mirror of
https://github.com/SerenityOS/serenity
synced 2024-07-05 20:54:44 +00:00
Kernel: Note if the page fault address is a destroyed smart pointer
While I was working on LibWeb, I got a page fault at 0xe0e0e0e4. This indicates a destroyed RefPtr if compiled with SANITIZE_PTRS defined. However, the page fault handler didn't print out this indication. This makes the page fault handler print out a note if the faulting address looks like a recently destroyed RefPtr, OwnPtr, NonnullRefPtr, NonnullOwnPtr, ThreadSafeRefPtr or ThreadSafeNonnullRefPtr. It will only do this if SANITIZE_PTRS is defined, as smart pointers don't get scrubbed without it being defined.
This commit is contained in:
Luke Wilde
Andreas Kling
parent
350c5a751d
commit
49259777ef
|
|
@ -13,6 +13,8 @@
|
|||
#include <AK/Traits.h>
|
||||
#include <AK/Types.h>
|
||||
|
||||
#define NONNULLOWNPTR_SCRUB_BYTE 0xf1
|
||||
|
||||
namespace AK {
|
||||
|
||||
template<typename T, typename PtrTraits>
|
||||
|
|
@ -51,7 +53,7 @@ public:
|
|||
{
|
||||
clear();
|
||||
#ifdef SANITIZE_PTRS
|
||||
m_ptr = (T*)(explode_byte(0xe3));
|
||||
m_ptr = (T*)(explode_byte(NONNULLOWNPTR_SCRUB_BYTE));
|
||||
#endif
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -6,6 +6,8 @@
|
|||
|
||||
#pragma once
|
||||
|
||||
#define NONNULLREFPTR_SCRUB_BYTE 0xe1
|
||||
|
||||
#ifdef KERNEL
|
||||
# include <Kernel/Library/ThreadSafeNonnullRefPtr.h>
|
||||
#else
|
||||
|
|
@ -97,7 +99,7 @@ public:
|
|||
unref_if_not_null(m_ptr);
|
||||
m_ptr = nullptr;
|
||||
# ifdef SANITIZE_PTRS
|
||||
m_ptr = reinterpret_cast<T*>(explode_byte(0xb0));
|
||||
m_ptr = reinterpret_cast<T*>(explode_byte(NONNULLREFPTR_SCRUB_BYTE));
|
||||
# endif
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,8 @@
|
|||
# include <Kernel/API/KResult.h>
|
||||
#endif
|
||||
|
||||
#define OWNPTR_SCRUB_BYTE 0xf0
|
||||
|
||||
namespace AK {
|
||||
|
||||
template<typename T>
|
||||
|
|
@ -43,7 +45,7 @@ public:
|
|||
{
|
||||
clear();
|
||||
#ifdef SANITIZE_PTRS
|
||||
m_ptr = (T*)(explode_byte(0xe1));
|
||||
m_ptr = (T*)(explode_byte(OWNPTR_SCRUB_BYTE));
|
||||
#endif
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -6,6 +6,8 @@
|
|||
|
||||
#pragma once
|
||||
|
||||
#define REFPTR_SCRUB_BYTE 0xe0
|
||||
|
||||
#ifdef KERNEL
|
||||
# include <Kernel/Library/ThreadSafeRefPtr.h>
|
||||
#else
|
||||
|
|
@ -100,7 +102,7 @@ public:
|
|||
{
|
||||
clear();
|
||||
# ifdef SANITIZE_PTRS
|
||||
m_ptr = reinterpret_cast<T*>(explode_byte(0xe0));
|
||||
m_ptr = reinterpret_cast<T*>(explode_byte(REFPTR_SCRUB_BYTE));
|
||||
# endif
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -357,12 +357,12 @@ void page_fault_handler(TrapFrame* trap)
|
|||
regs.exception_code & PageFaultFlags::InstructionFetch ? "instruction fetch / " : "",
|
||||
regs.exception_code & PageFaultFlags::Write ? "write to" : "read from",
|
||||
VirtualAddress(fault_address));
|
||||
FlatPtr malloc_scrub_pattern = explode_byte(MALLOC_SCRUB_BYTE);
|
||||
FlatPtr free_scrub_pattern = explode_byte(FREE_SCRUB_BYTE);
|
||||
FlatPtr kmalloc_scrub_pattern = explode_byte(KMALLOC_SCRUB_BYTE);
|
||||
FlatPtr kfree_scrub_pattern = explode_byte(KFREE_SCRUB_BYTE);
|
||||
FlatPtr slab_alloc_scrub_pattern = explode_byte(SLAB_ALLOC_SCRUB_BYTE);
|
||||
FlatPtr slab_dealloc_scrub_pattern = explode_byte(SLAB_DEALLOC_SCRUB_BYTE);
|
||||
constexpr FlatPtr malloc_scrub_pattern = explode_byte(MALLOC_SCRUB_BYTE);
|
||||
constexpr FlatPtr free_scrub_pattern = explode_byte(FREE_SCRUB_BYTE);
|
||||
constexpr FlatPtr kmalloc_scrub_pattern = explode_byte(KMALLOC_SCRUB_BYTE);
|
||||
constexpr FlatPtr kfree_scrub_pattern = explode_byte(KFREE_SCRUB_BYTE);
|
||||
constexpr FlatPtr slab_alloc_scrub_pattern = explode_byte(SLAB_ALLOC_SCRUB_BYTE);
|
||||
