| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome_frame/vtable_patch_manager.h" | |
| 6 | |
| 7 #include <atlcomcli.h> | |
| 8 | |
| 9 #include <algorithm> | |
| 10 | |
| 11 #include "base/atomicops.h" | |
| 12 #include "base/logging.h" | |
| 13 #include "base/memory/scoped_ptr.h" | |
| 14 #include "base/synchronization/lock.h" | |
| 15 #include "chrome_frame/function_stub.h" | |
| 16 #include "chrome_frame/pin_module.h" | |
| 17 | |
| 18 namespace vtable_patch { | |
| 19 | |
| 20 // The number of times we retry a patch/unpatch operation in case of | |
| 21 // VM races with other 3rd party software trying to patch the same thing. | |
| 22 const int kMaxRetries = 3; | |
| 23 | |
| 24 // We hold a lock over all patching operations to make sure that we don't | |
| 25 // e.g. race on VM operations to the same patches, or to physical pages | |
| 26 // shared across different VTABLEs. | |
| 27 base::Lock patch_lock_; | |
| 28 | |
| 29 namespace internal { | |
| 30 // Because other parties in our process might be attempting to patch the same | |
| 31 // virtual tables at the same time, we have a race to modify the VM protections | |
| 32 // on the pages. We also need to do a compare/swap type operation when we | |
| 33 // modify the function, so as to be sure that we grab the most recent value. | |
| 34 // Hence the SEH blocks and the nasty-looking compare/swap operation. | |
| 35 bool ReplaceFunctionPointer(void** entry, void* new_proc, void* curr_proc) { | |
| 36 __try { | |
| 37 base::subtle::Atomic32 prev_value; | |
| 38 | |
| 39 prev_value = base::subtle::NoBarrier_CompareAndSwap( | |
| 40 reinterpret_cast<base::subtle::Atomic32 volatile*>(entry), | |
| 41 reinterpret_cast<base::subtle::Atomic32>(curr_proc), | |
| 42 reinterpret_cast<base::subtle::Atomic32>(new_proc)); | |
| 43 | |
| 44 return curr_proc == reinterpret_cast<void*>(prev_value); | |
| 45 } __except(EXCEPTION_EXECUTE_HANDLER) { | |
| 46 // Oops, we took exception on access. | |
| 47 } | |
| 48 | |
| 49 return false; | |
| 50 } | |
| 51 | |
| 52 } // namespace | |
| 53 | |
| 54 // Convenient definition of a VTABLE | |
| 55 typedef PROC* Vtable; | |
| 56 | |
| 57 // Returns a pointer to the VTable of a COM interface. | |
| 58 // @param unknown [in] The pointer of the COM interface. | |
| 59 inline Vtable GetIFVTable(void* unknown) { | |
| 60 return reinterpret_cast<Vtable>(*reinterpret_cast<void**>(unknown)); | |
| 61 } | |
| 62 | |
| 63 HRESULT PatchInterfaceMethods(void* unknown, MethodPatchInfo* patches) { | |
| 64 // Do some sanity checking of the input arguments. | |
| 65 if (NULL == unknown || NULL == patches) { | |
| 66 NOTREACHED(); | |
| 67 return E_INVALIDARG; | |
| 68 } | |
| 69 | |
| 70 Vtable vtable = GetIFVTable(unknown); | |
| 71 DCHECK(vtable); | |
| 72 | |
| 73 // All VM operations, patching and manipulation of MethodPatchInfo | |
| 74 // is done under a global lock, to ensure multiple threads don't | |
| 75 // race, whether on an individual patch, or on VM operations to | |
| 76 // the same physical pages. | |
| 77 base::AutoLock lock(patch_lock_); | |
| 78 | |
| 79 for (MethodPatchInfo* it = patches; it->index_ != -1; ++it) { | |
| 80 if (it->stub_ != NULL) { | |
