1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#define _CRT_SECURE_NO_WARNINGS
6
7#include "base/process/memory.h"
8
9#include <limits>
10
11#include "base/compiler_specific.h"
12#include "base/debug/alias.h"
13#include "base/strings/stringprintf.h"
14#include "testing/gtest/include/gtest/gtest.h"
15
16#if defined(OS_WIN)
17#include <windows.h>
18#endif
19#if defined(OS_POSIX)
20#include <errno.h>
21#endif
22#if defined(OS_MACOSX)
23#include <malloc/malloc.h>
24#include "base/mac/mac_util.h"
25#include "base/process/memory_unittest_mac.h"
26#endif
27#if defined(OS_LINUX)
28#include <malloc.h>
29#endif
30
31#if defined(OS_WIN)
32// HeapQueryInformation function pointer.
33typedef BOOL (WINAPI* HeapQueryFn)  \
34    (HANDLE, HEAP_INFORMATION_CLASS, PVOID, SIZE_T, PSIZE_T);
35
36const int kConstantInModule = 42;
37
38TEST(ProcessMemoryTest, GetModuleFromAddress) {
39  // Since the unit tests are their own EXE, this should be
40  // equivalent to the EXE's HINSTANCE.
41  //
42  // kConstantInModule is a constant in this file and
43  // therefore within the unit test EXE.
44  EXPECT_EQ(::GetModuleHandle(NULL),
45            base::GetModuleFromAddress(
46                const_cast<int*>(&kConstantInModule)));
47
48  // Any address within the kernel32 module should return
49  // kernel32's HMODULE.  Our only assumption here is that
50  // kernel32 is larger than 4 bytes.
51  HMODULE kernel32 = ::GetModuleHandle(L"kernel32.dll");
52  HMODULE kernel32_from_address =
53      base::GetModuleFromAddress(reinterpret_cast<DWORD*>(kernel32) + 1);
54  EXPECT_EQ(kernel32, kernel32_from_address);
55}
56
57TEST(ProcessMemoryTest, EnableLFH) {
58  ASSERT_TRUE(base::EnableLowFragmentationHeap());
59  if (IsDebuggerPresent()) {
60    // Under these conditions, LFH can't be enabled. There's no point to test
61    // anything.
62    const char* no_debug_env = getenv("_NO_DEBUG_HEAP");
63    if (!no_debug_env || strcmp(no_debug_env, "1"))
64      return;
65  }
66  HMODULE kernel32 = GetModuleHandle(L"kernel32.dll");
67  ASSERT_TRUE(kernel32 != NULL);
68  HeapQueryFn heap_query = reinterpret_cast<HeapQueryFn>(GetProcAddress(
69      kernel32,
70      "HeapQueryInformation"));
71
72  // On Windows 2000, the function is not exported. This is not a reason to
73  // fail but we won't be able to retrieves information about the heap, so we
74  // should stop here.
75  if (heap_query == NULL)
76    return;
77
78  HANDLE heaps[1024] = { 0 };
79  unsigned number_heaps = GetProcessHeaps(1024, heaps);
80  EXPECT_GT(number_heaps, 0u);
81  for (unsigned i = 0; i < number_heaps; ++i) {
82    ULONG flag = 0;
83    SIZE_T length;
84    ASSERT_NE(0, heap_query(heaps[i],
85                            HeapCompatibilityInformation,
86                            &flag,
87                            sizeof(flag),
88                            &length));
89    // If flag is 0, the heap is a standard heap that does not support
90    // look-asides. If flag is 1, the heap supports look-asides. If flag is 2,
91    // the heap is a low-fragmentation heap (LFH). Note that look-asides are not
92    // supported on the LFH.
93
94    // We don't have any documented way of querying the HEAP_NO_SERIALIZE flag.
95    EXPECT_LE(flag, 2u);
96    EXPECT_NE(flag, 1u);
97  }
98}
99#endif  // defined(OS_WIN)
100
101#if defined(OS_MACOSX)
102
103// For the following Mac tests:
104// Note that base::EnableTerminationOnHeapCorruption() is called as part of
105// test suite setup and does not need to be done again, else mach_override
106// will fail.
107
108#if !defined(ADDRESS_SANITIZER)
109// The following code tests the system implementation of malloc() thus no need
110// to test it under AddressSanitizer.
111TEST(ProcessMemoryTest, MacMallocFailureDoesNotTerminate) {
112#if ARCH_CPU_32_BITS
113  // The Mavericks malloc library changed in a way which breaks the tricks used
114  // to implement EnableTerminationOnOutOfMemory() with UncheckedMalloc() under
115  // 32-bit.  Under 64-bit the oom_killer code handles this.
