Enable the service runtime to use a zero-based sandbox on Linux.

src/trusted/service_runtime/arch/arm/sel_addrspace_arm.c

 /*
  * Copyright 2009 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can
  * be found in the LICENSE file.
  */
 
 #include "native_client/src/include/nacl_platform.h"
 #include "native_client/src/shared/platform/nacl_check.h"
 #include "native_client/src/trusted/service_runtime/nacl_error_code.h"
 #include "native_client/src/trusted/service_runtime/sel_ldr.h"
 #include "native_client/src/trusted/service_runtime/sel_memory.h"
 
 
-#define POST_ADDR_SPACE_GUARD_SIZE  (2 * NACL_PAGESIZE)
-
 /*
  * On ARM, we cheat slightly: we add two pages to the requested allocation!
  * This accomodates the guard region we require at the top end of untrusted
  * memory.
  */
+#define POST_ADDR_SPACE_GUARD_SIZE  (2 * NACL_PAGESIZE)
+
+/* NOTE: This routine is almost identical to the x86_32 version.
+ */
 NaClErrorCode NaClAllocateSpace(void **mem, size_t addrsp_size) {
-  CHECK(mem);
+  const void* ONE_MEGABYTE = (void *)1024*1024;

[Mark Seaborn, 2011/08/18 23:09:45]

Nit: " *" style not "* " in this code.

[Brad Chen, 2011/08/19 00:24:35]

Done.

+  int result;
+
+  CHECK(NULL != mem);
 
   addrsp_size += POST_ADDR_SPACE_GUARD_SIZE;
-  addrsp_size -= NACL_TRAMPOLINE_START;
+#if NACL_LINUX
+  /*
+   * On 32 bit Linux, a 1 gigabyte block of address space may be reserved at
+   * the zero-end of the address space during process creation, to address
+   * sandbox layout requirements on ARM and performance issues on Intel ATOM.
+   * Look for this pre-reserved block and if found, pass its address to the
+   * page allocation function.
+   */
+  if (!NaCl_find_prereserved_sandbox_memory(mem, addrsp_size)) {
+    /* zero-based sandbox not pre-reserved */

[Mark Seaborn, 2011/08/18 23:09:45]

Capitalise the start of the sentence, please.

[Brad Chen, 2011/08/19 00:24:35]

Done.

+    return LOAD_NO_MEMORY;
+  } else {
+    /* sanity check zero sandbox base address */

[Mark Seaborn, 2011/08/18 23:09:45]

Capitalise.

[Brad Chen, 2011/08/19 00:24:35]

Done.

+    if (0 == *mem || ONE_MEGABYTE > *mem)
+      return LOAD_NO_MEMORY;
 
-  *mem = (void *) NACL_TRAMPOLINE_START;
-  if (NaCl_page_alloc_at_addr(mem, addrsp_size) != 0) {
+    /*
+     * When creating a zero-based sandbox, we do not allocate the first 64K of
+     * pages beneath the trampolines, because -- on Linux at least -- we cannot.
+     * Instead, we allocate starting at the trampolines, and then coerce the
+     * "mem" out parameter.
+     */
+    addrsp_size -= NACL_TRAMPOLINE_START;
+    *mem = (void *) NACL_TRAMPOLINE_START;
+    result = NaCl_page_alloc_at_addr(mem, addrsp_size);
+    *mem = 0;
+  }
+#else
+# error "I only know how to allocate memory for ARM on Linux."
+#endif
+  if (0 != result) {
     NaClLog(2,
         "NaClAllocateSpace: NaCl_page_alloc_at_addr 0x%08"NACL_PRIxPTR
         " failed\n",
         (uintptr_t) *mem);
     return LOAD_NO_MEMORY;
   }
   NaClLog(4, "NaClAllocateSpace: %"NACL_PRIxPTR", %"NACL_PRIxS"\n",
           (uintptr_t) *mem,
           addrsp_size);
 
-  /*
-   * makes sel_ldr think that the module's address space is at 0x0, this where
-   * it should be
-   */
-  *mem = 0x0;
-
   return LOAD_OK;
 }
 
 /*
  * In the ARM sandboxing scheme we put the NaCl module at low virtual
  * address -- and thus there can only ever be one running NaCl app per
  * sel_ldr process -- to simplify the address masking etc needed for
  * the sandboxing.  All memory below ((uintptr_t) 1) << nap->addr_bits
  * is accessible to the NaCl app, and modulo page protection,
  * potentially writable.  Page protection is, of course, used to
@@ skipping 48 matching lines @@
    * NB: the pages just mapped are OUTSIDE of the address space of the
    * NaCl module.  We should not track them in the Vmmap structure,
    * since that's to track addressable memory for mapping and unmapping.
    *
    * This means that because these pages are implicit and not tracked,
    * we should have a hook to tear down these pages as part of the
    * NaClApp dtor.
    */
   return LOAD_OK;
 }