Use chain-loading for Linux nacl_helper

Use chain-loading for Linux nacl_helper

This replaces the nacl_helper_bootstrap program, dynamically-linked against
nacl_helper.so, with a standalone, statically-linked nacl_helper_bootstrap
program that loads the dynamic linker, instructing it in turn to load the
nacl_helper program (now a PIE rather than a DSO).

This avoids two problems with the old scheme:
1. The nacl_helper_bootstrap program remained in the dynamic linker's
   list of loaded objects, as the main executable, even though the
   memory where its .dynamic section had been was overwritten with
   the NaCl untrusted address space.  Code that traverses the list of
   all loaded objects could thus attempt to look at pointers into this
   part of memory, and be led astray.
2. nacl_helper_bootstrap's large (~1G) bss segment could cause the kernel
   to refuse to load the program because it didn't think there was enough
   free memory in the system for so large an allocation of anonymous memory.

The bootstrap program is kept very small by avoiding all use of libc
(except for memset and integer division routines needed on ARM).  It has
its own custom start-up code hand-written in assembly and its own custom
system call stubs done with hand-written GCC inline asm statements.

To avoid the second problem, the bootstrap program no longer has a large
bss.  Instead, it has a special ELF segment (i.e. PT_LOAD header) that
specifies no memory access, and a large (~1G) mapping size from the file.
This mapping is way off the end of the file, but the kernel doesn't mind
that, and since it's all a file mapping, the kernel does not do its normal
memory accounting for consuming a large amount of anonymous memory.

Unfortunately, it's impossible to get the linker to produce exactly the
right PT_LOAD header by itself.  Using a custom linker script, we get the
layout exactly how we want it and a PT_LOAD header that is almost right.
We then use a build-time helper program to munge one field of the PT_LOAD
to make it exactly what we need.

BUG= http://code.google.com/p/chromium/issues/detail?id=94147
TEST= hand-tested chromium build, invoked with --nacl-linux-helper

R=bradchen@google.com,mseaborn@chromium.org


Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=98909

[Mark Seaborn, 2011-08-29 22:26:50]

Initial comments...

I think the code for the ELF chainloader should live in the NaCl repo because it
is closely tied to the sandbox model.  The chainloader is needed on ARM even for
the standalone sel_ldr.  sel_main.c has an unreliable hack for dealing with the
bottom 1GB, but we need to remove that hack, and for that we need the
chainloader to be in the NaCl repo.

http://codereview.chromium.org/7795010/diff/1/chrome/common/chrome_paths.h
File chrome/common/chrome_paths.h (right):

http://codereview.chromium.org/7795010/diff/1/chrome/common/chrome_paths.h#ne...
chrome/common/chrome_paths.h:74: FILE_NACL_HELPER_BOOTSTRAP,   // ... and
nacl_helper_bootstrap executable.
This should be under OS_LINUX really, because it's very Linux-specific.  But you
don't have to change this now since the problem is pre-existing.

http://codereview.chromium.org/7795010/diff/1/chrome/nacl.gypi
File chrome/nacl.gypi (right):

http://codereview.chromium.org/7795010/diff/1/chrome/nacl.gypi#newcode227
chrome/nacl.gypi:227: # use the hack of eliding all the -m* flags from the
This is scary.  See comment elsewhere about using Python...

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
File chrome/nacl/nacl_helper_bootstrap_linux.c (right):

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
chrome/nacl/nacl_helper_bootstrap_linux.c:103: asm volatile("int $0x80"
The Chromium tree already has code for doing syscalls directly.  Please don't
duplicate it.  See linux_syscall_support.h which is pulled into both Breakpad
and seccompsandbox.

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
File chrome/nacl/nacl_helper_bootstrap_munge_phdr.c (right):

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
chrome/nacl/nacl_helper_bootstrap_munge_phdr.c:13: #define _FILE_OFFSET_BITS 64
This needs a comment.  Is it really needed?

