From ad592bbbbdb78cafac28b789600b7fdd86adbb91 Mon Sep 17 00:00:00 2001 From: "siggi@chromium.org" Date: Thu, 1 Mar 2012 01:01:05 +0000 Subject: Support the Syzygy instrumenting profiler. This change depends on a new API in V8 to support return-address rewriting profilers, landed at http://code.google.com/p/v8/source/detail?r=10845. BUG=None TEST=None Review URL: http://codereview.chromium.org/9477002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@124319 0039d316-1c4b-4281-b951-d872f2087c98 --- base/debug/profiler.cc | 90 +++++++++++++++++++++++++++++++++++++++++++++- base/debug/profiler.h | 30 +++++++++++++++- chrome/DEPS | 4 ++- chrome/browser/DEPS | 1 - chrome/common/profiling.cc | 12 +++++++ chrome/renderer/DEPS | 1 - chrome/test/DEPS | 1 - 7 files changed, 133 insertions(+), 6 deletions(-) diff --git a/base/debug/profiler.cc b/base/debug/profiler.cc index be442cf..4195057 100644 --- a/base/debug/profiler.cc +++ b/base/debug/profiler.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -10,6 +10,10 @@ #include "base/string_util.h" #include "base/stringprintf.h" +#if defined(OS_WIN) +#include "base/win/pe_image.h" +#endif // defined(OS_WIN) + #if defined(ENABLE_PROFILING) && !defined(NO_TCMALLOC) #include "third_party/tcmalloc/chromium/src/google/profiler.h" #endif @@ -68,5 +72,89 @@ void RestartProfilingAfterFork() { #endif +#if !defined(OS_WIN) + +bool IsBinaryInstrumented() { + return false; +} + +ReturnAddressLocationResolver GetProfilerReturnAddrResolutionFunc() { + return NULL; +} + +#else // defined(OS_WIN) + +// http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx +extern "C" IMAGE_DOS_HEADER __ImageBase; + +bool IsBinaryInstrumented() { + HMODULE this_module = reinterpret_cast(&__ImageBase); + base::win::PEImage image(this_module); + + // This should be self-evident, soon as we're executing. + DCHECK(image.VerifyMagic()); + + // Syzygy-instrumented binaries contain a PE image section named ".thunks", + // and all Syzygy-modified binaries contain the ".syzygy" image section. + // This is a very fast check, as it only looks at the image header. + return (image.GetImageSectionHeaderByName(".thunks") != NULL) && + (image.GetImageSectionHeaderByName(".syzygy") != NULL); +} + +// Callback function to PEImage::EnumImportChunks. +static bool FindResolutionFunctionInImports( + const base::win::PEImage &image, const char* module_name, + PIMAGE_THUNK_DATA unused_name_table, PIMAGE_THUNK_DATA import_address_table, + PVOID cookie) { + // Our import address table contains pointers to the functions we import + // at this point. Let's retrieve the first such function and use it to + // find the module this import was resolved to by the loader. + const wchar_t* function_in_module = + reinterpret_cast(import_address_table->u1.Function); + + // Retrieve the module by a function in the module. + const DWORD kFlags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | + GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT; + HMODULE module = NULL; + if (!::GetModuleHandleEx(kFlags, function_in_module, &module)) { + // This can happen if someone IAT patches us to a thunk. + return true; + } + + // See whether this module exports the function we're looking for. + ReturnAddressLocationResolver exported_func = + reinterpret_cast( + ::GetProcAddress(module, "ResolveReturnAddressLocation")); + + if (exported_func != NULL) { + ReturnAddressLocationResolver* resolver_func = + reinterpret_cast(cookie); + DCHECK(resolver_func != NULL); + DCHECK(*resolver_func == NULL); + + // We found it, return the function and terminate the enumeration. + *resolver_func = exported_func; + return false; + } + + // Keep going. + return true; +} + +ReturnAddressLocationResolver GetProfilerReturnAddrResolutionFunc() { + if (!IsBinaryInstrumented()) + return NULL; + + HMODULE this_module = reinterpret_cast(&__ImageBase); + base::win::PEImage image(this_module); + + ReturnAddressLocationResolver resolver_func = NULL; + image.EnumImportChunks(FindResolutionFunctionInImports, &resolver_func); + + return resolver_func; +} + +#endif // defined(OS_WIN) + } // namespace debug } // namespace base diff --git a/base/debug/profiler.h b/base/debug/profiler.h index 69795a5..d880324 100644 --- a/base/debug/profiler.h +++ b/base/debug/profiler.