1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/mfbt/Poison.cpp Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,206 @@
1.4 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
1.5 +/* vim: set ts=8 sts=2 et sw=2 tw=80: */
1.6 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.7 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.8 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.9 +
1.10 +/*
1.11 + * A poison value that can be used to fill a memory space with
1.12 + * an address that leads to a safe crash when dereferenced.
1.13 + */
1.14 +
1.15 +#include "mozilla/Poison.h"
1.16 +
1.17 +#include "mozilla/Assertions.h"
1.18 +#ifdef _WIN32
1.19 +# include <windows.h>
1.20 +#elif !defined(__OS2__)
1.21 +# include <unistd.h>
1.22 +# include <sys/mman.h>
1.23 +# ifndef MAP_ANON
1.24 +# ifdef MAP_ANONYMOUS
1.25 +# define MAP_ANON MAP_ANONYMOUS
1.26 +# else
1.27 +# error "Don't know how to get anonymous memory"
1.28 +# endif
1.29 +# endif
1.30 +#endif
1.31 +
1.32 +extern "C" {
1.33 +uintptr_t gMozillaPoisonValue;
1.34 +uintptr_t gMozillaPoisonBase;
1.35 +uintptr_t gMozillaPoisonSize;
1.36 +}
1.37 +
1.38 +// Freed memory is filled with a poison value, which we arrange to
1.39 +// form a pointer either to an always-unmapped region of the address
1.40 +// space, or to a page that has been reserved and rendered
1.41 +// inaccessible via OS primitives. See tests/TestPoisonArea.cpp for
1.42 +// extensive discussion of the requirements for this page. The code
1.43 +// from here to 'class FreeList' needs to be kept in sync with that
1.44 +// file.
1.45 +
1.46 +#ifdef _WIN32
1.47 +static void *
1.48 +ReserveRegion(uintptr_t region, uintptr_t size)
1.49 +{
1.50 + return VirtualAlloc((void *)region, size, MEM_RESERVE, PAGE_NOACCESS);
1.51 +}
1.52 +
1.53 +static void
1.54 +ReleaseRegion(void *region, uintptr_t size)
1.55 +{
1.56 + VirtualFree(region, size, MEM_RELEASE);
1.57 +}
1.58 +
1.59 +static bool
1.60 +ProbeRegion(uintptr_t region, uintptr_t size)
1.61 +{
1.62 + SYSTEM_INFO sinfo;
1.63 + GetSystemInfo(&sinfo);
1.64 + if (region >= (uintptr_t)sinfo.lpMaximumApplicationAddress &&
1.65 + region + size >= (uintptr_t)sinfo.lpMaximumApplicationAddress) {
1.66 + return true;
1.67 + } else {
1.68 + return false;
1.69 + }
1.70 +}
1.71 +
1.72 +static uintptr_t
1.73 +GetDesiredRegionSize()
1.74 +{
1.75 + SYSTEM_INFO sinfo;
1.76 + GetSystemInfo(&sinfo);
1.77 + return sinfo.dwAllocationGranularity;
1.78 +}
1.79 +
1.80 +#define RESERVE_FAILED 0
1.81 +
1.82 +#elif defined(__OS2__)
1.83 +static void *
1.84 +ReserveRegion(uintptr_t region, uintptr_t size)
1.85 +{
1.86 + // OS/2 doesn't support allocation at an arbitrary address,
1.87 + // so return an address that is known to be invalid.
1.88 + return (void*)0xFFFD0000;
1.89 +}
1.90 +
1.91 +static void
1.92 +ReleaseRegion(void *region, uintptr_t size)
1.93 +{
1.94 + return;
1.95 +}
1.96 +
1.97 +static bool
1.98 +ProbeRegion(uintptr_t region, uintptr_t size)
1.99 +{
1.100 + // There's no reliable way to probe an address in the system
1.101 + // arena other than by touching it and seeing if a trap occurs.
1.102 + return false;
1.103 +}
1.104 +
1.105 +static uintptr_t
1.106 +GetDesiredRegionSize()
1.107 +{
1.108 + // Page size is fixed at 4k.
