win: Add thread snapshot and memory snapshot for stacks

snapshot/win/process_reader_win.cc

 // Copyright 2015 The Crashpad Authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
 #include "snapshot/win/process_reader_win.h"
 
+#include <winternl.h>
+
+#include "base/memory/scoped_ptr.h"
 #include "base/numerics/safe_conversions.h"
+#include "util/win/process_structs.h"
 #include "util/win/time.h"
 
 namespace crashpad {
 
+namespace {
+
+NTSTATUS NtQuerySystemInformation(
+    SYSTEM_INFORMATION_CLASS system_information_class,
+    PVOID system_information,
+    ULONG system_information_length,
+    PULONG return_length) {
+  static decltype(::NtQuerySystemInformation)* nt_query_system_information =
+      reinterpret_cast<decltype(::NtQuerySystemInformation)*>(GetProcAddress(
+          LoadLibrary(L"ntdll.dll"), "NtQuerySystemInformation"));
+  DCHECK(nt_query_system_information);
+  return nt_query_system_information(system_information_class,
+                                     system_information,
+                                     system_information_length,
+                                     return_length);
+}
+
+// Copied from ntstatus.h because um/winnt.h conflicts with general inclusion of
+// ntstatus.h.
+#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
+
+// Kernel mode enumerations for thread state.
+// See http://www.nirsoft.net/kernel_struct/vista/KTHREAD_STATE.html and
+// https://msdn.microsoft.com/en-us/library/system.diagnostics.threadstate(v=vs.110).aspx
+enum class KTHREAD_STATE : uint32_t {

[Mark Mentovai, 2015/05/08 20:30:21]

KTHREAD_STATE intentional instead of KThreadState?

[scottmg, 2015/05/08 21:05:44]

That was to match the standard kernel/ntinternals format, but I guess since we
renamed the values, it might as well go to our style.

+  kkInitialized,
+  kReady,
+  kRunning,
+  kStandby,
+  kTerminated,
+  kWaiting,
+  kTransition,
+  kDeferredReady,
+  kGateWait,
+};
+
+// Gets a pointer to the process information structure after a given one, or
+// null when iteration is complete, assuming they've been retrieved in a block
+// via NtQuerySystemInformation().
+template <class Traits>
+process_types::SYSTEM_PROCESS_INFORMATION<Traits>* NextProcess(
+    process_types::SYSTEM_PROCESS_INFORMATION<Traits>* process) {
+  ULONG offset = process->NextEntryOffset;
+  if (offset == 0)
+    return nullptr;
+  return reinterpret_cast<process_types::SYSTEM_PROCESS_INFORMATION<Traits>*>(
+      reinterpret_cast<uint8_t*>(process) + offset);
+}
+
+//! \brief Retrieves the SYSTEM_PROCESS_INFORMATION for a given process.
+//!
+//! The returned pointer points into the memory block stored by \a buffer.
+//! Ownership of \a buffer is transferred to the caller.
+//!
+//! \return Pointer to the process' data, or nullptr if it was not found or on
+//!     error. On error, a message will be logged.
+template <class Traits>
+process_types::SYSTEM_PROCESS_INFORMATION<Traits>* GetProcessInformation(
+    HANDLE process_handle,
+    scoped_ptr<uint8_t[]>* buffer) {
+  ULONG buffer_size = 16384;
+  buffer->reset(new uint8_t[buffer_size]);
+  NTSTATUS status;
+  // This must be in retry loop, as we're racing with process creation on the
+  // system to find a buffer large enough to hold all process information.
+  for (int tries = 0; tries < 20; ++tries) {
+    const int kSystemExtendedProcessInformation = 57;
+    status = crashpad::NtQuerySystemInformation(
+        static_cast<SYSTEM_INFORMATION_CLASS>(
+            kSystemExtendedProcessInformation),
+        reinterpret_cast<void*>(buffer->get()),
+        buffer_size,
+        &buffer_size);
+    if (status == STATUS_BUFFER_TOO_SMALL ||
+        status == STATUS_INFO_LENGTH_MISMATCH) {
+      buffer->reset(new uint8_t[buffer_size]);

[Mark Mentovai, 2015/05/08 20:30:21]

No slop? (It’s OK if you’re against doing it, but you said “done” to this and I
don’t see it.)

