[VM runtime] Dual mapping of executable pages.

crelier · commit-bot@chromium.org · commit 44186dfdcda1 · 2019-03-01T22:19:31.000Z
Change-Id: Iaad78d324e25462ce951f4df26974a6a368c50b7 Reviewed-on: https://dart-review.googlesource.com/c/93377 Commit-Queue: Régis Crelier <regis@google.com> Reviewed-by: Ryan Macnak <rmacnak@google.com>
diff --git a/runtime/tests/vm/vm.status b/runtime/tests/vm/vm.status
@@ -4,6 +4,7 @@
 
 cc/AllocGeneric_Overflow: Crash, Fail # These tests are expected to crash on all platforms.
 cc/ArrayNew_Overflow_Crash: Crash, Fail # These tests are expected to crash on all platforms.
+cc/CodeExecutability: Crash, Fail # These tests are expected to crash on all platforms.
 cc/CodeImmutability: Crash, Fail # These tests are expected to crash on all platforms.
 cc/Dart2JSCompileAll: Fail, Crash # Issue 27369
 cc/Dart2JSCompilerStats: Fail, Crash # Issue 27369
@@ -28,6 +29,7 @@ dart/use_bare_instructions_flag_test: Pass, Slow # Spawns several subprocesses
 dart/appjit_cha_deopt_test: Pass, Slow # Quite slow in debug mode, uses --optimization-counter-threshold=100
 
 [ $builder_tag == asan ]
+cc/CodeExecutability: Fail, OK # Address Sanitizer turns a crash into a failure.
 cc/CodeImmutability: Fail, OK # Address Sanitizer turns a crash into a failure.
 
 [ $builder_tag == optimization_counter_threshold ]
diff --git a/runtime/vm/code_patcher.cc b/runtime/vm/code_patcher.cc
@@ -12,6 +12,14 @@ namespace dart {
 
 DEFINE_FLAG(bool, write_protect_code, true, "Write protect jitted code");
 
+#if (defined(HOST_OS_LINUX) || defined(HOST_OS_FUCHSIA)) &&                    \
+    !defined(TARGET_ARCH_IA32) && !defined(TARGET_ARCH_DBC)
+DEFINE_FLAG(bool, dual_map_code, true, "Dual map jitted code, RW and RX");
+#else
+DEFINE_FLAG(bool, dual_map_code, false, "Dual map jitted code, RW and RX");
+#endif
+
+#if defined(TARGET_ARCH_IA32) || defined(TARGET_ARCH_DBC)
 WritableInstructionsScope::WritableInstructionsScope(uword address,
                                                      intptr_t size)
     : address_(address), size_(size) {
@@ -27,6 +35,7 @@ WritableInstructionsScope::~WritableInstructionsScope() {
                            VirtualMemory::kReadExecute);
   }
 }
+#endif  // defined(TARGET_ARCH_IA32) || defined(TARGET_ARCH_DBC)
 
 bool MatchesPattern(uword end, const int16_t* pattern, intptr_t size) {
   // When breaking within generated code in GDB, it may overwrite individual
diff --git a/runtime/vm/code_patcher.h b/runtime/vm/code_patcher.h
@@ -19,10 +19,12 @@ class RawCode;
 class RawFunction;
 class RawObject;
 
+#if defined(TARGET_ARCH_IA32) || defined(TARGET_ARCH_DBC)
 // Stack-allocated class to create a scope where the specified region
 // [address, address + size] has write access enabled. This is used
 // when patching generated code. Access is reset to read-execute in
 // the destructor of this scope.
+// Dual mapping of instructions pages is not supported on these target arch.
 class WritableInstructionsScope : public ValueObject {
  public:
   WritableInstructionsScope(uword address, intptr_t size);
@@ -32,6 +34,7 @@ class WritableInstructionsScope : public ValueObject {
   const uword address_;
   const intptr_t size_;
 };
+#endif  // defined(TARGET_ARCH_IA32) || defined(TARGET_ARCH_DBC)
 
 class CodePatcher : public AllStatic {
  public:
diff --git a/runtime/vm/compiler/relocation.cc b/runtime/vm/compiler/relocation.cc
@@ -5,6 +5,7 @@
 #include "vm/compiler/relocation.h"
 
