1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #ifndef jit_ProcessExecutableMemory_h 8 #define jit_ProcessExecutableMemory_h 9 10 #include "util/Poison.h" 11 12 namespace js { 13 namespace jit { 14 15 // Limit on the number of bytes of executable memory to prevent JIT spraying 16 // attacks. 17 #if JS_BITS_PER_WORD == 32 18 static const size_t MaxCodeBytesPerProcess = 140 * 1024 * 1024; 19 #else 20 // This is the largest number which satisfies various alignment static 21 // asserts that is <= INT32_MAX. The INT32_MAX limit is required for making a 22 // single call to RtlInstallFunctionTableCallback(). (This limit could be 23 // relaxed in the future by making multiple calls.) 24 static const size_t MaxCodeBytesPerProcess = 2044 * 1024 * 1024; 25 #endif 26 27 // Limit on the number of bytes of code memory per buffer. This limit comes 28 // about because we encode an unresolved relative unconditional branch during 29 // assembly as a branch instruction that carries the absolute offset of the next 30 // branch instruction in the chain of branches that all reference the same 31 // unresolved label. For this architecture to work, no branch instruction may 32 // lie at an offset greater than the maximum forward branch distance. This is 33 // true on both ARM and ARM64. 34 // 35 // Notably, even though we know that the offsets thus encoded are always 36 // positive offsets, we use only the positive part of the signed range of the 37 // branch offset. 38 // 39 // On ARM-32, we are limited by BOffImm::IsInRange(), which checks that the 40 // offset is no greater than 2^25-4 in the offset's 26-bit signed field. 41 // 42 // On ARM-64, we are limited by Instruction::ImmBranchMaxForwardOffset(), which 43 // checks that the offset is no greater than 2^27-4 in the offset's 28-bit 44 // signed field. 45 // 46 // On MIPS, there are no limitations because the assembler has to implement 47 // jump chaining to be effective at all (jump offsets are quite small). 48 // 49 // On x86 and x64, there are no limitations here because the assembler 50 // MOZ_CRASHes if the 32-bit offset is exceeded. 51 52 #if defined(JS_CODEGEN_ARM) 53 static const size_t MaxCodeBytesPerBuffer = (1 << 25) - 4; 54 #elif defined(JS_CODEGEN_ARM64) 55 static const size_t MaxCodeBytesPerBuffer = (1 << 27) - 4; 56 #else 57 static const size_t MaxCodeBytesPerBuffer = MaxCodeBytesPerProcess; 58 #endif 59 60 // Executable code is allocated in 64K chunks. ExecutableAllocator uses pools 61 // that are at least this big. Code we allocate does not necessarily have 64K 62 // alignment though. 63 static const size_t ExecutableCodePageSize = 64 * 1024; 64 65 enum class ProtectionSetting { 66 Protected, // Not readable, writable, or executable. 67 Writable, 68 Executable, 69 }; 70 71 /// Whether the instruction cache must be flushed: 72 //- No means no flushing will happen. 73 //- LocalThreadOnly means only the local thread's icache will be flushed. 74 //- AllThreads means all the threads' icaches will be flushed; this must be used 75 // when the compiling thread and the executing thread might be different. 76 77 enum class MustFlushICache { No, LocalThreadOnly, AllThreads }; 78 79 enum class FlushICacheSpec { LocalThreadOnly, AllThreads }; 80 81 [[nodiscard]] extern bool ReprotectRegion(void* start, size_t size, 82 ProtectionSetting protection, 83 MustFlushICache flushICache); 84 85 // Functions called at process start-up/shutdown to initialize/release the 86 // executable memory region. 87 [[nodiscard]] extern bool InitProcessExecutableMemory(); 88 extern void ReleaseProcessExecutableMemory(); 89 90 // Allocate/deallocate executable pages. 91 extern void* AllocateExecutableMemory(size_t bytes, 92 ProtectionSetting protection, 93 MemCheckKind checkKind); 94 extern void DeallocateExecutableMemory(void* addr, size_t bytes); 95 96 // Returns true if we can allocate a few more MB of executable code without 97 // hitting our code limit. This function can be used to stop compiling things 98 // that are optional (like Baseline and Ion code) when we're about to reach the 99 // limit, so we are less likely to OOM or crash. Note that the limit is 100 // per-process, so other threads can also allocate code after we call this 101 // function. 102 extern bool CanLikelyAllocateMoreExecutableMemory(); 103 104 // Returns a rough guess of how much executable memory remains available, 105 // rounded down to MB limit. Note this can fluctuate as other threads within 106 // the process allocate executable memory. 107 extern size_t LikelyAvailableExecutableMemory(); 108 109 // Returns whether |p| is stored in the executable code buffer. 110 extern bool AddressIsInExecutableMemory(const void* p); 111 112 } // namespace jit 113 } // namespace js 114 115 #endif // jit_ProcessExecutableMemory_h 116