| 81 // If this DCHECK fires it means that we are using the same VTable | |
| 82 // information to patch two different interfaces, or we've lost a | |
| 83 // race with another thread who's patching the same interface. | |
| 84 DLOG(WARNING) << "Attempting to patch two different VTables with the " | |
| 85 "same VTable information, or patching the same interface on " | |
| 86 "multiple threads"; | |
| 87 continue; | |
| 88 } | |
| 89 | |
| 90 PROC original_fn = vtable[it->index_]; | |
| 91 FunctionStub* stub = NULL; | |
| 92 | |
| 93 #ifndef NDEBUG | |
| 94 stub = FunctionStub::FromCode(original_fn); | |
| 95 if (stub != NULL) { | |
| 96 DLOG(ERROR) << "attempt to patch a function that's already patched"; | |
| 97 DCHECK(stub->destination_function() == | |
| 98 reinterpret_cast<uintptr_t>(it->method_)) << | |
| 99 "patching the same method multiple times with different hooks?"; | |
| 100 continue; | |
| 101 } | |
| 102 #endif | |
| 103 | |
| 104 stub = FunctionStub::Create(reinterpret_cast<uintptr_t>(original_fn), | |
| 105 it->method_); | |
| 106 if (!stub) { | |
| 107 NOTREACHED(); | |
| 108 return E_OUTOFMEMORY; | |
| 109 } | |
| 110 | |
| 111 // Do the VM operations and the patching in a loop, to try and ensure | |
| 112 // we succeed even if there's a VM operation or a patch race against | |
| 113 // other 3rd parties patching. | |
| 114 bool succeeded = false; | |
| 115 for (int i = 0; !succeeded && i < kMaxRetries; ++i) { | |
| 116 DWORD protect = 0; | |
| 117 if (!::VirtualProtect(&vtable[it->index_], sizeof(PROC), | |
| 118 PAGE_EXECUTE_READWRITE, &protect)) { | |
| 119 HRESULT hr = AtlHresultFromLastError(); | |
| 120 DLOG(ERROR) << "VirtualProtect failed 0x" << std::hex << hr; | |
| 121 | |
| 122 // Go around again in the feeble hope that this is | |
| 123 // a temporary problem. | |
| 124 continue; | |
| 125 } | |
| 126 original_fn = vtable[it->index_]; | |
| 127 stub->set_argument(reinterpret_cast<uintptr_t>(original_fn)); | |
| 128 succeeded = internal::ReplaceFunctionPointer( | |
| 129 reinterpret_cast<void**>(&vtable[it->index_]), stub->code(), | |
| 130 original_fn); | |
| 131 | |
| 132 if (!::VirtualProtect(&vtable[it->index_], sizeof(PROC), protect, | |
| 133 &protect)) { | |
| 134 DLOG(ERROR) << "VirtualProtect failed to restore protection"; | |
| 135 } | |
| 136 } | |
| 137 | |
| 138 if (!succeeded) { | |
| 139 FunctionStub::Destroy(stub); | |
| 140 stub = NULL; | |
| 141 | |
| 142 DLOG(ERROR) << "Failed to patch VTable."; | |
| 143 return E_FAIL; | |
| 144 } else { | |
| 145 // Success, save the stub we created. | |
| 146 it->stub_ = stub; | |
| 147 chrome_frame::PinModule(); | |
| 148 } | |
| 149 } | |
| 150 | |
| 151 return S_OK; | |
| 152 } | |
| 153 | |
| 154 HRESULT UnpatchInterfaceMethods(MethodPatchInfo* patches) { | |
| 155 base::AutoLock lock(patch_lock_); | |
| 156 | |
| 157 for (MethodPatchInfo* it = patches; it->index_ != -1; ++it) { | |
| 158 if (it->stub_) { | |
| 159 DCHECK(it->stub_->destination_function() == | |
| 160 reinterpret_cast<uintptr_t>(it->method_)); | |
| 161 // Modify the stub to just jump directly to the original function. | |
| 162 it->stub_->BypassStub(reinterpret_cast<void*>(it->stub_->argument())); | |