 #include "vm/code_patcher.h"
+#include "vm/heap/pages.h"
 #include "vm/instructions.h"
 #include "vm/object_store.h"
 #include "vm/stub_code.h"
@@ -362,8 +363,11 @@ void CodeRelocator::ResolveCallToDestination(UnresolvedCall* unresolved_call,
   auto caller = Code::InstructionsOf(unresolved_call->caller);
   const int32_t distance = destination_text - call_text_offset;
   {
-    PcRelativeCallPattern call(Instructions::PayloadStart(caller) +
-                               call_offset);
+    uword addr = Instructions::PayloadStart(caller) + call_offset;
+    if (FLAG_write_protect_code) {
+      addr -= HeapPage::Of(caller)->AliasOffset();
+    }
+    PcRelativeCallPattern call(addr);
     ASSERT(call.IsValid());
     call.set_distance(static_cast<int32_t>(distance));
     ASSERT(call.distance() == distance);
diff --git a/runtime/vm/heap/marker.cc b/runtime/vm/heap/marker.cc
@@ -368,6 +368,10 @@ class MarkingVisitorBase : public ObjectPointerVisitor {
   }
 
   static bool TryAcquireMarkBit(RawObject* raw_obj) {
+    if (FLAG_write_protect_code && raw_obj->IsInstructions()) {
+      // A non-writable alias mapping may exist for instruction pages.
+      raw_obj = HeapPage::ToWritable(raw_obj);
+    }
     if (!sync) {
       raw_obj->SetMarkBitUnsynchronized();
       return true;
diff --git a/runtime/vm/heap/pages.cc b/runtime/vm/heap/pages.cc
@@ -57,11 +57,8 @@ DEFINE_FLAG(bool, log_growth, false, "Log PageSpace growth policy decisions.");
 HeapPage* HeapPage::Allocate(intptr_t size_in_words,
                              PageType type,
                              const char* name) {
-  bool is_executable = (type == kExecutable);
-  // Create the new page executable (RWX) only if we're not in W^X mode
-  bool create_executable = !FLAG_write_protect_code && is_executable;
   VirtualMemory* memory = VirtualMemory::AllocateAligned(
-      size_in_words << kWordSizeLog2, kPageSize, create_executable, name);
+      size_in_words << kWordSizeLog2, kPageSize, type == kExecutable, name);
   if (memory == NULL) {
     return NULL;
   }
@@ -214,7 +211,7 @@ void HeapPage::WriteProtect(bool read_only) {
 
   VirtualMemory::Protection prot;
   if (read_only) {
-    if (type_ == kExecutable) {
+    if ((type_ == kExecutable) && (memory_->AliasOffset() == 0)) {
       prot = VirtualMemory::kReadExecute;
     } else {
       prot = VirtualMemory::kReadOnly;
diff --git a/runtime/vm/heap/pages.h b/runtime/vm/heap/pages.h
@@ -40,7 +40,8 @@ class HeapPage {
   HeapPage* next() const { return next_; }
   void set_next(HeapPage* next) { next_ = next; }
 
-  bool Contains(uword addr) { return memory_->Contains(addr); }
+  bool Contains(uword addr) const { return memory_->Contains(addr); }
+  intptr_t AliasOffset() const { return memory_->AliasOffset(); }
 
   uword object_start() const { return memory_->start() + ObjectStartOffset(); }
   uword object_end() const { return object_end_; }
@@ -70,18 +71,54 @@ class HeapPage {
   }
 
   // Warning: This does not work for objects on image pages because image pages
-  // are not aligned.
+  // are not aligned. However, it works for objects on large pages, because
+  // only one object is allocated per large page.
   static HeapPage* Of(RawObject* obj) {
     ASSERT(obj->IsHeapObject());
     ASSERT(obj->IsOldObject());
     return reinterpret_cast<HeapPage*>(reinterpret_cast<uword>(obj) &
                                        kPageMask);
   }
 
-  static HeapPage* Of(uintptr_t addr) {
+  // Warning: This does not work for addresses on image pages or on large pages.
+  static HeapPage* Of(uword addr) {
     return reinterpret_cast<HeapPage*>(addr & kPageMask);
   }
 
