Make syzyasan_rtl compile in 64 bit

syzygy/agent/asan/shadow.cc

 // Copyright 2012 Google Inc. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 15 matching lines @@
 
 namespace {
 
 #ifdef _WIN64
 // A lock under which the shadow instance is modified.
 base::Lock shadow_instance_lock;
 
 // The pointer for the exception handler to know what shadow object is
 // currently used. Under shadow_instance_lock.
 // TODO(loskutov): eliminate this by enforcing Shadow to be a singleton.
-const Shadow* shadow_instance;
+const Shadow* shadow_instance = nullptr;
 
 // The exception handler, intended to map the pages for shadow and page_bits
 // on demand. When a page fault happens, the operating systems calls
 // this handler, and if the page is inside shadow or page_bits, it gets
 // commited seamlessly for the caller, and then execution continues.
 // Otherwise, the OS keeps searching for an appropriate handler.
 LONG NTAPI ShadowExceptionHandler(PEXCEPTION_POINTERS exception_pointers) {
+  DCHECK_NE(static_cast<const Shadow*>(nullptr), shadow_instance);
   // Only handle access violations.
   if (exception_pointers->ExceptionRecord->ExceptionCode !=
       EXCEPTION_ACCESS_VIOLATION) {
     return EXCEPTION_CONTINUE_SEARCH;
   }
 
   // Only handle access violations that land within the shadow memory
   // or the page bits.
 
   void* addr = reinterpret_cast<void*>(
@@ skipping 15 matching lines @@
   // This is an access violation while trying to read from the shadow. Commit
   // the relevant page and let execution continue.
 
   // Commit the page.
   void* result = ::VirtualAlloc(addr, 1, MEM_COMMIT, PAGE_READWRITE);
 
   return result != nullptr
       ? EXCEPTION_CONTINUE_EXECUTION
       : EXCEPTION_CONTINUE_SEARCH;
 }
+
+// Check if |addr| is in a memory region that has been committed.
+bool AddressIsInCommittedMemory(const void* addr) {
+  MEMORY_BASIC_INFORMATION memory_info = {};
+  SIZE_T mem_status = ::VirtualQuery(addr, &memory_info, sizeof(memory_info));
+  DCHECK_GT(mem_status, 0u);
+  if (memory_info.State != MEM_COMMIT)
+    return false;
+  return true;
+}
 #endif  // defined _WIN64
 
 static const size_t kPageSize = GetPageSize();
 
 // Converts an address to a page index and bit mask.
 inline void AddressToPageMask(const void* address,
                               size_t* index,
                               uint8_t* mask) {
   DCHECK_NE(static_cast<size_t*>(nullptr), index);
   DCHECK_NE(static_cast<uint8_t*>(nullptr), mask);
@@ skipping 119 matching lines @@
   }
 
   auto cursor = shadow_ + i;
   MEMORY_BASIC_INFORMATION info = {};
   while (i < length_) {
     auto next_cursor = cursor;
     while (cursor < shadow_ + length_) {
       auto ret = ::VirtualQuery(cursor, &info, sizeof(info));
       DCHECK_GT(ret, 0u);
       next_cursor = static_cast<uint8_t*>(info.BaseAddress) + info.RegionSize;
-      if (info.Type == MEM_COMMIT)
+      if (info.State == MEM_COMMIT)
         break;
       cursor = next_cursor;
     }
     i = cursor - shadow_;
     next_cursor = std::min(next_cursor, shadow_ + length_);
     auto next_i = next_cursor - shadow_;
     for (; i < next_i; ++i) {
       if ((i >= shadow_begin && i < shadow_end) ||
           (i >= page_bits_begin && i < page_bits_end) ||
           (i >= this_begin && i < this_end)) {
@@ skipping 48 matching lines @@
   Init(true, mem, length);
 }
 
 void Shadow::Init(bool own_memory, void* shadow, size_t length) {
 #ifdef _WIN64
   {
     base::AutoLock lock(shadow_instance_lock);
     shadow_instance = this;
   }
   exception_handler_ =
-      AddVectoredExceptionHandler(TRUE, ShadowExceptionHandler);
+      ::AddVectoredExceptionHandler(TRUE, ShadowExceptionHandler);
 #endif
 
   // Handle the case of a failed allocation.
   if (shadow == nullptr) {
     own_memory_ = false;
     shadow_ = nullptr;
     length = 0;
     return;
   }
 
@@ skipping 579 matching lines @@
 }
 
 bool Shadow::ScanLeftForBracketingBlockStart(
     size_t initial_nesting_depth, size_t cursor, size_t* location) const {
   DCHECK_NE(static_cast<size_t*>(NULL), location);
 
   static const size_t kLowerBound = kAddressLowerBound / kShadowRatio;
 
   size_t left = cursor;
   int nesting_depth = static_cast<int>(initial_nesting_depth);
+#ifdef _WIN64
+  if (!AddressIsInCommittedMemory((&shadow_[left])))

[chrisha, 2016/10/13 20:22:49]

This is going to cost a VirtualQuery per value of |left|, which is pretty
expensive. The virtual query gives us bounds of mapped memory, so we should
actually first do a VirtualQuery for the location, get bounds, and then do
normal checking against those bounds. If we hit the bounds and haven't found the
block start marker, then we return false.

