Support the Syzygy instrumenting profiler.

This change depends on a new API in V8 to support return-address rewriting profilers, landed at http://code.google.com/p/v8/source/detail?r=10845.

BUG=None
TEST=None


Review URL: http://codereview.chromium.org/9477002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@124319 0039d316-1c4b-4281-b951-d872f2087c98

base/debug/profiler.cc

@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,6 +10,10 @@
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 
+#if defined(OS_WIN)
+#include "base/win/pe_image.h"
+#endif  // defined(OS_WIN)
+
 #if defined(ENABLE_PROFILING) && !defined(NO_TCMALLOC)
 #include "third_party/tcmalloc/chromium/src/google/profiler.h"
 #endif
@@ -68,5 +72,89 @@ void RestartProfilingAfterFork() {
 
 #endif
 
+#if !defined(OS_WIN)
+
+bool IsBinaryInstrumented() {
+  return false;
+}
+
+ReturnAddressLocationResolver GetProfilerReturnAddrResolutionFunc() {
+  return NULL;
+}
+
+#else  // defined(OS_WIN)
+
+// http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx
+extern "C" IMAGE_DOS_HEADER __ImageBase;
+
+bool IsBinaryInstrumented() {
+  HMODULE this_module = reinterpret_cast<HMODULE>(&__ImageBase);
+  base::win::PEImage image(this_module);
+
+  // This should be self-evident, soon as we're executing.
+  DCHECK(image.VerifyMagic());
+
+  // Syzygy-instrumented binaries contain a PE image section named ".thunks",
+  // and all Syzygy-modified binaries contain the ".syzygy" image section.
+  // This is a very fast check, as it only looks at the image header.
+  return (image.GetImageSectionHeaderByName(".thunks") != NULL) &&
+      (image.GetImageSectionHeaderByName(".syzygy") != NULL);
+}
+
+// Callback function to PEImage::EnumImportChunks.
+static bool FindResolutionFunctionInImports(
+    const base::win::PEImage &image, const char* module_name,
+    PIMAGE_THUNK_DATA unused_name_table, PIMAGE_THUNK_DATA import_address_table,
+    PVOID cookie) {
+  // Our import address table contains pointers to the functions we import
+  // at this point. Let's retrieve the first such function and use it to
+  // find the module this import was resolved to by the loader.
+  const wchar_t* function_in_module =
+      reinterpret_cast<const wchar_t*>(import_address_table->u1.Function);
+
+  // Retrieve the module by a function in the module.
+  const DWORD kFlags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
+                       GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT;
+  HMODULE module = NULL;
+  if (!::GetModuleHandleEx(kFlags, function_in_module, &module)) {
+    // This can happen if someone IAT patches us to a thunk.
+    return true;
+  }
+
+  // See whether this module exports the function we're looking for.
+  ReturnAddressLocationResolver exported_func =
+      reinterpret_cast<ReturnAddressLocationResolver>(
+          ::GetProcAddress(module, "ResolveReturnAddressLocation"));
+
+  if (exported_func != NULL) {
+    ReturnAddressLocationResolver* resolver_func =
+        reinterpret_cast<ReturnAddressLocationResolver*>(cookie);
+    DCHECK(resolver_func != NULL);
+    DCHECK(*resolver_func == NULL);
+
+    // We found it, return the function and terminate the enumeration.
+    *resolver_func = exported_func;
+    return false;
+  }
+
+  // Keep going.
+  return true;
+}
+
+ReturnAddressLocationResolver GetProfilerReturnAddrResolutionFunc() {
+  if (!IsBinaryInstrumented())
+    return NULL;
+
+  HMODULE this_module = reinterpret_cast<HMODULE>(&__ImageBase);
+  base::win::PEImage image(this_module);
+
+  ReturnAddressLocationResolver resolver_func = NULL;
+  image.EnumImportChunks(FindResolutionFunctionInImports, &resolver_func);
+
+  return resolver_func;
+}
+
+#endif  // defined(OS_WIN)
+
 }  // namespace debug
 }  // namespace base

base/debug/profiler.h

@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,6 +9,7 @@
 #include <string>
 
 #include "base/base_export.h"
+#include "base/basictypes.h"
 