+  // Warning: This does not work for objects on image pages.
+  static RawObject* ToExecutable(RawObject* obj) {
+    HeapPage* page = Of(obj);
+    VirtualMemory* memory = page->memory_;
+    const intptr_t alias_offset = memory->AliasOffset();
+    if (alias_offset == 0) {
+      return obj;  // Not aliased.
+    }
+    uword addr = RawObject::ToAddr(obj);
+    if (memory->Contains(addr)) {
+      return RawObject::FromAddr(addr + alias_offset);
+    }
+    // obj is executable.
+    ASSERT(memory->ContainsAlias(addr));
+    return obj;
+  }
+
+  // Warning: This does not work for objects on image pages.
+  static RawObject* ToWritable(RawObject* obj) {
+    HeapPage* page = Of(obj);
+    VirtualMemory* memory = page->memory_;
+    const intptr_t alias_offset = memory->AliasOffset();
+    if (alias_offset == 0) {
+      return obj;  // Not aliased.
+    }
+    uword addr = RawObject::ToAddr(obj);
+    if (memory->ContainsAlias(addr)) {
+      return RawObject::FromAddr(addr - alias_offset);
+    }
+    // obj is writable.
+    ASSERT(memory->Contains(addr));
+    return obj;
+  }
+
   // 1 card = 128 slots.
   static const intptr_t kSlotsPerCardLog2 = 7;
   static const intptr_t kBytesPerCardLog2 = kWordSizeLog2 + kSlotsPerCardLog2;
diff --git a/runtime/vm/heap/verifier.cc b/runtime/vm/heap/verifier.cc
@@ -49,6 +49,10 @@ void VerifyPointersVisitor::VisitPointers(RawObject** first, RawObject** last) {
     RawObject* raw_obj = *current;
     if (raw_obj->IsHeapObject()) {
       if (!allocated_set_->Contains(raw_obj)) {
+        if (raw_obj->IsInstructions() &&
+            allocated_set_->Contains(HeapPage::ToWritable(raw_obj))) {
+          continue;
+        }
         uword raw_addr = RawObject::ToAddr(raw_obj);
         FATAL1("Invalid object pointer encountered %#" Px "\n", raw_addr);
       }
diff --git a/runtime/vm/object.cc b/runtime/vm/object.cc
@@ -2019,7 +2019,12 @@ RawError* Object::Init(Isolate* isolate,
 bool Object::InVMHeap() const {
   if (FLAG_verify_handles && raw()->IsVMHeapObject()) {
     Heap* vm_isolate_heap = Dart::vm_isolate()->heap();
-    ASSERT(vm_isolate_heap->Contains(RawObject::ToAddr(raw())));
+    uword addr = RawObject::ToAddr(raw());
+    if (!vm_isolate_heap->Contains(addr)) {
+      ASSERT(FLAG_write_protect_code);
+      addr = RawObject::ToAddr(HeapPage::ToWritable(raw()));
+      ASSERT(vm_isolate_heap->Contains(addr));
+    }
   }
   return raw()->IsVMHeapObject();
 }
@@ -2080,8 +2085,12 @@ void Object::CheckHandle() const {
       Isolate* isolate = Isolate::Current();
       Heap* isolate_heap = isolate->heap();
       Heap* vm_isolate_heap = Dart::vm_isolate()->heap();
-      ASSERT(isolate_heap->Contains(RawObject::ToAddr(raw_)) ||
-             vm_isolate_heap->Contains(RawObject::ToAddr(raw_)));
+      uword addr = RawObject::ToAddr(raw_);
+      if (!isolate_heap->Contains(addr) && !vm_isolate_heap->Contains(addr)) {
+        ASSERT(FLAG_write_protect_code);
+        addr = RawObject::ToAddr(HeapPage::ToWritable(raw_));
+        ASSERT(isolate_heap->Contains(addr) || vm_isolate_heap->Contains(addr));
+      }
     }
   }
 #endif
@@ -14569,6 +14578,24 @@ RawCode* Code::FinalizeCode(FlowGraphCompiler* compiler,
                                object->raw());
     }
 