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
chrome/nacl/nacl_helper_bootstrap_munge_phdr.c:18: #include <libelf.h>
A new build-time dependency?  If you must depend on this, you should add it to
build/install-build-deps.sh.

However, the file modification is pretty trivial.  You could do this in Python
quite easily instead.

[Brad Chen, 2011-08-29 22:26:57]

While I'm reading send this out to the try bots. In addition to the defaults
(linux/win/mac), you should also do linux_touch, linux_clang. Be sure to
also try both 32- and 64-bit builds, BUILDTYPE=Release as well as the
default debug, on your own machine.

Brad

On Mon, Aug 29, 2011 at 3:07 PM, <mcgrathr@chromium.org> wrote:

> Reviewers: Brad Chen, Mark Seaborn,
>
> Description:
> Use chain-loading for Linux nacl_helper
>
> This replaces the nacl_helper_bootstrap program, dynamically-linked against
> nacl_helper.so, with a standalone, statically-linked nacl_helper_bootstrap
> program that loads the dynamic linker, instructing it in turn to load the
> nacl_helper program (now a PIE rather than a DSO).
>
> This avoids two problems with the old scheme:
> 1. The nacl_helper_bootstrap program remained in the dynamic linker's
>   list of loaded objects, as the main executable, even though the
>   memory where its .dynamic section had been was overwritten with
>   the NaCl untrusted address space.  Code that traverses the list of
>   all loaded objects could thus attempt to look at pointers into this
>   part of memory, and be led astray.
> 2. nacl_helper_bootstrap's large (~1G) bss segment could cause the kernel
>   to refuse to load the program because it didn't think there was enough
>   free memory in the system for so large an allocation of anonymous memory.
>
> The bootstrap program is kept very small by avoiding all use of libc
> (except for memset and integer division routines needed on ARM).  It has
> its own custom start-up code hand-written in assembly and its own custom
> system call stubs done with hand-written GCC inline asm statements.
>
> To avoid the second problem, the bootstrap program no longer has a large
> bss.  Instead, it has a special ELF segment (i.e. PT_LOAD header) that
> specifies no memory access, and a large (~1G) mapping size from the file.
> This mapping is way off the end of the file, but the kernel doesn't mind
> that, and since it's all a file mapping, the kernel does not do its normal
> memory accounting for consuming a large amount of anonymous memory.
>
> Unfortunately, it's impossible to get the linker to produce exactly the
> right PT_LOAD header by itself.  Using a custom linker script, we get the
> layout exactly how we want it and a PT_LOAD header that is almost right.
> We then use a build-time helper program to munge one field of the PT_LOAD
> to make it exactly what we need.
>
> BUG=
http://code.google.com/p/**chromium/issues/detail?id=**94147<http://code.goog...
> TEST= hand-tested chromium build
>
> R=bradchen@google.com,mseaborn**@chromium.org <mseaborn@chromium.org>
>
>
> Please review this at
http://codereview.chromium.**org/7795010/<http://codereview.chromium.org/7795...
>
> SVN Base:
svn://svn.chromium.org/chrome/**trunk/src<http://svn.chromium.org/chrome/trunk/src>
>
> Affected files:
>  M chrome/common/chrome_paths.h
>  M chrome/common/chrome_paths.cc
>  M chrome/nacl.gypi
>  M chrome/nacl/nacl_fork_**delegate_linux.cc
>  M chrome/nacl/nacl_helper_**bootstrap_linux.c
>  A chrome/nacl/nacl_helper_**bootstrap_linux.x
>  A chrome/nacl/nacl_helper_**bootstrap_munge_phdr.c
>  A chrome/nacl/nacl_helper_**bootstrap_munge_phdr.py
>  D chrome/nacl/nacl_helper_**exports.txt
>  M chrome/nacl/nacl_helper_linux.**cc
>
>
>

-- 
You received this message because you are subscribed to the Google Groups
"Native-Client-Reviews" group.
To post to this group, send email to native-client-reviews@googlegroups.com.
To unsubscribe from this group, send email to
native-client-reviews+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/native-client-reviews?hl=en.

