1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4  * License, v. 2.0. If a copy of the MPL was not distributed with this
5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 
7 #ifndef jit_ProcessExecutableMemory_h
8 #define jit_ProcessExecutableMemory_h
9 
10 #include "util/Poison.h"
11 
12 namespace js {
13 namespace jit {
14 
15 // Limit on the number of bytes of executable memory to prevent JIT spraying
16 // attacks.
17 #if JS_BITS_PER_WORD == 32
18 static const size_t MaxCodeBytesPerProcess = 140 * 1024 * 1024;
19 #else
20 // This is the largest number which satisfies various alignment static
21 // asserts that is <= INT32_MAX. The INT32_MAX limit is required for making a
22 // single call to RtlInstallFunctionTableCallback(). (This limit could be
23 // relaxed in the future by making multiple calls.)
24 static const size_t MaxCodeBytesPerProcess = 2044 * 1024 * 1024;
25 #endif
26 
27 // Limit on the number of bytes of code memory per buffer.  This limit comes
28 // about because we encode an unresolved relative unconditional branch during
29 // assembly as a branch instruction that carries the absolute offset of the next
30 // branch instruction in the chain of branches that all reference the same
31 // unresolved label.  For this architecture to work, no branch instruction may
32 // lie at an offset greater than the maximum forward branch distance.  This is
33 // true on both ARM and ARM64.
34 //
35 // Notably, even though we know that the offsets thus encoded are always
36 // positive offsets, we use only the positive part of the signed range of the
37 // branch offset.
38 //
39 // On ARM-32, we are limited by BOffImm::IsInRange(), which checks that the
40 // offset is no greater than 2^25-4 in the offset's 26-bit signed field.
41 //
42 // On ARM-64, we are limited by Instruction::ImmBranchMaxForwardOffset(), which
43 // checks that the offset is no greater than 2^27-4 in the offset's 28-bit
44 // signed field.
45 //
46 // On MIPS, there are no limitations because the assembler has to implement
47 // jump chaining to be effective at all (jump offsets are quite small).
48 //
49 // On x86 and x64, there are no limitations here because the assembler
50 // MOZ_CRASHes if the 32-bit offset is exceeded.
51 
52 #if defined(JS_CODEGEN_ARM)
53 static const size_t MaxCodeBytesPerBuffer = (1 << 25) - 4;
54 #elif defined(JS_CODEGEN_ARM64)
55 static const size_t MaxCodeBytesPerBuffer = (1 << 27) - 4;
56 #else
57 static const size_t MaxCodeBytesPerBuffer = MaxCodeBytesPerProcess;
58 #endif
59 
60 // Executable code is allocated in 64K chunks. ExecutableAllocator uses pools
61 // that are at least this big. Code we allocate does not necessarily have 64K
62 // alignment though.
63 static const size_t ExecutableCodePageSize = 64 * 1024;
64 
65 enum class ProtectionSetting {
66   Protected,  // Not readable, writable, or executable.
67   Writable,
68   Executable,
69 };
70 
71 /// Whether the instruction cache must be flushed:
72 //- No means no flushing will happen.
73 //- LocalThreadOnly means only the local thread's icache will be flushed.
74 //- AllThreads means all the threads' icaches will be flushed; this must be used
75 // when the compiling thread and the executing thread might be different.
76 
77 enum class MustFlushICache { No, LocalThreadOnly, AllThreads };
78 
79 enum class FlushICacheSpec { LocalThreadOnly, AllThreads };
80 
81 [[nodiscard]] extern bool ReprotectRegion(void* start, size_t size,
82                                           ProtectionSetting protection,
83                                           MustFlushICache flushICache);
84 
85 // Functions called at process start-up/shutdown to initialize/release the
86 // executable memory region.
87 [[nodiscard]] extern bool InitProcessExecutableMemory();
88 extern void ReleaseProcessExecutableMemory();
89 
90 // Allocate/deallocate executable pages.
91 extern void* AllocateExecutableMemory(size_t bytes,
92                                       ProtectionSetting protection,
93                                       MemCheckKind checkKind);
94 extern void DeallocateExecutableMemory(void* addr, size_t bytes);
95 
96 // Returns true if we can allocate a few more MB of executable code without
97 // hitting our code limit. This function can be used to stop compiling things
98 // that are optional (like Baseline and Ion code) when we're about to reach the
99 // limit, so we are less likely to OOM or crash. Note that the limit is
100 // per-process, so other threads can also allocate code after we call this
101 // function.
102 extern bool CanLikelyAllocateMoreExecutableMemory();
103 
104 // Returns a rough guess of how much executable memory remains available,
105 // rounded down to MB limit.  Note this can fluctuate as other threads within
106 // the process allocate executable memory.
107 extern size_t LikelyAvailableExecutableMemory();
108 
109 // Returns whether |p| is stored in the executable code buffer.
110 extern bool AddressIsInExecutableMemory(const void* p);
111 
112 }  // namespace jit
113 }  // namespace js
114 
115 #endif  // jit_ProcessExecutableMemory_h
116