Poison unallocated block memory in GrBlockAllocator.

This will allow ASAN to detect use-after-free errors in pooled memory,
enabling our fuzzers to catch errors sooner.

Testing with oss-fuzz:26942 : http://screen/C5TEbu3CJvHzRqA

Change-Id: Ic47d6b043998e5069525490cd25b2390cad94360
Bug: skia:10885
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/331482
Reviewed-by: Michael Ludwig <[email protected]>
Commit-Queue: John Stiles <[email protected]>
Auto-Submit: John Stiles <[email protected]>

Author: johnstiles-google

gn/core.gni

@@ -105,6 +105,7 @@ skia_core_sources = [
   "$_src/c/sk_types_priv.h",
   "$_src/core/Sk4px.h",
   "$_src/core/SkAAClip.cpp",
+  "$_src/core/SkASAN.h",
   "$_src/core/SkATrace.cpp",
   "$_src/core/SkATrace.h",
   "$_src/core/SkAdvancedTypefaceMetrics.h",
@@ -247,6 +248,7 @@ skia_core_sources = [
   "$_src/core/SkM44.cpp",
   "$_src/core/SkMD5.cpp",
   "$_src/core/SkMD5.h",
+  "$_src/core/SkMSAN.h",
   "$_src/core/SkMalloc.cpp",
   "$_src/core/SkMallocPixelRef.cpp",
   "$_src/core/SkMarkerStack.cpp",

src/core/SkASAN.h

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#ifndef SkASAN_DEFINED
+#define SkASAN_DEFINED
+
+#include "include/core/SkTypes.h"
+
+#include <string.h>
+
+#ifdef __SANITIZE_ADDRESS__
+    #define SK_SANITIZE_ADDRESS 1
+#endif
+#if !defined(SK_SANITIZE_ADDRESS) && defined(__has_feature)
+    #if __has_feature(address_sanitizer)
+        #define SK_SANITIZE_ADDRESS 1
+    #endif
+#endif
+
+// Typically declared in LLVM's asan_interface.h.
+#if SK_SANITIZE_ADDRESS
+extern "C" {
+    void __asan_poison_memory_region(void const volatile *addr, size_t size);
+    void __asan_unpoison_memory_region(void const volatile *addr, size_t size);
+}
+#endif
+
+// Code that implements bespoke allocation arenas can poison the entire arena on creation, then
+// unpoison chunks of arena memory as they are parceled out. Consider leaving gaps between blocks
+// to detect buffer overrun.
+static inline void sk_asan_poison_memory_region(void const volatile *addr, size_t size) {
+#if SK_SANITIZE_ADDRESS
+    __asan_poison_memory_region(addr, size);
+#endif
+}
+
+static inline void sk_asan_unpoison_memory_region(void const volatile *addr, size_t size) {
+#if SK_SANITIZE_ADDRESS
+    __asan_unpoison_memory_region(addr, size);
+#endif
+}
+
+#endif  // SkASAN_DEFINED

src/gpu/GrBlockAllocator.cpp

@@ -23,7 +23,7 @@ GrBlockAllocator::GrBlockAllocator(GrowthPolicy policy, size_t blockIncrementByt
         , fN1(1)
         // The head block always fills remaining space from GrBlockAllocator's size, because it's
         // inline, but can take over the specified number of bytes immediately after it.
-        , fHead(nullptr, additionalPreallocBytes + BaseHeadBlockSize()) {
+        , fHead(/*prev=*/nullptr, additionalPreallocBytes + BaseHeadBlockSize()) {
     SkASSERT(fBlockIncrement >= 1);
     SkASSERT(additionalPreallocBytes <= kMaxAllocationSize);
 }
@@ -37,9 +37,13 @@ GrBlockAllocator::Block::Block(Block* prev, int allocationSize)
          , fAllocatorMetadata(0) {
     SkASSERT(allocationSize >= (int) sizeof(Block));
     SkDEBUGCODE(fSentinel = kAssignedMarker;)
+
+    this->poisonRange(kDataStart, fSize);
 }
 
