Issue 1364053002: win: Save contents of PEB to minidump

Issue 1364053002: win: Save contents of PEB to minidump (Closed)

Created:
5 years, 3 months ago by scottmg

Modified:
5 years, 2 months ago

Reviewers:
Mark Mentovai

CC:
crashpad-dev_chromium.org

Base URL:
https://chromium.googlesource.com/crashpad/crashpad@save-teb

Target Ref:
refs/heads/master

Project:
crashpad

Visibility:
Public.

More Reviews

Description

win: Save contents of PEB to minidump to start making !peb work This makes the basics of !peb work in windbg, however, pointed-to things are not yet retrieved. For full functionality, a variety of pointers in the PEB also needs to be walked and captured. e.g. Previously: 0:000> .ecxr eax=00000007 ebx=7e383000 ecx=c3f9a943 edx=00000000 esi=006d62d0 edi=003c9280 eip=00384828 esp=005bf634 ebp=005bf638 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 crashy_program!crashpad::`anonymous namespace'::SomeCrashyFunction+0x28: 00384828 c7002a000000 mov dword ptr [eax],2Ah ds:002b:00000007=???????? 0:000> !peb PEB at 7e383000 error 1 InitTypeRead( nt!_PEB at 7e383000)... Now: 0:000> .ecxr eax=00000007 ebx=7f958000 ecx=02102f4d edx=00000000 esi=00e162d0 edi=01389280 eip=01344828 esp=00c2fb64 ebp=00c2fb68 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 crashy_program!crashpad::`anonymous namespace'::SomeCrashyFunction+0x28: 01344828 c7002a000000 mov dword ptr [eax],2Ah ds:002b:00000007=???????? 0:000> !peb PEB at 7f958000 InheritedAddressSpace: No ReadImageFileExecOptions: No BeingDebugged: No ImageBaseAddress: 01340000 Ldr 77ec8b40 *** unable to read Ldr table at 77ec8b40 SubSystemData: 00000000 ProcessHeap: 00e10000 ProcessParameters: 00e114e0 CurrentDirectory: '< Name not readable >' WindowTitle: '< Name not readable >' ImageFile: '< Name not readable >' CommandLine: '< Name not readable >' DllPath: '< Name not readable >' Environment: 00000000 Unable to read Environment string. R=mark@chromium.org BUG=crashpad:46 Committed: https://chromium.googlesource.com/crashpad/crashpad/+/0758dbde9a39fcc965d18f1791082daa6add40aa

Patch Set 1 #

Patch Set 2 : test #

Total comments: 12

Patch Set 3 : . #

Patch Set 4 : . #

Patch Set 5 : mac #

Patch Set 6 : mac2 #

Total comments: 17

Patch Set 7 : fixes #

Total comments: 2

Created: 5 years, 2 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+116 lines, -15 lines)			Patch
M	minidump/minidump_file_writer.cc	View	1 2 3 4 5 6	1 chunk	+2 lines, -0 lines	2 comments	Download
M	minidump/minidump_file_writer_test.cc	View	1 2 3 4 5 6	3 chunks	+16 lines, -0 lines	0 comments	Download
M	snapshot/mac/process_snapshot_mac.h	View	1 2 3 4	1 chunk	+1 line, -0 lines	0 comments	Download
M	snapshot/mac/process_snapshot_mac.cc	View	1 2 3 4	1 chunk	+5 lines, -0 lines	0 comments	Download
M	snapshot/minidump/process_snapshot_minidump.h	View	1 2 3 4 5 6	2 chunks	+2 lines, -0 lines	0 comments	Download
M	snapshot/minidump/process_snapshot_minidump.cc	View	1 2 3	1 chunk	+7 lines, -0 lines	0 comments	Download
M	snapshot/process_snapshot.h	View	1 2 3 4 5 6	2 chunks	+10 lines, -0 lines	0 comments	Download
M	snapshot/test/test_process_snapshot.h	View	1 2 3 4 5 6	4 chunks	+11 lines, -0 lines	0 comments	Download
M	snapshot/test/test_process_snapshot.cc	View	1 2 3 4 5 6	2 chunks	+9 lines, -1 line	0 comments	Download
M	snapshot/win/process_reader_win.h	View	1 2 3	2 chunks	+3 lines, -3 lines	0 comments	Download
M	snapshot/win/process_reader_win.cc	View	1 2 3	1 chunk	+5 lines, -0 lines	0 comments	Download
M	snapshot/win/process_reader_win_test.cc	View	1 2 3	1 chunk	+1 line, -1 line	0 comments	Download
M	snapshot/win/process_snapshot_win.h	View	1 2	3 chunks	+4 lines, -0 lines	0 comments	Download
M	snapshot/win/process_snapshot_win.cc	View	1 2 3	3 chunks	+13 lines, -2 lines	0 comments	Download
M	util/win/process_info.h	View	1 2 3	3 chunks	+11 lines, -1 line	0 comments	Download
M	util/win/process_info.cc	View	1 2 3	7 chunks	+16 lines, -7 lines	0 comments	Download

