gc asan poison
This commit is contained in:
@@ -19,8 +19,9 @@
|
||||
#include <unistd.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
/* Test suite declaration */
|
||||
/* Test suite declarations */
|
||||
int run_c_test_suite(JSContext *ctx);
|
||||
static int run_test_suite(size_t heap_size);
|
||||
|
||||
cell_rt *root_cell = NULL;
|
||||
static char *core_path = NULL;
|
||||
@@ -204,7 +205,7 @@ static void signal_handler(int sig)
|
||||
}
|
||||
|
||||
/* Run the C test suite with minimal runtime setup */
|
||||
static int run_test_suite(void)
|
||||
static int run_test_suite(size_t heap_size)
|
||||
{
|
||||
JSRuntime *rt = JS_NewRuntime();
|
||||
if (!rt) {
|
||||
@@ -212,7 +213,7 @@ static int run_test_suite(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
JSContext *ctx = JS_NewContextRaw(rt);
|
||||
JSContext *ctx = JS_NewContextRawWithHeapSize(rt, heap_size);
|
||||
if (!ctx) {
|
||||
printf("Failed to create JS context\n");
|
||||
JS_FreeRuntime(rt);
|
||||
@@ -233,7 +234,15 @@ int cell_init(int argc, char **argv)
|
||||
{
|
||||
/* Check for --test flag to run C test suite */
|
||||
if (argc >= 2 && strcmp(argv[1], "--test") == 0) {
|
||||
return run_test_suite();
|
||||
size_t heap_size = 1024; /* default */
|
||||
if (argc >= 3) {
|
||||
heap_size = strtoull(argv[2], NULL, 0);
|
||||
/* Round up to power of 2 for buddy allocator */
|
||||
size_t p = 1;
|
||||
while (p < heap_size) p <<= 1;
|
||||
heap_size = p;
|
||||
}
|
||||
return run_test_suite(heap_size);
|
||||
}
|
||||
|
||||
int script_start = 1;
|
||||
|
||||
@@ -82,7 +82,7 @@
|
||||
*/
|
||||
// #define DUMP_BYTECODE (1)
|
||||
/* dump the occurence of the automatic GC */
|
||||
// #define DUMP_GC
|
||||
#define DUMP_GC
|
||||
/* dump objects freed by the garbage collector */
|
||||
// #define DUMP_GC_FREE
|
||||
/* dump memory usage before running the garbage collector */
|
||||
@@ -94,6 +94,27 @@
|
||||
/* test the GC by forcing it before each object allocation */
|
||||
// #define FORCE_GC_AT_MALLOC
|
||||
|
||||
/* POISON_HEAP: Use ASan's memory poisoning to detect stale pointer access */
|
||||
#ifdef POISON_HEAP
|
||||
#if defined(__has_feature)
|
||||
#if __has_feature(address_sanitizer)
|
||||
#define HAVE_ASAN 1
|
||||
#endif
|
||||
#elif defined(__SANITIZE_ADDRESS__)
|
||||
#define HAVE_ASAN 1
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_ASAN
|
||||
#include <sanitizer/asan_interface.h>
|
||||
#define gc_poison_region(addr, size) __asan_poison_memory_region((addr), (size))
|
||||
#define gc_unpoison_region(addr, size) __asan_unpoison_memory_region((addr), (size))
|
||||
#else
|
||||
/* Fallback: no-op when not building with ASan */
|
||||
#define gc_poison_region(addr, size) ((void)0)
|
||||
#define gc_unpoison_region(addr, size) ((void)0)
|
||||
#endif
|
||||
#endif /* POISON_HEAP */
|
||||
|
||||
/* Forward declarations for heap object types */
|
||||
typedef struct JSArray JSArray;
|
||||
typedef struct JSBlob JSBlob;
|
||||
@@ -310,7 +331,12 @@ typedef enum OPCodeEnum OPCodeEnum;
|
||||
Buddy Allocator for Actor Memory Blocks
|
||||
============================================================ */
|
||||
|
||||
#define BUDDY_MIN_ORDER 28 /* 64KB minimum block */
|
||||
/* Platform-specific minimum block size */
|
||||
#if defined(__LP64__) || defined(_WIN64)
|
||||
#define BUDDY_MIN_ORDER 10 /* 1KB minimum on 64-bit */
|
||||
#else
|
||||
#define BUDDY_MIN_ORDER 9 /* 512B minimum on 32-bit */
|
||||
#endif
|
||||
#define BUDDY_MAX_ORDER 28 /* 256MB maximum */
|
||||
#define BUDDY_LEVELS (BUDDY_MAX_ORDER - BUDDY_MIN_ORDER + 1)
|
||||
#define BUDDY_POOL_SIZE (1ULL << BUDDY_MAX_ORDER)
|
||||
@@ -2033,17 +2059,26 @@ static void buddy_list_remove (BuddyBlock *block) {
|
||||
block->prev = NULL;
|
||||
}
|
||||
|
||||
/* Add block to front of free list */
|
||||
/* Add block to END of free list (FIFO policy).