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -9,6 +9,7 @@ #include #include "base/base_export.h" +#include "base/basictypes.h" // The Profiler functions allow usage of the underlying sampling based // profiler. If the application has not been built with the necessary @@ -34,6 +35,33 @@ BASE_EXPORT bool BeingProfiled(); // Reset profiling after a fork, which disables timers. BASE_EXPORT void RestartProfilingAfterFork(); +// Returns true iff this executable is instrumented with the Syzygy profiler. +BASE_EXPORT bool IsBinaryInstrumented(); + +// There's a class of profilers that use "return address swizzling" to get a +// hook on function exits. This class of profilers uses some form of entry hook, +// like e.g. binary instrumentation, or a compiler flag, that calls a hook each +// time a function is invoked. The hook then switches the return address on the +// stack for the address of an exit hook function, and pushes the original +// return address to a shadow stack of some type. When in due course the CPU +// executes a return to the exit hook, the exit hook will do whatever work it +// does on function exit, then arrange to return to the original return address. +// This class of profiler does not play well with programs that look at the +// return address, as does e.g. V8. V8 uses the return address to certain +// runtime functions to find the JIT code that called it, and from there finds +// the V8 data structures associated to the JS function involved. +// A return address resolution function is used to fix this. It allows such +// programs to resolve a location on stack where a return address originally +// resided, to the shadow stack location where the profiler stashed it. +typedef uintptr_t (*ReturnAddressLocationResolver)( + uintptr_t return_addr_location); + +// If this binary is instrumented and the instrumentation supplies a return +// address resolution function, finds and returns the address resolution +// function. Otherwise returns NULL. +BASE_EXPORT ReturnAddressLocationResolver + GetProfilerReturnAddrResolutionFunc(); + } // namespace debug } // namespace base diff --git a/chrome/DEPS b/chrome/DEPS index 27889df..7795bf0 100644 --- a/chrome/DEPS +++ b/chrome/DEPS @@ -5,6 +5,9 @@ include_rules = [ "+net", "+printing", "+sql", + # Browser, renderer, common and tests access V8 for various purposes. + "-v8", + "+v8/include", # The subdirectories in chrome/ will manually allow their own include # directories in chrome/ so we disallow all of them. @@ -22,7 +25,6 @@ include_rules = [ "+content/public/browser/native_web_keyboard_event.h", # Don't allow inclusion of these other libs we shouldn't be calling directly. - "-v8", "-webkit", "-tools", diff --git a/chrome/browser/DEPS b/chrome/browser/DEPS index 3d1fa9b..50c09c9 100644 --- a/chrome/browser/DEPS +++ b/chrome/browser/DEPS @@ -99,7 +99,6 @@ include_rules = [ "+third_party/protobuf/src/google/protobuf", "+third_party/sqlite", "+third_party/undoview", - "+v8/include", # Browser uses V8 to get the version and run the debugger. # FIXME: these should probably not be here, we need to find a better # structure for these includes. diff --git a/chrome/common/profiling.cc b/chrome/common/profiling.cc index b15cc96..bc67873 100644 --- a/chrome/common/profiling.cc +++ b/chrome/common/profiling.cc @@ -13,6 +13,7 @@ #include "base/string_util.h" #include "base/threading/thread.h" #include "chrome/common/chrome_switches.h" +#include "v8/include/v8.h" namespace { std::string GetProfileName() { @@ -102,6 +103,17 @@ void Profiling::ProcessStarted() { std::string process_type = command_line.GetSwitchValueASCII(switches::kProcessType); + // Establish the V8 return address resolution hook if we're + // an instrumented binary. + if (base::debug::IsBinaryInstrumented()) { + base::debug::ReturnAddressLocationResolver resolve_func = + base::debug::GetProfilerReturnAddrResolutionFunc(); + + if (resolve_func != NULL) { + v8::V8::SetReturnAddressLocationResolver(resolve_func); + } + } + if (command_line.HasSwitch(switches::kProfilingAtStart)) { std::string process_type_to_start = command_line.GetSwitchValueASCII(switches::kProfilingAtStart); diff --git a/chrome/renderer/DEPS b/chrome/renderer/DEPS index 5876b28..d7c75d9 100644 --- a/chrome/renderer/DEPS +++ b/chrome/renderer/DEPS @@ -18,7 +18,6 @@ include_rules = [ "+webkit/gpu", "+webkit/media", "+webkit/plugins", - "+v8/include", "+third_party/cld/encodings/compact_lang_det/win", "+third_party/npapi/bindings", "+third_party/sqlite", diff --git a/chrome/test/DEPS b/chrome/test/DEPS index 57b3473..5b58843 100644 --- a/chrome/test/DEPS +++ b/chrome/test/DEPS @@ -7,5 +7,4 @@ include_rules = [ "+sandbox/tests", "+webkit/glue", "+webkit/plugins", - "+v8/include", # We have unit tests which use v8 to exercise JavaScript. ] -- cgit v1.1