Depends on Patchset:

Issue 1364803004 Patch 20001

Messages

Total messages: 12 (1 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

Mark Mentovai

I’m curious about these: CurrentDirectory: '< Name not readable >' Are the addresses for those ...

5 years, 3 months ago (2015-09-23 21:40:50 UTC) #2

Mark Mentovai

This tells me that at least some of this stuff is pretty discontiguous: PEB at ...

5 years, 3 months ago (2015-09-23 21:41:51 UTC) #3

scottmg

On 2015/09/23 21:40:50, Mark Mentovai - August is over wrote: > I’m curious about these: ...

5 years, 3 months ago (2015-09-23 22:15:08 UTC) #4

On 2015/09/23 21:40:50, Mark Mentovai - August is over wrote:
> I’m curious about these:
> 
>     CurrentDirectory:  '< Name not readable >'
> 
> Are the addresses for those things just beyond the PEB itself, or can they be
> anywhere? If they’re just beyond the PEB, we may want to fudge the PEB size to
> include them.
> 
> On the other hand, if they can be anywhere and we want to capture them, we may
> want to pursue a more generic “extra memory regions to capture in a minidump”
> sort of thing, and we might want the PEB to be one such region rather than
> having it be its own first-class thing on ProcessSnapshot that just happens to
> be a memory region.

It looks like it points all over the place, though much of it seems to be at the
beginning of the main process heap. Here's a full one from a running process:

0:000> !peb
PEB at 7f7ce000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00c90000
    Ldr                       77ec8b40
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 01473660 . 01474928
    Ldr.InLoadOrderModuleList:           01473750 . 01474918
    Ldr.InMemoryOrderModuleList:         01473758 . 01474920
            Base TimeStamp                     Module
          c90000 56031848 Sep 23 14:23:20 2015
D:\src\crashpad\crashpad\out\Debug\crashy_program.exe
        77dc0000 55c599e1 Aug 07 22:55:45 2015 C:\Windows\SYSTEM32\ntdll.dll
        758e0000 559f3b21 Jul 09 20:25:21 2015 C:\Windows\SYSTEM32\KERNEL32.DLL
        76850000 559f3b2a Jul 09 20:25:30 2015
C:\Windows\SYSTEM32\KERNELBASE.dll
        6f2b0000 559f3b08 Jul 09 20:24:56 2015 C:\Windows\system32\apphelp.dll
    SubSystemData:     00000000
    ProcessHeap:       01470000
    ProcessParameters: 01471a80
    CurrentDirectory:  'd:\src\crashpad\crashpad\'
    WindowTitle:  'D:\src\crashpad\crashpad\out\Debug\crashy_program.exe'
    ImageFile:    'D:\src\crashpad\crashpad\out\Debug\crashy_program.exe'
    CommandLine:  'D:\src\crashpad\crashpad\out\Debug\crashy_program.exe'
    DllPath:      '< Name not readable >'
    Environment:  014705e8
        =D:=d:\src\crashpad\crashpad
        =ExitCode=00000000
        ALLUSERSPROFILE=C:\ProgramData
...


It does seem like we'll want to capture a variety of miscellaneous regions for
bug #46. I started on the TEB(s) too
(https://codereview.chromium.org/1364803004/) and it got a bit cumbersome. We'll
also want to capture near EIP/RIP, maybe the first page  of each module, some
some memory around registers that look like they contain pointer values, and so
on.

Did you have any design in mind for doing that? I'm not sure of a good place for
it to live.



