win: Retrieve thread context for x64

snapshot/win/process_reader_win.cc

 // Copyright 2015 The Crashpad Authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 46 matching lines @@
   static NtOpenThreadFunction nt_open_thread =
       reinterpret_cast<NtOpenThreadFunction>(
           GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtOpenThread"));
   DCHECK(nt_open_thread);
   return nt_open_thread(thread_handle,
                         desired_access,
                         object_attributes,
                         static_cast<const void*>(client_id));
 }
 
-NTSTATUS NtQueryInformationThread(HANDLE thread_handle,
-                                  THREADINFOCLASS thread_information_class,
-                                  PVOID thread_information,
-                                  ULONG thread_information_length,
-                                  PULONG return_length) {
-  static decltype(::NtQueryInformationThread)* nt_query_information_thread =
-      reinterpret_cast<decltype(::NtQueryInformationThread)*>(GetProcAddress(
-          LoadLibrary(L"ntdll.dll"), "NtQueryInformationThread"));
-  DCHECK(nt_query_information_thread);
-  return nt_query_information_thread(thread_handle,
-                                     thread_information_class,
-                                     thread_information,
-                                     thread_information_length,
-                                     return_length);
-}
-
 // Copied from ntstatus.h because um/winnt.h conflicts with general inclusion of
 // ntstatus.h.
 #define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
 #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
 
 // Gets a pointer to the process information structure after a given one, or
 // null when iteration is complete, assuming they've been retrieved in a block
 // via NtQuerySystemInformation().
 template <class Traits>
 process_types::SYSTEM_PROCESS_INFORMATION<Traits>* NextProcess(
@@ skipping 53 matching lines @@
   do {
     if (process->UniqueProcessId == process_id)
       return process;
   } while (process = NextProcess(process));
 
   LOG(ERROR) << "process " << process_id << " not found";
   return nullptr;
 }
 
 template <class Traits>
-uint32_t GetThreadSuspendCount(
-    const process_types::SYSTEM_EXTENDED_THREAD_INFORMATION<Traits>&
-        thread_info) {
-  // Wait reason values are from KWAIT_REASON in wdm.h. We don't need all of
-  // them, so just declare the one we need.
-  const ULONG kWaitReasonSuspended = 5;
-
-  // Kernel mode enumerations for thread state come from
-  // http://www.nirsoft.net/kernel_struct/vista/KTHREAD_STATE.html and
-  // https://msdn.microsoft.com/en-us/library/system.diagnostics.threadstate(v=vs.110).aspx
-  const ULONG kThreadStateWaiting = 5;
-  const ULONG kThreadStateGateWait = 8;
-
-  bool suspended = (thread_info.ThreadState == kThreadStateWaiting ||
-                    thread_info.ThreadState == kThreadStateGateWait) &&
-                   thread_info.WaitReason == kWaitReasonSuspended;
-  if (!suspended)
-    return 0;
-
-  HANDLE thread_handle;
-  ACCESS_MASK query_access = THREAD_QUERY_LIMITED_INFORMATION;
+HANDLE OpenThread(const process_types::SYSTEM_EXTENDED_THREAD_INFORMATION<
+    Traits>& thread_info) {
+  HANDLE handle;
+  ACCESS_MASK query_access = THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME;
   OBJECT_ATTRIBUTES object_attributes;
   InitializeObjectAttributes(&object_attributes, nullptr, 0, nullptr, nullptr);
   NTSTATUS status = crashpad::NtOpenThread(
-      &thread_handle, query_access, &object_attributes, &thread_info.ClientId);
+      &handle, query_access, &object_attributes, &thread_info.ClientId);
   if (!NT_SUCCESS(status)) {
-    LOG(WARNING) << "couldn't open thread to retrieve suspend count";
-    // Fall back to something semi-reasonable. We know we're suspended at this
-    // point, so just return 1.
-    return 1;
+    LOG(ERROR) << "NtOpenThread failed";
+    return nullptr;
+  }
+  return handle;
+}
+
+// It's necessary to suspend the thread to grab CONTEXT. SuspendThread has a
+// side-effect of returning the SuspendCount of the thread on success, so we
+// fill out these two pieces of semi-unrelated data in the same function.
+template <class Traits>
+void FillThreadContextAndSuspendCount(
+    const process_types::SYSTEM_EXTENDED_THREAD_INFORMATION<Traits>&
+        thread_info,
+    ProcessReaderWin::Thread* thread) {
+  ScopedKernelHANDLE thread_handle(OpenThread(thread_info));
+
+  DWORD previous_suspend_count = SuspendThread(thread_handle.get());
+  if (previous_suspend_count == -1) {
+    PLOG(ERROR) << "SuspendThread failed";
+    return;
   }
 
-  // Take ownership of this handle so we close on exit. NtClose and CloseHandle
-  // are identical.
-  ScopedKernelHANDLE handle(thread_handle);
+  thread->suspend_count = previous_suspend_count;
 
