1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
* vim: set ts=8 sts=2 et sw=2 tw=80:
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Memory poisoning.
*/
#ifndef util_Poison_h
#define util_Poison_h
#include "mozilla/Assertions.h"
#include "mozilla/Attributes.h"
#include "mozilla/MemoryChecking.h"
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include "jstypes.h"
#include "js/Value.h"
#include "util/DiagnosticAssertions.h"
/* Enable poisoning in crash-diagnostics and zeal builds. */
#if defined(JS_CRASH_DIAGNOSTICS) || defined(JS_GC_ZEAL)
# define JS_GC_POISONING 1
#endif
namespace mozilla {
/**
* Set the first |aNElem| T elements in |aDst| to |aSrc|.
*/
template <typename T>
static MOZ_ALWAYS_INLINE void PodSet(T* aDst, const T& aSrc, size_t aNElem) {
for (const T* dstend = aDst + aNElem; aDst < dstend; ++aDst) {
*aDst = aSrc;
}
}
} /* namespace mozilla */
/*
* Patterns used by SpiderMonkey to overwrite unused memory. If you are
* accessing an object with one of these pattern, you probably have a dangling
* pointer. These values should be odd, see the comment in IsThingPoisoned.
*
* Note: new patterns should also be added to the array in IsThingPoisoned!
*
* We try to keep our IRC bot, mrgiggles, up to date with these and other
* patterns:
* https://bitbucket.org/sfink/mrgiggles/src/default/plugins/knowledge/__init__.py
*/
const uint8_t JS_FRESH_NURSERY_PATTERN = 0x2F;
const uint8_t JS_SWEPT_NURSERY_PATTERN = 0x2B;
const uint8_t JS_ALLOCATED_NURSERY_PATTERN = 0x2D;
const uint8_t JS_FRESH_TENURED_PATTERN = 0x4F;
const uint8_t JS_MOVED_TENURED_PATTERN = 0x49;
const uint8_t JS_SWEPT_TENURED_PATTERN = 0x4B;
const uint8_t JS_ALLOCATED_TENURED_PATTERN = 0x4D;
const uint8_t JS_FREED_HEAP_PTR_PATTERN = 0x6B;
const uint8_t JS_FREED_CHUNK_PATTERN = 0x8B;
const uint8_t JS_FREED_ARENA_PATTERN = 0x9B;
const uint8_t JS_SWEPT_TI_PATTERN = 0x6F;
const uint8_t JS_FRESH_MARK_STACK_PATTERN = 0x9F;
const uint8_t JS_RESET_VALUE_PATTERN = 0xBB;
const uint8_t JS_POISONED_JSSCRIPT_DATA_PATTERN = 0xDB;
const uint8_t JS_OOB_PARSE_NODE_PATTERN = 0xFF;
const uint8_t JS_LIFO_UNDEFINED_PATTERN = 0xcd;
const uint8_t JS_LIFO_UNINITIALIZED_PATTERN = 0xce;
// Even ones
const uint8_t JS_NEW_NATIVE_ITERATOR_PATTERN = 0xCC;
const uint8_t JS_SCOPE_DATA_TRAILING_NAMES_PATTERN = 0xCC;
/*
* Ensure JS_SWEPT_CODE_PATTERN is a byte pattern that will crash immediately
* when executed, so either an undefined instruction or an instruction that's
* illegal in user mode.
*/
#if defined(JS_CODEGEN_X86) || defined(JS_CODEGEN_X64) || \
defined(JS_CODEGEN_NONE)
# define JS_SWEPT_CODE_PATTERN 0xED // IN instruction, crashes in user mode.
#elif defined(JS_CODEGEN_ARM) || defined(JS_CODEGEN_ARM64)
# define JS_SWEPT_CODE_PATTERN 0xA3 // undefined instruction
#elif defined(JS_CODEGEN_MIPS32) || defined(JS_CODEGEN_MIPS64)
# define JS_SWEPT_CODE_PATTERN 0x01 // undefined instruction
#else
# error "JS_SWEPT_CODE_PATTERN not defined for this platform"
#endif
enum class MemCheckKind : uint8_t {
// Marks a region as poisoned. Memory sanitizers like ASan will crash when
// accessing it (both reads and writes).
