/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * A poison value that can be used to fill a memory space with
 * an address that leads to a safe crash when dereferenced.
 */

#ifndef mozilla_Poison_h
#define mozilla_Poison_h

#include "mozilla/Assertions.h"
#include "mozilla/Types.h"

#include <stdint.h>
#include <string.h>

MOZ_BEGIN_EXTERN_C

/* The process-wide poison value. Only declared here; the definition lives
 * with the rest of the MFBT_DATA symbols. */
extern MFBT_DATA uintptr_t gMozillaPoisonValue;

/**
 * Read the current poison value.
 *
 * @return gMozillaPoisonValue, the word that mozWritePoison() stamps into
 *         memory and that CorruptionCanary leaves behind on destruction.
 */
inline uintptr_t mozPoisonValue() { return gMozillaPoisonValue; }

/**
 * Fill the block of aSize bytes starting at aPtr with copies of the poison
 * value.
 *
 * The block is written one uintptr_t at a time, so only the first
 * (aSize rounded down to a multiple of sizeof(uintptr_t)) bytes are touched;
 * any trailing bytes keep their previous contents.
 *
 * @param aPtr   start of the block to poison. Written via memcpy, so it does
 *               not have to be uintptr_t-aligned.
 * @param aSize  size of the block in bytes. MOZ_ASSERTed to be at least
 *               sizeof(uintptr_t): anything smaller would write nothing.
 */
inline void mozWritePoison(void* aPtr, size_t aSize) {
  MOZ_ASSERT(aSize >= sizeof(uintptr_t), "poisoning this object has no effect");
  const uintptr_t poisonWord = mozPoisonValue();
  /* Round down to whole words; the remainder is intentionally left alone. */
  const size_t alignedSize = aSize & ~(sizeof(uintptr_t) - 1);
  unsigned char* bytes = (unsigned char*)aPtr;
  size_t offset = 0;
  while (offset < alignedSize) {
    /* memcpy rather than a direct uintptr_t store: no alignment requirement
     * on aPtr, and C-compatible since this sits inside the extern "C" block. */
    memcpy(bytes + offset, &poisonWord, sizeof poisonWord);
    offset += sizeof(uintptr_t);
  }
}

/* Values annotated by CrashReporter */
extern MFBT_DATA uintptr_t gMozillaPoisonBase;
extern MFBT_DATA uintptr_t gMozillaPoisonSize;

MOZ_END_EXTERN_C

#if defined(__cplusplus)

namespace mozilla {

/**
 * A version of CorruptionCanary that is suitable as a member of objects that
 * are statically allocated.
 *
 * The constructor is constexpr and the destructor is defaulted, so embedding
 * one in a static object adds no static initializer or finalizer. Unlike
 * CorruptionCanary, nothing is verified automatically: callers must invoke
 * Check() themselves.
 */
class CorruptionCanaryForStatics {
 public:
  constexpr CorruptionCanaryForStatics() : mValue(kCanarySet) {}

  // Kept defaulted on purpose, to avoid static constructor bloat.
  ~CorruptionCanaryForStatics() = default;

  /**
   * Crash unless mValue still holds the canary pattern written at
   * construction. Any other value means the object was overwritten or is
   * being touched outside its lifetime.
   */
  void Check() const {
    if (mValue == kCanarySet) {
      return;
    }
    MOZ_CRASH("Canary check failed, check lifetime");
  }

 protected:
  // The canary word: equals kCanarySet for as long as the object is intact.
  uintptr_t mValue;

 private:
  static const uintptr_t kCanarySet = 0x0f0b0f0b;
};

/**
 * This class is designed to cause crashes when various kinds of memory
 * corruption are observed. Suppose a class C is suspected of suffering
 * out-of-bounds writes to some of its members: placing a member of type
 * CorruptionCanary next to the members thought to be hit lets those writes
 * be detected. Or suppose a class K is suspected of use-after-free; then the
 * canary can go anywhere in K, since the destructor overwrites it with the
 * poison value and a later Check() on the dead object will fail.
 *
 * In either case, Check() calls are then sprinkled through the code, which
 * narrows down where the corruption happens. As a pleasant side effect the
 * crash signatures tend to become more regular, because the crashes ideally
 * all land at a Check() rather than scattered across whatever later consumes
 * the corrupted memory.
 */
class CorruptionCanary : public CorruptionCanaryForStatics {
 public:
  constexpr CorruptionCanary() = default;

  // Verify the canary one last time, then stamp the poison value over it so a
  // use of this object after destruction that reaches Check() crashes instead
  // of silently passing.
  ~CorruptionCanary() {
    Check();
    mValue = mozPoisonValue();
  }
};

}  // namespace mozilla

#endif

#endif /* mozilla_Poison_h */