1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/**
 * A poison value that can be used to fill a memory space with
 * an address that leads to a safe crash when dereferenced.
 */
12 #ifndef mozilla_Poison_h
13 #define mozilla_Poison_h
15 #include "mozilla/Assertions.h"
16 #include "mozilla/Types.h"
/* The process-wide poison value. It is read by mozPoisonValue() and is
 * set by mozPoisonValueInit() (declared below), which is meant to run
 * exactly once before any poisoning takes place. */
extern MFBT_DATA uintptr_t gMozillaPoisonValue;
/**
 * Accessor for the global poison value.
 *
 * @return the current value of gMozillaPoisonValue, which is expected to
 *         have been set by mozPoisonValueInit().
 */
inline uintptr_t mozPoisonValue()
{
  return gMozillaPoisonValue;
}
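/**
 * Overwrite the memory block of aSize bytes at aPtr with the poison value.
 *
 * aPtr MUST be aligned on a sizeof(uintptr_t) boundary. Only a whole
 * multiple of sizeof(uintptr_t) bytes is overwritten; the trailing bytes
 * (if any, when aSize is not such a multiple) are left untouched.
 *
 * @param aPtr   start of the block to poison; sizeof(uintptr_t)-aligned.
 * @param aSize  size of the block in bytes. Must be at least
 *               sizeof(uintptr_t), otherwise nothing is written (both
 *               preconditions are asserted in debug builds).
 */
inline void mozWritePoison(void* aPtr, size_t aSize)
{
  const uintptr_t POISON = mozPoisonValue();

  /* The alignment precondition was documented but never checked: with a
   * misaligned pointer the poison words straddle word boundaries, so a
   * later word-sized load of the block does not read the poison value. */
  MOZ_ASSERT(((uintptr_t)aPtr & (sizeof(uintptr_t) - 1)) == 0,
             "mozWritePoison requires a sizeof(uintptr_t)-aligned pointer");
  MOZ_ASSERT(aSize >= sizeof(uintptr_t), "poisoning this object has no effect");

  /* C-style casts are kept on purpose: this part of the header precedes the
   * __cplusplus guard below, so C++ named casts are not available here. */
  char* p = (char*)aPtr;
  /* Round aSize down to a multiple of sizeof(uintptr_t); the remainder is
   * deliberately never written, as documented above. */
  char* limit = p + (aSize & ~(sizeof(uintptr_t) - 1));
  for (; p < limit; p += sizeof(uintptr_t)) {
    memcpy(p, &POISON, sizeof(POISON));
  }
}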
/**
 * Initialize the poison value (gMozillaPoisonValue).
 * This should only be called once; mozPoisonValue() and mozWritePoison()
 * read the value it sets, so it must run before either of them is used.
 */
extern MFBT_API void mozPoisonValueInit();
/* Values annotated by CrashReporter. The names suggest the base address and
 * byte size of the poisoned address range, so that a crash address inside it
 * can be recognised as a poisoned dereference -- verify against the
 * reporter code; nothing in this header defines or uses them. */
extern MFBT_DATA uintptr_t gMozillaPoisonBase;
extern MFBT_DATA uintptr_t gMozillaPoisonSize;
62 #if defined(__cplusplus)
/**
 * A version of CorruptionCanary that is suitable as a member of objects that
 * are statically allocated.
 *
 * The canary holds a fixed pattern (kCanarySet) from construction onwards;
 * Check() crashes the process as soon as the pattern is found altered, which
 * turns silent memory corruption into a deterministic, easily located crash.
 */
class CorruptionCanaryForStatics {
public:
  // constexpr so that statically allocated owners need no dynamic initializer.
  constexpr CorruptionCanaryForStatics() : mValue(kCanarySet) {}

  // A defaulted (trivial) destructor is required to avoid static constructor
  // bloat for statically allocated owners.
  ~CorruptionCanaryForStatics() = default;

  /**
   * Crash immediately if the canary no longer holds its expected pattern.
   * Call this wherever corruption is suspected; the crash then points at
   * the Check() site rather than at some later use of the corrupted memory.
   */
  void Check() const {
    if (mValue == kCanarySet) {
      return;
    }
    MOZ_CRASH("Canary check failed, check lifetime");
  }

protected:
  // The canary word; derived classes may overwrite it (see CorruptionCanary).
  uintptr_t mValue;

private:
  // Expected canary pattern. Distinct from the poison value so that a
  // poisoned canary is also detected by Check().
  static constexpr uintptr_t kCanarySet = 0x0f0b0f0b;
};
/**
 * This class is designed to cause crashes when various kinds of memory
 * corruption are observed. For instance, let's say we have a class C where we
 * suspect out-of-bounds writes to some members. We can insert a member of type
 * Poison near the members we suspect are being corrupted by out-of-bounds
 * writes. Or perhaps we have a class K we suspect is subject to use-after-free
 * violations, in which case it doesn't particularly matter where in the class
 * we add the member of type Poison.
 *
 * In either case, we then insert calls to Check() throughout the code. Doing
 * so enables us to narrow down the location where the corruption is occurring.
 * A pleasant side-effect of these additional Check() calls is that crash
 * signatures may become more regular, as crashes will ideally occur
 * consolidated at the point of a Check(), rather than scattered about at
 * various uses of the corrupted memory.
 */
class CorruptionCanary : public CorruptionCanaryForStatics {
public:
  constexpr CorruptionCanary() = default;

  // Overwrite the canary with the poison value on destruction, so that a
  // Check() reached through a dangling reference (use-after-free) fails
  // instead of seeing the still-intact kCanarySet pattern.
  ~CorruptionCanary() {
    mValue = mozPoisonValue();
  }
};
124 #endif /* mozilla_Poison_h */