[Brad Chen, 2011-08-29 22:27:00]

While I'm reading send this out to the try bots. In addition to the defaults
(linux/win/mac), you should also do linux_touch, linux_clang. Be sure to
also try both 32- and 64-bit builds, BUILDTYPE=Release as well as the
default debug, on your own machine.

Brad

On Mon, Aug 29, 2011 at 3:07 PM, <mcgrathr@chromium.org> wrote:

> Reviewers: Brad Chen, Mark Seaborn,
>
> Description:
> Use chain-loading for Linux nacl_helper
>
> This replaces the nacl_helper_bootstrap program, dynamically-linked against
> nacl_helper.so, with a standalone, statically-linked nacl_helper_bootstrap
> program that loads the dynamic linker, instructing it in turn to load the
> nacl_helper program (now a PIE rather than a DSO).
>
> This avoids two problems with the old scheme:
> 1. The nacl_helper_bootstrap program remained in the dynamic linker's
>   list of loaded objects, as the main executable, even though the
>   memory where its .dynamic section had been was overwritten with
>   the NaCl untrusted address space.  Code that traverses the list of
>   all loaded objects could thus attempt to look at pointers into this
>   part of memory, and be led astray.
> 2. nacl_helper_bootstrap's large (~1G) bss segment could cause the kernel
>   to refuse to load the program because it didn't think there was enough
>   free memory in the system for so large an allocation of anonymous memory.
>
> The bootstrap program is kept very small by avoiding all use of libc
> (except for memset and integer division routines needed on ARM).  It has
> its own custom start-up code hand-written in assembly and its own custom
> system call stubs done with hand-written GCC inline asm statements.
>
> To avoid the second problem, the bootstrap program no longer has a large
> bss.  Instead, it has a special ELF segment (i.e. PT_LOAD header) that
> specifies no memory access, and a large (~1G) mapping size from the file.
> This mapping is way off the end of the file, but the kernel doesn't mind
> that, and since it's all a file mapping, the kernel does not do its normal
> memory accounting for consuming a large amount of anonymous memory.
>
> Unfortunately, it's impossible to get the linker to produce exactly the
> right PT_LOAD header by itself.  Using a custom linker script, we get the
> layout exactly how we want it and a PT_LOAD header that is almost right.
> We then use a build-time helper program to munge one field of the PT_LOAD
> to make it exactly what we need.
>
> BUG=
http://code.google.com/p/**chromium/issues/detail?id=**94147<http://code.goog...
> TEST= hand-tested chromium build
>
> R=bradchen@google.com,mseaborn**@chromium.org <mseaborn@chromium.org>
>
>
> Please review this at
http://codereview.chromium.**org/7795010/<http://codereview.chromium.org/7795...
>
> SVN Base:
svn://svn.chromium.org/chrome/**trunk/src<http://svn.chromium.org/chrome/trunk/src>
>
> Affected files:
>  M chrome/common/chrome_paths.h
>  M chrome/common/chrome_paths.cc
>  M chrome/nacl.gypi
>  M chrome/nacl/nacl_fork_**delegate_linux.cc
>  M chrome/nacl/nacl_helper_**bootstrap_linux.c
>  A chrome/nacl/nacl_helper_**bootstrap_linux.x
>  A chrome/nacl/nacl_helper_**bootstrap_munge_phdr.c
>  A chrome/nacl/nacl_helper_**bootstrap_munge_phdr.py
>  D chrome/nacl/nacl_helper_**exports.txt
>  M chrome/nacl/nacl_helper_linux.**cc
>
>
>

[Brad Chen, 2011-08-29 23:04:57]

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
File chrome/nacl/nacl_helper_bootstrap_linux.c (right):

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
chrome/nacl/nacl_helper_bootstrap_linux.c:5: * This is a standalone program that
loads and run the dynamic linker.
'runs'

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
chrome/nacl/nacl_helper_bootstrap_linux.c:100: #if defined(__i386__)
I tend to agree with Mark that these syscall stubs do add a lot of duplicated
code. It would be worth using existing stubs even if it added slightly to the
executable size.

