Hook up allocator shim on mac.

base/allocator/allocator_interception_mac.mm

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file contains all the logic necessary to intercept allocations on
 // macOS. "malloc zones" are an abstraction that allows the process to intercept
 // all malloc-related functions.  There is no good mechanism [short of
 // interposition] to determine new malloc zones are added, so there's no clean
 // mechanism to intercept all malloc zones. This file contains logic to
 // intercept the default and purgeable zones, which always exist. A cursory
@@ skipping 20 matching lines @@
 #include "base/mac/mac_util.h"
 #include "base/mac/mach_logging.h"
 #include "base/process/memory.h"
 #include "base/scoped_clear_errno.h"
 #include "build/build_config.h"
 #include "third_party/apple_apsl/CFBase.h"
 
 namespace base {
 namespace allocator {
 
+MallocZoneFunctions::MallocZoneFunctions() {}
+
 namespace {
 
 bool g_oom_killer_enabled;
+bool g_replaced_default_zone = false;
 
 // Starting with Mac OS X 10.7, the zone allocators set up by the system are
 // read-only, to prevent them from being overwritten in an attack. However,
 // blindly unprotecting and reprotecting the zone allocators fails with
 // GuardMalloc because GuardMalloc sets up its zone allocator using a block of
 // memory in its bss. Explicit saving/restoring of the protection is required.
 //
 // This function takes a pointer to a malloc zone, de-protects it if necessary,
 // and returns (in the out parameters) a region of memory (if any) to be
 // re-protected when modifications are complete. This approach assumes that
@@ skipping 241 matching lines @@
   return *result != NULL;
 }
 
 void StoreZoneFunctions(ChromeMallocZone* zone,
                         MallocZoneFunctions* functions) {
   functions->malloc = zone->malloc;
   functions->calloc = zone->calloc;
   functions->valloc = zone->valloc;
   functions->free = zone->free;
   functions->realloc = zone->realloc;
+  functions->size = zone->size;
   CHECK(functions->malloc && functions->calloc && functions->valloc &&
-        functions->free && functions->realloc);
+        functions->free && functions->realloc && functions->size);
+
+  // These functions might be nullptr.
+  functions->batch_malloc = zone->batch_malloc;
+  functions->batch_free = zone->batch_free;
 
   if (zone->version >= 5) {
     functions->memalign = zone->memalign;
     CHECK(functions->memalign);
   }
+  if (zone->version >= 6) {
+    // This may be nullptr.
+    functions->free_definite_size = zone->free_definite_size;
+  }
 }
 
 void ReplaceZoneFunctions(ChromeMallocZone* zone,
                           const MallocZoneFunctions* functions) {
   // Remove protection.
   mach_vm_address_t reprotection_start = 0;
   mach_vm_size_t reprotection_length = 0;
   vm_prot_t reprotection_value = VM_PROT_NONE;
   DeprotectMallocZone(zone, &reprotection_start, &reprotection_length,
                       &reprotection_value);
 
+  CHECK(functions->malloc && functions->calloc && functions->valloc &&
+        functions->free && functions->realloc);
   zone->malloc = functions->malloc;
   zone->calloc = functions->calloc;
   zone->valloc = functions->valloc;
   zone->free = functions->free;
   zone->realloc = functions->realloc;
-  if (zone->version >= 5) {
+  if (functions->batch_malloc)
+    zone->batch_malloc = functions->batch_malloc;
+  if (functions->batch_free)
+    zone->batch_free = functions->batch_free;
+  if (functions->size)
+    zone->size = functions->size;
+  if (zone->version >= 5 && functions->memalign) {
     zone->memalign = functions->memalign;
   }
+  if (zone->version >= 6 && functions->free_definite_size) {
+    zone->free_definite_size = functions->free_definite_size;
+  }
 
