LCOV - code coverage report
Current view: top level - mfbt - Poison.h (source / functions) Hit Total Coverage
Test: output.info Lines: 3 14 21.4 %
Date: 2018-08-07 16:42:27 Functions: 0 0 -

          Line data    Source code
       1             : /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
       2             : /* vim: set ts=8 sts=2 et sw=2 tw=80: */
       3             : /* This Source Code Form is subject to the terms of the Mozilla Public
       4             :  * License, v. 2.0. If a copy of the MPL was not distributed with this
       5             :  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
       6             : 
       7             : /*
       8             :  * A poison value that can be used to fill a memory space with
       9             :  * an address that leads to a safe crash when dereferenced.
      10             :  */
      11             : 
      12             : #ifndef mozilla_Poison_h
      13             : #define mozilla_Poison_h
      14             : 
      15             : #include "mozilla/Assertions.h"
      16             : #include "mozilla/Types.h"
      17             : 
      18             : #include <stdint.h>
      19             : #include <string.h>
      20             : 
      21             : MOZ_BEGIN_EXTERN_C
      22             : 
      23             : extern MFBT_DATA uintptr_t gMozillaPoisonValue;
      24             : 
      25             : /**
      26             :  * @return the poison value.
      27             :  */
      inline uintptr_t mozPoisonValue()
      {
        /*
         * Hands back the current contents of the global gMozillaPoisonValue.
         *
         * NOTE(review): this header only declares mozPoisonValueInit(); what the
         * global holds before that call has run is not visible here. Confirm that
         * nothing poisons memory before initialization, otherwise the "poison"
         * written may not be an address that crashes safely when dereferenced.
         */
        const uintptr_t poison = gMozillaPoisonValue;
        return poison;
      }
      32             : 
      33             : /**
      34             :  * Overwrite the memory block of aSize bytes at aPtr with the poison value.
      35             :  * aPtr MUST be aligned at a sizeof(uintptr_t) boundary.
      36             :  * Only a whole multiple of sizeof(uintptr_t) bytes is overwritten; the last
      37             :  * few bytes (if any) are not overwritten.
      38             :  */
      inline void mozWritePoison(void* aPtr, size_t aSize)
      {
        /*
         * Fills the block at aPtr with copies of the poison word, covering aSize
         * rounded down to a multiple of sizeof(uintptr_t).
         *
         * Caveats for callers that rely on poisoning to expose stale pointers:
         *  - The trailing (aSize % sizeof(uintptr_t)) bytes keep their previous
         *    contents.
         *  - The size check is a MOZ_ASSERT. In any build where that macro is
         *    compiled out (see mozilla/Assertions.h), a block smaller than one
         *    word is silently left unpoisoned.
         *  - Nothing here checks the documented alignment requirement on aPtr.
         */
        const uintptr_t poisonWord = mozPoisonValue();
        /* Clears the low bits so only whole words are counted. */
        const size_t wholeWordMask = ~(sizeof(uintptr_t) - 1);
        char* cursor = (char*)aPtr;
        char* end = cursor + (aSize & wholeWordMask);
        MOZ_ASSERT(aSize >= sizeof(uintptr_t), "poisoning this object has no effect");
        while (cursor < end) {
          /* Byte-wise copy of one word rather than a typed uintptr_t store. */
          memcpy(cursor, &poisonWord, sizeof(poisonWord));
          cursor += sizeof(uintptr_t);
        }
      }
      49             : 
      50             : /**
      51             :  * Initialize the poison value.
      52             :  * This should only be called once.
      53             :  */
      54             : extern MFBT_API void mozPoisonValueInit();
      55             : 
      56             : /* Values annotated by CrashReporter */
      57             : extern MFBT_DATA uintptr_t gMozillaPoisonBase;
      58             : extern MFBT_DATA uintptr_t gMozillaPoisonSize;
      59             : 
      60             : MOZ_END_EXTERN_C
      61             : 
      62             : #if defined(__cplusplus)
      63             : 
      64             : namespace mozilla {
      65             : 
      66             : /**
      67             :  * A version of CorruptionCanary that is suitable as a member of objects that
      68             :  * are statically allocated.
      69             :  */
      class CorruptionCanaryForStatics {
      public:
        // Starts the canary in its "intact" state. constexpr, so a statically
        // allocated owner can be constant-initialized.
        constexpr CorruptionCanaryForStatics() : mValue(kCanarySet) {}

        // This is required to avoid static constructor bloat.
        // Consequence: this class neither checks nor overwrites mValue on
        // destruction; only the derived CorruptionCanary does.
        ~CorruptionCanaryForStatics() = default;

        // Crashes via MOZ_CRASH if the stored word no longer equals kCanarySet;
        // otherwise does nothing.
        //
        // kCanarySet is a fixed constant, so this detects accidental overwrites
        // and use of a dead object. A stray write that happens to store the same
        // constant still passes, so treat the check as a diagnostic aid rather
        // than an integrity guarantee.
        void Check() const {
          if (mValue == kCanarySet) {
            return;
          }
          MOZ_CRASH("Canary check failed, check lifetime");
        }

      protected:
        // The canary word; writable by subclasses (CorruptionCanary poisons it).
        uintptr_t mValue;

      private:
        // Marker value meaning "this canary is intact".
        static const uintptr_t kCanarySet = 0x0f0b0f0b;
      };
      92             : 
      93             : 
      94             : /**
      95             :  * This class is designed to cause crashes when various kinds of memory
      96             :  * corruption are observed. For instance, let's say we have a class C where we
      97             :  * suspect out-of-bounds writes to some members.  We can insert a member of type
      98             :  * Poison near the members we suspect are being corrupted by out-of-bounds
      99             :  * writes.  Or perhaps we have a class K we suspect is subject to use-after-free
     100             :  * violations, in which case it doesn't particularly matter where in the class
     101             :  * we add the member of type Poison.
     102             :  *
     103             :  * In either case, we then insert calls to Check() throughout the code.  Doing
     104             :  * so enables us to narrow down the location where the corruption is occurring.
     105             :  * A pleasant side-effect of these additional Check() calls is that crash
     106             :  * signatures may become more regular, as crashes will ideally occur
     107             :  * consolidated at the point of a Check(), rather than scattered about at
     108             :  * various uses of the corrupted memory.
     109             :  */
     class CorruptionCanary : public CorruptionCanaryForStatics {
       // The descriptive comment for this class refers to a member "of type
       // Poison"; the type it describes is this one, CorruptionCanary.
     public:
       constexpr CorruptionCanary() = default;

       // Validates the canary one last time, then replaces it with the poison
       // value so that a later Check() on the destroyed object fails.
       //
       // NOTE(review): nothing visible here (such as a volatile access) obliges
       // the compiler to keep a store into an object whose lifetime is ending.
       // Confirm in optimized builds that this write is not removed as a dead
       // store, otherwise use-after-free detection degrades silently.
       ~CorruptionCanary() {
         this->Check();
         this->mValue = mozPoisonValue();
       }
     };
     119             : 
     120             : } // mozilla
     121             : 
     122             : #endif
     123             : 
     124             : #endif /* mozilla_Poison_h */
