Adjust memory pressure from SSL

runtime/bin/secure_socket_boringssl.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #if !defined(DART_IO_DISABLED) && !defined(DART_IO_SECURE_SOCKET_DISABLED)
 
 #include "platform/globals.h"
 #if defined(TARGET_OS_ANDROID) || defined(TARGET_OS_LINUX) ||                  \
     defined(TARGET_OS_WINDOWS) || defined(TARGET_OS_FUCHSIA)
 
@@ skipping 37 matching lines @@
   }
 
 namespace dart {
 namespace bin {
 
 bool SSLFilter::library_initialized_ = false;
 // To protect library initialization.
 Mutex* SSLFilter::mutex_ = new Mutex();
 int SSLFilter::filter_ssl_index;
 
+const intptr_t SSLFilter::kInternalBIOSize = 10 * KB;
+const intptr_t SSLFilter::kApproximateSize =
+    sizeof(SSLFilter) + (2 * SSLFilter::kInternalBIOSize);
+
+// The security context won't necessarily use the compiled-in root certificates,
+// but since there is no way to update the size of the allocation after creating
+// the weak persistent handle, we assume that it will. Note that when the
+// root certs aren't compiled in, |root_certificates_pem_length| is 0.
+const intptr_t SSLContext::kApproximateSize =
+    sizeof(SSLContext) + root_certificates_pem_length;
+
 static const int kSSLFilterNativeFieldIndex = 0;
 static const int kSecurityContextNativeFieldIndex = 0;
 static const int kX509NativeFieldIndex = 0;
 
 static const bool SSL_LOG_STATUS = false;
 static const bool SSL_LOG_DATA = false;
 
 static const int SSL_ERROR_MESSAGE_BUFFER_SIZE = 1000;
 
-
 const char* commandline_root_certs_file = NULL;
 const char* commandline_root_certs_cache = NULL;
 
-
 /* Get the error messages from BoringSSL, and put them in buffer as a
  * null-terminated string. */
 static void FetchErrorString(char* buffer, int length) {
   buffer[0] = '\0';
   int error = ERR_get_error();
   while (error != 0) {
     int used = strlen(buffer);
     int free_length = length - used;
     if (free_length > 16) {
       // Enough room for error code at least.
@@ skipping 52 matching lines @@
 static Dart_Handle SetFilter(Dart_NativeArguments args, SSLFilter* filter) {
   ASSERT(filter != NULL);
   Dart_Handle dart_this = Dart_GetNativeArgument(args, 0);
   RETURN_IF_ERROR(dart_this);
   ASSERT(Dart_IsInstance(dart_this));
   Dart_Handle err =
       Dart_SetNativeInstanceField(dart_this, kSSLFilterNativeFieldIndex,
                                   reinterpret_cast<intptr_t>(filter));
   RETURN_IF_ERROR(err);
   Dart_NewWeakPersistentHandle(dart_this, reinterpret_cast<void*>(filter),
-                               sizeof(*filter), DeleteFilter);
+                               SSLFilter::kApproximateSize, DeleteFilter);
   return Dart_Null();
 }
 
 
 static SSLContext* GetSecurityContext(Dart_NativeArguments args) {
   SSLContext* context;
   Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0));
   ASSERT(Dart_IsInstance(dart_this));
   ThrowIfError(
       Dart_GetNativeInstanceField(dart_this, kSecurityContextNativeFieldIndex,
                                   reinterpret_cast<intptr_t*>(&context)));
   return context;
 }
 
 
 static void DeleteSecurityContext(void* isolate_data,
                                   Dart_WeakPersistentHandle handle,
                                   void* context_pointer) {
   SSLContext* context = static_cast<SSLContext*>(context_pointer);
   delete context;
 }
 
 
 static Dart_Handle SetSecurityContext(Dart_NativeArguments args,
                                       SSLContext* context) {
-  const int approximate_size_of_context = 1500;
   Dart_Handle dart_this = Dart_GetNativeArgument(args, 0);
   RETURN_IF_ERROR(dart_this);
   ASSERT(Dart_IsInstance(dart_this));
   Dart_Handle err =
       Dart_SetNativeInstanceField(dart_this, kSecurityContextNativeFieldIndex,
                                   reinterpret_cast<intptr_t>(context));
   RETURN_IF_ERROR(err);
-  Dart_NewWeakPersistentHandle(dart_this, context, approximate_size_of_context,
+  Dart_NewWeakPersistentHandle(dart_this, context, SSLContext::kApproximateSize,
                                DeleteSecurityContext);
   return Dart_Null();
 }
 