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
chrome/nacl/nacl_helper_bootstrap_linux.c:369: *--p = "0123456789"[value % 10];
Yikes! I bet this code works just fine but I'm pretty sure you are violating
several style rules. Think you could break it into approximate one operation per
line?

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
chrome/nacl/nacl_helper_bootstrap_linux.c:513: ElfW(Phdr) phdr[12];
make this 12 a constant please.

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
chrome/nacl/nacl_helper_bootstrap_linux.c:594: * entry point address.
This is pretty cool code, but again, if we could use the standard _start without
too much bloat it would probably be better for maintainability.

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
File chrome/nacl/nacl_helper_bootstrap_linux.x (right):

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
chrome/nacl/nacl_helper_bootstrap_linux.x:63: * It just maps it from the file,
i.e. way off the end of the file,
Is this well-defined kernel behavior? I know you've checked the source, but it
would be nice to know it was specified someplace or that lots of people relied
on this behavior to be confident it won't change.

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
File chrome/nacl/nacl_helper_bootstrap_munge_phdr.c (right):

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
chrome/nacl/nacl_helper_bootstrap_munge_phdr.c:11: */
It may be that this should go into tools/ instead of chrome/nacl/. We should
find a chance to ask Brad Nelson or somebody else who might be more aware of
directory conventions.

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_linux.cc
File chrome/nacl/nacl_helper_linux.cc (right):

http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_linux.c...
chrome/nacl/nacl_helper_linux.cc:120: static const char kNaClHelperAtZero[] =
"at-zero";
Probably ought to add a comment here where copies of this string appear
(nacl_helper_bootstrap_linux.c).

[Brad Chen, 2011-08-29 23:25:24]

one more thing...

http://codereview.chromium.org/7795010/diff/1/chrome/nacl.gypi
File chrome/nacl.gypi (right):

http://codereview.chromium.org/7795010/diff/1/chrome/nacl.gypi#newcode186
chrome/nacl.gypi:186: 'target_name': 'nacl_helper',
Once this is in we'll need to go back and update the Linux installer in the four
places it refers to nacl_helper.so.

[Roland McGrath, 2011-08-29 23:49:44]

On 2011/08/29 22:26:50, Mark Seaborn wrote:
> I think the code for the ELF chainloader should live in the NaCl repo
> because it is closely tied to the sandbox model.  The chainloader is
> needed on ARM even for the standalone sel_ldr.  sel_main.c has an
> unreliable hack for dealing with the bottom 1GB, but we need to remove
> that hack, and for that we need the chainloader to be in the NaCl repo.

Code can always be moved later.  We need to land this work this week.
Off hand it's not clear to me how we'd put this into the NaCl repo and
have it built here as we need it.

> http://codereview.chromium.org/7795010/diff/1/chrome/nacl.gypi#newcode227
> chrome/nacl.gypi:227: # use the hack of eliding all the -m* flags from the
> This is scary.  See comment elsewhere about using Python...

Hand-rolling this sort of code in Python rather than using the
well-established library for handling ELF files is far more scary
than this bit of build trivia.

> The Chromium tree already has code for doing syscalls directly.  Please don't
> duplicate it.  See linux_syscall_support.h which is pulled into both Breakpad
> and seccompsandbox.

Done.

>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> chrome/nacl/nacl_helper_bootstrap_munge_phdr.c:13: #define _FILE_OFFSET_BITS
64
> This needs a comment.  Is it really needed?

It's not really needed.  Removed.

>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> chrome/nacl/nacl_helper_bootstrap_munge_phdr.c:18: #include <libelf.h>
> A new build-time dependency?  If you must depend on this, you should add it to
> build/install-build-deps.sh.

