/*++ Copyright (c) 1991 Microsoft Corporation Module Name: stktrace.c Abstract: This module implements routines to snapshot a set of stack back traces in a data base. Useful for heap allocators to track allocation requests cheaply. Author: Steve Wood (stevewo) 29-Jan-1992 Revision History: 17-May-1999 (silviuc) : added RtlWalkFrameChain that replaces the unsafe RtlCaptureStackBackTrace. 29-Jul-2000 (silviuc) : added RtlCaptureStackContext. 6-Nov-2000 (silviuc): IA64 runtime stack traces. 18-Feb-2001 (silviuc) : moved all x86 specific code into i386 directory. 03-May-2002 (silviuc) : switched to a resource instead of a lock. Traces that are in the database can be found by locking the resource in shared mode. Only a real addition to the database will require exclusive acquisition. --*/ #include #include #include "ntrtlp.h" #include #include #include #include #include // // Number of buckets used for the simple chaining hash table. // #define NUMBER_OF_BUCKETS 1567 // // Macros to hide the different synchronization routines for // user mode and kernel mode runtimes. For kernel runtime // the OKAY_TO_LOCK macro points to a real function that makes // sure current thread is not executing a DPC routine. // #ifdef NTOS_KERNEL_RUNTIME typedef struct _KSPIN_LOCK_EX { KSPIN_LOCK Lock; KIRQL OldIrql; PKTHREAD Owner; } KSPIN_LOCK_EX, *PKSPIN_LOCK_EX; NTSTATUS KeInitializeSpinLockEx ( PKSPIN_LOCK_EX Lock ) { KeInitializeSpinLock (&(Lock->Lock)); Lock->OldIrql = 0; Lock->Owner = NULL; return STATUS_SUCCESS; } VOID KeAcquireSpinLockEx ( PKSPIN_LOCK_EX Lock ) { KeAcquireSpinLock (&(Lock->Lock), &(Lock->OldIrql)); Lock->Owner = KeGetCurrentThread(); } VOID KeReleaseSpinLockEx ( PKSPIN_LOCK_EX Lock ) { Lock->Owner = NULL; KeReleaseSpinLock (&(Lock->Lock), (Lock->OldIrql)); } #define INITIALIZE_DATABASE_LOCK(R) KeInitializeSpinLockEx((PKSPIN_LOCK_EX)R) #define ACQUIRE_DATABASE_LOCK(R) KeAcquireSpinLockEx((PKSPIN_LOCK_EX)R) #define RELEASE_DATABASE_LOCK(R) KeReleaseSpinLockEx((PKSPIN_LOCK_EX)R) #define OKAY_TO_LOCK_DATABASE(R) ExOkayToLockRoutine(&(((PKSPIN_LOCK_EX)R)->Lock)) BOOLEAN ExOkayToLockRoutine ( IN PVOID Lock ); #else //#ifdef NTOS_KERNEL_RUNTIME #define INITIALIZE_DATABASE_LOCK(R) RtlInitializeCriticalSection(R) #define ACQUIRE_DATABASE_LOCK(R) RtlEnterCriticalSection(R) #define RELEASE_DATABASE_LOCK(R) RtlLeaveCriticalSection(R) #define OKAY_TO_LOCK_DATABASE(R) (RtlDllShutdownInProgress() == FALSE) #endif // #ifdef NTOS_KERNEL_RUNTIME // // Globals from elsewhere refered here. // extern BOOLEAN RtlpFuzzyStackTracesEnabled; // // Forward declarations of private functions. // USHORT RtlpLogStackBackTraceEx( ULONG FramesToSkip ); LOGICAL RtlpCaptureStackTraceForLogging ( PRTL_STACK_TRACE_ENTRY Trace, PULONG Hash, ULONG FramesToSkip, LOGICAL UserModeStackFromKernelMode ); USHORT RtlpLogCapturedStackTrace( PRTL_STACK_TRACE_ENTRY Trace, ULONG Hash ); PRTL_STACK_TRACE_ENTRY RtlpExtendStackTraceDataBase( IN PRTL_STACK_TRACE_ENTRY InitialValue, IN SIZE_T Size ); // // Global per process (user mode) or system wide (kernel mode) // stack trace database. // PSTACK_TRACE_DATABASE RtlpStackTraceDataBase; // // Resource used to control access to stack trace database. We opted for // this solution so that we kept change in the database structure to an // absolute minimal. This way the tools that depend on this structure // (at least umhd and oh) will not need a new version and will not // introduce backcompatibility issues. // #ifdef NTOS_KERNEL_RUNTIME KSPIN_LOCK_EX RtlpStackTraceDataBaseLock; #else RTL_CRITICAL_SECTION RtlpStackTraceDataBaseLock; #endif ///////////////////////////////////////////////////////////////////// //////////////////////////////////////// Runtime stack trace database ///////////////////////////////////////////////////////////////////// // // The following section implements a trace database used to store // stack traces captured with RtlCaptureStackBackTrace(). The database // is implemented as a hash table and does not allow deletions. It is // sensitive to "garbage" in the sense that spurios garbage (partially // correct stacks) will hash in different buckets and will tend to fill // the whole table. This is a problem only on x86 if "fuzzy" stack traces // are used. The typical function used to log the trace is // RtlLogStackBackTrace. One of the worst limitations of this package // is that traces are refered using a ushort index which means we cannot // ever store more than 65535 traces (remember we never delete traces). // PSTACK_TRACE_DATABASE RtlpAcquireStackTraceDataBase( ) { PSTACK_TRACE_DATABASE DataBase; DataBase = RtlpStackTraceDataBase; // // Sanity checks. // if (DataBase == NULL) { return NULL; } if (! OKAY_TO_LOCK_DATABASE (DataBase->Lock)) { return NULL; } ACQUIRE_DATABASE_LOCK (DataBase->Lock); if (DataBase->DumpInProgress) { RELEASE_DATABASE_LOCK (DataBase->Lock); return NULL; } else { return DataBase; } } VOID RtlpReleaseStackTraceDataBase( ) { PSTACK_TRACE_DATABASE DataBase; DataBase = RtlpStackTraceDataBase; // // Sanity checks. // if (DataBase == NULL) { return; } RELEASE_DATABASE_LOCK (DataBase->Lock); } NTSTATUS RtlInitializeStackTraceDataBase( IN PVOID CommitBase, IN SIZE_T CommitSize, IN SIZE_T ReserveSize ) { NTSTATUS Status; PSTACK_TRACE_DATABASE DataBase; // // On x86 where runtime stack tracing algorithms are unreliable // if we have a big enough trace database then we can enable fuzzy // stack traces that do not hash very well and have the potential // to fill out the trace database. // #if defined(_X86_) && !defined(NTOS_KERNEL_RUNTIME) if (ReserveSize >= 16 * RTL_MEG) { RtlpFuzzyStackTracesEnabled = TRUE; } #endif DataBase = (PSTACK_TRACE_DATABASE)CommitBase; if (CommitSize == 0) { // // Initially commit enough pages to accomodate the increased // number of hash chains (for improved performance we switched from ~100 // to ~1000 in the hope that the hash chains will decrease ten-fold in // length). // CommitSize = ROUND_TO_PAGES (NUMBER_OF_BUCKETS * sizeof (DataBase->Buckets[ 0 ])); Status = ZwAllocateVirtualMemory (NtCurrentProcess(), (PVOID *)&CommitBase, 0, &CommitSize, MEM_COMMIT, PAGE_READWRITE); if (! NT_SUCCESS(Status)) { KdPrint (("RTL: Unable to commit space to extend stack " "trace data base - Status = %lx\n", Status)); return Status; } DataBase->PreCommitted = FALSE; } else if (CommitSize == ReserveSize) { RtlZeroMemory (DataBase, sizeof( *DataBase )); DataBase->PreCommitted = TRUE; } else { return STATUS_INVALID_PARAMETER; } DataBase->CommitBase = CommitBase; DataBase->NumberOfBuckets = NUMBER_OF_BUCKETS; DataBase->NextFreeLowerMemory = (PCHAR)(&DataBase->Buckets[ DataBase->NumberOfBuckets ]); DataBase->NextFreeUpperMemory = (PCHAR)CommitBase + ReserveSize; if (! DataBase->PreCommitted) { DataBase->CurrentLowerCommitLimit = (PCHAR)CommitBase + CommitSize; DataBase->CurrentUpperCommitLimit = (PCHAR)CommitBase + ReserveSize; } else { RtlZeroMemory (&DataBase->Buckets[ 0 ], DataBase->NumberOfBuckets * sizeof (DataBase->Buckets[ 0 ])); } DataBase->EntryIndexArray = (PRTL_STACK_TRACE_ENTRY *)DataBase->NextFreeUpperMemory; // // Initialize the database lock. // DataBase->Lock = &RtlpStackTraceDataBaseLock; Status = INITIALIZE_DATABASE_LOCK (DataBase->Lock); if (! NT_SUCCESS(Status)) { KdPrint(("RTL: Unable to initialize stack trace database lock (status %X)\n", Status)); return Status; } RtlpStackTraceDataBase = DataBase; return STATUS_SUCCESS; } PRTL_STACK_TRACE_ENTRY RtlpExtendStackTraceDataBase( IN PRTL_STACK_TRACE_ENTRY InitialValue, IN SIZE_T Size ) /*++ Routine Description: This routine extends the stack trace database in order to accomodate the new stack trace that has to be saved. Arguments: InitialValue - stack trace to be saved. Size - size of the stack trace in bytes. Note that this is not the depth of the trace but rather `Depth * sizeof(PVOID)'. Return Value: The address of the just saved stack trace or null in case we have hit the maximum size of the database or we get commit errors. Environment: User mode. Note. In order to make all this code work in kernel mode we have to rewrite this function that relies on VirtualAlloc. --*/ { NTSTATUS Status; PRTL_STACK_TRACE_ENTRY p, *pp; SIZE_T CommitSize; PSTACK_TRACE_DATABASE DataBase; DataBase = RtlpStackTraceDataBase; // // We will try to find space for one stack trace entry in the // upper part of the database. // pp = (PRTL_STACK_TRACE_ENTRY *)DataBase->NextFreeUpperMemory; if ((! DataBase->PreCommitted) && ((PCHAR)(pp - 1) < (PCHAR)DataBase->CurrentUpperCommitLimit)) { // // No more committed space in the upper part of the database. // We need to extend it downwards. // DataBase->CurrentUpperCommitLimit = (PVOID)((PCHAR)DataBase->CurrentUpperCommitLimit - PAGE_SIZE); if (DataBase->CurrentUpperCommitLimit < DataBase->CurrentLowerCommitLimit) { // // No more space at all. We have got over the lower part of the db. // We failed therefore increase back the UpperCommitLimit pointer. // DataBase->CurrentUpperCommitLimit = (PVOID)((PCHAR)DataBase->CurrentUpperCommitLimit + PAGE_SIZE); return( NULL ); } CommitSize = PAGE_SIZE; Status = ZwAllocateVirtualMemory( NtCurrentProcess(), (PVOID *)&DataBase->CurrentUpperCommitLimit, 0, &CommitSize, MEM_COMMIT, PAGE_READWRITE ); if (!NT_SUCCESS( Status )) { // // We tried to increase the upper part of the db by one page. // We failed therefore increase back the UpperCommitLimit pointer // DataBase->CurrentUpperCommitLimit = (PVOID)((PCHAR)DataBase->CurrentUpperCommitLimit + PAGE_SIZE); return NULL; } } // // We managed to make sure we have usable space in the upper part // therefore we take out one stack trace entry address. // DataBase->NextFreeUpperMemory -= sizeof( *pp ); // // Now we will try to find space in the lower part of the database for // for the eactual stack trace. // p = (PRTL_STACK_TRACE_ENTRY)DataBase->NextFreeLowerMemory; if ((! DataBase->PreCommitted) && (((PCHAR)p + Size) > (PCHAR)DataBase->CurrentLowerCommitLimit)) { // // We need to extend the lower part. // if (DataBase->CurrentLowerCommitLimit >= DataBase->CurrentUpperCommitLimit) { // // We have hit the maximum size of the database. // return( NULL ); } // // Extend the lower part of the database by one page. // CommitSize = Size; Status = ZwAllocateVirtualMemory( NtCurrentProcess(), (PVOID *)&DataBase->CurrentLowerCommitLimit, 0, &CommitSize, MEM_COMMIT, PAGE_READWRITE ); if (! NT_SUCCESS( Status )) { return NULL; } DataBase->CurrentLowerCommitLimit = (PCHAR)DataBase->CurrentLowerCommitLimit + CommitSize; } // // Take out the space for the stack trace. // DataBase->NextFreeLowerMemory += Size; // // Deal with a precommitted database case. If the lower and upper // pointers have crossed each other then rollback and return failure. // if (DataBase->PreCommitted && DataBase->NextFreeLowerMemory >= DataBase->NextFreeUpperMemory) { DataBase->NextFreeUpperMemory += sizeof( *pp ); DataBase->NextFreeLowerMemory -= Size; return( NULL ); } // // Save the stack trace in the database // RtlMoveMemory( p, InitialValue, Size ); p->HashChain = NULL; p->TraceCount = 0; p->Index = (USHORT)(++DataBase->NumberOfEntriesAdded); // // Save the address of the new stack trace entry in the // upper part of the databse. // *--pp = p; // // Return address of the saved stack trace entry. // return( p ); } #pragma optimize("y", off) // disable FPO USHORT RtlLogStackBackTrace( VOID ) /*++ Routine Description: This routine will capture the current stacktrace (skipping the present function) and will save it in the global (per process) stack trace database. It should be noted that we do not save duplicate traces. Arguments: None. Return Value: Index of the stack trace saved. The index can be used by tools to access quickly the trace data. This is the reason at the end of the database we save downwards a list of pointers to trace entries. This index can be used to find this pointer in constant time. A zero index will be returned for error conditions (e.g. stack trace database not initialized). Environment: User mode. --*/ { return RtlpLogStackBackTraceEx (1); } #pragma optimize("y", off) // disable FPO USHORT RtlpLogStackBackTraceEx( ULONG FramesToSkip ) /*++ Routine Description: This routine will capture the current stacktrace (skipping the present function) and will save it in the global (per process) stack trace database. It should be noted that we do not save duplicate traces. Arguments: FramesToSkip - no of frames that are not interesting and should be skipped. Return Value: Index of the stack trace saved. The index can be used by tools to access quickly the trace data. This is the reason at the end of the database we save downwards a list of pointers to trace entries. This index can be used to find this pointer in constant time. A zero index will be returned for error conditions (e.g. stack trace database not initialized). Environment: User mode. --*/ { RTL_STACK_TRACE_ENTRY Trace; USHORT TraceIndex; NTSTATUS Status; ULONG Hash; PSTACK_TRACE_DATABASE DataBase; // // Check the context in which we are running. // DataBase = RtlpStackTraceDataBase; if (DataBase == NULL) { return 0; } if (! OKAY_TO_LOCK_DATABASE (DataBase->Lock)) { return 0; } // // Capture stack trace. // if (RtlpCaptureStackTraceForLogging (&Trace, &Hash, FramesToSkip + 1, FALSE) == FALSE) { return 0; } // // Add the trace if it is not already there. // Return trace index. // TraceIndex = RtlpLogCapturedStackTrace (&Trace, Hash); return TraceIndex; } #if defined(NTOS_KERNEL_RUNTIME) #pragma optimize("y", off) // disable FPO USHORT RtlLogUmodeStackBackTrace( VOID ) /*++ Routine Description: This routine will capture the user mode stacktrace and will save it in the global (per system) stack trace database. It should be noted that we do not save duplicate traces. Arguments: None. Return Value: Index of the stack trace saved. The index can be used by tools to access quickly the trace data. This is the reason at the end of the database we save downwards a list of pointers to trace entries. This index can be used to find this pointer in constant time. A zero index will be returned for error conditions (e.g. stack trace database not initialized). Environment: User mode. --*/ { RTL_STACK_TRACE_ENTRY Trace; ULONG Hash; // // No database => nothing to do. // if (RtlpStackTraceDataBase == NULL) { return 0; } // // Capture user mode stack trace. // if (RtlpCaptureStackTraceForLogging (&Trace, &Hash, 1, TRUE) == FALSE) { return 0; } // // Add the trace if it is not already there. // Return trace index. // return