MakeNoAccess,
// Marks a region as having undefined contents. In ASan builds this just
// unpoisons the memory. MSan and Valgrind can also use this to find
// reads of uninitialized memory.
MakeUndefined,
};
static MOZ_ALWAYS_INLINE void SetMemCheckKind(void* ptr, size_t bytes,
MemCheckKind kind) {
switch (kind) {
case MemCheckKind::MakeUndefined:
MOZ_MAKE_MEM_UNDEFINED(ptr, bytes);
return;
case MemCheckKind::MakeNoAccess:
MOZ_MAKE_MEM_NOACCESS(ptr, bytes);
return;
}
MOZ_CRASH("Invalid kind");
}
namespace js {
static inline void PoisonImpl(void* ptr, uint8_t value, size_t num) {
// Without a valid Value tag, a poisoned Value may look like a valid
// floating point number. To ensure that we crash more readily when
// observing a poisoned Value, we make the poison an invalid ObjectValue.
// Unfortunately, this adds about 2% more overhead, so we can only enable
// it in debug.
#if defined(DEBUG)
uintptr_t poison;
memset(&poison, value, sizeof(poison));
# if defined(JS_PUNBOX64)
poison = poison & ((uintptr_t(1) << JSVAL_TAG_SHIFT) - 1);
# endif
JS::Value v = js::PoisonedObjectValue(poison);
# if defined(JS_NUNBOX32)
// On 32-bit arch, ptr may not be JS::Value-size aligned.
uintptr_t begin_count = uintptr_t(ptr) % sizeof(JS::Value);
if (begin_count) {
uint8_t* begin = static_cast<uint8_t*>(ptr);
mozilla::PodSet(begin, value, begin_count);
ptr = begin + begin_count;
num -= begin_count;
}
# endif
MOZ_ASSERT(uintptr_t(ptr) % sizeof(JS::Value) == 0);
size_t value_count = num / sizeof(v);
size_t byte_count = num % sizeof(v);
mozilla::PodSet(reinterpret_cast<JS::Value*>(ptr), v, value_count);
if (byte_count) {
uint8_t* bytes = static_cast<uint8_t*>(ptr);
uint8_t* end = bytes + num;
mozilla::PodSet(end - byte_count, value, byte_count);
}
#else // !DEBUG
memset(ptr, value, num);
#endif // !DEBUG
}
// Unconditionally poison a region on memory.
static inline void AlwaysPoison(void* ptr, uint8_t value, size_t num,
MemCheckKind kind) {
PoisonImpl(ptr, value, num);
SetMemCheckKind(ptr, num, kind);
}
// JSGC_DISABLE_POISONING environment variable
extern bool gDisablePoisoning;
// Poison a region of memory in debug and nightly builds (plus builds where GC
// zeal is configured). Can be disabled by setting the JSGC_DISABLE_POISONING
// environment variable.
static inline void Poison(void* ptr, uint8_t value, size_t num,
MemCheckKind kind) {
#if defined(JS_GC_POISONING)
if (!js::gDisablePoisoning) {
PoisonImpl(ptr, value, num);
}
#endif
SetMemCheckKind(ptr, num, kind);
}
// Poison a region of memory in debug builds. Can be disabled by setting the
// JSGC_DISABLE_POISONING environment variable.
static inline void DebugOnlyPoison(void* ptr, uint8_t value, size_t num,
MemCheckKind kind) {
#if defined(DEBUG)
Poison(ptr, value, num, kind);
#else
SetMemCheckKind(ptr, num, kind);
#endif
}
} // namespace js
#endif /* util_Poison_h */
|