Done.

[Roland McGrath, 2011-08-29 23:59:17]

On 2011/08/29 23:04:57, Brad Chen wrote:
>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> chrome/nacl/nacl_helper_bootstrap_linux.c:5: * This is a standalone program
that
> loads and run the dynamic linker.
> 'runs'

Done.

>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> chrome/nacl/nacl_helper_bootstrap_linux.c:100: #if defined(__i386__)
> I tend to agree with Mark that these syscall stubs do add a lot of duplicated
> code. It would be worth using existing stubs even if it added slightly to the
> executable size.

Already done.

>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> chrome/nacl/nacl_helper_bootstrap_linux.c:369: *--p = "0123456789"[value %
10];
> Yikes! I bet this code works just fine but I'm pretty sure you are violating
> several style rules. Think you could break it into approximate one operation
per
> line?

Seriously?  This is C 101.  But done, anyway.

>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> chrome/nacl/nacl_helper_bootstrap_linux.c:513: ElfW(Phdr) phdr[12];
> make this 12 a constant please.

Done.

>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> chrome/nacl/nacl_helper_bootstrap_linux.c:594: * entry point address.
> This is pretty cool code, but again, if we could use the standard _start
without
> too much bloat it would probably be better for maintainability.

We cannot.

>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> chrome/nacl/nacl_helper_bootstrap_linux.x:63: * It just maps it from the file,
> i.e. way off the end of the file,
> Is this well-defined kernel behavior? I know you've checked the source, but it
> would be nice to know it was specified someplace or that lots of people relied
> on this behavior to be confident it won't change.

It is well-defined as the meaning of mmap on files.  We are assuming that
the kernel loader internally behaves like mmap on the executable file,
which is how modern kernel loaders have always behaved.

>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> chrome/nacl/nacl_helper_bootstrap_munge_phdr.c:11: */
> It may be that this should go into tools/ instead of chrome/nacl/. We should
> find a chance to ask Brad Nelson or somebody else who might be more aware of
> directory conventions.

Given clear instructions I will move the code.

>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_linux.c...
> chrome/nacl/nacl_helper_linux.cc:120: static const char kNaClHelperAtZero[] =
> "at-zero";
> Probably ought to add a comment here where copies of this string appear
> (nacl_helper_bootstrap_linux.c).

I meant to ask if there is anything cleaner to do for the option stuff than
duplicating the string (with "--" prefix in one place and without in the
other).  It doesn't seem like this should be the right way to do it.


Thanks,
Roland

[Brad Chen, 2011-08-30 00:29:44]

LGTM

Please give Mark a chance to chime in, in case there is anything herein he to
which he objects strongly.