116  if (base::mac::IsOSMavericksOrLater())
117    return;
118#endif
119
120  // Test that ENOMEM doesn't crash via CrMallocErrorBreak two ways: the exit
121  // code and lack of the error string. The number of bytes is one less than
122  // MALLOC_ABSOLUTE_MAX_SIZE, more than which the system early-returns NULL and
123  // does not call through malloc_error_break(). See the comment at
124  // EnableTerminationOnOutOfMemory() for more information.
125  void* buf = NULL;
126  ASSERT_EXIT(
127      {
128        base::EnableTerminationOnOutOfMemory();
129
130        buf = malloc(std::numeric_limits<size_t>::max() - (2 * PAGE_SIZE) - 1);
131      },
132      testing::KilledBySignal(SIGTRAP),
133      "\\*\\*\\* error: can't allocate region.*\\n?.*");
134
135  base::debug::Alias(buf);
136}
137#endif  // !defined(ADDRESS_SANITIZER)
138
139TEST(ProcessMemoryTest, MacTerminateOnHeapCorruption) {
140  // Assert that freeing an unallocated pointer will crash the process.
141  char buf[9];
142  asm("" : "=r" (buf));  // Prevent clang from being too smart.
143#if ARCH_CPU_64_BITS
144  // On 64 bit Macs, the malloc system automatically abort()s on heap corruption
145  // but does not output anything.
146  ASSERT_DEATH(free(buf), "");
147#elif defined(ADDRESS_SANITIZER)
148  // AddressSanitizer replaces malloc() and prints a different error message on
149  // heap corruption.
150  ASSERT_DEATH(free(buf), "attempting free on address which "
151      "was not malloc\\(\\)-ed");
152#else
153  ASSERT_DEATH(free(buf), "being freed.*\\n?\\.*"
154      "\\*\\*\\* set a breakpoint in malloc_error_break to debug.*\\n?.*"
155      "Terminating process due to a potential for future heap corruption");
156#endif  // ARCH_CPU_64_BITS || defined(ADDRESS_SANITIZER)
157}
158
159#endif  // defined(OS_MACOSX)
160
161// Android doesn't implement set_new_handler, so we can't use the
162// OutOfMemoryTest cases.
163// OpenBSD does not support these tests either.
164// TODO(vandebo) make this work on Windows too.
165#if !defined(OS_ANDROID) && !defined(OS_OPENBSD) && \
166    !defined(OS_WIN)
167
168#if defined(USE_TCMALLOC)
169extern "C" {
170int tc_set_new_mode(int mode);
171}
172#endif  // defined(USE_TCMALLOC)
173
174class OutOfMemoryTest : public testing::Test {
175 public:
176  OutOfMemoryTest()
177    : value_(NULL),
178    // Make test size as large as possible minus a few pages so
179    // that alignment or other rounding doesn't make it wrap.
180    test_size_(std::numeric_limits<std::size_t>::max() - 12 * 1024),
181    signed_test_size_(std::numeric_limits<ssize_t>::max()) {
182  }
183
184#if defined(USE_TCMALLOC)
185  virtual void SetUp() OVERRIDE {
186    tc_set_new_mode(1);
187  }
188
189  virtual void TearDown() OVERRIDE {
190    tc_set_new_mode(0);
191  }
192#endif  // defined(USE_TCMALLOC)
193
194 protected:
195  void* value_;
196  size_t test_size_;
197  ssize_t signed_test_size_;
198};
199
200class OutOfMemoryDeathTest : public OutOfMemoryTest {
201 public:
202  void SetUpInDeathAssert() {
203    // Must call EnableTerminationOnOutOfMemory() because that is called from
204    // chrome's main function and therefore hasn't been called yet.
205    // Since this call may result in another thread being created and death
206    // tests shouldn't be started in a multithread environment, this call
207    // should be done inside of the ASSERT_DEATH.
