrameInfo::VALID_ALL, frame0->windows_frame_info->valid);
- EXPECT_EQ(0x10U, frame0->windows_frame_info->local_size);
+ { // To avoid reusing locals by mistake
+ StackFrameX86 *frame0 = static_cast(frames->at(0));
+ EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust);
+ ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity);
+ EXPECT_EQ(0x4000e8b8U, frame0->instruction);
+ EXPECT_EQ(0x4000e8b8U, frame0->context.eip);
+ EXPECT_EQ(frame0_esp.Value(), frame0->context.esp);
+ EXPECT_EQ(frame1_ebp.Value(), frame0->context.ebp); // unchanged from caller
+ EXPECT_EQ(&module1, frame0->module);
+ EXPECT_EQ("module1::discombobulated", frame0->function_name);
+ EXPECT_EQ(0x4000e8a8U, frame0->function_base);
+ // The STACK WIN record for module1::discombobulated should have
+ // produced a fully populated WindowsFrameInfo structure.
+ ASSERT_TRUE(frame0->windows_frame_info != NULL);
+ EXPECT_EQ(WindowsFrameInfo::VALID_ALL, frame0->windows_frame_info->valid);
+ EXPECT_EQ(WindowsFrameInfo::STACK_INFO_FPO,
+ frame0->windows_frame_info->type_);
+ EXPECT_EQ(0x10U, frame0->windows_frame_info->local_size);
+ }
- StackFrameX86 *frame1 = static_cast(frames->at(1));
- EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust);
- ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP
- | StackFrameX86::CONTEXT_VALID_ESP
- | StackFrameX86::CONTEXT_VALID_EBP),
- frame1->context_validity);
- EXPECT_EQ(0x40009b5bU, frame1->instruction + 1);
- EXPECT_EQ(0x40009b5bU, frame1->context.eip);
- EXPECT_EQ(frame1_esp.Value(), frame1->context.esp);
- EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp);
- EXPECT_EQ(&module1, frame1->module);
- EXPECT_EQ("", frame1->function_name);
- EXPECT_EQ(NULL, frame1->windows_frame_info);
+ { // To avoid reusing locals by mistake
+ StackFrameX86 *frame1 = static_cast(frames->at(1));
+ EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust);
+ ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP
+ | StackFrameX86::CONTEXT_VALID_ESP
+ | StackFrameX86::CONTEXT_VALID_EBP),
+ frame1->context_validity);
+ EXPECT_EQ(0x40009b5bU, frame1->instruction + 1);
+ EXPECT_EQ(0x40009b5bU, frame1->context.eip);
+ EXPECT_EQ(frame1_esp.Value(), frame1->context.esp);
+ EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp);
+ EXPECT_EQ(&module1, frame1->module);
+ EXPECT_EQ("", frame1->function_name);
+ EXPECT_EQ(NULL, frame1->windows_frame_info);
+ }
 }
 // Use Windows FrameTypeFPO data to walk a stack frame for a function
@@ -812,36 +868,188 @@ TEST_F(GetCallerFrame, WindowsFPOUsedEBP) {
 frames = call_stack.frames();
 ASSERT_EQ(2U, frames->size());
- StackFrameX86 *frame0 = static_cast(frames->at(0));
- EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust);
- ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity);
- EXPECT_EQ(0x40009ab8U, frame0->instruction);
- EXPECT_EQ(0x40009ab8U, frame0->context.eip);
- EXPECT_EQ(frame0_esp.Value(), frame0->context.esp);
- EXPECT_EQ(0xecbdd1a5, frame0->context.ebp);
- EXPECT_EQ(&module1, frame0->module);
- EXPECT_EQ("module1::RaisedByTheAliens", frame0->function_name);
- EXPECT_EQ(0x40009aa8U, frame0->function_base);
- // The STACK WIN record for module1::RaisedByTheAliens should have
- // produced a fully populated WindowsFrameInfo structure.
- ASSERT_TRUE(frame0->windows_frame_info != NULL);
- EXPECT_EQ(WindowsFrameInfo::VALID_ALL, frame0->windows_frame_info->valid);
- EXPECT_EQ("", frame0->windows_frame_info->program_string);
- EXPECT_TRUE(frame0->windows_frame_info->allocates_base_pointer);
+ { // To avoid reusing locals by mistake
+ StackFrameX86 *frame0 = static_cast(frames->at(0));
+ EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust);
+ ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity);
+ EXPECT_EQ(0x40009ab8U, frame0->instruction);
+ EXPECT_EQ(0x40009ab8U, frame0->context.eip);
+ EXPECT_EQ(frame0_esp.Value(), frame0->context.esp);
+ EXPECT_EQ(0xecbdd1a5, frame0->context.ebp);
+ EXPECT_EQ(&module1, frame0->module);
+ EXPECT_EQ("module1::RaisedByTheAliens", frame0->function_name);
+ EXPECT_EQ(0x40009aa8U, frame0->function_base);
+ // The STACK WIN record for module1::RaisedByTheAliens should have
+ // produced a fully populated WindowsFrameInfo structure.
+ ASSERT_TRUE(frame0->windows_frame_info != NULL);
+ EXPECT_EQ(WindowsFrameInfo::VALID_ALL, frame0->windows_frame_info->valid);
+ EXPECT_EQ(WindowsFrameInfo::STACK_INFO_FPO,
+ frame0->windows_frame_info->type_);
+ EXPECT_EQ("", frame0->windows_frame_info->program_string);
+ EXPECT_TRUE(frame0->windows_frame_info->allocates_base_pointer);
+ }
- StackFrameX86 *frame1 = static_cast(frames->at(1));
- EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust);
- ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP
- | StackFrameX86::CONTEXT_VALID_ESP
- | StackFrameX86::CONTEXT_VALID_EBP),
- frame1->context_validity);
- EXPECT_EQ(0x4000debeU, frame1->instruction + 1);
- EXPECT_EQ(0x4000debeU, frame1->context.eip);
- EXPECT_EQ(frame1_esp.Value(), frame1->context.esp);
- EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp);
- EXPECT_EQ(&module1, frame1->module);
- EXPECT_EQ("", frame1->function_name);
- EXPECT_EQ(NULL, frame1->windows_frame_info);
+ { // To avoid reusing locals by mistake
+ StackFrameX86 *frame1 = static_cast(frames->at(1));
+ EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust);
+ ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP
+ | StackFrameX86::CONTEXT_VALID_ESP
+ | StackFrameX86::CONTEXT_VALID_EBP),
+ frame1->context_validity);
+ EXPECT_EQ(0x4000debeU, frame1->instruction + 1);
+ EXPECT_EQ(0x4000debeU, frame1->context.eip);
+ EXPECT_EQ(frame1_esp.Value(), frame1->context.esp);
+ EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp);
+ EXPECT_EQ(&module1, frame1->module);
+ EXPECT_EQ("", frame1->function_name);
+ EXPECT_EQ(NULL, frame1->windows_frame_info);
+ }
+}
+
+// This is a regression unit test which covers a bug which has to do with
+// FPO-optimized Windows system call stubs in the context frame. There is
+// a more recent Windows system call dispatch mechanism which differs from
+// the one which is being tested here. The newer system call dispatch
+// mechanism creates an extra context frame (KiFastSystemCallRet).
+TEST_F(GetCallerFrame, WindowsFPOSystemCall) {
+ SetModuleSymbols(&module3, // ntdll.dll
+ "PUBLIC 1f8ac c ZwWaitForSingleObject\n"
+ "STACK WIN 0 1f8ac 1b 0 0 c 0 0 0 0 0\n");
+ SetModuleSymbols(&module4, // kernelbase.dll
+ "PUBLIC 109f9 c WaitForSingleObjectEx\n"
+ "PUBLIC 36590 0 _except_handler4\n"
+ "STACK WIN 4 109f9 df c 0 c c 48 0 1 $T0 $ebp = $eip "
+ "$T0 4 + ^ = $ebp $T0 ^ = $esp $T0 8 + = $L "
+ "$T0 .cbSavedRegs - = $P $T0 8 + .cbParams + =\n"
+ "STACK WIN 4 36590 154 17 0 10 0 14 0 1 $T0 $ebp = $eip "
+ "$T0 4 + ^ = $ebp $T0 ^ = $esp $T0 8 + = $L $T0 "
+ ".cbSavedRegs - = $P $T0 8 + .cbParams + =\n");
+ SetModuleSymbols(&module5, // kernel32.dll
+ "PUBLIC 11136 8 WaitForSingleObject\n"
+ "PUBLIC 11151 c WaitForSingleObjectExImplementation\n"
+ "STACK WIN 4 11136 16 5 0 8 0 0 0 1 $T0 $ebp = $eip "
+ "$T0 4 + ^ = $ebp $T0 ^ = $esp $T0 8 + = $L "
+ "$T0 .cbSavedRegs - = $P $T0 8 + .cbParams + =\n"
+ "STACK WIN 4 11151 7a 5 0 c 0 0 0 1 $T0 $ebp = $eip "
+ "$T0 4 + ^ = $ebp $T0 ^ = $esp $T0 8 + = $L "
+ "$T0 .cbSavedRegs - = $P $T0 8 + .cbParams + =\n");
+ SetModuleSymbols(&module6, // chrome.dll
+ "FILE 7038 some_file_name.h\n"
+ "FILE 839776 some_file_name.cc\n"
+ "FUNC 217fda 17 4 function_217fda\n"
+ "217fda 4 102 839776\n"
+ "FUNC 217ff1 a 4 function_217ff1\n"
+ "217ff1 0 594 7038\n"
+ "217ff1 a 596 7038\n"
+ "STACK WIN 0 217ff1 a 0 0 4 0 0 0 0 0\n");
+
+ Label frame0_esp, frame1_esp;
+ Label frame1_ebp, frame2_ebp, frame3_ebp;
+ stack_section.start() = 0x002ff290;
+ stack_section
+ .Mark(&frame0_esp)
+ .D32(0x771ef8c1) // EIP in frame 0 (system call)
+ .D32(0x75fa0a91) // return address of frame 0
+ .Mark(&frame1_esp)
+ .D32(0x000017b0) // args to child
+ .D32(0x00000000)
+ .D32(0x002ff2d8)
+ .D32(0x88014a2e)
+ .D32(0x002ff364)
+ .D32(0x000017b0)
+ .D32(0x00000000)
+ .D32(0x00000024)
+ .D32(0x00000001)
+ .D32(0x00000000)
+ .D32(0x00000000)
+ .D32(0x00000000)
+ .D32(0x00000000)
+ .D32(0x00000000)
+ .D32(0x00000000)
+ .D32(0x00000000)
+ .D32(0x9e3b9800)
+ .D32(0xfffffff7)
+ .D32(0x00000000)
+ .D32(0x002ff2a4)
+ .D32(0x64a07ff1) // random value to be confused with a return address
+ .D32(0x002ff8dc)
+ .D32(0x75fc6590) // random value to be confused with a return address
+ .D32(0xfdd2c6ea)
+ .D32(0x00000000)
+ .Mark(&frame1_ebp)
+ .D32(frame2_ebp) // Child EBP
+ .D32(0x75741194) // return address of frame 1
+ .D32(0x000017b0) // args to child
+ .D32(0x0036ee80)
+ .D32(0x00000000)
+ .D32(0x65bc7d14)
+ .Mark(&frame2_ebp)
+ .D32(frame3_ebp) // Child EBP
+ .D32(0x75741148) // return address of frame 2
+ .D32(0x000017b0) // args to child
+ .D32(0x0036ee80)
+ .D32(0x00000000)
+ .Mark(&frame3_ebp)
+ .D32(0) // saved %ebp (stack end)
+ .D32(0); // saved %eip (stack end)
+
+ RegionFromSection();
+ raw_context.eip = 0x771ef8c1; // in ntdll::ZwWaitForSingleObject
+ raw_context.esp = stack_section.start().Value();
+ ASSERT_TRUE(raw_context.esp == frame0_esp.Value());
+ raw_context.ebp = frame1_ebp.Value();
+
+ StackwalkerX86 walker(&system_info, &raw_context, &stack_region, &modules,
+ &supplier, &resolver);
+ ASSERT_TRUE(walker.Walk(&call_stack));
+ frames = call_stack.frames();
+
+ ASSERT_EQ(4U, frames->size());
+
+ { // To avoid reusing locals by mistake
+ StackFrameX86 *frame0 = static_cast(frames->at(0));
+ EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust);
+ ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity);
+ EXPECT_EQ(0x771ef8c1U, frame0->instruction);
+ EXPECT_EQ(0x771ef8c1U, frame0->context.eip);
+ EXPECT_EQ(frame0_esp.Value(), frame0->context.esp);
+ EXPECT_EQ(frame1_ebp.Value(), frame0->context.ebp);
+ EXPECT_EQ(&module3, frame0->module);
+ EXPECT_EQ("ZwWaitForSingleObject", frame0->function_name);
+ // The STACK WIN record for module3!ZwWaitForSingleObject should have
+ // produced a fully populated WindowsFrameInfo structure.
+ ASSERT_TRUE(frame0->windows_frame_info != NULL);
+ EXPECT_EQ(WindowsFrameInfo::VALID_ALL, frame0->windows_frame_info->valid);
+ EXPECT_EQ(WindowsFrameInfo::STACK_INFO_FPO,
+ frame0->windows_frame_info->type_);
+ EXPECT_EQ("", frame0->windows_frame_info->program_string);
+ EXPECT_FALSE(frame0->windows_frame_info->allocates_base_pointer);
+ }
+
+ { // To avoid reusing locals by mistake
+ StackFrameX86 *frame1 = static_cast(frames->at(1));
+ EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust);
+ ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP
+ | StackFrameX86::CONTEXT_VALID_ESP
+ | StackFrameX86::CONTEXT_VALID_EBP),
+ frame1->context_validity);
+ EXPECT_EQ(0x75fa0a91U, frame1->instruction + 1);
+ EXPECT_EQ(0x75fa0a91U, frame1->context.eip);
+ EXPECT_EQ(frame1_esp.Value(), frame1->context.esp);
+ EXPECT_EQ(frame1_ebp.Value(), frame1->context.ebp);
+ EXPECT_EQ(&module4, frame1->module);
+ EXPECT_EQ("WaitForSingleObjectEx", frame1->function_name);
+ // The STACK WIN record for module4!WaitForSingleObjectEx should have
+ // produced a fully populated WindowsFrameInfo structure.
+ ASSERT_TRUE(frame1->windows_frame_info != NULL);
+ EXPECT_EQ(WindowsFrameInfo::VALID_ALL, frame1->windows_frame_info->valid);
+ EXPECT_EQ(WindowsFrameInfo::STACK_INFO_FRAME_DATA,
+ frame1->windows_frame_info->type_);
+ EXPECT_EQ("$T0 $ebp = $eip $T0 4 + ^ = $ebp $T0 ^ = $esp $T0 8 + = $L "
+ "$T0 .cbSavedRegs - = $P $T0 8 + .cbParams + =",
+ frame1->windows_frame_info->program_string);
+ EXPECT_FALSE(frame1->windows_frame_info->allocates_base_pointer);
+ }
 }
 struct CFIFixture: public StackwalkerX86Fixture {
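Review bot: WindowsFPOSystemCall asserts `ASSERT_EQ(4U, frames->size());` but then inspects only frames 0 and 1, so the two kernel32 frames that the module5 symbols and the frame2_ebp/frame3_ebp labels were laid out to produce are never checked, and a regression that still yields four frames with a wrong eip, ebp or module in frames 2 and 3 would pass this test. The stack layout already fixes what those frames must contain: the caller eips are the pushed return addresses 0x75741194 and 0x75741148, and the caller ebps are the frame2_ebp and frame3_ebp labels, so two more scoped blocks in the style of the existing ones would pin them; the module expectation below is a guess from the kernel32 symbols loaded into module5, since the fixture's module bases are outside this hunk. Separately, `ASSERT_TRUE(raw_context.esp == frame0_esp.Value());` prints only "false" on failure, whereas `ASSERT_EQ(frame0_esp.Value(), raw_context.esp);` reports both values.
```cpp
  // … unchanged: frame0 and frame1 blocks …
  { // To avoid reusing locals by mistake
    StackFrameX86 *frame2 = static_cast<StackFrameX86*>(frames->at(2));
    EXPECT_EQ(0x75741194U, frame2->context.eip);  // return address of frame 1
    EXPECT_EQ(frame2_ebp.Value(), frame2->context.ebp);
    EXPECT_EQ(&module5, frame2->module);  // kernel32.dll, if module5's base covers this eip — confirm
  }
  { // To avoid reusing locals by mistake
    StackFrameX86 *frame3 = static_cast<StackFrameX86*>(frames->at(3));
    EXPECT_EQ(0x75741148U, frame3->context.eip);  // return address of frame 2
    EXPECT_EQ(frame3_ebp.Value(), frame3->context.ebp);
    EXPECT_EQ(&module5, frame3->module);  // same caveat as frame2
  }
```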
@@ -897,32 +1105,36 @@ struct CFIFixture: public StackwalkerX86Fixture {
 frames = call_stack.frames();
 ASSERT_EQ(2U, frames->size());
- StackFrameX86 *frame0 = static_cast(frames->at(0));
- EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust);
- ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity);
- EXPECT_EQ("enchiridion", frame0->function_name);
- EXPECT_EQ(0x40004000U, frame0->function_base);
- ASSERT_TRUE(frame0->windows_frame_info != NULL);
- ASSERT_EQ(WindowsFrameInfo::VALID_PARAMETER_SIZE,
- frame0->windows_frame_info->valid);
- ASSERT_TRUE(frame0->cfi_frame_info != NULL);
+ { // To avoid reusing locals by mistake
+ StackFrameX86 *frame0 = static_cast(frames->at(0));
+ EXPECT_EQ(StackFrame::FRAME_TRUST_CONTEXT, frame0->trust);
+ ASSERT_EQ(StackFrameX86::CONTEXT_VALID_ALL, frame0->context_validity);
+ EXPECT_EQ("enchiridion", frame0->function_name);
+ EXPECT_EQ(0x40004000U, frame0->function_base);
+ ASSERT_TRUE(frame0->windows_frame_info != NULL);
+ ASSERT_EQ(WindowsFrameInfo::VALID_PARAMETER_SIZE,
+ frame0->windows_frame_info->valid);
+ ASSERT_TRUE(frame0->cfi_frame_info != NULL);
+ }
- StackFrameX86 *frame1 = static_cast(frames->at(1));
- EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust);
- ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP |
- StackFrameX86::CONTEXT_VALID_ESP |
- StackFrameX86::CONTEXT_VALID_EBP |
- StackFrameX86::CONTEXT_VALID_EBX |
- StackFrameX86::CONTEXT_VALID_ESI |
- StackFrameX86::CONTEXT_VALID_EDI),
- frame1->context_validity);
- EXPECT_EQ(expected.eip, frame1->context.eip);
- EXPECT_EQ(expected.esp, frame1->context.esp);
- EXPECT_EQ(expected.ebp, frame1->context.ebp);
- EXPECT_EQ(expected.ebx, frame1->context.ebx);
- EXPECT_EQ(expected.esi, frame1->context.esi);
- EXPECT_EQ(expected.edi, frame1->context.edi);
- EXPECT_EQ("epictetus", frame1->function_name);
+ { // To avoid reusing locals by mistake
+ StackFrameX86 *frame1 = static_cast(frames->at(1));
+ EXPECT_EQ(StackFrame::FRAME_TRUST_CFI, frame1->trust);
+ ASSERT_EQ((StackFrameX86::CONTEXT_VALID_EIP |
+ StackFrameX86::CONTEXT_VALID_ESP |
+ StackFrameX86::CONTEXT_VALID_EBP |
+ StackFrameX86::CONTEXT_VALID_EBX |
+ StackFrameX86::CONTEXT_VALID_ESI |
+ StackFrameX86::CONTEXT_VALID_EDI),
+ frame1->context_validity);
+ EXPECT_EQ(expected.eip, frame1->context.eip);
+ EXPECT_EQ(expected.esp, frame1->context.esp);
+ EXPECT_EQ(expected.ebp, frame1->context.ebp);
+ EXPECT_EQ(expected.ebx, frame1->context.ebx);
+ EXPECT_EQ(expected.esi, frame1->context.esi);
+ EXPECT_EQ(expected.edi, frame1->context.edi);
+ EXPECT_EQ("epictetus", frame1->function_name);
+ }
 }
 // The values the stack walker should find for the caller's registers.
diff --git a/src/processor/windows_frame_info.h b/src/processor/windows_frame_info.h
index 067f3cfd..3aa7b3f6 100644
--- a/src/processor/windows_frame_info.h
+++ b/src/processor/windows_frame_info.h
@@ -72,7 +72,8 @@ struct WindowsFrameInfo {
 STACK_INFO_UNKNOWN = -1
 };
- WindowsFrameInfo() : valid(VALID_NONE),
+ WindowsFrameInfo() : type_(STACK_INFO_UNKNOWN),
+ valid(VALID_NONE),
 prolog_size(0),
 epilog_size(0),
 parameter_size(0),
@@ -82,7 +83,8 @@ struct WindowsFrameInfo {
 allocates_base_pointer(0),
 program_string() {}
- WindowsFrameInfo(u_int32_t set_prolog_size,
+ WindowsFrameInfo(StackInfoTypes type,
+ u_int32_t set_prolog_size,
 u_int32_t set_epilog_size,
 u_int32_t set_parameter_size,
 u_int32_t set_saved_register_size,
@@ -90,7 +92,8 @@ struct WindowsFrameInfo {
 u_int32_t set_max_stack_size,
 int set_allocates_base_pointer,
 const std::string set_program_string)
- : valid(VALID_ALL),
+ : type_(type),
+ valid(VALID_ALL),
 prolog_size(set_prolog_size),
 epilog_size(set_epilog_size),
 parameter_size(set_parameter_size),
@@ -140,7 +143,8 @@ struct WindowsFrameInfo {
 allocates_base_pointer = strtoul(tokens[10], NULL, 16);
 }
- return new WindowsFrameInfo(prolog_size,
+ return new WindowsFrameInfo(static_cast(type),
+ prolog_size,
 epilog_size,
 parameter_size,
 saved_register_size,
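Review bot: In the @@ -140 hunk `static_cast(type)` (the template argument appears stripped on this page) converts the value parsed from the STACK WIN record straight into a StackInfoTypes without checking that it is one of the enumerators, so a symbol file whose type column holds an unexpected number produces a `type_` that matches neither STACK_INFO_FPO, STACK_INFO_FRAME_DATA nor STACK_INFO_UNKNOWN; where and how `type` is parsed is above the hunk and not visible here. Symbol files are external input to the processor, so the parser should fall back to the unknown value rather than smuggle an out-of-range enum into the struct, e.g. `StackInfoTypes info_type = STACK_INFO_UNKNOWN; if (type >= STACK_INFO_FPO && type <= STACK_INFO_FRAME_DATA) info_type = static_cast<StackInfoTypes>(type);` and pass `info_type` to the constructor, assuming the enumerators between those two are contiguous, which the enum definition outside the hunk would confirm. The enclosing parsing function starts outside the hunk.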
@@ -152,6 +156,7 @@ struct WindowsFrameInfo {
 // CopyFrom makes "this" WindowsFrameInfo object identical to "that".
 void CopyFrom(const WindowsFrameInfo &that) {
+ type_ = that.type_;
 valid = that.valid;
 prolog_size = that.prolog_size;
 epilog_size = that.epilog_size;
@@ -166,10 +171,13 @@ struct WindowsFrameInfo {
 // Clears the WindowsFrameInfo object so that users will see it as though
 // it contains no information.
 void Clear() {
+ type_ = STACK_INFO_UNKNOWN;
 valid = VALID_NONE;
 program_string.erase();
 }
+ StackInfoTypes type_;
+
 // Identifies which fields in the structure are valid. This is of
 // type Validity, but it is defined as an int because it's not
 // possible to OR values into an enumerated type. Users must check
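Review bot: The new field is declared as `type_` with a trailing underscore while every other member of this public struct (`valid`, `prolog_size`, `program_string`, …) has none, and it is also the only member in this hunk declared without a comment; the trailing underscore reads as a private-member convention on a struct whose fields the tests in this same commit access directly. Renaming it to `type` now, before more call sites pick up the accessor, would keep the struct consistent (the @@ -152 CopyFrom hunk and the new test assertions would need the same rename), and either way the declaration should say what it holds, e.g. `// The StackInfoTypes value of the STACK WIN record this info was parsed from; STACK_INFO_UNKNOWN by default and after Clear().`.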