[Mac] Remove potential for malloc in CrMallocErrorBreak().

base/process_util_mac.mm

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/process_util.h"
 
 #import <Cocoa/Cocoa.h>
 #include <crt_externs.h>
 #include <dlfcn.h>
 #include <errno.h>
@@ skipping 572 matching lines @@
  private:
   ThreadLocalBoolean* scoped_tlb_;
   bool original_value_;
 
   DISALLOW_COPY_AND_ASSIGN(ThreadLocalBooleanAutoReset);
 };
 
 base::LazyInstance<ThreadLocalBoolean>::Leaky
     g_unchecked_malloc = LAZY_INSTANCE_INITIALIZER;
 
+// NOTE(shess): This is called when the malloc library noticed that the heap
+// is fubar.  Avoid calls which will re-enter the malloc library.
 void CrMallocErrorBreak() {
   g_original_malloc_error_break();
 
   // Out of memory is certainly not heap corruption, and not necessarily
   // something for which the process should be terminated. Leave that decision
   // to the OOM killer.  The EBADF case comes up because the malloc library
   // attempts to log to ASL (syslog) before calling this code, which fails
   // accessing a Unix-domain socket because of sandboxing.
   if (errno == ENOMEM || (errno == EBADF && g_unchecked_malloc.Get().Get()))
     return;
 
   // A unit test checks this error message, so it needs to be in release builds.
-  PLOG(ERROR) <<
-      "Terminating process due to a potential for future heap corruption";
+  char buf[1024] =
+      "Terminating process due to a potential for future heap corruption: "
+      "errno==";

[Mark Mentovai, 2012/11/12 23:19:32]

One = too many?

[Scott Hess - ex-Googler, 2012/11/12 23:39:53]

Done.  I was thinking C-style is-equal-to, but a byte is a byte.

+  char errnobuf[4] = {

[Mark Mentovai, 2012/11/12 23:19:32]

No [4], just [].

[Scott Hess - ex-Googler, 2012/11/12 23:39:53]

Done.

+    '0' + ((errno / 100) % 10),
+    '0' + ((errno / 10) % 10),
+    '0' + (errno % 10),
+    '\000'
+  };

[Mark Mentovai, 2012/11/12 23:19:32]

Ha!

Do you want to COMPILE_ASSERT that ELAST <= 999?

[Scott Hess - ex-Googler, 2012/11/12 23:39:53]

Honestly, I kind of questioned even the third digit.  But, sure.

+  strlcat(buf, errnobuf, sizeof(buf));

[Mark Mentovai, 2012/11/12 23:19:32]

I can think of a way to avoid the copy, but that’s just for fun at that point,
there’s nothing wrong with the strlcat.

[Scott Hess - ex-Googler, 2012/11/12 23:39:53]

There are dozens of ways to skin this cat, and they're all guaranteed to be
gross.

+  RAW_LOG(ERROR, buf);
 
   // Crash by writing to NULL+errno to allow analyzing errno from
   // crash dump info (setting a breakpad key would re-enter the malloc
   // library).  Max documented errno in intro(2) is actually 102, but
   // it really just needs to be "small" to stay on the right vm page.
   const int kMaxErrno = 256;
   char* volatile death_ptr = NULL;
   death_ptr += std::min(errno, kMaxErrno);
   *death_ptr = '!';
 }
 
 }  // namespace
 
 void EnableTerminationOnHeapCorruption() {
 #ifdef ADDRESS_SANITIZER
   // Don't do anything special on heap corruption, because it should be handled
   // by AddressSanitizer.
   return;
 #endif
   malloc_error_break_t malloc_error_break = LookUpMallocErrorBreak();
   if (!malloc_error_break) {
     DLOG(WARNING) << "Could not find malloc_error_break";
     return;
   }
 
+  // Warm this up so that it doesn't require allocation when
+  // |CrMallocErrorBreak()| calls it.
+  ignore_result(g_unchecked_malloc.Get().Get());
+
   mach_error_t err = mach_override_ptr(
      (void*)malloc_error_break,
      (void*)&CrMallocErrorBreak,
      (void**)&g_original_malloc_error_break);
 
   if (err != err_none)
     DLOG(WARNING) << "Could not override malloc_error_break; error = " << err;
 }
 
 // ------------------------------------------------------------------------
@@ skipping 596 matching lines @@
   }
 }
 
 }  // namespace
 
 void EnsureProcessTerminated(ProcessHandle process) {
   WaitForChildToDie(process, kWaitBeforeKillSeconds);
 }
 
 }  // namespace base