| blob | 0c00b17c73be52b99dbd800bd837e65b85f52105 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
16 #include <errno.h>
31 #ifdef XP_WIN
34 #elif defined(__wasi__)
35 # if defined(JS_CODEGEN_WASM32)
36 # include <cstdlib>
37 # else
38 // Nothing.
39 # endif
40 #else
41 # include <sys/mman.h>
42 # include <unistd.h>
43 #endif
45 #ifdef MOZ_VALGRIND
46 # include <valgrind/valgrind.h>
47 #endif
49 #if defined(XP_IOS)
50 # include <BrowserEngineCore/BEMemory.h>
51 #endif
56 #ifdef XP_WIN
57 # if defined(HAVE_64BIT_BUILD)
58 # define NEED_JIT_UNWIND_HANDLING
59 # endif
62 /*
63 * Inspiration is V8's OS::Allocate in platform-win32.cc.
64 *
65 * VirtualAlloc takes 64K chunks out of the virtual address space, so we
66 * keep 16b alignment.
67 *
68 * x86: V8 comments say that keeping addresses in the [64MiB, 1GiB) range
69 * tries to avoid system default DLL mapping space. In the end, we get 13
70 * bits of randomness in our selection.
71 * x64: [2GiB, 4TiB), with 25 bits of randomness.
72 */
73 # ifdef HAVE_64BIT_BUILD
76 # elif defined(_M_IX86) || defined(__i386__)
79 # else
81 # endif
85 }
87 # ifdef NEED_JIT_UNWIND_HANDLING
90 # endif
93 # ifdef NEED_JIT_UNWIND_HANDLING
96 # else
97 // Just do nothing if unwind handling is disabled.
98 # endif
99 }
101 # ifdef NEED_JIT_UNWIND_HANDLING
102 # if defined(_M_ARM64)
103 // See the ".xdata records" section of
104 // https://docs.microsoft.com/en-us/cpp/build/arm64-exception-handling
105 // These records can have various fields present or absent depending on the
106 // bits set in the header. Our struct will use one 32-bit slot for unwind codes,
107 // and no slots for epilog scopes.
117 };
120 # else
121 // From documentation for UNWIND_INFO on
122 // https://learn.microsoft.com/en-us/cpp/build/exception-handling-x64
130 };
137 };
139 };
149 UnwindInfo unwindInfo;
164 // Offset here are specified to beginning of the -next- instruction.
172 }
173 };
174 # endif
178 UnwindData unwindData;
180 RUNTIME_FUNCTION runtimeFunction;
181 };
183 // This function must match the function pointer type PEXCEPTION_HANDLER
184 // mentioned in:
185 // http://msdn.microsoft.com/en-us/library/ssa62fwe.aspx.
186 // This type is rather elusive in documentation; Wine is the best I've found:
187 // http://source.winehq.org/source/include/winnt.h
190 _EXCEPTION_REGISTRATION_RECORD**) {
193 }
196 }
198 // Required for enabling Stackwalking on windows using external tools.
203 // For an explanation of the problem being solved here, see
204 // SetJitExceptionFilter in jsfriendapi.h.
208 }
210 // A page was reserved inside this structure for the record. This is because
211 // all entries in the record are describes as an offset from the start of the
212 // memory region. We construct the record there.
216 // Because the .xdata format on ARM64 can only encode sizes up to 1M (much
217 // too small for our JIT code regions), we register a function table callback
218 // to provide RUNTIME_FUNCTIONs at runtime. Windows doesn't seem to care about
219 // the size fields on RUNTIME_FUNCTIONs that are created in this way, so the
220 // same RUNTIME_FUNCTION can work for any address in the region. We'll set up
221 // a generic one now and the callback can just return a pointer to it.
223 // All these fields are specified to be offsets from the base of the
224 // executable code (which is 'p'), even if they have 'Address' in their
225 // names. In particular, exceptionHandler is a ULONG offset which is a
226 // 32-bit integer. Since 'p' can be farther than INT32_MAX away from
227 // sJitExceptionHandler, we must generate a little thunk inside the
228 // record. The record is put on its own page so that we can take away write
229 // access to protect against accidental clobbering.
231 # if defined(_M_ARM64)
234 }
239 "The ARM64 .pdata format requires that exception information "
246 // Use a fake unwind code to make the Windows unwinder do _something_. If the
247 // PC and SP both stay unchanged, we'll fail the unwinder's sanity checks and
248 // it won't call our exception handler.
257 // xip0/r16 should be safe to clobber: Windows just used it to call our thunk.
260 // Say `handler` is 0x4444333322221111, then:
266 # else
272 // mov imm64, rax
277 // jmp rax
280 # endif
282 // RtlAddGrowableFunctionTable will write into the region. We must therefore
283 // only write-protect is after this has been called.
285 // XXX NB: The profiler believes this function is only called from the main
286 // thread. If that ever becomes untrue, the profiler must be updated
287 // immediately.
288 {
289 AutoSuppressStackWalking suppress;
295 }
296 }
298 DWORD oldProtect;
301 }
304 }
307 // There's no such thing as RtlUninstallFunctionTableCallback, so there's
308 // nothing to do here.
309 }
310 # endif
313 # ifdef NEED_JIT_UNWIND_HANDLING
315 // Always reserve space for the unwind information.
317 # endif
325 }
326 }
329 // Try again without randomization.
333 }
334 }
336 # ifdef NEED_JIT_UNWIND_HANDLING
341 // This should have succeeded if we have an exception handler. Bail.
344 }
345 }
347 // Skip the first page where we might have allocated an exception handler
348 // record.
353 # endif
355 }
358 # ifdef NEED_JIT_UNWIND_HANDLING
366 }
367 # endif
370 }
375 }
381 }
383 }
386 ProtectionSetting protection) {
391 }
394 }
399 }
400 }
401 #elif defined(__wasi__)
402 # if defined(JS_CODEGEN_WASM32)
405 }
409 }
412 ProtectionSetting protection) {
414 }
418 # else
422 }
425 }
427 ProtectionSetting protection) {
430 }
433 }
434 # endif
436 # ifndef MAP_NORESERVE
437 # define MAP_NORESERVE 0
438 # endif
441 # ifdef __OpenBSD__
442 // OpenBSD already has random mmap and the idea that all x64 cpus
443 // have 48-bit address space is not correct. Returning nullptr
444 // allows OpenBSD do to the right thing.
446 # else
449 # ifdef HAVE_64BIT_BUILD
450 // x64 CPUs have a 48-bit address space and on some platforms the OS will
451 // give us access to 47 bits, so to be safe we right shift by 18 to leave
452 // 46 bits.
454 # else
455 // On 32-bit, right shift by 34 to leave 30 bits, range [0, 1GiB). Then add
456 // 512MiB to get range [512MiB, 1.5GiB), or [0x20000000, 0x60000000). This
457 // is based on V8 comments in platform-posix.cc saying this range is
458 // relatively unpopulated across a variety of kernels.
461 # endif
463 // Ensure page alignment.
466 # endif
467 }
472 // On most Unix platforms our strategy is as follows:
473 //
474 // * Reserve: mmap with PROT_NONE
475 // * Commit: mmap with MAP_FIXED, PROT_READ | ...
476 // * Decommit: mmap with MAP_FIXED, PROT_NONE
477 //
478 // On Apple Silicon this only works if we use mprotect to implement W^X. To
479 // use RWX pages with the faster pthread_jit_write_protect_np API for
480 // thread-local writable/executable switching, the kernel enforces the
481 // following rules:
482 //
483 // * The initial mmap must be called with MAP_JIT.
484 // * MAP_FIXED can't be used with MAP_JIT.
485 // * Since macOS 11.2, mprotect can't be used to change permissions of RWX JIT
486 // pages (even PROT_NONE fails).
487 // See https://developer.apple.com/forums/thread/672804.
488 //
489 // This means we have to use the following strategy on Apple Silicon:
490 //
491 // * Reserve: 1) mmap with PROT_READ | PROT_WRITE | PROT_EXEC and MAP_JIT
492 // 2) decommit
493 // * Commit: madvise with MADV_FREE_REUSE
494 // * Decommit: madvise with MADV_FREE_REUSABLE
495 //
496 // On Intel Macs we also need to use MAP_JIT, to be compatible with the
497 // Hardened Runtime (with com.apple.security.cs.allow-jit = true). The
498 // pthread_jit_write_protect_np API is not available on Intel and MAP_JIT
499 // can't be used with MAP_FIXED, so we have to use a hybrid of the above two
500 // strategies:
501 //
502 // * Reserve: 1) mmap with PROT_NONE and MAP_JIT
503 // 2) decommit
504 // * Commit: 1) madvise with MADV_FREE_REUSE
505 // 2) mprotect with PROT_READ | ...
506 // * Decommit: 1) mprotect with PROT_NONE
507 // 2) madvise with MADV_FREE_REUSABLE
508 //
509 // This is inspired by V8's code in OS::SetPermissions.
511 // Note that randomAddr is just a hint: if the address is not available
512 // mmap will pick a different address.
516 # if defined(XP_DARWIN)
518 # if defined(JS_USE_APPLE_FAST_WX)
520 # endif
521 # endif
526 }
527 # if defined(XP_DARWIN)
529 # endif
531 }
536 }
541 }
542 # ifdef MOZ_VALGRIND
543 // If we're configured for Valgrind and running on it, use a slacker
544 // scheme that doesn't change execute permissions, since doing so causes
545 // Valgrind a lot of extra overhead re-JITting code that loses and later
546 // regains execute permission. See bug 1338179.