1.109 + return 0x1000;
1.110 +}
1.111 +
1.112 +#define RESERVE_FAILED 0
1.113 +
1.114 +#else // Unix
1.115 +
1.116 +static void *
1.117 +ReserveRegion(uintptr_t region, uintptr_t size)
1.118 +{
1.119 + return mmap(reinterpret_cast<void*>(region), size, PROT_NONE, MAP_PRIVATE|MAP_ANON, -1, 0);
1.120 +}
1.121 +
1.122 +static void
1.123 +ReleaseRegion(void *region, uintptr_t size)
1.124 +{
1.125 + munmap(region, size);
1.126 +}
1.127 +
1.128 +static bool
1.129 +ProbeRegion(uintptr_t region, uintptr_t size)
1.130 +{
1.131 + if (madvise(reinterpret_cast<void*>(region), size, MADV_NORMAL)) {
1.132 + return true;
1.133 + } else {
1.134 + return false;
1.135 + }
1.136 +}
1.137 +
1.138 +static uintptr_t
1.139 +GetDesiredRegionSize()
1.140 +{
1.141 + return sysconf(_SC_PAGESIZE);
1.142 +}
1.143 +
1.144 +#define RESERVE_FAILED MAP_FAILED
1.145 +
1.146 +#endif // system dependencies
1.147 +
1.148 +static_assert(sizeof(uintptr_t) == 4 || sizeof(uintptr_t) == 8, "");
1.149 +static_assert(sizeof(uintptr_t) == sizeof(void *), "");
1.150 +
1.151 +static uintptr_t
1.152 +ReservePoisonArea(uintptr_t rgnsize)
1.153 +{
1.154 + if (sizeof(uintptr_t) == 8) {
1.155 + // Use the hardware-inaccessible region.
1.156 + // We have to avoid 64-bit constants and shifts by 32 bits, since this
1.157 + // code is compiled in 32-bit mode, although it is never executed there.
1.158 + return
1.159 + (((uintptr_t(0x7FFFFFFFu) << 31) << 1 | uintptr_t(0xF0DEAFFFu))
1.160 + & ~(rgnsize-1));
1.161 +
1.162 + } else {
1.163 + // First see if we can allocate the preferred poison address from the OS.
1.164 + uintptr_t candidate = (0xF0DEAFFF & ~(rgnsize-1));
1.165 + void *result = ReserveRegion(candidate, rgnsize);
1.166 + if (result == (void *)candidate) {
1.167 + // success - inaccessible page allocated
1.168 + return candidate;
1.169 + }
1.170 +
1.171 + // That didn't work, so see if the preferred address is within a range
1.172 + // of permanently inacessible memory.
1.173 + if (ProbeRegion(candidate, rgnsize)) {
1.174 + // success - selected page cannot be usable memory
1.175 + if (result != RESERVE_FAILED)
1.176 + ReleaseRegion(result, rgnsize);
1.177 + return candidate;
1.178 + }
1.179 +
1.180 + // The preferred address is already in use. Did the OS give us a
1.181 + // consolation prize?
1.182 + if (result != RESERVE_FAILED) {
1.183 + return uintptr_t(result);
1.184 + }
1.185 +
1.186 + // It didn't, so try to allocate again, without any constraint on
1.187 + // the address.
1.188 + result = ReserveRegion(0, rgnsize);
1.189 + if (result != RESERVE_FAILED) {
1.190 + return uintptr_t(result);
1.191 + }
1.192 +
1.193 + // no usable poison region identified
1.194 + MOZ_CRASH();
1.195 + return 0;
1.196 + }
1.197 +}
1.198 +
1.199 +void
1.200 +mozPoisonValueInit()
1.201 +{
1.202 + gMozillaPoisonSize = GetDesiredRegionSize();
1.203 + gMozillaPoisonBase = ReservePoisonArea(gMozillaPoisonSize);
1.204 +
1.205 + if (gMozillaPoisonSize == 0) // can't happen
1.206 + return;
1.207 +
1.208 + gMozillaPoisonValue = gMozillaPoisonBase + gMozillaPoisonSize/2 - 1;
1.209 +}