-  // From ntddk.h. winternl.h defines THREADINFOCLASS, but only one value.
-  const int kThreadSuspendCount = 35;
-  ULONG suspend_count;
-  status = crashpad::NtQueryInformationThread(
-      handle.get(),
-      static_cast<THREADINFOCLASS>(kThreadSuspendCount),
-      &suspend_count,
-      sizeof(suspend_count),
-      nullptr);
-  if (!NT_SUCCESS(status)) {
-    LOG(WARNING) << "NtQueryInformationThread failed" << std::hex << status;
-    return 1;
+  // TODO(scottmg): Handle cross-bitness here.
+
+  memset(&thread->context, 0, sizeof(thread->context));
+  thread->context.ContextFlags = CONTEXT_ALL;
+  if (!GetThreadContext(thread_handle.get(), &thread->context)) {
+    PLOG(ERROR) << "GetThreadContext failed";
+    return;
   }
 
-  return suspend_count;
+  if (!ResumeThread(thread_handle.get())) {
+    PLOG(ERROR) << "ResumeThread failed";
+  }
 }
 
 }  // namespace
 
 ProcessReaderWin::Thread::Thread()
-    : id(0),
+    : context(),
+      id(0),
       teb(0),
       stack_region_address(0),
       stack_region_size(0),
       suspend_count(0),
       priority_class(0),
       priority(0) {
 }
 
 ProcessReaderWin::ProcessReaderWin()
     : process_(INVALID_HANDLE_VALUE),
@@ skipping 20 matching lines @@
 bool ProcessReaderWin::ReadMemory(WinVMAddress at,
                                   WinVMSize num_bytes,
                                   void* into) {
   SIZE_T bytes_read;
   if (!ReadProcessMemory(process_,
                          reinterpret_cast<void*>(at),
                          into,
                          base::checked_cast<SIZE_T>(num_bytes),
                          &bytes_read) ||
       num_bytes != bytes_read) {
-    PLOG(ERROR) << "ReadMemory at " << at << " of " << num_bytes << " failed";
+    PLOG(ERROR) << "ReadMemory at 0x" << std::hex << at << std::dec << " of "
+                << num_bytes << " bytes failed";
     return false;
   }
   return true;
 }
 
 bool ProcessReaderWin::StartTime(timeval* start_time) const {
   FILETIME creation, exit, kernel, user;
   if (!GetProcessTimes(process_, &creation, &exit, &kernel, &user)) {
     PLOG(ERROR) << "GetProcessTimes";
     return false;
@@ skipping 33 matching lines @@
   process_types::SYSTEM_PROCESS_INFORMATION<SizeTraits>* process_information =
       GetProcessInformation<SizeTraits>(process_, &buffer);
   if (!process_information)
     return threads_;
 
   for (unsigned long i = 0; i < process_information->NumberOfThreads; ++i) {
     const process_types::SYSTEM_EXTENDED_THREAD_INFORMATION<SizeTraits>&
         thread_info = process_information->Threads[i];
     Thread thread;
     thread.id = thread_info.ClientId.UniqueThread;
-    thread.suspend_count = GetThreadSuspendCount(thread_info);
+
+    FillThreadContextAndSuspendCount(thread_info, &thread);
 
     // TODO(scottmg): I believe we could reverse engineer the PriorityClass from
     // the Priority, BasePriority, and
     // https://msdn.microsoft.com/en-us/library/windows/desktop/ms685100 .
     // MinidumpThreadWriter doesn't handle it yet in any case, so investigate
     // both of those at the same time if it's useful.
     thread.priority_class = NORMAL_PRIORITY_CLASS;
 
     thread.priority = thread_info.Priority;
     thread.teb = thread_info.TebBase;
 
     // While there are semi-documented fields in the thread structure called
     // StackBase and StackLimit, they don't appear to be correct in practice (or
     // at least, I don't know how to interpret them). Instead, read the TIB
     // (Thread Information Block) which is the first element of the TEB, and use
     // its stack fields.
     process_types::NT_TIB<SizeTraits> tib;
     if (ReadMemory(thread_info.TebBase, sizeof(tib), &tib)) {
-      thread.stack_region_address = tib.StackBase;
       // Note, "backwards" because of direction of stack growth.
+      thread.stack_region_address = tib.StackLimit;

[scottmg, 2015/05/12 17:48:59]

This confused me as I naturally think of Base as the smaller number and Limit as
the larger one. But since the stack grows the other way, Limit is the smaller
one and Base is the bigger one. As we're converting this into a range which is a
standard base+size, we use Limit as the base, and Base-Limit as the size.

       thread.stack_region_size = tib.StackBase - tib.StackLimit;
     }
     threads_.push_back(thread);
   }
 
   return threads_;
 }
 
 const std::vector<ProcessInfo::Module>& ProcessReaderWin::Modules() {
   INITIALIZATION_STATE_DCHECK_VALID(initialized_);
 
   if (!process_info_.Modules(&modules_)) {
     LOG(ERROR) << "couldn't retrieve modules";
   }
 
   return modules_;
 }
 
 }  // namespace crashpad