 // The Profiler functions allow usage of the underlying sampling based
 // profiler. If the application has not been built with the necessary
@@ -34,6 +35,33 @@ BASE_EXPORT bool BeingProfiled();
 // Reset profiling after a fork, which disables timers.
 BASE_EXPORT void RestartProfilingAfterFork();
 
+// Returns true iff this executable is instrumented with the Syzygy profiler.
+BASE_EXPORT bool IsBinaryInstrumented();
+
+// There's a class of profilers that use "return address swizzling" to get a
+// hook on function exits. This class of profilers uses some form of entry hook,
+// like e.g. binary instrumentation, or a compiler flag, that calls a hook each
+// time a function is invoked. The hook then switches the return address on the
+// stack for the address of an exit hook function, and pushes the original
+// return address to a shadow stack of some type. When in due course the CPU
+// executes a return to the exit hook, the exit hook will do whatever work it
+// does on function exit, then arrange to return to the original return address.
+// This class of profiler does not play well with programs that look at the
+// return address, as does e.g. V8. V8 uses the return address to certain
+// runtime functions to find the JIT code that called it, and from there finds
+// the V8 data structures associated to the JS function involved.
+// A return address resolution function is used to fix this. It allows such
+// programs to resolve a location on stack where a return address originally
+// resided, to the shadow stack location where the profiler stashed it.
+typedef uintptr_t (*ReturnAddressLocationResolver)(
+    uintptr_t return_addr_location);
+
+// If this binary is instrumented and the instrumentation supplies a return
+// address resolution function, finds and returns the address resolution
+// function. Otherwise returns NULL.
+BASE_EXPORT ReturnAddressLocationResolver
+    GetProfilerReturnAddrResolutionFunc();
+
 }  // namespace debug
 }  // namespace base
 

chrome/DEPS

@@ -5,6 +5,9 @@ include_rules = [
   "+net",
   "+printing",
   "+sql",
+  # Browser, renderer, common and tests access V8 for various purposes.
+  "-v8",
+  "+v8/include",
 
   # The subdirectories in chrome/ will manually allow their own include
   # directories in chrome/ so we disallow all of them.
@@ -22,7 +25,6 @@ include_rules = [
   "+content/public/browser/native_web_keyboard_event.h",
 
   # Don't allow inclusion of these other libs we shouldn't be calling directly.
-  "-v8",
   "-webkit",
   "-tools",
 

chrome/browser/DEPS

@@ -99,7 +99,6 @@ include_rules = [
   "+third_party/protobuf/src/google/protobuf",
   "+third_party/sqlite",
   "+third_party/undoview",
-  "+v8/include",  # Browser uses V8 to get the version and run the debugger.
 
   # FIXME: these should probably not be here, we need to find a better
   # structure for these includes.

chrome/common/profiling.cc

@@ -13,6 +13,7 @@
 #include "base/string_util.h"
 #include "base/threading/thread.h"
 #include "chrome/common/chrome_switches.h"
+#include "v8/include/v8.h"
 
 namespace {
 std::string GetProfileName() {
@@ -102,6 +103,17 @@ void Profiling::ProcessStarted() {
   std::string process_type =
       command_line.GetSwitchValueASCII(switches::kProcessType);
 
+  // Establish the V8 return address resolution hook if we're
+  // an instrumented binary.
+  if (base::debug::IsBinaryInstrumented()) {
+    base::debug::ReturnAddressLocationResolver resolve_func =
+        base::debug::GetProfilerReturnAddrResolutionFunc();
+
+    if (resolve_func != NULL) {
+      v8::V8::SetReturnAddressLocationResolver(resolve_func);
+    }
+  }
+
   if (command_line.HasSwitch(switches::kProfilingAtStart)) {
     std::string process_type_to_start =
         command_line.GetSwitchValueASCII(switches::kProfilingAtStart);

chrome/renderer/DEPS

@@ -18,7 +18,6 @@ include_rules = [
   "+webkit/gpu",
   "+webkit/media",
   "+webkit/plugins",
-  "+v8/include",
   "+third_party/cld/encodings/compact_lang_det/win",
   "+third_party/npapi/bindings",
   "+third_party/sqlite",

chrome/test/DEPS

@@ -7,5 +7,4 @@ include_rules = [
   "+sandbox/tests",
   "+webkit/glue",
   "+webkit/plugins",
-  "+v8/include", # We have unit tests which use v8 to exercise JavaScript.
 ]