Use frame pointer to walk ARM stack on iOS.

src/processor/stackwalker_arm.cc

 // Copyright (c) 2010 Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 15 matching lines @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // stackwalker_arm.cc: arm-specific stackwalker.
 //
 // See stackwalker_arm.h for documentation.
 //
 // Author: Mark Mentovai, Ted Mielczarek, Jim Blandy
 
-
 #include "google_breakpad/processor/call_stack.h"
 #include "google_breakpad/processor/memory_region.h"
 #include "google_breakpad/processor/source_line_resolver_interface.h"
 #include "google_breakpad/processor/stack_frame_cpu.h"
 #include "processor/cfi_frame_info.h"
 #include "processor/logging.h"
 #include "processor/scoped_ptr.h"
 #include "processor/stackwalker_arm.h"
 
 namespace google_breakpad {
 
 
 StackwalkerARM::StackwalkerARM(const SystemInfo *system_info,
                                const MDRawContextARM *context,
+                               int fp_register,
                                MemoryRegion *memory,
                                const CodeModules *modules,
                                SymbolSupplier *supplier,
                                SourceLineResolverInterface *resolver)
     : Stackwalker(system_info, memory, modules, supplier, resolver),
-      context_(context), 
+      context_(context), fp_register_(fp_register),
       context_frame_validity_(StackFrameARM::CONTEXT_VALID_ALL) { }
 
 
 StackFrame* StackwalkerARM::GetContextFrame() {
   if (!context_ || !memory_) {
     BPLOG(ERROR) << "Can't get context frame without context or memory";
     return NULL;
   }
 
   StackFrameARM *frame = new StackFrameARM();
 
   // The instruction pointer is stored directly in a register (r15), so pull it
   // straight out of the CPU context structure.
   frame->context = *context_;
   frame->context_validity = context_frame_validity_;
   frame->trust = StackFrame::FRAME_TRUST_CONTEXT;
-  frame->instruction = frame->context.iregs[15];
+  frame->instruction = frame->context.iregs[MD_CONTEXT_ARM_REG_PC];
 
   return frame;
 }
 
 StackFrameARM *StackwalkerARM::GetCallerByCFIFrameInfo(
     const vector<StackFrame *> &frames,
     CFIFrameInfo *cfi_frame_info) {
   StackFrameARM *last_frame = static_cast<StackFrameARM *>(frames.back());
 
   static const char *register_names[] = {
@@ skipping 63 matching lines @@
 
   frame->trust = StackFrame::FRAME_TRUST_CFI;
   return frame.release();
 }
 
 StackFrameARM *StackwalkerARM::GetCallerByStackScan(
     const vector<StackFrame *> &frames) {
   StackFrameARM *last_frame = static_cast<StackFrameARM *>(frames.back());
   u_int32_t last_sp = last_frame->context.iregs[MD_CONTEXT_ARM_REG_SP];
   u_int32_t caller_sp, caller_pc;
-  
+
   if (!ScanForReturnAddress(last_sp, &caller_sp, &caller_pc)) {
     // No plausible return address was found.
     return NULL;
   }
 
   // ScanForReturnAddress found a reasonable return address. Advance
   // %sp to the location above the one where the return address was
   // found.
   caller_sp += 4;
 
   // Create a new stack frame (ownership will be transferred to the caller)
   // and fill it in.
   StackFrameARM *frame = new StackFrameARM();
 
   frame->trust = StackFrame::FRAME_TRUST_SCAN;
   frame->context = last_frame->context;
   frame->context.iregs[MD_CONTEXT_ARM_REG_PC] = caller_pc;
   frame->context.iregs[MD_CONTEXT_ARM_REG_SP] = caller_sp;
   frame->context_validity = StackFrameARM::CONTEXT_VALID_PC |
                             StackFrameARM::CONTEXT_VALID_SP;
 
   return frame;
 }
 
+StackFrameARM *StackwalkerARM::GetCallerByFramePointer(
+    const vector<StackFrame *> &frames) {
+  StackFrameARM *last_frame = static_cast<StackFrameARM *>(frames.back());
+
+  if (last_frame->context.iregs[MD_CONTEXT_ARM_REG_LR] == 0) {
+    StackFrameARM *frame = new StackFrameARM();

[Mark Mentovai, 2011/10/14 16:34:31]

This is what you encounter at the end of a walk, right? Why not just return NULL
here to signal the end? What you’re returning now is a totally bogus frame.

+    frame->trust = StackFrame::FRAME_TRUST_FP;
+    frame->context = last_frame->context;
+    frame->context.iregs[MD_CONTEXT_ARM_REG_PC] = 0;
+    return frame;
+  }
+
+  u_int32_t last_fp = last_frame->context.iregs[fp_register_];
+  u_int32_t caller_fp;
+  if (!memory_->GetMemoryAtAddress(last_fp, &caller_fp)) {
+    BPLOG(ERROR) << "Unable to read caller_fp from last_fp";
+    return NULL;
+  }
+
+  u_int32_t caller_lr;

[Mark Mentovai, 2011/10/14 16:34:31]

Don’t declare this ’til you use it (below), but I’m still not sure it’s right.

+  if (caller_fp == 0) {
+    // This is the last frame. We do not care about anything but giving back a
+    // correct pc and lr.
+    StackFrameARM *frame = new StackFrameARM();
+    frame->trust = StackFrame::FRAME_TRUST_FP;
+    frame->context = last_frame->context;
+    frame->context.iregs[MD_CONTEXT_ARM_REG_PC] =
+        last_frame->context.iregs[MD_CONTEXT_ARM_REG_LR];
+    frame->context.iregs[MD_CONTEXT_ARM_REG_LR] = 0;
+    frame->context_validity = StackFrameARM::CONTEXT_VALID_PC;
+    return frame;
+  }
+
+  if (!memory_->GetMemoryAtAddress(caller_fp + 4, &caller_lr)) {

[Mark Mentovai, 2011/10/14 16:34:31]

Is this right?

