Make SyzyAsan support the allocation > 1GB

syzygy/agent/asan/heap_managers/block_heap_manager.cc

 // Copyright 2014 Google Inc. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 48 matching lines @@
   shift = (n > 0xF) << 2;
   n >>= shift;
   r |= shift;
   shift = (n > 0x3) << 1;
   n >>= shift;
   r |= shift;
   r |= (n >> 1);
   return r;
 }
 
+// Try to do an unguarded allocation.
+// @param heap_interface The heap that should serve the allocation.
+// @param shadow The shadow memory.
+// @param bytes The size of the allocation.
+// @returns a pointer to the allocation on success, nullptr otherwise.
+void* DoUnguardedAllocation(BlockHeapInterface* heap_interface,
+                            Shadow* shadow,
+                            uint32_t bytes) {
+  void* alloc = heap_interface->Allocate(bytes);
+  if ((heap_interface->GetHeapFeatures() &
+       HeapInterface::kHeapReportsReservations) != 0) {
+    shadow->Unpoison(alloc, bytes);
+  }
+  return alloc;
+}
+
 }  // namespace
 
 BlockHeapManager::BlockHeapManager(Shadow* shadow,
                                    StackCaptureCache* stack_cache,
                                    MemoryNotifierInterface* memory_notifier)
     : shadow_(shadow),
       stack_cache_(stack_cache),
       memory_notifier_(memory_notifier),
       initialized_(false),
       process_heap_(nullptr),
@@ skipping 93 matching lines @@
   return true;
 }
 
 void* BlockHeapManager::Allocate(HeapId heap_id, uint32_t bytes) {
   DCHECK(initialized_);
   DCHECK(IsValidHeapId(heap_id, false));
 
   // Some allocations can pass through without instrumentation.
   if (parameters_.allocation_guard_rate < 1.0 &&
       base::RandDouble() >= parameters_.allocation_guard_rate) {
-    BlockHeapInterface* heap = GetHeapFromId(heap_id);
-    void* alloc = heap->Allocate(bytes);
-    if ((heap->GetHeapFeatures() &
-        HeapInterface::kHeapReportsReservations) != 0) {
-      shadow_->Unpoison(alloc, bytes);
-    }
-    return alloc;
+    return DoUnguardedAllocation(GetHeapFromId(heap_id), shadow_, bytes);
   }
 
   // Capture the current stack. InitFromStack is inlined to preserve the
   // greatest number of stack frames.
   common::StackCapture stack;
   stack.InitFromStack();
 
   // Build the set of heaps that will be used to satisfy the allocation. This
   // is a stack of heaps, and they will be tried in the reverse order they are
   // inserted.
@@ skipping 20 matching lines @@
         bytes,
         0,
         parameters_.trailer_padding_size + sizeof(BlockTrailer),
         &block_layout);
     if (alloc != nullptr) {
       heap_id = heaps[i];
       break;
     }
   }
 
-  // The allocation can fail if we're out of memory.
+  // The allocation might fail because its size exceed the maximum size that

[Sigurður Ásgeirsson, 2016/11/25 18:16:11]

It would IMHO make much more sense, and be much simpler and easier to maintain
correctness, if we outright reject allocations that are too large. I guarantee
that there's no code in Chrome that requires the ability to allocate >1Gb in a
chunk, though there will be code that makes that attempt.

[Sébastien Marchand, 2016/11/25 21:14:57]

I'm not sure, we had some CF test cases who allocate some really large buffers,
and I don't think that this is an issue? We shouldn't crash for these, we could
return nullptr but we've always to try to mimic Chrome as much as we can in this
kind of edge cases, and in this case Chrome doesn't cap the allocation size, so
I'm not sure that we should do it either (not instrumenting this allocation is a
different thing).

+  // we can represent in the BlockHeader structure, try to do an unguarded
+  // allocation.
   if (alloc == nullptr)
-    return nullptr;
+    return DoUnguardedAllocation(GetHeapFromId(heap_id), shadow_, bytes);
 
   DCHECK_NE(static_cast<void*>(nullptr), alloc);
   DCHECK_EQ(0u, reinterpret_cast<size_t>(alloc) % kShadowRatio);
   BlockInfo block = {};
   BlockInitialize(block_layout, alloc, &block);
 
   // Poison the redzones in the shadow memory as early as possible.
   shadow_->PoisonAllocatedBlock(block);
 
   block.header->alloc_stack = stack_cache_->SaveStackTrace(stack);
@@ skipping 870 matching lines @@
   if (trailer_has_valid_heap_id)
     return block_info->trailer->heap_id;
 
   // Unfortunately, there's no way to know which heap this block belongs to.
   return 0;
 }
 
 }  // namespace heap_managers
 }  // namespace asan
 }  // namespace agent