 
 static X509* GetX509Certificate(Dart_NativeArguments args) {
   X509* certificate;
   Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0));
   ASSERT(Dart_IsInstance(dart_this));
   ThrowIfError(
@@ skipping 134 matching lines @@
 
 
 static void ReleaseCertificate(void* isolate_data,
                                Dart_WeakPersistentHandle handle,
                                void* context_pointer) {
   X509* cert = reinterpret_cast<X509*>(context_pointer);
   X509_free(cert);
 }
 
 
+static intptr_t EstimateX509Size(X509* certificate) {
+  intptr_t length = i2d_X509(certificate, NULL);
+  return length > 0 ? length : 0;
+}
+
+
 // Returns the handle for a Dart object wrapping the X509 certificate object.
 // The caller should own a reference to the X509 object whose reference count
 // won't drop to zero before the ReleaseCertificate finalizer runs.
 static Dart_Handle WrappedX509Certificate(X509* certificate) {
-  const intptr_t approximate_size_of_certificate = 1500;
   if (certificate == NULL) {
     return Dart_Null();
   }
   Dart_Handle x509_type =
       DartUtils::GetDartType(DartUtils::kIOLibURL, "X509Certificate");
   if (Dart_IsError(x509_type)) {
     X509_free(certificate);
     return x509_type;
   }
   Dart_Handle arguments[] = {NULL};
   Dart_Handle result =
       Dart_New(x509_type, DartUtils::NewString("_"), 0, arguments);
   if (Dart_IsError(result)) {
     X509_free(certificate);
     return result;
   }
   ASSERT(Dart_IsInstance(result));
   Dart_Handle status = Dart_SetNativeInstanceField(
       result, kX509NativeFieldIndex, reinterpret_cast<intptr_t>(certificate));
   if (Dart_IsError(status)) {
     X509_free(certificate);
     return status;
   }
+  const intptr_t approximate_size_of_certificate =
+      sizeof(*certificate) + EstimateX509Size(certificate);
+  ASSERT(approximate_size_of_certificate > 0);
   Dart_NewWeakPersistentHandle(result, reinterpret_cast<void*>(certificate),
                                approximate_size_of_certificate,
                                ReleaseCertificate);
   return result;
 }
 
 
 int CertificateCallback(int preverify_ok, X509_STORE_CTX* store_ctx) {
   if (preverify_ok == 1) {
     return 1;
@@ skipping 1118 matching lines @@
                         bool require_client_certificate,
                         Dart_Handle protocols_handle) {
   is_server_ = is_server;
   if (in_handshake_) {
     FATAL("Connect called twice on the same _SecureFilter.");
   }
 
   int status;
   int error;
   BIO* ssl_side;
-  status = BIO_new_bio_pair(&ssl_side, 10000, &socket_side_, 10000);
+  status = BIO_new_bio_pair(&ssl_side, kInternalBIOSize, &socket_side_,
+                            kInternalBIOSize);
   CheckStatus(status, "TlsException", "BIO_new_bio_pair");
 
   assert(context != NULL);
   ssl_ = SSL_new(context);
   SSL_set_bio(ssl_, ssl_side, ssl_side);
   SSL_set_mode(ssl_, SSL_MODE_AUTO_RETRY);  // TODO(whesse): Is this right?
   SSL_set_ex_data(ssl_, filter_ssl_index, this);
 
 #if defined(TARGET_OS_FUCHSIA)
   // Temporary workaround until we isolate the memory leak issue.
@@ skipping 251 matching lines @@
   return bytes_processed;
 }
 
 }  // namespace bin
 }  // namespace dart
 
 #endif  // defined(TARGET_OS_LINUX)
 
 #endif  // !defined(DART_IO_DISABLED) &&
         // !defined(DART_IO_SECURE_SOCKET_DISABLED)