TCMalloc: support userland ASLR on Linux

base/security_unittest.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 
 #include <algorithm>
 #include <limits>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using std::nothrow;
 
@@ skipping 75 matching lines @@
   }
 }
 
 TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsNewArray)) {
   if (!IsTcMallocBypassed()) {
     scoped_ptr<char[]> ptr(new (nothrow) char[kTooBigAllocSize]);
     ASSERT_TRUE(ptr == NULL);
   }
 }
 
+#if (defined(OS_LINUX) || defined(OS_CHROMEOS)) && defined(__x86_64__)
+// Useful for debugging.
+void PrintProcSelfMaps() {
+  int fd = open("/proc/self/maps", O_RDONLY);
+  ASSERT_GE(fd, 0);
+  char buffer[1<<13];
+  int ret;
+  ret = read(fd, buffer, sizeof(buffer) - 1);
+  ASSERT_GT(ret, 0);
+  buffer[ret - 1] = 0;
+  fprintf(stdout, "%s\n", buffer);
+}
+
+// Check if TCMalloc uses an underlying random memory allocator.
+TEST(SecurityTest, ALLOC_TEST(RandomMemoryAllocations)) {

[Chris Evans, 2013/01/29 06:10:58]

This test seems complicated to me.

Can you just do:
- Malloc 1GB
- Malloc another GB
- Assert not contiguous.

It should work because both massive allocations should fall through to a raw
mmap() due to the lack of buckets of that size ;-)

[jln (very slow on Chromium), 2013/01/29 06:23:46]

1GB is a bit special. That's where we would magically switch from BRK to MMAP()
before this patch.

I know the test looks a bit complicated, but I think it's pretty good. It's
reliably failing when there is no randomization, and reliably not failing
otherwise :)

+  if (IsTcMallocBypassed())
+    return;
+  // Two successive calls to mmap() have roughly one chance out of 2^6 to be
+  // detected as having the same order. With 32 allocations, we see ~16 that
+  // trigger a call to mmap, so the chances of this test flaking is roughly
+  // 2^-(6*15), i.e. virtually impossible.
+  const int kAllocNumber = 32;
+  bool is_contiguous = true;
+  // Make kAllocNumber successive allocations of growing size and compare the
+  // successive pointers to detect adjacent mappings. We grow the size because
+  // TCMalloc can sometimes over-allocate.
+  scoped_ptr<char, base::FreeDeleter> ptr[kAllocNumber];
+  for (int i = 0; i < kAllocNumber; ++i) {
+    // Grow the Malloc size slightly sub-exponentially.
+    const size_t kMallocSize = 1 << (12 + (i>>1));
+    ptr[i].reset(static_cast<char*>(malloc(kMallocSize)));
+    ASSERT_TRUE(ptr[i] != NULL);
+    if (i > 0) {
+      // Without mmap randomization, the two high order nibbles
+      // of a 47 bits userland address address will be identical.
+      const size_t kHighOrderMask = 0xff0000000000;
+      bool pointer_have_same_high_order =
+          (reinterpret_cast<size_t>(ptr[i].get()) & kHighOrderMask) ==
+          (reinterpret_cast<size_t>(ptr[i - 1].get()) & kHighOrderMask);
+      if (!pointer_have_same_high_order) {
+        // PrintProcSelfMaps();
+        is_contiguous = false;
+        break;
+      }
+    }
+  }
+  ASSERT_FALSE(is_contiguous);
+}
+
+#endif  // (defined(OS_LINUX) || defined(OS_CHROMEOS)) && defined(__x86_64__)
+
 }  // namespace