[Mac] Implement base::EnableTerminationOnHeapCorruption() by overriding malloc_error_break().

base/process_util_mac.mm

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/process_util.h"
 
 #import <Cocoa/Cocoa.h>
 #include <crt_externs.h>
 #include <dlfcn.h>
 #include <mach/mach.h>
 #include <mach/mach_init.h>
 #include <mach/mach_vm.h>
 #include <mach/shared_region.h>
 #include <mach/task.h>
+#include <mach-o/dyld.h>
+#include <mach-o/nlist.h>
 #include <malloc/malloc.h>
 #import <objc/runtime.h>
 #include <spawn.h>
 #include <sys/mman.h>
 #include <sys/sysctl.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 
 #include <new>
 #include <string>
 
 #include "base/debug/debugger.h"
 #include "base/eintr_wrapper.h"
 #include "base/hash_tables.h"
 #include "base/logging.h"
 #include "base/mac/mac_util.h"
 #include "base/string_util.h"
 #include "base/sys_info.h"
 #include "base/sys_string_conversions.h"
 #include "base/time.h"
 #include "third_party/apple_apsl/CFBase.h"
 #include "third_party/apple_apsl/malloc.h"
+#include "third_party/mach_override/mach_override.h"
 
 namespace base {
 
 void RestoreDefaultExceptionHandler() {
   // This function is tailored to remove the Breakpad exception handler.
   // exception_mask matches s_exception_mask in
   // breakpad/src/client/mac/handler/exception_handler.cc
   const exception_mask_t exception_mask = EXC_MASK_BAD_ACCESS |
                                           EXC_MASK_BAD_INSTRUCTION |
                                           EXC_MASK_ARITHMETIC |
@@ skipping 429 matching lines @@
   vm_size_t page_size;
   kr = host_page_size(host, &page_size);
   if (kr) {
     LOG(ERROR) << "Failed to fetch host page size.";
     return 0;
   }
 
   return (data.active_count * page_size) / 1024;
 }
 
+namespace {
+
+// Finds the library path for malloc() and thus the libC part of libSystem,
+// which in Lion is in a separate image.
+const char* LookUpLibCPath() {
+  const void* addr = reinterpret_cast<void*>(&malloc);
+
+  Dl_info info;
+  if (dladdr(addr, &info))
+    return info.dli_fname;
+
+  LOG(WARNING) << "Could not find image path for malloc()";
+  return NULL;
+}
+
+typedef void(*malloc_error_break_t)(void);
+malloc_error_break_t g_original_malloc_error_break = NULL;
+
+// Returns the function pointer for malloc_error_break. This symbol is declared
+// as __private_extern__ and cannot be dlsym()ed. Instead, use nlist() to
+// get it.
+malloc_error_break_t LookUpMallocErrorBreak() {

[Scott Hess - ex-Googler, 2011/08/22 19:50:35]

Would it be worthwhile to unify this with the comparable code in
chrome/browser/ui/cocoa/objc_zombie.mm ?  Or would that just encourage this kind
of stuff?

[Robert Sesek, 2011/08/22 19:52:14]

We want to explicitly discourage this kind of very naughty behavior. Mark says
we should do some unification when we have to do 32- and 64-bit versions,
though.

[Mark Mentovai, 2011/08/22 20:07:23]

shess wrote:
My previous review comments on this thread tell you where I think we need to go
with this.

+#if ARCH_CPU_32_BITS
+  const char* lib_c_path = LookUpLibCPath();
+  if (!lib_c_path)
+    return NULL;
+
+  // Only need to look up two symbols, but nlist() requires a NULL-terminated
+  // array and takes no count.
+  struct nlist nl[3];
+  bzero(&nl, sizeof(nl));
+
+  // The symbol to find.
+  nl[0].n_un.n_name = const_cast<char*>("_malloc_error_break");
+
+  // A reference symbol by which the address of the desired symbol will be
+  // calculated.
+  nl[1].n_un.n_name = const_cast<char*>("_malloc");
+
+  int rv = nlist(lib_c_path, nl);
+  if (rv != 0 || nl[0].n_type == N_UNDF || nl[1].n_type == N_UNDF) {
+    return NULL;
+  }
+
+  // nlist() returns addresses as offsets in the image, not the instruction
+  // pointer in memory. Use the known in-memory address of malloc()
+  // to compute the offset for malloc_error_break().
+  uintptr_t reference_addr = reinterpret_cast<uintptr_t>(&malloc);
+  reference_addr -= nl[1].n_value;
+  reference_addr += nl[0].n_value;
+
+  return reinterpret_cast<malloc_error_break_t>(reference_addr);
+#endif  // ARCH_CPU_32_BITS
+
+  return NULL;
+}
+
+void CrMallocErrorBreak() {
+  g_original_malloc_error_break();
+  LOG(ERROR) <<
+      "Terminating process due to a potential for future heap corruption";
+  base::debug::BreakDebugger();
+}
+
+}  // namespace
+
+void EnableTerminationOnHeapCorruption() {
+  malloc_error_break_t malloc_error_break = LookUpMallocErrorBreak();
+  if (!malloc_error_break) {
+    LOG(WARNING) << "Could not find malloc_error_break";
+    return;
+  }
+
+  mach_error_t err = mach_override_ptr(
+     (void*)malloc_error_break,
+     (void*)&CrMallocErrorBreak,
+     (void**)&g_original_malloc_error_break);
+
+  if (err != err_none)
+    LOG(WARNING) << "Could not override malloc_error_break; error = " << err;
+}
+
 // ------------------------------------------------------------------------
 
 namespace {
 
 bool g_oom_killer_enabled;
 
 // === C malloc/calloc/valloc/realloc/posix_memalign ===
 
 typedef void* (*malloc_type)(struct _malloc_zone_t* zone,
                              size_t size);
@@ skipping 396 matching lines @@
   if (sysctl(mib, 4, &info, &length, NULL, 0) < 0) {
     PLOG(ERROR) << "sysctl";
     return -1;
   }
   if (length == 0)
     return -1;
   return info.kp_eproc.e_ppid;
 }
 
 }  // namespace base