[scottmg, 2015/05/08 21:05:44]

Oops, I did it, then undid it when I added the range check, and then forgot to
readd it. I think it makes sense to add a bit.

+    } else {
+      break;
+    }
+  }
+
+  if (!NT_SUCCESS(status)) {
+    LOG(ERROR) << "NtQuerySystemInformation failed: " << std::hex << status;
+    return nullptr;
+  }
+
+  process_types::SYSTEM_PROCESS_INFORMATION<Traits>* process =
+      reinterpret_cast<process_types::SYSTEM_PROCESS_INFORMATION<Traits>*>(
+          buffer->get());
+  DWORD process_id = GetProcessId(process_handle);
+  do {
+    if (process->UniqueProcessId == process_id)
+      return process;
+  } while (process = NextProcess(process));
+
+  LOG(ERROR) << "process " << process_id << " not found";
+  return nullptr;
+}
+
+}  // namespace
+
+ProcessReaderWin::Thread::Thread()
+    : id(0),
+      teb(0),
+      stack_region_address(0),
+      stack_region_size(0),
+      suspend_count(0),
+      priority_class(0),
+      priority(0) {
+}
+
 ProcessReaderWin::ProcessReaderWin()
     : process_(INVALID_HANDLE_VALUE),
       process_info_(),
       modules_(),

[Mark Mentovai, 2015/05/08 20:30:21]

threads_(),

[scottmg, 2015/05/08 21:05:44]

Done.

+      initialized_threads_(false),
       initialized_() {
 }
 
 ProcessReaderWin::~ProcessReaderWin() {
 }
 
 bool ProcessReaderWin::Initialize(HANDLE process) {
   INITIALIZATION_STATE_SET_INITIALIZING(initialized_);
 
   process_ = process;
@@ skipping 34 matching lines @@
   FILETIME creation, exit, kernel, user;
   if (!GetProcessTimes(process_, &creation, &exit, &kernel, &user)) {
     PLOG(ERROR) << "GetProcessTimes";
     return false;
   }
   *user_time = FiletimeToTimevalInterval(user);
   *system_time = FiletimeToTimevalInterval(kernel);
   return true;
 }
 
+const std::vector<ProcessReaderWin::Thread>& ProcessReaderWin::Threads() {
+  INITIALIZATION_STATE_DCHECK_VALID(initialized_);
+  
+  if (initialized_threads_)
+    return threads_;
+

[Mark Mentovai, 2015/05/08 20:30:21]

Set initialized_threads_ to true here, so that if an early return is ever
introduced, it won’t cause subsequent calls to Threads() to try again.

[scottmg, 2015/05/08 21:05:44]

Done.

+  DCHECK(threads_.empty());
+
+#if ARCH_CPU_32_BITS
+  using SizeTraits = process_types::internal::Traits32;
+#else
+  using SizeTraits = process_types::internal::Traits64;
+#endif
+  process_types::SYSTEM_PROCESS_INFORMATION<SizeTraits>* process_information;

[Mark Mentovai, 2015/05/08 20:30:21]

No need to declare this until you initialize it, a couple of lines later.

[scottmg, 2015/05/08 21:05:45]

Done.

+  scoped_ptr<uint8_t[]> buffer;
+  process_information = GetProcessInformation<SizeTraits>(process_, &buffer);
+  if (!process_information)
+    return threads_;
+
+  for (unsigned i = 0; i < process_information->NumberOfThreads; ++i) {

[Mark Mentovai, 2015/05/08 20:30:21]

“unsigned long” to match decltype(process_information->NumberOfThreads)

[scottmg, 2015/05/08 21:05:44]

Done.