| 163 it->stub_ = NULL; | |
| 164 // Leave the stub in memory so that we won't break any possible chains. | |
| 165 | |
| 166 // TODO(siggi): why not restore the original VTBL pointer here, provided | |
| 167 // we haven't been chained? | |
| 168 } else { | |
| 169 DLOG(WARNING) << "attempt to unpatch a function that wasn't patched"; | |
| 170 } | |
| 171 } | |
| 172 | |
| 173 return S_OK; | |
| 174 } | |
| 175 | |
| 176 // Disabled for now as we're not using it atm. | |
| 177 #if 0 | |
| 178 | |
| 179 DynamicPatchManager::DynamicPatchManager(const MethodPatchInfo* patch_prototype) | |
| 180 : patch_prototype_(patch_prototype) { | |
| 181 DCHECK(patch_prototype_); | |
| 182 DCHECK(patch_prototype_->stub_ == NULL); | |
| 183 } | |
| 184 | |
| 185 DynamicPatchManager::~DynamicPatchManager() { | |
| 186 UnpatchAll(); | |
| 187 } | |
| 188 | |
| 189 HRESULT DynamicPatchManager::PatchObject(void* unknown) { | |
| 190 int patched_methods = 0; | |
| 191 for (; patch_prototype_[patched_methods].index_ != -1; patched_methods++) { | |
| 192 // If you hit this, then you are likely using the prototype instance for | |
| 193 // patching in _addition_ to this class. This is not a good idea :) | |
| 194 DCHECK(patch_prototype_[patched_methods].stub_ == NULL); | |
| 195 } | |
| 196 | |
| 197 // Prepare a new patch object using the patch info from the prototype. | |
| 198 int mem_size = sizeof(PatchedObject) + | |
| 199 sizeof(MethodPatchInfo) * patched_methods; | |
| 200 PatchedObject* entry = reinterpret_cast<PatchedObject*>(new char[mem_size]); | |
| 201 entry->vtable_ = GetIFVTable(unknown); | |
| 202 memcpy(entry->patch_info_, patch_prototype_, | |
| 203 sizeof(MethodPatchInfo) * (patched_methods + 1)); | |
| 204 | |
| 205 patch_list_lock_.Acquire(); | |
| 206 | |
| 207 // See if we've already patched this vtable before. | |
| 208 // The search is done via the == operator of the PatchedObject class. | |
| 209 PatchList::const_iterator it = std::find(patch_list_.begin(), | |
| 210 patch_list_.end(), entry); | |
| 211 HRESULT hr; | |
| 212 if (it == patch_list_.end()) { | |
| 213 hr = PatchInterfaceMethods(unknown, entry->patch_info_); | |
| 214 if (SUCCEEDED(hr)) { | |
| 215 patch_list_.push_back(entry); | |
| 216 entry = NULL; // Ownership transferred to the array. | |
| 217 } | |
| 218 } else { | |
| 219 hr = S_FALSE; | |
| 220 } | |
| 221 | |
| 222 patch_list_lock_.Release(); | |
| 223 | |
| 224 delete entry; | |
| 225 | |
| 226 return hr; | |
| 227 } | |
| 228 | |
| 229 bool DynamicPatchManager::UnpatchAll() { | |
| 230 patch_list_lock_.Acquire(); | |
| 231 PatchList::iterator it; | |
| 232 for (it = patch_list_.begin(); it != patch_list_.end(); it++) { | |
| 233 UnpatchInterfaceMethods((*it)->patch_info_); | |
| 234 delete (*it); | |
| 235 } | |
| 236 patch_list_.clear(); | |
| 237 patch_list_lock_.Release(); | |
| 238 | |
| 239 return true; | |
| 240 } | |
| 241 | |
| 242 #endif // disabled DynamicPatchManager | |
| 243 | |
| 244 } // namespace vtable_patch | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 126143005:
Remove Chrome Frame code and resources. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src