(On Win32, the bounds are simply initialized to the entire range of the shadow
memory.)

[Sébastien Marchand, 2016/10/13 21:05:45]

No, in the loop I'm evaluating the following condition:
    if (&shadow_[left] < page_begin &&
        !AddressIsInCommittedMemory((&shadow_[left]))) {

so we will call AddressIsInCommittedMemory only once per page, not for every
value of |left|. But I agree that using the bound returned by VirtualQuery is
probably a better solution, on it.

[Sébastien Marchand, 2016/10/14 19:04:14]

Ha, didn't realized that VirtualQuery return the information about the whole
segment (not just the page), nice.

+    return false;
+  uint8_t* page_begin = ::common::AlignDown(&shadow_[left], kPageSize);
+#endif
   if (ShadowMarkerHelper::IsBlockEnd(shadow_[left]))
     --nesting_depth;
   while (true) {
+#ifdef _WIN64
+    if (&shadow_[left] < page_begin &&
+        !AddressIsInCommittedMemory((&shadow_[left]))) {
+      return false;
+    } else {
+      page_begin = ::common::AlignDown(&shadow_[left], kPageSize);
+    }
+#endif
     if (ShadowMarkerHelper::IsBlockStart(shadow_[left])) {
       if (nesting_depth == 0) {
         *location = left;
         return true;
       }
       // If this is not a nested block then there's no hope of finding a
       // block containing the original cursor.
       if (!ShadowMarkerHelper::IsNestedBlockStart(shadow_[left]))
         return false;
       --nesting_depth;
@@ skipping 142 matching lines @@
     size_t initial_nesting_depth,
     const void* addr,
     CompactBlockInfo* info) const {
   DCHECK_NE(static_cast<void*>(NULL), addr);
   DCHECK_NE(static_cast<CompactBlockInfo*>(NULL), info);
 
   // Convert the address to an offset in the shadow memory.
   size_t left = reinterpret_cast<uintptr_t>(addr) / kShadowRatio;
   size_t right = left;
 
+#ifdef _WIN64
+  if (!AddressIsInCommittedMemory((&shadow_[left])))
+    return false;
+#endif
+
   if (!ScanLeftForBracketingBlockStart(initial_nesting_depth, left, &left))
     return false;
   if (!ScanRightForBracketingBlockEnd(initial_nesting_depth, right, &right))
     return false;
   ++right;
 
   uint8_t* block = reinterpret_cast<uint8_t*>(left * kShadowRatio);
   info->header = reinterpret_cast<BlockHeader*>(block);
   info->block_size = static_cast<uint32_t>((right - left) * kShadowRatio);
 
@@ skipping 72 matching lines @@
     auto end_of_region = start_of_region + memory_info.RegionSize;
 
     // If the region isn't committed and readable memory then skip it.
     if (memory_info.State != MEM_COMMIT) {
       // If the next region is beyond the part of the shadow being scanned
       // then bail early (be careful to handle overflow here).
       if (end_of_region > shadow_upper_bound || end_of_region == nullptr)
         return false;
 
       // Step to the beginning of the next region and try again.
-      shadow_cursor_ = start_of_region;
+      shadow_cursor_ = end_of_region;

[chrisha, 2016/10/13 20:22:49]

Oops! My bad. New unittest for this?

[Sébastien Marchand, 2016/10/14 19:04:14]

Addressing this in https://codereview.chromium.org/2421523003.

       continue;
     }
 
     // Getting here then |start_of_region| and |end_of_region| are a part of
     // the shadow that should be scanned. Calculate where to stop for this
     // region, taking care to handle overflow.
     if (!end_of_region) {
       end_of_region = shadow_upper_bound;
     } else {
       end_of_region = std::min(shadow_upper_bound, end_of_region);
@@ skipping 51 matching lines @@
       // Advance the shadow cursor.
       ++shadow_cursor_;
     }  // while (shadow_cursor_ < end_of_region)
   }
 
   return false;
 }
 
 }  // namespace asan
 }  // namespace agent