+    // Write protect instructions and, if supported by OS, use dual mapping
+    // for execution.
+    if (FLAG_write_protect_code) {
+      uword address = RawObject::ToAddr(instrs.raw());
+      // Check if a dual mapping exists.
+      instrs = Instructions::RawCast(HeapPage::ToExecutable(instrs.raw()));
+      uword exec_address = RawObject::ToAddr(instrs.raw());
+      if (exec_address != address) {
+        VirtualMemory::Protect(reinterpret_cast<void*>(address),
+                               instrs.raw()->HeapSize(),
+                               VirtualMemory::kReadOnly);
+        address = exec_address;
+      }
+      VirtualMemory::Protect(reinterpret_cast<void*>(address),
+                             instrs.raw()->HeapSize(),
+                             VirtualMemory::kReadExecute);
+    }
+
     // Hook up Code and Instructions objects.
     code.SetActiveInstructions(instrs);
     code.set_instructions(instrs);
@@ -14579,13 +14606,6 @@ RawCode* Code::FinalizeCode(FlowGraphCompiler* compiler,
       code.set_object_pool(object_pool->raw());
     }
 
-    if (FLAG_write_protect_code) {
-      uword address = RawObject::ToAddr(instrs.raw());
-      VirtualMemory::Protect(reinterpret_cast<void*>(address),
-                             instrs.raw()->HeapSize(),
-                             VirtualMemory::kReadExecute);
-    }
-
 #if defined(DART_PRECOMPILER)
     if (stats != nullptr) {
       stats->Finalize();
diff --git a/runtime/vm/object.h b/runtime/vm/object.h
@@ -4652,6 +4652,7 @@ class ExceptionHandlers : public Object {
 
 class Code : public Object {
  public:
+  // When dual mapping, this returns the executable view.
   RawInstructions* active_instructions() const {
 #if defined(DART_PRECOMPILED_RUNTIME)
     UNREACHABLE();
@@ -4661,6 +4662,7 @@ class Code : public Object {
 #endif
   }
 
+  // When dual mapping, these return the executable view.
   RawInstructions* instructions() const { return raw_ptr()->instructions_; }
   static RawInstructions* InstructionsOf(const RawCode* code) {
     return code->ptr()->instructions_;
@@ -5141,6 +5143,7 @@ class Code : public Object {
 
   FINAL_HEAP_OBJECT_IMPLEMENTATION(Code, Object);
   friend class Class;
+  friend class CodeTestHelper;
   friend class SnapshotWriter;
   friend class StubCode;     // for set_object_pool
   friend class Precompiler;  // for set_object_pool
@@ -9139,8 +9142,12 @@ DART_FORCE_INLINE void Object::SetRaw(RawObject* value) {
     Isolate* isolate = Isolate::Current();
     Heap* isolate_heap = isolate->heap();
     Heap* vm_isolate_heap = Dart::vm_isolate()->heap();
-    ASSERT(isolate_heap->Contains(RawObject::ToAddr(raw_)) ||
-           vm_isolate_heap->Contains(RawObject::ToAddr(raw_)));
+    uword addr = RawObject::ToAddr(raw_);
+    if (!isolate_heap->Contains(addr) && !vm_isolate_heap->Contains(addr)) {
+      ASSERT(FLAG_write_protect_code);
+      addr = RawObject::ToAddr(HeapPage::ToWritable(raw_));
+      ASSERT(isolate_heap->Contains(addr) || vm_isolate_heap->Contains(addr));
+    }
   }
 #endif
 }
diff --git a/runtime/vm/object_graph.cc b/runtime/vm/object_graph.cc
@@ -44,7 +44,12 @@ class ObjectGraph::Stack : public ObjectPointerVisitor {
         if (!include_vm_objects_ && !IsUserClass((*current)->GetClassId())) {
           continue;
         }
-        (*current)->SetGraphMarked();
+        if (FLAG_write_protect_code && (*current)->IsInstructions()) {
+          // A non-writable alias mapping may exist for instruction pages.
+          HeapPage::ToWritable(*current)->SetGraphMarked();
+        } else {
+          (*current)->SetGraphMarked();
+        }
         Node node;
         node.ptr = current;
         node.obj = *current;
diff --git a/runtime/vm/object_test.cc b/runtime/vm/object_test.cc
@@ -23,6 +23,7 @@
 
