mfbt/Poison.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 /*
   8  * A poison value that can be used to fill a memory space with
   9  * an address that leads to a safe crash when dereferenced.
  10  */
  11
  12 #ifndef mozilla_Poison_h
  13 #define mozilla_Poison_h
  14
  15 #include "mozilla/Assertions.h"
  16 #include "mozilla/Types.h"
  17
  18 #include <stdint.h>
  19 #include <string.h>
  20
  21 MOZ_BEGIN_EXTERN_C
  22
  23 extern MFBT_DATA uintptr_t gMozillaPoisonValue;
  24
  25 /**
  26  * @return the poison value.
  27  */
  28 inline uintptr_t mozPoisonValue()
  29 {
  30   return gMozillaPoisonValue;
  31 }
  32
  33 /**
  34  * Overwrite the memory block of aSize bytes at aPtr with the poison value.
  35  * aPtr MUST be aligned at a sizeof(uintptr_t) boundary.
  36  * Only an even number of sizeof(uintptr_t) bytes are overwritten, the last
  37  * few bytes (if any) is not overwritten.
  38  */
  39 inline void mozWritePoison(void* aPtr, size_t aSize)
  40 {
  41   const uintptr_t POISON = mozPoisonValue();
  42   char* p = (char*)aPtr;
  43   char* limit = p + (aSize & ~(sizeof(uintptr_t) - 1));
  44   MOZ_ASSERT(aSize >= sizeof(uintptr_t), "poisoning this object has no effect");
  45   for (; p < limit; p += sizeof(uintptr_t)) {
  46     memcpy(p, &POISON, sizeof(POISON));
  47   }
  48 }
  49
  50 /**
  51  * Initialize the poison value.
  52  * This should only be called once.
  53  */
  54 extern MFBT_API void mozPoisonValueInit();
  55
  56 /* Values annotated by CrashReporter */
  57 extern MFBT_DATA uintptr_t gMozillaPoisonBase;
  58 extern MFBT_DATA uintptr_t gMozillaPoisonSize;
  59
  60 MOZ_END_EXTERN_C
  61
  62 #if defined(__cplusplus)
  63
  64 namespace mozilla {
  65
  66 /**
  67  * A version of CorruptionCanary that is suitable as a member of objects that
  68  * are statically allocated.
  69  */
  70 class CorruptionCanaryForStatics {
  71 public:
  72   constexpr CorruptionCanaryForStatics()
  73     : mValue(kCanarySet)
  74   {
  75   }
  76
  77   // This is required to avoid static constructor bloat.
  78   ~CorruptionCanaryForStatics() = default;
  79
  80   void Check() const {
  81     if (mValue != kCanarySet) {
  82       MOZ_CRASH("Canary check failed, check lifetime");
  83     }
  84   }
  85
  86 protected:
  87   uintptr_t mValue;
  88
  89 private:
  90   static const uintptr_t kCanarySet = 0x0f0b0f0b;
  91 };
  92
  93
  94 /**
  95  * This class is designed to cause crashes when various kinds of memory
  96  * corruption are observed. For instance, let's say we have a class C where we
  97  * suspect out-of-bounds writes to some members.  We can insert a member of type
  98  * Poison near the members we suspect are being corrupted by out-of-bounds
  99  * writes.  Or perhaps we have a class K we suspect is subject to use-after-free
 100  * violations, in which case it doesn't particularly matter where in the class
 101  * we add the member of type Poison.
 102  *
 103  * In either case, we then insert calls to Check() throughout the code.  Doing
 104  * so enables us to narrow down the location where the corruption is occurring.
 105  * A pleasant side-effect of these additional Check() calls is that crash
 106  * signatures may become more regular, as crashes will ideally occur
 107  * consolidated at the point of a Check(), rather than scattered about at
 108  * various uses of the corrupted memory.
 109  */
 110 class CorruptionCanary : public CorruptionCanaryForStatics {
 111 public:
 112   constexpr CorruptionCanary() = default;
 113
 114   ~CorruptionCanary() {
 115     Check();
 116     mValue = mozPoisonValue();
 117   }
 118 };
 119
 120 } // mozilla
 121
 122 #endif
 123
 124 #endif /* mozilla_Poison_h */