RtlpLogCapturedStackTrace (&Trace, Hash); } #endif // #if defined(NTOS_KERNEL_RUNTIME) #pragma optimize("y", off) // disable FPO LOGICAL RtlpCaptureStackTraceForLogging ( PRTL_STACK_TRACE_ENTRY Trace, PULONG Hash, ULONG FramesToSkip, LOGICAL UserModeStackFromKernelMode ) { if (UserModeStackFromKernelMode == FALSE) { // // Capture stack trace. The try/except was useful // in the old days when the function did not validate // the stack frame chain. We keep it just to be defensive. // try { Trace->Depth = RtlCaptureStackBackTrace (FramesToSkip + 1, MAX_STACK_DEPTH, Trace->BackTrace, Hash); } except(EXCEPTION_EXECUTE_HANDLER) { Trace->Depth = 0; } if (Trace->Depth == 0) { return FALSE; } else { return TRUE; } } else { #ifdef NTOS_KERNEL_RUNTIME ULONG Index; // // Avoid weird situations. // if (KeAreAllApcsDisabled () == TRUE) { return FALSE; } // // Capture user mode stack trace and hash value. // Trace->Depth = (USHORT) RtlWalkFrameChain(Trace->BackTrace, MAX_STACK_DEPTH, 1); if (Trace->Depth == 0) { return FALSE; } else { *Hash = 0; for (Index = 0; Index < Trace->Depth; Index += 1) { *Hash += PtrToUlong (Trace->BackTrace[Index]); } return TRUE; } #else //#ifdef NTOS_KERNEL_RUNTIME return FALSE; #endif // #ifdef NTOS_KERNEL_RUNTIME } } USHORT RtlpLogCapturedStackTrace( PRTL_STACK_TRACE_ENTRY Trace, ULONG Hash ) { PSTACK_TRACE_DATABASE DataBase; PRTL_STACK_TRACE_ENTRY p, *pp; ULONG RequestedSize, DepthSize; USHORT ReturnValue; DataBase = RtlpStackTraceDataBase; // // Update statistics counters. Since they are used only for reference and do not // control decisions we increment them without protection even if this means we may // have numbers slightly out of sync. // DataBase->NumberOfEntriesLookedUp += 1; // // Lock the global per-process stack trace database. // if (RtlpAcquireStackTraceDataBase() == NULL) { // // Fail the log operation if we cannot acquire the lock. // This can happen only if there is a dump in progress or we are in // an invalid context (process shutdown (Umode) or DPC routine (Kmode). // return 0; } try { // // We will try to find out if the trace has been saved in the past. // We find the right hash chain and then traverse it. // DepthSize = Trace->Depth * sizeof (Trace->BackTrace[0]); pp = &DataBase->Buckets[ Hash % DataBase->NumberOfBuckets ]; while (p = *pp) { // // ISSUE: SilviuC: we should use hash values in comparing traces. // Comparing first hash values and depth should save us a lot of // compares pointer by pointer. // if (p->Depth == Trace->Depth) { if (RtlCompareMemory( &p->BackTrace[ 0 ], &Trace->BackTrace[ 0 ], DepthSize) == DepthSize) { break; } } pp = &p->HashChain; } if (p == NULL) { // // If we get here we did not find a similar trace in the database. We need // to add it. // // We got the `*pp' value (address of last chain element) while the // database lock was acquired shared so we need to take into consideration // the case where another thread managed to acquire database exclusively // and add a new trace at the end of the chain. Therefore if `*pp' is no longer // null we continue to traverse the chain until we get to the end. // p = NULL; if (*pp != NULL) { // // Somebody added some traces at the end of the chain while we // were trying to convert the lock from shared to exclusive. // while (p = *pp) { if (p->Depth == Trace->Depth) { if (RtlCompareMemory( &p->BackTrace[ 0 ], &Trace->BackTrace[ 0 ], DepthSize) == DepthSize) { break; } } pp = &p->HashChain; } } if (p == NULL) { // // Nobody added the trace and now `*pp' really points to the end // of the chain either because we traversed the rest of the chain // or it was at the