summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorsiggi@chromium.org <siggi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-03-01 01:01:05 +0000
committersiggi@chromium.org <siggi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-03-01 01:01:05 +0000
commitad592bbbbdb78cafac28b789600b7fdd86adbb91 (patch)
tree81c55beb720b97d9fb051d2155d9154975a43495
parentcc36c2c22e74ed768cfdf716a2486cdfd5e933d7 (diff)
downloadchromium_src-ad592bbbbdb78cafac28b789600b7fdd86adbb91.zip
chromium_src-ad592bbbbdb78cafac28b789600b7fdd86adbb91.tar.gz
chromium_src-ad592bbbbdb78cafac28b789600b7fdd86adbb91.tar.bz2
Support the Syzygy instrumenting profiler.
This change depends on a new API in V8 to support return-address rewriting profilers, landed at http://code.google.com/p/v8/source/detail?r=10845. BUG=None TEST=None Review URL: http://codereview.chromium.org/9477002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@124319 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--base/debug/profiler.cc90
-rw-r--r--base/debug/profiler.h30
-rw-r--r--chrome/DEPS4
-rw-r--r--chrome/browser/DEPS1
-rw-r--r--chrome/common/profiling.cc12
-rw-r--r--chrome/renderer/DEPS1
-rw-r--r--chrome/test/DEPS1
7 files changed, 133 insertions, 6 deletions
diff --git a/base/debug/profiler.cc b/base/debug/profiler.cc
index be442cf..4195057 100644
--- a/base/debug/profiler.cc
+++ b/base/debug/profiler.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -10,6 +10,10 @@
#include "base/string_util.h"
#include "base/stringprintf.h"
+#if defined(OS_WIN)
+#include "base/win/pe_image.h"
+#endif // defined(OS_WIN)
+
#if defined(ENABLE_PROFILING) && !defined(NO_TCMALLOC)
#include "third_party/tcmalloc/chromium/src/google/profiler.h"
#endif
@@ -68,5 +72,89 @@ void RestartProfilingAfterFork() {
#endif
+#if !defined(OS_WIN)
+
+bool IsBinaryInstrumented() {
+ return false;
+}
+
+ReturnAddressLocationResolver GetProfilerReturnAddrResolutionFunc() {
+ return NULL;
+}
+
+#else // defined(OS_WIN)
+
+// http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx
+extern "C" IMAGE_DOS_HEADER __ImageBase;
+
+bool IsBinaryInstrumented() {
+ HMODULE this_module = reinterpret_cast<HMODULE>(&__ImageBase);
+ base::win::PEImage image(this_module);
+
+ // This should be self-evident, soon as we're executing.
+ DCHECK(image.VerifyMagic());
+
+ // Syzygy-instrumented binaries contain a PE image section named ".thunks",
+ // and all Syzygy-modified binaries contain the ".syzygy" image section.
+ // This is a very fast check, as it only looks at the image header.
+ return (image.GetImageSectionHeaderByName(".thunks") != NULL) &&
+ (image.GetImageSectionHeaderByName(".syzygy") != NULL);
+}
+
+// Callback function to PEImage::EnumImportChunks.
+static bool FindResolutionFunctionInImports(
+ const base::win::PEImage &image, const char* module_name,
+ PIMAGE_THUNK_DATA unused_name_table, PIMAGE_THUNK_DATA import_address_table,
+ PVOID cookie) {
+ // Our import address table contains pointers to the functions we import
+ // at this point. Let's retrieve the first such function and use it to
+ // find the module this import was resolved to by the loader.
+ const wchar_t* function_in_module =
+ reinterpret_cast<const wchar_t*>(import_address_table->u1.Function);
+
+ // Retrieve the module by a function in the module.
+ const DWORD kFlags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
+ GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT;
+ HMODULE module = NULL;
+ if (!::GetModuleHandleEx(kFlags, function_in_module, &module)) {
+ // This can happen if someone IAT patches us to a thunk.
+ return true;
+ }
+
+ // See whether this module exports the function we're looking for.
+ ReturnAddressLocationResolver exported_func =
+ reinterpret_cast<ReturnAddressLocationResolver>(
+ ::GetProcAddress(module, "ResolveReturnAddressLocation"));
+
+ if (exported_func != NULL) {
+ ReturnAddressLocationResolver* resolver_func =
+ reinterpret_cast<ReturnAddressLocationResolver*>(cookie);
+ DCHECK(resolver_func != NULL);
+ DCHECK(*resolver_func == NULL);
+
+ // We found it, return the function and terminate the enumeration.
+ *resolver_func = exported_func;
+ return false;
+ }
+
+ // Keep going.
+ return true;
+}
+
+ReturnAddressLocationResolver GetProfilerReturnAddrResolutionFunc() {
+ if (!IsBinaryInstrumented())
+ return NULL;
+
+ HMODULE this_module = reinterpret_cast<HMODULE>(&__ImageBase);
+ base::win::PEImage image(this_module);
+
+ ReturnAddressLocationResolver resolver_func = NULL;
+ image.EnumImportChunks(FindResolutionFunctionInImports, &resolver_func);
+
+ return resolver_func;
+}
+
+#endif // defined(OS_WIN)
+
} // namespace debug
} // namespace base
diff --git a/base/debug/profiler.h b/base/debug/profiler.h
index 69795a5..d880324 100644
--- a/base/debug/profiler.h
+++ b/base/debug/profiler.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -9,6 +9,7 @@
#include <string>
#include "base/base_export.h"
+#include "base/basictypes.h"
// The Profiler functions allow usage of the underlying sampling based
// profiler. If the application has not been built with the necessary
@@ -34,6 +35,33 @@ BASE_EXPORT bool BeingProfiled();
// Reset profiling after a fork, which disables timers.
