author Emilio Cobos Álvarez <>
Wed, 23 May 2018 20:11:22 +0200
changeset 423087 ee6d7b68769f8a889b9217c82f932683aa707f1e
parent 421754 14f7dab3a9bd909e8ba5a9b05127f58e31139e63
child 448947 6f3709b3878117466168c40affa7bca0b60cf75b
permissions -rw-r--r--
No bug - Remove some cfgs. r=me DONTBUILD, since this is not part of the build. MozReview-Commit-ID: 90UkG6QJWq

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at */

 * A poison value that can be used to fill a memory space with
 * an address that leads to a safe crash when dereferenced.

#ifndef mozilla_Poison_h
#define mozilla_Poison_h

#include "mozilla/Assertions.h"
#include "mozilla/Types.h"

#include <stdint.h>
#include <string.h>


extern MFBT_DATA uintptr_t gMozillaPoisonValue;

 * @return the poison value.
inline uintptr_t mozPoisonValue()
  return gMozillaPoisonValue;

 * Overwrite the memory block of aSize bytes at aPtr with the poison value.
 * aPtr MUST be aligned at a sizeof(uintptr_t) boundary.
 * Only an even number of sizeof(uintptr_t) bytes are overwritten, the last
 * few bytes (if any) is not overwritten.
inline void mozWritePoison(void* aPtr, size_t aSize)
  const uintptr_t POISON = mozPoisonValue();
  char* p = (char*)aPtr;
  char* limit = p + (aSize & ~(sizeof(uintptr_t) - 1));
  MOZ_ASSERT(aSize >= sizeof(uintptr_t), "poisoning this object has no effect");
  for (; p < limit; p += sizeof(uintptr_t)) {
    memcpy(p, &POISON, sizeof(POISON));

 * Initialize the poison value.
 * This should only be called once.
extern MFBT_API void mozPoisonValueInit();

/* Values annotated by CrashReporter */
extern MFBT_DATA uintptr_t gMozillaPoisonBase;
extern MFBT_DATA uintptr_t gMozillaPoisonSize;


#if defined(__cplusplus)

namespace mozilla {

 * A version of CorruptionCanary that is suitable as a member of objects that
 * are statically allocated.
class CorruptionCanaryForStatics {
  constexpr CorruptionCanaryForStatics()
    : mValue(kCanarySet)

  // This is required to avoid static constructor bloat.
  ~CorruptionCanaryForStatics() = default;

  void Check() const {
    if (mValue != kCanarySet) {
      MOZ_CRASH("Canary check failed, check lifetime");

  uintptr_t mValue;

  static const uintptr_t kCanarySet = 0x0f0b0f0b;

 * This class is designed to cause crashes when various kinds of memory
 * corruption are observed. For instance, let's say we have a class C where we
 * suspect out-of-bounds writes to some members.  We can insert a member of type
 * Poison near the members we suspect are being corrupted by out-of-bounds
 * writes.  Or perhaps we have a class K we suspect is subject to use-after-free
 * violations, in which case it doesn't particularly matter where in the class
 * we add the member of type Poison.
 * In either case, we then insert calls to Check() throughout the code.  Doing
 * so enables us to narrow down the location where the corruption is occurring.
 * A pleasant side-effect of these additional Check() calls is that crash
 * signatures may become more regular, as crashes will ideally occur
 * consolidated at the point of a Check(), rather than scattered about at
 * various uses of the corrupted memory.
class CorruptionCanary : public CorruptionCanaryForStatics {
  constexpr CorruptionCanary() = default;

  ~CorruptionCanary() {
    mValue = mozPoisonValue();

} // mozilla


#endif /* mozilla_Poison_h */