win: Retrieve thread context for x64

snapshot/win/process_reader_win.cc

 // Copyright 2015 The Crashpad Authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 46 matching lines @@
   static NtOpenThreadFunction nt_open_thread =
       reinterpret_cast<NtOpenThreadFunction>(
           GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtOpenThread"));
   DCHECK(nt_open_thread);
   return nt_open_thread(thread_handle,
                         desired_access,
                         object_attributes,
                         static_cast<const void*>(client_id));
 }
 
-NTSTATUS NtQueryInformationThread(HANDLE thread_handle,
-                                  THREADINFOCLASS thread_information_class,
-                                  PVOID thread_information,
-                                  ULONG thread_information_length,
-                                  PULONG return_length) {
-  static decltype(::NtQueryInformationThread)* nt_query_information_thread =
-      reinterpret_cast<decltype(::NtQueryInformationThread)*>(GetProcAddress(
-          LoadLibrary(L"ntdll.dll"), "NtQueryInformationThread"));
-  DCHECK(nt_query_information_thread);
-  return nt_query_information_thread(thread_handle,
-                                     thread_information_class,
-                                     thread_information,
-                                     thread_information_length,
-                                     return_length);
-}
-
 // Copied from ntstatus.h because um/winnt.h conflicts with general inclusion of
 // ntstatus.h.
 #define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
 #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
 
 // Gets a pointer to the process information structure after a given one, or
 // null when iteration is complete, assuming they've been retrieved in a block
 // via NtQuerySystemInformation().
 template <class Traits>
 process_types::SYSTEM_PROCESS_INFORMATION<Traits>* NextProcess(
@@ skipping 53 matching lines @@
   do {
     if (process->UniqueProcessId == process_id)
       return process;
   } while (process = NextProcess(process));
 
   LOG(ERROR) << "process " << process_id << " not found";
   return nullptr;
 }
 
 template <class Traits>
-uint32_t GetThreadSuspendCount(
-    const process_types::SYSTEM_EXTENDED_THREAD_INFORMATION<Traits>&
-        thread_info) {
-  // Wait reason values are from KWAIT_REASON in wdm.h. We don't need all of
-  // them, so just declare the one we need.
-  const ULONG kWaitReasonSuspended = 5;
-
-  // Kernel mode enumerations for thread state come from
-  // http://www.nirsoft.net/kernel_struct/vista/KTHREAD_STATE.html and
-  // https://msdn.microsoft.com/en-us/library/system.diagnostics.threadstate(v=vs.110).aspx
-  const ULONG kThreadStateWaiting = 5;
-  const ULONG kThreadStateGateWait = 8;
-
-  bool suspended = (thread_info.ThreadState == kThreadStateWaiting ||
-                    thread_info.ThreadState == kThreadStateGateWait) &&
-                   thread_info.WaitReason == kWaitReasonSuspended;
-  if (!suspended)
-    return 0;
-
-  HANDLE thread_handle;
-  ACCESS_MASK query_access = THREAD_QUERY_LIMITED_INFORMATION;
+HANDLE OpenThread(const process_types::SYSTEM_EXTENDED_THREAD_INFORMATION<
+    Traits>& thread_info) {
+  HANDLE handle;
+  ACCESS_MASK query_access = THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME;
   OBJECT_ATTRIBUTES object_attributes;
   InitializeObjectAttributes(&object_attributes, nullptr, 0, nullptr, nullptr);
   NTSTATUS status = crashpad::NtOpenThread(
-      &thread_handle, query_access, &object_attributes, &thread_info.ClientId);
+      &handle, query_access, &object_attributes, &thread_info.ClientId);
   if (!NT_SUCCESS(status)) {
-    LOG(WARNING) << "couldn't open thread to retrieve suspend count";
-    // Fall back to something semi-reasonable. We know we're suspended at this
-    // point, so just return 1.
-    return 1;
+    LOG(ERROR) << "NtOpenThread failed";
+    return nullptr;
+  }
+  return handle;
+}
+
+// It's necessary to suspend the thread to grab CONTEXT. SuspendThread has a
+// side-effect of returning the SuspendCount of the thread on success, so we
+// fill out these two pieces of semi-unrelated data in the same function.
+template <class Traits>
+void FillThreadContextAndSuspendCount(
+    const process_types::SYSTEM_EXTENDED_THREAD_INFORMATION<Traits>&
+        thread_info,
+    ProcessReaderWin::Thread* thread) {
+
+  // Don't suspend the thread if it's this thread. This is really only for test
+  // binaries, as we won't be walking ourselves, in general.
+  bool is_current_thread = thread_info.ClientId.UniqueThread ==
+                           reinterpret_cast<process_types::TEB<Traits>*>(
+                               NtCurrentTeb())->ClientId.UniqueThread;
+
+  ScopedKernelHANDLE thread_handle(OpenThread(thread_info));
+
+  if (is_current_thread) {
+    thread->suspend_count = 0;
+  } else {
+    DWORD previous_suspend_count = SuspendThread(thread_handle.get());
+    if (previous_suspend_count == -1) {
+      PLOG(ERROR) << "SuspendThread failed";
+      return;
+    }
+
+    thread->suspend_count = previous_suspend_count;
   }
 
-  // Take ownership of this handle so we close on exit. NtClose and CloseHandle
-  // are identical.
-  ScopedKernelHANDLE handle(thread_handle);
+  // TODO(scottmg): Handle cross-bitness here.
 
