The Tor Browser / file comparison

comparison: mfbt/Poison.cpp

mfbt/Poison.cpp

branch
TOR_BUG_9701
changeset 8
97036ab72558
equal deleted inserted replaced
-1:000000000000 0:de6d87244b78
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 /*
8 * A poison value that can be used to fill a memory space with
9 * an address that leads to a safe crash when dereferenced.
10 */
11
12 #include "mozilla/Poison.h"
13
14 #include "mozilla/Assertions.h"
15 #ifdef _WIN32
16 # include <windows.h>
17 #elif !defined(__OS2__)
18 # include <unistd.h>
19 # include <sys/mman.h>
20 # ifndef MAP_ANON
21 # ifdef MAP_ANONYMOUS
22 # define MAP_ANON MAP_ANONYMOUS
23 # else
24 # error "Don't know how to get anonymous memory"
25 # endif
26 # endif
27 #endif
28
29 extern "C" {
30 uintptr_t gMozillaPoisonValue;
31 uintptr_t gMozillaPoisonBase;
32 uintptr_t gMozillaPoisonSize;
33 }
34
35 // Freed memory is filled with a poison value, which we arrange to
36 // form a pointer either to an always-unmapped region of the address
37 // space, or to a page that has been reserved and rendered
38 // inaccessible via OS primitives. See tests/TestPoisonArea.cpp for
39 // extensive discussion of the requirements for this page. The code
40 // from here to 'class FreeList' needs to be kept in sync with that
41 // file.
42
43 #ifdef _WIN32
44 static void *
45 ReserveRegion(uintptr_t region, uintptr_t size)
46 {
47 return VirtualAlloc((void *)region, size, MEM_RESERVE, PAGE_NOACCESS);
48 }
49
50 static void
51 ReleaseRegion(void *region, uintptr_t size)
52 {
53 VirtualFree(region, size, MEM_RELEASE);
54 }
55
56 static bool
57 ProbeRegion(uintptr_t region, uintptr_t size)
58 {
59 SYSTEM_INFO sinfo;
60 GetSystemInfo(&sinfo);
61 if (region >= (uintptr_t)sinfo.lpMaximumApplicationAddress &&
62 region + size >= (uintptr_t)sinfo.lpMaximumApplicationAddress) {
63 return true;
64 } else {
65 return false;
66 }
67 }
68
69 static uintptr_t
70 GetDesiredRegionSize()
71 {
72 SYSTEM_INFO sinfo;
73 GetSystemInfo(&sinfo);
74 return sinfo.dwAllocationGranularity;
75 }
76
77 #define RESERVE_FAILED 0
78
79 #elif defined(__OS2__)
80 static void *
81 ReserveRegion(uintptr_t region, uintptr_t size)
82 {
83 // OS/2 doesn't support allocation at an arbitrary address,
84 // so return an address that is known to be invalid.
85 return (void*)0xFFFD0000;
86 }
87
88 static void
89 ReleaseRegion(void *region, uintptr_t size)
90 {
91 return;
92 }
93
94 static bool
95 ProbeRegion(uintptr_t region, uintptr_t size)
96 {
97 // There's no reliable way to probe an address in the system
98 // arena other than by touching it and seeing if a trap occurs.
99 return false;
100 }
101
102 static uintptr_t
103 GetDesiredRegionSize()
104 {
105 // Page size is fixed at 4k.
106 return 0x1000;
107 }
108
109 #define RESERVE_FAILED 0
110
111 #else // Unix
112
113 static void *
114 ReserveRegion(uintptr_t region, uintptr_t size)
115 {
116 return mmap(reinterpret_cast<void*>(region), size, PROT_NONE, MAP_PRIVATE|MAP_ANON, -1, 0);
117 }
118
119 static void
120 ReleaseRegion(void *region, uintptr_t size)
121 {
122 munmap(region, size);
123 }
124
125 static bool
126 ProbeRegion(uintptr_t region, uintptr_t size)
127 {
128 if (madvise(reinterpret_cast<void*>(region), size, MADV_NORMAL)) {
129 return true;
130 } else {
131 return false;
132 }
133 }
134
135 static uintptr_t
136 GetDesiredRegionSize()
137 {
138 return sysconf(_SC_PAGESIZE);
139 }
140
141 #define RESERVE_FAILED MAP_FAILED
142
143 #endif // system dependencies
144
145 static_assert(sizeof(uintptr_t) == 4 || sizeof(uintptr_t) == 8, "");
146 static_assert(sizeof(uintptr_t) == sizeof(void *), "");
147
148 static uintptr_t
149 ReservePoisonArea(uintptr_t rgnsize)
150 {
151 if (sizeof(uintptr_t) == 8) {
152 // Use the hardware-inaccessible region.
153 // We have to avoid 64-bit constants and shifts by 32 bits, since this
154 // code is compiled in 32-bit mode, although it is never executed there.
155 return
156 (((uintptr_t(0x7FFFFFFFu) << 31) << 1 | uintptr_t(0xF0DEAFFFu))
157 & ~(rgnsize-1));
158
159 } else {
160 // First see if we can allocate the preferred poison address from the OS.
161 uintptr_t candidate = (0xF0DEAFFF & ~(rgnsize-1));
162 void *result = ReserveRegion(candidate, rgnsize);
163 if (result == (void *)candidate) {
164 // success - inaccessible page allocated
165 return candidate;
166 }
167
168 // That didn't work, so see if the preferred address is within a range
169 // of permanently inacessible memory.
170 if (ProbeRegion(candidate, rgnsize)) {
171 // success - selected page cannot be usable memory
172 if (result != RESERVE_FAILED)
173 ReleaseRegion(result, rgnsize);
174 return candidate;
175 }
176
177 // The preferred address is already in use. Did the OS give us a
178 // consolation prize?
179 if (result != RESERVE_FAILED) {
180 return uintptr_t(result);
181 }
182
183 // It didn't, so try to allocate again, without any constraint on
184 // the address.
185 result = ReserveRegion(0, rgnsize);
186 if (result != RESERVE_FAILED) {
187 return uintptr_t(result);
188 }
189
190 // no usable poison region identified
191 MOZ_CRASH();
192 return 0;
193 }
194 }
195
196 void
197 mozPoisonValueInit()
198 {
199 gMozillaPoisonSize = GetDesiredRegionSize();
200 gMozillaPoisonBase = ReservePoisonArea(gMozillaPoisonSize);
201
202 if (gMozillaPoisonSize == 0) // can't happen
203 return;
204
205 gMozillaPoisonValue = gMozillaPoisonBase + gMozillaPoisonSize/2 - 1;
206 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial