PassRefPtr<SharedMemory> SharedMemory::createFromVMBuffer(void* data, size_t size)
{
ASSERT(size);
// Create a Mach port that represents the shared memory.
mach_port_t port;
memory_object_size_t memoryObjectSize = round_page(size);
kern_return_t kr = mach_make_memory_entry_64(mach_task_self(), &memoryObjectSize, toVMAddress(data), VM_PROT_DEFAULT | VM_PROT_IS_MASK, &port, MACH_PORT_NULL);
if (kr != KERN_SUCCESS) {
LOG_ERROR("Failed to create a mach port for shared memory. %s (%x)", mach_error_string(kr), kr);
return 0;
}
ASSERT(memoryObjectSize >= round_page(size));
if (memoryObjectSize < round_page(size)) {
mach_port_deallocate(mach_task_self(), port);
return 0;
}
RefPtr<SharedMemory> sharedMemory(adoptRef(new SharedMemory));
sharedMemory->m_size = size;
sharedMemory->m_data = data;
sharedMemory->m_shouldVMDeallocateData = false;
sharedMemory->m_port = port;
return sharedMemory.release();
}
bool SharedMemory::createHandle(Handle& handle, Protection protection)
{
ASSERT(!handle.m_port);
ASSERT(!handle.m_size);
mach_vm_address_t address = toVMAddress(m_data);
memory_object_size_t size = round_page(m_size);
mach_port_t port;
if (protection == ReadWrite && m_port) {
// Just re-use the port we have.
port = m_port;
if (mach_port_mod_refs(mach_task_self(), port, MACH_PORT_RIGHT_SEND, 1) != KERN_SUCCESS)
return false;
} else {
// Create a mach port that represents the shared memory.
kern_return_t kr = mach_make_memory_entry_64(mach_task_self(), &size, address, machProtection(protection), &port, MACH_PORT_NULL);
if (kr != KERN_SUCCESS)
return false;
ASSERT(size >= round_page(m_size));
}
handle.m_port = port;
handle.m_size = size;
return true;
}
PassRefPtr<SharedMemory> SharedMemory::create(size_t size)
{
ASSERT(size);
mach_vm_address_t address;
kern_return_t kr = mach_vm_allocate(mach_task_self(), &address, round_page(size), VM_FLAGS_ANYWHERE);
if (kr != KERN_SUCCESS) {
LOG_ERROR("Failed to allocate mach_vm_allocate shared memory (%zu bytes). %s (%x)", size, mach_error_string(kr), kr);
return 0;
}
// Create a Mach port that represents the shared memory.
mach_port_t port;
memory_object_size_t memoryObjectSize = round_page(size);
kr = mach_make_memory_entry_64(mach_task_self(), &memoryObjectSize, address, VM_PROT_DEFAULT, &port, MACH_PORT_NULL);
if (kr != KERN_SUCCESS) {
LOG_ERROR("Failed to create a mach port for shared memory. %s (%x)", mach_error_string(kr), kr);
mach_vm_deallocate(mach_task_self(), address, round_page(size));
return 0;
}
ASSERT(memoryObjectSize >= round_page(size));
RefPtr<SharedMemory> sharedMemory(adoptRef(new SharedMemory));
sharedMemory->m_size = size;
sharedMemory->m_data = toPointer(address);
sharedMemory->m_port = port;
return sharedMemory.release();
}
static WebCore::MachSendRight makeMemoryEntry(size_t size, vm_offset_t offset, SharedMemory::Protection protection, mach_port_t parentEntry)
{
memory_object_size_t memoryObjectSize = round_page(size);
mach_port_t port;
kern_return_t kr = mach_make_memory_entry_64(mach_task_self(), &memoryObjectSize, offset, machProtection(protection) | VM_PROT_IS_MASK | MAP_MEM_VM_SHARE, &port, parentEntry);
if (kr != KERN_SUCCESS) {
LOG_ERROR("Failed to create a mach port for shared memory. %s (%x)", mach_error_string(kr), kr);
return { };
}
RELEASE_ASSERT(memoryObjectSize >= size);
return WebCore::MachSendRight::adopt(port);
}
bool SharedMemory::createHandle(Handle& handle, Protection protection)
{
ASSERT(!handle.m_port);
ASSERT(!handle.m_size);
mach_vm_address_t address = toVMAddress(m_data);
memory_object_size_t size = round_page(m_size);
// Create a mach port that represents the shared memory.
