| blob | 830d15f7fb7261b6b935f810605727cbb2a52fe8 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
16 #include <errno.h>
31 #ifdef XP_WIN
34 #elif defined(__wasi__)
35 # if defined(JS_CODEGEN_WASM32)
36 # include <cstdlib>
37 # else
38 // Nothing.
39 # endif
40 #else
41 # include <sys/mman.h>
42 # include <unistd.h>
43 #endif
45 #ifdef MOZ_VALGRIND
46 # include <valgrind/valgrind.h>
47 #endif
52 #ifdef XP_WIN
53 # if defined(HAVE_64BIT_BUILD)
54 # define NEED_JIT_UNWIND_HANDLING
55 # endif
58 /*
59 * Inspiration is V8's OS::Allocate in platform-win32.cc.
60 *
61 * VirtualAlloc takes 64K chunks out of the virtual address space, so we
62 * keep 16b alignment.
63 *
64 * x86: V8 comments say that keeping addresses in the [64MiB, 1GiB) range
65 * tries to avoid system default DLL mapping space. In the end, we get 13
66 * bits of randomness in our selection.
67 * x64: [2GiB, 4TiB), with 25 bits of randomness.
68 */
69 # ifdef HAVE_64BIT_BUILD
72 # elif defined(_M_IX86) || defined(__i386__)
75 # else
77 # endif
81 }
83 # ifdef NEED_JIT_UNWIND_HANDLING
86 # endif
89 # ifdef NEED_JIT_UNWIND_HANDLING
92 # else
93 // Just do nothing if unwind handling is disabled.
94 # endif
95 }
97 # ifdef NEED_JIT_UNWIND_HANDLING
98 # if defined(_M_ARM64)
99 // See the ".xdata records" section of
100 // https://docs.microsoft.com/en-us/cpp/build/arm64-exception-handling
101 // These records can have various fields present or absent depending on the
102 // bits set in the header. Our struct will use one 32-bit slot for unwind codes,
103 // and no slots for epilog scopes.
113 };
116 # else
117 // From documentation for UNWIND_INFO on
118 // https://learn.microsoft.com/en-us/cpp/build/exception-handling-x64
126 };
133 };
135 };
145 UnwindInfo unwindInfo;
160 // Offset here are specified to beginning of the -next- instruction.
168 }
169 };
170 # endif
174 UnwindData unwindData;
176 RUNTIME_FUNCTION runtimeFunction;
177 };
179 // This function must match the function pointer type PEXCEPTION_HANDLER
180 // mentioned in:
181 // http://msdn.microsoft.com/en-us/library/ssa62fwe.aspx.
182 // This type is rather elusive in documentation; Wine is the best I've found:
183 // http://source.winehq.org/source/include/winnt.h
186 _EXCEPTION_REGISTRATION_RECORD**) {
189 }
192 }
194 // Required for enabling Stackwalking on windows using external tools.
199 // For an explanation of the problem being solved here, see
200 // SetJitExceptionFilter in jsfriendapi.h.
204 }
206 // A page was reserved inside this structure for the record. This is because
207 // all entries in the record are describes as an offset from the start of the
208 // memory region. We construct the record there.
212 // Because the .xdata format on ARM64 can only encode sizes up to 1M (much
213 // too small for our JIT code regions), we register a function table callback
214 // to provide RUNTIME_FUNCTIONs at runtime. Windows doesn't seem to care about
215 // the size fields on RUNTIME_FUNCTIONs that are created in this way, so the
216 // same RUNTIME_FUNCTION can work for any address in the region. We'll set up
217 // a generic one now and the callback can just return a pointer to it.
219 // All these fields are specified to be offsets from the base of the
220 // executable code (which is 'p'), even if they have 'Address' in their
221 // names. In particular, exceptionHandler is a ULONG offset which is a
222 // 32-bit integer. Since 'p' can be farther than INT32_MAX away from
223 // sJitExceptionHandler, we must generate a little thunk inside the
224 // record. The record is put on its own page so that we can take away write
225 // access to protect against accidental clobbering.
227 # if defined(_M_ARM64)
230 }
235 "The ARM64 .pdata format requires that exception information "
242 // Use a fake unwind code to make the Windows unwinder do _something_. If the
243 // PC and SP both stay unchanged, we'll fail the unwinder's sanity checks and
244 // it won't call our exception handler.
253 // xip0/r16 should be safe to clobber: Windows just used it to call our thunk.
256 // Say `handler` is 0x4444333322221111, then:
262 # else
268 // mov imm64, rax
273 // jmp rax
276 # endif
278 // RtlAddGrowableFunctionTable will write into the region. We must therefore
279 // only write-protect is after this has been called.
281 // XXX NB: The profiler believes this function is only called from the main
282 // thread. If that ever becomes untrue, the profiler must be updated
283 // immediately.