end anyway. // RequestedSize = FIELD_OFFSET (RTL_STACK_TRACE_ENTRY, BackTrace) + DepthSize; p = RtlpExtendStackTraceDataBase (Trace, RequestedSize); if (p != NULL) { // // We added the trace no chain it as the last element. // *pp = p; } } else { // // Some other thread managed to add the same trace to the database // while we were trying to acquire the lock exclusive. `p' has the // address to the stack trace entry. // } } } except(EXCEPTION_EXECUTE_HANDLER) { // // We should never get here if the algorithm is correct. // p = NULL; } // // Release locks and return. At this stage we may return zero (failure) // if we did not manage to extend the database with a new trace (e.g. due to // out of memory conditions). // if (p != NULL) { p->TraceCount += 1; ReturnValue = p->Index; } else { ReturnValue = 0; } RtlpReleaseStackTraceDataBase(); return ReturnValue; } PVOID RtlpGetStackTraceAddress ( USHORT Index ) { if (RtlpStackTraceDataBase == NULL) { return NULL; } if (! (Index > 0 && Index <= RtlpStackTraceDataBase->NumberOfEntriesAdded)) { return NULL; } return (PVOID)(RtlpStackTraceDataBase->EntryIndexArray[-Index]); } BOOLEAN RtlpCaptureStackLimits ( ULONG_PTR HintAddress, PULONG_PTR StartStack, PULONG_PTR EndStack) /*++ Routine Description: This routine figures out what are the stack limits for the current thread. This is used in other routines that need to grovel the stack for various information (e.g. potential return addresses). The function is especially tricky in K-mode where the information kept in the thread structure about stack limits is not always valid because the thread might execute a DPC routine and in this case we use a different stack with different limits. Arguments: HintAddress - Address of a local variable or parameter of the caller of the function that should be the start of the stack. StartStack - start address of the stack (lower value). EndStack - end address of the stack (upper value). Return value: False if some weird condition is discovered, like an End lower than a Start. --*/ { #ifdef NTOS_KERNEL_RUNTIME // // Avoid weird conditions. Doing this in an ISR is never a good idea. // if (KeGetCurrentIrql() > DISPATCH_LEVEL) { return FALSE; } *StartStack = (ULONG_PTR)(KeGetCurrentThread()->StackLimit); *EndStack = (ULONG_PTR)(KeGetCurrentThread()->StackBase); if (*StartStack <= HintAddress && HintAddress <= *EndStack) { *StartStack = HintAddress; } else { #if defined(_WIN64) // // On Win64 we do not know yet where DPCs are executed. // return FALSE; #else *EndStack = (ULONG_PTR)(KeGetPcr()->Prcb->DpcStack); #endif *StartStack = *EndStack - KERNEL_STACK_SIZE; // // Check if this is within the DPC stack for the current // processor. // if (*EndStack && *StartStack <= HintAddress && HintAddress <= *EndStack) { *StartStack = HintAddress; } else { // // This is not current thread's stack and is not the DPC stack // of the current processor. Basically we have no idea on what // stack we are running. We need to investigate this. On free // builds we try to make the best out of it by using only one // page for stack limits. // // SilviuC: I disabled the code below because it seems under certain // conditions drivers do indeed switch execution to a different stack. // This function will need to be improved to deal with this too. // #if 0 DbgPrint ("RtlpCaptureStackLimits: mysterious stack (prcb @ %p) \n", KeGetPcr()->Prcb); DbgBreakPoint (); #endif *StartStack = HintAddress; *EndStack = (*StartStack + PAGE_SIZE) & ~((ULONG_PTR)PAGE_SIZE - 1); } } #else *StartStack = HintAddress; *EndStack = (ULONG_PTR)(NtCurrentTeb()->NtTib.StackBase); #endif return TRUE; }