mach_port_t port;
kern_return_t kr = mach_make_memory_entry_64(mach_task_self(), &size, address, machProtection(protection), &port, MACH_PORT_NULL);
if (kr != KERN_SUCCESS)
return false;
handle.m_port = port;
handle.m_size = size;
return true;
}
static bool
CreateThePort(mach_vm_address_t& child_address)
{
mach_vm_address_t address;
mach_port_t port;
size_t size = 8000;
kern_return_t kr = mach_vm_allocate(mach_task_self(), &address, round_page(size), VM_FLAGS_ANYWHERE);
if (kr != KERN_SUCCESS) {
printf("Failed to allocate mach_vm_allocate shared memory (%zu bytes). %s (%x)", size, mach_error_string(kr), kr);
return false;
}
memory_object_size_t memoryObjectSize = round_page(size);
kr = mach_make_memory_entry_64(mach_task_self(), &memoryObjectSize, address, VM_PROT_DEFAULT, &port, MACH_PORT_NULL);
if (kr != KERN_SUCCESS) {
printf("Failed to make memory entry (%zu bytes). %s (%x)\n", size, mach_error_string(kr), kr);
return false;
}
vm_prot_t vmProtection = VM_PROT_READ | VM_PROT_WRITE;
// Choose an address that will be valid in the child process and point to our buffer.
// child_address must not be dereferenced in the parent process.
child_address = address + 0x10000;
kr = mach_vm_map(child_task, &child_address, round_page(size), 0, 0,
port, 0, false, vmProtection, vmProtection, VM_INHERIT_NONE);
if (kr != KERN_SUCCESS) {
printf("Failed to mach_vm_map (%zu bytes). %s (%x)\n", size, mach_error_string(kr), kr);
return false;
}
int* buf = reinterpret_cast<int*>(static_cast<uintptr_t>(address));
buf[0] = 42;
return true;
}
/**
* Map pages starting at @a task_addr from @a task into the current process. The mapping
* will be copy-on-write, and will be checked to ensure a minimum protection value of
* VM_PROT_READ.
*
* @param task The task from which the memory will be mapped.
* @param task_addr The task-relative address of the memory to be mapped. This is not required to fall on a page boundry.
* @param length The total size of the mapping to create.
* @param require_full If false, short mappings will be permitted in the case where a memory object of the requested length
* does not exist at the target address. It is the caller's responsibility to validate the resulting length of the
* mapping, eg, using plcrash_async_mobject_remap_address() and similar. If true, and the entire requested page range is
* not valid, the mapping request will fail.
* @param[out] result The in-process address at which the pages were mapped.
* @param[out] result_length The total size, in bytes, of the mapped pages.
*
* @return On success, returns PLCRASH_ESUCCESS. On failure, one of the plcrash_error_t error values will be returned, and no
* mapping will be performed.
*
* @note
* This code previously used vm_remap() to perform atomic remapping of process memory. However, this appeared
* to trigger a kernel bug (and resulting panic) on iOS 6.0 through 6.1.2, possibly fixed in 6.1.3. Note that
* no stable release of PLCrashReporter shipped with the vm_remap() code.
*
* Investigation of the failure seems to show an over-release of the target vm_map and backing vm_object, leading to
* NULL dereference, invalid memory references, and in some cases, deadlocks that result in watchdog timeouts.
*
* In one example case, the crash occurs in update_first_free_ll() as a NULL dereference of the vm_map_entry_t parameter.
* Analysis of the limited reports shows that this is called via vm_map_store_update_first_free(). No backtrace is
* available from the kernel panics, but analyzing the register state demonstrates:
* - A reference to vm_map_store_update_first_free() remains in the link register.
* - Of the following callers, one can be eliminated by register state:
* - vm_map_enter - not possible, r3 should be equal to r0
* - vm_map_clip_start - possible
* - vm_map_clip_unnest - possible
* - vm_map_clip_end - possible
*
* In the other panic seen in vm_object_reap_pages(), a value of 0x8008 is loaded and deferenced from the next pointer
* of an element within the vm_object's resident page queue (object->memq).
*
* Unfortunately, our ability to investigate has been extremely constrained by the following issues;
* - The panic is not easily or reliably reproducible
* - Apple's does not support iOS kernel debugging
* - There is no support for jailbreak kernel debugging against iOS 6.x devices at the time of writing.
*
* The work-around used here is to split the vm_remap() into distinct calls to mach_make_memory_entry_64() and
* vm_map(); this follows a largely distinct code path from vm_remap(). In testing by a large-scale user of PLCrashReporter,
* they were no longer able to reproduce the issue with this fix in place. Additionally, they've not been able to reproduce
* the issue on 6.1.3 devices, or had any reports of the issue occuring on 6.1.3 devices.
*
* The mach_make_memory_entry_64() API may not actually return an entry for the full requested length; this requires
* that we loop through the full range, requesting an entry for the remaining unallocated pages, and then mapping
* the pages in question. Since this requires multiple calls to vm_map(), we pre-allocate a contigious range of pages
* for the target mappings into which we'll insert (via overwrite) our own mappings.
*
* @note
* As a work-around for bugs in Apple's Mach-O/dyld implementation, we provide the @a require_full flag; if false,
* a successful mapping that is smaller than the requested range may be made, and will not return an error. This is necessary
* to allow our callers to work around bugs in update_dyld_shared_cache(1), which writes out a larger Mach-O VM segment
* size value than is actually available and mappable. See the plcrash_async_macho_map_segment() API documentation for
* more details. This bug has been reported to Apple as rdar://13707406.
*/
static plcrash_error_t plcrash_async_mobject_remap_pages_workaround (mach_port_t task,
pl_vm_address_t task_addr,
pl_vm_size_t length,
bool require_full,
pl_vm_address_t *result,
pl_vm_size_t *result_length)
{
kern_return_t kt;
/* Compute the total required page size. */
pl_vm_address_t base_addr = mach_vm_trunc_page(task_addr);
pl_vm_size_t total_size = mach_vm_round_page(length + (task_addr - base_addr));
/*
* If short mappings are permitted, determine the actual mappable size of the target range. Due
* to rdar://13707406 (update_dyld_shared_cache appears to write invalid LINKEDIT vmsize), an
* LC_SEGMENT-reported VM size may be far larger than the actual mapped pages. This would result
* in us making large (eg, 36MB) allocations in cases where the mappable range is actually much
* smaller, which can trigger out-of-memory conditions on smaller devices.
*/
if (!require_full) {
pl_vm_size_t verified_size = 0;
while (verified_size < total_size) {
memory_object_size_t entry_length = total_size - verified_size;
mach_port_t mem_handle;
/* Fetch an entry reference */
kt = mach_make_memory_entry_64(task, &entry_length, base_addr + verified_size, VM_PROT_READ, &mem_handle, MACH_PORT_NULL);
if (kt != KERN_SUCCESS) {
/* Once we hit an unmappable page, break */
break;
}
/* Drop the reference */
kt = mach_port_mod_refs(mach_task_self(), mem_handle, MACH_PORT_RIGHT_SEND, -1);
if (kt != KERN_SUCCESS) {
PLCF_DEBUG("mach_port_mod_refs(-1) failed: %d", kt);
}
/* Note the size */
verified_size += entry_length;
}
/* No valid page found at the task_addr */
if (verified_size == 0) {
PLCF_DEBUG("No mappable pages found at 0x%" PRIx64, (uint64_t) task_addr);
return PLCRASH_ENOMEM;
}
/* Reduce the total size to the verified size */
if (verified_size < total_size)
total_size = verified_size;
}
/*
* Set aside a memory range large enough for the total requested number of pages. Ideally the kernel
* will lazy-allocate the backing physical pages so that we don't waste actual memory on this
* pre-emptive page range reservation.