   // Restore protection if it was active.
   if (reprotection_start) {
     kern_return_t result =
         mach_vm_protect(mach_task_self(), reprotection_start,
                         reprotection_length, false, reprotection_value);
     MACH_CHECK(result == KERN_SUCCESS, result) << "mach_vm_protect";
   }
 }
 
+void StoreFunctionsForDefaultZone(MallocZoneFunctions* functions) {
+  ChromeMallocZone* default_zone = reinterpret_cast<ChromeMallocZone*>(
+      malloc_default_zone());
+  StoreZoneFunctions(default_zone, functions);
+}
+
+void ReplaceFunctionsForDefaultZone(const MallocZoneFunctions* functions) {
+  CHECK(!g_replaced_default_zone);
+  g_replaced_default_zone = true;
+  StoreFunctionsForDefaultZone(&g_old_zone);
+  ChromeMallocZone* default_zone = reinterpret_cast<ChromeMallocZone*>(
+      malloc_default_zone());
+  ReplaceZoneFunctions(default_zone, functions);
+}
+
 void InterceptAllocationsMac() {
   if (g_oom_killer_enabled)
     return;
 
   g_oom_killer_enabled = true;
 
 // === C malloc/calloc/valloc/realloc/posix_memalign ===
 
 // This approach is not perfect, as requests for amounts of memory larger than
 // MALLOC_ABSOLUTE_MAX_SIZE (currently SIZE_T_MAX - (2 * PAGE_SIZE)) will
 // still fail with a NULL rather than dying (see
 // http://opensource.apple.com/source/Libc/Libc-583/gen/malloc.c for details).
 // Unfortunately, it's the best we can do. Also note that this does not affect
 // allocations from non-default zones.
 
 #if !defined(ADDRESS_SANITIZER)
   // Don't do anything special on OOM for the malloc zones replaced by
   // AddressSanitizer, as modifying or protecting them may not work correctly.
-  ChromeMallocZone* default_zone =
-      reinterpret_cast<ChromeMallocZone*>(malloc_default_zone());
-  StoreZoneFunctions(default_zone, &g_old_zone);
-  MallocZoneFunctions new_functions;
-  new_functions.malloc = oom_killer_malloc;
-  new_functions.calloc = oom_killer_calloc;
-  new_functions.valloc = oom_killer_valloc;
-  new_functions.free = oom_killer_free;
-  new_functions.realloc = oom_killer_realloc;
-  new_functions.memalign = oom_killer_memalign;
-  ReplaceZoneFunctions(default_zone, &new_functions);
+  if (!g_replaced_default_zone) {
+    StoreFunctionsForDefaultZone(&g_old_zone);
+    MallocZoneFunctions new_functions;
+    new_functions.malloc = oom_killer_malloc;
+    new_functions.calloc = oom_killer_calloc;
+    new_functions.valloc = oom_killer_valloc;
+    new_functions.free = oom_killer_free;
+    new_functions.realloc = oom_killer_realloc;
+    new_functions.memalign = oom_killer_memalign;
+    ReplaceFunctionsForDefaultZone(&new_functions);
+  }
 
   ChromeMallocZone* purgeable_zone =
       reinterpret_cast<ChromeMallocZone*>(malloc_default_purgeable_zone());
   if (purgeable_zone) {
     StoreZoneFunctions(purgeable_zone, &g_old_purgeable_zone);
     MallocZoneFunctions new_functions;
     new_functions.malloc = oom_killer_malloc_purgeable;
     new_functions.calloc = oom_killer_calloc_purgeable;
     new_functions.valloc = oom_killer_valloc_purgeable;
     new_functions.free = oom_killer_free_purgeable;
@@ skipping 82 matching lines @@
   g_old_allocWithZone =
       reinterpret_cast<allocWithZone_t>(method_getImplementation(orig_method));
   CHECK(g_old_allocWithZone)
       << "Failed to get allocWithZone allocation function.";
   method_setImplementation(orig_method,
                            reinterpret_cast<IMP>(oom_killer_allocWithZone));
 }
 
 }  // namespace allocator
 }  // namespace base