|
||||
This ensures recently freed blocks are reused last, making stale pointer
|
||||
bugs crash deterministically instead of accidentally working. */
|
||||
static void buddy_list_add (BuddyAllocator *b, BuddyBlock *block, int order) {
|
||||
int level = order - BUDDY_MIN_ORDER;
|
||||
block->next = b->free_lists[level];
|
||||
block->prev = NULL;
|
||||
if (b->free_lists[level]) {
|
||||
b->free_lists[level]->prev = block;
|
||||
}
|
||||
b->free_lists[level] = block;
|
||||
block->next = NULL;
|
||||
block->order = order;
|
||||
block->is_free = 1;
|
||||
|
||||
if (!b->free_lists[level]) {
|
||||
b->free_lists[level] = block;
|
||||
return;
|
||||
}
|
||||
|
||||
/* FIFO: append to end */
|
||||
BuddyBlock *tail = b->free_lists[level];
|
||||
while (tail->next) tail = tail->next;
|
||||
tail->next = block;
|
||||
block->prev = tail;
|
||||
}
|
||||
|
||||
/* Initialize buddy allocator with 256MB pool */
|
||||
@@ -2226,6 +2261,11 @@ static JSValue gc_copy_value (JSContext *ctx, JSValue v, uint8_t *to_base,
|
||||
while (objhdr_type (hdr) == OBJ_FORWARD) {
|
||||
void *fwd_target = objhdr_fwd_ptr (hdr);
|
||||
|
||||
/* Stale pointer bug: forward target is NULL (should not happen with proper rooting) */
|
||||
if (!fwd_target) {
|
||||
return v; /* Return original value and let caller handle it */
|
||||
}
|
||||
|
||||
/* Check if forward target is in new space */
|
||||
if ((uint8_t *)fwd_target >= to_base && (uint8_t *)fwd_target < *to_free) {
|
||||
/* Target is in new space - update chain and return */
|
||||
@@ -2371,6 +2411,9 @@ static int ctx_gc (JSContext *ctx) {
|
||||
}
|
||||
|
||||
/* Return old block to buddy allocator */
|
||||
#ifdef POISON_HEAP
|
||||
gc_poison_region(ctx->heap_base, ctx->current_block_size);
|
||||
#endif
|
||||
buddy_free (&rt->buddy, ctx->heap_base, ctx->current_block_size);
|
||||
|
||||
/* Update context with new block */
|
||||
@@ -3333,7 +3376,15 @@ static JSRecord *get_proto_obj (JSValue proto_val) {
|
||||
|
||||
/* WARNING: proto must be an object or JS_NULL */
|
||||
JSValue JS_NewObjectProtoClass (JSContext *ctx, JSValue proto_val, JSClassID class_id) {
|
||||
JSGCRef proto_ref;
|
||||
JS_PushGCRef (ctx, &proto_ref);
|
||||
proto_ref.val = proto_val;
|
||||
|
||||
JSRecord *rec = js_new_record_class (ctx, 0, class_id);
|
||||
|
||||
proto_val = proto_ref.val; /* Get potentially-updated value after GC */
|
||||
JS_PopGCRef (ctx, &proto_ref);
|
||||
|
||||
if (!rec) return JS_EXCEPTION;
|
||||
|
||||
/* Set prototype if provided */
|
||||
@@ -24673,19 +24724,23 @@ static const char *const native_error_name[JS_NATIVE_ERROR_COUNT] = {
|
||||
/* Minimum amount of objects to be able to compile code and display
|
||||
error messages. No JSAtom should be allocated by this function. */
|
||||
void JS_AddIntrinsicBasicObjects (JSContext *ctx) {
|
||||
JSValue proto;
|
||||
JSGCRef proto_ref;
|
||||
int i;
|
||||
|
||||
JS_PushGCRef (ctx, &proto_ref);
|
||||
|
||||
ctx->class_proto[JS_CLASS_OBJECT] = JS_NewObjectProto (ctx, JS_NULL);
|
||||
|
||||
ctx->class_proto[JS_CLASS_ERROR] = JS_NewObject (ctx);
|
||||
|
||||
for (i = 0; i < JS_NATIVE_ERROR_COUNT; i++) {
|
||||
proto = JS_NewObjectProto (ctx, ctx->class_proto[JS_CLASS_ERROR]);
|
||||
JS_SetPropertyInternal (ctx, proto, JS_KEY_name, JS_NewAtomString (ctx, native_error_name[i]));
|
||||
JS_SetPropertyInternal (ctx, proto, JS_KEY_message, JS_KEY_empty);
|
||||
ctx->native_error_proto[i] = proto;
|
||||
proto_ref.val = JS_NewObjectProto (ctx, ctx->class_proto[JS_CLASS_ERROR]);
|
||||
JS_SetPropertyInternal (ctx, proto_ref.val, JS_KEY_name, JS_NewAtomString (ctx, native_error_name[i]));
|
||||
JS_SetPropertyInternal (ctx, proto_ref.val, JS_KEY_message, JS_KEY_empty);
|
||||
ctx->native_error_proto[i] = proto_ref.val;
|
||||
}
|
||||
|
||||
JS_PopGCRef (ctx, &proto_ref);
|
||||
}
|
||||
|
||||
void JS_AddIntrinsicBaseObjects (JSContext *ctx) {
|
||||
|
||||
Reference in New Issue
Block a user