1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROME_FRAME_CRASH_REPORTING_VECTORED_HANDLER_IMPL_H_ 6 #define CHROME_FRAME_CRASH_REPORTING_VECTORED_HANDLER_IMPL_H_ 7 8 #include "base/logging.h" 9 #include "chrome_frame/crash_reporting/vectored_handler.h" 10 #include "chrome_frame/crash_reporting/nt_loader.h" 11 12 #if !defined(_M_IX86) 13 #error only x86 is supported for now. 14 #endif 15 16 #ifndef EXCEPTION_CHAIN_END 17 #define EXCEPTION_CHAIN_END ((struct _EXCEPTION_REGISTRATION_RECORD*)-1) 18 #if !defined(_WIN32_WINNT_WIN8) 19 typedef struct _EXCEPTION_REGISTRATION_RECORD { 20 struct _EXCEPTION_REGISTRATION_RECORD* Next; 21 PVOID Handler; 22 } EXCEPTION_REGISTRATION_RECORD; 23 // VEH handler flags settings. 24 // These are grabbed from winnt.h for PocketPC. 25 // Only EXCEPTION_NONCONTINUABLE in defined in "regular" winnt.h 26 // #define EXCEPTION_NONCONTINUABLE 0x1 // Noncontinuable exception 27 #define EXCEPTION_UNWINDING 0x2 // Unwind is in progress 28 #define EXCEPTION_EXIT_UNWIND 0x4 // Exit unwind is in progress 29 #define EXCEPTION_STACK_INVALID 0x8 // Stack out of limits or unaligned 30 #define EXCEPTION_NESTED_CALL 0x10 // Nested exception handler call 31 #define EXCEPTION_TARGET_UNWIND 0x20 // Target unwind in progress 32 #define EXCEPTION_COLLIDED_UNWIND 0x40 // Collided exception handler call 33 34 #define EXCEPTION_UNWIND (EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND | \ 35 EXCEPTION_TARGET_UNWIND | EXCEPTION_COLLIDED_UNWIND) 36 37 #define IS_UNWINDING(Flag) (((Flag) & EXCEPTION_UNWIND) != 0) 38 #define IS_DISPATCHING(Flag) (((Flag) & EXCEPTION_UNWIND) == 0) 39 #define IS_TARGET_UNWIND(Flag) ((Flag) & EXCEPTION_TARGET_UNWIND) 40 #endif // !defined(_WIN32_WINNT_WIN8) 41 #endif // EXCEPTION_CHAIN_END 42 43 template <typename E> 44 VectoredHandlerT<E>::VectoredHandlerT(E* api) : exceptions_seen_(0), api_(api) { 45 } 46 47 template <typename E> 48 VectoredHandlerT<E>::~VectoredHandlerT() { 49 } 50 51 template <typename E> 52 LONG VectoredHandlerT<E>::Handler(EXCEPTION_POINTERS* exceptionInfo) { 53 // TODO(stoyan): Consider reentrancy 54 const DWORD exceptionCode = exceptionInfo->ExceptionRecord->ExceptionCode; 55 56 // Not interested in non-error exceptions. In this category falls exceptions 57 // like: 58 // 0x40010006 - OutputDebugStringA. Seen when no debugger is attached 59 // (otherwise debugger swallows the exception and prints 60 // the string). 61 // 0x406D1388 - DebuggerProbe. Used by debug CRT - for example see source 62 // code of isatty(). Used to name a thread as well. 63 // RPC_E_DISCONNECTED and Co. - COM IPC non-fatal warnings 64 // STATUS_BREAKPOINT and Co. - Debugger related breakpoints 65 if ((exceptionCode & ERROR_SEVERITY_ERROR) != ERROR_SEVERITY_ERROR) { 66 return ExceptionContinueSearch; 67 } 68 69 // Ignore custom exception codes. 70 // MSXML likes to raise 0xE0000001 while parsing. 71 // Note the C++ SEH (0xE06D7363) also fails in that range. 72 if (exceptionCode & APPLICATION_ERROR_MASK) { 73 return ExceptionContinueSearch; 74 } 75 76 exceptions_seen_++; 77 78 // If the exception code is STATUS_STACK_OVERFLOW then proceed as usual - 79 // we want to report it. Otherwise check whether guard page in stack is gone - 80 // i.e. stack overflow has been already observed and most probably we are 81 // seeing the follow-up STATUS_ACCESS_VIOLATION(s). See bug 32441. 82 if (exceptionCode != STATUS_STACK_OVERFLOW && api_->CheckForStackOverflow()) { 83 return ExceptionContinueSearch; 84 } 85 86 // Check whether exception will be handled by the module that cuased it. 87 // This should automatically handle the case of IsBadReadPtr and family. 88 const EXCEPTION_REGISTRATION_RECORD* seh = api_->RtlpGetExceptionList(); 89 if (api_->ShouldIgnoreException(exceptionInfo, seh)) { 90 return ExceptionContinueSearch; 91 } 92 93 const DWORD exceptionFlags = exceptionInfo->ExceptionRecord->ExceptionFlags; 94 // I don't think VEH is called on unwind. Just to be safe. 95 if (IS_DISPATCHING(exceptionFlags)) { 96 if (ModuleHasInstalledSEHFilter()) 97 return ExceptionContinueSearch; 98 99 if (api_->IsOurModule(exceptionInfo->ExceptionRecord->ExceptionAddress)) { 100 api_->WriteDump(exceptionInfo); 101 return ExceptionContinueSearch; 102 } 103 104 // See whether our module is somewhere in the call stack. 105 void* back_trace[E::max_back_trace] = {0}; 106 DWORD captured = api_->RtlCaptureStackBackTrace(0, api_->max_back_trace, 107 &back_trace[0], NULL); 108 for (DWORD i = 0; i < captured; ++i) { 109 if (api_->IsOurModule(back_trace[i])) { 110 api_->WriteDump(exceptionInfo); 111 return ExceptionContinueSearch; 112 } 113 } 114 } 115 116 return ExceptionContinueSearch; 117 } 118 119 template <typename E> 120 bool VectoredHandlerT<E>::ModuleHasInstalledSEHFilter() { 121 const EXCEPTION_REGISTRATION_RECORD* RegistrationFrame = 122 api_->RtlpGetExceptionList(); 123 // TODO(stoyan): Add the stack limits check and some sanity checks like 124 // decreasing addresses of registration records 125 while (RegistrationFrame != EXCEPTION_CHAIN_END) { 126 if (api_->IsOurModule(RegistrationFrame->Handler)) { 127 return true; 128 } 129 130 RegistrationFrame = RegistrationFrame->Next; 131 } 132 133 return false; 134 } 135 136 137 // Here comes the default Windows 32-bit implementation. 138 namespace { 139 __declspec(naked) 140 static EXCEPTION_REGISTRATION_RECORD* InternalRtlpGetExceptionList() { 141 __asm { 142 mov eax, fs:0 143 ret 144 } 145 } 146 147 __declspec(naked) 148 static char* GetStackTopLimit() { 149 __asm { 150 mov eax, fs:8 151 ret 152 } 153 } 154 } // end of namespace 155 156 // Class which methods simply forwards to Win32 API. 157 // Used as template (external interface) of VectoredHandlerT<E>. 158 class Win32VEHTraits { 159 public: 160 enum {max_back_trace = 62}; 161 162 static inline 163 EXCEPTION_REGISTRATION_RECORD* RtlpGetExceptionList() { 164 return InternalRtlpGetExceptionList(); 165 } 166 167 static inline WORD RtlCaptureStackBackTrace(DWORD FramesToSkip, 168 DWORD FramesToCapture, void** BackTrace, DWORD* BackTraceHash) { 169 return ::RtlCaptureStackBackTrace(FramesToSkip, FramesToCapture, 170 BackTrace, BackTraceHash); 171 } 172 173 static bool ShouldIgnoreException(const EXCEPTION_POINTERS* exceptionInfo, 174 const EXCEPTION_REGISTRATION_RECORD* seh_record) { 175 const void* address = exceptionInfo->ExceptionRecord->ExceptionAddress; 176 const DWORD flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT | 177 GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS; 178 HMODULE crashing_module = GetModuleHandleFromAddress(address); 179 if (!crashing_module) 180 return false; 181 182 HMODULE top_seh_module = NULL; 183 if (EXCEPTION_CHAIN_END != seh_record) 184 top_seh_module = GetModuleHandleFromAddress(seh_record->Handler); 185 186 // check if the crash address belongs in a module that's expecting 187 // and handling it. This should address cases like kernel32!IsBadXXX 188 // and urlmon!IsValidInterface 189 if (crashing_module == top_seh_module) 190 return true; 191 192 // We don't want to report exceptions that occur during DLL loading, 193 // as those are captured and ignored by the NT loader. If this thread 194 // is holding the loader's lock, there's a possiblity that the crash 195 // is occurring in a loading DLL, in which case we resolve the 196 // crash address to a module and check on the module's status. 