BASE_EXPORT void RestartProfilingAfterFork();
+// Returns true iff this executable is instrumented with the Syzygy profiler.
+BASE_EXPORT bool IsBinaryInstrumented();
+
+// There's a class of profilers that use "return address swizzling" to get a
+// hook on function exits. This class of profilers uses some form of entry hook,
+// like e.g. binary instrumentation, or a compiler flag, that calls a hook each
+// time a function is invoked. The hook then switches the return address on the
+// stack for the address of an exit hook function, and pushes the original
+// return address to a shadow stack of some type. When in due course the CPU
+// executes a return to the exit hook, the exit hook will do whatever work it
+// does on function exit, then arrange to return to the original return address.
+// This class of profiler does not play well with programs that look at the
+// return address, as does e.g. V8. V8 uses the return address to certain
+// runtime functions to find the JIT code that called it, and from there finds
+// the V8 data structures associated to the JS function involved.
+// A return address resolution function is used to fix this. It allows such
+// programs to resolve a location on stack where a return address originally
+// resided, to the shadow stack location where the profiler stashed it.
+typedef uintptr_t (*ReturnAddressLocationResolver)(
+ uintptr_t return_addr_location);
+
+// If this binary is instrumented and the instrumentation supplies a return
+// address resolution function, finds and returns the address resolution
+// function. Otherwise returns NULL.
+BASE_EXPORT ReturnAddressLocationResolver
+ GetProfilerReturnAddrResolutionFunc();
+
} // namespace debug
} // namespace base
diff --git a/chrome/DEPS b/chrome/DEPS
index 27889df..7795bf0 100644
--- a/chrome/DEPS
+++ b/chrome/DEPS
@@ -5,6 +5,9 @@ include_rules = [
"+net",
"+printing",
"+sql",
+ # Browser, renderer, common and tests access V8 for various purposes.
+ "-v8",
+ "+v8/include",
# The subdirectories in chrome/ will manually allow their own include
# directories in chrome/ so we disallow all of them.
@@ -22,7 +25,6 @@ include_rules = [
"+content/public/browser/native_web_keyboard_event.h",
# Don't allow inclusion of these other libs we shouldn't be calling directly.
- "-v8",
"-webkit",
"-tools",
diff --git a/chrome/browser/DEPS b/chrome/browser/DEPS
index 3d1fa9b..50c09c9 100644
--- a/chrome/browser/DEPS
+++ b/chrome/browser/DEPS
@@ -99,7 +99,6 @@ include_rules = [
"+third_party/protobuf/src/google/protobuf",
"+third_party/sqlite",
"+third_party/undoview",
- "+v8/include", # Browser uses V8 to get the version and run the debugger.
# FIXME: these should probably not be here, we need to find a better
# structure for these includes.
diff --git a/chrome/common/profiling.cc b/chrome/common/profiling.cc
index b15cc96..bc67873 100644
--- a/chrome/common/profiling.cc
+++ b/chrome/common/profiling.cc
@@ -13,6 +13,7 @@
#include "base/string_util.h"
#include "base/threading/thread.h"
#include "chrome/common/chrome_switches.h"
+#include "v8/include/v8.h"
namespace {
std::string GetProfileName() {
@@ -102,6 +103,17 @@ void Profiling::ProcessStarted() {
std::string process_type =
command_line.GetSwitchValueASCII(switches::kProcessType);
+ // Establish the V8 return address resolution hook if we're
+ // an instrumented binary.
+ if (base::debug::IsBinaryInstrumented()) {
+ base::debug::ReturnAddressLocationResolver resolve_func =
+ base::debug::GetProfilerReturnAddrResolutionFunc();
+
+ if (resolve_func != NULL) {
+ v8::V8::SetReturnAddressLocationResolver(resolve_func);
+ }
+ }
+
if (command_line.HasSwitch(switches::kProfilingAtStart)) {
std::string process_type_to_start =
command_line.GetSwitchValueASCII(switches::kProfilingAtStart);
diff --git a/chrome/renderer/DEPS b/chrome/renderer/DEPS
index 5876b28..d7c75d9 100644
--- a/chrome/renderer/DEPS
+++ b/chrome/renderer/DEPS
@@ -18,7 +18,6 @@ include_rules = [
"+webkit/gpu",
"+webkit/media",
"+webkit/plugins",
- "+v8/include",
"+third_party/cld/encodings/compact_lang_det/win",
"+third_party/npapi/bindings",
"+third_party/sqlite",
diff --git a/chrome/test/DEPS b/chrome/test/DEPS
index 57b3473..5b58843 100644
--- a/chrome/test/DEPS
+++ b/chrome/test/DEPS
@@ -7,5 +7,4 @@ include_rules = [
"+sandbox/tests",
"+webkit/glue",
"+webkit/plugins",
- "+v8/include", # We have unit tests which use v8 to exercise JavaScript.
]