mfbt/Poison.h
author Kris Maglione <maglione.k@gmail.com>
Mon, 15 Jul 2019 16:19:32 -0700
changeset 483100 bcdcbeb490e137f4d093f63394080917d6cd7ca4
parent 448947 6f3709b3878117466168c40affa7bca0b60cf75b
permissions -rw-r--r--
Bug 1566182: Annotate mochitests that fail with Fission enabled. r=mccr8 My preference was to annotate most of the failing tests with `fail-if` so that if they start passing, the `fail-if` needs to be removed and they need to keep passing. That doesn't work for tests that time out, or which trigger failures from their cleanup functions, however, so those tests need skip-if. And tests that fail in their cleanup functions likely leave the browser in an inconsistent state for subsequent tests anyway, so they really should be skipped regardless. There are some remaining tests which still fail because of crashes. I chose not to skip them here, but to fix the crashes in separate bugs instead. Differential Revision: https://phabricator.services.mozilla.com/D38247

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * A poison value that can be used to fill a memory space with
 * an address that leads to a safe crash when dereferenced.
 */

#ifndef mozilla_Poison_h
#define mozilla_Poison_h

#include "mozilla/Assertions.h"
#include "mozilla/Types.h"

#include <stdint.h>
#include <string.h>

MOZ_BEGIN_EXTERN_C

// The process-wide poison value; read directly by mozPoisonValue() and
// mozWritePoison(). Defined out of line (not in this header).
extern MFBT_DATA uintptr_t gMozillaPoisonValue;

/**
 * @return the poison value.
 */
inline uintptr_t mozPoisonValue() {
  // Plain read of the process-wide poison on every call; nothing is cached.
  const uintptr_t value = gMozillaPoisonValue;
  return value;
}

/**
 * Overwrite the memory block of aSize bytes at aPtr with the poison value.
 * aPtr MUST be aligned at a sizeof(uintptr_t) boundary.
 * Only the leading multiple of sizeof(uintptr_t) bytes is overwritten; the
 * trailing aSize % sizeof(uintptr_t) bytes (if any) are left untouched, so a
 * caller that needs every byte poisoned must deal with that tail itself.
 */
inline void mozWritePoison(void* aPtr, size_t aSize) {
  MOZ_ASSERT(aSize >= sizeof(uintptr_t), "poisoning this object has no effect");
  const uintptr_t poison = mozPoisonValue();
  // sizeof(uintptr_t) is a power of two, so this is the same as masking off
  // the low bits of aSize.
  const size_t wordCount = aSize / sizeof(uintptr_t);
  char* cursor = (char*)aPtr;
  // Copy bytes through char* with memcpy instead of storing through a
  // uintptr_t*: no aliasing or alignment concern for the object being poisoned.
  for (size_t i = 0; i < wordCount; ++i) {
    memcpy(cursor, &poison, sizeof(poison));
    cursor += sizeof(poison);
  }
}

/**
 * Initialize the poison value.
 * This should only be called once.
 * NOTE(review): mozPoisonValue() and mozWritePoison() read gMozillaPoisonValue
 * directly, so this presumably has to run before either is used — confirm
 * against the definition, which is outside this header.
 */
extern MFBT_API void mozPoisonValueInit();

/* Values annotated by CrashReporter */
// NOTE(review): presumably the base address and size of the region the poison
// value points into; both are defined outside this header — confirm there.
extern MFBT_DATA uintptr_t gMozillaPoisonBase;
extern MFBT_DATA uintptr_t gMozillaPoisonSize;

MOZ_END_EXTERN_C

#if defined(__cplusplus)

namespace mozilla {

/**
 * A version of CorruptionCanary that is suitable as a member of objects that
 * are statically allocated.
 */
class CorruptionCanaryForStatics {
 public:
  // constexpr so that a statically allocated holder needs no dynamic
  // initializer to set the canary.
  constexpr CorruptionCanaryForStatics() : mValue(kCanarySet) {}

  // This is required to avoid static constructor bloat.
  ~CorruptionCanaryForStatics() = default;

  // Crash right here if the canary word no longer holds kCanarySet, so the
  // crash lands at the Check() call rather than at some later use.
  void Check() const {
    if (mValue == kCanarySet) {
      return;
    }
    MOZ_CRASH("Canary check failed, check lifetime");
  }

 protected:
  // The canary word. Protected so a subclass can deliberately overwrite it.
  uintptr_t mValue;

 private:
  static const uintptr_t kCanarySet = 0x0f0b0f0b;
};

/**
 * This class is designed to cause crashes when various kinds of memory
 * corruption are observed. For instance, let's say we have a class C where we
 * suspect out-of-bounds writes to some members.  We can insert a member of type
 * Poison near the members we suspect are being corrupted by out-of-bounds
 * writes.  Or perhaps we have a class K we suspect is subject to use-after-free
 * violations, in which case it doesn't particularly matter where in the class
 * we add the member of type Poison.
 *
 * In either case, we then insert calls to Check() throughout the code.  Doing
 * so enables us to narrow down the location where the corruption is occurring.
 * A pleasant side-effect of these additional Check() calls is that crash
 * signatures may become more regular, as crashes will ideally occur
 * consolidated at the point of a Check(), rather than scattered about at
 * various uses of the corrupted memory.
 */
class CorruptionCanary : public CorruptionCanaryForStatics {
 public:
  constexpr CorruptionCanary() = default;

  // Verify the canary one last time, then replace it with the poison value so
  // that a Check() reached through a dangling reference still crashes (as long
  // as the storage has not been reused in the meantime).
  ~CorruptionCanary() {
    CorruptionCanaryForStatics::Check();
    mValue = ::mozPoisonValue();
  }
};

}  // namespace mozilla

#endif

#endif /* mozilla_Poison_h */