Enable the service runtime to use a zero-based sandbox on Linux.

src/trusted/service_runtime/arch/arm/sel_addrspace_arm.c

Index: src/trusted/service_runtime/arch/arm/sel_addrspace_arm.c
diff --git a/src/trusted/service_runtime/arch/arm/sel_addrspace_arm.c b/src/trusted/service_runtime/arch/arm/sel_addrspace_arm.c
index 7283cd604598ce31c0daf3e8b4f7f7e3b38e426f..b2277376be1f9cbe096d43354ad98056b46bbce8 100644
--- a/src/trusted/service_runtime/arch/arm/sel_addrspace_arm.c
+++ b/src/trusted/service_runtime/arch/arm/sel_addrspace_arm.c
@@ -11,37 +11,72 @@
 #include "native_client/src/trusted/service_runtime/sel_memory.h"
 
 
-#define POST_ADDR_SPACE_GUARD_SIZE  (2 * NACL_PAGESIZE)
-
 /*
  * On ARM, we cheat slightly: we add two pages to the requested allocation!
  * This accomodates the guard region we require at the top end of untrusted
  * memory.
  */
+#define POST_ADDR_SPACE_GUARD_SIZE  (2 * NACL_PAGESIZE)
+
+/* NOTE: This routine is almost identical to the x86_32 version.
+ */
 NaClErrorCode NaClAllocateSpace(void **mem, size_t addrsp_size) {
-  CHECK(mem);
+#if NACL_LINUX
+  const void *ONE_MEGABYTE = (void *)(1024*1024);
+#endif
+  int result;
+
+  CHECK(NULL != mem);
 
   addrsp_size += POST_ADDR_SPACE_GUARD_SIZE;
+#if NACL_LINUX
+  /*
+   * When creating a zero-based sandbox, we do not allocate the first 64K of
+   * pages beneath the trampolines, because -- on Linux at least -- we cannot.
+   * Instead, we allocate starting at the trampolines, and then coerce the
+   * "mem" out parameter.
+   */
   addrsp_size -= NACL_TRAMPOLINE_START;
-
   *mem = (void *) NACL_TRAMPOLINE_START;
-  if (NaCl_page_alloc_at_addr(mem, addrsp_size) != 0) {
+  /*
+   * On 32 bit Linux, a 1 gigabyte block of address space may be reserved at
+   * the zero-end of the address space during process creation, to address
+   * sandbox layout requirements on ARM and performance issues on Intel ATOM.
+   * Look for this pre-reserved block and if found, pass its address to the
+   * page allocation function.
+   */
+  if (NaCl_find_prereserved_sandbox_memory(mem, addrsp_size)) {
+    /* Sanity check zero sandbox base address. */
+    /* It should be within a few pages above the 64KB boundary. See   */

[Mark Seaborn, 2011/08/23 18:26:36]

Nit: Comment style

[Brad Chen, 2011/08/23 21:15:09]

Done.

+    /* chrome/nacl/nacl_helper_bootstrap.c in the Chromium repository */
+    /* for more details. */
+    if (0 == *mem || ONE_MEGABYTE < *mem) {

[bsy, 2011/08/23 18:31:23]

just assigned to *mem NACL_TRAMPOLINE_START, so always false?  *unless*
NaCl_find_prereserved_sandbox_memory changed it?  this seems confusing.

and looking at NaCl_f_p_s_m, *p = 0 occurs early on, so it *always* overwrites,
and the initialization above is a no-op.

[Brad Chen, 2011/08/23 21:15:09]

I moved initialization into else clause where it is useful.

On 2011/08/23 18:31:23, bsy wrote:

+      NaClLog(LOG_ERROR, "NaClAllocateSpace:"
+                         "Can't handle sandbox at high address"
+                         "0x%08"NACL_PRIxPTR"\n",
+              (uintptr_t)*mem);
+      return LOAD_NO_MEMORY;
+    }

[bsy, 2011/08/23 18:43:19]

if we find memory, we should ensure squatting between vm.mmap_min_addr the same
as for x86-32 linux.  at least a TODO here please

[Brad Chen, 2011/08/23 21:15:09]

I think this is already taken care of. You need to look at the Chrome side as
well, chrome/nacl/nacl_helper_bootstrap_linux.c and chrome/nacl.gypi. The
nacl_helper_bootstrap loads at 64K, and the code below protects up to 64K, so
everything should be covered.

On 2011/08/23 18:43:19, bsy wrote:

+  } else {
+    /* Zero-based sandbox not pre-reserved. Try anyways. */
+    /* TODO(bradchen): delete once new code is working.  */
+  }
+  result = NaCl_page_alloc_at_addr(mem, addrsp_size);

[bsy, 2011/08/23 18:31:23]

since NaCl_find_prereserved_sandbox_memory had zeroed out *mem, we aren't
allocating at NACL_TRAMPOLINE_START like it used to.  this probably breaks arm
code.

[Brad Chen, 2011/08/23 21:15:09]

If *mem is zero after NaCl_fpsm(), then we will return above with
LOAD_NO_MEMORY. *mem is non-zero for all other paths. I can add an assert (0 !=
*mem) here if you like.

On 2011/08/23 18:31:23, bsy wrote:

+  *mem = 0;
+#else
+# error "I only know how to allocate memory for ARM on Linux."
+#endif
+  if (0 != result) {
     NaClLog(2,
-        "NaClAllocateSpace: NaCl_page_alloc_at_addr 0x%08"NACL_PRIxPTR
-        " failed\n",
-        (uintptr_t) *mem);
+            "NaClAllocateSpace: NaCl_page_alloc_at_addr 0x%08"NACL_PRIxPTR
+            " failed\n",
+            (uintptr_t) *mem);
     return LOAD_NO_MEMORY;
   }
   NaClLog(4, "NaClAllocateSpace: %"NACL_PRIxPTR", %"NACL_PRIxS"\n",
           (uintptr_t) *mem,
           addrsp_size);
 
-  /*
-   * makes sel_ldr think that the module's address space is at 0x0, this where
-   * it should be
-   */
-  *mem = 0x0;
-
   return LOAD_OK;
 }
 
@@ -73,6 +108,7 @@ NaClErrorCode NaClMprotectGuards(struct NaClApp *nap) {
            "size 0x%08x, end 0x%08"NACL_PRIxPTR"\n"),
           0, NACL_SYSCALL_START_ADDR,
           NACL_SYSCALL_START_ADDR);
+
   if (!NaClVmmapAdd(&nap->mem_map,
                     nap->mem_start >> NACL_PAGESHIFT,
                     NACL_SYSCALL_START_ADDR >> NACL_PAGESHIFT,