*/
pl_vm_address_t mapping_addr = 0x0;
pl_vm_size_t mapped_size = 0;
#ifdef PL_HAVE_MACH_VM
kt = mach_vm_allocate(mach_task_self(), &mapping_addr, total_size, VM_FLAGS_ANYWHERE);
#else
kt = vm_allocate(mach_task_self(), &mapping_addr, total_size, VM_FLAGS_ANYWHERE);
#endif
if (kt != KERN_SUCCESS) {
PLCF_DEBUG("Failed to allocate a target page range for the page remapping: %d", kt);
return PLCRASH_EINTERNAL;
}
/* Map the source pages into the allocated region, overwriting the existing page mappings */
while (mapped_size < total_size) {
/* Create a reference to the target pages. The returned entry may be smaller than the total length. */
memory_object_size_t entry_length = total_size - mapped_size;
mach_port_t mem_handle;
kt = mach_make_memory_entry_64(task, &entry_length, base_addr + mapped_size, VM_PROT_READ, &mem_handle, MACH_PORT_NULL);
if (kt != KERN_SUCCESS) {
/* No pages are found at the target. When validating the total length above, we already verified the
* availability of the requested pages; if they've now disappeared, we can treat it as an error,
* even if !require_full was specified */
PLCF_DEBUG("mach_make_memory_entry_64() failed: %d", kt);
/* Clean up the reserved pages */
kt = vm_deallocate(mach_task_self(), mapping_addr, total_size);
if (kt != KERN_SUCCESS) {
PLCF_DEBUG("vm_deallocate() failed: %d", kt);
}
/* Return error */
return PLCRASH_ENOMEM;
}
/* Map the pages into our local task, overwriting the allocation used to reserve the target space above. */
pl_vm_address_t target_address = mapping_addr + mapped_size;
#ifdef PL_HAVE_MACH_VM
kt = mach_vm_map(mach_task_self(), &target_address, entry_length, 0x0, VM_FLAGS_FIXED|VM_FLAGS_OVERWRITE, mem_handle, 0x0, TRUE, VM_PROT_READ, VM_PROT_READ, VM_INHERIT_COPY);
#else
kt = vm_map(mach_task_self(), &target_address, entry_length, 0x0, VM_FLAGS_FIXED|VM_FLAGS_OVERWRITE, mem_handle, 0x0, TRUE, VM_PROT_READ, VM_PROT_READ, VM_INHERIT_COPY);
#endif /* !PL_HAVE_MACH_VM */
if (kt != KERN_SUCCESS) {
PLCF_DEBUG("vm_map() failure: %d", kt);
/* Clean up the reserved pages */
kt = vm_deallocate(mach_task_self(), mapping_addr, total_size);
if (kt != KERN_SUCCESS) {
PLCF_DEBUG("vm_deallocate() failed: %d", kt);
}
/* Drop the memory handle */
kt = mach_port_mod_refs(mach_task_self(), mem_handle, MACH_PORT_RIGHT_SEND, -1);
if (kt != KERN_SUCCESS) {
PLCF_DEBUG("mach_port_mod_refs(-1) failed: %d", kt);
}
return PLCRASH_ENOMEM;
}
/* Drop the memory handle */
kt = mach_port_mod_refs(mach_task_self(), mem_handle, MACH_PORT_RIGHT_SEND, -1);
if (kt != KERN_SUCCESS) {
PLCF_DEBUG("mach_port_mod_refs(-1) failed: %d", kt);
}
/* Adjust the total mapping size */
mapped_size += entry_length;
}
*result = mapping_addr;
*result_length = mapped_size;
return PLCRASH_ESUCCESS;
}