> 
>
https://codereview.chromium.org/1364053002/diff/20001/minidump/minidump_file_...
> File minidump/minidump_file_writer.cc (right):
> 
>
https://codereview.chromium.org/1364053002/diff/20001/minidump/minidump_file_...
> minidump/minidump_file_writer.cc:84: std::vector<const MemorySnapshot*>
> peb_vector;
> Use the (1, peb) constructor and skip the push_back.
> 
>
https://codereview.chromium.org/1364053002/diff/20001/minidump/minidump_file_...
> File minidump/minidump_file_writer_test.cc (right):
> 
>
https://codereview.chromium.org/1364053002/diff/20001/minidump/minidump_file_...
> minidump/minidump_file_writer_test.cc:260:
> process_snapshot.SetPeb(peb_snapshot.Pass());
> You never test that this had any effect on the output. Do you want to examine
> the memory stream to make sure that it’s got this?
> 
>
https://codereview.chromium.org/1364053002/diff/20001/snapshot/process_snapsh...
> File snapshot/process_snapshot.h (right):
> 
>
https://codereview.chromium.org/1364053002/diff/20001/snapshot/process_snapsh...
> snapshot/process_snapshot.h:141: //!
> Say that this is only a sensible thing on Windows.
> 
>
https://codereview.chromium.org/1364053002/diff/20001/snapshot/win/process_re...
> File snapshot/win/process_reader_win.h (right):
> 
>
https://codereview.chromium.org/1364053002/diff/20001/snapshot/win/process_re...
> snapshot/win/process_reader_win.h:116: const ProcessInfo& process_info() const
{
> Move this out-of-line (and rename ProcessInfo()) since it’s becoming less
simple
> now.
> 
> https://codereview.chromium.org/1364053002/diff/20001/util/win/process_info.cc
> File util/win/process_info.cc (right):
> 
>
https://codereview.chromium.org/1364053002/diff/20001/util/win/process_info.c...
> util/win/process_info.cc:266: peb_address_(),
> _(0), next line too.
> 
> https://codereview.chromium.org/1364053002/diff/20001/util/win/process_info.h
> File util/win/process_info.h (right):
> 
>
https://codereview.chromium.org/1364053002/diff/20001/util/win/process_info.h...
> util/win/process_info.h:83: 
> Missing //!

Mark Mentovai

Perhaps both ProcessSnapshot and ThreadSnapshot (and ModuleSnapshot, if you want the first few pages of ...

5 years, 3 months ago (2015-09-24 01:57:02 UTC) #5

scottmg

Thanks, ExtraMemory() seems like a good idea. I still only included the root of the ...

5 years, 3 months ago (2015-09-24 20:00:10 UTC) #6

Mark Mentovai

LGTM https://codereview.chromium.org/1364053002/diff/100001/minidump/minidump_file_writer.cc File minidump/minidump_file_writer.cc (right): https://codereview.chromium.org/1364053002/diff/100001/minidump/minidump_file_writer.cc#newcode82 minidump/minidump_file_writer.cc:82: memory_list->AddFromSnapshot(process_snapshot->ExtraMemory()); Was there a significance to this position? ...

5 years, 2 months ago (2015-09-25 17:05:35 UTC) #7

scottmg

https://codereview.chromium.org/1364053002/diff/100001/minidump/minidump_file_writer.cc File minidump/minidump_file_writer.cc (right): https://codereview.chromium.org/1364053002/diff/100001/minidump/minidump_file_writer.cc#newcode82 minidump/minidump_file_writer.cc:82: memory_list->AddFromSnapshot(process_snapshot->ExtraMemory()); On 2015/09/25 17:05:34, Mark Mentovai - August is ...

5 years, 2 months ago (2015-09-25 17:29:31 UTC) #9

scottmg

Committed patchset #7 (id:140001) manually as 0758dbde9a39fcc965d18f1791082daa6add40aa (presubmit successful).

5 years, 2 months ago (2015-09-25 17:31:09 UTC) #10

Mark Mentovai

https://codereview.chromium.org/1364053002/diff/100001/snapshot/process_snapshot.h File snapshot/process_snapshot.h (right): https://codereview.chromium.org/1364053002/diff/100001/snapshot/process_snapshot.h#newcode168 snapshot/process_snapshot.h:168: //! \return An std::vector<const MemorySnapshot*> that will be included ...

5 years, 2 months ago (2015-09-25 17:32:32 UTC) #11

scottmg

5 years, 2 months ago (2015-09-25 19:20:34 UTC) #12

Message was sent while issue was closed.

https://codereview.chromium.org/1364053002/diff/140001/minidump/minidump_file...
File minidump/minidump_file_writer.cc (right):

https://codereview.chromium.org/1364053002/diff/140001/minidump/minidump_file...
minidump/minidump_file_writer.cc:96:
memory_list->AddFromSnapshot(process_snapshot->ExtraMemory());
On 2015/09/25 17:32:32, Mark Mentovai - August is over wrote:
> It’s OK to do this after the crashpad_info stuff, but right here, it’s in the
> middle of the crashpad_info.

Hmm, you're right. OK, at the end it is:
https://codereview.chromium.org/1369823002.

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages