[Mac] Implement base::EnableTerminationOnHeapCorruption() by overriding malloc_error_break().

base/process_util_mac.mm

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/process_util.h"
 
 #import <Cocoa/Cocoa.h>
 #include <crt_externs.h>
 #include <dlfcn.h>
 #include <mach/mach.h>
 #include <mach/mach_init.h>
 #include <mach/mach_vm.h>
 #include <mach/shared_region.h>
 #include <mach/task.h>
+#include <mach-o/dyld.h>
+#include <mach-o/nlist.h>
 #include <malloc/malloc.h>
 #import <objc/runtime.h>
 #include <spawn.h>
 #include <sys/mman.h>
 #include <sys/sysctl.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 
 #include <new>
 #include <string>
 
 #include "base/debug/debugger.h"
 #include "base/eintr_wrapper.h"
 #include "base/hash_tables.h"
 #include "base/logging.h"
 #include "base/mac/mac_util.h"
 #include "base/string_util.h"
 #include "base/sys_info.h"
 #include "base/sys_string_conversions.h"
 #include "base/time.h"
 #include "third_party/apple_apsl/CFBase.h"
 #include "third_party/apple_apsl/malloc.h"
+#include "third_party/mach_override/mach_override.h"
 
 namespace base {
 
 void RestoreDefaultExceptionHandler() {
   // This function is tailored to remove the Breakpad exception handler.
   // exception_mask matches s_exception_mask in
   // breakpad/src/client/mac/handler/exception_handler.cc
   const exception_mask_t exception_mask = EXC_MASK_BAD_ACCESS |
                                           EXC_MASK_BAD_INSTRUCTION |
                                           EXC_MASK_ARITHMETIC |
@@ skipping 429 matching lines @@
   vm_size_t page_size;
   kr = host_page_size(host, &page_size);
   if (kr) {
     LOG(ERROR) << "Failed to fetch host page size.";
     return 0;
   }
 
   return (data.active_count * page_size) / 1024;
 }
 
+namespace {
+
+typedef void(*malloc_error_break_t)(void);

[Mark Mentovai, 2011/08/17 16:44:55]

Move the typedef and declaration down so that they’re above CrMallocErrorBreak,
the first place they’re needed.

+malloc_error_break_t g_original_malloc_error_break = NULL;
+
+// Finds the library path for malloc() and thus libSystem, or at least a part
+// of it. libSystem was split into parts on Lion.
+const char* LookupLibSystemPath() {

[Mark Mentovai, 2011/08/17 16:44:55]

Since the “part of libSystem” is what Apple calls Libc (or
system/libsystem_c.dylib), this should probably refer to Libc or LibC,
LibSystemC, or LibSystemLibc or LibSystemLibC. (Libc has always been distinct in
source, but is only distinct in runtime binary as of Lion.)

“Look up” as a verb is two words, so InterCapped, this should be LookUpLibcPath
(or LookUpLibCPath). Same on line 510.

+  const void* addr = reinterpret_cast<void*>(&malloc);
+
+  Dl_info info;
+  if (dladdr(addr, &info))
+    return info.dli_fname;
+
+  LOG(WARNING) << "Could not find image path for malloc()";
+  return NULL;
+}
+
+// Returns the function pointer for malloc_error_break. This symbol is declared
+// as __private_extern__ and cannot be dlsym()ed. Instead, use nlist() to
+// get it.

[Mark Mentovai, 2011/08/17 16:44:55]

I think I’ll have to (or someone else will have to) write an nlist equivalent
that handles the 64-bit world. When I (or someone else) does this, it should be
possible to do without the stupid interface that opens a new copy of the
library. We should be able to do a better job and write something with a better
interface.

I actually kind of want to do this to give myself an nlist equivalent I can use
to test for the presence of symbols with N_UNDF for the
closure_blocks_leopard_compat unit test.

+malloc_error_break_t LookupMallocErrorBreak() {

[Mark Mentovai, 2011/08/17 16:44:55]

LookUp (as above).

+#if ARCH_CPU_32_BITS
+  const char* lib_system_path = LookupLibSystemPath();

[Mark Mentovai, 2011/08/17 16:44:55]

Rename the variable if you rename the function.

+  if (!lib_system_path)
+    return NULL;
+
+  // Only need to lookup two symbols, but nlist() requires a NULL-terminated

[Mark Mentovai, 2011/08/17 16:44:55]

Look up should be two words here too.

+  // array and takes no count. So do that.

[Mark Mentovai, 2011/08/17 16:44:55]

Nix “So do that.”

+  struct nlist nl[3];
+  bzero(&nl, sizeof(nl));
+
+  // The symbol to find.
+  nl[0].n_un.n_name = const_cast<char*>("_malloc_error_break");

[Mark Mentovai, 2011/08/17 16:44:55]

Wow, what a terrible interface.

+
+  // A reference symbol by which the address of the desired symbol will be
+  // calculated.
+  nl[1].n_un.n_name = const_cast<char*>("_malloc");
+
+  int rv = nlist(lib_system_path, nl);
+  if (rv < 0 || nl[0].n_type == N_UNDF || nl[1].n_type == N_UNDF) {

[Mark Mentovai, 2011/08/17 16:44:55]

Shouldn’t you explicitly test |rv == 0| here?

+    return NULL;
+  }
+
+  // nlist() returns addresses as offsets in the image, not the instruction
+  // pointer in memory. Use the known in-memory address of malloc()
+  // to compute the offset for malloc_error_break().
+  uintptr_t reference_addr = reinterpret_cast<uintptr_t>(&malloc);
+  reference_addr -= nl[1].n_value;
+  reference_addr += nl[0].n_value;
+
+  return reinterpret_cast<malloc_error_break_t>(reference_addr);
+#endif  // ARCH_CPU_32_BITS
+
+  return NULL;
+}
+
+void CrMallocErrorBreak() {
+  g_original_malloc_error_break();
+  base::debug::BreakDebugger();
+}
+
+}  // namespace
+
+void EnableTerminationOnHeapCorruption() {
+  malloc_error_break_t error_break = LookupMallocErrorBreak();

[Mark Mentovai, 2011/08/17 16:44:55]

I’d call this malloc_error_break.

+  if (!error_break) {
+    LOG(WARNING) << "Could not find malloc_error_break";
+    return;
+  }
+
+  mach_error_t err = mach_override_ptr(
+     (void*)error_break,
+     (void*)&CrMallocErrorBreak,
+     (void**)&g_original_malloc_error_break);
+
+  if (err != err_none)
+    LOG(WARNING) << "Could not override malloc_error_break; error = " << err;

[Mark Mentovai, 2011/08/17 16:44:55]

bpoop has a custom set of logging streams to handle mach_error_t. :)

(No change required, just sayin’.)

+}
 // ------------------------------------------------------------------------
 
 namespace {
 
 bool g_oom_killer_enabled;
 
 // === C malloc/calloc/valloc/realloc/posix_memalign ===
 
 typedef void* (*malloc_type)(struct _malloc_zone_t* zone,
                              size_t size);
@@ skipping 396 matching lines @@
   if (sysctl(mib, 4, &info, &length, NULL, 0) < 0) {
     PLOG(ERROR) << "sysctl";
     return -1;
   }
   if (length == 0)
     return -1;
   return info.kp_eproc.e_ppid;
 }
 
 }  // namespace base