284 {
285 AutoSuppressStackWalking suppress;
291 }
292 }
294 DWORD oldProtect;
297 }
300 }
303 // There's no such thing as RtlUninstallFunctionTableCallback, so there's
304 // nothing to do here.
305 }
306 # endif
309 # ifdef NEED_JIT_UNWIND_HANDLING
311 // Always reserve space for the unwind information.
313 # endif
321 }
322 }
325 // Try again without randomization.
329 }
330 }
332 # ifdef NEED_JIT_UNWIND_HANDLING
337 // This should have succeeded if we have an exception handler. Bail.
340 }
341 }
343 // Skip the first page where we might have allocated an exception handler
344 // record.
349 # endif
351 }
354 # ifdef NEED_JIT_UNWIND_HANDLING
362 }
363 # endif
366 }
371 }
377 }
379 }
382 ProtectionSetting protection) {
387 }
390 }
395 }
396 }
397 #elif defined(__wasi__)
398 # if defined(JS_CODEGEN_WASM32)
401 }
405 }
408 ProtectionSetting protection) {
410 }
414 # else
418 }
421 }
423 ProtectionSetting protection) {
426 }
429 }
430 # endif
432 # ifndef MAP_NORESERVE
433 # define MAP_NORESERVE 0
434 # endif
437 # ifdef __OpenBSD__
438 // OpenBSD already has random mmap and the idea that all x64 cpus
439 // have 48-bit address space is not correct. Returning nullptr
440 // allows OpenBSD do to the right thing.
442 # else
445 # ifdef HAVE_64BIT_BUILD
446 // x64 CPUs have a 48-bit address space and on some platforms the OS will
447 // give us access to 47 bits, so to be safe we right shift by 18 to leave
448 // 46 bits.
450 # else
451 // On 32-bit, right shift by 34 to leave 30 bits, range [0, 1GiB). Then add
452 // 512MiB to get range [512MiB, 1.5GiB), or [0x20000000, 0x60000000). This
453 // is based on V8 comments in platform-posix.cc saying this range is
454 // relatively unpopulated across a variety of kernels.
457 # endif
459 // Ensure page alignment.
462 # endif
463 }
468 // On most Unix platforms our strategy is as follows:
469 //
470 // * Reserve: mmap with PROT_NONE
471 // * Commit: mmap with MAP_FIXED, PROT_READ | ...
472 // * Decommit: mmap with MAP_FIXED, PROT_NONE
473 //
474 // On Apple Silicon this only works if we use mprotect to implement W^X. To
475 // use RWX pages with the faster pthread_jit_write_protect_np API for
476 // thread-local writable/executable switching, the kernel enforces the
477 // following rules:
478 //
479 // * The initial mmap must be called with MAP_JIT.
480 // * MAP_FIXED can't be used with MAP_JIT.
481 // * Since macOS 11.2, mprotect can't be used to change permissions of RWX JIT
482 // pages (even PROT_NONE fails).
483 // See https://developer.apple.com/forums/thread/672804.
484 //
485 // This means we have to use the following strategy on Apple Silicon:
486 //
487 // * Reserve: 1) mmap with PROT_READ | PROT_WRITE | PROT_EXEC and MAP_JIT
488 // 2) decommit
489 // * Commit: madvise with MADV_FREE_REUSE
490 // * Decommit: madvise with MADV_FREE_REUSABLE
491 //
492 // On Intel Macs we also need to use MAP_JIT, to be compatible with the
493 // Hardened Runtime (with com.apple.security.cs.allow-jit = true). The
494 // pthread_jit_write_protect_np API is not available on Intel and MAP_JIT
495 // can't be used with MAP_FIXED, so we have to use a hybrid of the above two
496 // strategies:
497 //
498 // * Reserve: 1) mmap with PROT_NONE and MAP_JIT
499 // 2) decommit
500 // * Commit: 1) madvise with MADV_FREE_REUSE
501 // 2) mprotect with PROT_READ | ...
502 // * Decommit: 1) mprotect with PROT_NONE
503 // 2) madvise with MADV_FREE_REUSABLE
504 //
505 // This is inspired by V8's code in OS::SetPermissions.
507 // Note that randomAddr is just a hint: if the address is not available
508 // mmap will pick a different address.
512 # if defined(XP_DARWIN)
514 # if defined(JS_USE_APPLE_FAST_WX)
516 # endif
517 # endif
522 }
523 # if defined(XP_DARWIN)
525 # endif
527 }
532 }
537 }
538 # ifdef MOZ_VALGRIND
539 // If we're configured for Valgrind and running on it, use a slacker
540 // scheme that doesn't change execute permissions, since doing so causes
541 // Valgrind a lot of extra overhead re-JITting code that loses and later
542 // regains execute permission. See bug 1338179.