On 2011/08/29 23:59:17, Roland McGrath wrote:
> On 2011/08/29 23:04:57, Brad Chen wrote:
> >
>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> > chrome/nacl/nacl_helper_bootstrap_linux.c:5: * This is a standalone program
> that
> > loads and run the dynamic linker.
> > 'runs'
> 
> Done.
> 
> >
>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> > chrome/nacl/nacl_helper_bootstrap_linux.c:100: #if defined(__i386__)
> > I tend to agree with Mark that these syscall stubs do add a lot of
duplicated
> > code. It would be worth using existing stubs even if it added slightly to
the
> > executable size.
> 
> Already done.
> 
> >
>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> > chrome/nacl/nacl_helper_bootstrap_linux.c:369: *--p = "0123456789"[value %
> 10];
> > Yikes! I bet this code works just fine but I'm pretty sure you are violating
> > several style rules. Think you could break it into approximate one operation
> per
> > line?
> 
> Seriously?  This is C 101.  But done, anyway.
> 
> >
>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> > chrome/nacl/nacl_helper_bootstrap_linux.c:513: ElfW(Phdr) phdr[12];
> > make this 12 a constant please.
> 
> Done.
> 
> >
>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> > chrome/nacl/nacl_helper_bootstrap_linux.c:594: * entry point address.
> > This is pretty cool code, but again, if we could use the standard _start
> without
> > too much bloat it would probably be better for maintainability.
> 
> We cannot.
> 
> >
>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> > chrome/nacl/nacl_helper_bootstrap_linux.x:63: * It just maps it from the
file,
> > i.e. way off the end of the file,
> > Is this well-defined kernel behavior? I know you've checked the source, but
it
> > would be nice to know it was specified someplace or that lots of people
relied
> > on this behavior to be confident it won't change.
> 
> It is well-defined as the meaning of mmap on files.  We are assuming that
> the kernel loader internally behaves like mmap on the executable file,
> which is how modern kernel loaders have always behaved.
> 
> >
>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_bootstr...
> > chrome/nacl/nacl_helper_bootstrap_munge_phdr.c:11: */
> > It may be that this should go into tools/ instead of chrome/nacl/. We should
> > find a chance to ask Brad Nelson or somebody else who might be more aware of
> > directory conventions.
> 
> Given clear instructions I will move the code.
> 
> >
>
http://codereview.chromium.org/7795010/diff/1/chrome/nacl/nacl_helper_linux.c...
> > chrome/nacl/nacl_helper_linux.cc:120: static const char kNaClHelperAtZero[]
=
> > "at-zero";
> > Probably ought to add a comment here where copies of this string appear
> > (nacl_helper_bootstrap_linux.c).
> 
> I meant to ask if there is anything cleaner to do for the option stuff than
> duplicating the string (with "--" prefix in one place and without in the
> other).  It doesn't seem like this should be the right way to do it.
> 
> 
> Thanks,
> Roland

[Mark Seaborn, 2011-08-30 19:58:59]

In the "TEST=" field, please say how you invoke Chromium, i.e. the env vars
needed to exercise this code path, since I believe it's not the default yet.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl.gypi
File chrome/nacl.gypi (right):

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl.gypi#newcode204
chrome/nacl.gypi:204: 'cflags': [ '-fPIE' ],
Style nit: use "[xx]" not "[ xx ]"

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl.gypi#newcode230
chrome/nacl.gypi:230: # TODO(bradnelson): Clean up with proper cross support.
TODO(xx) is supposed to contain your name, not someone else's (so I'm told). 
It's supposed to record who added the TODO; it's not a way to assign people
tasks.

BTW, if you could file a bug on Gyp at http://code.google.com/p/gyp/issues/list
for this, that would be good.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl.gypi#newcode233
chrome/nacl.gypi:233: 'cflags/': [ ['exclude', '-m.*'] ],
Style nit: use "[xx]" not "[ xx ]"

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl.gypi#newcode239
chrome/nacl.gypi:239: 'target_name': 'nacl_helper_bootstrap_raw',
Maybe 'raw' -> 'before_patch' or something like that?

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl.gypi#newcode249
chrome/nacl.gypi:249: # TODO(bradnelson): Fix the dependency handling.
Ditto about the TODO and bug raising.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl.gypi#newcode254
chrome/nacl.gypi:254: # -fstack-protector, which might be on by default.
Please add: ...because we are bypassing libc's initialisation which sets us
%gs/%fs for use by -fstack-protector.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl.gypi#newcode278
chrome/nacl.gypi:278: # TODO(bradnelson): Use some <(foo) instead of chrome/
here.
Ditto about TODOs

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl.gypi#newcode293
chrome/nacl.gypi:293: ],
Indent -2 for consistency?

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
File chrome/nacl/nacl_helper_bootstrap_linux.c (right):

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:29: #define BSS_RESERVE_SIZE       
(ADDRESS_SPACE_RESERVE - TEXT_START_ADDRESS)
This definition seems to be unused.  The other two are transitively unused.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:45: * We're not using <string.h>
functions here to avoid dependencies.
Ambiguity nit: "To avoid dependencies, we're not using <string.h> functions."