553 }
555 }
556 // If we get here, we're configured for Valgrind but not running on
557 // it, so use the standard scheme.
558 # endif
564 }
566 }
569 ProtectionSetting protection) {
570 // See the comment in ReserveProcessExecutableMemory.
571 # if defined(XP_DARWIN)
578 }
579 # if !defined(JS_USE_APPLE_FAST_WX)
583 }
584 # endif
586 # else
593 }
596 # endif
597 }
600 // See the comment in ReserveProcessExecutableMemory.
601 # if defined(XP_DARWIN)
603 # if !defined(JS_USE_APPLE_FAST_WX)
606 # endif
611 # else
612 // Use mmap with MAP_FIXED and PROT_NONE. Inspired by jemalloc's
613 // pages_decommit.
618 # endif
619 }
620 #endif
636 }
640 }
647 }
652 }
657 }
659 #ifdef DEBUG
664 }
665 }
667 }
668 #endif
669 };
671 // Per-process executable memory allocator. It reserves a block of memory of
672 // MaxCodeBytesPerProcess bytes, then allocates/deallocates pages from that.
673 //
674 // This has a number of benefits compared to raw mmap/VirtualAlloc:
675 //
676 // * More resillient against certain attacks.
677 //
678 // * Behaves more consistently across platforms: it avoids the 64K granularity
679 // issues on Windows, for instance.
680 //
681 // * On x64, near jumps can be used for jumps to other JIT pages.
682 //
683 // * On Win64, we have to register the exception handler only once (at process
684 // startup). This saves some memory and avoids RtlAddFunctionTable profiler
685 // deadlocks.
693 // Start of the MaxCodeBytesPerProcess memory block or nullptr if
694 // uninitialized. Note that this is NOT guaranteed to be aligned to
695 // ExecutableCodePageSize.
698 // The fields below should only be accessed while we hold the lock.
699 Mutex lock_ MOZ_UNANNOTATED;
701 // pagesAllocated_ is an Atomic so that bytesAllocated does not have to
702 // take the lock.
705 // Page where we should try to allocate next.
729 }
737 }
746 }
756 }
762 }
767 }
770 MemCheckKind checkKind);
772 };
775 ProtectionSetting protection,
776 MemCheckKind checkKind) {
784 // Take the lock and try to allocate.
786 {
790 // Check if we have enough pages available.
793 }
797 // Maybe skip a page to make allocations less predictable.
801 // Make sure page + numPages - 1 is a valid index.
804 }
811 }
812 }
814 page++;
816 }
818 // Mark the pages as unavailable.
821 }
826 // If we allocated a small number of pages, move cursor_ to the
827 // next page. We don't do this for larger allocations to avoid
828 // skipping a large number of small holes.
831 }
835 }
838 }
839 }
841 // Commit the pages after releasing the lock.
845 }
850 }
866 // Decommit before taking the lock.
870 }
878 }
880 // Move the cursor back so we can reuse pages instead of fragmenting the
881 // whole region.
884 }
885 }
890 ProtectionSetting protection,
891 MemCheckKind checkKind) {
893 }
897 }
904 // Round down available memory to the closest MB.
907 }
910 // Use a 8 MB buffer.
916 }
920 }
923 ProtectionSetting protection,
924 MustFlushICache flushICache) {
925 #if defined(JS_CODEGEN_WASM32)
927 #endif
929 // Flush ICache when making code executable, before we modify |size|.
933 }
935 // Calculate the start of the page containing this region,
936 // and account for this extra memory within size.
943 // Round size up
951 // On weak memory systems, make sure new code is visible on all cores before
952 // addresses of the code are made public. Now is the latest moment in time
953 // when we can do that, and we're assuming that every other thread that has
954 // written into the memory that is being reprotected here has synchronized
955 // with this thread in such a way that the memory writes have become visible
956 // and we therefore only need to execute the fence once here. See bug 1529933
957 // for a longer discussion of why this is both necessary and sufficient.
958 //
959 // We use the C++ fence here -- and not AtomicOperations::fenceSeqCst() --
960 // primarily because ReprotectRegion will be called while we construct our own
961 // jitted atomics. But the C++ fence is sufficient and correct, too.
962 #ifdef __wasi__
964 #else
969 }
971 # ifdef JS_USE_APPLE_FAST_WX
973 # endif
975 # ifdef XP_WIN
977 // This is a essentially a VirtualProtect, but with lighter impact on
978 // antivirus analysis. See bug 1823634.
981 }
982 # else
986 }
987 # endif
992 }
994 #ifdef JS_USE_APPLE_FAST_WX
997 # if defined(XP_IOS)
1002 }
1003 # else
1008 }
1009 # endif
1010 }
1011 #endif
1013 #ifdef DEBUG
1019 }
1023 }
1028 }
1029 #endif