1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4  * License, v. 2.0. If a copy of the MPL was not distributed with this
5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 
7 /*
8  * A poison value that can be used to fill a memory space with
9  * an address that leads to a safe crash when dereferenced.
10  */
11 
12 #ifndef mozilla_Poison_h
13 #define mozilla_Poison_h
14 
15 #include "mozilla/Assertions.h"
16 #include "mozilla/Types.h"
17 
18 #include <stdint.h>
19 #include <string.h>
20 
21 MOZ_BEGIN_EXTERN_C
22 
23 extern MFBT_DATA uintptr_t gMozillaPoisonValue;
24 
25 /**
26  * @return the poison value.
27  */
/**
 * Read the process-wide poison value.
 *
 * @return the current contents of gMozillaPoisonValue (which
 *         mozPoisonValueInit() is expected to have filled in; this
 *         accessor does not check that).
 */
inline uintptr_t mozPoisonValue() {
  const uintptr_t poison = gMozillaPoisonValue;
  return poison;
}
29 
30 /**
31  * Overwrite the memory block of aSize bytes at aPtr with the poison value.
32  * aPtr MUST be aligned at a sizeof(uintptr_t) boundary.
 * Only a whole multiple of sizeof(uintptr_t) bytes is overwritten; any
 * trailing bytes past the last full uintptr_t word are left untouched.
35  */
inline void mozWritePoison(void* aPtr, size_t aSize) {
  // A block smaller than one word gets no writes at all (see wordBytes
  // below), so flag that as a caller mistake up front.  If MOZ_ASSERT is
  // compiled out, such a call is simply a no-op.
  MOZ_ASSERT(aSize >= sizeof(uintptr_t), "poisoning this object has no effect");

  const uintptr_t poison = mozPoisonValue();

  // Round aSize down to a whole number of uintptr_t words.  sizeof(uintptr_t)
  // is a power of two, so this equals masking off the low bits.  Any partial
  // trailing word is deliberately NOT poisoned and keeps its old contents.
  const size_t wordBytes = aSize - (aSize % sizeof(uintptr_t));

  char* cursor = (char*)aPtr;  /* C-style cast: this section may be compiled as C */
  char* const end = cursor + wordBytes;

  while (cursor < end) {
    // memcpy rather than a direct uintptr_t store keeps the write itself
    // well-defined whatever the pointer's alignment; the documented contract
    // nevertheless requires aPtr to be sizeof(uintptr_t)-aligned.
    memcpy(cursor, &poison, sizeof(poison));
    cursor += sizeof(poison);
  }
}
45 
46 /**
47  * Initialize the poison value.
48  * This should only be called once.
49  */
50 extern MFBT_API void mozPoisonValueInit();
51 
52 /* Values annotated by CrashReporter */
53 extern MFBT_DATA uintptr_t gMozillaPoisonBase;
54 extern MFBT_DATA uintptr_t gMozillaPoisonSize;
55 
56 MOZ_END_EXTERN_C
57 
58 #if defined(__cplusplus)
59 
60 namespace mozilla {
61 
62 /**
63  * This class is designed to cause crashes when various kinds of memory
 * corruption are observed. For instance, let's say we have a class C where we
 * suspect out-of-bounds writes to some members.  We can insert a member of type
 * CorruptionCanary near the members we suspect are being corrupted by
 * out-of-bounds writes.  Or perhaps we have a class K we suspect is subject to
 * use-after-free violations, in which case it doesn't particularly matter
 * where in the class we add the member of type CorruptionCanary.
70  *
71  * In either case, we then insert calls to Check() throughout the code.  Doing
72  * so enables us to narrow down the location where the corruption is occurring.
73  * A pleasant side-effect of these additional Check() calls is that crash
74  * signatures may become more regular, as crashes will ideally occur
75  * consolidated at the point of a Check(), rather than scattered about at
76  * various uses of the corrupted memory.
77  */
class CorruptionCanary {
 public:
  // Arm the canary: every later Check() expects to see kCanarySet here.
  CorruptionCanary() : mValue(kCanarySet) {}

  // Verify the canary one final time, then stamp the slot with the poison
  // value so that a stale reference to this object (use-after-free) fails
  // its next Check() instead of silently passing.
  ~CorruptionCanary() {
    Check();
    mValue = mozPoisonValue();
  }

  // Abort the process (via MOZ_CRASH) unless the canary still holds
  // kCanarySet.  Call this from the code paths where you want corruption to
  // be reported, so crash signatures cluster here rather than at the many
  // places the corrupted memory is eventually used.
  void Check() const {
    if (mValue == kCanarySet) {
      return;
    }
    MOZ_CRASH("Canary check failed, check lifetime");
  }

 private:
  // NOTE(review): this is a fixed, publicly known constant, so the canary
  // detects accidental overwrites and lifetime bugs; it is not a defence
  // against an attacker who can deliberately write this exact value back.
  // The literal only occupies the low 32 bits, so on 64-bit targets a
  // corrupting write that leaves the upper bits zero and the low bits intact
  // is not detected either.
  static const uintptr_t kCanarySet = 0x0f0b0f0b;
  uintptr_t mValue;
};
97 
98 }  // namespace mozilla
99 
100 #endif
101 
102 #endif /* mozilla_Poison_h */
103