549 }
551 }
552 // If we get here, we're configured for Valgrind but not running on
553 // it, so use the standard scheme.
554 # endif
560 }
562 }
565 ProtectionSetting protection) {
566 // See the comment in ReserveProcessExecutableMemory.
567 # if defined(XP_DARWIN)
574 }
575 # if !defined(JS_USE_APPLE_FAST_WX)
579 }
580 # endif
582 # else
589 }
592 # endif
593 }
596 // See the comment in ReserveProcessExecutableMemory.
597 # if defined(XP_DARWIN)
599 # if !defined(JS_USE_APPLE_FAST_WX)
602 # endif
607 # else
608 // Use mmap with MAP_FIXED and PROT_NONE. Inspired by jemalloc's
609 // pages_decommit.
614 # endif
615 }
616 #endif
632 }
636 }
643 }
648 }
653 }
655 #ifdef DEBUG
660 }
661 }
663 }
664 #endif
665 };
667 // Per-process executable memory allocator. It reserves a block of memory of
668 // MaxCodeBytesPerProcess bytes, then allocates/deallocates pages from that.
669 //
670 // This has a number of benefits compared to raw mmap/VirtualAlloc:
671 //
672 // * More resillient against certain attacks.
673 //
674 // * Behaves more consistently across platforms: it avoids the 64K granularity
675 // issues on Windows, for instance.
676 //
677 // * On x64, near jumps can be used for jumps to other JIT pages.
678 //
679 // * On Win64, we have to register the exception handler only once (at process
680 // startup). This saves some memory and avoids RtlAddFunctionTable profiler
681 // deadlocks.
689 // Start of the MaxCodeBytesPerProcess memory block or nullptr if
690 // uninitialized. Note that this is NOT guaranteed to be aligned to
691 // ExecutableCodePageSize.
694 // The fields below should only be accessed while we hold the lock.
695 Mutex lock_ MOZ_UNANNOTATED;
697 // pagesAllocated_ is an Atomic so that bytesAllocated does not have to
698 // take the lock.
701 // Page where we should try to allocate next.
725 }
733 }
742 }
752 }
758 }
763 }
766 MemCheckKind checkKind);
768 };
771 ProtectionSetting protection,
772 MemCheckKind checkKind) {
780 // Take the lock and try to allocate.
782 {
786 // Check if we have enough pages available.
789 }
793 // Maybe skip a page to make allocations less predictable.
797 // Make sure page + numPages - 1 is a valid index.
800 }
807 }
808 }
810 page++;
812 }
814 // Mark the pages as unavailable.
817 }
822 // If we allocated a small number of pages, move cursor_ to the
823 // next page. We don't do this for larger allocations to avoid
824 // skipping a large number of small holes.
827 }
831 }
834 }
835 }
837 // Commit the pages after releasing the lock.
841 }
846 }
862 // Decommit before taking the lock.
866 }
874 }
876 // Move the cursor back so we can reuse pages instead of fragmenting the
877 // whole region.
880 }
881 }
886 ProtectionSetting protection,
887 MemCheckKind checkKind) {
889 }
893 }
900 // Round down available memory to the closest MB.
903 }
906 // Use a 8 MB buffer.
912 }
916 }
919 ProtectionSetting protection,
920 MustFlushICache flushICache) {
921 #if defined(JS_CODEGEN_WASM32)
923 #endif
925 // Flush ICache when making code executable, before we modify |size|.
929 }
931 // Calculate the start of the page containing this region,
932 // and account for this extra memory within size.
939 // Round size up
947 // On weak memory systems, make sure new code is visible on all cores before
948 // addresses of the code are made public. Now is the latest moment in time
949 // when we can do that, and we're assuming that every other thread that has
950 // written into the memory that is being reprotected here has synchronized
951 // with this thread in such a way that the memory writes have become visible
952 // and we therefore only need to execute the fence once here. See bug 1529933
953 // for a longer discussion of why this is both necessary and sufficient.
954 //
955 // We use the C++ fence here -- and not AtomicOperations::fenceSeqCst() --
956 // primarily because ReprotectRegion will be called while we construct our own
957 // jitted atomics. But the C++ fence is sufficient and correct, too.
958 #ifdef __wasi__
960 #else
965 }
967 # ifdef JS_USE_APPLE_FAST_WX
969 # endif
971 # ifdef XP_WIN
973 // This is a essentially a VirtualProtect, but with lighter impact on
974 // antivirus analysis. See bug 1823634.
977 }
978 # else
982 }
983 # endif
988 }
990 #ifdef JS_USE_APPLE_FAST_WX
997 }
998 }
999 #endif
1001 #ifdef DEBUG
1007 }
1011 }
1016 }
1017 #endif