 GrBlockAllocator::Block::~Block() {
+    this->unpoisonRange(kDataStart, fSize);
+
     SkASSERT(fSentinel == kAssignedMarker);
     SkDEBUGCODE(fSentinel = kFreedMarker;) // FWIW
 }
@@ -94,6 +98,7 @@ void GrBlockAllocator::releaseBlock(Block* block) {
         // Reset the cursor of the head block so that it can be reused if it becomes the new tail
         block->fCursor = kDataStart;
         block->fMetadata = 0;
+        block->poisonRange(kDataStart, block->fSize);
         // Unlike in reset(), we don't set the head's next block to null because there are
         // potentially heap-allocated blocks that are still connected to it.
     } else {
@@ -168,6 +173,7 @@ void GrBlockAllocator::reset() {
             // For reset(), but NOT releaseBlock(), the head allocatorMetadata and scratch block
             // are reset/destroyed.
             b->fAllocatorMetadata = 0;
+            b->poisonRange(kDataStart, b->fSize);
             this->resetScratchSpace();
         } else {
             delete b;

src/gpu/GrBlockAllocator.h

@@ -10,6 +10,7 @@
 
 #include "include/private/GrTypesPriv.h"
 #include "include/private/SkNoncopyable.h"
+#include "src/core/SkASAN.h"
 
 #include <memory>  // std::unique_ptr
 #include <cstddef> // max_align_t
@@ -125,6 +126,14 @@ class GrBlockAllocator final : SkNoncopyable {
 
         Block(Block* prev, int allocationSize);
 
+        // We poison the unallocated space in a Block to allow ASAN to catch invalid writes.
+        void poisonRange(int start, int end) {
+            sk_asan_poison_memory_region(reinterpret_cast<char*>(this) + start, end - start);
+        }
+        void unpoisonRange(int start, int end) {
+            sk_asan_unpoison_memory_region(reinterpret_cast<char*>(this) + start, end - start);
+        }
+
         // Get fCursor, but aligned such that ptr(rval) satisfies Align.
         template <size_t Align, size_t Padding>
         int cursor() const { return this->alignedOffset<Align, Padding>(fCursor); }
@@ -133,7 +142,10 @@ class GrBlockAllocator final : SkNoncopyable {
         int alignedOffset(int offset) const;
 
         bool isScratch() const { return fCursor < 0; }
-        void markAsScratch() { fCursor = -1; }
+        void markAsScratch() {
+            fCursor = -1;
+            this->poisonRange(kDataStart, fSize);
+        }
 
         SkDEBUGCODE(int fSentinel;) // known value to check for bad back pointers to blocks
 
@@ -577,6 +589,9 @@ GrBlockAllocator::ByteRange GrBlockAllocator::allocate(size_t size) {
 
     int start = fTail->fCursor;
     fTail->fCursor = end;
+
+    fTail->unpoisonRange(offset - Padding, end);
+
     return {fTail, start, offset, end};
 }
 
@@ -634,6 +649,14 @@ bool GrBlockAllocator::Block::resize(int start, int end, int deltaBytes) {
         SkASSERT(nextCursor >= start);
         // We still check nextCursor >= start for release builds that wouldn't assert.
         if (nextCursor <= fSize && nextCursor >= start) {
+            if (nextCursor < fCursor) {
+                // The allocation got smaller; poison the space that can no longer be used.
+                this->poisonRange(nextCursor + 1, end);
+            } else {
+                // The allocation got larger; unpoison the space that can now be used.
+                this->unpoisonRange(end, nextCursor);
+            }
+
             fCursor = nextCursor;
             return true;
         }
@@ -647,6 +670,9 @@ bool GrBlockAllocator::Block::resize(int start, int end, int deltaBytes) {
 bool GrBlockAllocator::Block::release(int start, int end) {
     SkASSERT(fSentinel == kAssignedMarker);
     SkASSERT(start >= kDataStart && end <= fSize && start < end);
+
+    this->poisonRange(start, end);
+
     if (fCursor == end) {
         fCursor = start;
         return true;