In the context frame, we take the lr as-is. That is, in that frame, we use the
value of lr as it exists at the crash site.

In the context frame’s caller, don’t we want to recover the lr that is saved in
the context frame? That would be at crash_fp + 4. I don’t see where else you
ever recover anything from crash_fp + 4. The walk seems to skip over that lr
value.

I think this may have something to do with your having to maintain two separate
blocks to create a new frame, the |caller_fp == 0| one above and the
“normal” one below.

[qsr, 2011/10/17 12:30:36]

Done.

+    BPLOG(ERROR) << "Unable to read caller_lr from caller_fp";
+    return NULL;
+  }
+
+  u_int32_t caller_sp = caller_fp + 8;
+
+  // Create a new stack frame (ownership will be transferred to the caller)
+  // and fill it in.
+  StackFrameARM *frame = new StackFrameARM();
+
+  frame->trust = StackFrame::FRAME_TRUST_FP;
+  frame->context = last_frame->context;
+  frame->context.iregs[fp_register_] = caller_fp;
+  frame->context.iregs[MD_CONTEXT_ARM_REG_SP] = caller_sp;
+  frame->context.iregs[MD_CONTEXT_ARM_REG_PC] =
+      last_frame->context.iregs[MD_CONTEXT_ARM_REG_LR];
+  frame->context.iregs[MD_CONTEXT_ARM_REG_LR] = caller_lr;
+  frame->context_validity = StackFrameARM::CONTEXT_VALID_PC |
+                            StackFrameARM::CONTEXT_VALID_LR |
+                            StackFrameARM::CONTEXT_VALID_SP;

[Mark Mentovai, 2011/10/14 16:34:31]

FP is valid too, right? For all of these, actually.

[qsr, 2011/10/17 07:28:28]

 Yes, but setting it breaks the code, because the CFI section then starts to
work, but seems incorrect. Here a CFI section I have:


STACK CFI INIT 7c023c 14 .cfa: sp 0 + .ra: lr
STACK CFI 7c023e .cfa: sp 8 + .ra: .cfa -4 + ^ r7: .cfa -8 + ^
STACK CFI 7c0240 .cfa: r7 8 +

 The important point is that this is reading lr, but never setting it back. I
can probably make it works by taking into account myself the interaction between
lr and pc, but I do not know how linux on arm works and I really fear to break
something.

[qsr, 2011/10/17 12:30:36]

Done.

+  return frame;
+}
+
 StackFrame* StackwalkerARM::GetCallerFrame(const CallStack *stack) {
   if (!memory_ || !stack) {
     BPLOG(ERROR) << "Can't get caller frame without memory or stack";
     return NULL;
   }
 
   const vector<StackFrame *> &frames = *stack->frames();
   StackFrameARM *last_frame = static_cast<StackFrameARM *>(frames.back());
   scoped_ptr<StackFrameARM> frame;
 
   // See if there is DWARF call frame information covering this address.
   scoped_ptr<CFIFrameInfo> cfi_frame_info(
       resolver_ ? resolver_->FindCFIFrameInfo(last_frame) : NULL);
   if (cfi_frame_info.get())
     frame.reset(GetCallerByCFIFrameInfo(frames, cfi_frame_info.get()));
 
   // If CFI failed, or there wasn't CFI available, fall back
   // to stack scanning.
   if (!frame.get()) {
-    frame.reset(GetCallerByStackScan(frames));
+    if (fp_register_ >= 0)
+      frame.reset(GetCallerByFramePointer(frames));
+    else
+      frame.reset(GetCallerByStackScan(frames));

[jimb, 2011/10/14 17:17:23]

If we have an fp_register, but GetCallerByFramePointer fails, does it make sense
to try GetCallerByStackStackScan?

That is, the structure of the code here is as a series of strategies, ordered
from most reliable to least reliable. If I understand correctly,
GetCallerByFramePointer falls between CFI and stack scanning. So it should read
something like:

if (!frame.get() && fp_register_ >= 0)
  frame.reset(GetCallerByFramePointer(frames))

if (!frame.get())
  frame.reset(GetCallerByStackScan);

[qsr, 2011/10/17 12:30:36]

Done.

   }
 
   // If nothing worked, tell the caller.
   if (!frame.get())
     return NULL;
 
 
   // An instruction address of zero marks the end of the stack.
   if (frame->context.iregs[MD_CONTEXT_ARM_REG_PC] == 0)
     return NULL;
 
   // If the new stack pointer is at a lower address than the old, then
   // that's clearly incorrect. Treat this as end-of-stack to enforce
   // progress and avoid infinite loops.
   if (frame->context.iregs[MD_CONTEXT_ARM_REG_SP]
       < last_frame->context.iregs[MD_CONTEXT_ARM_REG_SP])
     return NULL;
 
   // The new frame's context's PC is the return address, which is one
   // instruction past the instruction that caused us to arrive at the
   // callee. Set new_frame->instruction to one less than the PC. This won't
   // reference the beginning of the call instruction, but it's at least
   // within it, which is sufficient to get the source line information to
   // match up with the line that contains the function call. Callers that
   // require the exact return address value may access
   // frame->context.iregs[MD_CONTEXT_ARM_REG_PC].
-  frame->instruction = frame->context.iregs[MD_CONTEXT_ARM_REG_PC] - 1;
+  frame->instruction = frame->context.iregs[MD_CONTEXT_ARM_REG_PC] - 2;
 
   return frame.release();
 }
 
 
 }  // namespace google_breakpad