constexpr FlatPtr slab_dealloc_scrub_pattern = explode_byte(SLAB_DEALLOC_SCRUB_BYTE);
|
||||
if ((fault_address & 0xffff0000) == (malloc_scrub_pattern & 0xffff0000)) {
|
||||
dbgln("Note: Address {} looks like it may be uninitialized malloc() memory", VirtualAddress(fault_address));
|
||||
} else if ((fault_address & 0xffff0000) == (free_scrub_pattern & 0xffff0000)) {
|
||||
|
|
@ -377,6 +377,27 @@ void page_fault_handler(TrapFrame* trap)
|
|||
dbgln("Note: Address {} looks like it may be recently slab_dealloc()'d memory", VirtualAddress(fault_address));
|
||||
} else if (fault_address < 4096) {
|
||||
dbgln("Note: Address {} looks like a possible nullptr dereference", VirtualAddress(fault_address));
|
||||
} else if constexpr (SANITIZE_PTRS) {
|
||||
constexpr FlatPtr refptr_scrub_pattern = explode_byte(REFPTR_SCRUB_BYTE);
|
||||
constexpr FlatPtr nonnullrefptr_scrub_pattern = explode_byte(NONNULLREFPTR_SCRUB_BYTE);
|
||||
constexpr FlatPtr ownptr_scrub_pattern = explode_byte(OWNPTR_SCRUB_BYTE);
|
||||
constexpr FlatPtr nonnullownptr_scrub_pattern = explode_byte(NONNULLOWNPTR_SCRUB_BYTE);
|
||||
constexpr FlatPtr threadsaferefptr_scrub_pattern = explode_byte(THREADSAFEREFPTR_SCRUB_BYTE);
|
||||
constexpr FlatPtr threadsafenonnullrefptr_scrub_pattern = explode_byte(THREADSAFENONNULLREFPTR_SCRUB_BYTE);
|
||||
|
||||
if ((fault_address & 0xffff0000) == (refptr_scrub_pattern & 0xffff0000)) {
|
||||
dbgln("Note: Address {} looks like it may be a recently destroyed RefPtr", VirtualAddress(fault_address));
|
||||
} else if ((fault_address & 0xffff0000) == (nonnullrefptr_scrub_pattern & 0xffff0000)) {
|
||||
dbgln("Note: Address {} looks like it may be a recently destroyed NonnullRefPtr", VirtualAddress(fault_address));
|
||||
} else if ((fault_address & 0xffff0000) == (ownptr_scrub_pattern & 0xffff0000)) {
|
||||
dbgln("Note: Address {} looks like it may be a recently destroyed OwnPtr", VirtualAddress(fault_address));
|
||||
} else if ((fault_address & 0xffff0000) == (nonnullownptr_scrub_pattern & 0xffff0000)) {
|
||||
dbgln("Note: Address {} looks like it may be a recently destroyed NonnullOwnPtr", VirtualAddress(fault_address));
|
||||
} else if ((fault_address & 0xffff0000) == (threadsaferefptr_scrub_pattern & 0xffff0000)) {
|
||||
dbgln("Note: Address {} looks like it may be a recently destroyed ThreadSafeRefPtr", VirtualAddress(fault_address));
|
||||
} else if ((fault_address & 0xffff0000) == (threadsafenonnullrefptr_scrub_pattern & 0xffff0000)) {
|
||||
dbgln("Note: Address {} looks like it may be a recently destroyed ThreadSafeNonnullRefPtr", VirtualAddress(fault_address));
|
||||
}
|
||||
}
|
||||
|
||||
if (current_thread) {
|
||||
|
|
|
|||
|
|
@ -16,6 +16,8 @@
|
|||
# include <Kernel/Arch/x86/ScopedCritical.h>
|
||||
#endif
|
||||
|
||||
#define THREADSAFENONNULLREFPTR_SCRUB_BYTE 0xa1
|
||||
|
||||
namespace AK {
|
||||
|
||||
template<typename T>
|
||||
|
|
@ -95,7 +97,7 @@ public:
|
|||
{
|
||||
assign(nullptr);
|
||||
#ifdef SANITIZE_PTRS
|
||||
m_bits.store(explode_byte(0xb0), AK::MemoryOrder::memory_order_relaxed);
|
||||
m_bits.store(explode_byte(THREADSAFENONNULLREFPTR_SCRUB_BYTE), AK::MemoryOrder::memory_order_relaxed);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -19,6 +19,8 @@
|
|||
# include <Kernel/Arch/x86/ScopedCritical.h>
|
||||
#endif
|
||||
|
||||
#define THREADSAFEREFPTR_SCRUB_BYTE 0xa0
|
||||
|
||||
namespace AK {
|
||||
|
||||
template<typename T>
|
||||
|
|
@ -182,7 +184,7 @@ public:
|
|||
{
|
||||
clear();
|
||||
#ifdef SANITIZE_PTRS
|
||||
m_bits.store(explode_byte(0xe0), AK::MemoryOrder::memory_order_relaxed);
|
||||
m_bits.store(explode_byte(THREADSAFEREFPTR_SCRUB_BYTE), AK::MemoryOrder::memory_order_relaxed);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user