197 if (nt_loader::OwnsLoaderLock()) { 198 nt_loader::LDR_DATA_TABLE_ENTRY* entry = 199 nt_loader::GetLoaderEntry(crashing_module); 200 201 // If: 202 // 1. we found the entry in question, and 203 // 2. the entry is a DLL (has the IMAGE_DLL flag set), and 204 // 3. the DLL has a non-null entrypoint, and 205 // 4. the loader has not tagged it with the process attached called flag 206 // we conclude that the crash is most likely during the loading of the 207 // module and bail on reporting the crash to avoid false positives 208 // during crashes that occur during module loads, such as e.g. when 209 // the hook manager attempts to load buggy window hook DLLs. 210 if (entry && 211 (entry->Flags & LDRP_IMAGE_DLL) != 0 && 212 (entry->EntryPoint != NULL) && 213 (entry->Flags & LDRP_PROCESS_ATTACH_CALLED) == 0) 214 return true; 215 } 216 217 return false; 218 } 219 220 static bool CheckForStackOverflow() { 221 MEMORY_BASIC_INFORMATION mi = {0}; 222 const DWORD kPageSize = 0x1000; 223 void* stack_top = GetStackTopLimit() - kPageSize; 224 ::VirtualQuery(stack_top, &mi, sizeof(mi)); 225 // The above call may result in moving the top of the stack. 226 // Check once more. 227 void* stack_top2 = GetStackTopLimit() - kPageSize; 228 if (stack_top2 != stack_top) 229 ::VirtualQuery(stack_top2, &mi, sizeof(mi)); 230 return !(mi.Protect & PAGE_GUARD); 231 } 232 233 private: 234 static inline const void* CodeOffset(const void* code, int offset) { 235 return reinterpret_cast<const char*>(code) + offset; 236 } 237 238 static HMODULE GetModuleHandleFromAddress(const void* p) { 239 HMODULE module_at_address = NULL; 240 MEMORY_BASIC_INFORMATION mi = {0}; 241 if (::VirtualQuery(p, &mi, sizeof(mi)) && (mi.Type & MEM_IMAGE)) { 242 module_at_address = reinterpret_cast<HMODULE>(mi.AllocationBase); 243 } 244 245 return module_at_address; 246 } 247 }; 248 249 250 // Use Win32 API; checks for single (current) module. Will call a specified 251 // CrashHandlerTraits::DumpHandler when taking a dump. 252 class CrashHandlerTraits : public Win32VEHTraits, 253 public ModuleOfInterestWithExcludedRegion { 254 public: 255 256 typedef bool (*DumpHandler)(EXCEPTION_POINTERS* p); 257 258 CrashHandlerTraits() : dump_handler_(NULL) {} 259 260 // Note that breakpad_lock must be held when this is called. 261 void Init(const void* veh_segment_start, const void* veh_segment_end, 262 DumpHandler dump_handler) { 263 DCHECK(dump_handler); 264 dump_handler_ = dump_handler; 265 ModuleOfInterestWithExcludedRegion::SetCurrentModule(); 266 // Pointers to static (non-extern) functions take the address of the 267 // function's first byte, as opposed to an entry in the compiler generated 268 // JMP table. In release builds /OPT:REF wipes away the JMP table, but debug 269 // builds are not so lucky. 270 ModuleOfInterestWithExcludedRegion::SetExcludedRegion(veh_segment_start, 271 veh_segment_end); 272 } 273 274 void Shutdown() { 275 } 276 277 inline bool WriteDump(EXCEPTION_POINTERS* p) { 278 if (dump_handler_) { 279 return dump_handler_(p); 280 } else { 281 return false; 282 } 283 } 284 285 private: 286 DumpHandler dump_handler_; 287 }; 288 289 #endif // CHROME_FRAME_CRASH_REPORTING_VECTORED_HANDLER_IMPL_H_ 290