-  // From ntddk.h. winternl.h defines THREADINFOCLASS, but only one value.
-  const int kThreadSuspendCount = 35;
-  ULONG suspend_count;
-  status = crashpad::NtQueryInformationThread(
-      handle.get(),
-      static_cast<THREADINFOCLASS>(kThreadSuspendCount),
-      &suspend_count,
-      sizeof(suspend_count),
-      nullptr);
-  if (!NT_SUCCESS(status)) {
-    LOG(WARNING) << "NtQueryInformationThread failed" << std::hex << status;
-    return 1;
+  memset(&thread->context, 0, sizeof(thread->context));
+  thread->context.ContextFlags = CONTEXT_ALL;
+  if (!GetThreadContext(thread_handle.get(), &thread->context)) {
+    PLOG(ERROR) << "GetThreadContext failed";
+    return;

[cpu_(ooo_6.6-7.5), 2015/05/13 00:58:29]

"If you call GetThreadContext for the current thread, the function returns
successfully; however, the context returned is not valid."

[scottmg, 2015/05/13 17:16:37]

Thanks. I switch to RtlCaptureContext when it's the current thread, and added a
test.

   }
 
-  return suspend_count;
+  if (!is_current_thread) {
+    if (!ResumeThread(thread_handle.get())) {
+      PLOG(ERROR) << "ResumeThread failed";
+    }
+  }
 }
 
 }  // namespace
 
 ProcessReaderWin::Thread::Thread()
-    : id(0),
+    : context(),
+      id(0),
       teb(0),
       stack_region_address(0),
       stack_region_size(0),
       suspend_count(0),
       priority_class(0),
       priority(0) {
 }
 
 ProcessReaderWin::ProcessReaderWin()
     : process_(INVALID_HANDLE_VALUE),
@@ skipping 20 matching lines @@
 bool ProcessReaderWin::ReadMemory(WinVMAddress at,
                                   WinVMSize num_bytes,
                                   void* into) {
   SIZE_T bytes_read;
   if (!ReadProcessMemory(process_,
                          reinterpret_cast<void*>(at),
                          into,
                          base::checked_cast<SIZE_T>(num_bytes),
                          &bytes_read) ||
       num_bytes != bytes_read) {
-    PLOG(ERROR) << "ReadMemory at " << at << " of " << num_bytes << " failed";
+    PLOG(ERROR) << "ReadMemory at 0x" << std::hex << at << std::dec << " of "
+                << num_bytes << " bytes failed";
     return false;
   }
   return true;
 }
 
 bool ProcessReaderWin::StartTime(timeval* start_time) const {
   FILETIME creation, exit, kernel, user;
   if (!GetProcessTimes(process_, &creation, &exit, &kernel, &user)) {
     PLOG(ERROR) << "GetProcessTimes";
     return false;
@@ skipping 33 matching lines @@
   process_types::SYSTEM_PROCESS_INFORMATION<SizeTraits>* process_information =
       GetProcessInformation<SizeTraits>(process_, &buffer);
   if (!process_information)
     return threads_;
 
   for (unsigned long i = 0; i < process_information->NumberOfThreads; ++i) {
     const process_types::SYSTEM_EXTENDED_THREAD_INFORMATION<SizeTraits>&
         thread_info = process_information->Threads[i];
     Thread thread;
     thread.id = thread_info.ClientId.UniqueThread;
-    thread.suspend_count = GetThreadSuspendCount(thread_info);
+
+    FillThreadContextAndSuspendCount(thread_info, &thread);
 
     // TODO(scottmg): I believe we could reverse engineer the PriorityClass from
     // the Priority, BasePriority, and
     // https://msdn.microsoft.com/en-us/library/windows/desktop/ms685100 .
     // MinidumpThreadWriter doesn't handle it yet in any case, so investigate
     // both of those at the same time if it's useful.
     thread.priority_class = NORMAL_PRIORITY_CLASS;
 
     thread.priority = thread_info.Priority;
     thread.teb = thread_info.TebBase;
 
     // While there are semi-documented fields in the thread structure called
     // StackBase and StackLimit, they don't appear to be correct in practice (or
     // at least, I don't know how to interpret them). Instead, read the TIB
     // (Thread Information Block) which is the first element of the TEB, and use
     // its stack fields.
     process_types::NT_TIB<SizeTraits> tib;
     if (ReadMemory(thread_info.TebBase, sizeof(tib), &tib)) {
-      thread.stack_region_address = tib.StackBase;
       // Note, "backwards" because of direction of stack growth.
+      thread.stack_region_address = tib.StackLimit;
       thread.stack_region_size = tib.StackBase - tib.StackLimit;
     }
     threads_.push_back(thread);
   }
 
   return threads_;
 }
 
 const std::vector<ProcessInfo::Module>& ProcessReaderWin::Modules() {
   INITIALIZATION_STATE_DCHECK_VALID(initialized_);
 
   if (!process_info_.Modules(&modules_)) {
     LOG(ERROR) << "couldn't retrieve modules";
   }
 
   return modules_;
 }
 
 }  // namespace crashpad