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:77: static void itoa(int value, struct
kernel_iovec *iov, char *buf, size_t bufsz) {
This is different from the common function itoa(), so can you give it a
different name?  e.g. int_to_string()

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:94: char valbuf1[32], valbuf2[32];
Nit: one variable decl per line, please.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:100: { (void *)item1, item1 == NULL ?
0 : my_strlen(item1) },
Nit: use space, "(void *) item1"

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:109: const int niov = sizeof(iov) /
sizeof(iov[0]);
const is rather redundant on local variables...

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:118: while (1) *(volatile int *) 0 =
0;
Nit: Please put a "// Crash" comment next to this.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:160: static int prot_from_phdr(const
ElfW(Phdr) *phdr) {
The naming style in Chromium code and NaCl trusted code is CamelCase...

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:202: /* Record the auxv entries that
are specific to the file loaded.
Nit: this comment style is inconsistent with the others

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:212: ++av)
Use {...} for the for() loop.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:289: size_t span = last_load->p_vaddr
+ last_load->p_memsz - first_load->p_vaddr;
Please comment that you are assuming the PT_LOAD segments are in order.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:291: const uintptr_t mapping =
my_mmap("segment", first_load - phdr,
Comment: Map the first segment and reserve address space.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:315: for (ph = first_load + 1; ph <=
last_load; ++ph)
Add {...} for the for() loop.

Add comment: Map all but the first segment, plus mprotect() the gaps between
segments.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:321: ElfW(Addr) end = (last_end +
pagesize - 1) & -pagesize;
There is an awful lot of open-coding of pagesize rounding.  Can you split out
RoundUp and RoundDown functions?

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:334: sys_close(fd);
Check return value?

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:356: "leal 8(%ebx,%eax,4), %ecx\n"  /*
envp */
FWIW, the envp calculation doesn't need to be done in assembly.  It would be
better to do it in the C code.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:358: "0: addl $4, %ecx\n"
Ditto.  It would be much better to do this loop in C.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:365: );        /* Jump to the entry
point.  */
Move comment to previous line?

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.c:379: "call do_load\n"    /* Argument
already in %rdi: auxv */
Can you be more consistent about how you indent these comments?

[Mark Seaborn, 2011-08-30 20:12:25]

A few more comments...

"""
This avoids two problems with the old scheme:
1. The nacl_helper_bootstrap program remained in the dynamic linker's
list of loaded objects, as the main executable, even though the
memory where its .dynamic section had been was overwritten with
the NaCl untrusted address space. Code that traverses the list of
all loaded objects could thus attempt to look at pointers into this
part of memory, and be led astray.
"""
-- Could you put this in a comment in the code somewhere to explain why we have
this chainloader program?

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
File chrome/nacl/nacl_helper_bootstrap_linux.x (right):

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_linux.x:68: .reserve  : {
Nit: just use one space - ".reserve : {"

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
File chrome/nacl/nacl_helper_bootstrap_munge_phdr.py (right):

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_munge_phdr.py:19: import optparse
Not used.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_munge_phdr.py:32: result =
subprocess.call([munger, tmpfile, '1'])
Nit: Maybe do:
segment_num = '1'
result = subprocess.call([munger, tmpfile, segment_num])

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_munge_phdr.py:33: if result != 0:
You can use subprocess.check_call().  Then you don't need this check.

http://codereview.chromium.org/7795010/diff/1023/chrome/nacl/nacl_helper_boot...
chrome/nacl/nacl_helper_bootstrap_munge_phdr.py:39: Main(sys.argv)
FWIW, I think it's preferable to do "Main(sys.argv[1:])"

[Roland McGrath, 2011-08-30 20:34:26]

I changed the nits that were reasonable, and ignored the comments I found
excessive.

[Mark Seaborn, 2011-08-30 20:48:58]

LGTM

[commit-bot: I haz the power, 2011-08-31 01:30:28]

Change committed as 98909