208    base::EnableTerminationOnOutOfMemory();
209  }
210};
211
212TEST_F(OutOfMemoryDeathTest, New) {
213  ASSERT_DEATH({
214      SetUpInDeathAssert();
215      value_ = operator new(test_size_);
216    }, "");
217}
218
219TEST_F(OutOfMemoryDeathTest, NewArray) {
220  ASSERT_DEATH({
221      SetUpInDeathAssert();
222      value_ = new char[test_size_];
223    }, "");
224}
225
226TEST_F(OutOfMemoryDeathTest, Malloc) {
227  ASSERT_DEATH({
228      SetUpInDeathAssert();
229      value_ = malloc(test_size_);
230    }, "");
231}
232
233TEST_F(OutOfMemoryDeathTest, Realloc) {
234  ASSERT_DEATH({
235      SetUpInDeathAssert();
236      value_ = realloc(NULL, test_size_);
237    }, "");
238}
239
240TEST_F(OutOfMemoryDeathTest, Calloc) {
241  ASSERT_DEATH({
242      SetUpInDeathAssert();
243      value_ = calloc(1024, test_size_ / 1024L);
244    }, "");
245}
246
247TEST_F(OutOfMemoryDeathTest, Valloc) {
248  ASSERT_DEATH({
249      SetUpInDeathAssert();
250      value_ = valloc(test_size_);
251    }, "");
252}
253
254#if defined(OS_LINUX)
255
256#if PVALLOC_AVAILABLE == 1
257TEST_F(OutOfMemoryDeathTest, Pvalloc) {
258  ASSERT_DEATH({
259      SetUpInDeathAssert();
260      value_ = pvalloc(test_size_);
261    }, "");
262}
263#endif  // PVALLOC_AVAILABLE == 1
264
265TEST_F(OutOfMemoryDeathTest, Memalign) {
266  ASSERT_DEATH({
267      SetUpInDeathAssert();
268      value_ = memalign(4, test_size_);
269    }, "");
270}
271
272TEST_F(OutOfMemoryDeathTest, ViaSharedLibraries) {
273  // This tests that the run-time symbol resolution is overriding malloc for
274  // shared libraries (including libc itself) as well as for our code.
275  std::string format = base::StringPrintf("%%%zud", test_size_);
276  char *value = NULL;
277  ASSERT_DEATH({
278      SetUpInDeathAssert();
279      EXPECT_EQ(-1, asprintf(&value, format.c_str(), 0));
280    }, "");
281}
282#endif  // OS_LINUX
283
284// Android doesn't implement posix_memalign().
285#if defined(OS_POSIX) && !defined(OS_ANDROID)
286TEST_F(OutOfMemoryDeathTest, Posix_memalign) {
287  // Grab the return value of posix_memalign to silence a compiler warning
288  // about unused return values. We don't actually care about the return
289  // value, since we're asserting death.
290  ASSERT_DEATH({
291      SetUpInDeathAssert();
292      EXPECT_EQ(ENOMEM, posix_memalign(&value_, 8, test_size_));
293    }, "");
294}
295#endif  // defined(OS_POSIX) && !defined(OS_ANDROID)
296
297#if defined(OS_MACOSX)
298
299// Purgeable zone tests
300
301TEST_F(OutOfMemoryDeathTest, MallocPurgeable) {
302  malloc_zone_t* zone = malloc_default_purgeable_zone();
303  ASSERT_DEATH({
304      SetUpInDeathAssert();
305      value_ = malloc_zone_malloc(zone, test_size_);
306    }, "");
307}
308
309TEST_F(OutOfMemoryDeathTest, ReallocPurgeable) {
310  malloc_zone_t* zone = malloc_default_purgeable_zone();
311  ASSERT_DEATH({
312      SetUpInDeathAssert();
313      value_ = malloc_zone_realloc(zone, NULL, test_size_);
314    }, "");
315}
316
317TEST_F(OutOfMemoryDeathTest, CallocPurgeable) {
318  malloc_zone_t* zone = malloc_default_purgeable_zone();
319  ASSERT_DEATH({
320      SetUpInDeathAssert();
321      value_ = malloc_zone_calloc(zone, 1024, test_size_ / 1024L);
322    }, "");
323}
324
325TEST_F(OutOfMemoryDeathTest, VallocPurgeable) {
326  malloc_zone_t* zone = malloc_default_purgeable_zone();
327  ASSERT_DEATH({
328      SetUpInDeathAssert();
329      value_ = malloc_zone_valloc(zone, test_size_);
330    }, "");
331}
332
333TEST_F(OutOfMemoryDeathTest, PosixMemalignPurgeable) {
334  malloc_zone_t* zone = malloc_default_purgeable_zone();
335  ASSERT_DEATH({
336      SetUpInDeathAssert();
337      value_ = malloc_zone_memalign(zone, 8, test_size_);
338    }, "");
339}
340
341// Since these allocation functions take a signed size, it's possible that
342// calling them just once won't be enough to exhaust memory. In the 32-bit
343// environment, it's likely that these allocation attempts will fail because
344// not enough contiguous address space is available. In the 64-bit environment,
345// it's likely that they'll fail because they would require a preposterous
346// amount of (virtual) memory.
