summaryrefslogtreecommitdiffstats
path: root/mfbt/Poison.h
diff options
context:
space:
mode:
Diffstat (limited to 'mfbt/Poison.h')
-rw-r--r--mfbt/Poison.h109
1 files changed, 109 insertions, 0 deletions
diff --git a/mfbt/Poison.h b/mfbt/Poison.h
new file mode 100644
index 0000000000..5b1fae1fd1
--- /dev/null
+++ b/mfbt/Poison.h
@@ -0,0 +1,109 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * A poison value that can be used to fill a memory space with
+ * an address that leads to a safe crash when dereferenced.
+ */
+
+#ifndef mozilla_Poison_h
+#define mozilla_Poison_h
+
+#include "mozilla/Assertions.h"
+#include "mozilla/Types.h"
+
+#include <stdint.h>
+#include <string.h>
+
+MOZ_BEGIN_EXTERN_C
+
+extern MFBT_DATA uintptr_t gMozillaPoisonValue;
+
+/**
+ * @return the poison value.
+ */
+inline uintptr_t mozPoisonValue() { return gMozillaPoisonValue; }
+
+/**
+ * Overwrite the memory block of aSize bytes at aPtr with the poison value.
+ * Only a multiple of sizeof(uintptr_t) bytes are overwritten, the last
+ * few bytes (if any) are not overwritten.
+ */
+inline void mozWritePoison(void* aPtr, size_t aSize) {
+ const uintptr_t POISON = mozPoisonValue();
+ char* p = (char*)aPtr;
+ char* limit = p + (aSize & ~(sizeof(uintptr_t) - 1));
+ MOZ_ASSERT(aSize >= sizeof(uintptr_t), "poisoning this object has no effect");
+ for (; p < limit; p += sizeof(uintptr_t)) {
+ memcpy(p, &POISON, sizeof(POISON));
+ }
+}
+
+/* Values annotated by CrashReporter */
+extern MFBT_DATA uintptr_t gMozillaPoisonBase;
+extern MFBT_DATA uintptr_t gMozillaPoisonSize;
+
+MOZ_END_EXTERN_C
+
+#if defined(__cplusplus)
+
+namespace mozilla {
+
+/**
+ * A version of CorruptionCanary that is suitable as a member of objects that
+ * are statically allocated.
+ */
+class CorruptionCanaryForStatics {
+ public:
+ constexpr CorruptionCanaryForStatics() : mValue(kCanarySet) {}
+
+ // This is required to avoid static constructor bloat.
+ ~CorruptionCanaryForStatics() = default;
+
+ void Check() const {
+ if (mValue != kCanarySet) {
+ MOZ_CRASH("Canary check failed, check lifetime");
+ }
+ }
+
+ protected:
+ uintptr_t mValue;
+
+ private:
+ static const uintptr_t kCanarySet = 0x0f0b0f0b;
+};
+
+/**
+ * This class is designed to cause crashes when various kinds of memory
+ * corruption are observed. For instance, let's say we have a class C where we
+ * suspect out-of-bounds writes to some members. We can insert a member of type
+ * Poison near the members we suspect are being corrupted by out-of-bounds
+ * writes. Or perhaps we have a class K we suspect is subject to use-after-free
+ * violations, in which case it doesn't particularly matter where in the class
+ * we add the member of type Poison.
+ *
+ * In either case, we then insert calls to Check() throughout the code. Doing
+ * so enables us to narrow down the location where the corruption is occurring.
+ * A pleasant side-effect of these additional Check() calls is that crash
+ * signatures may become more regular, as crashes will ideally occur
+ * consolidated at the point of a Check(), rather than scattered about at
+ * various uses of the corrupted memory.
+ */
+class CorruptionCanary : public CorruptionCanaryForStatics {
+ public:
+ constexpr CorruptionCanary() = default;
+
+ ~CorruptionCanary() {
+ Check();
+ mValue = mozPoisonValue();
+ }
+};
+
+} // namespace mozilla
+
+#endif
+
+#endif /* mozilla_Poison_h */