+    const process_types::SYSTEM_EXTENDED_THREAD_INFORMATION<SizeTraits>&
+        thread_info = process_information->Threads[i];
+    Thread thread;
+    thread.id = thread_info.ClientId.UniqueThread;
+
+    // TODO(scottmg): I'm not sure how to get SuspendCount. A rough version is
+    // to set a suspended count if if's currently waiting.
+    thread.suspend_count =
+        thread_info.ThreadState == static_cast<ULONG>(KTHREAD_STATE::kGateWait)

[Mark Mentovai, 2015/05/08 20:30:21]

Not that Stack Overflow is known for correctness, but
http://stackoverflow.com/questions/22949725/how-to-get-thread-state-e-g-suspe...
made me think that you’d need to check ThreadState == kWaiting && WaitReason ==
kSuspended.

[scottmg, 2015/05/08 21:05:45]

I think that's "sort of" right, in that that is what's required to check if the
thread is literally "suspended". But I checked e.g. a blocked chrome thread pool
worker, and it's in state ThreadState == kWaiting && WaitReason == WrQueue.

That is, I think really we want to know when the thread is "waiting", not when
it's "suspended", even though the value is called suspend_count. (Unless you
disagree about the purpose of SuspendCount, in which case I agree with what you
wrote.)

Hopefully I can find the real SuspendCount at some point anyway.

[Mark Mentovai, 2015/05/08 21:15:00]

scottmg wrote:
Oh, OK, that’s the source of the discrepancy, then!

I think that this should be the real suspend count, the one that’s returned by
SuspendThread(). I don’t think that we’re really too interested in “waiting”
here. Normally it would be obvious enough from the backtrace that a thread’s
waiting, but there would otherwise be no way to tell that it had been explicitly
suspended. This was my understanding of the field as used in the minidump, and
it’s how I implemented suspend_count for Mac. I wouldn’t expect an ordinary
blocked thread to show up as suspended.

[scottmg, 2015/05/09 02:46:15]

I see, my mistake.

I created a thread with CREATE_SUSPENDED and wrote that via MiniDumpWriteDump,
and created another that was blocked on a CRITICAL_SECTION, and indeed the first
has a SuspendCount of 1 and the second is 0, so your interpretation is the right
one.

But then it annoyed me even more than I couldn't get that value... I windbg'd
dbghelp briefly and I believe it actually SuspendThread/ResumeThread's each
thread, but it's a bit complicated, so not entirely certain.

But I also was poking around found NtQueryInformationThread and an alternate
THREADINFOCLASS in ntddk.h. Calling that appears to return the correct value. I
also added a failure case of return 1 similar to what was here before.

So, please take another look since ps#10.

+            ? 1
+            : 0;
+
+    // TODO(scottmg): I believe we could reverse engineer the PriorityClass from
+    // the Priority, BasePriority, and
+    // https://msdn.microsoft.com/en-us/library/windows/desktop/ms685100 .
+    // MinidumpThreadWriter doesn't handle it yet in any case, so investigate
+    // both of those at the same time if it's useful.
+    thread.priority_class = NORMAL_PRIORITY_CLASS;
+
+    thread.priority = thread_info.Priority;
+    thread.teb = thread_info.TebBase;
+
+    // While there are semi-documented fields in the thread structure called
+    // StackBase and StackLimit, they don't appear to be correct in practice (or
+    // at least, I don't know how to interpret them). Instead, read the TIB
+    // (Thread Information Block) which is the first element of the TEB, and use
+    // its stack fields.
+    process_types::NT_TIB<SizeTraits> tib;
+    if (ReadMemory(thread_info.TebBase, sizeof(tib), &tib)) {
+      thread.stack_region_address = tib.StackBase;
+      // Note, "backwards" because of direction of stack growth.
+      thread.stack_region_size = tib.StackBase - tib.StackLimit;
+    }
+    threads_.push_back(thread);
+  }
+
+  initialized_threads_ = true;
+  return threads_;
+}
+
 const std::vector<ProcessInfo::Module>& ProcessReaderWin::Modules() {
   INITIALIZATION_STATE_DCHECK_VALID(initialized_);
 
   if (!process_info_.Modules(&modules_)) {
     LOG(ERROR) << "couldn't retrieve modules";
   }
 
   return modules_;
 }
 
 }  // namespace crashpad