347
348TEST_F(OutOfMemoryDeathTest, CFAllocatorSystemDefault) {
349  ASSERT_DEATH({
350      SetUpInDeathAssert();
351      while ((value_ =
352              base::AllocateViaCFAllocatorSystemDefault(signed_test_size_))) {}
353    }, "");
354}
355
356TEST_F(OutOfMemoryDeathTest, CFAllocatorMalloc) {
357  ASSERT_DEATH({
358      SetUpInDeathAssert();
359      while ((value_ =
360              base::AllocateViaCFAllocatorMalloc(signed_test_size_))) {}
361    }, "");
362}
363
364TEST_F(OutOfMemoryDeathTest, CFAllocatorMallocZone) {
365  ASSERT_DEATH({
366      SetUpInDeathAssert();
367      while ((value_ =
368              base::AllocateViaCFAllocatorMallocZone(signed_test_size_))) {}
369    }, "");
370}
371
372#if !defined(ARCH_CPU_64_BITS)
373
374// See process_util_unittest_mac.mm for an explanation of why this test isn't
375// run in the 64-bit environment.
376
377TEST_F(OutOfMemoryDeathTest, PsychoticallyBigObjCObject) {
378  ASSERT_DEATH({
379      SetUpInDeathAssert();
380      while ((value_ = base::AllocatePsychoticallyBigObjCObject())) {}
381    }, "");
382}
383
384#endif  // !ARCH_CPU_64_BITS
385#endif  // OS_MACOSX
386
387class OutOfMemoryHandledTest : public OutOfMemoryTest {
388 public:
389  static const size_t kSafeMallocSize = 512;
390  static const size_t kSafeCallocSize = 128;
391  static const size_t kSafeCallocItems = 4;
392
393  virtual void SetUp() {
394    OutOfMemoryTest::SetUp();
395
396    // We enable termination on OOM - just as Chrome does at early
397    // initialization - and test that UncheckedMalloc and  UncheckedCalloc
398    // properly by-pass this in order to allow the caller to handle OOM.
399    base::EnableTerminationOnOutOfMemory();
400  }
401};
402
403// TODO(b.kelemen): make UncheckedMalloc and UncheckedCalloc work
404// on Windows as well.
405// UncheckedMalloc() and UncheckedCalloc() work as regular malloc()/calloc()
406// under sanitizer tools.
407#if !defined(MEMORY_TOOL_REPLACES_ALLOCATOR)
408TEST_F(OutOfMemoryHandledTest, UncheckedMalloc) {
409#if defined(OS_MACOSX) && ARCH_CPU_32_BITS
410  // The Mavericks malloc library changed in a way which breaks the tricks used
411  // to implement EnableTerminationOnOutOfMemory() with UncheckedMalloc() under
412  // 32-bit.  The 64-bit malloc library works as desired without tricks.
413  if (base::mac::IsOSMavericksOrLater())
414    return;
415#endif
416  EXPECT_TRUE(base::UncheckedMalloc(kSafeMallocSize, &value_));
417  EXPECT_TRUE(value_ != NULL);
418  free(value_);
419
420  EXPECT_FALSE(base::UncheckedMalloc(test_size_, &value_));
421  EXPECT_TRUE(value_ == NULL);
422}
423
424TEST_F(OutOfMemoryHandledTest, UncheckedCalloc) {
425#if defined(OS_MACOSX) && ARCH_CPU_32_BITS
426  // The Mavericks malloc library changed in a way which breaks the tricks used
427  // to implement EnableTerminationOnOutOfMemory() with UncheckedCalloc() under
428  // 32-bit.  The 64-bit malloc library works as desired without tricks.
429  if (base::mac::IsOSMavericksOrLater())
430    return;
431#endif
432  EXPECT_TRUE(base::UncheckedCalloc(1, kSafeMallocSize, &value_));
433  EXPECT_TRUE(value_ != NULL);
434  const char* bytes = static_cast<const char*>(value_);
435  for (size_t i = 0; i < kSafeMallocSize; ++i)
436    EXPECT_EQ(0, bytes[i]);
437  free(value_);
438
439  EXPECT_TRUE(
440      base::UncheckedCalloc(kSafeCallocItems, kSafeCallocSize, &value_));
441  EXPECT_TRUE(value_ != NULL);
442  bytes = static_cast<const char*>(value_);
443  for (size_t i = 0; i < (kSafeCallocItems * kSafeCallocSize); ++i)
444    EXPECT_EQ(0, bytes[i]);
445  free(value_);
446
447  EXPECT_FALSE(base::UncheckedCalloc(1, test_size_, &value_));
448  EXPECT_TRUE(value_ == NULL);
449}
450#endif  // !defined(MEMORY_TOOL_REPLACES_ALLOCATOR)
451#endif  // !defined(OS_ANDROID) && !defined(OS_OPENBSD) && !defined(OS_WIN)
452