 namespace dart {
 
+DECLARE_FLAG(bool, dual_map_code);
 DECLARE_FLAG(bool, write_protect_code);
 
 static RawClass* CreateDummyClass(const String& class_name,
@@ -2507,8 +2508,56 @@ ISOLATE_UNIT_TEST_CASE(CodeImmutability) {
   if (!FLAG_write_protect_code) {
     // Since this test is expected to crash, crash if write protection of code
     // is switched off.
-    // TODO(regis, fschneider): Should this be FATAL() instead?
-    OS::DebugBreak();
+    FATAL("Test requires --write-protect-code; skip by forcing expected crash");
+  }
+  MallocHooks::set_stack_trace_collection_enabled(
+      stack_trace_collection_enabled);
+}
+
+class CodeTestHelper {
+ public:
+  static void SetInstructions(const Code& code,
+                              const Instructions& instructions) {
+    code.SetActiveInstructions(instructions);
+    code.set_instructions(instructions);
+  }
+};
+
+// Test for executability of generated instructions. The test crashes with a
+// segmentation fault when executing the writeable view.
+ISOLATE_UNIT_TEST_CASE(CodeExecutability) {
+  bool stack_trace_collection_enabled =
+      MallocHooks::stack_trace_collection_enabled();
+  MallocHooks::set_stack_trace_collection_enabled(false);
+  extern void GenerateIncrement(Assembler * assembler);
+  ObjectPoolBuilder object_pool_builder;
+  Assembler _assembler_(&object_pool_builder);
+  GenerateIncrement(&_assembler_);
+  const Function& function = Function::Handle(CreateFunction("Test_Code"));
+  Code& code = Code::Handle(Code::FinalizeCodeAndNotify(
+      function, nullptr, &_assembler_, Code::PoolAttachment::kAttachPool));
+  function.AttachCode(code);
+  Instructions& instructions = Instructions::Handle(code.instructions());
+  uword payload_start = instructions.PayloadStart();
+  EXPECT_EQ(instructions.raw(), Instructions::FromPayloadStart(payload_start));
+  // Execute the executable view of the instructions (default).
+  Object& result =
+      Object::Handle(DartEntry::InvokeFunction(function, Array::empty_array()));
+  EXPECT_EQ(1, Smi::Cast(result).Value());
+  // Switch to the writeable but non-executable view of the instructions.
+  instructions ^= HeapPage::ToWritable(instructions.raw());
+  payload_start = instructions.PayloadStart();
+  EXPECT_EQ(instructions.raw(), Instructions::FromPayloadStart(payload_start));
+  // Hook up Code and Instructions objects.
+  CodeTestHelper::SetInstructions(code, instructions);
+  function.AttachCode(code);
+  // Try executing the generated code, expected to crash.
+  result = DartEntry::InvokeFunction(function, Array::empty_array());
+  EXPECT_EQ(1, Smi::Cast(result).Value());
+  if (!FLAG_dual_map_code) {
+    // Since this test is expected to crash, crash if dual mapping of code
+    // is switched off.
+    FATAL("Test requires --dual-map-code; skip by forcing expected crash");
   }
   MallocHooks::set_stack_trace_collection_enabled(
       stack_trace_collection_enabled);
diff --git a/runtime/vm/os_linux.cc b/runtime/vm/os_linux.cc
@@ -558,9 +558,7 @@ void OS::SleepMicros(int64_t micros) {
   }
 }
 
-// TODO(regis, iposva): When this function is no longer called from the
-// CodeImmutability test in object_test.cc, it will be called only from the
-// simulator, which means that only the Intel implementation is needed.
+// TODO(regis): Function called only from the simulator.
 void OS::DebugBreak() {
   __builtin_trap();
 }
diff --git a/runtime/vm/virtual_memory.cc b/runtime/vm/virtual_memory.cc
diff --git a/runtime/vm/virtual_memory.h b/runtime/vm/virtual_memory.h
diff --git a/runtime/vm/virtual_memory_fuchsia.cc b/runtime/vm/virtual_memory_fuchsia.cc
diff --git a/runtime/vm/virtual_memory_posix.cc b/runtime/vm/virtual_memory_posix.cc
diff --git a/runtime/vm/virtual_memory_win.cc b/runtime/vm/virtual_memory_win.cc
