For dynamically generated code that requires stack unwinding using
RtlVirtualUnwind, we need to call a function RtlAddFunctionTable.
However, looking at MSDN today I saw RtlAddGrowableFunctionTable. The
documentation is quite blank, and just says you need this for dynamic
code, but why is RtlAddFunctionTable not sufficient?
https://msdn.microsoft.com/en-us/library/windows/desktop/hh405352(v=vs.85).aspx
Setting aside your question for the moment, the documentation page for RtlAddGrowableFunctionTable is a true work of art. I particularly like the Return Value section (the return value is of type NTSTATUS):
The link is to the entire list of defined NTSTATUS values.
The entire doc page is a work of art… highly recommended reading.
Peter
OSR
@OSRDrivers
RtlAddGrowableFunctionTable informs the kernel (in addition to the user mode portion of the process) of the existence of a dynamic unwind region, such that kernel mode stack trace facilities such as Etw are able to trace through the dynamically generated code, in addition to user mode exception/unwind supporting the dynamic code region.
As the name implies, the newer API also better supports scenarios where one might allocate a region with code in it and populate some functions up front, then a few more later, then yet more even later, with facilities to inform the system that the dynamic function table size has changed. This is a typical pattern, for example, for JIT systems where the set of dynamic code content isn’t necessarily known completely up front (i.e., dynamic scripting languages like JavaScript).
I would suggest using the growable function table facility in preference wherever it’s available. You will need to ensure that you sort the function table entries in ascending address order (which is not a problem for the old API) as binary searches are used internally when scanning the function table.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
Sent: Wednesday, July 22, 2015 5:29 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] RtlAddFunctionTable vs RtlAddGrowableFunctionTable?
Setting aside your question for the moment, the documentation page for RtlAddGrowableFunctionTable is a true work of art. I particularly like the Return Value section (the return value is of type NTSTATUS):
The link is to the entire list of defined NTSTATUS values.
The entire doc page is a work of art… highly recommended reading.
Peter
OSR
@OSRDrivers
—
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
OSR is HIRING!! See http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Is there any sample code at all that would demonstrate using this? I
can imagine crafting a test case where I hand-write assembly that
simulates says calls to functions and then see that the debugger and
as you say other facilities can unwind the stack?
Suppose shouldn’t be too hard, I just want to know that I have the
complete set of information (i.e. how to do it) before I embark on
implementing this for my toy language.
On Tue, Jul 28, 2015 at 8:42 PM, Skywing wrote:
> RtlAddGrowableFunctionTable informs the kernel (in addition to the user mode portion of the process) of the existence of a dynamic unwind region, such that kernel mode stack trace facilities such as Etw are able to trace through the dynamically generated code, in addition to user mode exception/unwind supporting the dynamic code region.
>
> As the name implies, the newer API also better supports scenarios where one might allocate a region with code in it and populate some functions up front, then a few more later, then yet more even later, with facilities to inform the system that the dynamic function table size has changed. This is a typical pattern, for example, for JIT systems where the set of dynamic code content isn’t necessarily known completely up front (i.e., dynamic scripting languages like JavaScript).
>
> I would suggest using the growable function table facility in preference wherever it’s available. You will need to ensure that you sort the function table entries in ascending address order (which is not a problem for the old API) as binary searches are used internally when scanning the function table.
>
> - S
>
> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
> Sent: Wednesday, July 22, 2015 5:29 AM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] RtlAddFunctionTable vs RtlAddGrowableFunctionTable?
>
> Setting aside your question for the moment, the documentation page for RtlAddGrowableFunctionTable is a true work of art. I particularly like the Return Value section (the return value is of type NTSTATUS):
>
>
>
> The link is to the entire list of defined NTSTATUS values.
>
> The entire doc page is a work of art… highly recommended reading.
>
> Peter
> OSR
> @OSRDrivers
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
I don’t know offhand if there are SDK samples for this facility.
The way that I would typically test this sort of thing is precisely as you describe - set the scenario up and trace through it in the debugger at each relevant point in the function for which you’ve registered unwinder information for, and verify that the unwind is properly completing. WinDbg (at least as far back as the Win8 flavor - I didn’t look further back) understands how to walk the dynamic function table list of the process being debugged for interactive user mode debugging. On platforms with a full unwinder (i.e. not x86), the debugger’s unwinder is just as restrictive as the OS’s unwinder, with the exception that it has the checks that you are on the correct stack disabled. You can use “.frame /c” to perform a full unwind to a previous frame in the debugger.
For AMD64, I would suggest https://msdn.microsoft.com/en-us/library/7kcdt6fy.aspx (“x64 Software Conventions”) as a reference for the mechanics of constructing an unwind information description of your dynamic code. You’ll also find the “.fnent” command in the debugger, and the “link -dump -unwindinfo” tool, as valuable reference sources for examining how the compiler typically constructs unwind information descriptions for various scenarios.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Hayden Livingston
Sent: Tuesday, July 28, 2015 10:13 PM
To: Windows System Software Devs Interest List
Subject: Re: RE:[ntdev] RtlAddFunctionTable vs RtlAddGrowableFunctionTable?
Is there any sample code at all that would demonstrate using this? I can imagine crafting a test case where I hand-write assembly that simulates says calls to functions and then see that the debugger and as you say other facilities can unwind the stack?
Suppose shouldn’t be too hard, I just want to know that I have the complete set of information (i.e. how to do it) before I embark on implementing this for my toy language.
On Tue, Jul 28, 2015 at 8:42 PM, Skywing wrote:
> RtlAddGrowableFunctionTable informs the kernel (in addition to the user mode portion of the process) of the existence of a dynamic unwind region, such that kernel mode stack trace facilities such as Etw are able to trace through the dynamically generated code, in addition to user mode exception/unwind supporting the dynamic code region.
>
> As the name implies, the newer API also better supports scenarios where one might allocate a region with code in it and populate some functions up front, then a few more later, then yet more even later, with facilities to inform the system that the dynamic function table size has changed. This is a typical pattern, for example, for JIT systems where the set of dynamic code content isn’t necessarily known completely up front (i.e., dynamic scripting languages like JavaScript).
>
> I would suggest using the growable function table facility in preference wherever it’s available. You will need to ensure that you sort the function table entries in ascending address order (which is not a problem for the old API) as binary searches are used internally when scanning the function table.
>
> - S
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@osr.com
> Sent: Wednesday, July 22, 2015 5:29 AM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] RtlAddFunctionTable vs RtlAddGrowableFunctionTable?
>
> Setting aside your question for the moment, the documentation page for RtlAddGrowableFunctionTable is a true work of art. I particularly like the Return Value section (the return value is of type NTSTATUS):
>
>
>
> The link is to the entire list of defined NTSTATUS values.
>
> The entire doc page is a work of art… highly recommended reading.
>
> Peter
> OSR
> @OSRDrivers
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
OSR is HIRING!! See http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer