From 80cb8a676404489f9f14dc578624b8f253b5d7ce Mon Sep 17 00:00:00 2001 
From: Marcono1234 Date: Mon, 29 Apr 2024 21:40:11 +0200 Subject: [PATCH] Initial commit --- .gitattributes | 9 + .github/ISSUE_TEMPLATE/bug_report.md | 49 ++ .github/ISSUE_TEMPLATE/config.yml | 4 + .../ISSUE_TEMPLATE/enhancement_suggestion.md | 19 + .github/dependabot.yml | 13 + .github/workflows/build.yml | 35 + .gitignore | 9 + LICENSE.txt | 21 + README.md | 136 +++ agent-impl/README.md | 12 + agent-impl/build.gradle.kts | 48 ++ .../agent_impl/AgentErrorAction.java | 19 + .../agent_impl/ArrayAccessSanitizer.java | 122 +++ .../agent_impl/BadMemoryAccessError.java | 49 ++ .../agent_impl/DirectByteBufferHelper.java | 82 ++ .../agent_impl/FieldAccessSanitizer.java | 150 ++++ .../unsafe_sanitizer/agent_impl/LongSet.java | 94 +++ .../agent_impl/MemorySectionMap.java | 337 ++++++++ .../agent_impl/MemorySize.java | 65 ++ .../agent_impl/MemoryTracker.java | 287 +++++++ .../agent_impl/MethodCallDebugLogger.java | 122 +++ .../UninitializedMemoryTracker.java | 434 ++++++++++ .../agent_impl/UnsafeAccess.java | 22 + .../agent_impl/UnsafeSanitizerImpl.java | 399 +++++++++ agent-impl/src/main/java/module-info.java | 13 + .../agent_impl/ArrayAccessSanitizerTest.java | 247 ++++++ .../agent_impl/FieldAccessSanitizerTest.java | 158 ++++ .../agent_impl/LongSetTest.java | 140 ++++ .../agent_impl/MemorySectionMapTest.java | 544 ++++++++++++ .../UninitializedMemoryTrackerTest.java | 522 ++++++++++++ build.gradle.kts | 158 ++++ buildSrc/build.gradle.kts | 9 + buildSrc/settings.gradle.kts | 1 + ...safe-sanitizer.java-conventions.gradle.kts | 42 + gradle.properties | 2 + gradle/libs.versions.toml | 17 + gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 43453 bytes gradle/wrapper/gradle-wrapper.properties | 7 + gradlew | 249 ++++++ gradlew.bat | 92 ++ settings.gradle.kts | 7 + .../unsafe_sanitizer/AgentTest.java | 53 ++ .../unsafe_sanitizer/AgentMain.java | 249 ++++++ .../DirectByteBufferInterceptors.java | 58 ++ .../unsafe_sanitizer/ErrorAction.java | 42 + .../MethodLoggingInterceptor.java | 47 
++ .../unsafe_sanitizer/TestSupport.java | 194 +++++ .../unsafe_sanitizer/TransformBuilder.java | 101 +++ .../unsafe_sanitizer/UnsafeInterceptors.java | 311 +++++++ .../unsafe_sanitizer/UnsafeSanitizer.java | 664 +++++++++++++++ src/main/java/module-info.java | 19 + .../unsafe_sanitizer/AgentMainTest.java | 66 ++ .../unsafe_sanitizer/DebugLoggingTest.java | 254 ++++++ .../DirectByteBufferTest.java | 195 +++++ .../unsafe_sanitizer/MemoryHelper.java | 29 + .../ScopedNativeMemorySanitizerTest.java | 462 ++++++++++ .../unsafe_sanitizer/TestSupportTest.java | 179 ++++ .../unsafe_sanitizer/UnsafeAccess.java | 22 + .../unsafe_sanitizer/UnsafePrintSkipTest.java | 185 ++++ .../unsafe_sanitizer/UnsafePrintTest.java | 97 +++ .../UnsafeThrowErrorTest.java | 788 ++++++++++++++++++ 61 files changed, 8760 insertions(+) create mode 100644 .gitattributes create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/enhancement_suggestion.md create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/build.yml create mode 100644 .gitignore create mode 100644 LICENSE.txt create mode 100644 README.md create mode 100644 agent-impl/README.md create mode 100644 agent-impl/build.gradle.kts create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/AgentErrorAction.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/ArrayAccessSanitizer.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/BadMemoryAccessError.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/DirectByteBufferHelper.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/FieldAccessSanitizer.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/LongSet.java create mode 100644 
agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySectionMap.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySize.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemoryTracker.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MethodCallDebugLogger.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UninitializedMemoryTracker.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UnsafeAccess.java create mode 100644 agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UnsafeSanitizerImpl.java create mode 100644 agent-impl/src/main/java/module-info.java create mode 100644 agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/ArrayAccessSanitizerTest.java create mode 100644 agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/FieldAccessSanitizerTest.java create mode 100644 agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/LongSetTest.java create mode 100644 agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySectionMapTest.java create mode 100644 agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/UninitializedMemoryTrackerTest.java create mode 100644 build.gradle.kts create mode 100644 buildSrc/build.gradle.kts create mode 100644 buildSrc/settings.gradle.kts create mode 100644 buildSrc/src/main/kotlin/unsafe-sanitizer.java-conventions.gradle.kts create mode 100644 gradle.properties create mode 100644 gradle/libs.versions.toml create mode 100644 gradle/wrapper/gradle-wrapper.jar create mode 100644 gradle/wrapper/gradle-wrapper.properties create mode 100755 gradlew create mode 100644 gradlew.bat create mode 100644 settings.gradle.kts create mode 100644 src/agentTest/java/marcono1234/unsafe_sanitizer/AgentTest.java create mode 100644 
src/main/java/marcono1234/unsafe_sanitizer/AgentMain.java create mode 100644 src/main/java/marcono1234/unsafe_sanitizer/DirectByteBufferInterceptors.java create mode 100644 src/main/java/marcono1234/unsafe_sanitizer/ErrorAction.java create mode 100644 src/main/java/marcono1234/unsafe_sanitizer/MethodLoggingInterceptor.java create mode 100644 src/main/java/marcono1234/unsafe_sanitizer/TestSupport.java create mode 100644 src/main/java/marcono1234/unsafe_sanitizer/TransformBuilder.java create mode 100644 src/main/java/marcono1234/unsafe_sanitizer/UnsafeInterceptors.java create mode 100644 src/main/java/marcono1234/unsafe_sanitizer/UnsafeSanitizer.java create mode 100644 src/main/java/module-info.java create mode 100644 src/test/java/marcono1234/unsafe_sanitizer/AgentMainTest.java create mode 100644 src/test/java/marcono1234/unsafe_sanitizer/DebugLoggingTest.java create mode 100644 src/test/java/marcono1234/unsafe_sanitizer/DirectByteBufferTest.java create mode 100644 src/test/java/marcono1234/unsafe_sanitizer/MemoryHelper.java create mode 100644 src/test/java/marcono1234/unsafe_sanitizer/ScopedNativeMemorySanitizerTest.java create mode 100644 src/test/java/marcono1234/unsafe_sanitizer/TestSupportTest.java create mode 100644 src/test/java/marcono1234/unsafe_sanitizer/UnsafeAccess.java create mode 100644 src/test/java/marcono1234/unsafe_sanitizer/UnsafePrintSkipTest.java create mode 100644 src/test/java/marcono1234/unsafe_sanitizer/UnsafePrintTest.java create mode 100644 src/test/java/marcono1234/unsafe_sanitizer/UnsafeThrowErrorTest.java diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..097f9f9 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,9 @@ +# +# https://help.github.com/articles/dealing-with-line-endings/ +# +# Linux start script should use lf +/gradlew text eol=lf + +# These are Windows script files and should use crlf +*.bat text eol=crlf + 
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..8f83493 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,49 @@ +--- +name: Bug report +about: Report an Unsafe Sanitizer bug. +title: '' +labels: bug +assignees: '' + +--- + +### Unsafe Sanitizer version + + + +### Agent settings + +Agent installation: +- [ ] At JVM start (`-javaagent`) +- [ ] At runtime (`UnsafeSanitizer.installAgent(...)`) + +Settings: +- instrumentation-logging: true | false +- global-native-memory-sanitizer: true | false +- uninitialized-memory-tracking: true | false +- error-action: none | throw | print | print-skip +- call-debug-logging: true | false + + +### Java version + + + +### Description + + + +### Expected behavior + + + +### Actual behavior + + + +### Example code + + +```java +... +``` diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..c498ff0 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,4 @@ +contact_links: + - name: Usage question & discussion + url: https://github.com/Marcono1234/unsafe-address-sanitizer/discussions + about: Ask usage questions and discuss this Unsafe Sanitizer in GitHub Discussions. diff --git a/.github/ISSUE_TEMPLATE/enhancement_suggestion.md b/.github/ISSUE_TEMPLATE/enhancement_suggestion.md new file mode 100644 index 0000000..89c9d1d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/enhancement_suggestion.md @@ -0,0 +1,19 @@ +--- +name: Enhancement suggestion +about: Suggest an enhancement for Unsafe Sanitizer. +title: '' +labels: enhancement +assignees: '' + +--- + +### Problem solved by the enhancement + + + +### Enhancement description + + + +### Alternatives / workarounds + diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..6380a77 --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,13 @@
+# See https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "maven"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..8d4561c
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,35 @@
+name: Build
+
+on:
+ push:
+ branches-ignore:
+ # Ignore Dependabot branches because it will also open a pull request, which would cause the
+ # workflow to redundantly run twice
+ - dependabot/**
+ pull_request:
+
+
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out sources
+ uses: actions/checkout@v4
+
+ - name: Validate Gradle wrapper
+ uses: gradle/actions/wrapper-validation@v3
+
+ - name: Set up Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: 17
+
+ - name: Set up Gradle
+ uses: gradle/actions/setup-gradle@v3
+
+ - name: Build with Gradle
+ run: ./gradlew build
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..364e4f3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,9 @@
+# Ignore Gradle project-specific cache directory
+.gradle
+
+# Ignore Gradle build output directory
+build
+
+# IntelliJ files
+/.idea
+/*.iml
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 0000000..01cac5e
--- /dev/null
+++ b/LICENSE.txt
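Review bot: `package-ecosystem: "maven"` in the first `updates` entry of `.github/dependabot.yml` makes Dependabot look for Maven `pom.xml` manifests, but this commit adds only Gradle build files (`build.gradle.kts`, `buildSrc/`, `gradle/libs.versions.toml`). As written, the library and plugin dependencies would presumably never receive version or security update pull requests. The entry should read `- package-ecosystem: "gradle"`, which covers Gradle build scripts and the version catalog. The `github-actions` entry is fine as is.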
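Review bot: All four `uses:` steps in `.github/workflows/build.yml` reference mutable tags (`actions/checkout@v4`, `gradle/actions/wrapper-validation@v3`, `actions/setup-java@v4`, `gradle/actions/setup-gradle@v3`), so a re-pointed or compromised upstream tag would run in this build without any change in the repository. Pinning each step to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder, take the SHA from the upstream release), makes the workflow reproducible. The `github-actions` Dependabot entry added in the same commit can then keep the pins current. The top-level `permissions: contents: read` already limits the token, so nothing needs to change there.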
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2024 Marcono1234 + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..b86bf15 --- /dev/null +++ b/README.md 
@@ -0,0 +1,136 @@ +# Java `Unsafe` address sanitizer + +Java Agent which validates memory access performed using `sun.misc.Unsafe`. `Unsafe` is a semi-public JDK class +which allows among others allocating native memory and directly accessing memory without bounds checks. It is +sometimes used by libraries for better performance. + +The issue with `Unsafe` is that it does not detect out-of-bounds reads and writes and performs little to no argument +validation. Therefore invalid arguments can break the correctness of an application or even represent a security +vulnerability. + +Note that the memory access methods of `Unsafe` will probably be deprecated and removed in future JDK versions, see +[JEP draft JDK-8323072](https://openjdk.org/jeps/8323072). Libraries targeting newer Java versions should +prefer [`java.lang.foreign.MemorySegment`](https://docs.oracle.com/en/java/javase/22/docs/api/java.base/java/lang/foreign/MemorySegment.html), +which is a safer alternative to `Unsafe`. + +### Why this sanitizer? + +Invalid `Unsafe` arguments can be noticeable when the JVM crashes due to `SIGSEGV` respectively +`EXCEPTION_ACCESS_VIOLATION`. However, if a unit test or fuzzer runs in the same JVM, then it can most likely not +properly report the failure in case of a JVM crash.\ +And even if no JVM crash occurs, `Unsafe` might have performed out-of-bounds access in the memory of the Java +process. Out-of-bounds reads can lead to non-deterministic behavior due to reading arbitrary data, or it could +leak sensitive information from other parts of the memory. Out-of-bounds writes can corrupt data, which can +lead to incorrect behavior or crashes at completely unrelated code locations later on. + +This sanitizer injects validation checks into the `Unsafe` methods, throwing errors when invalid arguments +are provided. The following is detected: + +- Arrays: + - Out-of-bounds reads and writes + - Bad aligned access (e.g. 
reading in the middle of a `long` element of a `long[]`) +- Fields: + - No field at the specified offset + - Out-of-bounds reads and writes +- Native memory: + - Out-of-bounds reads and writes ([CWE-125](https://cwe.mitre.org/data/definitions/125.html), [CWE-787](https://cwe.mitre.org/data/definitions/787.html)) + - Reading uninitialized memory ([EXP33-C](https://wiki.sei.cmu.edu/confluence/display/c/EXP33-C.+Do+not+read+uninitialized+memory)) + - Double free ([CWE-415](https://cwe.mitre.org/data/definitions/415.html)) + +> [!WARNING] +> This library is experimental and only intended for testing and fuzzing. Do not use it in production, especially do +> not rely on it as security measure in production. + +## How does it work? + +This project is implemented as Java Agent which uses [instrumentation](https://docs.oracle.com/en/java/javase/17/docs/api/java.instrument/java/lang/instrument/package-summary.html) +(more specifically the [Byte Buddy](https://github.com/raphw/byte-buddy) library) to instrument `sun.misc.Unsafe` and +related classes. The `Unsafe` methods are transformed so that all calls are intercepted to first check if the memory +access is valid, handling invalid access depending on the `ErrorAction` configured for the sanitizer. This allows the +sanitizer to react to invalid memory access before it occurs, and before the JVM might crash. + +### Limitations + +- Only usage of the 'public' `sun.misc.Unsafe` is checked, usage of the JDK-internal `jdk.internal.misc.Unsafe` is not + checked\ + This is normally not an issue because third-party code does not (and in recent JDK versions cannot) access the + JDK-internal `Unsafe` class. +- Not all invalid memory access might be detected\ + For example, if there is a dangling pointer but in the meantime another part of the application coincidentally + allocates memory at that address, access with the originally dangling pointer would be considered valid. 
Similarly, + if out-of-bounds access coincidentally happens to access another unrelated allocated memory section, it would be + considered valid as well. +- Sanitizer is unaware of allocations which occurred before it was installed, and memory which is allocated or freed + through other means than `Unsafe` or `ByteBuffer#allocateDirect`\ + If that allocated memory is accessed afterwards, the sanitizer will consider it invalid access. There are multiple + ways to work around this, such as: + - Installing the agent when the JVM starts, instead of at runtime + - Disabling native memory access sanitization (`AgentSettings.withGlobalNativeMemorySanitizer(false)`), and + optionally instead using `UnsafeSanitizer#withScopedNativeMemoryTracking` + - Manually registering the allocated memory with `UnsafeSanitizer#registerAllocatedMemory` +- This library has mainly been written for the Hotspot JVM\ + It might not work for other JVMs, but bug reports for this are appreciated! + +## Usage + +> [!NOTE] +> This library is currently not published to Maven Central. You have to build it locally, see the [Building](#building) +> section. + +(requires Java 17 or newer) + +The sanitizer Java agent has to be installed once to become active. It can either be installed at runtime by calling +`UnsafeSanitizer.installAgent(...)`, or when the JVM is started by adding `-javaagent` to the arguments: +``` +java -javaagent:unsafe-address-sanitizer-standalone-agent.jar -jar my-application.jar +``` + +Using `-javaagent` should be preferred, if possible, because `UnsafeSanitizer.installAgent(...)` might not be supported +by all JVMs and future JDK versions, and it might miss allocations which occurred before the sanitizer was installed, +which could lead to spurious invalid memory access errors. + +When using `-javaagent`, invalid memory access will cause an error by default. 
The behavior can be customized; to view +all possible options and examples, start the agent as regular JAR (without any additional arguments): +``` +java -jar unsafe-address-sanitizer-standalone-agent.jar +``` + +### Usage with Jazzer + +This sanitizer can be used in combination with the Java fuzzing library [Jazzer](https://github.com/CodeIntelligenceTesting/jazzer), +especially its [JUnit 5 integration](https://github.com/CodeIntelligenceTesting/jazzer?tab=readme-ov-file#junit-5). + +When installing the Unsafe Sanitizer at runtime using `UnsafeSanitizer.installAgent(...)`, it should be called in a +`static { ... }` block in the test class, to only call it once and not for every executed test method. + +Jazzer itself internally uses `sun.misc.Unsafe`. If the Unsafe Sanitizer agent is installed at runtime it might +therefore be necessary to disable sanitization of native memory by using `AgentSettings.withGlobalNativeMemorySanitizer(false)`.\ +If the Unsafe Sanitizer agent has been installed using `-javaagent` this might not be a problem. However, the +sanitizer might nonetheless decrease the Jazzer performance. So unless needed, it might be useful to disable native +memory sanitization. + +## Building + +This project uses Gradle for building. JDK 17 is recommended, but Gradle toolchains are used, so any needed JDK +is downloaded by Gradle automatically. + +``` +./gradlew build +``` + +This generates the file `build/libs/unsafe-address-sanitizer--standalone-agent.jar` which you can use with the +`-javaagent` JVM argument. Or you can add it as JAR dependency to your project and then install the agent at runtime. + +You can use `./gradlew publishToMavenLocal` to [add the library to your local Maven repository](https://docs.gradle.org/current/userguide/publishing_maven.html#publishing_maven:install). +The artifact coordinates are `marcono1234.unsafe_sanitizer:unsafe-address-sanitizer:`. 
+ +## Similar third-party projects + +- Project https://github.com/serkan-ozal/mysafe \ + Offers more functionality for native memory access tracking, but does not validate array and field access. +- Paper: "Use at your own risk: the Java unsafe API in the wild"\ + Authors: Luis Mastrangelo, Luca Ponzanelli, Andrea Mocci, Michele Lanza, Matthias Hauswirth, Nathaniel Nystrom\ + DOI: [10.1145/2858965.2814313](https://doi.org/10.1145/2858965.2814313) +- Paper: "SafeCheck: safety enhancement of Java unsafe API"\ + Authors: Shiyou Huang, Jianmei Guo, Sanhong Li, Xiang Li, Yumin Qi, Kingsum Chow, Jeff Huang\ + DOI: [10.1109/ICSE.2019.00095](https://doi.org/10.1109/ICSE.2019.00095) diff --git a/agent-impl/README.md b/agent-impl/README.md new file mode 100644 index 0000000..6167b14 --- /dev/null +++ b/agent-impl/README.md @@ -0,0 +1,12 @@ +# agent-impl + +Contains the actual implementation of the agent, tracking memory and performing access checks. + +This is a separate sub-project which produces a JAR with dependencies which is then included in the main agent JAR. +The main agent then adds the nested agent-impl JAR to the bootstrap classpath, which is necessary because the +instrumented `Unsafe` methods can only access classes on the bootstrap classpath. + +See also [this Byte Buddy issue comment](https://github.com/raphw/byte-buddy/issues/597#issuecomment-458041738). + +The classes of this sub-project are not part of the public API (regardless of their visibility) and are normally +not directly accessible by user code. Instead, all interaction goes through the public API of the agent. diff --git a/agent-impl/build.gradle.kts b/agent-impl/build.gradle.kts new file mode 100644 index 0000000..feac196 --- /dev/null +++ b/agent-impl/build.gradle.kts 
@@ -0,0 +1,48 @@ +plugins { + id("unsafe-sanitizer.java-conventions") + alias(libs.plugins.shadow) +} + +dependencies { + implementation(libs.jetbrains.annotations) + + testImplementation(libs.junit) + testRuntimeOnly(libs.junit.launcher) +} + +tasks.test { + useJUnitPlatform() +} + +tasks.shadowJar { + // Relocate all dependencies to not cause conflicts when the agent JAR is added to the bootstrap classpath + isEnableRelocation = true + relocationPrefix = "marcono1234.unsafe_sanitizer.agent_impl.deps" + duplicatesStrategy = DuplicatesStrategy.FAIL + + // Include own `module-info.class`, see https://github.com/johnrengelman/shadow/issues/710 + excludes.remove("module-info.class") + + // Exclude `module-info` from dependencies, see also https://github.com/johnrengelman/shadow/issues/729 + exclude("META-INF/versions/*/module-info.class") + + // Note: Depending on the dependencies, might have to set `Multi-Release: true`, see https://github.com/johnrengelman/shadow/issues/449 +} + + +java { + // Publish only sources to allow debugging; don't publish Javadoc because this is not public API + withSourcesJar() +} + +publishing { + publications { + create("maven") { + // TODO: Maybe revert the following and only publish sources instead (`artifact(tasks["sourcesJar"])`)? + // Would not actually be necessary to publish the JAR since it is included inside the agent, + // and users are not expected to have direct dependency on it; but publish it anyway to allow + // debugging through the code + from(components["java"]) + } + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/AgentErrorAction.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/AgentErrorAction.java new file mode 100644 index 0000000..b517332 --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/AgentErrorAction.java 
@@ -0,0 +1,19 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +/** + * Action to perform in case of bad memory access. + */ +public enum AgentErrorAction { + NONE(true), + THROW(true), // `executeOnError` does not matter since exception is thrown anyway + PRINT(true), + PRINT_SKIP(false), + ; + + /** Whether to perform the bad memory access; {@code false} if it should be skipped */ + final boolean executeOnError; + + AgentErrorAction(boolean executeOnError) { + this.executeOnError = executeOnError; + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/ArrayAccessSanitizer.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/ArrayAccessSanitizer.java new file mode 100644 index 0000000..4497692 --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/ArrayAccessSanitizer.java 
@@ -0,0 +1,122 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import org.jetbrains.annotations.Nullable; +import org.jetbrains.annotations.VisibleForTesting; +import sun.misc.Unsafe; + +import java.lang.reflect.Array; + +import static marcono1234.unsafe_sanitizer.agent_impl.BadMemoryAccessError.reportError; +import static marcono1234.unsafe_sanitizer.agent_impl.UnsafeAccess.unsafe; + +/** + * Checks access on array objects. + */ +class ArrayAccessSanitizer { + private ArrayAccessSanitizer() {} + + @VisibleForTesting // currently this method only exists to simplify tests + static boolean onAccess(Object obj, long offset, MemorySize memorySize) { + return onAccess(obj, offset, memorySize, null); + } + + /** + * @param array + * array object on which the access is performed + * @param offset + * offset within the array object where the access is performed + * @param memorySize + * size of the access + * @param writtenObject + * the object which is written to the array, in case this is a write access writing an {@code Object}; + * otherwise {@code null} + * @return + * {@code true} if the access was successful; {@code false} otherwise (in case the sanitizer is not + * configured to throw exceptions) + */ + public static boolean onAccess(Object array, long offset, MemorySize memorySize, @Nullable Object writtenObject) { + Class arrayClass = array.getClass(); + Class componentClass = arrayClass.getComponentType(); + + long bytesCount; + if (componentClass.isPrimitive()) { + // Assume that for primitive array primitive memory size is used + bytesCount = memorySize.getBytesCount(); + } else if (memorySize == MemorySize.OBJECT) { + if (writtenObject != null) { + Class writtenObjectClass = writtenObject.getClass(); + // `Unsafe.putObject` says "Unless the reference x being stored is either null or matches the field + // type, the results are undefined"; probably applies to array elements as well + if (!componentClass.isAssignableFrom(writtenObjectClass)) { + return 
reportError("Trying to write " + writtenObjectClass.getTypeName() + " to " + componentClass.getTypeName() + " array"); + } + } + + // Use the index scale of an `Object[]` + bytesCount = unsafe.arrayIndexScale(arrayClass); + } else { + // Trying to read primitive data from object array + // This is technically possible, but seems error-prone, especially if there are no guarantees how + // large object references actually are + return reportError("Bad request for " + memorySize + " from " + arrayClass.getTypeName()); + } + + return onAccessImpl(array, offset, bytesCount); + } + + public static boolean onAccess(Object obj, long offset, long bytesCount) { + Class arrayClass = obj.getClass(); + + if (!arrayClass.getComponentType().isPrimitive()) { + // This is technically possible, but seems error-prone, especially if there are no guarantees how + // large object references actually are + return reportError("Reading bytes from non-primitive array " + arrayClass.getTypeName()); + } + return onAccessImpl(obj, offset, bytesCount); + } + + private static boolean onAccessImpl(Object obj, long offset, long bytesCount) { + if (offset < 0) { + return reportError("Invalid offset: " + offset); + } + if (bytesCount < 0) { + return reportError("Invalid size: " + bytesCount); + } + + Class arrayClass = obj.getClass(); + int arrayLength = Array.getLength(obj); + long baseOffset; + long indexScale; + // Faster path for byte[], which is most commonly used (?) 
+ if (arrayClass == byte[].class) { + baseOffset = Unsafe.ARRAY_BYTE_BASE_OFFSET; + indexScale = Unsafe.ARRAY_BYTE_INDEX_SCALE; + } else { + baseOffset = unsafe.arrayBaseOffset(arrayClass); + indexScale = unsafe.arrayIndexScale(arrayClass); + } + + if (indexScale == 0) { + return reportError("Unsupported array class: " + arrayClass.getTypeName()); + } + + if (offset < baseOffset) { + return reportError("Bad array access at offset " + offset + "; min offset is " + baseOffset); + } + long maxOffset = baseOffset + (arrayLength * indexScale); + // Overflow-safe variant, uses `Long.compareUnsigned` here since `maxOffset` might have overflown already (?) + if (Long.compareUnsigned(offset + bytesCount, maxOffset) > 0) { + return reportError("Bad array access at offset " + offset + ", size " + bytesCount + + "; max offset is " + Long.toUnsignedString(maxOffset)); + } + + // `Unsafe#getInt` documentation sounds like access must be aligned by scale + if ((offset - baseOffset) % indexScale != 0) { + return reportError("Bad aligned array access at offset " + offset + " for " + arrayClass.getTypeName()); + } + // TODO: Should this also check if `offset + bytesCount` is aligned? But `Unsafe` documentation does not + // seem to mention that + + return true; + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/BadMemoryAccessError.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/BadMemoryAccessError.java new file mode 100644 index 0000000..927187c --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/BadMemoryAccessError.java 
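Review bot: In `onAccess(Object, long, MemorySize, Object)` the primitive-array branch takes `memorySize.getBytesCount()` without checking which `MemorySize` was requested. An `Object`-sized access on e.g. a `long[]` is therefore only rejected if `MemorySize.OBJECT.getBytesCount()` happens to fail (`MemorySize` is outside this hunk). Reading a reference out of primitive array contents, or storing one into them, is a type confusion; the object-array branch already rejects the opposite case. I would reject it explicitly at the top of the primitive branch: `if (memorySize == MemorySize.OBJECT) return reportError("Bad request for " + memorySize + " from " + arrayClass.getTypeName());`. Both public `onAccess` overloads also dereference `getComponentType()` without a null check, so they rely on callers passing only array objects; a one-line comment stating that precondition would help.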
@@ -0,0 +1,49 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import java.io.PrintStream; + +// This is an `Error` instead of `RuntimeException` subclass to make it less likely that user code accidentally +// discards the error +public class BadMemoryAccessError extends Error { + private BadMemoryAccessError(String message) { + super(message); + } + + private BadMemoryAccessError(String message, Throwable cause) { + super(message, cause); + } + + private static void onError(BadMemoryAccessError error) { + UnsafeSanitizerImpl.getLastErrorRefImpl().set(error); + + switch (UnsafeSanitizerImpl.getErrorAction()) { + case THROW -> throw error; + case PRINT, PRINT_SKIP -> { + PrintStream stream = System.err; + error.printStackTrace(stream); + // Flush output to make sure users can see it in the console, even if the JVM crashes soon afterwards + stream.flush(); + } + } + } + + /** + * @return In case due to the {@link AgentErrorAction} no error is thrown, returns whether the {@code Unsafe} + * method should be executed or not and its execution should be skipped (e.g. to prevent a JVM crash). + */ + static boolean reportError(String message) { + var error = new BadMemoryAccessError(message); + onError(error); + return UnsafeSanitizerImpl.executeOnError(); + } + + /** + * @return In case due to the {@link AgentErrorAction} no error is thrown, returns whether the {@code Unsafe} + * method should be executed or not and its execution should be skipped (e.g. to prevent a JVM crash). + */ + static boolean reportError(Throwable exception) { + var error = new BadMemoryAccessError(exception.getMessage(), exception); + onError(error); + return UnsafeSanitizerImpl.executeOnError(); + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/DirectByteBufferHelper.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/DirectByteBufferHelper.java new file mode 100644 index 0000000..711cb53 --- /dev/null 
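Review bot: The `@return` text on both `reportError` overloads does not say which boolean value means what ("should be executed or not and its execution should be skipped"), yet that value decides whether the invalid access is actually performed. Going by `AgentErrorAction` in this commit, `NONE` and `PRINT` carry `executeOnError = true`; assuming `UnsafeSanitizerImpl.executeOnError()` (not in this hunk) returns that flag, `true` means the bad access still goes ahead. I would word it as `@return {@code true} if the {@code Unsafe} method should still be executed despite the error; {@code false} if its execution should be skipped`. The Javadoc of `ArrayAccessSanitizer.onAccess` should be aligned with it, since it currently describes the same return value as "the access was successful".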
+++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/DirectByteBufferHelper.java 
@@ -0,0 +1,82 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import java.lang.invoke.MethodHandle; +import java.lang.invoke.MethodHandles; +import java.lang.reflect.Field; +import java.nio.Buffer; +import java.nio.ByteBuffer; + +/** + * Helper for {@code ByteBuffer}s allocated with {@link ByteBuffer#allocateDirect(int)}. + */ +public class DirectByteBufferHelper { + private DirectByteBufferHelper() {} + + /** + * Name of the internal JDK class performing deallocation of direct byte buffers. + */ + public static final String DEALLOCATOR_CLASS_NAME = "java.nio.DirectByteBuffer$Deallocator"; + + /* + * Note: This does not use `Unsafe` to access the field values because this would then cause + * spurious log entries for the sanitizer + * Instead it makes the fields accessible and relies on the agent opening `java.nio` to this module + */ + private static final MethodHandle bufferAddressGetter; + static { + try { + Field bufferAddressField = Buffer.class.getDeclaredField("address"); + bufferAddressField.setAccessible(true); + bufferAddressGetter = MethodHandles.lookup().unreflectGetter(bufferAddressField); + } catch (ReflectiveOperationException e) { + throw new RuntimeException("Failed getting 'address' field", e); + } + } + + private static final MethodHandle deallocatorAddressGetter; + static { + Class deallocatorClass; + try { + deallocatorClass = Class.forName(DEALLOCATOR_CLASS_NAME); + } catch (ReflectiveOperationException e) { + throw new RuntimeException("Failed getting deallocator class", e); + } + + // In JDK 22 (backported to JDK 21) the class was converted to a record class, see + // https://github.com/openjdk/jdk/commit/cf74b8c2a32f33019a13ce80b6667da502cc6722 + // However, component name is still the same so can still access the backing field + // with that name + try { + Field deallocatorAddressField = deallocatorClass.getDeclaredField("address"); + deallocatorAddressField.setAccessible(true); + deallocatorAddressGetter = 
MethodHandles.lookup().unreflectGetter(deallocatorAddressField); + } catch (ReflectiveOperationException e) { + throw new RuntimeException("Failed getting 'address' field", e); + } + } + + public static long getAddress(ByteBuffer buffer) { + if (!buffer.isDirect()) { + throw new IllegalArgumentException("Buffer must be direct"); + } + try { + return (long) bufferAddressGetter.invokeExact((Buffer) buffer); + } catch (Error e) { + throw e; + } catch (Throwable t) { + throw new RuntimeException("Failed getting buffer address", t); + } + } + + public static long getDeallocatorAddress(Runnable r) { + try { + // Cannot use `invokeExact` here because the receiver type is actually the private + // `DirectByteBuffer$Deallocator` class + return (long) deallocatorAddressGetter.invoke(r); + } catch (Error e) { + throw e; + } catch (Throwable t) { + throw new RuntimeException("Failed getting deallocator address", t); + } + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/FieldAccessSanitizer.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/FieldAccessSanitizer.java new file mode 100644 index 0000000..a7209c7 --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/FieldAccessSanitizer.java 
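Review bot: `getDeallocatorAddress(Runnable r)` is public and accepts any `Runnable`, but unlike `getAddress`, which rejects non-direct buffers up front, it has no argument check; a receiver that is not the JDK deallocator presumably fails inside `invoke` and surfaces as the generic `RuntimeException("Failed getting deallocator address")`. A guard mirroring the `isDirect()` check would make misuse explicit: `if (!r.getClass().getName().equals(DEALLOCATOR_CLASS_NAME)) { throw new IllegalArgumentException("Not a direct buffer deallocator"); }`. The two static initializers also throw the identical message `"Failed getting 'address' field"`, so a startup failure does not say whether `Buffer` or the deallocator class was the problem; naming the class in each message would fix that.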
@@ -0,0 +1,150 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import org.jetbrains.annotations.Nullable; +import org.jetbrains.annotations.VisibleForTesting; + +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.*; + +import static marcono1234.unsafe_sanitizer.agent_impl.BadMemoryAccessError.reportError; +import static marcono1234.unsafe_sanitizer.agent_impl.UnsafeAccess.unsafe; + +/** + * Checks access on instance and static fields. + */ +class FieldAccessSanitizer { + // Implementation must be thread-safe + + private record FieldData(Field field, MemorySize fieldSize) { + } + + // Two separate maps, one for static fields and one for instance fields, because the way their + // offset is obtained from `Unsafe` differs, and there is no guarantee that there won't be collisions + private final Map, Map> staticFieldsCache; + private final Map, Map> instanceFieldsCache; + + public FieldAccessSanitizer() { + // Important: Must use fully synchronized maps here, cannot use read-write lock because for WeakHashMap + // even methods which normally don't mutate map (e.g. 
`size()`) might remove stale entries + staticFieldsCache = Collections.synchronizedMap(new WeakHashMap<>()); + instanceFieldsCache = Collections.synchronizedMap(new WeakHashMap<>()); + } + + @VisibleForTesting // currently this method only exists to simplify tests + boolean checkAccess(Object obj, long offset, MemorySize size) { + return checkAccess(obj, offset, size, null); + } + + private static String getFieldDisplayString(Field f) { + return f.getType().getTypeName() + " " + f.getDeclaringClass().getTypeName() + "#" + f.getName(); + } + + /** + * @param obj + * object on which the access is performed; for static fields the {@link sun.misc.Unsafe#staticFieldBase(Field)} + * @param offset + * offset of the accessed field + * @param size + * size of the access + * @param writtenObject + * the object which is written to the field, in case this is a write access writing an {@code Object}; + * otherwise {@code null} + * @return + * {@code true} if the access was successful; {@code false} otherwise (in case the sanitizer is not + * configured to throw exceptions) + */ + public boolean checkAccess(Object obj, long offset, MemorySize size, @Nullable Object writtenObject) { + Objects.requireNonNull(obj); + Objects.requireNonNull(size); + + if (offset < 0) { + return reportError("Invalid offset: " + offset); + } + + FieldData fieldData; + String classDisplayName; + if (obj instanceof Class c) { + // Object was probably obtained from `sun.misc.Unsafe#staticFieldBase` + // Note that this is an implementation detail of the Hotspot JVM, see + // https://github.com/openjdk/jdk/blob/55c1446b68db6c4734420124b5f26278389fdf2b/src/hotspot/share/prims/unsafe.cpp#L533-L553 + // For other JVMs `staticFieldBase` could return something different + + classDisplayName = c.getTypeName(); + fieldData = getStaticFieldData(c, offset); + } else { + Class c = obj.getClass(); + classDisplayName = c.getTypeName(); + fieldData = getInstanceFieldSize(c, offset); + } + + if (fieldData == null) { + 
return reportError("Class " + classDisplayName + " has no field at offset " + offset); + } + + if (writtenObject != null) { + Field field = fieldData.field; + Class writtenObjectClass = writtenObject.getClass(); + // `Unsafe.putObject` says "Unless the reference x being stored is either null or matches the field + // type, the results are undefined" + if (!field.getType().isAssignableFrom(writtenObjectClass)) { + return reportError("Trying to write " + writtenObjectClass + " to field '" + getFieldDisplayString(field) + "'"); + } + } + + // TODO: Should permit reading smaller? E.g. read `int` as `byte`? (but have to differentiate here then + // between read and write) + MemorySize fieldSize = fieldData.fieldSize; + if (fieldSize != size) { + return reportError("Field '" + getFieldDisplayString(fieldData.field) + "' at offset " + offset + // Include the `classDisplayName` for the case where the field is declared by a superclass + + " of class "+ classDisplayName + " has size " + fieldSize + ", not " + size); + } + return true; + } + + private FieldData getStaticFieldData(Class c, long offset) { + var offsetMap = staticFieldsCache.computeIfAbsent(c, key -> createStaticFieldsOffsetMap(c)); + return offsetMap.get(offset); + } + + private static Map createStaticFieldsOffsetMap(Class c) { + Map map = new HashMap<>(); + for (Field f : c.getDeclaredFields()) { + if (Modifier.isStatic(f.getModifiers())) { + FieldData fieldData = new FieldData(f, MemorySize.fromClass(f.getType())); + var oldValue = map.put(unsafe.staticFieldOffset(f), fieldData); + if (oldValue != null) { + throw new AssertionError("Duplicate field offset for " + f); + } + } + } + + return map; + } + + private FieldData getInstanceFieldSize(Class c, long offset) { + var offsetMap = instanceFieldsCache.computeIfAbsent(c, key -> createInstanceFieldsOffsetMap(c)); + return offsetMap.get(offset); + } + + private static Map createInstanceFieldsOffsetMap(Class c) { + Map map = new HashMap<>(); + + // For simplicity 
later during lookup, include the fields of all superclasses, instead of + // having separate entries for them + for (; c != null; c = c.getSuperclass()) { + for (Field f : c.getDeclaredFields()) { + if (!Modifier.isStatic(f.getModifiers())) { + FieldData fieldData = new FieldData(f, MemorySize.fromClass(f.getType())); + var oldValue = map.put(unsafe.objectFieldOffset(f), fieldData); + if (oldValue != null) { + throw new AssertionError("Duplicate field offset for " + f); + } + } + } + } + + return map; + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/LongSet.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/LongSet.java new file mode 100644 index 0000000..4e2c0d0 --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/LongSet.java 
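Review bot: `createInstanceFieldsOffsetMap` calls `unsafe.objectFieldOffset(f)` for every instance field in the class hierarchy, and any exception from it escapes `checkAccess` as is instead of going through `reportError`. If `unsafe` is `sun.misc.Unsafe` (its declaration is not in this hunk), recent JDKs throw `UnsupportedOperationException` for fields of records and hidden classes, so a single access on such an object would make the sanitizer itself fail and bypass the configured error action. I would skip those fields, e.g. `long fieldOffset; try { fieldOffset = unsafe.objectFieldOffset(f); } catch (UnsupportedOperationException e) { continue; }`, so the access is reported as "has no field at offset"; the same applies to `unsafe.staticFieldOffset(f)` in `createStaticFieldsOffsetMap`. Separately, `getInstanceFieldSize` returns a `FieldData`, so `getInstanceFieldData` would match its static counterpart.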
@@ -0,0 +1,94 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import org.jetbrains.annotations.VisibleForTesting; + +import java.util.Arrays; + +/** + * Set of {@code long} values. + */ +class LongSet { + @VisibleForTesting + static final int INITIAL_CAPACITY = 64; + + private long[] values; + private int count; + + public LongSet() { + values = new long[INITIAL_CAPACITY]; + count = 0; + } + + private int getIndex(long value) { + return Arrays.binarySearch(values, 0, count, value); + } + + /** + * @return {@code true} if the value was added, {@code false} is the set already contained the value + */ + public boolean add(long value) { + int index = getIndex(value); + if (index >= 0) { + return false; + } + index = -(index + 1); + + // Increase capacity if necessary + if (count >= values.length) { + int newCapacity = count * 2; + values = Arrays.copyOf(values, newCapacity); + } + + // Can avoid shifting if value is added at the end (`index == count`) + if (index < count) { + int copyCount = count - index; + // Shift subsequent values + System.arraycopy(values, index, values, index + 1, copyCount); + } + + // Insert new value + values[index] = value; + count++; + return true; + } + + public boolean contains(long value) { + return getIndex(value) >= 0; + } + + /** + * @return whether the value existed in the set and was removed + */ + public boolean remove(long value) { + int index = getIndex(value); + if (index < 0) { + return false; + } + + // Can avoid shifting if value is the last (or only) one (`index == count - 1`); + // will be implicitly removed by decrementing `count` + if (index < count - 1) { + int copyCount = count - index - 1; + // Remove value by shifting subsequent entries + System.arraycopy(values, index + 1, values, index, copyCount); + } + count--; + + // Check if arrays should be shrunken + int newCapacity = values.length / 2; + if (count * 4 < values.length && newCapacity >= INITIAL_CAPACITY) { + values = Arrays.copyOf(values, newCapacity); + 
} + return true; + } + + public void clear() { + values = new long[INITIAL_CAPACITY]; + count = 0; + } + + @VisibleForTesting + long[] getValues() { + return Arrays.copyOf(values, count); + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySectionMap.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySectionMap.java new file mode 100644 index 0000000..4215d46 --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySectionMap.java 
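Review bot: `LongSet` says nothing about thread-safety, while `FieldAccessSanitizer` and `MemoryTracker` in this commit are both marked "Implementation must be thread-safe"; `add`, `remove` and `clear` reassign and shift `values` with no synchronization of their own. Since the set is only correct under an external lock, I would state that under the class Javadoc: `// Not thread-safe; callers must guard all access with their own lock`. The `add` Javadoc also reads `{@code false} is the set already contained the value`, where `is` should be `if`.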
@@ -0,0 +1,337 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import org.jetbrains.annotations.Nullable; +import org.jetbrains.annotations.VisibleForTesting; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +/** + * Map for memory sections which consist of an {@code address} and a {@code size}. + */ +class MemorySectionMap { + /* + * Implementation note: + * This is basically a navigable long-to-long map, implemented using two `long[]` arrays + * (one storing keys, the other values) and binary search. + * + * Might not be super efficient, but avoids pulling in multiple MB large third-party libraries, + * and also for example fastutil has no navigable map for primitive types yet, see + * https://github.com/vigna/fastutil/issues/33. + */ + + @VisibleForTesting + static final int INITIAL_CAPACITY = 1024; + + /** + * Acts as 'key' array with the first {@link #count} entries being keys, and the entries at + * the same index in {@link #sizes} being their values. + * This array is sorted. + */ + private long[] addresses; + private long[] sizes; + /** Whether for this memory region it is tracked if memory is uninitialized. */ + private boolean[] isTrackingUninitialized; + private int count; + + // TODO: Maybe also track `StackWalker.StackFrame` of method which performed allocation (to make troubleshooting + // easier?) 
+ + @Nullable("if disabled") + private UninitializedMemoryTracker uninitializedMemoryTracker; + + public MemorySectionMap() { + addresses = new long[INITIAL_CAPACITY]; + sizes = new long[INITIAL_CAPACITY]; + isTrackingUninitialized = new boolean[INITIAL_CAPACITY]; + count = 0; + + uninitializedMemoryTracker = new UninitializedMemoryTracker(); + } + + public void enableUninitializedMemoryTracking() { + if (uninitializedMemoryTracker == null) { + uninitializedMemoryTracker = new UninitializedMemoryTracker(); + } + } + + public void disableUninitializedMemoryTracking() { + uninitializedMemoryTracker = null; + } + + private static void checkAddress(long address) { + if (address < 0) { + throw new IllegalArgumentException("Invalid address " + address); + } + } + + private static void checkAddSize(long size) { + if (size <= 0) { + throw new IllegalArgumentException("Invalid size: " + size); + } + } + + public void addSection(long address, long size, boolean trackUninitialized) throws IllegalArgumentException { + checkAddress(address); + checkAddSize(size); + + int index = Arrays.binarySearch(addresses, 0, count, address); + if (index >= 0) { + throw new IllegalArgumentException("Overwriting entry at " + address); + } + index = -(index + 1); + if (index > 0) { + long previousAddress = addresses[index - 1]; + long previousSize = sizes[index - 1]; + // Overflow-safe variant of `previousAddress + previousSize > address` + if (previousAddress > address - previousSize) { + throw new IllegalArgumentException("Section at " + address + " collides with existing section at " + previousAddress); + } + } + if (index < count) { + long nextAddress = addresses[index]; + // Overflow-safe variant of `address + size > nextAddress` + if (address > nextAddress - size) { + throw new IllegalArgumentException("Section at " + address + " collides with existing section at " + nextAddress); + } + } + + // Increase capacity if necessary + if (count >= addresses.length) { + int newCapacity = count * 
2; + addresses = Arrays.copyOf(addresses, newCapacity); + sizes = Arrays.copyOf(sizes, newCapacity); + isTrackingUninitialized = Arrays.copyOf(isTrackingUninitialized, newCapacity); + } + + // Can avoid shifting if entry is added at the end (`index == count`) + if (index < count) { + int copyCount = count - index; + // Shift subsequent entries + System.arraycopy(addresses, index, addresses, index + 1, copyCount); + System.arraycopy(sizes, index, sizes, index + 1, copyCount); + System.arraycopy(isTrackingUninitialized, index, isTrackingUninitialized, index + 1, copyCount); + } + + // Insert new entry + addresses[index] = address; + sizes[index] = size; + // Note: Instead of having a separate array for this, could also consider calling `uninitializedMemoryTracker.setInitialized`, + // but that might decrease performance of `uninitializedMemoryTracker` + isTrackingUninitialized[index] = trackUninitialized; + + count++; + } + + public boolean hasSectionAt(long address) { + checkAddress(address); + return Arrays.binarySearch(addresses, 0, count, address) >= 0; + } + + /** + * @param isZeroSized + * if {@code true} also allows the address right behind a section, i.e. an 'exclusive end address' + */ + public void checkIsInSection(long address, boolean isZeroSized) throws IllegalArgumentException { + checkAccessImpl(address, isZeroSized ? 
0 : 1); + } + + public boolean tryRemoveSection(long address) { + var removeResult = tryRemoveSectionImpl(address); + if (removeResult == null) { + return false; + } + + if (uninitializedMemoryTracker != null && removeResult.wasTrackingUninitialized) { + // Treat memory as uninitialized; even if subsequent allocation happens to obtain same memory region, + // it should not make any assumptions about the previous content + uninitializedMemoryTracker.clearInitialized(address, removeResult.size); + } + return true; + } + + public void removeSection(long address) throws IllegalArgumentException { + if (!tryRemoveSection(address)) { + throw new IllegalArgumentException("No section at address " + address); + } + } + + /** + * Moves a memory section to a different (potentially overlapping) address, and shrinking or enlarging + * the section. Acts like a {@code reallocateMemory}. + * + *

There must not be an existing section at the destination address. + */ + public void moveSection(long srcAddress, long destAddress, long destSize) { + checkAddress(srcAddress); + checkAddress(destAddress); + checkAddSize(destSize); + + var removeResult = tryRemoveSectionImpl(srcAddress); + if (removeResult == null) { + throw new IllegalArgumentException("No section at address " + srcAddress); + } + boolean trackUninitialized = removeResult.wasTrackingUninitialized; + addSection(destAddress, destSize, trackUninitialized); + if (uninitializedMemoryTracker != null && trackUninitialized) { + uninitializedMemoryTracker.moveInitialized(srcAddress, removeResult.size, destAddress, destSize); + } + } + + private record RemoveResult(long size, boolean wasTrackingUninitialized) {} + + @Nullable + private RemoveResult tryRemoveSectionImpl(long address) throws IllegalArgumentException { + checkAddress(address); + + int index = Arrays.binarySearch(addresses, 0, count, address); + if (index < 0) { + return null; + } + long size = sizes[index]; + boolean wasTrackingUninitialized = isTrackingUninitialized[index]; + + // Can avoid shifting if entry is the last (or only) one (`index == count - 1`); + // will be implicitly removed by decrementing `count` + if (index < count - 1) { + int copyCount = count - index - 1; + // Remove entry by shifting subsequent entries + System.arraycopy(addresses, index + 1, addresses, index, copyCount); + System.arraycopy(sizes, index + 1, sizes, index, copyCount); + System.arraycopy(isTrackingUninitialized, index + 1, isTrackingUninitialized, index, copyCount); + } + count--; + + // Check if arrays should be shrunken + int newCapacity = addresses.length / 2; + if (count * 4 < addresses.length && newCapacity >= INITIAL_CAPACITY) { + addresses = Arrays.copyOf(addresses, newCapacity); + sizes = Arrays.copyOf(sizes, newCapacity); + isTrackingUninitialized = Arrays.copyOf(isTrackingUninitialized, newCapacity); + } + + return new RemoveResult(size, 
wasTrackingUninitialized); + } + + public void performAccess(long address, long size, boolean isRead) throws IllegalArgumentException { + int sectionIndex = checkAccessImpl(address, size); + if (size == 0) { + // For size 0 only validate the address with the check above + return; + } + + if (uninitializedMemoryTracker != null) { + if (isRead) { + if (isTrackingUninitialized[sectionIndex]) { + if (!uninitializedMemoryTracker.isInitialized(address, size)) { + throw new IllegalArgumentException("Trying to read uninitialized data at " + address + ", size " + size); + } + } + } else { + if (isTrackingUninitialized[sectionIndex]) { + uninitializedMemoryTracker.setInitialized(address, size); + } + } + } + } + + public void performCopyAccess(long srcAddress, long destAddress, long size) throws IllegalArgumentException { + // Check access without checking if memory is initialized + int srcSectionIndex = checkAccessImpl(srcAddress, size); + int destSectionIndex = checkAccessImpl(destAddress, size); + if (size == 0) { + // For size 0 only validate the addresses with the checks above + return; + } + + if (uninitializedMemoryTracker != null) { + if (isTrackingUninitialized[destSectionIndex]) { + if (isTrackingUninitialized[srcSectionIndex]) { + uninitializedMemoryTracker.copyInitialized(srcAddress, destAddress, size); + } else { + // Otherwise assume that source was fully initialized + uninitializedMemoryTracker.setInitialized(destAddress, size); + } + } + // If destination is assumed to be fully initialized, then require that source is fully initialized as well + else if (isTrackingUninitialized[srcSectionIndex]) { + if (!uninitializedMemoryTracker.isInitialized(srcAddress, size)) { + throw new IllegalArgumentException("Trying to copy uninitialized data from " + srcAddress + ", size " + size); + } + } + } + } + + // TODO: Maybe just use return value instead of throwing? 
But cannot convey reason for invalid arguments then + /** + * @return the section index + */ + private int checkAccessImpl(long address, long size) throws IllegalArgumentException { + checkAddress(address); + if (size < 0) { + throw new IllegalArgumentException("Invalid size: " + size); + } + + int index = Arrays.binarySearch(addresses, 0, count, address); + // Section starts at same address, only need to compare sizes + if (index >= 0) { + long actualSize = sizes[index]; + if (size > actualSize) { + throw new IllegalArgumentException("Size " + size + " exceeds actual size " + actualSize + " at " + address); + } + } + // Otherwise need to check size of section which starts before the address + else { + index = -(index + 1); + index--; // check previous section + if (index < 0) { + throw new IllegalArgumentException("Access outside of section at " + address); + } + + long previousAddress = addresses[index]; + long previousSize = sizes[index]; + // Overflow-safe variant of `previousAddress + previousSize < address + size` + if (previousAddress - size < address - previousSize) { + throw new IllegalArgumentException("Access outside of section at " + address + ", size " + size + " (previous section: " + previousAddress + ", size " + previousSize + ")"); + } + } + + return index; + } + + public record Section(long address, long bytesCount) {} + + public boolean isEmpty() { + return count == 0; + } + + public List

getAllSections() { + List
sections = new ArrayList<>(); + for (int i = 0; i < count; i++) { + sections.add(new Section(addresses[i], sizes[i])); + } + return sections; + } + + @VisibleForTesting + List getAllInitializedSections() { + if (uninitializedMemoryTracker == null) { + throw new IllegalStateException("Uninitialized memory tracking is disabled"); + } + return uninitializedMemoryTracker.getAllInitializedSections(); + } + + public void clearAllSections() { + // Note: This can be implemented more efficiently (but also more error-prone?), but this + // implementation should be fine for now + for (Section section : getAllSections()) { + removeSection(section.address); + } + } + + @Override + public String toString() { + return getAllSections().toString(); + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySize.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySize.java new file mode 100644 index 0000000..94be4cf --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySize.java 
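Review bot: `moveSection` removes the source section with `tryRemoveSectionImpl` before calling `addSection`, and when `addSection` rejects the destination the exception leaves the source section gone while its initialized-state is still recorded in `uninitializedMemoryTracker`. `tryRemoveSection` clears that state on removal so that a later allocation at the same address is not assumed to be initialized; this failure path skips the clearing, so an uninitialized read from a later section at that address could go unreported. Clearing the source range before rethrowing keeps the two structures consistent.

```java
boolean trackUninitialized = removeResult.wasTrackingUninitialized;
try {
    addSection(destAddress, destSize, trackUninitialized);
} catch (IllegalArgumentException e) {
    // Source section is already removed; drop its initialized state like `tryRemoveSection` does
    if (uninitializedMemoryTracker != null && trackUninitialized) {
        uninitializedMemoryTracker.clearInitialized(srcAddress, removeResult.size);
    }
    throw e;
}
// … unchanged: moveInitialized call for the successful case …
```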
@@ -0,0 +1,65 @@
+package marcono1234.unsafe_sanitizer.agent_impl;
+
+import sun.misc.Unsafe;
+
+/**
+ * Size of a memory access which is using a primitive or {@code Object} value.
+ */
+// This assumes that for `Unsafe` method only size of data type matters, and it is for example possible to
+// read a `float` (= 4 bytes) as `int` (= 4 bytes).
+public enum MemorySize {
+ BOOLEAN,
+ BYTE_1,
+ BYTE_2,
+ BYTE_4,
+ BYTE_8,
+ ADDRESS,
+ OBJECT,
+ ;
+
+ /**
+ * Gets the number of bytes this memory size represents.
+ *
+ * @throws BadMemoryAccessError
+ * If this 'memory size' has no defined number of bytes
+ */
+ int getBytesCount() {
+ return switch (this) {
+ // TODO: Is this correct for boolean?
+ case BOOLEAN, BYTE_1 -> 1;
+ case BYTE_2 -> 2;
+ case BYTE_4 -> 4;
+ case BYTE_8 -> 8;
+ case ADDRESS -> Unsafe.ADDRESS_SIZE;
+ case OBJECT -> {
+ // It looks like it is for example possible to store an Object in a `byte[]`; though not sure if
+ // that is safe and if there are guarantees how large an Object reference actually is
+ // As fallback use `ARRAY_OBJECT_INDEX_SCALE`; that might be wrong though
+ BadMemoryAccessError.reportError("Using Object in the context of bytes");
+ yield Unsafe.ARRAY_OBJECT_INDEX_SCALE;
+ }
+ };
+ }
+
+ /**
+ * Gets the memory size a value of type {@code c} takes up.
+ */
+ public static MemorySize fromClass(Class c) {
+ if (c == boolean.class) {
+ return MemorySize.BOOLEAN;
+ }
+ if (c == byte.class) {
+ return MemorySize.BYTE_1;
+ }
+ if (c == char.class || c == short.class) {
+ return MemorySize.BYTE_2;
+ }
+ if (c == int.class || c == float.class) {
+ return MemorySize.BYTE_4;
+ }
+ if (c == long.class || c == double.class) {
+ return MemorySize.BYTE_8;
+ }
+ return MemorySize.OBJECT;
+ }
+}
diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemoryTracker.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemoryTracker.java
new file mode 100644
index 0000000..fd800f1
--- /dev/null
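Review bot: In the `OBJECT` branch of `getBytesCount` the boolean returned by `BadMemoryAccessError.reportError(...)` is discarded, so when the error action prints instead of throwing, the method yields `Unsafe.ARRAY_OBJECT_INDEX_SCALE` and the caller cannot tell that the access was flagged or that it should be skipped. The `@throws BadMemoryAccessError` tag overstates the behaviour for the same reason, since `onError` only throws for `THROW`. If propagating the skip decision is not practical here, I would at least document it: `@throws BadMemoryAccessError if this is {@link #OBJECT} and the error action is to throw; otherwise the error is only reported and a fallback size is returned`.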
+++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MemoryTracker.java 
@@ -0,0 +1,287 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import sun.misc.Unsafe; + +import java.util.concurrent.locks.ReadWriteLock; +import java.util.concurrent.locks.ReentrantReadWriteLock; + +import static marcono1234.unsafe_sanitizer.agent_impl.BadMemoryAccessError.reportError; + +/** + * Tracker of native memory access. + */ +class MemoryTracker { + // Implementation must be thread-safe + + private final ReadWriteLock lock = new ReentrantReadWriteLock(); + /** Known sections of active native memory */ + private final MemorySectionMap sectionsMap = new MemorySectionMap(); + /** + * Known addresses of active direct {@link java.nio.ByteBuffer}s; only contains addresses of buffers whose + * {@link java.nio.ByteBuffer#allocateDirect(int)} call was intercepted + */ + // TODO: Maybe instead of this separate set, store inside `sectionsMap` whether section is from direct ByteBuffer? + // But that would make the API of MemorySectionMap more verbose, and its logic more complicated + private final LongSet directBufferAddresses = new LongSet(); + + public void enableUninitializedMemoryTracking() { + lock.writeLock().lock(); + try { + sectionsMap.enableUninitializedMemoryTracking(); + } finally { + lock.writeLock().unlock(); + } + } + + public void disableUninitializedMemoryTracking() { + lock.writeLock().lock(); + try { + sectionsMap.disableUninitializedMemoryTracking(); + } finally { + lock.writeLock().unlock(); + } + } + + static boolean verifyValidBytesCount(long bytesCount) { + if (bytesCount < 0) { + return reportError("Invalid bytes count: " + bytesCount); + } + + if (Unsafe.ADDRESS_SIZE == 4) { + // Only allow 32-bit (unsigned) byte count, see `jdk.internal.misc.Unsafe#checkSize` + if (bytesCount >>> 32 != 0) { + return reportError("Too large bytes count: " + bytesCount); + } + } + return true; + } + + /** + * Informs the tracker that memory has been allocated. 
+ * + * @param address + * address where the memory was allocated + * @param bytesCount + * size of the allocation + * @param trackUninitialized + * whether for this memory region it should be tracked if the memory is uninitialized + * (if {@linkplain #enableUninitializedMemoryTracking() enabled}); if {@code false} this memory section + * is always considered (and required) to be initialized + * @param isDirectBuffer + * whether the memory has been allocated by {@link java.nio.ByteBuffer#allocateDirect(int)} + * + * @return + * {@code true} if the caller should assume the allocation was successful; + * {@code false} if the allocation was considered invalid (but the sanitizer is not + * {@linkplain UnsafeSanitizerImpl#setErrorAction(AgentErrorAction) configured} to throw on bad memory access) + */ + public boolean onAllocatedMemory(long address, long bytesCount, boolean trackUninitialized, boolean isDirectBuffer) { + // At least `Unsafe.reallocateMemory` says result address will be zero if the size is zero, + // `Unsafe.unsafe.allocateMemory` says result will never be zero, but it actually seems to + // behave the same way as `reallocateMemory` + if (address == 0 && bytesCount == 0) { + return true; + } + + // TODO: Maybe these should throw AssertionError or similar, assuming that `Unsafe` never returns incorrect + // results for successful allocation + // Instead what could happen is that this sanitizer misses calls which free memory + + if (address <= 0) { + return reportError("Invalid address: " + address); + } else if (!verifyValidBytesCount(bytesCount)) { + return false; + } + + lock.writeLock().lock(); + try { + sectionsMap.addSection(address, bytesCount, trackUninitialized); + + if (isDirectBuffer) { + if (!directBufferAddresses.add(address)) { + // Probably impossible; `sectionsMap.addSection` call above would have failed already + throw new IllegalArgumentException("Direct byte buffer at address " + address + " already exists"); + } + } + } catch 
(IllegalArgumentException e) { + return reportError(e); + } finally { + lock.writeLock().unlock(); + } + return true; + } + + /** + * Verifies that a memory section starts at the address and can be reallocated. + * Does not check if the memory is initialized. + */ + public boolean verifyCanReallocate(long address) { + if (address <= 0) { + return reportError("Invalid address: " + address); + } + + lock.readLock().lock(); + try { + if (directBufferAddresses.contains(address)) { + return reportError("Trying to reallocate memory of direct ByteBuffer at address " + address); + } + + if (sectionsMap.hasSectionAt(address)) { + return true; + } + return reportError("No memory section at address " + address); + } catch (IllegalArgumentException e) { + return reportError(e); + } finally { + lock.readLock().unlock(); + } + } + + /** + * Verifies that the address is inside a section of allocated memory. + * Does not check if the memory is initialized. + * + * @param isZeroSized + * if {@code true} also allows the address right behind a section, i.e. 
an 'exclusive end address' + */ + public boolean verifyValidAddress(long address, boolean isZeroSized) { + if (address <= 0) { + return reportError("Invalid address: " + address); + } + + lock.readLock().lock(); + try { + sectionsMap.checkIsInSection(address, isZeroSized); + } catch (IllegalArgumentException e) { + return reportError(e); + } finally { + lock.readLock().unlock(); + } + return true; + } + + public boolean onReallocatedMemory(long oldAddress, long newAddress, long newBytesCount) { + // `Unsafe.reallocateMemory` says result address will be zero if the size is zero + if (newAddress == 0 && newBytesCount == 0) { + return tryFreeMemory(oldAddress, false) || reportError("Failed freeing memory at address " + oldAddress); + } + + lock.writeLock().lock(); + try { + sectionsMap.moveSection(oldAddress, newAddress, newBytesCount); + } catch (IllegalArgumentException e) { + return reportError(e); + } finally { + lock.writeLock().unlock(); + } + return true; + } + + /** + * @param isDirectBufferCleaner + * whether this is called by the direct {@link java.nio.ByteBuffer} cleaner + * + * @return true if memory could be freed at the given address, false otherwise; + * does not throw an error if freeing memory failed + */ + public boolean tryFreeMemory(long address, boolean isDirectBufferCleaner) { + if (address == 0) { + return true; + } + if (address < 0) { + return false; + } + + lock.writeLock().lock(); + try { + if (!isDirectBufferCleaner && directBufferAddresses.contains(address)) { + // Don't permit manually freeing memory of direct ByteBuffer because its cleaner would be + // unaware of it, and would perform double free when executed on garbage collection + return reportError("Trying to manually free memory of direct ByteBuffer at address " + address); + } + if (isDirectBufferCleaner && !directBufferAddresses.remove(address)) { + // If call is by direct ByteBuffer cleaner but buffer address is unknown, then either it was not + // tracked by this tracker, or 
buffer had been allocated before sanitizer was installed (e.g. by JDK); + // no need to try removing section + return false; + } + return sectionsMap.tryRemoveSection(address); + } finally { + lock.writeLock().unlock(); + } + } + + public boolean onAccess(long address, long bytesCount, boolean isRead) { + if (address <= 0) { + return reportError("Invalid address: " + address); + } else if (!verifyValidBytesCount(bytesCount)) { + return false; + } + + lock.readLock().lock(); + try { + sectionsMap.performAccess(address, bytesCount, isRead); + } catch (IllegalArgumentException e) { + return reportError(e); + } finally { + lock.readLock().unlock(); + } + return true; + } + + public boolean onCopy(long srcAddress, long destAddress, long bytesCount) { + if (srcAddress <= 0) { + return reportError("Invalid srcAddress: " + srcAddress); + } else if (destAddress <= 0) { + return reportError("Invalid destAddress: " + destAddress); + } else if (!verifyValidBytesCount(bytesCount)) { + return false; + } + + if (bytesCount == 0) { + // Allow address to be right behind section ('exclusive end address') since copy size is 0 + boolean isZeroSized = true; + return verifyValidAddress(srcAddress, isZeroSized) && verifyValidAddress(destAddress, isZeroSized); + } + + lock.writeLock().lock(); + try { + sectionsMap.performCopyAccess(srcAddress, destAddress, bytesCount); + } catch (IllegalArgumentException e) { + return reportError(e); + } finally { + lock.writeLock().unlock(); + } + return true; + } + + public boolean hasAllocations() { + lock.readLock().lock(); + try { + return !sectionsMap.isEmpty(); + } finally { + lock.readLock().unlock(); + } + } + + /** + * @param clearSections + * whether to clear all sections after checking; this only clears the sections from the map, it does + * not try to free the memory + */ + public void checkEverythingFreed(boolean clearSections) { + lock.readLock().lock(); + try { + var sections = sectionsMap.getAllSections(); + if (clearSections) { + 
sectionsMap.clearAllSections(); + directBufferAddresses.clear(); + } + if (!sections.isEmpty()) { + throw new IllegalStateException("Still contains the following sections: " + sections); + } + } finally { + lock.readLock().unlock(); + } + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MethodCallDebugLogger.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MethodCallDebugLogger.java new file mode 100644 index 0000000..1311ab9 --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/MethodCallDebugLogger.java 
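Review bot: `checkEverythingFreed` takes `lock.readLock()` but, when `clearSections` is true, calls `sectionsMap.clearAllSections()` and `directBufferAddresses.clear()`, which rewrite the unsynchronized backing arrays while other threads may hold the same read lock in `verifyValidAddress` or `onAccess`. That can corrupt the tracker's view of allocated memory and produce missed or spurious reports; the method should use the write lock, i.e. `lock.writeLock().lock();` with `lock.writeLock().unlock();` in the `finally`. `onAccess` raises a related question: it holds only the read lock while `performAccess` calls `uninitializedMemoryTracker.setInitialized(...)` for writes, which is safe only if `UninitializedMemoryTracker` synchronizes internally, and that class is not part of this hunk.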
@@ -0,0 +1,122 @@
+package marcono1234.unsafe_sanitizer.agent_impl;
+
+import java.lang.invoke.MethodType;
+import java.lang.reflect.Array;
+import java.nio.ByteBuffer;
+import java.util.HexFormat;
+import java.util.Objects;
+
+import static marcono1234.unsafe_sanitizer.agent_impl.DirectByteBufferHelper.DEALLOCATOR_CLASS_NAME;
+
+/**
+ * Injected into transformed classes by the agent to log method calls.
+ */
+public class MethodCallDebugLogger {
+ private MethodCallDebugLogger() {}
+
+ static volatile boolean isEnabled = false;
+
+ private static String formatChar(char c) {
+ if (c == '"' || c == '\'' || c == '\\') {
+ return "\\" + c;
+ }
+ if (c < 0x20 || c >= 127) {
+ return "\\u" + HexFormat.of().toHexDigits(c);
+ } else {
+ return Character.toString(c);
+ }
+ }
+
+ private static String formatValue(Object obj) {
+ if (obj != null && obj.getClass().isArray()) {
+ int length = Array.getLength(obj);
+ return obj.getClass().getComponentType().getName() + "[length=" + length + "]";
+ } else if (obj instanceof Character c) {
+ return "'" + formatChar(c) + "'";
+ } else if (obj instanceof CharSequence charSequence) {
+ String s = charSequence.toString();
+ StringBuilder stringBuilder = new StringBuilder(s.length());
+ stringBuilder.append('"');
+ for (char c : s.toCharArray()) {
+ stringBuilder.append(formatChar(c));
+ }
+ return stringBuilder.append('"').toString();
+ } else {
+ return Objects.toString(obj);
+ }
+ }
+
+ // Note: This is split into `onMethodEnter` and `onMethodExit` (instead of only logging on exit) to make
+ // troubleshooting JVM crashes either (depending on ErrorAction) by already printing which method was called
+ // before the JVM crashes
+ public static void onMethodEnter(
+ String declaringClassName,
+ String methodName,
+ Object this_,
+ Object[] arguments
+ ) {
+ if (!isEnabled) {
+ return;
+ }
+
+ StringBuilder message = new StringBuilder("[DEBUG] ");
+ // Append class name without package name
+ message.append(declaringClassName, declaringClassName.lastIndexOf('.') + 1, declaringClassName.length());
+
+ if (this_ != null && this_.getClass().getName().equals(DEALLOCATOR_CLASS_NAME)) {
+ long deallocatorAddress = DirectByteBufferHelper.getDeallocatorAddress((Runnable) this_);
+ message.append("[address=").append(deallocatorAddress).append(']');
+ }
+
+ message.append('.').append(methodName).append('(');
+
+ boolean isFirst = true;
+ for (Object arg : arguments) {
+ if (isFirst) {
+ isFirst = false;
+ } else {
+ message.append(", ");
+ }
+ message.append(formatValue(arg));
+ }
+ message.append(')');
+
+ // Only use `print` here instead of `println`; the remainder is appended by `onMethodExit`
+ // This avoids duplicating the message in `onMethodExit`, but could cause corrupted output if a different
+ // thread concurrently prints to System.out, or if System.err and System.out are merged on the console
+ System.out.print(message.toString());
+ // Flush output to make sure users can see it in the console, even if the JVM crashes soon afterwards
+ System.out.flush();
+ }
+
+ public static void onMethodExit(
+ MethodType methodType,
+ Object result,
+ Throwable thrown
+ ) {
+ if (!isEnabled) {
+ return;
+ }
+
+ // Prints the remainder for the message started in `onMethodEnter`
+ String remainder;
+ if (thrown != null) {
+ remainder = " = ";
+ } else if (methodType.returnType() != void.class) {
+ remainder = " = ";
+
+ // Special case for DirectByteBuffer to include its address in the output
+ if (result instanceof ByteBuffer byteBuffer && byteBuffer.isDirect()) {
+ long address = DirectByteBufferHelper.getAddress(byteBuffer);
+ remainder += "DirectByteBuffer[address=" + address + "]";
+ } else {
+ remainder += formatValue(result);
+ }
+ } else {
+ remainder = "";
+ }
+ System.out.println(remainder);
+ // Flush output to make sure users can see it in the console, even if the JVM crashes soon afterwards
+ System.out.flush();
+ }
+}
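Review bot: `formatValue` ends in `Objects.toString(obj)`, so with debug logging enabled the injected `onMethodEnter`/`onMethodExit` hooks run the `toString()` of whatever object is passed to or returned from the instrumented method (and `charSequence.toString()` for any `CharSequence` implementation). That is arbitrary application code executing inside the sanitizer hook: it can throw, be slow, or write object state to the console that the caller never meant to log, and whether an exception from it is suppressed depends on advice configuration that is not visible in this hunk. I would keep `Objects.toString` for `null`, `Number` and `Boolean` and otherwise print an identity form, `return obj.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(obj));`. Separately, the comment above `onMethodEnter` should read "easier" instead of "either".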
diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UninitializedMemoryTracker.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UninitializedMemoryTracker.java new file mode 100644 index 0000000..53ddfb8 --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UninitializedMemoryTracker.java @@ -0,0 +1,434 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import org.jetbrains.annotations.VisibleForTesting; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +/** + * Tracks whether memory allocated with {@link sun.misc.Unsafe#allocateMemory(long)} and + * {@link sun.misc.Unsafe#reallocateMemory(long, long)} is read before data has been written there, and it + * is therefore uninitialized, containing arbitrary data. + * + *

This does not track whether memory sections exist or where they end. Therefore it should only be used + * after {@link MemorySectionMap} verified that the access is within an existing memory section. + */ +class UninitializedMemoryTracker { + /* + * Implementation note: + * Because this class is intended to be used in combination with `MemorySectionMap` it does not have + * to track boundaries of sections. Instead it merges adjacent and overlapping sections. This reduces + * memory usage and allows initialized memory checks to be performed by only checking if there is one + * initialized section large enough for the access, and not having to check multiple sections. + */ + + @VisibleForTesting + static final int INITIAL_CAPACITY = 1024; + + /** + * Acts as 'key' array with the first {@link #count} entries being keys, and the entries at + * the same index in {@link #sizes} being their values. + * This array is sorted. + */ + private long[] addresses; + private long[] sizes; + private int count; + + public UninitializedMemoryTracker() { + addresses = new long[INITIAL_CAPACITY]; + sizes = new long[INITIAL_CAPACITY]; + count = 0; + } + + private static void checkAddress(long address) { + if (address < 0) { + throw new IllegalArgumentException("Invalid address: " + address); + } + } + + private static void checkBytesCount(long bytesCount) { + if (bytesCount <= 0) { + throw new IllegalArgumentException("Invalid bytes count: " + bytesCount); + } + } + + private void enlargeExistingSection(int index, long address, long newBytesCount) { + // Simple case for enlarging last section + if (index == count - 1) { + sizes[index] = newBytesCount; + return; + } + + long endAddress = Math.addExact(address, newBytesCount); + // End index (inclusive) of existing sections which should be merged with the new one + int endIndex = Arrays.binarySearch(addresses, index + 1, count, endAddress); + + if (endIndex >= 0) { + // Merge with adjacent section + newBytesCount = 
Math.addExact(newBytesCount, sizes[endIndex]); + } else { + endIndex = -(endIndex + 1); + endIndex--; // check the previous section + if (endIndex > index) { + long previousAddress = addresses[endIndex]; + long previousSize = sizes[endIndex]; + long previousEndAddress = Math.addExact(previousAddress, previousSize); + + // Check if new section has to be extended + if (previousEndAddress > endAddress) { + newBytesCount = Math.addExact(newBytesCount, previousEndAddress - endAddress); + } + } + } + + sizes[index] = newBytesCount; + + // Check if there is no need to merge or remove subsequent sections + if (index == endIndex) { + return; + } + + // Remove merged sections by shifting subsequent sections + int shiftCount = count - endIndex - 1; + if (shiftCount > 0) { + int shiftIndex = endIndex + 1; + System.arraycopy(addresses, shiftIndex, addresses, index + 1, shiftCount); + System.arraycopy(sizes, shiftIndex, sizes, index + 1, shiftCount); + } + count -= (endIndex - index); + checkReduceCapacity(); + } + + private void checkIncreaseCapacity() { + if (count >= addresses.length) { + int newCapacity = count * 2; + addresses = Arrays.copyOf(addresses, newCapacity); + sizes = Arrays.copyOf(sizes, newCapacity); + } + } + + private void checkReduceCapacity() { + // Check if arrays should be shrunken + int newCapacity = addresses.length / 2; + if (count * 4 < addresses.length && newCapacity >= INITIAL_CAPACITY) { + addresses = Arrays.copyOf(addresses, newCapacity); + sizes = Arrays.copyOf(sizes, newCapacity); + } + } + + /** + * Prepend new section at {@code index}. 
+ */ + private void insertNewSection(int index, long address, long bytesCount) { + // Simply case for appending section + if (index == count) { + checkIncreaseCapacity(); + addresses[index] = address; + sizes[index] = bytesCount; + count++; + return; + } + + long endAddress = Math.addExact(address, bytesCount); + // End index (inclusive) of existing sections which should be merged with the new one + int endIndex = Arrays.binarySearch(addresses, index, count, endAddress); + + if (endIndex >= 0) { + // Merge with adjacent section + bytesCount = Math.addExact(bytesCount, sizes[endIndex]); + } else { + endIndex = -(endIndex + 1); + endIndex--; // check the previous section + if (endIndex >= index) { + long previousAddress = addresses[endIndex]; + long previousSize = sizes[endIndex]; + long previousEndAddress = Math.addExact(previousAddress, previousSize); + + // Check if new section has to be extended + if (previousEndAddress > endAddress) { + bytesCount = Math.addExact(bytesCount, previousEndAddress - endAddress); + } + } + } + + int removeCount = endIndex - index; + assert removeCount >= -1; + // Insert new section + if (removeCount == -1) { + checkIncreaseCapacity(); + + // Shift subsequent sections + int shiftCount = count - index; + System.arraycopy(addresses, index, addresses, index + 1, shiftCount); + System.arraycopy(sizes, index, sizes, index + 1, shiftCount); + } + // Remove merged sections by shifting subsequent sections + else if (removeCount > 0) { + int shiftCount = count - endIndex - 1; + if (shiftCount > 0) { + int shiftIndex = endIndex + 1; + System.arraycopy(addresses, shiftIndex, addresses, index + 1, shiftCount); + System.arraycopy(sizes, shiftIndex, sizes, index + 1, shiftCount); + } + } + // Otherwise just overwrite existing section + + addresses[index] = address; + sizes[index] = bytesCount; + count -= removeCount; + checkReduceCapacity(); + } + + public void setInitialized(long address, long bytesCount) { + checkAddress(address); + 
checkBytesCount(bytesCount); + + int startIndex = Arrays.binarySearch(addresses, 0, count, address); + if (startIndex >= 0) { + long size = sizes[startIndex]; + // Only enlarge existing section if it is smaller + if (size < bytesCount) { + enlargeExistingSection(startIndex, address, bytesCount); + } + return; + } + + startIndex = -(startIndex + 1); + if (startIndex == 0) { + insertNewSection(startIndex, address, bytesCount); + return; + } + + int previousIndex = startIndex - 1; + long previousAddress = addresses[previousIndex]; + long previousSize = sizes[previousIndex]; + // Check if previous section is adjacent or overlaps + // Overflow-safe variant of `previousAddress + previousSize >= address` + if (previousAddress >= address - previousSize) { + // Enlarge the previous section + long newSize = Math.addExact(address - previousAddress, bytesCount); + if (newSize > previousSize) { + enlargeExistingSection(previousIndex, previousAddress, newSize); + } + } else { + insertNewSection(startIndex, address, bytesCount); + } + } + + public void copyInitialized(long srcAddress, long destAddress, long bytesCount) { + checkAddress(srcAddress); + checkAddress(destAddress); + checkBytesCount(bytesCount); + + // First determine all new sections, then perform changes + // This allows overlapping copies; otherwise would erroneously consider section initialized + // which was just copied there during the copy (and same for uninitialized) + // TODO: ^ does Unsafe.copyMemory officially support overlapping copying? + List

newSections = new ArrayList<>(); + + long endAddress = Math.addExact(srcAddress, bytesCount); + int startIndex = Arrays.binarySearch(addresses, 0, count, srcAddress); + if (startIndex < 0) { + startIndex = -(startIndex + 1); + int previousIndex = startIndex - 1; + if (previousIndex >= 0) { + long previousEndAddress = Math.addExact(addresses[previousIndex], sizes[previousIndex]); + long copyCount = previousEndAddress - srcAddress; + + if (copyCount >= bytesCount) { + // Previous section encloses complete copy source region; simply set destination as initialized + setInitialized(destAddress, bytesCount); + return; + } + // Check if remainder of previous section should be copied + else if (copyCount > 0) { + newSections.add(new Section(destAddress, copyCount)); + } + } + } + + int endIndex = Arrays.binarySearch(addresses, startIndex, count, endAddress); + if (endIndex < 0) { + endIndex = -(endIndex + 1); + + int previousIndex = endIndex - 1; + // Don't check previous in front of `startIndex`; that has already been checked above + if (previousIndex >= startIndex) { + long previousAddress = addresses[previousIndex]; + long previousEndAddress = Math.addExact(previousAddress, sizes[previousIndex]); + if (previousEndAddress > endAddress) { + // Only copy beginning of last section + long copyDestAddress = Math.addExact(destAddress, previousAddress - srcAddress); + long copyCount = endAddress - previousAddress; + newSections.add(new Section(copyDestAddress, copyCount)); + // Exclude last section + endIndex--; + } + } + } + + for (int i = startIndex; i < endIndex; i++) { + long copyDestAddress = Math.addExact(destAddress, addresses[i] - srcAddress); + newSections.add(new Section(copyDestAddress, sizes[i])); + } + + // Clear all initialized sections from destination because copying will also copy over uninitialized + // sections (i.e. 
areas not in `newSections`); then afterwards set initialized areas from `newSections` + clearInitialized(destAddress, bytesCount); + + for (Section newSection : newSections) { + setInitialized(newSection.address, newSection.bytesCount); + } + } + + /** + * Moves data from one region to another (potentially overlapping) region, which can be smaller or + * larger than the original region. + */ + public void moveInitialized(long srcAddress, long srcBytesCount, long destAddress, long destBytesCount) { + checkAddress(srcAddress); + checkBytesCount(srcBytesCount); + checkAddress(destAddress); + checkBytesCount(destBytesCount); + + long copyCount = Math.min(srcBytesCount, destBytesCount); + copyInitialized(srcAddress, destAddress, copyCount); + + // Then clear areas of source region which are not inside of dest region + long srcEndAddress = Math.addExact(srcAddress, srcBytesCount); + long copyEndAddress = Math.addExact(destAddress, copyCount); + + if (srcEndAddress <= destAddress || copyEndAddress <= srcAddress) { + // No overlap, clear complete source region + clearInitialized(srcAddress, srcBytesCount); + } else { + long prefixCount = destAddress - srcAddress; + if (prefixCount > 0) { + clearInitialized(srcAddress, prefixCount); + } + + long suffixCount = srcEndAddress - copyEndAddress; + if (suffixCount > 0) { + clearInitialized(copyEndAddress, suffixCount); + } + } + } + + public void clearInitialized(long address, long bytesCount) { + checkAddress(address); + checkBytesCount(bytesCount); + + long endAddress = Math.addExact(address, bytesCount); + + int startIndex = Arrays.binarySearch(addresses, 0, count, address); + if (startIndex < 0) { + startIndex = -(startIndex + 1); + + int previousIndex = startIndex - 1; + if (previousIndex >= 0) { + long previousAddress = addresses[previousIndex]; + long previousSize = sizes[previousIndex]; + long previousEndAddress = Math.addExact(previousAddress, previousSize); + + // Shorten previous size + if (previousEndAddress >= 
address) { + long leadingSectionSize = previousSize - (previousEndAddress - address); + sizes[previousIndex] = leadingSectionSize; + } + + long trailingSectionSize = previousEndAddress - endAddress; + + if (trailingSectionSize <= 0) { + if (startIndex >= count) { + // There is no subsequent section + return; + } + } else { + // Add remainder of previous section which is not cleared + setInitialized(endAddress, trailingSectionSize); + return; + } + } + } + + // End index (inclusive) of existing sections which should be removed + // Note: Begin at `startIndex` (instead of `startIndex + 1`) to check if section at `address` (if any) has to + // be cut instead of being removed completely + int endIndex = Arrays.binarySearch(addresses, startIndex, count, endAddress); + if (endIndex >= 0) { + // Don't remove section at `endIndex` which is adjacent; it will be unaffected by clearing + endIndex--; + } else { + endIndex = -(endIndex + 1); + endIndex--; // check previous section + + if (endIndex >= 0) { + long previousAddress = addresses[endIndex]; + long previousSize = sizes[endIndex]; + long previousEndAddress = Math.addExact(previousAddress, previousSize); + + if (previousEndAddress > endAddress) { + // Shorten & shift previous section + addresses[endIndex] = endAddress; + sizes[endIndex] = previousEndAddress - endAddress; + // Don't remove section at `endIndex` + endIndex--; + } + } + } + + int removeCount = endIndex - startIndex + 1; + if (removeCount > 0) { + // Remove sections by shifting subsequent sections + int shiftCount = count - endIndex - 1; + if (shiftCount > 0) { + int shiftIndex = endIndex + 1; + System.arraycopy(addresses, shiftIndex, addresses, startIndex, shiftCount); + System.arraycopy(sizes, shiftIndex, sizes, startIndex, shiftCount); + } + } + count -= removeCount; + checkReduceCapacity(); + } + + public boolean isInitialized(long address, long bytesCount) { + checkAddress(address); + checkBytesCount(bytesCount); + + int index = 
Arrays.binarySearch(addresses, 0, count, address); + // Section starts at same address, only need to compare sizes + if (index >= 0) { + long size = sizes[index]; + return size >= bytesCount; + } + // Otherwise need to check size of section which starts before the address + else { + index = -(index + 1); + if (index == 0) { + // Access occurred in front of first section (if any) + return false; + } + + long previousAddress = addresses[index - 1]; + long previousSize = sizes[index - 1]; + // Overflow-safe variant of `previousAddress + previousSize >= address + bytesCount` + return previousAddress - bytesCount >= address - previousSize; + } + } + + public record Section(long address, long bytesCount) {} + + public List
getAllInitializedSections() { + List
sections = new ArrayList<>(); + for (int i = 0; i < count; i++) { + sections.add(new Section(addresses[i], sizes[i])); + } + return sections; + } + + @Override + public String toString() { + return getAllInitializedSections().toString(); + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UnsafeAccess.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UnsafeAccess.java new file mode 100644 index 0000000..8995e12 --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UnsafeAccess.java @@ -0,0 +1,22 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import sun.misc.Unsafe; + +/** + * Exposes an instance of {@link Unsafe} through {@link #unsafe}. + */ +class UnsafeAccess { + private UnsafeAccess() { + } + + public static final Unsafe unsafe; + static { + try { + var field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new IllegalStateException("Failed getting Unsafe", e); + } + } +} diff --git a/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UnsafeSanitizerImpl.java b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UnsafeSanitizerImpl.java new file mode 100644 index 0000000..8ac9413 --- /dev/null +++ b/agent-impl/src/main/java/marcono1234/unsafe_sanitizer/agent_impl/UnsafeSanitizerImpl.java 
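Review bot: The fast paths in `enlargeExistingSection` (`index == count - 1`) and `insertNewSection` (`index == count`) of UninitializedMemoryTracker store the size and return before the `Math.addExact(address, ...)` call, so a section whose end address overflows `long` is accepted when it is the last section but rejected on every other path. Where it is rejected the exception is `ArithmeticException`, while `checkAddress`/`checkBytesCount` throw `IllegalArgumentException`; the `catch (IllegalArgumentException e)` blocks in `MemoryTracker.onAccess`/`onCopy` would not turn it into `reportError` if it propagates that far (presumably `MemorySectionMap` has already bounded the range, but that is not visible here). I would validate the range once in the public entry points, right after `checkBytesCount`, with `if (bytesCount > Long.MAX_VALUE - address) throw new IllegalArgumentException("Invalid address range: " + address + " + " + bytesCount);`. The Javadoc on `insertNewSection` says "Prepend" although the method inserts at `index`, and "Simply case" should be "Simple case".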
@@ -0,0 +1,399 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import org.jetbrains.annotations.Nullable; +import org.jetbrains.annotations.VisibleForTesting; + +import java.util.Iterator; +import java.util.Objects; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.atomic.AtomicReference; + +import static marcono1234.unsafe_sanitizer.agent_impl.BadMemoryAccessError.reportError; + +/** + * Actual implementation of the sanitizer, providing the methods used by the public API. + */ +public class UnsafeSanitizerImpl { + private UnsafeSanitizerImpl() {} + + private static class ScopedData { + // Technically this does not have to be `AtomicReference` since ScopedData is thread-local, but + // having it as `AtomicReference` allows it to be used with `getLastErrorRef()` + final AtomicReference lastError = new AtomicReference<>(null); + /** Memory tracker in this scope; might be {@code null} if no native memory tracking should be performed */ + @Nullable + final MemoryTracker memoryTracker; + + public ScopedData(@Nullable MemoryTracker memoryTracker) { + this.memoryTracker = memoryTracker; + } + } + + /** Contains {@code null} if scoped tracking has not been used yet */ + private static final AtomicReference> scopedData = new AtomicReference<>(null); + + private static final AtomicReference lastError = new AtomicReference<>(null); + private static volatile AgentErrorAction errorAction = AgentErrorAction.THROW; + private static volatile boolean isRequireInitializedOnCopy = false; + + private static volatile boolean isTrackingUninitializedMemory = true; + /** Global native memory tracker, {@code null} if global tracking is disabled */ + @Nullable + private static volatile MemoryTracker memoryTracker = new MemoryTracker(); + private static final Set activeScopedMemoryTrackers = ConcurrentHashMap.newKeySet(); + /** Scoped memory trackers which are not used anymore, but which still have allocations */ + private static 
final Set staleScopedMemoryTrackers = ConcurrentHashMap.newKeySet(); + + private static final FieldAccessSanitizer fieldAccessSanitizer = new FieldAccessSanitizer(); + + @Nullable + private static ScopedData getScopedData() { + var scopedData = UnsafeSanitizerImpl.scopedData.get(); + if (scopedData != null) { + var data = scopedData.get(); + if (data != null) { + return data; + } else { + // Clear `null` ThreadLocal entry again, see also https://bugs.openjdk.org/browse/JDK-6630585 + scopedData.remove(); + } + } + return null; + } + + @Nullable + private static MemoryTracker getMemoryTracker() { + var scopedData = getScopedData(); + if (scopedData != null) { + return scopedData.memoryTracker; + } + return memoryTracker; + } + + /** + * Whether the instrumented method should be executed in case of an error, or not and + * its execution should be skipped (e.g. to prevent a JVM crash). + * + *

See {@link AgentErrorAction#executeOnError} + */ + static boolean executeOnError() { + return errorAction.executeOnError; + } + + public static void setErrorAction(AgentErrorAction errorAction) { + UnsafeSanitizerImpl.errorAction = Objects.requireNonNull(errorAction); + } + + public static AgentErrorAction getErrorAction() { + return errorAction; + } + + public static void setIsDebugLogging(boolean isDebugLogging) { + MethodCallDebugLogger.isEnabled = isDebugLogging; + } + + static AtomicReference getLastErrorRefImpl() { + var scopedData = getScopedData(); + if (scopedData != null) { + return scopedData.lastError; + } + + return lastError; + } + + /** + * Returns a reference to the last error. This reference should only be used to retrieving or clearing + * the last error. The {@link AtomicReference} should not be stored somewhere. + */ + // Note: Don't expose `BadMemoryAccessError` as return type since it cannot be used in public API anyway + // since users won't have access to it + public static AtomicReference getLastErrorRef() { + return getLastErrorRefImpl(); + } + + // TODO: Add corresponding method in public `UnsafeSanitizer` + /** + * Sets whether for copying native memory to native memory the source must be fully initialized. + * If {@code true}, the source must be fully initialized, if {@code false} this is not required + * and uninitialized sections are copied to the destination. + * + *

If enabled it allows detecting potential subsequent uninitialized memory access in advance, + * however risking that there are false positives if there would not actually be any uninitialized + * read access later on. + */ + public static void setIsRequireInitializedOnCopy(boolean requireInitialized) { + isRequireInitializedOnCopy = requireInitialized; + } + + // No method for enabling this again because otherwise could lead to spurious errors for memory + // which was allocated while sanitizer was disabled + public static void disableNativeMemorySanitizer() { + memoryTracker = null; + } + + private static void enableUninitializedMemoryTracking() { + isTrackingUninitializedMemory = true; + var memoryTracker = getMemoryTracker(); + if (memoryTracker != null) { + memoryTracker.enableUninitializedMemoryTracking(); + } + } + + public static void disableUninitializedMemoryTracking() { + isTrackingUninitializedMemory = false; + var memoryTracker = getMemoryTracker(); + if (memoryTracker != null) { + memoryTracker.disableUninitializedMemoryTracking(); + } + } + + @FunctionalInterface + public interface ThrowingRunnable { + void run() throws E; + } + + // Only for testing; otherwise when enabling uninitialized tracking it could lead to spurious errors for memory + // which was initialized before this was enabled + @VisibleForTesting + public static void withUninitializedMemoryTracking(boolean enabled, ThrowingRunnable runnable) throws E { + boolean wasEnabled = isTrackingUninitializedMemory; + if (enabled) { + enableUninitializedMemoryTracking(); + } else { + disableUninitializedMemoryTracking(); + } + + try { + runnable.run(); + } finally { + if (wasEnabled) { + enableUninitializedMemoryTracking(); + } else { + disableUninitializedMemoryTracking(); + } + } + } + + /** + * @param trackUninitialized + * Whether uninitialized memory should be tracked. {@code null} if the global setting + * should be inherited. 
+ */ + public static void withScopedNativeMemoryTracking(@Nullable Boolean trackUninitialized, ThrowingRunnable runnable) throws IllegalStateException, E { + Objects.requireNonNull(runnable); + // Note: Don't use `ThreadLocal.withInitial` here to allow calling `ThreadLocal.get` for peeking + // in `getScopedData()` without directly creating instance + var threadLocalData = UnsafeSanitizerImpl.scopedData.updateAndGet(old -> old != null ? old : new ThreadLocal<>()); + + var data = threadLocalData.get(); + if (data != null) { + throw new IllegalStateException("Scope is already active; cannot nest scopes"); + } + + var tracker = new MemoryTracker(); + if (trackUninitialized == null && !isTrackingUninitializedMemory || Boolean.FALSE.equals(trackUninitialized)) { + tracker.disableUninitializedMemoryTracking(); + } + activeScopedMemoryTrackers.add(tracker); + + data = new ScopedData(tracker); + threadLocalData.set(data); + + try { + runnable.run(); + + // Only check for last error if runnable did not throw any error or exception, and only + // if error action is `AgentErrorAction.THROW` + var error = getLastErrorRefImpl().getAndSet(null); + if (errorAction == AgentErrorAction.THROW && error != null) { + throw new IllegalStateException("Unhandled bad memory access error", error); + } + } finally { + threadLocalData.remove(); + + if (tracker.hasAllocations()) { + staleScopedMemoryTrackers.add(tracker); + } + // Remove afterwards to avoid situation where tracker is in neither of the sets + activeScopedMemoryTrackers.remove(tracker); + } + } + + // These methods return `true` if the method should be executed, and `false` if it should be skipped + + public static boolean verifyCanReallocate(long address) { + var memoryTracker = getMemoryTracker(); + return memoryTracker == null + || memoryTracker.verifyCanReallocate(address); + } + + public static boolean verifyValidMemoryAddress(long address) { + var memoryTracker = getMemoryTracker(); + // 
`Unsafe#putAddress(java.lang.Object, long, long)` says "or does not point *into* a block"; + // the "into" sounds like an address representing an 'exclusive end address' (= offset + size) is not valid + boolean isZeroSized = false; + return memoryTracker == null + || memoryTracker.verifyValidAddress(address, isZeroSized); + } + + public static boolean verifyValidAllocationBytesCount(long bytesCount) { + return MemoryTracker.verifyValidBytesCount(bytesCount); + } + + private static boolean onAllocatedMemory(long address, long bytesCount, boolean trackUninitialized, boolean isDirectBuffer) { + var memoryTracker = getMemoryTracker(); + return memoryTracker == null + || memoryTracker.onAllocatedMemory(address, bytesCount, trackUninitialized, isDirectBuffer); + } + + public static boolean onAllocatedMemory(long address, long bytesCount, boolean trackUninitialized) { + return onAllocatedMemory(address, bytesCount, trackUninitialized, false); + } + + public static boolean onAllocatedDirectBuffer(long address, long bytesCount) { + // `ByteBuffer.allocateDirect` creates fully initialized memory; no need to track it + boolean trackUninitialized = false; + return onAllocatedMemory(address, bytesCount, trackUninitialized, true); + } + + public static boolean onReallocatedMemory(long oldAddress, long newAddress, long newBytesCount) { + var memoryTracker = getMemoryTracker(); + return memoryTracker == null + || memoryTracker.onReallocatedMemory(oldAddress, newAddress, newBytesCount); + } + + private static boolean freeMemory(long address, boolean isDirectBufferCleaner) { + // The following allows freeing memory of other scopes if there is no current scope; this covers the + // case where a cleaner thread frees the memory after garbage collection + + var globalMemoryTracker = UnsafeSanitizerImpl.memoryTracker; + var memoryTracker = getMemoryTracker(); + if (memoryTracker != null) { + if (memoryTracker.tryFreeMemory(address, isDirectBufferCleaner)) { + return true; + } + // If 
there is a tracker for the current scope (which is not the global tracker), it must have been + // able to free the memory; cannot free memory of other scope + else if (memoryTracker != globalMemoryTracker) { + return reportError("Cannot free at address " + address); + } + } + + // The following handles freeing locally scoped memory from the global scope + + for (MemoryTracker tracker : activeScopedMemoryTrackers) { + if (tracker.tryFreeMemory(address, isDirectBufferCleaner)) { + return true; + } + } + + Iterator staleTrackers = staleScopedMemoryTrackers.iterator(); + while (staleTrackers.hasNext()) { + var tracker = staleTrackers.next(); + + if (tracker.tryFreeMemory(address, isDirectBufferCleaner)) { + // If tracker has no more allocations remove it from stale trackers set + if (!tracker.hasAllocations()) { + staleTrackers.remove(); + } + return true; + } + } + + if (globalMemoryTracker == null) { + // Assume that allocation had not been tracked + return true; + } else if (isDirectBufferCleaner) { + // If call is by direct ByteBuffer cleaner but freeing failed, assume that buffer had been allocated + // before sanitizer was installed (e.g. 
by JDK) + // This will likely occur because interceptor sees cleaner calls for both JDK- and user-allocated + // direct ByteBuffers (unlike for Unsafe usage where only the 'public' Unsafe class is intercepted, but + // not the JDK-internal one) + return true; + } else { + return reportError("Cannot free at address " + address); + } + } + + public static boolean freeMemory(long address) { + return freeMemory(address, false); + } + + public static boolean freeDirectBufferMemory(long address) { + return freeMemory(address, true); + } + + public static boolean onReadAccess(@Nullable Object obj, long address, MemorySize size) { + return onAccess(obj, address, size, true, null); + } + + public static boolean onWriteAccess(@Nullable Object obj, long address, MemorySize size, @Nullable Object writtenObject) { + return onAccess(obj, address, size, false, writtenObject); + } + + private static boolean onAccess(@Nullable Object obj, long address, MemorySize size, boolean isRead, @Nullable Object writtenObject) { + // `writtenObject` may only be non-null if this is a write of an Object value + assert writtenObject == null || (!isRead && size == MemorySize.OBJECT); + + if (obj == null) { + var memoryTracker = getMemoryTracker(); + return memoryTracker == null + || memoryTracker.onAccess(address, size.getBytesCount(), isRead); + } else if (obj.getClass().isArray()) { + return ArrayAccessSanitizer.onAccess(obj, address, size, writtenObject); + } else { + return fieldAccessSanitizer.checkAccess(obj, address, size, writtenObject); + } + } + + public static boolean onReadAccess(@Nullable Object obj, long address, long bytesCount) { + return onAccess(obj, address, bytesCount, true); + } + + public static boolean onWriteAccess(@Nullable Object obj, long address, long bytesCount) { + return onAccess(obj, address, bytesCount, false); + } + + private static boolean onAccess(@Nullable Object obj, long address, long bytesCount, boolean isRead) { + if (obj == null) { + var memoryTracker = 
getMemoryTracker(); + return memoryTracker == null + || memoryTracker.onAccess(address, bytesCount, isRead); + } else if (obj.getClass().isArray() && obj.getClass().getComponentType().isPrimitive()) { + return ArrayAccessSanitizer.onAccess(obj, address, bytesCount); + } else { + // `jdk.internal.misc.Unsafe` requires for `setMemory` and `copyMemory` that obj is primitive array + return reportError("Unsupported class " + obj.getClass().getTypeName()); + } + } + + public static boolean onCopy(@Nullable Object srcObj, long srcAddress, @Nullable Object destObj, long destAddress, long bytesCount) { + // If `isRequireInitializedOnCopy` perform normal access checks further below, requiring that source + // is fully initialized + if (!isRequireInitializedOnCopy && srcObj == null && destObj == null) { + // Native to native memory copy; don't require that source is fully initialized, will just copy + // uninitialized sections to destination + var memoryTracker = getMemoryTracker(); + return memoryTracker == null + || memoryTracker.onCopy(srcAddress, destAddress, bytesCount); + } + // For native to non-native require that source is fully initialized, and for non-native to native assume + // that destination will be fully initialized afterwards + return onReadAccess(srcObj, srcAddress, bytesCount) && onWriteAccess(destObj, destAddress, bytesCount); + } + + /** + * @param forgetMemorySections + * whether to 'forget' all known memory sections after checking; this only clears the sections from the + * map, it does not try to free the memory + */ + public static void checkAllNativeMemoryFreed(boolean forgetMemorySections) throws IllegalStateException { + var memoryTracker = getMemoryTracker(); + if (memoryTracker == null) { + throw new IllegalStateException("Native memory sanitizer is not enabled"); + } else { + memoryTracker.checkEverythingFreed(forgetMemorySections); + } + } +} 
diff --git a/agent-impl/src/main/java/module-info.java b/agent-impl/src/main/java/module-info.java
new file mode 100644
index 0000000..1178a6c
--- /dev/null
+++ b/agent-impl/src/main/java/module-info.java
@@ -0,0 +1,13 @@
+// TODO: This seems to be ignored at the moment and classes are in unnamed module at runtime, maybe https://bugs.openjdk.org/browse/JDK-6932391?
+
+// This module exists so that instrumentation can open the `java.nio` package to it,
+// to allow `DirectByteBufferHelper` to work
+@SuppressWarnings({"module", "JavaModuleNaming"}) // suppress warnings about module name
+module marcono1234.unsafe_sanitizer.agent_impl {
+ // For `sun.misc.Unsafe`
+ requires jdk.unsupported;
+
+ requires org.jetbrains.annotations;
+
+ exports marcono1234.unsafe_sanitizer.agent_impl to marcono1234.unsafe_sanitizer;
+}
diff --git a/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/ArrayAccessSanitizerTest.java b/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/ArrayAccessSanitizerTest.java
new file mode 100644
index 0000000..c4e04ef
--- /dev/null
+++ b/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/ArrayAccessSanitizerTest.java
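Review bot: The TODO at the top of module-info.java says the descriptor is currently ignored and the agent classes end up in the unnamed module at runtime, which changes what the comment below it means. If instrumentation then opens `java.nio` to that unnamed module instead of to `marcono1234.unsafe_sanitizer.agent_impl`, every class in the same unnamed module gets deep reflective access to `java.nio`, not only `DirectByteBufferHelper`. The code that performs the open is not in this hunk, so this is inferred from the two comments. I would extend the comment to state the actual runtime scope, for example `// NOTE: until the TODO above is resolved, java.nio is effectively opened to the unnamed module the agent classes are loaded into`.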
@@ -0,0 +1,247 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.function.Executable; + +import static org.junit.jupiter.api.Assertions.*; +import static sun.misc.Unsafe.*; + +class ArrayAccessSanitizerTest { + @BeforeEach + void setUp() { + UnsafeSanitizerImpl.setErrorAction(AgentErrorAction.THROW); + } + + @AfterEach + void clearLastError() { + var lastError = UnsafeSanitizerImpl.getLastErrorRefImpl().getAndSet(null); + if (lastError != null) { + fail("Unexpected error", lastError); + } + } + + private static void assertThrows(Executable executable, String expectedMessage) { + var e = Assertions.assertThrows(BadMemoryAccessError.class, executable); + UnsafeSanitizerImpl.getLastErrorRefImpl().set(null); + assertEquals(expectedMessage, e.getMessage()); + } + + @Test + void onAccessMemorySize() { + Object a = new byte[8]; + long offset = ARRAY_BYTE_BASE_OFFSET; + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BOOLEAN)); + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_1)); + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_2)); + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_4)); + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_8)); + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.ADDRESS)); + + a = new long[1]; + offset = ARRAY_LONG_BASE_OFFSET; + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BOOLEAN)); + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_1)); + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_2)); + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_4)); + assertTrue(ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_8)); + assertTrue(ArrayAccessSanitizer.onAccess(a, 
offset, MemorySize.ADDRESS)); + + a = new Object[1]; + assertTrue(ArrayAccessSanitizer.onAccess(a, ARRAY_OBJECT_BASE_OFFSET, MemorySize.OBJECT)); + } + + @Test + void onAccessMemorySize_Error() { + { + var a = new byte[0]; + long offset = ARRAY_BYTE_BASE_OFFSET; + String expectedPrefix = "Bad array access at offset " + offset + ", size "; + String expectedSuffix = "; max offset is " + ARRAY_BYTE_BASE_OFFSET; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BOOLEAN), + expectedPrefix + MemorySize.BOOLEAN.getBytesCount() + expectedSuffix + ); + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_1), + expectedPrefix + MemorySize.BYTE_1.getBytesCount() + expectedSuffix + ); + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_2), + expectedPrefix + MemorySize.BYTE_2.getBytesCount() + expectedSuffix + ); + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_4), + expectedPrefix + MemorySize.BYTE_4.getBytesCount() + expectedSuffix + ); + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_8), + expectedPrefix + MemorySize.BYTE_8.getBytesCount() + expectedSuffix + ); + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, MemorySize.ADDRESS), + expectedPrefix + MemorySize.ADDRESS.getBytesCount() + expectedSuffix + ); + } + + { + var a = new byte[1]; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, -1, MemorySize.BYTE_1), + "Invalid offset: -1" + ); + } + + { + var a = new byte[1]; + // Not using base offset, assuming it is > 0 + assert ARRAY_BYTE_BASE_OFFSET > 0; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, 0, MemorySize.BYTE_1), + "Bad array access at offset 0; min offset is " + ARRAY_BYTE_BASE_OFFSET + ); + } + + { + var a = new byte[2]; + long offset = ARRAY_BYTE_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_2), + "Bad array access at 
offset " + offset + ", size " + MemorySize.BYTE_2.getBytesCount() + "; max offset is " + (ARRAY_BYTE_BASE_OFFSET + a.length * ARRAY_BYTE_INDEX_SCALE) + ); + } + + { + var a = new byte[60]; + // Trying to access Object from primitive array + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, ARRAY_BYTE_BASE_OFFSET, MemorySize.OBJECT), + "Using Object in the context of bytes" + ); + + // Only permitted if error throwing is disabled + UnsafeSanitizerImpl.setErrorAction(AgentErrorAction.NONE); + try { + ArrayAccessSanitizer.onAccess(a, ARRAY_BYTE_BASE_OFFSET, MemorySize.OBJECT); + BadMemoryAccessError error = UnsafeSanitizerImpl.getLastErrorRefImpl().getAndSet(null); + assertEquals("Using Object in the context of bytes", error.getMessage()); + } finally { + UnsafeSanitizerImpl.setErrorAction(AgentErrorAction.THROW); + } + } + + { + var a = new Object[1]; + // Trying to access primitive from Object array + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, ARRAY_OBJECT_BASE_OFFSET, MemorySize.BYTE_1), + "Bad request for BYTE_1 from java.lang.Object[]" + ); + } + + { + var a = new long[2]; + // Not aligned by `long[]` scale + long offset = ARRAY_LONG_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, MemorySize.BYTE_1), + "Bad aligned array access at offset " + offset + " for long[]" + ); + } + } + + @Test + void onAccessBytesCount() { + Object a = new byte[4]; + assertTrue(ArrayAccessSanitizer.onAccess(a, ARRAY_BYTE_BASE_OFFSET, 0)); + assertTrue(ArrayAccessSanitizer.onAccess(a, ARRAY_BYTE_BASE_OFFSET, 1)); + assertTrue(ArrayAccessSanitizer.onAccess(a, ARRAY_BYTE_BASE_OFFSET, 2)); + assertTrue(ArrayAccessSanitizer.onAccess(a, ARRAY_BYTE_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE * 2L, 2)); + + a = new long[2]; + assertTrue(ArrayAccessSanitizer.onAccess(a, ARRAY_LONG_BASE_OFFSET, 16)); + assertTrue(ArrayAccessSanitizer.onAccess(a, ARRAY_LONG_BASE_OFFSET + ARRAY_LONG_INDEX_SCALE, 8)); + // TODO: Is this allowed? 
Reading 2 bytes from array where each element has 8 bytes + assertTrue(ArrayAccessSanitizer.onAccess(a, ARRAY_LONG_BASE_OFFSET + ARRAY_LONG_INDEX_SCALE, 2)); + } + + @Test + void onAccessBytesCount_Error() { + { + var a = new byte[0]; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, ARRAY_BYTE_BASE_OFFSET, 1), + "Bad array access at offset " + ARRAY_BYTE_BASE_OFFSET + ", size 1; max offset is " + ARRAY_BYTE_BASE_OFFSET + ); + } + { + var a = new byte[0]; + long offset = ARRAY_BYTE_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE; + // Should also validate when trying to access 0 bytes + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, 0), + "Bad array access at offset " + offset + ", size 0; max offset is " + ARRAY_BYTE_BASE_OFFSET + ); + } + { + var a = new byte[1]; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, ARRAY_BYTE_BASE_OFFSET, 2), + "Bad array access at offset " + ARRAY_BYTE_BASE_OFFSET + ", size 2; max offset is " + (ARRAY_BYTE_BASE_OFFSET + a.length * ARRAY_BYTE_INDEX_SCALE) + ); + } + { + var a = new byte[2]; + long offset = ARRAY_BYTE_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, 2), + "Bad array access at offset " + offset + ", size 2; max offset is " + (ARRAY_BYTE_BASE_OFFSET + a.length * ARRAY_BYTE_INDEX_SCALE) + ); + } + + { + var a = new byte[1]; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, -1, 1), + "Invalid offset: -1" + ); + } + { + var a = new byte[1]; + // Not using base offset, assuming it is > 0 + assert ARRAY_BYTE_BASE_OFFSET > 0; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, 0, 1), + "Bad array access at offset 0; min offset is " + ARRAY_BYTE_BASE_OFFSET + ); + } + { + var a = new byte[1]; + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, ARRAY_BYTE_BASE_OFFSET, -1), + "Invalid size: -1" + ); + } + + { + var a = new long[2]; + // Not aligned by `long[]` scale + long offset = ARRAY_LONG_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE; + 
assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, offset, 1), + "Bad aligned array access at offset " + offset + " for long[]" + ); + } + + { + var a = new Object[1]; + // Trying to access bytes from `Object[]` + assertThrows( + () -> ArrayAccessSanitizer.onAccess(a, ARRAY_OBJECT_BASE_OFFSET, 1), + "Reading bytes from non-primitive array java.lang.Object[]" + ); + } + } +} \ No newline at end of file diff --git a/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/FieldAccessSanitizerTest.java b/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/FieldAccessSanitizerTest.java new file mode 100644 index 0000000..8982902 --- /dev/null +++ b/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/FieldAccessSanitizerTest.java 
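Review bot: `onAccessBytesCount_Error` in ArrayAccessSanitizerTest.java covers a negative offset and a negative size, but no case where `offset + bytesCount` exceeds `Long.MAX_VALUE`, which is the input most likely to slip past a bounds check written as an addition. ArrayAccessSanitizer itself is not in this hunk, so whether it is affected cannot be told from here; a case on a `byte[2]` such as `assertThrows(() -> ArrayAccessSanitizer.onAccess(a, ARRAY_BYTE_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE, Long.MAX_VALUE), <expected message>)` would pin the behaviour. In the `AgentErrorAction.NONE` block of `onAccessMemorySize_Error` I would also add `assertNotNull(error);` before `error.getMessage()` and assert the boolean returned by `onAccess`, so the test documents whether a rejected access is reported as allowed or denied when throwing is disabled.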
@@ -0,0 +1,158 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.function.Executable; + +import java.lang.reflect.Field; + +import static marcono1234.unsafe_sanitizer.agent_impl.UnsafeAccess.unsafe; +import static org.junit.jupiter.api.Assertions.fail; + +class FieldAccessSanitizerTest { + private FieldAccessSanitizer sanitizer; + + @BeforeEach + void setUp() { + UnsafeSanitizerImpl.setErrorAction(AgentErrorAction.THROW); + sanitizer = new FieldAccessSanitizer(); + } + + @AfterEach + void clearLastError() { + var lastError = UnsafeSanitizerImpl.getLastErrorRefImpl().getAndSet(null); + if (lastError != null) { + fail("Unexpected error", lastError); + } + } + + // TODO: Check exception messages? + private static void assertThrows(Executable executable) { + Assertions.assertThrows(BadMemoryAccessError.class, executable); + UnsafeSanitizerImpl.getLastErrorRefImpl().set(null); + } + + @Test + void instanceField() throws Exception { + class Dummy { + byte b; + int i; + Object o; + } + Dummy dummy = new Dummy(); + + long offset = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("b")); + sanitizer.checkAccess(dummy, offset, MemorySize.BYTE_1); + + offset = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("i")); + sanitizer.checkAccess(dummy, offset, MemorySize.BYTE_4); + + offset = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("o")); + sanitizer.checkAccess(dummy, offset, MemorySize.OBJECT); + } + + @Test + void instanceFieldInheritance() throws Exception { + class Super { + int i; + } + class Sub extends Super { + } + + long offset = unsafe.objectFieldOffset(Super.class.getDeclaredField("i")); + sanitizer.checkAccess(new Sub(), offset, MemorySize.BYTE_4); + } + + @Test + void instanceFieldError() throws Exception { + class Dummy { + int i; + long l; + Object o; 
+ } + Dummy dummy = new Dummy(); + + { + long offset = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("i")); + assertThrows(() -> sanitizer.checkAccess(dummy, offset + 1, MemorySize.BYTE_4)); + // Trying to access with misaligned offset; `Unsafe` doc says that offset should not be used for + // arithmetic operations + assertThrows(() -> sanitizer.checkAccess(dummy, offset + 1, MemorySize.BYTE_1)); + + // Trying to access 4 byte `int` as 8 byte + assertThrows(() -> sanitizer.checkAccess(dummy, offset, MemorySize.BYTE_8)); + // Access of smaller size + assertThrows(() -> sanitizer.checkAccess(dummy, offset, MemorySize.BYTE_1)); + } + + { + long offset = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("l")); + // Trying to access `long` as Object + assertThrows(() -> sanitizer.checkAccess(dummy, offset, MemorySize.OBJECT)); + + // Trying to access `long` as 'address'; at least on 32-bit platforms this could be an issue + assertThrows(() -> sanitizer.checkAccess(dummy, offset, MemorySize.ADDRESS)); + } + + { + long offset = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("o")); + // Trying to access Object as bytes; might be technically possible but not sure if this is really + // officially supported + assertThrows(() -> sanitizer.checkAccess(dummy, offset, MemorySize.BYTE_4)); + } + } + + @Test + void staticField() throws Exception { + class Dummy { + static byte b; + static int i; + } + + Field field = Dummy.class.getDeclaredField("b"); + Object base = unsafe.staticFieldBase(field); + long offset = unsafe.staticFieldOffset(field); + sanitizer.checkAccess(base, offset, MemorySize.BYTE_1); + + field = Dummy.class.getDeclaredField("i"); + base = unsafe.staticFieldBase(field); + offset = unsafe.staticFieldOffset(field); + sanitizer.checkAccess(base, offset, MemorySize.BYTE_4); + } + + @Test + void staticFieldInterface() throws Exception { + interface Dummy { + int i = 1; + } + + Field field = Dummy.class.getDeclaredField("i"); + Object base = 
unsafe.staticFieldBase(field); + long offset = unsafe.staticFieldOffset(field); + sanitizer.checkAccess(base, offset, MemorySize.BYTE_4); + } + + @Test + void mixedFields() throws Exception { + class Dummy { + int i; + static int s; + } + Dummy dummy = new Dummy(); + + long offsetI = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("i")); + + Field fieldS = Dummy.class.getDeclaredField("s"); + Object baseS = unsafe.staticFieldBase(fieldS); + long offsetS = unsafe.staticFieldOffset(fieldS); + + sanitizer.checkAccess(dummy, offsetI, MemorySize.BYTE_4); + sanitizer.checkAccess(baseS, offsetS, MemorySize.BYTE_4); + + // Mixing offsets is not allowed + assertThrows(() -> sanitizer.checkAccess(dummy, offsetS, MemorySize.BYTE_4)); + assertThrows(() -> sanitizer.checkAccess(baseS, offsetI, MemorySize.BYTE_4)); + } +} \ No newline at end of file diff --git a/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/LongSetTest.java b/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/LongSetTest.java new file mode 100644 index 0000000..447ced6 --- /dev/null +++ b/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/LongSetTest.java 
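Review bot: Every call in FieldAccessSanitizerTest.java uses the three-argument `checkAccess(obj, offset, size)`, while `UnsafeSanitizerImpl.onAccess` forwards writes through the four-argument form with `writtenObject`, so the object-write path has no test here. If FieldAccessSanitizer is meant to check the written value against the declared field type (its source is not in this hunk), a case with a narrower field such as `String s` and `assertThrows(() -> sanitizer.checkAccess(dummy, offset, MemorySize.OBJECT, Integer.valueOf(1)));` would cover the type-confusion write. The local `assertThrows` helper also accepts any `BadMemoryAccessError`, so the error cases can pass for a different reason than the one named in their comments; checking the message, as ArrayAccessSanitizerTest does, would close that gap.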
@@ -0,0 +1,140 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import org.junit.jupiter.api.Test; + +import java.util.*; + +import static org.junit.jupiter.api.Assertions.*; + +class LongSetTest { + + @Test + void add() { + LongSet set = new LongSet(); + assertTrue(set.add(3)); + assertArrayEquals(new long[] {3}, set.getValues()); + + assertTrue(set.add(1)); + assertArrayEquals(new long[] {1, 3}, set.getValues()); + + assertTrue(set.add(2)); + assertArrayEquals(new long[] {1, 2, 3}, set.getValues()); + + assertTrue(set.add(-1)); + assertArrayEquals(new long[] {-1, 1, 2, 3}, set.getValues()); + + // Adding already existing value + assertFalse(set.add(1)); + assertArrayEquals(new long[] {-1, 1, 2, 3}, set.getValues()); + + assertTrue(set.add(Long.MIN_VALUE)); + assertArrayEquals(new long[] {Long.MIN_VALUE, -1, 1, 2, 3}, set.getValues()); + assertTrue(set.add(Long.MAX_VALUE)); + assertArrayEquals(new long[] {Long.MIN_VALUE, -1, 1, 2, 3, Long.MAX_VALUE}, set.getValues()); + } + + @Test + void contains() { + LongSet set = new LongSet(); + assertFalse(set.contains(1)); + + set.add(1); + assertTrue(set.contains(1)); + assertFalse(set.contains(2)); + + set.add(-2); + assertTrue(set.contains(-2)); + assertFalse(set.contains(-1)); + assertFalse(set.contains(2)); + + assertFalse(set.contains(Long.MIN_VALUE)); + set.add(Long.MIN_VALUE); + assertTrue(set.contains(Long.MIN_VALUE)); + + assertFalse(set.contains(Long.MAX_VALUE)); + set.add(Long.MAX_VALUE); + assertTrue(set.contains(Long.MAX_VALUE)); + } + + @Test + void remove() { + LongSet set = new LongSet(); + assertFalse(set.remove(1)); + assertArrayEquals(new long[] {}, set.getValues()); + + set.add(1); + assertArrayEquals(new long[] {1}, set.getValues()); + assertTrue(set.remove(1)); + assertArrayEquals(new long[] {}, set.getValues()); + assertFalse(set.remove(1)); + + set.add(-2); + assertArrayEquals(new long[] {-2}, set.getValues()); + assertTrue(set.remove(-2)); + assertArrayEquals(new long[] {}, set.getValues()); 
+ assertFalse(set.remove(-2)); + + assertFalse(set.remove(Long.MIN_VALUE)); + set.add(Long.MIN_VALUE); + assertArrayEquals(new long[] {Long.MIN_VALUE}, set.getValues()); + assertTrue(set.remove(Long.MIN_VALUE)); + + assertFalse(set.remove(Long.MAX_VALUE)); + set.add(Long.MAX_VALUE); + assertArrayEquals(new long[] {Long.MAX_VALUE}, set.getValues()); + assertTrue(set.remove(Long.MAX_VALUE)); + } + + @Test + void clear() { + LongSet set = new LongSet(); + set.clear(); + assertArrayEquals(new long[] {}, set.getValues()); + + set.add(1); + assertArrayEquals(new long[] {1}, set.getValues()); + set.clear(); + assertFalse(set.contains(1)); + assertArrayEquals(new long[] {}, set.getValues()); + + set.add(-2); + set.add(5); + assertArrayEquals(new long[] {-2, 5}, set.getValues()); + set.clear(); + assertFalse(set.contains(-2)); + assertFalse(set.contains(5)); + assertArrayEquals(new long[] {}, set.getValues()); + } + + @Test + void addRemove_Many() { + // TODO: Maybe make the seed of Random a parameter of this test method and then convert to `@ParameterizedTest`; + // this assumes that Gradle prints the parameter values, at least for test failures (is that actually the case?) 
+ Random random = new Random(); + SortedSet addedValues = new TreeSet<>(); + LongSet longSet = new LongSet(); + + while (addedValues.size() < LongSet.INITIAL_CAPACITY * 5) { + long value = random.nextLong(); + boolean wasAdded = addedValues.add(value); + + assertEquals(wasAdded, !longSet.contains(value)); + assertEquals(wasAdded, longSet.add(value)); + assertTrue(longSet.contains(value)); + + assertArrayEquals(addedValues.stream().mapToLong(Long::longValue).toArray(), longSet.getValues()); + } + + List remainingValues = new LinkedList<>(addedValues); + while (!remainingValues.isEmpty()) { + int indexToRemove = random.nextInt(remainingValues.size()); + long valueToRemove = remainingValues.remove(indexToRemove); + + assertTrue(longSet.contains(valueToRemove)); + assertTrue(longSet.remove(valueToRemove)); + assertFalse(longSet.contains(valueToRemove)); + + assertArrayEquals(remainingValues.stream().mapToLong(Long::longValue).toArray(), longSet.getValues()); + } + } +} diff --git a/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySectionMapTest.java b/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySectionMapTest.java new file mode 100644 index 0000000..ed6c88c --- /dev/null +++ b/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/MemorySectionMapTest.java 
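Review bot: `addRemove_Many` in LongSetTest.java draws its values from `new Random()` without recording the seed, so a failing run cannot be replayed. The TODO above that line proposes a parameterized test, but recording the seed is enough: `long seed = new Random().nextLong();` followed by `Random random = new Random(seed);`, with `"seed=" + seed` passed as the message argument of the assertions. The same applies to `addSection_Many` and `removeSection_Many` in MemorySectionMapTest.java.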
@@ -0,0 +1,544 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import marcono1234.unsafe_sanitizer.agent_impl.MemorySectionMap.Section; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.function.Executable; + +import java.util.*; + +import static org.junit.jupiter.api.Assertions.*; + +class MemorySectionMapTest { + private MemorySectionMap map; + + @BeforeEach + void setUp() { + map = new MemorySectionMap(); + } + + // For most tests here ignore uninitialized memory tracking + private static final boolean NO_TRACKING = false; + private static final boolean IS_READ = true; + + // TODO: Check exception messages? + private static void assertThrows(Executable executable) { + Assertions.assertThrows(IllegalArgumentException.class, executable); + } + + @Test + void addSection() { + assertTrue(map.isEmpty()); + map.addSection(0, 1, NO_TRACKING); + assertFalse(map.isEmpty()); + map.addSection(1, 2, NO_TRACKING); + map.addSection(3, 1, NO_TRACKING); + map.addSection(Long.MAX_VALUE, Long.MAX_VALUE, NO_TRACKING); + map.addSection(10, 1, NO_TRACKING); + map.addSection(9, 1, NO_TRACKING); + + assertEquals( + List.of( + new Section(0, 1), + new Section(1, 2), + new Section(3, 1), + new Section(9, 1), + new Section(10, 1), + new Section(Long.MAX_VALUE, Long.MAX_VALUE) + ), + map.getAllSections() + ); + } + + // Note: This test is slightly slower than the others, but the performance problem seems to be caused by + // creating the `expectedSections` and comparing it; not by the tested code itself + @Test + void addSection_Many() { + List

sectionsToAdd = new ArrayList<>(); + for (int i = 0; i < MemorySectionMap.INITIAL_CAPACITY * 5; i++) { + sectionsToAdd.add(new Section(i, 1)); + } + // TODO: Maybe make the seed of Random a parameter of this test method and then convert to `@ParameterizedTest`; + // this assumes that Gradle prints the parameter values, at least for test failures (is that actually the case?) + Random random = new Random(); + Set
expectedSections = new TreeSet<>(Comparator.comparingLong(Section::address)); + + while (!sectionsToAdd.isEmpty()) { + int i = random.nextInt(sectionsToAdd.size()); + Section section = sectionsToAdd.remove(i); + expectedSections.add(section); + + map.addSection(section.address(), section.bytesCount(), NO_TRACKING); + assertEquals(new ArrayList<>(expectedSections), map.getAllSections()); + } + } + + @Test + void addSection_Error() { + assertThrows(() -> map.addSection(-1, 1, NO_TRACKING)); + assertEquals(List.of(), map.getAllSections()); + + assertThrows(() -> map.addSection(1, 0, NO_TRACKING)); + assertEquals(List.of(), map.getAllSections()); + + assertThrows(() -> map.addSection(1, -1, NO_TRACKING)); + assertEquals(List.of(), map.getAllSections()); + + map.addSection(1, 2, NO_TRACKING); + // Should fail adding duplicate or overlapping sections + assertThrows(() -> map.addSection(1, 2, NO_TRACKING)); + assertEquals(List.of(new Section(1, 2)), map.getAllSections()); + assertThrows(() -> map.addSection(0, 2, NO_TRACKING)); + assertEquals(List.of(new Section(1, 2)), map.getAllSections()); + assertThrows(() -> map.addSection(2, 4, NO_TRACKING)); + assertEquals(List.of(new Section(1, 2)), map.getAllSections()); + } + + @Test + void removeSection() { + map.addSection(0, 1, NO_TRACKING); + map.addSection(1, 2, NO_TRACKING); + map.addSection(3, 1, NO_TRACKING); + + map.removeSection(3); + assertEquals( + List.of( + new Section(0, 1), + new Section(1, 2) + ), + map.getAllSections() + ); + + map.removeSection(0); + assertEquals( + List.of(new Section(1, 2)), + map.getAllSections() + ); + + assertFalse(map.isEmpty()); + map.removeSection(1); + assertTrue(map.isEmpty()); + assertEquals(List.of(), map.getAllSections()); + } + + @Test + void removeSection_Error() { + assertThrows(() -> map.removeSection(0)); + + map.addSection(1, 5, NO_TRACKING); + // Cannot remove in the middle of a section + assertThrows(() -> map.removeSection(2)); + + assertThrows(() -> 
map.removeSection(0)); + assertThrows(() -> map.removeSection(6)); + assertEquals(List.of(new Section(1, 5)), map.getAllSections()); + } + + @Test + void removeSection_Many() { + List
allSections = new ArrayList<>(); + for (int i = 0; i < MemorySectionMap.INITIAL_CAPACITY * 5; i++) { + allSections.add(new Section(i, 1)); + map.addSection(i, 1, NO_TRACKING); + } + + // TODO: Maybe make the seed of Random a parameter of this test method and then convert to `@ParameterizedTest`; + // this assumes that Gradle prints the parameter values, at least for test failures (is that actually the case?) + Random random = new Random(); + while (!allSections.isEmpty()) { + int i = random.nextInt(allSections.size()); + Section section = allSections.remove(i); + map.removeSection(section.address()); + + assertEquals(allSections, map.getAllSections()); + } + } + + @Test + void removeSection_Tracking() { + map.addSection(1, 4, true); + map.addSection(6, 4, true); + assertEquals(List.of(), map.getAllInitializedSections()); + + map.performAccess(2, 2, false); + map.performAccess(6, 2, false); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(2, 2), + new UninitializedMemoryTracker.Section(6, 2) + ), + map.getAllInitializedSections() + ); + + map.removeSection(1); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(6, 2) + ), + map.getAllInitializedSections() + ); + + map.removeSection(6); + assertEquals(List.of(), map.getAllInitializedSections()); + + + map.addSection(1, 2, true); + map.addSection(3, 2, true); + map.performAccess(1, 2, false); + map.performAccess(3, 2, false); + // Current implementation merges adjacent initialized sections + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(1, 4) + ), + map.getAllInitializedSections() + ); + // However, access spanning both sections should still not be permitted + assertThrows(() -> map.performAccess(2, 3, true)); + + map.removeSection(1); + // Should have removed part of merged initialized section + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(3, 2) + ), + map.getAllInitializedSections() + ); + } + + @Test + void moveSection() { + 
map.addSection(1, 6, false); + + // Same address, same size + map.moveSection(1, 1, 6); + assertEquals(List.of(new Section(1, 6)), map.getAllSections()); + + map.moveSection(1, 8, 6); + assertEquals(List.of(new Section(8, 6)), map.getAllSections()); + + // Overlapping move + map.moveSection(8, 9, 6); + assertEquals(List.of(new Section(9, 6)), map.getAllSections()); + + // Shrinking move (same address) + map.moveSection(9, 9, 4); + assertEquals(List.of(new Section(9, 4)), map.getAllSections()); + + // Shrinking move + map.moveSection(9, 3, 2); + assertEquals(List.of(new Section(3, 2)), map.getAllSections()); + + // Enlarging move (same address) + map.moveSection(3, 3, 4); + assertEquals(List.of(new Section(3, 4)), map.getAllSections()); + + // Enlarging move + map.moveSection(3, 7, 5); + assertEquals(List.of(new Section(7, 5)), map.getAllSections()); + } + + @Test + void moveSection_Error() { + map.addSection(1, 4, false); + + assertThrows(() -> map.moveSection(0, 10, 2)); + assertThrows(() -> map.moveSection(5, 10, 1)); + // Cannot move only part of section + assertThrows(() -> map.moveSection(2, 10, 2)); + + assertThrows(() -> map.moveSection(1, 10, -1)); + assertThrows(() -> map.moveSection(1, 10, 0)); + assertThrows(() -> map.moveSection(1, -1, 1)); + } + + @Test + void moveSection_Tracking() { + map.addSection(1, 4, true); + assertEquals(List.of(), map.getAllInitializedSections()); + + map.moveSection(1, 6, 4); + assertEquals(List.of(), map.getAllInitializedSections()); + + map.performAccess(6, 1, false); + map.performAccess(8, 1, false); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(6, 1), + new UninitializedMemoryTracker.Section(8, 1) + ), + map.getAllInitializedSections() + ); + + // Overlapping move + map.moveSection(6, 7, 4); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(7, 1), + new UninitializedMemoryTracker.Section(9, 1) + ), + map.getAllInitializedSections() + ); + + // Enlarging move + map.moveSection(7, 2, 
8); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(2, 1), + new UninitializedMemoryTracker.Section(4, 1) + ), + map.getAllInitializedSections() + ); + + // Shrinking move + map.moveSection(2, 10, 2); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(10, 1) + ), + map.getAllInitializedSections() + ); + } + + @Test + void performAccess() { + map.addSection(0, 1, NO_TRACKING); + map.addSection(5, 3, NO_TRACKING); + + map.performAccess(0, 1, IS_READ); + map.performAccess(5, 1, IS_READ); + map.performAccess(5, 3, IS_READ); + map.performAccess(6, 2, IS_READ); + } + + @Test + void performAccess_Error() { + assertThrows(() -> map.performAccess(-1, 1, IS_READ)); + assertThrows(() -> map.performAccess(0, -1, IS_READ)); + assertThrows(() -> map.performAccess(0, 0, IS_READ)); + + map.addSection(1, 5, NO_TRACKING); + map.addSection(7, 1, NO_TRACKING); + map.addSection(8, 1, NO_TRACKING); + + assertThrows(() -> map.performAccess(0, 2, IS_READ)); + assertThrows(() -> map.performAccess(2, -1, IS_READ)); + assertThrows(() -> map.performAccess(2, 5, IS_READ)); + assertThrows(() -> map.performAccess(6, 1, IS_READ)); + // Cannot start in one section and end in another one + assertThrows(() -> map.performAccess(7, 2, IS_READ)); + + assertEquals( + List.of( + new Section(1, 5), + new Section(7, 1), + new Section(8, 1) + ), + map.getAllSections() + ); + } + + @Test + void performAccess_Tracking() { + map.addSection(1, 4, true); + + // Reading uninitialized + assertThrows(() -> map.performAccess(1, 4, true)); + + map.performAccess(2, 2, false); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(2, 2) + ), + map.getAllInitializedSections() + ); + + // Reading initialized + map.performAccess(2, 1, true); + map.performAccess(2, 2, true); + map.performAccess(3, 1, true); + + // Reading uninitialized + assertThrows(() -> map.performAccess(1, 4, true)); + assertThrows(() -> map.performAccess(1, 2, true)); + assertThrows(() -> 
map.performAccess(4, 1, true)); + + // Prepare split initialized with uninitialized gap + map.removeSection(1); + map.addSection(1, 4, true); + map.performAccess(1, 1, false); + map.performAccess(3, 1, false); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(1, 1), + new UninitializedMemoryTracker.Section(3, 1) + ), + map.getAllInitializedSections() + ); + // Reading section with uninitialized gap + assertThrows(() -> map.performAccess(1, 3, true)); + } + + @Test + void performCopyAccess() { + map.addSection(1, 3, NO_TRACKING); + map.addSection(5, 3, NO_TRACKING); + + map.performCopyAccess(1, 5, 3); + map.performCopyAccess(2, 6, 2); + // Overlapping copy + map.performCopyAccess(1, 2, 2); + + // Copying does not create new sections + assertEquals( + List.of( + new Section(1, 3), + new Section(5, 3) + ), + map.getAllSections() + ); + } + + @Test + void performCopyAccess_Error() { + map.addSection(1, 3, NO_TRACKING); + map.addSection(5, 2, NO_TRACKING); + + assertThrows(() -> map.performCopyAccess(0, 5, 3)); + assertThrows(() -> map.performCopyAccess(1, 5, 3)); + assertThrows(() -> map.performCopyAccess(1, 6, 2)); + assertThrows(() -> map.performCopyAccess(1, 4, 2)); + assertThrows(() -> map.performCopyAccess(4, 5, 1)); + } + + @Test + void performCopyAccess_TrackingTracking() { + map.addSection(1, 4, true); + map.addSection(6, 4, true); + + map.performAccess(2, 2, false); + map.performCopyAccess(1, 7, 3); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(2, 2), + new UninitializedMemoryTracker.Section(8, 2) + ), + map.getAllInitializedSections() + ); + + + map.removeSection(1); + map.removeSection(6); + map.addSection(1, 4, true); + map.performAccess(1, 1, false); + map.performAccess(3, 1, false); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(1, 1), + new UninitializedMemoryTracker.Section(3, 1) + ), + map.getAllInitializedSections() + ); + // Overlapping copy + map.performCopyAccess(1, 3, 2); + assertEquals( 
+ List.of( + new UninitializedMemoryTracker.Section(1, 1), + new UninitializedMemoryTracker.Section(3, 1) + ), + map.getAllInitializedSections() + ); + // Overlapping copy + map.performCopyAccess(1, 2, 3); + // Uninitialized was copied from address 2 to 3 + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(1, 2), + new UninitializedMemoryTracker.Section(4, 1) + ), + map.getAllInitializedSections() + ); + } + + @Test + void performCopyAccess_TrackingNonTracking() { + map.addSection(1, 4, true); + map.addSection(6, 4, false); + assertEquals(List.of(), map.getAllInitializedSections()); + + // Copying uninitialized to non-tracking should fail + assertThrows(() -> map.performCopyAccess(1, 6, 4)); + + map.performAccess(1, 3, false); + // Should also fail when only partially initialized + assertThrows(() -> map.performCopyAccess(1, 6, 4)); + + map.performCopyAccess(1, 6, 3); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(1, 3) + // no entry for non-tracking + ), + map.getAllInitializedSections() + ); + } + + @Test + void performCopyAccess_NonTrackingTracking() { + map.addSection(1, 4, false); + map.addSection(6, 4, true); + assertEquals(List.of(), map.getAllInitializedSections()); + + // Copying non-tracking to uninitialized should mark destination as initialized + map.performCopyAccess(1, 6, 4); + assertEquals( + List.of( + new UninitializedMemoryTracker.Section(6, 4) + ), + map.getAllInitializedSections() + ); + } + + @Test + void checkIsInSection() { + assertThrows(() -> map.checkIsInSection(1, true)); + assertThrows(() -> map.checkIsInSection(1, false)); + + map.addSection(1, 10, true); + map.checkIsInSection(1, false); + map.checkIsInSection(5, false); + map.checkIsInSection(10, false); + map.checkIsInSection(11, true); + + assertThrows(() -> map.checkIsInSection(0, true)); + assertThrows(() -> map.checkIsInSection(11, false)); + assertThrows(() -> map.checkIsInSection(12, true)); + } + + @Test + void hasSectionAt() { + 
assertFalse(map.hasSectionAt(1)); + + map.addSection(1, 10, true); + assertTrue(map.hasSectionAt(1)); + + assertFalse(map.hasSectionAt(0)); + // Only consider start of section, not if section includes address + assertFalse(map.hasSectionAt(2)); + } + + @Test + void disableUninitializedMemoryTracking() { + map.disableUninitializedMemoryTracking(); + map.addSection(1, 10, true); + + // Should not throw an exception, even though this reads uninitialized memory + map.performAccess(1, 10, true); + map.performAccess(1, 1, false); + map.performCopyAccess(1, 4, 2); + map.removeSection(1); + + assertEquals(List.of(), map.getAllSections()); + } +} diff --git a/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/UninitializedMemoryTrackerTest.java b/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/UninitializedMemoryTrackerTest.java new file mode 100644 index 0000000..cfa9876 --- /dev/null +++ b/agent-impl/src/test/java/marcono1234/unsafe_sanitizer/agent_impl/UninitializedMemoryTrackerTest.java 
@@ -0,0 +1,522 @@ +package marcono1234.unsafe_sanitizer.agent_impl; + +import marcono1234.unsafe_sanitizer.agent_impl.UninitializedMemoryTracker.Section; +import org.junit.jupiter.api.Test; + +import java.util.*; + +import static org.junit.jupiter.api.Assertions.*; + +class UninitializedMemoryTrackerTest { + @Test + void setInitialized() { + var tracker = new UninitializedMemoryTracker(); + assertEquals(List.of(), tracker.getAllInitializedSections()); + + tracker.setInitialized(1, 1); + assertEquals(List.of(new Section(1, 1)), tracker.getAllInitializedSections()); + + tracker.setInitialized(6, 10); + assertEquals( + List.of( + new Section(1, 1), + new Section(6, 10) + ), + tracker.getAllInitializedSections() + ); + + // Marking already initialized should have no effect + tracker.setInitialized(6, 10); + assertEquals( + List.of( + new Section(1, 1), + new Section(6, 10) + ), + tracker.getAllInitializedSections() + ); + + // Marking subsection of already initialized should have no effect + tracker.setInitialized(7, 3); + assertEquals( + List.of( + new Section(1, 1), + new Section(6, 10) + ), + tracker.getAllInitializedSections() + ); + + tracker.setInitialized(3, 2); + assertEquals( + List.of( + new Section(1, 1), + new Section(3, 2), + new Section(6, 10) + ), + tracker.getAllInitializedSections() + ); + } + + @Test + void setInitialized_Enlarge() { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 2); + tracker.setInitialized(1, 5); + assertEquals(List.of(new Section(1, 5)), tracker.getAllInitializedSections()); + } + + @Test + void setInitialized_Merge() { + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 2); + tracker.setInitialized(4, 2); + tracker.setInitialized(7, 2); + + // Merge sections + tracker.setInitialized(2, 6); + assertEquals(List.of(new Section(1, 8)), tracker.getAllInitializedSections()); + } + + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 8); + 
tracker.setInitialized(10, 2); + + // Merge sections + tracker.setInitialized(0, 11); + assertEquals(List.of(new Section(0, 12)), tracker.getAllInitializedSections()); + } + + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 3); + tracker.setInitialized(5, 2); + + // Replace sections + tracker.setInitialized(0, 10); + assertEquals(List.of(new Section(0, 10)), tracker.getAllInitializedSections()); + } + + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 3); + tracker.setInitialized(5, 2); + tracker.setInitialized(20, 2); + + // Replace sections, but leave subsequent section untouched + tracker.setInitialized(0, 10); + assertEquals( + List.of( + new Section(0, 10), + new Section(20, 2) + ), + tracker.getAllInitializedSections() + ); + } + } + + @Test + void setInitialized_MergeAdjacent() { + var tracker = new UninitializedMemoryTracker(); + + tracker.setInitialized(1, 2); + tracker.setInitialized(4, 2); + tracker.setInitialized(7, 2); + + // Merge sections + tracker.setInitialized(3, 4); // 3 to 7 (exclusive) + assertEquals(List.of(new Section(1, 8)), tracker.getAllInitializedSections()); + } + + // Note: This test is slightly slower than the others, but the performance problem seems to be caused by + // creating the `expectedSections` and comparing it; not by the tested code itself + @Test + void setInitialized_Many() { + var tracker = new UninitializedMemoryTracker(); + + List
sectionsToAdd = new ArrayList<>(); + for (int i = 0; i < UninitializedMemoryTracker.INITIAL_CAPACITY * 5; i++) { + // `* 2` to avoid merging adjacent sections + sectionsToAdd.add(new Section(i * 2, 1)); + } + // TODO: Maybe make the seed of Random a parameter of this test method and then convert to `@ParameterizedTest`; + // this assumes that Gradle prints the parameter values, at least for test failures (is that actually the case?) + Random random = new Random(); + Set
expectedSections = new TreeSet<>(Comparator.comparingLong(Section::address)); + + while (!sectionsToAdd.isEmpty()) { + int i = random.nextInt(sectionsToAdd.size()); + Section section = sectionsToAdd.remove(i); + expectedSections.add(section); + + tracker.setInitialized(section.address(), section.bytesCount()); + assertEquals(new ArrayList<>(expectedSections), tracker.getAllInitializedSections()); + } + } + + @Test + void setInitialized_ManyMerge() { + var tracker = new UninitializedMemoryTracker(); + + List
sectionsToAdd = new ArrayList<>(); + for (int i = 0; i < UninitializedMemoryTracker.INITIAL_CAPACITY * 5; i++) { + // `bytesCount = 2` to cover adjacent and overlapping merging + sectionsToAdd.add(new Section(i, 2)); + } + // TODO: Maybe make the seed of Random a parameter of this test method and then convert to `@ParameterizedTest`; + // this assumes that Gradle prints the parameter values, at least for test failures (is that actually the case?) + Random random = new Random(); + Collections.shuffle(sectionsToAdd, random); + + for (Section section : sectionsToAdd) { + tracker.setInitialized(section.address(), section.bytesCount()); + // Cannot easily verify intermediate results; just verify that there are sections + assertFalse(tracker.getAllInitializedSections().isEmpty()); + } + // Verify that in the end a single merged section should exist + assertEquals(List.of(new Section(0, sectionsToAdd.size() + 1)), tracker.getAllInitializedSections()); + } + + @Test + void clearInitialized() { + var tracker = new UninitializedMemoryTracker(); + tracker.clearInitialized(1, 10); + assertEquals(List.of(), tracker.getAllInitializedSections()); + + tracker.setInitialized(1, 10); + tracker.clearInitialized(1, 10); + assertEquals(List.of(), tracker.getAllInitializedSections()); + + tracker.setInitialized(1, 5); + // Adjacent clear should have no effect + tracker.clearInitialized(0, 1); + assertEquals(List.of(new Section(1, 5)), tracker.getAllInitializedSections()); + tracker.clearInitialized(6, 10); + assertEquals(List.of(new Section(1, 5)), tracker.getAllInitializedSections()); + } + + @Test + void clearInitialized_TruncateStart() { + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 10); + tracker.clearInitialized(1, 8); + assertEquals(List.of(new Section(9, 2)), tracker.getAllInitializedSections()); + } + + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 10); + // Should also work when cleared section starts in 
front + tracker.clearInitialized(0, 8); + assertEquals(List.of(new Section(8, 3)), tracker.getAllInitializedSections()); + } + } + + @Test + void clearInitialized_TruncateEnd() { + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 10); + tracker.clearInitialized(3, 8); + assertEquals(List.of(new Section(1, 2)), tracker.getAllInitializedSections()); + } + + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 10); + // Should also work when cleared section ends behind + tracker.clearInitialized(3, 20); + assertEquals(List.of(new Section(1, 2)), tracker.getAllInitializedSections()); + } + } + + @Test + void clearInitialized_Cut() { + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 10); + tracker.clearInitialized(3, 4); + assertEquals( + List.of( + new Section(1, 2), + new Section(7, 4) + ), + tracker.getAllInitializedSections() + ); + } + + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 2); + tracker.setInitialized(4, 2); + tracker.setInitialized(7, 2); + tracker.setInitialized(10, 2); + tracker.clearInitialized(2, 9); + assertEquals( + List.of( + new Section(1, 1), + new Section(11, 1) + ), + tracker.getAllInitializedSections() + ); + } + } + + @Test + void removeSection_Many() { + var tracker = new UninitializedMemoryTracker(); + + List
allSections = new ArrayList<>(); + for (int i = 0; i < UninitializedMemoryTracker.INITIAL_CAPACITY * 5; i++) { + // `* 2` to avoid merging adjacent sections + allSections.add(new Section(i * 2, 1)); + tracker.setInitialized(i * 2, 1); + } + + // TODO: Maybe make the seed of Random a parameter of this test method and then convert to `@ParameterizedTest`; + // this assumes that Gradle prints the parameter values, at least for test failures (is that actually the case?) + Random random = new Random(); + while (!allSections.isEmpty()) { + int i = random.nextInt(allSections.size()); + Section section = allSections.remove(i); + tracker.clearInitialized(section.address(), section.bytesCount()); + + assertEquals(allSections, tracker.getAllInitializedSections()); + } + } + + @Test + void removeSection_ManySplit() { + var tracker = new UninitializedMemoryTracker(); + + // `bytesCount = 4` to cover removing multiple sections + int bytesCountPerRemove = 4; + List
sectionsToRemove = new ArrayList<>(); + for (int i = 0; i < UninitializedMemoryTracker.INITIAL_CAPACITY * 5; i++) { + sectionsToRemove.add(new Section(i, bytesCountPerRemove)); + } + + // TODO: Maybe make the seed of Random a parameter of this test method and then convert to `@ParameterizedTest`; + // this assumes that Gradle prints the parameter values, at least for test failures (is that actually the case?) + Random random = new Random(); + Collections.shuffle(sectionsToRemove, random); + + // First fully initialize sections + tracker.setInitialized(0, sectionsToRemove.size()); + // Then one by one remove sections + for (int i = 0; i < sectionsToRemove.size(); i++) { + // Verify that for the first `clear` calls sections are not immediately empty afterwards + // Consider `bytesCountPerRemove` in case randomly shuffled removals already cleared all sections + // before all removals have been performed + if (i < sectionsToRemove.size() / (bytesCountPerRemove + 1)) { + assertFalse(tracker.getAllInitializedSections().isEmpty()); + } + + Section section = sectionsToRemove.get(i); + tracker.clearInitialized(section.address(), section.bytesCount()); + // Cannot easily verify intermediate results + } + // Verify that in the end all sections should have been removed + assertEquals(List.of(), tracker.getAllInitializedSections()); + } + + @Test + void copyInitialized() { + var tracker = new UninitializedMemoryTracker(); + tracker.copyInitialized(1, 10, 5); + assertEquals(List.of(), tracker.getAllInitializedSections()); + + tracker.setInitialized(2, 3); + tracker.copyInitialized(2, 6, 3); + assertEquals( + List.of( + new Section(2, 3), + new Section(6, 3) + ), + tracker.getAllInitializedSections() + ); + + // Copy partially from two sections + tracker.copyInitialized(3, 10, 5); + assertEquals( + List.of( + new Section(2, 3), + new Section(6, 3), + new Section(10, 2), + new Section(13, 2) + ), + tracker.getAllInitializedSections() + ); + + // Merge sections due to copy + 
tracker.copyInitialized(4, 5, 1); + assertEquals( + List.of( + new Section(2, 7), + new Section(10, 2), + new Section(13, 2) + ), + tracker.getAllInitializedSections() + ); + } + + @Test + void copyInitialized_Cut() { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(2, 5); + tracker.setInitialized(10, 1); + + tracker.copyInitialized(10, 3, 2); + assertEquals( + List.of( + new Section(2, 2), + new Section(5, 2), + new Section(10, 1) + ), + tracker.getAllInitializedSections() + ); + + tracker.copyInitialized(20, 3, 15); + assertEquals(List.of(new Section(2, 1)), tracker.getAllInitializedSections()); + } + + @Test + void copyInitialized_Enlarge() { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(2, 3); + tracker.setInitialized(10, 1); + + tracker.copyInitialized(3, 10, 2); + assertEquals( + List.of( + new Section(2, 3), + new Section(10, 2) + ), + tracker.getAllInitializedSections() + ); + + tracker.copyInitialized(2, 11, 3); + assertEquals( + List.of( + new Section(2, 3), + new Section(10, 4) + ), + tracker.getAllInitializedSections() + ); + } + + @Test + void copyInitialized_Overlap() { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(2, 2); + tracker.setInitialized(6, 2); + + tracker.copyInitialized(2, 3, 6); + assertEquals( + List.of( + new Section(2, 3), + new Section(7, 2) + ), + tracker.getAllInitializedSections() + ); + } + + @Test + void moveInitialized() { + var tracker = new UninitializedMemoryTracker(); + tracker.moveInitialized(1, 4, 10, 4); + assertEquals(List.of(), tracker.getAllInitializedSections()); + + tracker.setInitialized(2, 4); + tracker.moveInitialized(2, 4, 6, 4); + assertEquals(List.of(new Section(6, 4)), tracker.getAllInitializedSections()); + + // Splits source + tracker.moveInitialized(7, 2, 12, 2); + assertEquals( + List.of( + new Section(6, 1), + new Section(9, 1), + new Section(12, 2) + ), + tracker.getAllInitializedSections() + ); + + // Splits source and 
merges at destination + tracker.moveInitialized(7, 6, 0, 6); + assertEquals( + List.of( + new Section(2, 1), + new Section(5, 2), + new Section(13, 1) + ), + tracker.getAllInitializedSections() + ); + } + + @Test + void moveInitialized_Shrink() { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(0, 4); + tracker.moveInitialized(0, 4, 6, 2); + assertEquals(List.of(new Section(6, 2)), tracker.getAllInitializedSections()); + } + + @Test + void moveInitialized_Enlarge() { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(0, 2); + tracker.setInitialized(6, 4); + + tracker.moveInitialized(0, 2, 3, 10); + assertEquals( + List.of( + new Section(3, 2), + // Existing section should have remained unmodified + // (this is not actually possible for `Unsafe.reallocateMemory` because destination should not + // overlap with existing section, but this is only validated by `MemorySectionMap` and not here) + new Section(6, 4) + ), + tracker.getAllInitializedSections() + ); + } + + @Test + void moveInitialized_Overlap() { + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(0, 4); + // Move forward + tracker.moveInitialized(0, 4, 2, 4); + assertEquals(List.of(new Section(2, 4)), tracker.getAllInitializedSections()); + } + + { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(4, 4); + // Move backward + tracker.moveInitialized(4, 4, 2, 4); + assertEquals(List.of(new Section(2, 4)), tracker.getAllInitializedSections()); + } + } + + @Test + void isInitialized() { + var tracker = new UninitializedMemoryTracker(); + tracker.setInitialized(1, 3); + tracker.setInitialized(5, 2); + + assertTrue(tracker.isInitialized(1, 1)); + assertTrue(tracker.isInitialized(1, 3)); + assertTrue(tracker.isInitialized(2, 1)); + assertTrue(tracker.isInitialized(5, 2)); + + assertFalse(tracker.isInitialized(0, 1)); + // Only partially initialized + assertFalse(tracker.isInitialized(0, 2)); + 
assertFalse(tracker.isInitialized(3, 2)); + // Start and end are in initialized sections, but middle is not + assertFalse(tracker.isInitialized(3, 4)); + } +} \ No newline at end of file diff --git a/build.gradle.kts b/build.gradle.kts new file mode 100644 index 0000000..8990a6f --- /dev/null +++ b/build.gradle.kts 
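Review bot: The randomized tests in this file (`setInitialized_Many`, `setInitialized_ManyMerge`, `removeSection_Many`, `removeSection_ManySplit`) call `new Random()` without recording the seed, so an order-dependent failure in the tracker cannot be replayed. Until the TODO about `@ParameterizedTest` is resolved, generate the seed explicitly and report it on failure, e.g. `long seed = new Random().nextLong(); Random random = new Random(seed);` together with `assertEquals(expected, actual, "seed=" + seed)`. Separately, every case here uses small positive addresses. Nothing pins what `setInitialized`, `clearInitialized` or `isInitialized` do when `address + bytesCount` would exceed `Long.MAX_VALUE` or when `bytesCount` is 0, and for a sanitizer a wrapped range check would show up as a missed report. Whether such input is rejected elsewhere is not visible in this hunk, although the comment in `moveInitialized_Enlarge` suggests that `MemorySectionMap` does part of the validation.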
@@ -0,0 +1,158 @@
+plugins {
+ id("unsafe-sanitizer.java-conventions")
+ alias(libs.plugins.shadow)
+}
+
+val agentJar: Configuration by configurations.creating {
+ // Prevent projects depending on this one from seeing and using this configuration
+ isCanBeConsumed = false
+ isVisible = false
+ isTransitive = false
+}
+
+dependencies {
+ implementation(libs.bytebuddy)
+ implementation(libs.bytebuddy.agent)
+ implementation(libs.errorprone.annotations)
+ implementation(libs.jetbrains.annotations)
+
+ // For convenience add `compileOnly` dependency so that code in this project can directly reference agent classes
+ // However, they are not part of the public API, and accessing them will only work after agent has been installed
+ compileOnly(project(":agent-impl"))
+ testCompileOnly(project(":agent-impl"))
+ agentJar(project(path = ":agent-impl", configuration = "shadow"))
+
+ testImplementation(libs.junit)
+ testRuntimeOnly(libs.junit.launcher)
+}
+
+// Embed the agent JAR as resource, see `marcono1234.unsafe_sanitizer.UnsafeSanitizer#addAgentToBootstrapClasspath`
+// for details
+val agentJarDir = layout.buildDirectory.dir("generated/agent-impl-jar").get().asFile
+val copyAgentImplJar = tasks.register("copyAgentImplJar") {
+ from(agentJar) {
+ // TODO: Trailing `_` is as workaround for https://github.com/johnrengelman/shadow/issues/111 for standalone agent JAR
+ rename(".*", "agent-impl.jar_")
+ }
+ // Add package name prefix
+ into(agentJarDir.resolve("marcono1234/unsafe_sanitizer"))
+}
+sourceSets.main.get().output.dir(mutableMapOf("builtBy" to copyAgentImplJar), agentJarDir)
+
+
+// TODO: Maybe configure this using test suites instead, for consistency
+val testJdk21 = tasks.register("testJdk21") {
+ javaLauncher.set(javaToolchains.launcherFor {
+ languageVersion.set(JavaLanguageVersion.of(21))
+ })
+}
+tasks.check {
+ dependsOn(testJdk21)
+}
+
+
+@Suppress("UnstableApiUsage") // for Test Suites
+testing {
+ suites {
+ data class TestConfig(val javaVersion: Int, val agentArgs: String? = null)
+
+ val testConfigs = arrayOf(
+ TestConfig(17),
+ TestConfig(21),
+ TestConfig(21, "call-debug-logging=true,uninitialized-memory-tracking=false")
+ )
+ testConfigs.forEach { testConfig ->
+ // Create integration test for using agent standalone by running with `-javaagent:...`
+
+ var testName = "agentTestJdk${testConfig.javaVersion}";
+ testConfig.agentArgs?.let { testName += "Args" }
+
+ val agentTest by register(testName, JvmTestSuite::class) {
+ useJUnitJupiter(libs.versions.junit)
+
+ // TODO: This causes the warning "Duplicate content roots detected" in IntelliJ; can probably be ignored for now
+ sources {
+ java {
+ setSrcDirs(listOf("src/agentTest/java"))
+ }
+ }
+
+ targets {
+ all {
+ testTask.configure {
+ // Run regular tests first
+ shouldRunAfter(tasks.test)
+
+ // Requires JAR with dependencies
+ dependsOn(tasks.shadowJar)
+
+ val agentJar = tasks.shadowJar.get().archiveFile
+ // Define the agent JAR as additional input to prevent Gradle from erroneously assuming
+ // this task is UP-TO-DATE or can be used FROM-CACHE despite the agent JAR having changed
+ inputs.file(agentJar)
+
+ // Evaluate the arguments lazily to make sure the `shadowJar` task has already been configured
+ jvmArgumentProviders.add {
+ val agentPath = agentJar.get().asFile.absolutePath;
+ val agentArgs = testConfig.agentArgs?.let { "=$it" } ?: ""
+ listOf("-javaagent:${agentPath}${agentArgs}")
+ }
+
+ javaLauncher.set(javaToolchains.launcherFor {
+ languageVersion.set(JavaLanguageVersion.of(testConfig.javaVersion))
+ })
+ }
+ }
+ }
+ }
+
+ tasks.check {
+ dependsOn(agentTest)
+ }
+ }
+ }
+}
+
+
+// Create JAR with dependencies variant to allow standalone agent usage
+tasks.shadowJar {
+ isEnableRelocation = false
+ duplicatesStrategy = DuplicatesStrategy.FAIL
+ archiveClassifier = "standalone-agent"
+
+ manifest {
+ attributes(
+ // See https://docs.oracle.com/en/java/javase/17/docs/api/java.instrument/java/lang/instrument/package-summary.html
+ // section "Manifest Attributes"
+ "Premain-Class" to "marcono1234.unsafe_sanitizer.AgentMain",
+ "Can-Retransform-Classes" to "true",
+ // Main class is used for printing usage help on command line
+ "Main-Class" to "marcono1234.unsafe_sanitizer.AgentMain",
+
+ // Note: Depending on the dependencies, might have to set `Multi-Release: true`, see https://github.com/johnrengelman/shadow/issues/449
+ )
+ }
+
+ // Exclude `module-info` from dependencies, see also https://github.com/johnrengelman/shadow/issues/729
+ exclude("META-INF/versions/*/module-info.class")
+}
+// Run shadow task by default
+tasks.build {
+ dependsOn(tasks.shadowJar)
+}
+
+
+java {
+ // Publish sources and javadoc
+ withSourcesJar()
+ withJavadocJar()
+}
+
+// TODO: Maybe should use `agent` as artifactId (by changing rootProject.name?)
+publishing {
+ publications {
+ create("maven") {
+ from(components["java"])
+ }
+ }
+}
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
new file mode 100644
index 0000000..05b7105
--- /dev/null
+++ b/buildSrc/build.gradle.kts
@@ -0,0 +1,9 @@
+plugins {
+ `kotlin-dsl`
+}
+
+// Needed for external plugins, see
+// https://docs.gradle.org/8.5/samples/sample_convention_plugins.html#applying_an_external_plugin_in_precompiled_script_plugin
+repositories {
+ gradlePluginPortal()
+}
diff --git a/buildSrc/settings.gradle.kts b/buildSrc/settings.gradle.kts
new file mode 100644
index 0000000..716b7d3
--- /dev/null
+++ b/buildSrc/settings.gradle.kts
@@ -0,0 +1 @@
+rootProject.name = "java-conventions"
diff --git a/buildSrc/src/main/kotlin/unsafe-sanitizer.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/unsafe-sanitizer.java-conventions.gradle.kts
new file mode 100644
index 0000000..5ad17c1
--- /dev/null
+++ b/buildSrc/src/main/kotlin/unsafe-sanitizer.java-conventions.gradle.kts
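Review bot: `isEnableRelocation = false` in `tasks.shadowJar` of `build.gradle.kts` ships ByteBuddy and the annotation libraries under their original package names inside the `standalone-agent` JAR. A JAR passed via `-javaagent` is placed on the system class path, so an application that brings its own `net.bytebuddy` would resolve one copy or the other depending on class-path order. The sanitizer could then run against a ByteBuddy version it was not built with. If the instrumentation code tolerates it, relocating only that dependency would isolate it, e.g. `relocate("net.bytebuddy", "marcono1234.unsafe_sanitizer.shaded.bytebuddy")` (the target package name is only an example). Otherwise a comment next to `isEnableRelocation` stating why relocation must stay off would record the constraint.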
@@ -0,0 +1,42 @@
+import org.gradle.api.tasks.testing.logging.TestExceptionFormat
+import org.gradle.api.tasks.testing.logging.TestLogEvent
+
+// Conventions plugin to share common configuration for all sub-projects,
+// see https://docs.gradle.org/8.5/samples/sample_convention_plugins.html
+
+plugins {
+ `java-library`
+ `maven-publish`
+}
+
+repositories {
+ mavenCentral()
+}
+
+group = "marcono1234.unsafe_sanitizer"
+version = "0.0.1-SNAPSHOT"
+
+java {
+ toolchain {
+ languageVersion.set(JavaLanguageVersion.of(17))
+ }
+}
+
+// Additionally set desired release version to allow building with newer JDK but still targeting older Java version
+tasks.compileJava {
+ options.release = 17
+}
+
+// TODO: Maybe configure this using test suites instead, for consistency
+tasks.withType() {
+ useJUnitPlatform()
+
+ testLogging {
+ events = setOf(TestLogEvent.SKIPPED, TestLogEvent.FAILED)
+
+ showExceptions = true
+ showStackTraces = true
+ showCauses = true
+ exceptionFormat = TestExceptionFormat.FULL
+ }
+}
diff --git a/gradle.properties b/gradle.properties
new file mode 100644
index 0000000..4f996f1
--- /dev/null
+++ b/gradle.properties
@@ -0,0 +1,2 @@
+org.gradle.parallel=true
+org.gradle.caching=true
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
new file mode 100644
index 0000000..60a8278
--- /dev/null
+++ b/gradle/libs.versions.toml
@@ -0,0 +1,17 @@
+# https://docs.gradle.org/8.5/userguide/platforms.html#sub::toml-dependencies-format
+
+[versions]
+bytebuddy = "1.14.11"
+junit = "5.10.1"
+
+[libraries]
+bytebuddy = { module = "net.bytebuddy:byte-buddy", version.ref = "bytebuddy" }
+bytebuddy-agent = { module = "net.bytebuddy:byte-buddy-agent", version.ref = "bytebuddy" }
+errorprone-annotations = { module = "com.google.errorprone:error_prone_annotations", version = "2.24.1" }
+jetbrains-annotations = { module = "org.jetbrains:annotations", version = "24.1.0" }
+
+junit = { module = "org.junit.jupiter:junit-jupiter", version.ref = "junit" }
+junit-launcher = { module = "org.junit.platform:junit-platform-launcher" }
+
+[plugins]
+shadow = { id = "com.github.johnrengelman.shadow", version = "8.1.1" }
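Review bot: Nothing in this catalog checks the integrity of what gets downloaded: entries such as `bytebuddy = "1.14.11"` and the shadow plugin `8.1.1` are pinned by version string only. If the repository has no `gradle/verification-metadata.xml`, consider enabling Gradle dependency verification by generating it with `./gradlew --write-verification-metadata sha256 help` and committing the result. This matters more than usual here because Byte Buddy appears to be bundled into the agent jar by the shadow task (inferred from the build script, not visible in this hunk), so a tampered artifact would ship inside the agent. As a style point, `errorprone-annotations` and `jetbrains-annotations` carry inline versions while the other libraries use `version.ref`; moving them under `[versions]` keeps every pin in one place. `junit-launcher` has no version, presumably relying on the JUnit BOM for alignment, and a one-line comment such as `# version aligned via the JUnit BOM` would make that explicit.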
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..e6441136f3d4ba8a0da8d277868979cfbc8ad796 GIT binary patch literal 43453 zcma&N1CXTcmMvW9vTb(Rwr$&4wr$(C?dmSu>@vG-+vuvg^_??!{yS%8zW-#zn-LkA z5&1^$^{lnmUON?}LBF8_K|(?T0Ra(xUH{($5eN!MR#ZihR#HxkUPe+_R8Cn`RRs(P z_^*#_XlXmGv7!4;*Y%p4nw?{bNp@UZHv1?Um8r6)Fei3p@ClJn0ECfg1hkeuUU@Or zDaPa;U3fE=3L}DooL;8f;P0ipPt0Z~9P0)lbStMS)ag54=uL9ia-Lm3nh|@(Y?B`; zx_#arJIpXH!U{fbCbI^17}6Ri*H<>OLR%c|^mh8+)*h~K8Z!9)DPf zR2h?lbDZQ`p9P;&DQ4F0sur@TMa!Y}S8irn(%d-gi0*WxxCSk*A?3lGh=gcYN?FGl z7D=Js!i~0=u3rox^eO3i@$0=n{K1lPNU zwmfjRVmLOCRfe=seV&P*1Iq=^i`502keY8Uy-WNPwVNNtJFx?IwAyRPZo2Wo1+S(xF37LJZ~%i)kpFQ3Fw=mXfd@>%+)RpYQLnr}B~~zoof(JVm^^&f zxKV^+3D3$A1G;qh4gPVjhrC8e(VYUHv#dy^)(RoUFM?o%W-EHxufuWf(l*@-l+7vt z=l`qmR56K~F|v<^Pd*p~1_y^P0P^aPC##d8+HqX4IR1gu+7w#~TBFphJxF)T$2WEa zxa?H&6=Qe7d(#tha?_1uQys2KtHQ{)Qco)qwGjrdNL7thd^G5i8Os)CHqc>iOidS} z%nFEDdm=GXBw=yXe1W-ShHHFb?Cc70+$W~z_+}nAoHFYI1MV1wZegw*0y^tC*s%3h zhD3tN8b=Gv&rj}!SUM6|ajSPp*58KR7MPpI{oAJCtY~JECm)*m_x>AZEu>DFgUcby z1Qaw8lU4jZpQ_$;*7RME+gq1KySGG#Wql>aL~k9tLrSO()LWn*q&YxHEuzmwd1?aAtI zBJ>P=&$=l1efe1CDU;`Fd+_;&wI07?V0aAIgc(!{a z0Jg6Y=inXc3^n!U0Atk`iCFIQooHqcWhO(qrieUOW8X(x?(RD}iYDLMjSwffH2~tB z)oDgNBLB^AJBM1M^c5HdRx6fBfka`(LD-qrlh5jqH~);#nw|iyp)()xVYak3;Ybik z0j`(+69aK*B>)e_p%=wu8XC&9e{AO4c~O1U`5X9}?0mrd*m$_EUek{R?DNSh(=br# z#Q61gBzEpmy`$pA*6!87 zSDD+=@fTY7<4A?GLqpA?Pb2z$pbCc4B4zL{BeZ?F-8`s$?>*lXXtn*NC61>|*w7J* z$?!iB{6R-0=KFmyp1nnEmLsA-H0a6l+1uaH^g%c(p{iT&YFrbQ$&PRb8Up#X3@Zsk zD^^&LK~111%cqlP%!_gFNa^dTYT?rhkGl}5=fL{a`UViaXWI$k-UcHJwmaH1s=S$4 z%4)PdWJX;hh5UoK?6aWoyLxX&NhNRqKam7tcOkLh{%j3K^4Mgx1@i|Pi&}<^5>hs5 zm8?uOS>%)NzT(%PjVPGa?X%`N2TQCKbeH2l;cTnHiHppPSJ<7y-yEIiC!P*ikl&!B z%+?>VttCOQM@ShFguHVjxX^?mHX^hSaO_;pnyh^v9EumqSZTi+#f&_Vaija0Q-e*| z7ulQj6Fs*bbmsWp{`auM04gGwsYYdNNZcg|ph0OgD>7O}Asn7^Z=eI>`$2*v78;sj-}oMoEj&@)9+ycEOo92xSyY344^ z11Hb8^kdOvbf^GNAK++bYioknrpdN>+u8R?JxG=!2Kd9r=YWCOJYXYuM0cOq^FhEd 
zBg2puKy__7VT3-r*dG4c62Wgxi52EMCQ`bKgf*#*ou(D4-ZN$+mg&7$u!! z-^+Z%;-3IDwqZ|K=ah85OLwkO zKxNBh+4QHh)u9D?MFtpbl)us}9+V!D%w9jfAMYEb>%$A;u)rrI zuBudh;5PN}_6J_}l55P3l_)&RMlH{m!)ai-i$g)&*M`eN$XQMw{v^r@-125^RRCF0 z^2>|DxhQw(mtNEI2Kj(;KblC7x=JlK$@78`O~>V!`|1Lm-^JR$-5pUANAnb(5}B}JGjBsliK4& zk6y(;$e&h)lh2)L=bvZKbvh@>vLlreBdH8No2>$#%_Wp1U0N7Ank!6$dFSi#xzh|( zRi{Uw%-4W!{IXZ)fWx@XX6;&(m_F%c6~X8hx=BN1&q}*( zoaNjWabE{oUPb!Bt$eyd#$5j9rItB-h*5JiNi(v^e|XKAj*8(k<5-2$&ZBR5fF|JA z9&m4fbzNQnAU}r8ab>fFV%J0z5awe#UZ|bz?Ur)U9bCIKWEzi2%A+5CLqh?}K4JHi z4vtM;+uPsVz{Lfr;78W78gC;z*yTch~4YkLr&m-7%-xc ztw6Mh2d>_iO*$Rd8(-Cr1_V8EO1f*^@wRoSozS) zy1UoC@pruAaC8Z_7~_w4Q6n*&B0AjOmMWa;sIav&gu z|J5&|{=a@vR!~k-OjKEgPFCzcJ>#A1uL&7xTDn;{XBdeM}V=l3B8fE1--DHjSaxoSjNKEM9|U9#m2<3>n{Iuo`r3UZp;>GkT2YBNAh|b z^jTq-hJp(ebZh#Lk8hVBP%qXwv-@vbvoREX$TqRGTgEi$%_F9tZES@z8Bx}$#5eeG zk^UsLBH{bc2VBW)*EdS({yw=?qmevwi?BL6*=12k9zM5gJv1>y#ML4!)iiPzVaH9% zgSImetD@dam~e>{LvVh!phhzpW+iFvWpGT#CVE5TQ40n%F|p(sP5mXxna+Ev7PDwA zamaV4m*^~*xV+&p;W749xhb_X=$|LD;FHuB&JL5?*Y2-oIT(wYY2;73<^#46S~Gx| z^cez%V7x$81}UWqS13Gz80379Rj;6~WdiXWOSsdmzY39L;Hg3MH43o*y8ibNBBH`(av4|u;YPq%{R;IuYow<+GEsf@R?=@tT@!}?#>zIIn0CoyV!hq3mw zHj>OOjfJM3F{RG#6ujzo?y32m^tgSXf@v=J$ELdJ+=5j|=F-~hP$G&}tDZsZE?5rX ztGj`!S>)CFmdkccxM9eGIcGnS2AfK#gXwj%esuIBNJQP1WV~b~+D7PJTmWGTSDrR` zEAu4B8l>NPuhsk5a`rReSya2nfV1EK01+G!x8aBdTs3Io$u5!6n6KX%uv@DxAp3F@{4UYg4SWJtQ-W~0MDb|j-$lwVn znAm*Pl!?Ps&3wO=R115RWKb*JKoexo*)uhhHBncEDMSVa_PyA>k{Zm2(wMQ(5NM3# z)jkza|GoWEQo4^s*wE(gHz?Xsg4`}HUAcs42cM1-qq_=+=!Gk^y710j=66(cSWqUe zklbm8+zB_syQv5A2rj!Vbw8;|$@C!vfNmNV!yJIWDQ>{+2x zKjuFX`~~HKG~^6h5FntRpnnHt=D&rq0>IJ9#F0eM)Y-)GpRjiN7gkA8wvnG#K=q{q z9dBn8_~wm4J<3J_vl|9H{7q6u2A!cW{bp#r*-f{gOV^e=8S{nc1DxMHFwuM$;aVI^ zz6A*}m8N-&x8;aunp1w7_vtB*pa+OYBw=TMc6QK=mbA-|Cf* zvyh8D4LRJImooUaSb7t*fVfih<97Gf@VE0|z>NcBwBQze);Rh!k3K_sfunToZY;f2 z^HmC4KjHRVg+eKYj;PRN^|E0>Gj_zagfRbrki68I^#~6-HaHg3BUW%+clM1xQEdPYt_g<2K+z!$>*$9nQ>; zf9Bei{?zY^-e{q_*|W#2rJG`2fy@{%6u0i_VEWTq$*(ZN37|8lFFFt)nCG({r!q#9 
z5VK_kkSJ3?zOH)OezMT{!YkCuSSn!K#-Rhl$uUM(bq*jY? zi1xbMVthJ`E>d>(f3)~fozjg^@eheMF6<)I`oeJYx4*+M&%c9VArn(OM-wp%M<-`x z7sLP1&3^%Nld9Dhm@$3f2}87!quhI@nwd@3~fZl_3LYW-B?Ia>ui`ELg z&Qfe!7m6ze=mZ`Ia9$z|ARSw|IdMpooY4YiPN8K z4B(ts3p%2i(Td=tgEHX z0UQ_>URBtG+-?0E;E7Ld^dyZ;jjw0}XZ(}-QzC6+NN=40oDb2^v!L1g9xRvE#@IBR zO!b-2N7wVfLV;mhEaXQ9XAU+>=XVA6f&T4Z-@AX!leJ8obP^P^wP0aICND?~w&NykJ#54x3_@r7IDMdRNy4Hh;h*!u(Ol(#0bJdwEo$5437-UBjQ+j=Ic>Q2z` zJNDf0yO6@mr6y1#n3)s(W|$iE_i8r@Gd@!DWDqZ7J&~gAm1#~maIGJ1sls^gxL9LLG_NhU!pTGty!TbhzQnu)I*S^54U6Yu%ZeCg`R>Q zhBv$n5j0v%O_j{QYWG!R9W?5_b&67KB$t}&e2LdMvd(PxN6Ir!H4>PNlerpBL>Zvyy!yw z-SOo8caEpDt(}|gKPBd$qND5#a5nju^O>V&;f890?yEOfkSG^HQVmEbM3Ugzu+UtH zC(INPDdraBN?P%kE;*Ae%Wto&sgw(crfZ#Qy(<4nk;S|hD3j{IQRI6Yq|f^basLY; z-HB&Je%Gg}Jt@={_C{L$!RM;$$|iD6vu#3w?v?*;&()uB|I-XqEKqZPS!reW9JkLewLb!70T7n`i!gNtb1%vN- zySZj{8-1>6E%H&=V}LM#xmt`J3XQoaD|@XygXjdZ1+P77-=;=eYpoEQ01B@L*a(uW zrZeZz?HJsw_4g0vhUgkg@VF8<-X$B8pOqCuWAl28uB|@r`19DTUQQsb^pfqB6QtiT z*`_UZ`fT}vtUY#%sq2{rchyfu*pCg;uec2$-$N_xgjZcoumE5vSI{+s@iLWoz^Mf; zuI8kDP{!XY6OP~q5}%1&L}CtfH^N<3o4L@J@zg1-mt{9L`s^z$Vgb|mr{@WiwAqKg zp#t-lhrU>F8o0s1q_9y`gQNf~Vb!F%70f}$>i7o4ho$`uciNf=xgJ>&!gSt0g;M>*x4-`U)ysFW&Vs^Vk6m%?iuWU+o&m(2Jm26Y(3%TL; zA7T)BP{WS!&xmxNw%J=$MPfn(9*^*TV;$JwRy8Zl*yUZi8jWYF>==j~&S|Xinsb%c z2?B+kpet*muEW7@AzjBA^wAJBY8i|#C{WtO_or&Nj2{=6JTTX05}|H>N2B|Wf!*3_ z7hW*j6p3TvpghEc6-wufFiY!%-GvOx*bZrhZu+7?iSrZL5q9}igiF^*R3%DE4aCHZ zqu>xS8LkW+Auv%z-<1Xs92u23R$nk@Pk}MU5!gT|c7vGlEA%G^2th&Q*zfg%-D^=f z&J_}jskj|Q;73NP4<4k*Y%pXPU2Thoqr+5uH1yEYM|VtBPW6lXaetokD0u z9qVek6Q&wk)tFbQ8(^HGf3Wp16gKmr>G;#G(HRBx?F`9AIRboK+;OfHaLJ(P>IP0w zyTbTkx_THEOs%Q&aPrxbZrJlio+hCC_HK<4%f3ZoSAyG7Dn`=X=&h@m*|UYO-4Hq0 z-Bq&+Ie!S##4A6OGoC~>ZW`Y5J)*ouaFl_e9GA*VSL!O_@xGiBw!AF}1{tB)z(w%c zS1Hmrb9OC8>0a_$BzeiN?rkPLc9%&;1CZW*4}CDDNr2gcl_3z+WC15&H1Zc2{o~i) z)LLW=WQ{?ricmC`G1GfJ0Yp4Dy~Ba;j6ZV4r{8xRs`13{dD!xXmr^Aga|C=iSmor% z8hi|pTXH)5Yf&v~exp3o+sY4B^^b*eYkkCYl*T{*=-0HniSA_1F53eCb{x~1k3*`W zr~};p1A`k{1DV9=UPnLDgz{aJH=-LQo<5%+Em!DNN252xwIf*wF_zS^!(XSm(9eoj 
z=*dXG&n0>)_)N5oc6v!>-bd(2ragD8O=M|wGW z!xJQS<)u70m&6OmrF0WSsr@I%T*c#Qo#Ha4d3COcX+9}hM5!7JIGF>7<~C(Ear^Sn zm^ZFkV6~Ula6+8S?oOROOA6$C&q&dp`>oR-2Ym3(HT@O7Sd5c~+kjrmM)YmgPH*tL zX+znN>`tv;5eOfX?h{AuX^LK~V#gPCu=)Tigtq9&?7Xh$qN|%A$?V*v=&-2F$zTUv z`C#WyIrChS5|Kgm_GeudCFf;)!WH7FI60j^0o#65o6`w*S7R@)88n$1nrgU(oU0M9 zx+EuMkC>(4j1;m6NoGqEkpJYJ?vc|B zOlwT3t&UgL!pX_P*6g36`ZXQ; z9~Cv}ANFnJGp(;ZhS(@FT;3e)0)Kp;h^x;$*xZn*k0U6-&FwI=uOGaODdrsp-!K$Ac32^c{+FhI-HkYd5v=`PGsg%6I`4d9Jy)uW0y%) zm&j^9WBAp*P8#kGJUhB!L?a%h$hJgQrx!6KCB_TRo%9{t0J7KW8!o1B!NC)VGLM5! zpZy5Jc{`r{1e(jd%jsG7k%I+m#CGS*BPA65ZVW~fLYw0dA-H_}O zrkGFL&P1PG9p2(%QiEWm6x;U-U&I#;Em$nx-_I^wtgw3xUPVVu zqSuKnx&dIT-XT+T10p;yjo1Y)z(x1fb8Dzfn8e yu?e%!_ptzGB|8GrCfu%p?(_ zQccdaaVK$5bz;*rnyK{_SQYM>;aES6Qs^lj9lEs6_J+%nIiuQC*fN;z8md>r_~Mfl zU%p5Dt_YT>gQqfr@`cR!$NWr~+`CZb%dn;WtzrAOI>P_JtsB76PYe*<%H(y>qx-`Kq!X_; z<{RpAqYhE=L1r*M)gNF3B8r(<%8mo*SR2hu zccLRZwGARt)Hlo1euqTyM>^!HK*!Q2P;4UYrysje@;(<|$&%vQekbn|0Ruu_Io(w4#%p6ld2Yp7tlA`Y$cciThP zKzNGIMPXX%&Ud0uQh!uQZz|FB`4KGD?3!ND?wQt6!n*f4EmCoJUh&b?;B{|lxs#F- z31~HQ`SF4x$&v00@(P+j1pAaj5!s`)b2RDBp*PB=2IB>oBF!*6vwr7Dp%zpAx*dPr zb@Zjq^XjN?O4QcZ*O+8>)|HlrR>oD*?WQl5ri3R#2?*W6iJ>>kH%KnnME&TT@ZzrHS$Q%LC?n|e>V+D+8D zYc4)QddFz7I8#}y#Wj6>4P%34dZH~OUDb?uP%-E zwjXM(?Sg~1!|wI(RVuxbu)-rH+O=igSho_pDCw(c6b=P zKk4ATlB?bj9+HHlh<_!&z0rx13K3ZrAR8W)!@Y}o`?a*JJsD+twZIv`W)@Y?Amu_u zz``@-e2X}27$i(2=9rvIu5uTUOVhzwu%mNazS|lZb&PT;XE2|B&W1>=B58#*!~D&) zfVmJGg8UdP*fx(>Cj^?yS^zH#o-$Q-*$SnK(ZVFkw+er=>N^7!)FtP3y~Xxnu^nzY zikgB>Nj0%;WOltWIob|}%lo?_C7<``a5hEkx&1ku$|)i>Rh6@3h*`slY=9U}(Ql_< zaNG*J8vb&@zpdhAvv`?{=zDedJ23TD&Zg__snRAH4eh~^oawdYi6A3w8<Ozh@Kw)#bdktM^GVb zrG08?0bG?|NG+w^&JvD*7LAbjED{_Zkc`3H!My>0u5Q}m!+6VokMLXxl`Mkd=g&Xx z-a>m*#G3SLlhbKB!)tnzfWOBV;u;ftU}S!NdD5+YtOjLg?X}dl>7m^gOpihrf1;PY zvll&>dIuUGs{Qnd- zwIR3oIrct8Va^Tm0t#(bJD7c$Z7DO9*7NnRZorrSm`b`cxz>OIC;jSE3DO8`hX955ui`s%||YQtt2 z5DNA&pG-V+4oI2s*x^>-$6J?p=I>C|9wZF8z;VjR??Icg?1w2v5Me+FgAeGGa8(3S z4vg*$>zC-WIVZtJ7}o9{D-7d>zCe|z#<9>CFve-OPAYsneTb^JH!Enaza#j}^mXy1 
z+ULn^10+rWLF6j2>Ya@@Kq?26>AqK{A_| zQKb*~F1>sE*=d?A?W7N2j?L09_7n+HGi{VY;MoTGr_)G9)ot$p!-UY5zZ2Xtbm=t z@dpPSGwgH=QtIcEulQNI>S-#ifbnO5EWkI;$A|pxJd885oM+ zGZ0_0gDvG8q2xebj+fbCHYfAXuZStH2j~|d^sBAzo46(K8n59+T6rzBwK)^rfPT+B zyIFw)9YC-V^rhtK`!3jrhmW-sTmM+tPH+;nwjL#-SjQPUZ53L@A>y*rt(#M(qsiB2 zx6B)dI}6Wlsw%bJ8h|(lhkJVogQZA&n{?Vgs6gNSXzuZpEyu*xySy8ro07QZ7Vk1!3tJphN_5V7qOiyK8p z#@jcDD8nmtYi1^l8ml;AF<#IPK?!pqf9D4moYk>d99Im}Jtwj6c#+A;f)CQ*f-hZ< z=p_T86jog%!p)D&5g9taSwYi&eP z#JuEK%+NULWus;0w32-SYFku#i}d~+{Pkho&^{;RxzP&0!RCm3-9K6`>KZpnzS6?L z^H^V*s!8<>x8bomvD%rh>Zp3>Db%kyin;qtl+jAv8Oo~1g~mqGAC&Qi_wy|xEt2iz zWAJEfTV%cl2Cs<1L&DLRVVH05EDq`pH7Oh7sR`NNkL%wi}8n>IXcO40hp+J+sC!W?!krJf!GJNE8uj zg-y~Ns-<~D?yqbzVRB}G>0A^f0!^N7l=$m0OdZuqAOQqLc zX?AEGr1Ht+inZ-Qiwnl@Z0qukd__a!C*CKuGdy5#nD7VUBM^6OCpxCa2A(X;e0&V4 zM&WR8+wErQ7UIc6LY~Q9x%Sn*Tn>>P`^t&idaOEnOd(Ufw#>NoR^1QdhJ8s`h^|R_ zXX`c5*O~Xdvh%q;7L!_!ohf$NfEBmCde|#uVZvEo>OfEq%+Ns7&_f$OR9xsihRpBb z+cjk8LyDm@U{YN>+r46?nn{7Gh(;WhFw6GAxtcKD+YWV?uge>;+q#Xx4!GpRkVZYu zzsF}1)7$?%s9g9CH=Zs+B%M_)+~*j3L0&Q9u7!|+T`^O{xE6qvAP?XWv9_MrZKdo& z%IyU)$Q95AB4!#hT!_dA>4e@zjOBD*Y=XjtMm)V|+IXzjuM;(l+8aA5#Kaz_$rR6! zj>#&^DidYD$nUY(D$mH`9eb|dtV0b{S>H6FBfq>t5`;OxA4Nn{J(+XihF(stSche7$es&~N$epi&PDM_N`As;*9D^L==2Q7Z2zD+CiU(|+-kL*VG+&9!Yb3LgPy?A zm7Z&^qRG_JIxK7-FBzZI3Q<;{`DIxtc48k> zc|0dmX;Z=W$+)qE)~`yn6MdoJ4co;%!`ddy+FV538Y)j(vg}5*k(WK)KWZ3WaOG!8 z!syGn=s{H$odtpqFrT#JGM*utN7B((abXnpDM6w56nhw}OY}0TiTG1#f*VFZr+^-g zbP10`$LPq_;PvrA1XXlyx2uM^mrjTzX}w{yuLo-cOClE8MMk47T25G8M!9Z5ypOSV zAJUBGEg5L2fY)ZGJb^E34R2zJ?}Vf>{~gB!8=5Z) z9y$>5c)=;o0HeHHSuE4U)#vG&KF|I%-cF6f$~pdYJWk_dD}iOA>iA$O$+4%@>JU08 zS`ep)$XLPJ+n0_i@PkF#ri6T8?ZeAot$6JIYHm&P6EB=BiaNY|aA$W0I+nz*zkz_z zkEru!tj!QUffq%)8y0y`T&`fuus-1p>=^hnBiBqD^hXrPs`PY9tU3m0np~rISY09> z`P3s=-kt_cYcxWd{de@}TwSqg*xVhp;E9zCsnXo6z z?f&Sv^U7n4`xr=mXle94HzOdN!2kB~4=%)u&N!+2;z6UYKUDqi-s6AZ!haB;@&B`? 
z_TRX0%@suz^TRdCb?!vNJYPY8L_}&07uySH9%W^Tc&1pia6y1q#?*Drf}GjGbPjBS zbOPcUY#*$3sL2x4v_i*Y=N7E$mR}J%|GUI(>WEr+28+V z%v5{#e!UF*6~G&%;l*q*$V?&r$Pp^sE^i-0$+RH3ERUUdQ0>rAq2(2QAbG}$y{de( z>{qD~GGuOk559Y@%$?N^1ApVL_a704>8OD%8Y%8B;FCt%AoPu8*D1 zLB5X>b}Syz81pn;xnB}%0FnwazlWfUV)Z-~rZg6~b z6!9J$EcE&sEbzcy?CI~=boWA&eeIa%z(7SE^qgVLz??1Vbc1*aRvc%Mri)AJaAG!p z$X!_9Ds;Zz)f+;%s&dRcJt2==P{^j3bf0M=nJd&xwUGlUFn?H=2W(*2I2Gdu zv!gYCwM10aeus)`RIZSrCK=&oKaO_Ry~D1B5!y0R=%!i2*KfXGYX&gNv_u+n9wiR5 z*e$Zjju&ODRW3phN925%S(jL+bCHv6rZtc?!*`1TyYXT6%Ju=|X;6D@lq$8T zW{Y|e39ioPez(pBH%k)HzFITXHvnD6hw^lIoUMA;qAJ^CU?top1fo@s7xT13Fvn1H z6JWa-6+FJF#x>~+A;D~;VDs26>^oH0EI`IYT2iagy23?nyJ==i{g4%HrAf1-*v zK1)~@&(KkwR7TL}L(A@C_S0G;-GMDy=MJn2$FP5s<%wC)4jC5PXoxrQBFZ_k0P{{s@sz+gX`-!=T8rcB(=7vW}^K6oLWMmp(rwDh}b zwaGGd>yEy6fHv%jM$yJXo5oMAQ>c9j`**}F?MCry;T@47@r?&sKHgVe$MCqk#Z_3S z1GZI~nOEN*P~+UaFGnj{{Jo@16`(qVNtbU>O0Hf57-P>x8Jikp=`s8xWs^dAJ9lCQ z)GFm+=OV%AMVqVATtN@|vp61VVAHRn87}%PC^RAzJ%JngmZTasWBAWsoAqBU+8L8u z4A&Pe?fmTm0?mK-BL9t+{y7o(7jm+RpOhL9KnY#E&qu^}B6=K_dB}*VlSEiC9fn)+V=J;OnN)Ta5v66ic1rG+dGAJ1 z1%Zb_+!$=tQ~lxQrzv3x#CPb?CekEkA}0MYSgx$Jdd}q8+R=ma$|&1a#)TQ=l$1tQ z=tL9&_^vJ)Pk}EDO-va`UCT1m#Uty1{v^A3P~83_#v^ozH}6*9mIjIr;t3Uv%@VeW zGL6(CwCUp)Jq%G0bIG%?{_*Y#5IHf*5M@wPo6A{$Um++Co$wLC=J1aoG93&T7Ho}P z=mGEPP7GbvoG!uD$k(H3A$Z))+i{Hy?QHdk>3xSBXR0j!11O^mEe9RHmw!pvzv?Ua~2_l2Yh~_!s1qS`|0~0)YsbHSz8!mG)WiJE| z2f($6TQtt6L_f~ApQYQKSb=`053LgrQq7G@98#igV>y#i==-nEjQ!XNu9 z~;mE+gtj4IDDNQJ~JVk5Ux6&LCSFL!y=>79kE9=V}J7tD==Ga+IW zX)r7>VZ9dY=V&}DR))xUoV!u(Z|%3ciQi_2jl}3=$Agc(`RPb z8kEBpvY>1FGQ9W$n>Cq=DIpski};nE)`p3IUw1Oz0|wxll^)4dq3;CCY@RyJgFgc# zKouFh!`?Xuo{IMz^xi-h=StCis_M7yq$u) z?XHvw*HP0VgR+KR6wI)jEMX|ssqYvSf*_3W8zVTQzD?3>H!#>InzpSO)@SC8q*ii- z%%h}_#0{4JG;Jm`4zg};BPTGkYamx$Xo#O~lBirRY)q=5M45n{GCfV7h9qwyu1NxOMoP4)jjZMxmT|IQQh0U7C$EbnMN<3)Kk?fFHYq$d|ICu>KbY_hO zTZM+uKHe(cIZfEqyzyYSUBZa8;Fcut-GN!HSA9ius`ltNebF46ZX_BbZNU}}ZOm{M2&nANL9@0qvih15(|`S~z}m&h!u4x~(%MAO$jHRWNfuxWF#B)E&g3ghSQ9|> 
z(MFaLQj)NE0lowyjvg8z0#m6FIuKE9lDO~Glg}nSb7`~^&#(Lw{}GVOS>U)m8bF}x zVjbXljBm34Cs-yM6TVusr+3kYFjr28STT3g056y3cH5Tmge~ASxBj z%|yb>$eF;WgrcOZf569sDZOVwoo%8>XO>XQOX1OyN9I-SQgrm;U;+#3OI(zrWyow3 zk==|{lt2xrQ%FIXOTejR>;wv(Pb8u8}BUpx?yd(Abh6? zsoO3VYWkeLnF43&@*#MQ9-i-d0t*xN-UEyNKeyNMHw|A(k(_6QKO=nKMCxD(W(Yop zsRQ)QeL4X3Lxp^L%wzi2-WVSsf61dqliPUM7srDB?Wm6Lzn0&{*}|IsKQW;02(Y&| zaTKv|`U(pSzuvR6Rduu$wzK_W-Y-7>7s?G$)U}&uK;<>vU}^^ns@Z!p+9?St1s)dG zK%y6xkPyyS1$~&6v{kl?Md6gwM|>mt6Upm>oa8RLD^8T{0?HC!Z>;(Bob7el(DV6x zi`I)$&E&ngwFS@bi4^xFLAn`=fzTC;aimE^!cMI2n@Vo%Ae-ne`RF((&5y6xsjjAZ zVguVoQ?Z9uk$2ON;ersE%PU*xGO@T*;j1BO5#TuZKEf(mB7|g7pcEA=nYJ{s3vlbg zd4-DUlD{*6o%Gc^N!Nptgay>j6E5;3psI+C3Q!1ZIbeCubW%w4pq9)MSDyB{HLm|k zxv-{$$A*pS@csolri$Ge<4VZ}e~78JOL-EVyrbxKra^d{?|NnPp86!q>t<&IP07?Z z^>~IK^k#OEKgRH+LjllZXk7iA>2cfH6+(e&9ku5poo~6y{GC5>(bRK7hwjiurqAiZ zg*DmtgY}v83IjE&AbiWgMyFbaRUPZ{lYiz$U^&Zt2YjG<%m((&_JUbZcfJ22(>bi5 z!J?<7AySj0JZ&<-qXX;mcV!f~>G=sB0KnjWca4}vrtunD^1TrpfeS^4dvFr!65knK zZh`d;*VOkPs4*-9kL>$GP0`(M!j~B;#x?Ba~&s6CopvO86oM?-? zOw#dIRc;6A6T?B`Qp%^<U5 z19x(ywSH$_N+Io!6;e?`tWaM$`=Db!gzx|lQ${DG!zb1Zl&|{kX0y6xvO1o z220r<-oaS^^R2pEyY;=Qllqpmue|5yI~D|iI!IGt@iod{Opz@*ml^w2bNs)p`M(Io z|E;;m*Xpjd9l)4G#KaWfV(t8YUn@A;nK^#xgv=LtnArX|vWQVuw3}B${h+frU2>9^ z!l6)!Uo4`5k`<<;E(ido7M6lKTgWezNLq>U*=uz&s=cc$1%>VrAeOoUtA|T6gO4>UNqsdK=NF*8|~*sl&wI=x9-EGiq*aqV!(VVXA57 zw9*o6Ir8Lj1npUXvlevtn(_+^X5rzdR>#(}4YcB9O50q97%rW2me5_L=%ffYPUSRc z!vv?Kv>dH994Qi>U(a<0KF6NH5b16enCp+mw^Hb3Xs1^tThFpz!3QuN#}KBbww`(h z7GO)1olDqy6?T$()R7y%NYx*B0k_2IBiZ14&8|JPFxeMF{vSTxF-Vi3+ZOI=Thq2} zyQgjYY1_7^ZQHh{?P))4+qUiQJLi1&{yE>h?~jU%tjdV0h|FENbM3X(KnJdPKc?~k zh=^Ixv*+smUll!DTWH!jrV*wSh*(mx0o6}1@JExzF(#9FXgmTXVoU+>kDe68N)dkQ zH#_98Zv$}lQwjKL@yBd;U(UD0UCl322=pav<=6g>03{O_3oKTq;9bLFX1ia*lw;#K zOiYDcBJf)82->83N_Y(J7Kr_3lE)hAu;)Q(nUVydv+l+nQ$?|%MWTy`t>{havFSQloHwiIkGK9YZ79^9?AZo0ZyQlVR#}lF%dn5n%xYksXf8gnBm=wO7g_^! 
zauQ-bH1Dc@3ItZ-9D_*pH}p!IG7j8A_o94#~>$LR|TFq zZ-b00*nuw|-5C2lJDCw&8p5N~Z1J&TrcyErds&!l3$eSz%`(*izc;-?HAFD9AHb-| z>)id`QCrzRws^9(#&=pIx9OEf2rmlob8sK&xPCWS+nD~qzU|qG6KwA{zbikcfQrdH z+ zQg>O<`K4L8rN7`GJB0*3<3`z({lWe#K!4AZLsI{%z#ja^OpfjU{!{)x0ZH~RB0W5X zTwN^w=|nA!4PEU2=LR05x~}|B&ZP?#pNgDMwD*ajI6oJqv!L81gu=KpqH22avXf0w zX3HjbCI!n9>l046)5rr5&v5ja!xkKK42zmqHzPx$9Nn_MZk`gLeSLgC=LFf;H1O#B zn=8|^1iRrujHfbgA+8i<9jaXc;CQBAmQvMGQPhFec2H1knCK2x!T`e6soyrqCamX% zTQ4dX_E*8so)E*TB$*io{$c6X)~{aWfaqdTh=xEeGvOAN9H&-t5tEE-qso<+C!2>+ zskX51H-H}#X{A75wqFe-J{?o8Bx|>fTBtl&tcbdR|132Ztqu5X0i-pisB-z8n71%q%>EF}yy5?z=Ve`}hVh{Drv1YWL zW=%ug_&chF11gDv3D6B)Tz5g54H0mDHNjuKZ+)CKFk4Z|$RD zfRuKLW`1B>B?*RUfVd0+u8h3r-{@fZ{k)c!93t1b0+Q9vOaRnEn1*IL>5Z4E4dZ!7 ztp4GP-^1d>8~LMeb}bW!(aAnB1tM_*la=Xx)q(I0Y@__Zd$!KYb8T2VBRw%e$iSdZ zkwdMwd}eV9q*;YvrBFTv1>1+}{H!JK2M*C|TNe$ZSA>UHKk);wz$(F$rXVc|sI^lD zV^?_J!3cLM;GJuBMbftbaRUs$;F}HDEDtIeHQ)^EJJ1F9FKJTGH<(Jj`phE6OuvE) zqK^K`;3S{Y#1M@8yRQwH`?kHMq4tHX#rJ>5lY3DM#o@or4&^_xtBC(|JpGTfrbGkA z2Tu+AyT^pHannww!4^!$5?@5v`LYy~T`qs7SYt$JgrY(w%C+IWA;ZkwEF)u5sDvOK zGk;G>Mh&elvXDcV69J_h02l&O;!{$({fng9Rlc3ID#tmB^FIG^w{HLUpF+iB`|
NnX)EH+Nua)3Y(c z&{(nX_ht=QbJ%DzAya}!&uNu!4V0xI)QE$SY__m)SAKcN0P(&JcoK*Lxr@P zY&P=}&B3*UWNlc|&$Oh{BEqwK2+N2U$4WB7Fd|aIal`FGANUa9E-O)!gV`((ZGCc$ zBJA|FFrlg~9OBp#f7aHodCe{6= zay$6vN~zj1ddMZ9gQ4p32(7wD?(dE>KA2;SOzXRmPBiBc6g`eOsy+pVcHu=;Yd8@{ zSGgXf@%sKKQz~;!J;|2fC@emm#^_rnO0esEn^QxXgJYd`#FPWOUU5b;9eMAF zZhfiZb|gk8aJIw*YLp4!*(=3l8Cp{(%p?ho22*vN9+5NLV0TTazNY$B5L6UKUrd$n zjbX%#m7&F#U?QNOBXkiiWB*_tk+H?N3`vg;1F-I+83{M2!8<^nydGr5XX}tC!10&e z7D36bLaB56WrjL&HiiMVtpff|K%|*{t*ltt^5ood{FOG0<>k&1h95qPio)2`eL${YAGIx(b4VN*~nKn6E~SIQUuRH zQ+5zP6jfnP$S0iJ@~t!Ai3o`X7biohli;E zT#yXyl{bojG@-TGZzpdVDXhbmF%F9+-^YSIv|MT1l3j zrxOFq>gd2%U}?6}8mIj?M zc077Zc9fq(-)4+gXv?Az26IO6eV`RAJz8e3)SC7~>%rlzDwySVx*q$ygTR5kW2ds- z!HBgcq0KON9*8Ff$X0wOq$`T7ml(@TF)VeoF}x1OttjuVHn3~sHrMB++}f7f9H%@f z=|kP_?#+fve@{0MlbkC9tyvQ_R?lRdRJ@$qcB(8*jyMyeME5ns6ypVI1Xm*Zr{DuS zZ!1)rQfa89c~;l~VkCiHI|PCBd`S*2RLNQM8!g9L6?n`^evQNEwfO@&JJRme+uopQX0%Jo zgd5G&#&{nX{o?TQwQvF1<^Cg3?2co;_06=~Hcb6~4XWpNFL!WU{+CK;>gH%|BLOh7@!hsa(>pNDAmpcuVO-?;Bic17R}^|6@8DahH)G z!EmhsfunLL|3b=M0MeK2vqZ|OqUqS8npxwge$w-4pFVXFq$_EKrZY?BuP@Az@(k`L z`ViQBSk`y+YwRT;&W| z2e3UfkCo^uTA4}Qmmtqs+nk#gNr2W4 zTH%hhErhB)pkXR{B!q5P3-OM+M;qu~f>}IjtF%>w{~K-0*jPVLl?Chz&zIdxp}bjx zStp&Iufr58FTQ36AHU)0+CmvaOpKF;W@sMTFpJ`j;3d)J_$tNQI^c<^1o<49Z(~K> z;EZTBaVT%14(bFw2ob@?JLQ2@(1pCdg3S%E4*dJ}dA*v}_a4_P(a`cHnBFJxNobAv zf&Zl-Yt*lhn-wjZsq<9v-IsXxAxMZ58C@e0!rzhJ+D@9^3~?~yllY^s$?&oNwyH!#~6x4gUrfxplCvK#!f z$viuszW>MFEcFL?>ux*((!L$;R?xc*myjRIjgnQX79@UPD$6Dz0jutM@7h_pq z0Zr)#O<^y_K6jfY^X%A-ip>P%3saX{!v;fxT-*0C_j4=UMH+Xth(XVkVGiiKE#f)q z%Jp=JT)uy{&}Iq2E*xr4YsJ5>w^=#-mRZ4vPXpI6q~1aFwi+lQcimO45V-JXP;>(Q zo={U`{=_JF`EQj87Wf}{Qy35s8r1*9Mxg({CvOt}?Vh9d&(}iI-quvs-rm~P;eRA@ zG5?1HO}puruc@S{YNAF3vmUc2B4!k*yi))<5BQmvd3tr}cIs#9)*AX>t`=~{f#Uz0 z0&Nk!7sSZwJe}=)-R^$0{yeS!V`Dh7w{w5rZ9ir!Z7Cd7dwZcK;BT#V0bzTt>;@Cl z#|#A!-IL6CZ@eHH!CG>OO8!%G8&8t4)Ro@}USB*k>oEUo0LsljsJ-%5Mo^MJF2I8- z#v7a5VdJ-Cd%(a+y6QwTmi+?f8Nxtm{g-+WGL>t;s#epv7ug>inqimZCVm!uT5Pf6 
ziEgQt7^%xJf#!aPWbuC_3Nxfb&CFbQy!(8ANpkWLI4oSnH?Q3f?0k1t$3d+lkQs{~(>06l&v|MpcFsyAv zin6N!-;pggosR*vV=DO(#+}4ps|5$`udE%Kdmp?G7B#y%H`R|i8skKOd9Xzx8xgR$>Zo2R2Ytktq^w#ul4uicxW#{ zFjG_RNlBroV_n;a7U(KIpcp*{M~e~@>Q#Av90Jc5v%0c>egEdY4v3%|K1XvB{O_8G zkTWLC>OZKf;XguMH2-Pw{BKbFzaY;4v2seZV0>^7Q~d4O=AwaPhP3h|!hw5aqOtT@ z!SNz}$of**Bl3TK209@F=Tn1+mgZa8yh(Png%Zd6Mt}^NSjy)etQrF zme*llAW=N_8R*O~d2!apJnF%(JcN??=`$qs3Y+~xs>L9x`0^NIn!8mMRFA_tg`etw z3k{9JAjnl@ygIiJcNHTy02GMAvBVqEss&t2<2mnw!; zU`J)0>lWiqVqo|ex7!+@0i>B~BSU1A_0w#Ee+2pJx0BFiZ7RDHEvE*ptc9md(B{&+ zKE>TM)+Pd>HEmdJao7U@S>nL(qq*A)#eLOuIfAS@j`_sK0UEY6OAJJ-kOrHG zjHx`g!9j*_jRcJ%>CE9K2MVf?BUZKFHY?EpV6ai7sET-tqk=nDFh-(65rhjtlKEY% z@G&cQ<5BKatfdA1FKuB=i>CCC5(|9TMW%K~GbA4}80I5%B}(gck#Wlq@$nO3%@QP_ z8nvPkJFa|znk>V92cA!K1rKtr)skHEJD;k8P|R8RkCq1Rh^&}Evwa4BUJz2f!2=MH zo4j8Y$YL2313}H~F7@J7mh>u%556Hw0VUOz-Un@ZASCL)y8}4XXS`t1AC*^>PLwIc zUQok5PFS=*#)Z!3JZN&eZ6ZDP^-c@StY*t20JhCnbMxXf=LK#;`4KHEqMZ-Ly9KsS zI2VUJGY&PmdbM+iT)zek)#Qc#_i4uH43 z@T5SZBrhNCiK~~esjsO9!qBpaWK<`>!-`b71Y5ReXQ4AJU~T2Njri1CEp5oKw;Lnm)-Y@Z3sEY}XIgSy%xo=uek(kAAH5MsV$V3uTUsoTzxp_rF=tx zV07vlJNKtJhCu`b}*#m&5LV4TAE&%KtHViDAdv#c^x`J7bg z&N;#I2GkF@SIGht6p-V}`!F_~lCXjl1BdTLIjD2hH$J^YFN`7f{Q?OHPFEM$65^!u zNwkelo*5+$ZT|oQ%o%;rBX$+?xhvjb)SHgNHE_yP%wYkkvXHS{Bf$OiKJ5d1gI0j< zF6N}Aq=(WDo(J{e-uOecxPD>XZ@|u-tgTR<972`q8;&ZD!cep^@B5CaqFz|oU!iFj zU0;6fQX&~15E53EW&w1s9gQQ~Zk16X%6 zjG`j0yq}4deX2?Tr(03kg>C(!7a|b9qFI?jcE^Y>-VhudI@&LI6Qa}WQ>4H_!UVyF z((cm&!3gmq@;BD#5P~0;_2qgZhtJS|>WdtjY=q zLnHH~Fm!cxw|Z?Vw8*~?I$g#9j&uvgm7vPr#&iZgPP~v~BI4jOv;*OQ?jYJtzO<^y z7-#C={r7CO810!^s(MT!@@Vz_SVU)7VBi(e1%1rvS!?PTa}Uv`J!EP3s6Y!xUgM^8 z4f!fq<3Wer_#;u!5ECZ|^c1{|q_lh3m^9|nsMR1#Qm|?4Yp5~|er2?W^7~cl;_r4WSme_o68J9p03~Hc%X#VcX!xAu%1`R!dfGJCp zV*&m47>s^%Ib0~-2f$6oSgn3jg8m%UA;ArcdcRyM5;}|r;)?a^D*lel5C`V5G=c~k zy*w_&BfySOxE!(~PI$*dwG><+-%KT5p?whOUMA*k<9*gi#T{h3DAxzAPxN&Xws8o9Cp*`PA5>d9*Z-ynV# z9yY*1WR^D8|C%I@vo+d8r^pjJ$>eo|j>XiLWvTWLl(^;JHCsoPgem6PvegHb-OTf| 
zvTgsHSa;BkbG=(NgPO|CZu9gUCGr$8*EoH2_Z#^BnxF0yM~t`|9ws_xZ8X8iZYqh! zAh;HXJ)3P&)Q0(&F>!LN0g#bdbis-cQxyGn9Qgh`q+~49Fqd2epikEUw9caM%V6WgP)532RMRW}8gNS%V%Hx7apSz}tn@bQy!<=lbhmAH=FsMD?leawbnP5BWM0 z5{)@EEIYMu5;u)!+HQWhQ;D3_Cm_NADNeb-f56}<{41aYq8p4=93d=-=q0Yx#knGYfXVt z+kMxlus}t2T5FEyCN~!}90O_X@@PQpuy;kuGz@bWft%diBTx?d)_xWd_-(!LmVrh**oKg!1CNF&LX4{*j|) zIvjCR0I2UUuuEXh<9}oT_zT#jOrJAHNLFT~Ilh9hGJPI1<5`C-WA{tUYlyMeoy!+U zhA#=p!u1R7DNg9u4|QfED-2TuKI}>p#2P9--z;Bbf4Op*;Q9LCbO&aL2i<0O$ByoI z!9;Ght733FC>Pz>$_mw(F`zU?`m@>gE`9_p*=7o=7av`-&ifU(^)UU`Kg3Kw`h9-1 z6`e6+im=|m2v`pN(2dE%%n8YyQz;#3Q-|x`91z?gj68cMrHl}C25|6(_dIGk*8cA3 zRHB|Nwv{@sP4W+YZM)VKI>RlB`n=Oj~Rzx~M+Khz$N$45rLn6k1nvvD^&HtsMA4`s=MmuOJID@$s8Ph4E zAmSV^+s-z8cfv~Yd(40Sh4JG#F~aB>WFoX7ykaOr3JaJ&Lb49=B8Vk-SQT9%7TYhv z?-Pprt{|=Y5ZQ1?od|A<_IJU93|l4oAfBm?3-wk{O<8ea+`}u%(kub(LFo2zFtd?4 zwpN|2mBNywv+d^y_8#<$r>*5+$wRTCygFLcrwT(qc^n&@9r+}Kd_u@Ithz(6Qb4}A zWo_HdBj#V$VE#l6pD0a=NfB0l^6W^g`vm^sta>Tly?$E&{F?TTX~DsKF~poFfmN%2 z4x`Dc{u{Lkqz&y!33;X}weD}&;7p>xiI&ZUb1H9iD25a(gI|`|;G^NwJPv=1S5e)j z;U;`?n}jnY6rA{V^ zxTd{bK)Gi^odL3l989DQlN+Zs39Xe&otGeY(b5>rlIqfc7Ap4}EC?j<{M=hlH{1+d zw|c}}yx88_xQr`{98Z!d^FNH77=u(p-L{W6RvIn40f-BldeF-YD>p6#)(Qzf)lfZj z?3wAMtPPp>vMehkT`3gToPd%|D8~4`5WK{`#+}{L{jRUMt zrFz+O$C7y8$M&E4@+p+oV5c%uYzbqd2Y%SSgYy#xh4G3hQv>V*BnuKQhBa#=oZB~w{azUB+q%bRe_R^ z>fHBilnRTUfaJ201czL8^~Ix#+qOHSO)A|xWLqOxB$dT2W~)e-r9;bm=;p;RjYahB z*1hegN(VKK+ztr~h1}YP@6cfj{e#|sS`;3tJhIJK=tVJ-*h-5y9n*&cYCSdg#EHE# zSIx=r#qOaLJoVVf6v;(okg6?*L_55atl^W(gm^yjR?$GplNP>BZsBYEf_>wM0Lc;T zhf&gpzOWNxS>m+mN92N0{;4uw`P+9^*|-1~$uXpggj4- z^SFc4`uzj2OwdEVT@}Q`(^EcQ_5(ZtXTql*yGzdS&vrS_w>~~ra|Nb5abwf}Y!uq6R5f&6g2ge~2p(%c< z@O)cz%%rr4*cRJ5f`n@lvHNk@lE1a*96Kw6lJ~B-XfJW%?&-y?;E&?1AacU@`N`!O z6}V>8^%RZ7SQnZ-z$(jsX`amu*5Fj8g!3RTRwK^`2_QHe;_2y_n|6gSaGyPmI#kA0sYV<_qOZc#-2BO%hX)f$s-Z3xlI!ub z^;3ru11DA`4heAu%}HIXo&ctujzE2!6DIGE{?Zs>2}J+p&C$rc7gJC35gxhflorvsb%sGOxpuWhF)dL_&7&Z99=5M0b~Qa;Mo!j&Ti_kXW!86N%n= zSC@6Lw>UQ__F&+&Rzv?gscwAz8IP!n63>SP)^62(HK98nGjLY2*e^OwOq`3O|C92? 
z;TVhZ2SK%9AGW4ZavTB9?)mUbOoF`V7S=XM;#3EUpR+^oHtdV!GK^nXzCu>tpR|89 zdD{fnvCaN^^LL%amZ^}-E+214g&^56rpdc@yv0b<3}Ys?)f|fXN4oHf$six)-@<;W&&_kj z-B}M5U*1sb4)77aR=@%I?|Wkn-QJVuA96an25;~!gq(g1@O-5VGo7y&E_srxL6ZfS z*R%$gR}dyONgju*D&?geiSj7SZ@ftyA|}(*Y4KbvU!YLsi1EDQQCnb+-cM=K1io78o!v*);o<XwjaQH%)uIP&Zm?)Nfbfn;jIr z)d#!$gOe3QHp}2NBak@yYv3m(CPKkwI|{;d=gi552u?xj9ObCU^DJFQp4t4e1tPzM zvsRIGZ6VF+{6PvqsplMZWhz10YwS={?`~O0Ec$`-!klNUYtzWA^f9m7tkEzCy<_nS z=&<(awFeZvt51>@o_~>PLs05CY)$;}Oo$VDO)?l-{CS1Co=nxjqben*O1BR>#9`0^ zkwk^k-wcLCLGh|XLjdWv0_Hg54B&OzCE^3NCP}~OajK-LuRW53CkV~Su0U>zN%yQP zH8UH#W5P3-!ToO-2k&)}nFe`t+mdqCxxAHgcifup^gKpMObbox9LFK;LP3}0dP-UW z?Zo*^nrQ6*$FtZ(>kLCc2LY*|{!dUn$^RW~m9leoF|@Jy|M5p-G~j%+P0_#orRKf8 zvuu5<*XO!B?1E}-*SY~MOa$6c%2cM+xa8}_8x*aVn~57v&W(0mqN1W`5a7*VN{SUH zXz98DDyCnX2EPl-`Lesf`=AQT%YSDb`$%;(jUTrNen$NPJrlpPDP}prI>Ml!r6bCT;mjsg@X^#&<}CGf0JtR{Ecwd&)2zuhr#nqdgHj+g2n}GK9CHuwO zk>oZxy{vcOL)$8-}L^iVfJHAGfwN$prHjYV0ju}8%jWquw>}_W6j~m<}Jf!G?~r5&Rx)!9JNX!ts#SGe2HzobV5); zpj@&`cNcO&q+%*<%D7za|?m5qlmFK$=MJ_iv{aRs+BGVrs)98BlN^nMr{V_fcl_;jkzRju+c-y?gqBC_@J0dFLq-D9@VN&-`R9U;nv$Hg?>$oe4N&Ht$V_(JR3TG^! 
zzJsbQbi zFE6-{#9{G{+Z}ww!ycl*7rRdmU#_&|DqPfX3CR1I{Kk;bHwF6jh0opI`UV2W{*|nn zf_Y@%wW6APb&9RrbEN=PQRBEpM(N1w`81s=(xQj6 z-eO0k9=Al|>Ej|Mw&G`%q8e$2xVz1v4DXAi8G};R$y)ww638Y=9y$ZYFDM$}vzusg zUf+~BPX>(SjA|tgaFZr_e0{)+z9i6G#lgt=F_n$d=beAt0Sa0a7>z-?vcjl3e+W}+ z1&9=|vC=$co}-Zh*%3588G?v&U7%N1Qf-wNWJ)(v`iO5KHSkC5&g7CrKu8V}uQGcfcz zmBz#Lbqwqy#Z~UzHgOQ;Q-rPxrRNvl(&u6ts4~0=KkeS;zqURz%!-ERppmd%0v>iRlEf+H$yl{_8TMJzo0 z>n)`On|7=WQdsqhXI?#V{>+~}qt-cQbokEbgwV3QvSP7&hK4R{Z{aGHVS3;+h{|Hz z6$Js}_AJr383c_+6sNR|$qu6dqHXQTc6?(XWPCVZv=)D#6_;D_8P-=zOGEN5&?~8S zl5jQ?NL$c%O)*bOohdNwGIKM#jSAC?BVY={@A#c9GmX0=T(0G}xs`-%f3r=m6-cpK z!%waekyAvm9C3%>sixdZj+I(wQlbB4wv9xKI*T13DYG^T%}zZYJ|0$Oj^YtY+d$V$ zAVudSc-)FMl|54n=N{BnZTM|!>=bhaja?o7s+v1*U$!v!qQ%`T-6fBvmdPbVmro&d zk07TOp*KuxRUSTLRrBj{mjsnF8`d}rMViY8j`jo~Hp$fkv9F_g(jUo#Arp;Xw0M$~ zRIN!B22~$kx;QYmOkos@%|5k)!QypDMVe}1M9tZfkpXKGOxvKXB!=lo`p?|R1l=tA zp(1}c6T3Fwj_CPJwVsYtgeRKg?9?}%oRq0F+r+kdB=bFUdVDRPa;E~~>2$w}>O>v=?|e>#(-Lyx?nbg=ckJ#5U6;RT zNvHhXk$P}m9wSvFyU3}=7!y?Y z=fg$PbV8d7g25&-jOcs{%}wTDKm>!Vk);&rr;O1nvO0VrU&Q?TtYVU=ir`te8SLlS zKSNmV=+vF|ATGg`4$N1uS|n??f}C_4Sz!f|4Ly8#yTW-FBfvS48Tef|-46C(wEO_%pPhUC5$-~Y?!0vFZ^Gu`x=m7X99_?C-`|h zfmMM&Y@zdfitA@KPw4Mc(YHcY1)3*1xvW9V-r4n-9ZuBpFcf{yz+SR{ zo$ZSU_|fgwF~aakGr(9Be`~A|3)B=9`$M-TWKipq-NqRDRQc}ABo*s_5kV%doIX7LRLRau_gd@Rd_aLFXGSU+U?uAqh z8qusWWcvgQ&wu{|sRXmv?sl=xc<$6AR$+cl& zFNh5q1~kffG{3lDUdvEZu5c(aAG~+64FxdlfwY^*;JSS|m~CJusvi-!$XR`6@XtY2 znDHSz7}_Bx7zGq-^5{stTRy|I@N=>*y$zz>m^}^{d&~h;0kYiq8<^Wq7Dz0w31ShO^~LUfW6rfitR0(=3;Uue`Y%y@ex#eKPOW zO~V?)M#AeHB2kovn1v=n^D?2{2jhIQd9t|_Q+c|ZFaWt+r&#yrOu-!4pXAJuxM+Cx z*H&>eZ0v8Y`t}8{TV6smOj=__gFC=eah)mZt9gwz>>W$!>b3O;Rm^Ig*POZP8Rl0f zT~o=Nu1J|lO>}xX&#P58%Yl z83`HRs5#32Qm9mdCrMlV|NKNC+Z~ z9OB8xk5HJ>gBLi+m@(pvpw)1(OaVJKs*$Ou#@Knd#bk+V@y;YXT?)4eP9E5{J%KGtYinNYJUH9PU3A}66c>Xn zZ{Bn0<;8$WCOAL$^NqTjwM?5d=RHgw3!72WRo0c;+houoUA@HWLZM;^U$&sycWrFd zE7ekt9;kb0`lps{>R(}YnXlyGY}5pPd9zBpgXeJTY_jwaJGSJQC#-KJqmh-;ad&F- z-Y)E>!&`Rz!HtCz>%yOJ|v(u7P*I$jqEY3}(Z-orn4 
zlI?CYKNl`6I){#2P1h)y(6?i;^z`N3bxTV%wNvQW+eu|x=kbj~s8rhCR*0H=iGkSj zk23lr9kr|p7#qKL=UjgO`@UnvzU)`&fI>1Qs7ubq{@+lK{hH* zvl6eSb9%yngRn^T<;jG1SVa)eA>T^XX=yUS@NCKpk?ovCW1D@!=@kn;l_BrG;hOTC z6K&H{<8K#dI(A+zw-MWxS+~{g$tI7|SfP$EYKxA}LlVO^sT#Oby^grkdZ^^lA}uEF zBSj$weBJG{+Bh@Yffzsw=HyChS(dtLE3i*}Zj@~!_T-Ay7z=B)+*~3|?w`Zd)Co2t zC&4DyB!o&YgSw+fJn6`sn$e)29`kUwAc+1MND7YjV%lO;H2}fNy>hD#=gT ze+-aFNpyKIoXY~Vq-}OWPBe?Rfu^{ps8>Xy%42r@RV#*QV~P83jdlFNgkPN=T|Kt7 zV*M`Rh*30&AWlb$;ae130e@}Tqi3zx2^JQHpM>j$6x`#{mu%tZlwx9Gj@Hc92IuY* zarmT|*d0E~vt6<+r?W^UW0&#U&)8B6+1+;k^2|FWBRP9?C4Rk)HAh&=AS8FS|NQaZ z2j!iZ)nbEyg4ZTp-zHwVlfLC~tXIrv(xrP8PAtR{*c;T24ycA-;auWsya-!kF~CWZ zw_uZ|%urXgUbc@x=L=_g@QJ@m#5beS@6W195Hn7>_}z@Xt{DIEA`A&V82bc^#!q8$ zFh?z_Vn|ozJ;NPd^5uu(9tspo8t%&-U9Ckay-s@DnM*R5rtu|4)~e)`z0P-sy?)kc zs_k&J@0&0!q4~%cKL)2l;N*T&0;mqX5T{Qy60%JtKTQZ-xb%KOcgqwJmb%MOOKk7N zgq})R_6**{8A|6H?fO+2`#QU)p$Ei2&nbj6TpLSIT^D$|`TcSeh+)}VMb}LmvZ{O| ze*1IdCt3+yhdYVxcM)Q_V0bIXLgr6~%JS<<&dxIgfL=Vnx4YHuU@I34JXA|+$_S3~ zy~X#gO_X!cSs^XM{yzDGNM>?v(+sF#<0;AH^YrE8smx<36bUsHbN#y57K8WEu(`qHvQ6cAZPo=J5C(lSmUCZ57Rj6cx!e^rfaI5%w}unz}4 zoX=nt)FVNV%QDJH`o!u9olLD4O5fl)xp+#RloZlaA92o3x4->?rB4`gS$;WO{R;Z3>cG3IgFX2EA?PK^M}@%1%A;?f6}s&CV$cIyEr#q5;yHdNZ9h{| z-=dX+a5elJoDo?Eq&Og!nN6A)5yYpnGEp}?=!C-V)(*~z-+?kY1Q7qs#Rsy%hu_60rdbB+QQNr?S1 z?;xtjUv|*E3}HmuNyB9aFL5H~3Ho0UsmuMZELp1a#CA1g`P{-mT?BchuLEtK}!QZ=3AWakRu~?f9V~3F;TV`5%9Pcs_$gq&CcU}r8gOO zC2&SWPsSG{&o-LIGTBqp6SLQZPvYKp$$7L4WRRZ0BR$Kf0I0SCFkqveCp@f)o8W)! 
z$%7D1R`&j7W9Q9CGus_)b%+B#J2G;l*FLz#s$hw{BHS~WNLODV#(!u_2Pe&tMsq={ zdm7>_WecWF#D=?eMjLj=-_z`aHMZ=3_-&E8;ibPmM}61i6J3is*=dKf%HC>=xbj4$ zS|Q-hWQ8T5mWde6h@;mS+?k=89?1FU<%qH9B(l&O>k|u_aD|DY*@~(`_pb|B#rJ&g zR0(~(68fpUPz6TdS@4JT5MOPrqDh5_H(eX1$P2SQrkvN8sTxwV>l0)Qq z0pzTuvtEAKRDkKGhhv^jk%|HQ1DdF%5oKq5BS>szk-CIke{%js?~%@$uaN3^Uz6Wf z_iyx{bZ(;9y4X&>LPV=L=d+A}7I4GkK0c1Xts{rrW1Q7apHf-))`BgC^0^F(>At1* za@e7{lq%yAkn*NH8Q1{@{lKhRg*^TfGvv!Sn*ed*x@6>M%aaqySxR|oNadYt1mpUZ z6H(rupHYf&Z z29$5g#|0MX#aR6TZ$@eGxxABRKakDYtD%5BmKp;HbG_ZbT+=81E&=XRk6m_3t9PvD zr5Cqy(v?gHcYvYvXkNH@S#Po~q(_7MOuCAB8G$a9BC##gw^5mW16cML=T=ERL7wsk zzNEayTG?mtB=x*wc@ifBCJ|irFVMOvH)AFRW8WE~U()QT=HBCe@s$dA9O!@`zAAT) zaOZ7l6vyR+Nk_OOF!ZlZmjoImKh)dxFbbR~z(cMhfeX1l7S_`;h|v3gI}n9$sSQ>+3@AFAy9=B_y$)q;Wdl|C-X|VV3w8 z2S#>|5dGA8^9%Bu&fhmVRrTX>Z7{~3V&0UpJNEl0=N32euvDGCJ>#6dUSi&PxFW*s zS`}TB>?}H(T2lxBJ!V#2taV;q%zd6fOr=SGHpoSG*4PDaiG0pdb5`jelVipkEk%FV zThLc@Hc_AL1#D&T4D=w@UezYNJ%0=f3iVRuVL5H?eeZM}4W*bomebEU@e2d`M<~uW zf#Bugwf`VezG|^Qbt6R_=U0}|=k;mIIakz99*>FrsQR{0aQRP6ko?5<7bkDN8evZ& zB@_KqQG?ErKL=1*ZM9_5?Pq%lcS4uLSzN(Mr5=t6xHLS~Ym`UgM@D&VNu8e?_=nSFtF$u@hpPSmI4Vo_t&v?>$~K4y(O~Rb*(MFy_igM7 z*~yYUyR6yQgzWnWMUgDov!!g=lInM+=lOmOk4L`O?{i&qxy&D*_qorRbDwj6?)!ef z#JLd7F6Z2I$S0iYI={rZNk*<{HtIl^mx=h>Cim*04K4+Z4IJtd*-)%6XV2(MCscPiw_a+y*?BKbTS@BZ3AUao^%Zi#PhoY9Vib4N>SE%4>=Jco0v zH_Miey{E;FkdlZSq)e<{`+S3W=*ttvD#hB8w=|2aV*D=yOV}(&p%0LbEWH$&@$X3x~CiF-?ejQ*N+-M zc8zT@3iwkdRT2t(XS`d7`tJQAjRmKAhiw{WOqpuvFp`i@Q@!KMhwKgsA}%@sw8Xo5Y=F zhRJZg)O4uqNWj?V&&vth*H#je6T}}p_<>!Dr#89q@uSjWv~JuW(>FqoJ5^ho0%K?E z9?x_Q;kmcsQ@5=}z@tdljMSt9-Z3xn$k)kEjK|qXS>EfuDmu(Z8|(W?gY6-l z@R_#M8=vxKMAoi&PwnaIYw2COJM@atcgfr=zK1bvjW?9B`-+Voe$Q+H$j!1$Tjn+* z&LY<%)L@;zhnJlB^Og6I&BOR-m?{IW;tyYC%FZ!&Z>kGjHJ6cqM-F z&19n+e1=9AH1VrVeHrIzqlC`w9=*zfmrerF?JMzO&|Mmv;!4DKc(sp+jy^Dx?(8>1 zH&yS_4yL7m&GWX~mdfgH*AB4{CKo;+egw=PrvkTaoBU+P-4u?E|&!c z)DKc;>$$B6u*Zr1SjUh2)FeuWLWHl5TH(UHWkf zLs>7px!c5n;rbe^lO@qlYLzlDVp(z?6rPZel=YB)Uv&n!2{+Mb$-vQl=xKw( 
zve&>xYx+jW_NJh!FV||r?;hdP*jOXYcLCp>DOtJ?2S^)DkM{{Eb zS$!L$e_o0(^}n3tA1R3-$SNvgBq;DOEo}fNc|tB%%#g4RA3{|euq)p+xd3I8^4E&m zFrD%}nvG^HUAIKe9_{tXB;tl|G<%>yk6R;8L2)KUJw4yHJXUOPM>(-+jxq4R;z8H#>rnJy*)8N+$wA$^F zN+H*3t)eFEgxLw+Nw3};4WV$qj&_D`%ADV2%r zJCPCo%{=z7;`F98(us5JnT(G@sKTZ^;2FVitXyLe-S5(hV&Ium+1pIUB(CZ#h|g)u zSLJJ<@HgrDiA-}V_6B^x1>c9B6%~847JkQ!^KLZ2skm;q*edo;UA)~?SghG8;QbHh z_6M;ouo_1rq9=x$<`Y@EA{C%6-pEV}B(1#sDoe_e1s3^Y>n#1Sw;N|}8D|s|VPd+g z-_$QhCz`vLxxrVMx3ape1xu3*wjx=yKSlM~nFgkNWb4?DDr*!?U)L_VeffF<+!j|b zZ$Wn2$TDv3C3V@BHpSgv3JUif8%hk%OsGZ=OxH@8&4`bbf$`aAMchl^qN>Eyu3JH} z9-S!x8-s4fE=lad%Pkp8hAs~u?|uRnL48O|;*DEU! zuS0{cpk%1E0nc__2%;apFsTm0bKtd&A0~S3Cj^?72-*Owk3V!ZG*PswDfS~}2<8le z5+W^`Y(&R)yVF*tU_s!XMcJS`;(Tr`J0%>p=Z&InR%D3@KEzzI+-2)HK zuoNZ&o=wUC&+*?ofPb0a(E6(<2Amd6%uSu_^-<1?hsxs~0K5^f(LsGqgEF^+0_H=uNk9S0bb!|O8d?m5gQjUKevPaO+*VfSn^2892K~%crWM8+6 z25@V?Y@J<9w%@NXh-2!}SK_(X)O4AM1-WTg>sj1{lj5@=q&dxE^9xng1_z9w9DK>| z6Iybcd0e zyi;Ew!KBRIfGPGytQ6}z}MeXCfLY0?9%RiyagSp_D1?N&c{ zyo>VbJ4Gy`@Fv+5cKgUgs~na$>BV{*em7PU3%lloy_aEovR+J7TfQKh8BJXyL6|P8un-Jnq(ghd!_HEOh$zlv2$~y3krgeH;9zC}V3f`uDtW(%mT#944DQa~^8ZI+zAUu4U(j0YcDfKR$bK#gvn_{JZ>|gZ5+)u?T$w7Q%F^;!Wk?G z(le7r!ufT*cxS}PR6hIVtXa)i`d$-_1KkyBU>qmgz-=T};uxx&sKgv48akIWQ89F{ z0XiY?WM^~;|T8zBOr zs#zuOONzH?svv*jokd5SK8wG>+yMC)LYL|vLqm^PMHcT=`}V$=nIRHe2?h)8WQa6O zPAU}d`1y(>kZiP~Gr=mtJLMu`i<2CspL|q2DqAgAD^7*$xzM`PU4^ga`ilE134XBQ z99P(LhHU@7qvl9Yzg$M`+dlS=x^(m-_3t|h>S}E0bcFMn=C|KamQ)=w2^e)35p`zY zRV8X?d;s^>Cof2SPR&nP3E+-LCkS0J$H!eh8~k0qo$}00b=7!H_I2O+Ro@3O$nPdm ztmbOO^B+IHzQ5w>@@@J4cKw5&^_w6s!s=H%&byAbUtczPQ7}wfTqxxtQNfn*u73Qw zGuWsrky_ajPx-5`R<)6xHf>C(oqGf_Fw|-U*GfS?xLML$kv;h_pZ@Kk$y0X(S+K80 z6^|z)*`5VUkawg}=z`S;VhZhxyDfrE0$(PMurAxl~<>lfZa>JZ288ULK7D` zl9|#L^JL}Y$j*j`0-K6kH#?bRmg#5L3iB4Z)%iF@SqT+Lp|{i`m%R-|ZE94Np7Pa5 zCqC^V3}B(FR340pmF*qaa}M}+h6}mqE~7Sh!9bDv9YRT|>vBNAqv09zXHMlcuhKD| zcjjA(b*XCIwJ33?CB!+;{)vX@9xns_b-VO{i0y?}{!sdXj1GM8+$#v>W7nw;+O_9B z_{4L;C6ol?(?W0<6taGEn1^uG=?Q3i29sE`RfYCaV$3DKc_;?HsL?D_fSYg}SuO5U 
zOB_f4^vZ_x%o`5|C@9C5+o=mFy@au{s)sKw!UgC&L35aH(sgDxRE2De%(%OT=VUdN ziVLEmdOvJ&5*tCMKRyXctCwQu_RH%;m*$YK&m;jtbdH#Ak~13T1^f89tn`A%QEHWs~jnY~E}p_Z$XC z=?YXLCkzVSK+Id`xZYTegb@W8_baLt-Fq`Tv|=)JPbFsKRm)4UW;yT+J`<)%#ue9DPOkje)YF2fsCilK9MIIK>p*`fkoD5nGfmLwt)!KOT+> zOFq*VZktDDyM3P5UOg`~XL#cbzC}eL%qMB=Q5$d89MKuN#$6|4gx_Jt0Gfn8w&q}%lq4QU%6#jT*MRT% zrLz~C8FYKHawn-EQWN1B75O&quS+Z81(zN)G>~vN8VwC+e+y(`>HcxC{MrJ;H1Z4k zZWuv$w_F0-Ub%MVcpIc){4PGL^I7M{>;hS?;eH!;gmcOE66z3;Z1Phqo(t zVP(Hg6q#0gIKgsg7L7WE!{Y#1nI(45tx2{$34dDd#!Z0NIyrm)HOn5W#7;f4pQci# zDW!FI(g4e668kI9{2+mLwB+=#9bfqgX%!B34V-$wwSN(_cm*^{y0jQtv*4}eO^sOV z*9xoNvX)c9isB}Tgx&ZRjp3kwhTVK?r9;n!x>^XYT z@Q^7zp{rkIs{2mUSE^2!Gf6$6;j~&4=-0cSJJDizZp6LTe8b45;{AKM%v99}{{FfC zz709%u0mC=1KXTo(=TqmZQ;c?$M3z(!xah>aywrj40sc2y3rKFw4jCq+Y+u=CH@_V zxz|qeTwa>+<|H%8Dz5u>ZI5MmjTFwXS-Fv!TDd*`>3{krWoNVx$<133`(ftS?ZPyY z&4@ah^3^i`vL$BZa>O|Nt?ucewzsF)0zX3qmM^|waXr=T0pfIb0*$AwU=?Ipl|1Y; z*Pk6{C-p4MY;j@IJ|DW>QHZQJcp;Z~?8(Q+Kk3^0qJ}SCk^*n4W zu9ZFwLHUx-$6xvaQ)SUQcYd6fF8&x)V`1bIuX@>{mE$b|Yd(qomn3;bPwnDUc0F=; zh*6_((%bqAYQWQ~odER?h>1mkL4kpb3s7`0m@rDKGU*oyF)$j~Ffd4fXV$?`f~rHf zB%Y)@5SXZvfwm10RY5X?TEo)PK_`L6qgBp=#>fO49$D zDq8Ozj0q6213tV5Qq=;fZ0$|KroY{Dz=l@lU^J)?Ko@ti20TRplXzphBi>XGx4bou zEWrkNjz0t5j!_ke{g5I#PUlEU$Km8g8TE|XK=MkU@PT4T><2OVamoK;wJ}3X0L$vX zgd7gNa359*nc)R-0!`2X@FOTB`+oETOPc=ubp5R)VQgY+5BTZZJ2?9QwnO=dnulIUF3gFn;BODC2)65)HeVd%t86sL7Rv^Y+nbn+&l z6BAJY(ETvwI)Ts$aiE8rht4KD*qNyE{8{x6R|%akbTBzw;2+6Echkt+W+`u^XX z_z&x%n '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. 
+MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. 
+ +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..25da30d --- /dev/null +++ b/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/settings.gradle.kts b/settings.gradle.kts new file mode 100644 index 0000000..3f2d33f --- /dev/null +++ b/settings.gradle.kts @@ -0,0 +1,7 @@ +plugins { + // Apply the foojay-resolver plugin to allow automatic download of JDKs + id("org.gradle.toolchains.foojay-resolver-convention") version "0.8.0" +} + +rootProject.name = "unsafe-address-sanitizer" +include("agent-impl") diff --git a/src/agentTest/java/marcono1234/unsafe_sanitizer/AgentTest.java b/src/agentTest/java/marcono1234/unsafe_sanitizer/AgentTest.java new file mode 100644 index 0000000..1a0dedd --- /dev/null +++ b/src/agentTest/java/marcono1234/unsafe_sanitizer/AgentTest.java 
@@ -0,0 +1,53 @@ +package marcono1234.unsafe_sanitizer; + +import org.junit.jupiter.api.Disabled; +import org.junit.jupiter.api.Test; +import sun.misc.Unsafe; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; + +class AgentTest { + public static final Unsafe unsafe; + static { + try { + var field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new IllegalStateException("Failed getting Unsafe", e); + } + } + + @Test + void success() { + long a = unsafe.allocateMemory(10); + unsafe.putInt(a + 6, 1); + assertEquals(1, unsafe.getInt(a + 6)); + unsafe.freeMemory(a); + } + + @Test + void error() { + var error = assertThrows(Error.class, () -> unsafe.freeMemory(-1)); + assertEquals("Cannot free at address -1", error.getMessage()); + + long a = unsafe.allocateMemory(3); + error = assertThrows(Error.class, () -> unsafe.putInt(a, 1)); + assertEquals("Size 4 exceeds actual size 3 at " + a, error.getMessage()); + unsafe.freeMemory(a); + } + + /** + * Verifies that the JAR with dependencies was properly packaged and includes the right module descriptors. + */ + @Disabled("agent JAR is not loaded as module; https://bugs.openjdk.org/browse/JDK-6932391?") + @Test + void moduleTest() throws Exception { + Module agentImplModule = Class.forName("marcono1234.unsafe_sanitizer.agent_impl.UnsafeSanitizerImpl").getModule(); + assertEquals("marcono1234.unsafe_sanitizer.agent_impl", agentImplModule.getName()); + + Module agentModule = Class.forName("marcono1234.unsafe_sanitizer.UnsafeSanitizer").getModule(); + assertEquals("marcono1234.unsafe_sanitizer", agentModule.getName()); + } +} \ No newline at end of file diff --git a/src/main/java/marcono1234/unsafe_sanitizer/AgentMain.java b/src/main/java/marcono1234/unsafe_sanitizer/AgentMain.java new file mode 100644 index 0000000..060305d --- /dev/null 
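Review bot: `error()` calls `unsafe.freeMemory(-1)` and a 4-byte `putInt` on a 3-byte allocation, and both are only harmless while the agent is attached and throwing. If this source set is ever run without `-javaagent`, the calls execute for real and can corrupt memory or crash the test JVM instead of failing an assertion. A guard that runs before the tests, such as `@BeforeAll static void requireAgent() { UnsafeSanitizer.checkInstalled(); }`, would turn that into a clear failure, assuming `checkInstalled()` (called by `TestSupport` in this commit) is reachable from this package. `success()` also skips `unsafe.freeMemory(a)` when `assertEquals` fails, so a `try`/`finally` around the assertion would keep the allocation from leaking.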
+++ b/src/main/java/marcono1234/unsafe_sanitizer/AgentMain.java @@ -0,0 +1,249 @@ +package marcono1234.unsafe_sanitizer; + +import marcono1234.unsafe_sanitizer.UnsafeSanitizer.AgentSettings; +import org.jetbrains.annotations.VisibleForTesting; + +import java.lang.instrument.Instrumentation; +import java.util.*; +import java.util.function.BiFunction; +import java.util.regex.Pattern; + +import static java.util.Map.entry; + +/** + * Internal class used for standalone agent usage with {@code -javaagent} on the command line. + */ +@SuppressWarnings("unused") // executed for standalone agent usage +class AgentMain { + private AgentMain() {} + + /** + * Entry point for agent specified with {@code -javaagent} on the command line. + * + *

See package documentation for {@link java.lang.instrument}. + */ + public static void premain(String agentArgs, Instrumentation instrumentation) { + AgentSettings agentSettings; + if (agentArgs == null || agentArgs.isEmpty()) { + agentSettings = AgentSettings.defaultSettings(); + } else { + agentSettings = parseAgentSettings(agentArgs); + } + + System.out.println("Installing Unsafe Sanitizer agent with settings " + agentSettings); + UnsafeSanitizer.installAgent(instrumentation, agentSettings); + } + + private static String createExampleAgentArg(Map.Entry> optionEntry) { + var option = optionEntry.getValue(); + return optionEntry.getKey() + AGENT_ARG_VALUE_SEPARATOR + option.getDefaultValueArgString(); + } + + // `main` method is only used to show usage help + public static void main(String[] args) { + System.out.println("=== Unsafe Address Sanitizer ==="); + System.out.println("https://github.com/Marcono1234/unsafe-address-sanitizer"); + System.out.println(); + System.out.println("Standalone agent usage:"); + String jvmAgentArg = "-javaagent:unsafe-address-sanitizer-standalone-agent.jar"; + System.out.println(" java " + jvmAgentArg + "[=[,...]] -jar ..."); + System.out.println(); + System.out.println("Agent arguments:"); + for (var optionEntry : agentOptions.entrySet()) { + var option = optionEntry.getValue(); + System.out.println(" - " + optionEntry.getKey() + ": " + option.parser.getValuesHelp()); + System.out.println(" default: " + option.getDefaultValueArgString()); + } + + System.out.println("(see Javadoc for more details)"); + System.out.println(); + System.out.println("Examples:"); + System.out.println(" java " + jvmAgentArg + " -jar my-application.jar"); + var optionsIter = agentOptions.entrySet().iterator(); + System.out.println(" java " + jvmAgentArg + "=" + createExampleAgentArg(optionsIter.next()) + + AGENT_ARGS_SEPARATOR + createExampleAgentArg(optionsIter.next()) + " -jar my-application.jar"); + } + + @VisibleForTesting + static AgentSettings 
createDefaultSettings() { + AgentSettings agentSettings = AgentSettings.defaultSettings(); + // Options have their own default values; this makes it easier to print them in the command line help, + // and it allows having different default settings for standalone usage + for (var option : agentOptions.values()) { + agentSettings = option.applyDefaultTo(agentSettings); + } + return agentSettings; + } + + /** Separates multiple agent args */ + private static final String AGENT_ARGS_SEPARATOR = ","; + /** Separates agent arg name and value */ + private static final String AGENT_ARG_VALUE_SEPARATOR = "="; + + @VisibleForTesting + static AgentSettings parseAgentSettings(String agentArgs) { + AgentSettings agentSettings = createDefaultSettings(); + + String[] argStrings = agentArgs.split(Pattern.quote(AGENT_ARGS_SEPARATOR), -1); + Set seenOptions = new HashSet<>(); + + for (String argString : argStrings) { + if (argString.isBlank()) { + throw new IllegalArgumentException("Invalid blank argument in agent args: " + agentArgs); + } + + String[] optionValuePair = argString.split(Pattern.quote(AGENT_ARG_VALUE_SEPARATOR), 2); + if (optionValuePair.length != 2) { + throw new IllegalArgumentException("Missing value for '" + argString + "'"); + } + + String optionName = optionValuePair[0]; + AgentOption option = agentOptions.get(optionName); + if (option == null) { + throw new IllegalArgumentException("Unknown option: " + optionName); + } + + try { + agentSettings = option.applyParsedTo(agentSettings, optionValuePair[1]); + } catch (Exception e) { + throw new IllegalArgumentException("Invalid value for '" + optionName + "': " + e.getMessage(), e); + } + if (!seenOptions.add(optionName)) { + throw new IllegalArgumentException("Duplicate '" + optionName + "' value"); + } + } + + return agentSettings; + } + + private static final ArgumentParser BOOLEAN_PARSER = new ArgumentParser<>() { + @Override + public Boolean parse(String arg) throws IllegalArgumentException { + return switch 
(arg) { + case "true" -> true; + case "false" -> false; + default -> throw new IllegalArgumentException("Invalid boolean '" + arg + "'"); + }; + } + + @Override + public String getValuesHelp() { + return "true | false"; + } + + @Override + public String valueToArgString(Boolean value) { + Objects.requireNonNull(value); + return value.toString(); + } + + @Override + public String toString() { + return "BOOLEAN_PARSER"; + } + }; + + private static final ArgumentParser ERROR_ACTION_PARSER = new ArgumentParser<>() { + private static String errorActionToArgString(ErrorAction errorAction) { + return errorAction.name().toLowerCase(Locale.ROOT).replace('_', '-'); + } + + private static final Map actions; + static { + Map tempActions = new LinkedHashMap<>(); + for (ErrorAction errorAction : ErrorAction.values()) { + String transformedName = errorActionToArgString(errorAction); + var oldValue = tempActions.put(transformedName, errorAction); + if (oldValue != null) { + throw new AssertionError(errorAction + " and " + oldValue + " have conflicting names"); + } + } + // Don't use `Map.copyOf` because the iteration order is unspecified + actions = Collections.unmodifiableMap(tempActions); + } + + @Override + public ErrorAction parse(String arg) throws IllegalArgumentException { + ErrorAction action = actions.get(arg); + if (action == null) { + throw new IllegalArgumentException("Invalid error action '" + arg + "'"); + } + return action; + } + + @Override + public String getValuesHelp() { + return String.join(" | ", actions.keySet()); + } + + @Override + public String valueToArgString(ErrorAction value) { + Objects.requireNonNull(value); + return errorActionToArgString(value); + } + + @Override + public String toString() { + return "ERROR_ACTION_PARSER"; + } + }; + + @SafeVarargs + private static Map mapOf(Map.Entry... 
entries) { + Map map = new LinkedHashMap<>(); + for (var entry : entries) { + K key = entry.getKey(); + var oldValue = map.put(key, entry.getValue()); + if (oldValue != null) { + throw new IllegalArgumentException("Duplicate key: " + key); + } + } + return Collections.unmodifiableMap(map); + } + + // Don't use `Map.of` because the iteration order is unspecified + private static final Map> agentOptions = mapOf( + entry("instrumentation-logging", new AgentOption<>(BOOLEAN_PARSER, true, AgentSettings::withInstrumentationLogging)), + entry("global-native-memory-sanitizer", new AgentOption<>(BOOLEAN_PARSER, true, AgentSettings::withGlobalNativeMemorySanitizer)), + entry("uninitialized-memory-tracking", new AgentOption<>(BOOLEAN_PARSER, true, AgentSettings::withUninitializedMemoryTracking)), + entry("error-action", new AgentOption<>(ERROR_ACTION_PARSER, ErrorAction.THROW, AgentSettings::withErrorAction)), + entry("call-debug-logging", new AgentOption<>(BOOLEAN_PARSER, false, AgentSettings::withCallDebugLogging)) + ); + static { + assert agentOptions.size() == AgentSettings.class.getRecordComponents().length; + } + + private record AgentOption(ArgumentParser parser, T defaultValue, BiFunction setter) { + AgentOption { + // Assert that at least for default value round trip to and from string works + assert Objects.equals(defaultValue, parser.parse(parser.valueToArgString(defaultValue))); + } + + public AgentSettings applyDefaultTo(AgentSettings agentSettings) { + return setter.apply(agentSettings, defaultValue); + } + + public AgentSettings applyParsedTo(AgentSettings agentSettings, String value) throws IllegalArgumentException { + T parsedValue = parser.parse(value); + return setter.apply(agentSettings, parsedValue); + } + + public String getDefaultValueArgString() { + return parser.valueToArgString(defaultValue); + } + } + + private interface ArgumentParser { + T parse(String arg) throws IllegalArgumentException; + + /** + * Gets a help string representing all valid 
values, to be shown to the user. + */ + String getValuesHelp(); + + /** + * Converts a value to the string representation expected by {@link #parse(String)}. + */ + String valueToArgString(T value); + } +} diff --git a/src/main/java/marcono1234/unsafe_sanitizer/DirectByteBufferInterceptors.java b/src/main/java/marcono1234/unsafe_sanitizer/DirectByteBufferInterceptors.java new file mode 100644 index 0000000..ab385a5 --- /dev/null +++ b/src/main/java/marcono1234/unsafe_sanitizer/DirectByteBufferInterceptors.java 
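Review bot: `premain` uses `AgentSettings.defaultSettings()` when `agentArgs` is null or empty, while `parseAgentSettings` starts from `createDefaultSettings()`, which applies the per-option defaults from `agentOptions`. The comment in `createDefaultSettings()` says those defaults may differ for standalone usage, so a bare `-javaagent:...jar` could run with settings other than the ones `main` prints as defaults. Using `agentSettings = createDefaultSettings();` in the empty-args branch keeps both paths on one source of defaults. Separately, `parseAgentSettings` checks `seenOptions.add(optionName)` only after `applyParsedTo`, so a duplicated option with a bad value is reported as an invalid value rather than as a duplicate.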
@@ -0,0 +1,58 @@
+package marcono1234.unsafe_sanitizer;
+
+import marcono1234.unsafe_sanitizer.agent_impl.DirectByteBufferHelper;
+import marcono1234.unsafe_sanitizer.agent_impl.UnsafeSanitizerImpl;
+import net.bytebuddy.asm.Advice.*;
+
+import java.nio.ByteBuffer;
+
+// Note: To avoid IntelliJ warnings, can mark in IntelliJ methods annotated with `@OnMethodEnter` and `@OnMethodExit`
+// as entrypoint
+
+/**
+ * Interceptors for 'direct' {@link ByteBuffer}, allocated with {@link ByteBuffer#allocateDirect(int)}.
+ */
+// This is an interface to allow writing `class` instead of `public static class` for all nested classes;
+// probably acceptable since this is not public API
+interface DirectByteBufferInterceptors {
+ // Note: This currently assumes that all buffer instances which use `java.nio.DirectByteBuffer$Deallocator` are
+ // created by `ByteBuffer.allocateDirect`. Otherwise unrelated `Deallocator.run()` calls would erroneously cause
+ // a double free sanitizer error. This assumption seems to currently hold true, but might be a bit brittle. Maybe
+ // instead of `ByteBuffer.allocateDirect` could intercept `DirectByteBuffer` constructor. But that would also be
+ // brittle then because it relies on its implementation details.
+
+ class AllocateDirect {
+ // Note: Don't need to check arguments here since `ByteBuffer.allocateDirect` is public API and validates
+ // its arguments
+ @OnMethodExit
+ public static void exit(@Argument(0) int bytesCount, @Return(readOnly = false) ByteBuffer buffer) {
+ long address = DirectByteBufferHelper.getAddress(buffer);
+ if (!UnsafeSanitizerImpl.onAllocatedDirectBuffer(address, bytesCount)) {
+ //noinspection UnusedAssignment
+ buffer = null;
+ }
+ }
+ }
+
+ // TODO: Instead of intercepting this private class, could also intercept JDK-internal `jdk.internal.misc.Unsafe#freeMemory`
+ // but would have to ignore then when no allocation exists at that address, because `freeMemory` will also be
+ // used by other JDK code which allocated native memory (and which won't be detected by sanitizer because it
+ // only intercepts the 'public' `sun.misc.Unsafe` class)
+ /**
+ * {@code java.nio.DirectByteBuffer$Deallocator#run()}
+ */
+ class DeallocatorRun {
+ // Uses `@OnMethodEnter#skipOn` to skip execution in case of `ErrorAction#PRINT_SKIP`; otherwise it might
+ // crash the JVM when deallocating already freed memory (double free)
+ @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip
+ public static boolean enter(@This Runnable this_) {
+ long address = DirectByteBufferHelper.getDeallocatorAddress(this_);
+ if (address == 0) {
+ // Already freed
+ return true;
+ }
+
+ return UnsafeSanitizerImpl.freeDirectBufferMemory(address);
+ }
+ }
+}
diff --git a/src/main/java/marcono1234/unsafe_sanitizer/ErrorAction.java b/src/main/java/marcono1234/unsafe_sanitizer/ErrorAction.java
new file mode 100644
index 0000000..9c569d0
--- /dev/null
+++ b/src/main/java/marcono1234/unsafe_sanitizer/ErrorAction.java
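Review bot: `AllocateDirect.exit` replaces the return value with `null` when `UnsafeSanitizerImpl.onAllocatedDirectBuffer` returns false, but nothing here says when that happens or what the caller should expect. `ByteBuffer.allocateDirect` is documented never to return null, so callers will fail later with a `NullPointerException` far from the cause. The discarded buffer's native memory is presumably still released through its `Deallocator`, which would then reach `DeallocatorRun.enter` for an address the sanitizer may not have recorded. A comment above the assignment such as `// Sanitizer rejected the allocation (see onAllocatedDirectBuffer); caller gets null, the buffer's own Deallocator still frees the memory` would document the contract, once confirmed against `UnsafeSanitizerImpl`, which is outside this hunk.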
@@ -0,0 +1,42 @@
+package marcono1234.unsafe_sanitizer;
+
+import marcono1234.unsafe_sanitizer.agent_impl.AgentErrorAction;
+
+/**
+ * Action to perform in case of bad memory access. Regardless of the error action the error will always be
+ * additionally stored as {@link UnsafeSanitizer#getLastError()}.
+ */
+public enum ErrorAction {
+ /**
+ * Do nothing, permit bad memory access.
+ */
+ NONE,
+ /**
+ * Throw an {@link Error} on bad memory access.
+ */
+ THROW,
+ /**
+ * Print the error stack trace to the console, but permit the bad memory access anyway.
+ */
+ PRINT,
+ /**
+ * Print the error stack trace to the console and skip actual memory access.
+ * When the {@code Unsafe} method expects a return value, a (possibly invalid) default value is returned instead.
+ */
+ PRINT_SKIP,
+ ;
+
+ /**
+ * Gets the corresponding internal error action.
+ */
+ AgentErrorAction getAgentErrorAction() {
+ // Do this lookup dynamically (instead of for example storing values as field of this enum) to make sure
+ // agent-impl class is only accessed after it has been loaded
+ return switch (this) {
+ case NONE -> AgentErrorAction.NONE;
+ case THROW -> AgentErrorAction.THROW;
+ case PRINT -> AgentErrorAction.PRINT;
+ case PRINT_SKIP -> AgentErrorAction.PRINT_SKIP;
+ };
+ }
+}
diff --git a/src/main/java/marcono1234/unsafe_sanitizer/MethodLoggingInterceptor.java b/src/main/java/marcono1234/unsafe_sanitizer/MethodLoggingInterceptor.java
new file mode 100644
index 0000000..8585ae5
--- /dev/null
+++ b/src/main/java/marcono1234/unsafe_sanitizer/MethodLoggingInterceptor.java
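Review bot: The Javadoc of `THROW` is the only constant description that does not say whether the bad access itself is carried out; `NONE` and `PRINT` say it is permitted and `PRINT_SKIP` says it is skipped. That choice decides whether a detected bad access still touches memory, so it is worth stating explicitly, for example `Throw an {@link Error} on bad memory access; the access itself is not performed.`, if that is what the interceptors guarantee. The enum-level Javadoc could also say in one sentence which constants prevent the access and which only report it.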
@@ -0,0 +1,47 @@
+package marcono1234.unsafe_sanitizer;
+
+import marcono1234.unsafe_sanitizer.agent_impl.MethodCallDebugLogger;
+import net.bytebuddy.asm.Advice.*;
+
+import java.lang.invoke.MethodType;
+
+import static net.bytebuddy.implementation.bytecode.assign.Assigner.Typing.DYNAMIC;
+
+// Note: To avoid IntelliJ warnings, can mark in IntelliJ methods annotated with `@OnMethodEnter` and `@OnMethodExit`
+// as entrypoint
+
+/**
+ * Interceptor which performs debug logging of called methods.
+ */
+class MethodLoggingInterceptor {
+
+ private MethodLoggingInterceptor() {
+ }
+
+ /*
+ * Implementation notes:
+ * - The actual logging is implemented in agent-impl because here in Advice methods cannot have
+ * separate helper methods, and cannot debug through code
+ * - Uses `@Origin MethodType` and `@Origin(...)` because they can be stored as constants,
+ * whereas `@Origin Method` would always create new instance, even if debug logging is not enabled
+ */
+
+ @OnMethodEnter
+ static void enter(
+ @Origin("#t") String declaringTypeName,
+ @Origin("#m") String methodName,
+ @This(optional = true, typing = DYNAMIC) Object this_,
+ @AllArguments(typing = DYNAMIC) Object[] arguments
+ ) {
+ MethodCallDebugLogger.onMethodEnter(declaringTypeName, methodName, this_, arguments);
+ }
+
+ @OnMethodExit(onThrowable = Throwable.class)
+ static void exit(
+ @Origin MethodType method,
+ @Return(typing = DYNAMIC) Object result,
+ @Thrown Throwable thrown
+ ) {
+ MethodCallDebugLogger.onMethodExit(method, result, thrown);
+ }
+}
diff --git a/src/main/java/marcono1234/unsafe_sanitizer/TestSupport.java b/src/main/java/marcono1234/unsafe_sanitizer/TestSupport.java
new file mode 100644
index 0000000..1b54113
--- /dev/null
+++ b/src/main/java/marcono1234/unsafe_sanitizer/TestSupport.java
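Review bot: `enter` takes `@AllArguments(typing = DYNAMIC) Object[] arguments`, which makes the inlined advice allocate an array and box primitive arguments on every intercepted call, whether or not call debug logging is enabled. The implementation notes justify `@Origin MethodType` over `@Origin Method` precisely to avoid per-call allocation when logging is off, so the same trade-off should be recorded for the arguments, or the advice should only be applied when logging is on. `TransformBuilder.configure` in this commit always visits this interceptor. A line in the notes such as `* - @AllArguments still allocates an Object[] per call; the enabled check happens in MethodCallDebugLogger` would make the cost visible, assuming that is where the check lives.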
@@ -0,0 +1,194 @@ +package marcono1234.unsafe_sanitizer; + +import com.google.errorprone.annotations.CanIgnoreReturnValue; +import marcono1234.unsafe_sanitizer.agent_impl.AgentErrorAction; +import marcono1234.unsafe_sanitizer.agent_impl.BadMemoryAccessError; +import marcono1234.unsafe_sanitizer.agent_impl.UnsafeSanitizerImpl; + +import java.util.Objects; +import java.util.function.Supplier; + +/** + * Provides helper methods for tests which want to assert that a certain action performed + * good or bad memory access. + * + *

Which types of bad memory access are detected depends on the {@link UnsafeSanitizer} configuration. + */ +public class TestSupport { + private TestSupport() {} + + /** + * Runnable which can throw a {@link Throwable}. + * + * @see #assertBadMemoryAccess(ThrowingRunnable) + * @see #assertNoBadMemoryAccess(ThrowingRunnable) + */ + @FunctionalInterface + public interface ThrowingRunnable { + /** Performs the action. */ + void run() throws Throwable; + } + + /** + * Supplier which can throw a {@link Throwable}. + * @param type of the result + * + * @see #assertNoBadMemoryAccessGet(ThrowingSupplier) + */ + @FunctionalInterface + public interface ThrowingSupplier { + /** Performs the action and returns the result. */ + T get() throws Throwable; + } + + private static void checkAgentThrowsErrors() { + UnsafeSanitizer.checkInstalled(); + if (UnsafeSanitizerImpl.getErrorAction() != AgentErrorAction.THROW) { + throw new IllegalStateException("Error action must be " + ErrorAction.THROW); + } + } + + /** + * Helper method for unit tests which temporarily sets {@link ErrorAction#THROW} + * before restoring the original error action. + */ + // Only for internal usage for now + static T withThrowErrorAction(Supplier s) { + UnsafeSanitizer.checkInstalled(); + var oldErrorAction = UnsafeSanitizerImpl.getErrorAction(); + try { + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + return s.get(); + } finally { + UnsafeSanitizerImpl.setErrorAction(oldErrorAction); + } + } + + /** + * Asserts that the runnable performs a bad memory access, and returns the error. + * + *

The {@linkplain UnsafeSanitizer#getLastError() last error} will be cleared automatically. + * The exact type and message of the returned error are implementation details. + * + * @throws IllegalStateException + * if the agent has not been installed yet + * @throws IllegalStateException + * if the current {@linkplain UnsafeSanitizer#setErrorAction(ErrorAction) error action} is + * not {@link ErrorAction#THROW} + */ + // @CanIgnoreReturnValue is needed to avoid spurious IntelliJ warnings for callers, see https://youtrack.jetbrains.com/issue/IDEA-188863 + @CanIgnoreReturnValue + public static Error assertBadMemoryAccess(ThrowingRunnable runnable) { + Objects.requireNonNull(runnable); + checkAgentThrowsErrors(); + + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected previous error" , lastError); + } + + try { + runnable.run(); + } catch (Throwable t) { + // Cannot directly refer to `BadMemoryAccessError` in `catch` because it seems the class is then + // loaded eagerly, which fails because the agent has not been installed yet + if (t instanceof BadMemoryAccessError badMemoryAccessError) { + lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != badMemoryAccessError) { + var e = new AssertionError("Last error does not match thrown error", lastError); + e.addSuppressed(badMemoryAccessError); + throw e; + } + + return badMemoryAccessError; + } + + lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError == null) { + throw new AssertionError("Unexpected exception", t); + } else { + // TODO: Should this be allowed? For example when user code wraps the BadMemoryAccessError, or even + // just rethrows different exception (without wrapping)? 
+ var e = new AssertionError("Unexpected exception, but expected bad memory access error occurred as well", t); + e.addSuppressed(lastError); + throw e; + } + } + + lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError == null) { + throw new AssertionError("No exception was thrown"); + } else { + throw new AssertionError("No exception was thrown, but expected bad memory access error occurred", lastError); + } + } + + /** + * Asserts that the supplier performs no bad memory access, and returns the result + * of the supplier. + * + *

If an unexpected bad memory access occurs, an {@link AssertionError} will be thrown and the + * {@linkplain UnsafeSanitizer#getLastError() last error} will be cleared automatically. + * + * @throws IllegalStateException + * if the agent has not been installed yet + * @throws IllegalStateException + * if the current {@linkplain UnsafeSanitizer#setErrorAction(ErrorAction) error action} is + * not {@link ErrorAction#THROW} + */ + public static T assertNoBadMemoryAccessGet(ThrowingSupplier supplier) { + Objects.requireNonNull(supplier); + checkAgentThrowsErrors(); + + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected previous error" , lastError); + } + + T result; + try { + result = supplier.get(); + } catch (Throwable t) { + lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError == null || lastError == t) { + throw new AssertionError("Unexpected exception", t); + } else { + var e = new AssertionError("Unexpected exception, and unexpected bad memory access error occurred as well", t); + e.addSuppressed(lastError); + throw e; + } + } + + lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("No exception was thrown, but unexpected bad memory access error occurred", lastError); + } + return result; + } + + /** + * Asserts that the runnable performs no bad memory access. + * + *

If an unexpected bad memory access occurs, an {@link AssertionError} will be thrown and the + * {@linkplain UnsafeSanitizer#getLastError() last error} will be cleared automatically. + * + * @throws IllegalStateException + * if the agent has not been installed yet + * @throws IllegalStateException + * if the current {@linkplain UnsafeSanitizer#setErrorAction(ErrorAction) error action} is + * not {@link ErrorAction#THROW} + */ + public static void assertNoBadMemoryAccess(ThrowingRunnable runnable) { + Objects.requireNonNull(runnable); + assertNoBadMemoryAccessGet(() -> { + runnable.run(); + return null; + }); + } + + // Only for internal usage for now + static void checkAllNativeMemoryFreedAndForget() { + UnsafeSanitizer.checkInstalled(); + UnsafeSanitizerImpl.checkAllNativeMemoryFreed(true); + } +} diff --git a/src/main/java/marcono1234/unsafe_sanitizer/TransformBuilder.java b/src/main/java/marcono1234/unsafe_sanitizer/TransformBuilder.java new file mode 100644 index 0000000..5cbc9ab --- /dev/null +++ b/src/main/java/marcono1234/unsafe_sanitizer/TransformBuilder.java 
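Review bot: The public assertion helpers read and clear state through `UnsafeSanitizer.getAndClearLastError()`, and `withThrowErrorAction` swaps the error action and restores it in `finally`, but the Javadoc does not say whether any of this is safe when tests run in parallel. If the last error and the error action are process-wide, which the static accessors suggest but this hunk does not show, a bad access on one thread can be attributed to, or cleared by, an assertion running on another. A sentence in the class Javadoc such as `These methods rely on global sanitizer state and must not be called concurrently.` would set expectations. In `assertBadMemoryAccess`, the `catch (Throwable t)` branch also wraps errors such as `OutOfMemoryError` in an `AssertionError`; that may be intended but deserves a comment.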
@@ -0,0 +1,101 @@ +package marcono1234.unsafe_sanitizer; + +import net.bytebuddy.agent.builder.AgentBuilder; +import net.bytebuddy.asm.Advice; +import net.bytebuddy.asm.AsmVisitorWrapper; +import net.bytebuddy.description.method.MethodDescription; +import net.bytebuddy.matcher.ElementMatcher; + +import java.util.ArrayList; +import java.util.List; +import java.util.Objects; + +import static net.bytebuddy.matcher.ElementMatchers.*; + +/** + * Helper class for defining the class transformations and configuring the Byte Buddy agent. + */ +class TransformBuilder { + /** The class that will be transformed */ + private final Class classToTransform; + private final List> methodMatchers; + private final List visitors; + + public TransformBuilder(Class classToTransform) { + this.classToTransform = Objects.requireNonNull(classToTransform); + this.methodMatchers = new ArrayList<>(); + this.visitors = new ArrayList<>(); + } + + public TransformBuilder(String typeName) { + this(lookUpClass(typeName)); + } + + private static Class lookUpClass(String name) { + // Assume that the class can be found; throwing an exception (and failing agent installation) if it can't + try { + return Class.forName(name); + } catch (ClassNotFoundException e) { + throw new RuntimeException("Failed to find class: " + name, e); + } + } + + public Class getClassToTransform() { + return classToTransform; + } + + /** + * Adds the {@code interceptor} (implemented using {@link Advice}) for all matching methods. + */ + public TransformBuilder addMethods(ElementMatcher.Junction matcher, Class interceptor) { + Objects.requireNonNull(matcher); + Objects.requireNonNull(interceptor); + + methodMatchers.add(matcher); + visitors.add(Advice.to(interceptor).on(matcher)); + return this; + } + + /** + * Adds the {@code interceptor} (implemented using {@link Advice}) for all methods with the given {@code name}. 
+ */ + public TransformBuilder addMethod(String name, Class interceptor) { + Objects.requireNonNull(name); + return addMethods(named(name).and(isPublic()), interceptor); + } + + /** + * Adds the {@code interceptor} (implemented using {@link Advice}) for all methods whose name starts with {@code namePrefix}. + */ + public TransformBuilder addMethodsWithPrefix(String namePrefix, Class interceptor) { + Objects.requireNonNull(namePrefix); + return addMethods(nameStartsWith(namePrefix).and(isPublic()), interceptor); + } + + /** + * Configures the given {@code agentBuilder} with all registered interceptors, and returns the modified agent builder. + */ + public AgentBuilder configure(AgentBuilder agentBuilder) { + if (methodMatchers.isEmpty()) { + throw new IllegalStateException("No matchers have been added"); + } + + var loggingMatcher = methodMatchers.get(0); + for (int i = 1; i < methodMatchers.size(); i++) { + loggingMatcher = loggingMatcher.or(methodMatchers.get(i)); + } + var loggingMatcherF = loggingMatcher; + + return agentBuilder.type(is(classToTransform)) + .transform((builder, type, classLoader, module, protectionDomain) -> { + // Logging interceptor apparently has to be visited first; otherwise if other advice + // methods throw exception (in enter or exit), the logging interceptor is not run + builder = builder.visit(Advice.to(MethodLoggingInterceptor.class).on(loggingMatcherF)); + + for (var visitor : visitors) { + builder = builder.visit(visitor); + } + return builder; + }); + } +} diff --git a/src/main/java/marcono1234/unsafe_sanitizer/UnsafeInterceptors.java b/src/main/java/marcono1234/unsafe_sanitizer/UnsafeInterceptors.java new file mode 100644 index 0000000..07c8372 --- /dev/null +++ b/src/main/java/marcono1234/unsafe_sanitizer/UnsafeInterceptors.java 
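Review bot: `addMethods` accepts a matcher that selects no method of `classToTransform`, and `configure` only rejects the case where no matcher was registered at all, so an interceptor that never binds would go unnoticed. For a sanitizer that is a silent loss of coverage, for example if a JDK release renames or drops one of the targeted methods. A check in `addMethods` (with an import of `net.bytebuddy.description.type.TypeDescription`) would make this fail at installation, as `lookUpClass` already does for a missing class: `if (TypeDescription.ForLoadedType.of(classToTransform).getDeclaredMethods().filter(matcher).isEmpty()) { throw new IllegalArgumentException("No method of " + classToTransform.getName() + " matches " + matcher); }`. The Javadoc of `addMethod` and `addMethodsWithPrefix` should also say that only public methods are matched, since both add `isPublic()`.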
@@ -0,0 +1,311 @@ +package marcono1234.unsafe_sanitizer; + +import marcono1234.unsafe_sanitizer.agent_impl.MemorySize; +import marcono1234.unsafe_sanitizer.agent_impl.UnsafeSanitizerImpl; +import net.bytebuddy.asm.Advice.*; +import sun.misc.Unsafe; + +import java.lang.invoke.MethodType; + +import static net.bytebuddy.implementation.bytecode.assign.Assigner.Typing.DYNAMIC; + +// Note: To avoid IntelliJ warnings, can mark in IntelliJ methods annotated with `@OnMethodEnter` and `@OnMethodExit` +// as entrypoint + +/** + * Interceptors for {@link Unsafe}. + */ +// This is an interface to allow writing `class` instead of `public static class` for all nested classes; +// probably acceptable since this is not public API +@SuppressWarnings("ParameterCanBeLocal") // suppress warnings for reassigning `@Return` parameter +interface UnsafeInterceptors { + long INVALID_ADDRESS = 0; + + /* + * Notes: + * - These methods use `@OnMethodEnter#skipOn` to skip execution in case of `ErrorAction#PRINT_SKIP`; + * otherwise it might crash the JVM when the Unsafe method is called with invalid arguments + * - There are two `Unsafe` classes, the 'public' `sun.misc.Unsafe` and the JDK-internal `jdk.internal.misc.Unsafe`. + * The public Unsafe delegates to the JDK-internal one, and also direct ByteBuffers use the JDK-internal + * one, so intercepting it instead of the public one might seem more useful. However, this is not possible + * for all methods because some are native and cannot be intercepted. Also, the JDK-internal Unsafe might + * have already been used before the agent is installed, so spurious memory access errors would be reported + * by the sanitizer because it is not aware of the previously allocated memory. + * Therefore intercept only calls to the public Unsafe. 
+ */ + + /** + * {@link Unsafe#allocateMemory(long)} + */ + class AllocateMemory { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + public static boolean enter(@Argument(0) long bytesCount) { + return UnsafeSanitizerImpl.verifyValidAllocationBytesCount(bytesCount); + } + + @OnMethodExit + public static void exit(@Argument(0) long bytesCount, @Enter boolean wasExecuted, @Return(readOnly = false) long address) { + if (!(wasExecuted && UnsafeSanitizerImpl.onAllocatedMemory(address, bytesCount, true))) { + // Set custom return value as result + //noinspection UnusedAssignment + address = INVALID_ADDRESS; + } + } + } + + /** + * {@link Unsafe#reallocateMemory(long, long)} + */ + class ReallocateMemory { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + public static boolean enter(@Argument(0) long oldAddress, @Argument(1) long bytesCount) { + // `oldAddress == 0` acts like allocate instead + return (oldAddress == 0 || UnsafeSanitizerImpl.verifyCanReallocate(oldAddress)) + && UnsafeSanitizerImpl.verifyValidAllocationBytesCount(bytesCount); + } + + @OnMethodExit + public static void exit(@Argument(0) long oldAddress, @Argument(1) long bytesCount, @Enter(readOnly = false) boolean wasExecuted, @Return(readOnly = false) long newAddress) { + if (wasExecuted) { + // `oldAddress == 0` acts like allocate instead + if (oldAddress == 0) { + wasExecuted = UnsafeSanitizerImpl.onAllocatedMemory(newAddress, bytesCount, true); + } else { + wasExecuted = UnsafeSanitizerImpl.onReallocatedMemory(oldAddress, newAddress, bytesCount); + } + } + + if (!wasExecuted) { + // Set custom return value as result + //noinspection UnusedAssignment + newAddress = INVALID_ADDRESS; + } + } + } + + /** + * {@link Unsafe#freeMemory(long)} + */ + class FreeMemory { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + public static boolean enter(@Argument(0) long address) { + return UnsafeSanitizerImpl.freeMemory(address); + } 
+ } + + /** + * {@link Unsafe#setMemory(Object, long, long, byte)} + */ + class SetMemoryObject { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + public static boolean enter(@Argument(0) Object obj, @Argument(1) long offset, @Argument(2) long bytesCount) { + return UnsafeSanitizerImpl.onWriteAccess(obj, offset, bytesCount); + } + } + + /** + * {@link Unsafe#setMemory(long, long, byte)} + */ + class SetMemoryAddress { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + public static boolean enter(@Argument(0) long address, @Argument(1) long bytesCount) { + return UnsafeSanitizerImpl.onWriteAccess(null, address, bytesCount); + } + } + + /** + * {@link Unsafe#copyMemory(Object, long, Object, long, long)} + */ + class CopyMemoryObject { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + public static boolean enter(@Argument(0) Object srcBase, @Argument(1) long srcOffset, @Argument(2) Object destBase, @Argument(3) long destOffset, @Argument(4) long bytesCount) { + return UnsafeSanitizerImpl.onCopy(srcBase, srcOffset, destBase, destOffset, bytesCount); + } + } + + /** + * {@link Unsafe#copyMemory(long, long, long)} + */ + class CopyMemoryAddress { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + public static boolean enter(@Argument(0) long srcAddress, @Argument(1) long destAddress, @Argument(2) long bytesCount) { + return UnsafeSanitizerImpl.onCopy(null, srcAddress, null, destAddress, bytesCount); + } + } + + /** + * All {@code getX} memory methods, except for {@link Unsafe#getAndSetObject(Object, long, Object)} + * (which is handled by {@link GetAndSetObject}). 
+ */ + class GetX { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + // Note: Don't use `@Origin Method` because that would create a new `Method` for every call + public static boolean enter(@Origin("#m") String methodName, @Origin MethodType method, @AllArguments(typing = DYNAMIC) Object[] arguments) { + Object obj; + long address; + // Check index 1 because index 0 is `Unsafe` (receiver type) + if (method.parameterType(1) == Object.class) { + obj = arguments[0]; + address = (long) arguments[1]; + } else { + obj = null; + address = (long) arguments[0]; + } + + MemorySize size; + if (methodName.equals("getAddress")) { + size = MemorySize.ADDRESS; + } else { + size = MemorySize.fromClass(method.returnType()); + } + + // Technically for the `getAnd...` methods this is also `onWriteAccess`, but that would be mainly relevant + // for marking memory as initialized, and `onReadAccess` already verifies that memory is initialized + return UnsafeSanitizerImpl.onReadAccess(obj, address, size); + } + + @OnMethodExit + public static void exit(@Origin("#m") String methodName, @Enter boolean wasExecuted, @Return(typing = DYNAMIC, readOnly = false) Object result, @StubValue Object resultDefault) { + if (!wasExecuted) { + if (methodName.equals("getAddress")) { + //noinspection UnusedAssignment + result = INVALID_ADDRESS; + } else { + // TODO: Is this explicitly necessary, or does it implicitly get the default value? + //noinspection UnusedAssignment + result = resultDefault; + } + } + } + } + + /** + * {@link Unsafe#getAndSetObject(Object, long, Object)}. 
+ */ + class GetAndSetObject { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + public static boolean enter(@Argument(0) Object obj, @Argument(1) long offset, @Argument(2) Object newValue) { + MemorySize size = MemorySize.OBJECT; + // `onWriteAccess` check is mainly needed to make sure `writtenObject` is valid; everything else is + // already checked by `onReadAccess` (correct field offset & size) + return UnsafeSanitizerImpl.onReadAccess(obj, offset, size) && UnsafeSanitizerImpl.onWriteAccess(obj, offset, size, newValue); + } + + @OnMethodExit + public static void exit(@Enter boolean wasExecuted, @Return(readOnly = false) Object result) { + if (!wasExecuted) { + //noinspection UnusedAssignment + result = null; + } + } + } + + /** + * All {@code putX} methods. + */ + class PutX { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + // Note: Don't use `@Origin Method` because that would create a new `Method` for every call + public static boolean enter(@Origin("#m") String methodName, @Origin MethodType method, @AllArguments(typing = DYNAMIC) Object[] arguments) { + Object obj; + int addressIndex; + // Check index 1 because index 0 is `Unsafe` (receiver type) + if (method.parameterType(1) == Object.class) { + obj = arguments[0]; + addressIndex = 1; + } else { + obj = null; + addressIndex = 0; + } + + boolean isPutAddressMethod = methodName.equals("putAddress"); + + long address = (long) arguments[addressIndex]; + int valueIndex = addressIndex + 1; + MemorySize size; + Object writtenObject = null; + if (isPutAddressMethod) { + size = MemorySize.ADDRESS; + + // `Unsafe.putAddress` says behavior is undefined if address value does not point to valid allocation + long addressValue = (long) arguments[valueIndex]; + if (!UnsafeSanitizerImpl.verifyValidMemoryAddress(addressValue)) { + return false; + } + } else { + // Additional `+ 1` because index 0 is `Unsafe` (receiver type) + Class valueClass = 
method.parameterType(valueIndex + 1); + size = MemorySize.fromClass(valueClass); + if (valueClass == Object.class) { + writtenObject = arguments[valueIndex]; + } + } + + return UnsafeSanitizerImpl.onWriteAccess(obj, address, size, writtenObject); + } + } + + /** + * All {@code compareAndSwapX} methods, except for {@link Unsafe#compareAndSwapObject(Object, long, Object, Object)} + * (which is handled by {@link CompareAndSwapObject}). + */ + class CompareAndSwapX { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + // Note: Don't use `@Origin Method` because that would create a new `Method` for every call + public static boolean enter(@Origin("#m") String methodName, @Argument(0) Object obj, @Argument(1) long offset) { + MemorySize size = switch (methodName) { + case "compareAndSwapInt" -> MemorySize.BYTE_4; + case "compareAndSwapLong" -> MemorySize.BYTE_8; + default -> throw new AssertionError("Unexpected method: " + methodName); + }; + // Technically this is also `onWriteAccess`, but that would be mainly relevant for marking memory as + // initialized, and `onReadAccess` already verifies that memory is initialized + return UnsafeSanitizerImpl.onReadAccess(obj, offset, size); + } + + @OnMethodExit + public static void exit(@Enter boolean wasExecuted, @Return(readOnly = false) boolean result) { + if (!wasExecuted) { + //noinspection UnusedAssignment + result = false; + } + } + } + + /** + * {@link Unsafe#compareAndSwapObject(Object, long, Object, Object)} + */ + class CompareAndSwapObject { + @OnMethodEnter(skipOn = OnDefaultValue.class) // -> `return false` = skip + public static boolean enter(@Argument(0) Object obj, @Argument(1) long offset, @Argument(3) Object newValue) { + MemorySize size = MemorySize.OBJECT; + // `onWriteAccess` check is mainly needed to make sure `writtenObject` is valid; everything else is + // already checked by `onReadAccess` (correct field offset & size) + return UnsafeSanitizerImpl.onReadAccess(obj, offset, 
size) && UnsafeSanitizerImpl.onWriteAccess(obj, offset, size, newValue); + } + + @OnMethodExit + public static void exit(@Enter boolean wasExecuted, @Return(readOnly = false) boolean result) { + if (!wasExecuted) { + //noinspection UnusedAssignment + result = false; + } + } + } + + + /* + TODO: Maybe cover the following incorrect usage (validation only seems to happen in native code?) + + class Test { + int i; + static int s; + } + + unsafe.arrayBaseOffset(int.class); + unsafe.arrayIndexScale(int.class); + unsafe.staticFieldBase(Test.class.getDeclaredField("i")); + unsafe.staticFieldOffset(Test.class.getDeclaredField("i")); + unsafe.objectFieldOffset(Test.class.getDeclaredField("s")); + */ +} diff --git a/src/main/java/marcono1234/unsafe_sanitizer/UnsafeSanitizer.java b/src/main/java/marcono1234/unsafe_sanitizer/UnsafeSanitizer.java new file mode 100644 index 0000000..aaef405 --- /dev/null +++ b/src/main/java/marcono1234/unsafe_sanitizer/UnsafeSanitizer.java 
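Review bot: In `AllocateMemory.exit` and `ReallocateMemory.exit` the returned address is overwritten with `INVALID_ADDRESS` whenever the tracker callback returns false, including when `wasExecuted` is true and the native call has already handed out a block. The caller then never sees that address, so the block can be neither freed nor tracked, and for `reallocateMemory` the old block is presumably no longer usable either. Whether `onAllocatedMemory` or `onReallocatedMemory` can return false after a successful call depends on `UnsafeSanitizerImpl`, which this hunk does not show. If that path is reachable, both assignments should carry a comment such as `// Note: if the call was executed, the allocated block is dropped here (neither tracked nor freed)`, or the block should be released before 0 is returned.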
@@ -0,0 +1,664 @@ +package marcono1234.unsafe_sanitizer; + +import marcono1234.unsafe_sanitizer.UnsafeInterceptors.*; +import marcono1234.unsafe_sanitizer.agent_impl.UnsafeSanitizerImpl; +import net.bytebuddy.agent.ByteBuddyAgent; +import net.bytebuddy.agent.builder.AgentBuilder; +import net.bytebuddy.matcher.ElementMatchers; +import org.jetbrains.annotations.CheckReturnValue; +import org.jetbrains.annotations.Nullable; +import sun.misc.Unsafe; + +import java.io.IOException; +import java.io.InputStream; +import java.io.UncheckedIOException; +import java.lang.instrument.Instrumentation; +import java.nio.ByteBuffer; +import java.nio.file.DirectoryStream; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.StandardCopyOption; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Set; +import java.util.concurrent.locks.Lock; +import java.util.concurrent.locks.ReentrantLock; +import java.util.jar.JarFile; + +import static marcono1234.unsafe_sanitizer.agent_impl.DirectByteBufferHelper.DEALLOCATOR_CLASS_NAME; +import static net.bytebuddy.matcher.ElementMatchers.*; + +/** + * Class for installing and configuring the {@link Unsafe} sanitizer agent. + * + *

The agent can be installed either at runtime using one of the {@link #installAgent(AgentSettings)} methods + * or when starting the JVM by using {@code -javaagent}: + *

+ * java -javaagent:unsafe-address-sanitizer-standalone-agent.jar -jar my-application.jar
+ * 
+ * + *

When installed using {@code -javaagent}, by default the sanitizer will use {@link ErrorAction#THROW}. + * Custom agent settings can be specified; to view all possible options and examples, start the agent as regular JAR + * (without any additional arguments): + *

+ * java -jar unsafe-address-sanitizer-standalone-agent.jar
+ * 
+ * + *

Once installed subsequent {@code Unsafe} usage will be checked and bad memory access will be reported. + * Which cases of bad memory access will be detected and how they are reported depends on the {@link AgentSettings}. + * + *

Most methods of this class assume that the sanitizer agent has already been installed, otherwise an + * {@link IllegalStateException} will be thrown. + */ +public class UnsafeSanitizer { + private UnsafeSanitizer() { + } + + /** + * Unsafe Sanitizer agent settings. Use {@link #defaultSettings()} for defaults, or customize settings + * by calling the constructor or the {@code withX} methods. Some of the settings can also be changed + * afterwards at runtime using methods of {@link UnsafeSanitizer}. + * + * @param instrumentationLogging + * Whether to log information during instrumentation. Can be useful for troubleshooting. + * @param globalNativeMemorySanitizer + * Whether to enable the native memory sanitizer globally. + * + *

When disabled only field and array memory access is sanitized. Disabling this can be useful when + * the tested code is known to not use native memory, but the test or fuzzing framework is using + * native memory and the sanitizer could interfere with it or slow it down. + * + *

Regardless of whether the sanitizer is enabled globally, it is always possible to sanitize native memory + * access in a local scope using {@link #withScopedNativeMemoryTracking(boolean, MemoryAction)}. + * @param uninitializedMemoryTracking + * Whether to track if native memory is initialized or not. + * + *

Disabling this can improve performance, but will then not report any errors when uninitialized + * memory is read. Has no effect for global tracking when native memory sanitization is + * {@linkplain #withGlobalNativeMemorySanitizer(boolean) disabled}, but can affect {@linkplain #withScopedNativeMemoryTracking(MemoryAction) scoped tracking}. + * @param errorAction + * Defines how to handle bad memory access; can be changed at runtime with + * {@link UnsafeSanitizer#setErrorAction(ErrorAction)}. + * @param callDebugLogging + * Whether to log debug information about called {@code Unsafe} methods; can be changed at runtime + * with {@link UnsafeSanitizer#setIsDebugLogging(boolean)}. + */ + public record AgentSettings( + boolean instrumentationLogging, + boolean globalNativeMemorySanitizer, + boolean uninitializedMemoryTracking, + ErrorAction errorAction, + boolean callDebugLogging + ) { + public AgentSettings { + Objects.requireNonNull(errorAction); + } + + /** + * Creates 'default' agent settings suitable for most use cases. The settings have the following values: + *

    + *
  • {@link #instrumentationLogging()}: true
  • + *
  • {@link #globalNativeMemorySanitizer()}: true
  • + *
  • {@link #uninitializedMemoryTracking()}: true
  • + *
  • {@link #errorAction()}: {@link ErrorAction#THROW}
  • + *
  • {@link #callDebugLogging()}: false
  • + *
+ * + *

The returned settings can be customized further using the {@code withX} methods of this + * class, for example: + *

+         * var settings = AgentSettings.defaultSettings().withCallDebugLogging(true);
+         * 
+ */ + public static AgentSettings defaultSettings() { + return new AgentSettings( + true, + // Note: If this default for `globalNativeMemorySanitizer` causes issues even for `premain` when + // there have already been allocations before, leading to false positive errors, could consider + // skipping native memory access sanitization for all threads which already existed when `premain` + // was called (except for 'main' thread) + true, + true, + ErrorAction.THROW, + false + ); + } + + /** + * Creates new agent settings with modified {@link #instrumentationLogging()} value. + */ + public AgentSettings withInstrumentationLogging(boolean instrumentationLogging) { + return new AgentSettings( + instrumentationLogging, + globalNativeMemorySanitizer, + uninitializedMemoryTracking, + errorAction, + callDebugLogging + ); + } + + /** + * Creates new agent settings with modified {@link #globalNativeMemorySanitizer()} value. + */ + public AgentSettings withGlobalNativeMemorySanitizer(boolean globalNativeMemorySanitizer) { + return new AgentSettings( + instrumentationLogging, + globalNativeMemorySanitizer, + uninitializedMemoryTracking, + errorAction, + callDebugLogging + ); + } + + /** + * Creates new agent settings with modified {@link #uninitializedMemoryTracking()} value. + */ + public AgentSettings withUninitializedMemoryTracking(boolean uninitializedMemoryTracking) { + return new AgentSettings( + instrumentationLogging, + globalNativeMemorySanitizer, + uninitializedMemoryTracking, + errorAction, + callDebugLogging + ); + } + + /** + * Creates new agent settings with modified {@link #errorAction()} value. + */ + public AgentSettings withErrorAction(ErrorAction errorAction) { + return new AgentSettings( + instrumentationLogging, + globalNativeMemorySanitizer, + uninitializedMemoryTracking, + errorAction, + callDebugLogging + ); + } + + /** + * Creates new agent settings with modified {@link #callDebugLogging()} value. 
+ */ + public AgentSettings withCallDebugLogging(boolean callDebugLogging) { + return new AgentSettings( + instrumentationLogging, + globalNativeMemorySanitizer, + uninitializedMemoryTracking, + errorAction, + callDebugLogging + ); + } + } + + private static volatile boolean isInstalled = false; + private static final Lock installLock = new ReentrantLock(); + @Nullable("when the agent has not been installed yet") + private static AgentSettings agentSettings; + + /** + * Dynamically installs the agent at runtime. Has no effect if the agent has already been installed. + * + *

Warning

+ * Dynamically installing agents at runtime might not be supported by all JVMs and might require a full JDK instead + * of just a JRE (or certain JDK modules not included by a JRE by default), see {@link ByteBuddyAgent#install()} + * for details. Additionally, future JDK versions will disallow dynamically installing agents by default, + * see JEP 451. + * + *

If possible prefer installing the agent by starting the JVM with {@code -javaagent}, or use + * {@link #installAgent(Instrumentation, AgentSettings)} if an {@link Instrumentation} instance is already + * available. + * + * @param settings + * settings for the sanitizer agent; if the agent has been installed before, these settings must + * match the previous ones, otherwise an exception is thrown + * @throws IllegalArgumentException + * if this agent had already been installed before but with different {@link AgentSettings} + */ + public static void installAgent(AgentSettings settings) throws IllegalArgumentException { + installAgent(ByteBuddyAgent.install(), settings); + } + + /** + * Installs the agent, using a provided {@link Instrumentation} instance. Has no effect if the agent has already + * been installed. + * + *

This method is intended for third-party agents which already have an {@code Instrumentation} instance + * available and want to additionally install this unsafe-sanitizer agent. + * + * @param instrumentation + * instrumentation instance used for installing the agent + * @param settings + * settings for the sanitizer agent; if the agent has been installed before, these settings must + * match the previous ones, otherwise an exception is thrown + * @throws IllegalArgumentException + * if this agent had already been installed before but with different {@link AgentSettings} + */ + public static void installAgent(Instrumentation instrumentation, AgentSettings settings) throws IllegalArgumentException { + Objects.requireNonNull(instrumentation); + Objects.requireNonNull(settings); + + // Note: Don't return fast here if `isInstalled == true` without acquiring lock; + // instead always acquire lock to make sure that once method returns agent has been fully installed + // (possibly by different thread though) + installLock.lock(); + try { + if (isInstalled) { + assert UnsafeSanitizer.agentSettings != null; + if (!UnsafeSanitizer.agentSettings.equals(settings)) { + throw new IllegalArgumentException( + "Settings of installed agent do not match provided settings:\n previous settings: " + + UnsafeSanitizer.agentSettings + "\n new settings: " + settings + ); + } + return; + } + + UnsafeSanitizer.agentSettings = settings; + addAgentToBootstrapClasspath(instrumentation); + + if (!settings.globalNativeMemorySanitizer) { + UnsafeSanitizerImpl.disableNativeMemorySanitizer(); + } + if (!settings.uninitializedMemoryTracking) { + UnsafeSanitizerImpl.disableUninitializedMemoryTracking(); + } + UnsafeSanitizerImpl.setErrorAction(settings.errorAction.getAgentErrorAction()); + UnsafeSanitizerImpl.setIsDebugLogging(settings.callDebugLogging); + + // Allow the agent to access the values of the internal `DirectByteBuffer$Deallocator` class + Module agentModule = 
UnsafeSanitizerImpl.class.getModule(); + instrumentation.redefineModule( + ByteBuffer.class.getModule(), + Set.of(), + Map.of(), + // Add 'opens' + Map.of("java.nio", Set.of(agentModule)), + Set.of(), + Map.of() + ); + + var transforms = List.of( + new TransformBuilder(Unsafe.class) + .addMethod("allocateMemory", AllocateMemory.class) + .addMethod("reallocateMemory", ReallocateMemory.class) + .addMethod("freeMemory", FreeMemory.class) + .addMethods(named("setMemory").and(isPublic()).and(takesArguments(4)), SetMemoryObject.class) + .addMethods(named("setMemory").and(isPublic()).and(takesArguments(3)), SetMemoryAddress.class) + .addMethods(named("copyMemory").and(isPublic()).and(takesArguments(5)), CopyMemoryObject.class) + .addMethods(named("copyMemory").and(isPublic()).and(takesArguments(3)), CopyMemoryAddress.class) + .addMethods( + nameStartsWith("get").and(isPublic()) + // Avoid matching unrelated getters such as `getUnsafe`, `getLoadAverage` or `getClass` + .and(hasParameters(whereAny(hasType(is(long.class))))) + // `getAndSetObject` is handled separately below + .and(not(named("getAndSetObject"))), + GetX.class + ) + .addMethod("getAndSetObject", GetAndSetObject.class) + .addMethodsWithPrefix("put", PutX.class) + .addMethods( + nameStartsWith("compareAndSwap").and(isPublic()) + // `compareAndSwapObject` is handled separately below + .and(not(named("compareAndSwapObject"))), + CompareAndSwapX.class + ) + .addMethod("compareAndSwapObject", CompareAndSwapObject.class), + new TransformBuilder(ByteBuffer.class) + .addMethod("allocateDirect", DirectByteBufferInterceptors.AllocateDirect.class), + new TransformBuilder(DEALLOCATOR_CLASS_NAME) + .addMethod("run", DirectByteBufferInterceptors.DeallocatorRun.class) + ); + + // The agent and the advice classes are installed here (in non-bootstrap) because otherwise if this was + // done in the JAR loaded from bootstrap Byte Buddy seems to be unable to locate the advice classes, + // Possibly same issue as 
https://github.com/raphw/byte-buddy/issues/720 + AgentBuilder agentBuilder = new AgentBuilder.Default() + // Need to use `RETRANSFORMATION` because the JDK classes which should be instrumented are most likely + // already loaded, see https://github.com/raphw/byte-buddy/issues/1564#issuecomment-1906823082 + .with(AgentBuilder.RedefinitionStrategy.RETRANSFORMATION) + // (Not completely sure if `disableClassFormatChanges()` is needed, but the Byte Buddy comment above + // mentions it, so use it to be safe) + .disableClassFormatChanges() + // Overwrite default ignore matcher to be able to instrument the JDK classes loaded by the bootstrap + // classloader, see https://github.com/raphw/byte-buddy/issues/236#issuecomment-268968111 + .ignore(ElementMatchers.nameStartsWith("net.bytebuddy.")); + /* + * TODO: Not sure if this is needed as well (maybe for cases where `Unsafe` has not been loaded yet?): + * .with(AgentBuilder.InitializationStrategy.NoOp.INSTANCE) + * .with(AgentBuilder.TypeStrategy.Default.REDEFINE) + */ + + if (settings.instrumentationLogging) { + var typeNames = transforms.stream().map(TransformBuilder::getClassToTransform).map(Class::getName).toList(); + + var logger = new AgentBuilder.Listener.Filtering( + ElementMatchers.anyOf(typeNames), + AgentBuilder.Listener.StreamWriting.toSystemOut() + ); + agentBuilder = agentBuilder.with(logger); + } + + for (TransformBuilder transform : transforms) { + agentBuilder = transform.configure(agentBuilder); + } + + agentBuilder.installOn(instrumentation); + + isInstalled = true; + } finally { + installLock.unlock(); + } + } + + private static Path createLockFilePath(Path path) { + return path.resolveSibling(path.getFileName().toString() + ".lock"); + } + + /* + * The agent has to be added to the bootstrap classpath so that the injected `Advice` code can access + * its classes. 
+ * + * The implementation here is based on https://github.com/CodeIntelligenceTesting/jazzer/blob/5bc43a6f65180cb003605349c9e2fdadc702d2c8/src/main/java/com/code_intelligence/jazzer/agent/AgentUtils.java#L30 + * The agent JAR is embedded as resource, this has the following advantages: + * - In case the enclosing JAR is repackaged, the agent JAR stays intact + * - Prevents accidentally loading agent classes with non-bootstrap classloader, causing errors at runtime + * (now can only get errors about missing classes if agent has not been installed yet, but public API + * here prevents this) + * - Can easily obtain agent-impl JAR, whereas if agent-impl JAR was not separate, using something like `class.getProtectionDomain().getCodeSource().getLocation()` + * might have the file URL of a large repackaged uber JAR as result, which should most likely not be added + * to the bootstrap classpath + */ + private static void addAgentToBootstrapClasspath(Instrumentation instrumentation) { + String jarNamePrefix = "unsafe-sanitizer-agent-"; + String jarNameSuffix = ".jar"; + + Path jarDir; + JarFile jar; + try { + Path agentJarPath = Files.createTempFile(jarNamePrefix, jarNameSuffix); + // TODO: Trailing `_` is as workaround for https://github.com/johnrengelman/shadow/issues/111 + InputStream agentJarStream = UnsafeSanitizer.class.getResourceAsStream("agent-impl.jar_"); + if (agentJarStream == null) { + throw new IllegalStateException("agent-impl JAR is missing"); + } + + try (agentJarStream) { + Files.copy(agentJarStream, agentJarPath, StandardCopyOption.REPLACE_EXISTING); + } + jarDir = agentJarPath.getParent(); + + // On Windows this seems to have no effect, see https://bugs.openjdk.org/browse/JDK-8219681 + // Therefore need to clean up manually, see below + agentJarPath.toFile().deleteOnExit(); + // Create a 'lock file' to know if agent JAR is still in use + Path lockFile = createLockFilePath(agentJarPath); + Files.createFile(lockFile); + lockFile.toFile().deleteOnExit(); + 
+ jar = new JarFile(agentJarPath.toFile()); + } catch (Exception e) { + throw new IllegalStateException("Failed preparing agent-impl JAR", e); + } + + // Delete old temporary agent JAR files, because on Windows `deleteOnExit` does not work for this, + // see https://bugs.openjdk.org/browse/JDK-8219681 + DirectoryStream.Filter agentJarFilter = file -> { + if (!Files.isRegularFile(file)) { + return false; + } + + String name = file.getFileName().toString(); + return name.startsWith(jarNamePrefix) && name.endsWith(jarNameSuffix); + }; + try (DirectoryStream agentJarFiles = Files.newDirectoryStream(jarDir, agentJarFilter)) { + for (Path agentJarFile : agentJarFiles) { + Path lockFile = createLockFilePath(agentJarFile); + // Only delete if the agent JAR is not in use anymore, i.e. the lock file does not exist + if (Files.notExists(lockFile)) { + try { + Files.delete(agentJarFile); + } catch (IOException e) { + // Ignore if deletion failed + } + } + } + } catch (IOException e) { + throw new UncheckedIOException("Failed cleaning up old agent JARs", e); + } + + instrumentation.appendToBootstrapClassLoaderSearch(jar); + } + + /** Verifies that the agent is installed, and the agent-impl classes can be accessed */ + static void checkInstalled() { + if (!isInstalled) { + throw new IllegalStateException("Agent has not been installed"); + } + } + + // Important: Guard all these methods with a `checkInstalled()`, otherwise they will fail because agent classes + // have not been added to classpath yet + + // TODO: Remove and only allow configuring this through AgentSettings? + /** + * Sets the error action, that is, how to react to bad memory access. + * + *

This setting can already be specified when the agent is installed by using {@link AgentSettings#withErrorAction(ErrorAction)}. + */ + public static void setErrorAction(ErrorAction errorAction) { + Objects.requireNonNull(errorAction); + checkInstalled(); + UnsafeSanitizerImpl.setErrorAction(errorAction.getAgentErrorAction()); + + // TODO: Should this update / replace the `agentSettings` (while holding `installLock`)? + } + + /** + * Sets whether debug logging for {@code Unsafe} methods should be enabled. + * + *

This setting can already be specified when the agent is installed by using {@link AgentSettings#withCallDebugLogging(boolean)}. + */ + public static void setIsDebugLogging(boolean isDebugLogging) { + checkInstalled(); + UnsafeSanitizerImpl.setIsDebugLogging(isDebugLogging); + + // TODO: Should this update / replace the `agentSettings` (while holding `installLock`)? + } + + // TODO: Maybe only provide `getAndClearLastError()` but not `getLastError()` and `clearLastError()`? + // (but remove `@CheckReturnValue` then) + + /** + * Gets the last bad memory access error, if any, returning {@code null} otherwise. + * + *

This method is useful to verify that no bad memory access error has not been discarded somewhere + * in the code calling {@code Unsafe}, or when an {@linkplain #setErrorAction(ErrorAction) error action} is + * used which does not throw the error. The last error is set regardless of whether the original error + * was propagated or not. And it will not be cleared automatically if subsequent usage of {@code Unsafe} + * methods performs good memory access. + * + *

The error is retrieved from the global scope, or from the current {@linkplain #withScopedNativeMemoryTracking(boolean, MemoryAction) local scope} + * (in case one is active). For the global scope it might be overwritten concurrently by a different thread. + * + *

Normally {@link #getAndClearLastError()} should be preferred over {@code getLastError()} to avoid + * accidentally retrieving the same error later again on subsequent calls. Alternatively {@link #clearLastError()} + * can be used to clear the error after a {@code getLastError()} call. + */ + @CheckReturnValue + @Nullable + public static Error getLastError() { + checkInstalled(); + return UnsafeSanitizerImpl.getLastErrorRef().get(); + } + + /** + * Clears the last bad memory access error, if any. + * + * @see #getLastError() + */ + public static void clearLastError() { + //noinspection ResultOfMethodCallIgnored,ThrowableNotThrown + getAndClearLastError(); + } + + /** + * Gets and clears the last bad memory access error, if any, returning {@code null} otherwise. + * + *

This is a convenience method which combines {@link #getLastError()} and {@link #clearLastError()}. + */ + @CheckReturnValue + @Nullable + public static Error getAndClearLastError() { + checkInstalled(); + // Directly perform this using `AtomicReference#getAndSet` to avoid a race condition where clearing + // erroneously clears a different error which has been set in the meantime + return UnsafeSanitizerImpl.getLastErrorRef().getAndSet(null); + } + + // TODO: Remove and only allow configuring this through AgentSettings? + /** + * Disables global sanitization of native memory access. + * + *

When disabled, only field and array memory access is sanitized. Disabling this can be useful when + * the tested code is known to not use native memory, but the test or fuzzing framework is using + * native memory and the sanitizer could interfere with it or slow it down. + * + *

This setting can already be specified when the agent is installed by using {@link AgentSettings#withGlobalNativeMemorySanitizer(boolean)}. + */ + // No method for enabling this again because otherwise could lead to spurious errors for memory + // which was allocated while sanitizer was disabled + public static void disableNativeMemorySanitizer() { + checkInstalled(); + UnsafeSanitizerImpl.disableNativeMemorySanitizer(); + + // TODO: Should this update / replace the `agentSettings` (while holding `installLock`)? + } + + /** + * Manually registers a section of allocated memory with this sanitizer. + * + *

This method is intended for use cases where the sanitizer has to be informed that a certain + * section of memory has already been allocated without it having noticed it. For example when the agent + * has been {@linkplain #installAgent(AgentSettings) installed at runtime}, or when the memory has been + * allocated through means other than {@code Unsafe} or {@link ByteBuffer#allocateDirect(int)}. + * Otherwise if that memory had not been registered, the sanitizer would likely report errors when + * trying to access that memory later. + * + * @see #deregisterAllocatedMemory(long) + */ + public static void registerAllocatedMemory(long address, long bytesCount) { + checkInstalled(); + if (address <= 0) { + throw new IllegalArgumentException("Invalid address: " + address); + } + if (bytesCount <= 0) { + throw new IllegalArgumentException("Invalid bytes count: " + address); + } + + // Assume that memory is fully initialized + boolean trackUninitialized = false; + // TODO: Maybe handle it better when ErrorAction is not THROW (and this only returns false instead of throwing)? + if (!UnsafeSanitizerImpl.onAllocatedMemory(address, bytesCount, trackUninitialized)) { + throw new IllegalStateException("Failed to register allocated memory"); + } + } + + /** + * Deregisters allocated memory previously registered with {@link #registerAllocatedMemory(long, long)}. + */ + public static void deregisterAllocatedMemory(long address) { + checkInstalled(); + if (address <= 0) { + throw new IllegalArgumentException("Invalid address: " + address); + } + + // Note: This does not actually check that memory has been registered with `registerAllocatedMemory` before, + // but that is probably fine for now; in case of double free this would then raise an error + // TODO: Maybe handle it better when ErrorAction is not THROW (and this only returns false instead of throwing)? 
+ if (!UnsafeSanitizerImpl.freeMemory(address)) { + throw new IllegalStateException("Failed to deregister allocated memory"); + } + } + + /** + * Action which performs native memory access, which should be sanitized by + * {@link #withScopedNativeMemoryTracking(boolean, MemoryAction)}. + * + * @param + * the type of the exception thrown by the action, if any + */ + @FunctionalInterface + public interface MemoryAction { + void run() throws E; + } + + // TODO: Maybe also have method with allows running scoped so that `lastError` is scoped, but without + // enabling native memory tracking (or using global native memory tracking, if enabled?) + + /** + * Same as {@link #withScopedNativeMemoryTracking(boolean, MemoryAction)}, except that whether uninitialized + * memory is tracked is inherited from the {@linkplain AgentSettings#withUninitializedMemoryTracking(boolean) agent settings}. + */ + public static void withScopedNativeMemoryTracking(MemoryAction action) throws IllegalStateException, E { + checkInstalled(); + Objects.requireNonNull(action); + + UnsafeSanitizerImpl.withScopedNativeMemoryTracking(null, action::run); + } + + /** + * Runs the {@code action} in a scope where native memory tracking is enabled, regardless of whether it has + * been enabled {@linkplain AgentSettings#globalNativeMemorySanitizer() globally} before. + * + *

Using scoped tracking can be useful to avoid interference with other code using {@code Unsafe}, such + * as the testing or fuzzing framework running the tested code. Note however that the scope is thread-local, + * so any access in other threads is not tracked. + * + *

The scope tracks the {@linkplain #getLastError() last error} separately from the global scope. If the + * {@code action} does not throw any exception, but it is detected that a bad memory access occurred, an + * {@link IllegalStateException} is thrown because the original bad memory access error was apparently + * (accidentally) discarded. + * + * @param trackUninitialized + * whether to additionally track if read access on uninitialized memory is performed + * @param action + * action to run with native memory tracking enabled + * @throws IllegalStateException + * if a local scope is already active + * @throws IllegalStateException + * if no exception was thrown by the {@code action}, but bad memory access was detected (that is, the + * bad memory access error was discarded) + * @throws E + * exception thrown by {@code action}, if any + * + * @see #withScopedNativeMemoryTracking(MemoryAction) + */ + public static void withScopedNativeMemoryTracking(boolean trackUninitialized, MemoryAction action) throws IllegalStateException, E { + checkInstalled(); + Objects.requireNonNull(action); + + UnsafeSanitizerImpl.withScopedNativeMemoryTracking(trackUninitialized, action::run); + } + + /** + * Verifies that all native memory has been freed again. + * + *

This can be especially useful in combination with {@link #withScopedNativeMemoryTracking(boolean, MemoryAction)}, + * as last call in the memory action. Using it with the global memory sanitizer should be done with care since + * allocations unrelated to the tested library might have been performed, e.g. by the testing or fuzzing framework. + * + * @throws IllegalStateException + * if the native memory sanitizer is not enabled (neither globally nor in a local scope) + * @throws IllegalStateException + * if not all native memory has been freed + */ + public static void checkAllNativeMemoryFreed() { + checkInstalled(); + // TODO: Maybe support `forgetMemorySections = true` as well? Otherwise users will experience same issues + // as in the tests in this project: Once one test forgets to clean up memory all subsequent tests will + // fail because for them the memory from the first failing test still exists + // Remove `TestSupport#checkAllNativeMemoryFreedAndForget` then + UnsafeSanitizerImpl.checkAllNativeMemoryFreed(false); + } +} diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java new file mode 100644 index 0000000..ab7296e --- /dev/null +++ b/src/main/java/module-info.java @@ -0,0 +1,19 @@ +/** + * Module for installing and interacting with the {@code Unsafe} sanitizer, see + * {@link marcono1234.unsafe_sanitizer.UnsafeSanitizer}. + */ +@SuppressWarnings({"module", "JavaModuleNaming"}) // suppress warnings about module name +module marcono1234.unsafe_sanitizer { + requires marcono1234.unsafe_sanitizer.agent_impl; + + requires java.instrument; + // For `sun.misc.Unsafe` + requires jdk.unsupported; + + requires net.bytebuddy; + requires net.bytebuddy.agent; + requires com.google.errorprone.annotations; + requires org.jetbrains.annotations; + + exports marcono1234.unsafe_sanitizer; +} 
diff --git a/src/test/java/marcono1234/unsafe_sanitizer/AgentMainTest.java b/src/test/java/marcono1234/unsafe_sanitizer/AgentMainTest.java new file mode 100644 index 0000000..554b37c --- /dev/null +++ b/src/test/java/marcono1234/unsafe_sanitizer/AgentMainTest.java 
@@ -0,0 +1,66 @@ +package marcono1234.unsafe_sanitizer; + +import marcono1234.unsafe_sanitizer.UnsafeSanitizer.AgentSettings; +import org.junit.jupiter.api.Test; + +import java.lang.reflect.Method; +import java.lang.reflect.RecordComponent; + +import static org.junit.jupiter.api.Assertions.*; + +class AgentMainTest { + @Test + void defaultSettings() { + AgentSettings agentMainDefaultSettings = AgentMain.createDefaultSettings(); + // For now assume both default settings should be the same; can be changed in the future if necessary + assertEquals(AgentSettings.defaultSettings(), agentMainDefaultSettings); + } + + @Test + void parseAgentSettings() throws Exception { + // Should keep default values for all non-specified settings + assertEquals(AgentSettings.defaultSettings(), AgentMain.parseAgentSettings("instrumentation-logging=true")); + assertEquals(AgentSettings.defaultSettings(), AgentMain.parseAgentSettings("call-debug-logging=false")); + + String agentArgs = "instrumentation-logging=false" + + ",global-native-memory-sanitizer=false" + + ",uninitialized-memory-tracking=false" + + ",error-action=print-skip" + + ",call-debug-logging=true"; + AgentSettings parsedSettings = AgentMain.parseAgentSettings(agentArgs); + AgentSettings defaultSettings = AgentSettings.defaultSettings(); + assertNotEquals(defaultSettings, parsedSettings); + + // Assumes that agentArgs above overwrite default values for all components + for (RecordComponent recordComponent : AgentSettings.class.getRecordComponents()) { + Method accessor = recordComponent.getAccessor(); + Object defaultValue = accessor.invoke(defaultSettings); + Object parsedValue = accessor.invoke(parsedSettings); + assertNotEquals(defaultValue, parsedValue, "Expected different values for " + recordComponent.getName()); + } + } + + @Test + void parseAgentSettings_Error() { + var e = assertThrows(IllegalArgumentException.class, () -> AgentMain.parseAgentSettings("instrumentation-logging=false,")); + assertEquals("Invalid blank 
argument in agent args: instrumentation-logging=false,", e.getMessage()); + + e = assertThrows(IllegalArgumentException.class, () -> AgentMain.parseAgentSettings("instrumentation-logging=false,,call-debug-logging=true")); + assertEquals("Invalid blank argument in agent args: instrumentation-logging=false,,call-debug-logging=true", e.getMessage()); + + e = assertThrows(IllegalArgumentException.class, () -> AgentMain.parseAgentSettings("instrumentation-logging")); + assertEquals("Missing value for 'instrumentation-logging'", e.getMessage()); + + e = assertThrows(IllegalArgumentException.class, () -> AgentMain.parseAgentSettings("something-unknown=value")); + assertEquals("Unknown option: something-unknown", e.getMessage()); + + e = assertThrows(IllegalArgumentException.class, () -> AgentMain.parseAgentSettings("instrumentation-logging=not-boolean")); + assertEquals("Invalid value for 'instrumentation-logging': Invalid boolean 'not-boolean'", e.getMessage()); + + e = assertThrows(IllegalArgumentException.class, () -> AgentMain.parseAgentSettings("error-action=something-invalid")); + assertEquals("Invalid value for 'error-action': Invalid error action 'something-invalid'", e.getMessage()); + + e = assertThrows(IllegalArgumentException.class, () -> AgentMain.parseAgentSettings("error-action=throw,error-action=print")); + assertEquals("Duplicate 'error-action' value", e.getMessage()); + } +} diff --git a/src/test/java/marcono1234/unsafe_sanitizer/DebugLoggingTest.java b/src/test/java/marcono1234/unsafe_sanitizer/DebugLoggingTest.java new file mode 100644 index 0000000..a2bf7d9 --- /dev/null +++ b/src/test/java/marcono1234/unsafe_sanitizer/DebugLoggingTest.java 
@@ -0,0 +1,254 @@ +package marcono1234.unsafe_sanitizer; + +import marcono1234.unsafe_sanitizer.UnsafeSanitizer.AgentSettings; +import marcono1234.unsafe_sanitizer.agent_impl.DirectByteBufferHelper; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import sun.misc.Unsafe; + +import java.io.ByteArrayOutputStream; +import java.io.PrintStream; +import java.lang.ref.Reference; +import java.nio.ByteBuffer; +import java.nio.charset.StandardCharsets; +import java.util.Objects; +import java.util.concurrent.atomic.AtomicLong; +import java.util.concurrent.atomic.AtomicReference; +import java.util.function.Consumer; +import java.util.function.Supplier; +import java.util.regex.Pattern; + +import static marcono1234.unsafe_sanitizer.MemoryHelper.allocateMemory; +import static marcono1234.unsafe_sanitizer.MemoryHelper.freeMemory; +import static marcono1234.unsafe_sanitizer.TestSupport.assertBadMemoryAccess; +import static marcono1234.unsafe_sanitizer.UnsafeAccess.unsafe; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; + +class DebugLoggingTest { + @BeforeAll + static void installAgent() { + UnsafeSanitizer.installAgent(AgentSettings.defaultSettings()); + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + // This mainly prevents spurious errors in case any other test failed to free memory + TestSupport.checkAllNativeMemoryFreedAndForget(); + UnsafeSanitizer.setIsDebugLogging(true); + } + + @AfterAll + static void resetDebugLogging() { + UnsafeSanitizer.setIsDebugLogging(false); + } + + @AfterEach + void checkNoError() { + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected error", lastError); + } + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + @AfterEach + void resetErrorAction() { + 
UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + } + + private static void assertDebugLog(Runnable runnable, String expectedOutput) { + assertDebugLog(runnable, () -> expectedOutput); + } + + private static void assertDebugLog(Runnable runnable, Supplier expectedOutput) { + assertDebugLogImpl(runnable, output -> assertEquals(expectedOutput.get(), output)); + } + + private static void assertDebugLog(Runnable runnable, Pattern expectedOutput) { + //noinspection CodeBlock2Expr + assertDebugLogImpl(runnable, output -> { + assertTrue(expectedOutput.matcher(output).matches(), "Unexpected output: " + output); + }); + } + + private static void assertDebugLogImpl(Runnable runnable, Consumer assertion) { + Objects.requireNonNull(runnable); + + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected previous error", lastError); + } + + ByteArrayOutputStream capturedOut = new ByteArrayOutputStream(); + PrintStream tempSystemOut = new PrintStream(capturedOut, true, StandardCharsets.UTF_8); + PrintStream oldSystemOut = System.out; + + try { + System.setOut(tempSystemOut); + runnable.run(); + } finally { + System.setOut(oldSystemOut); + } + + tempSystemOut.flush(); + String systemOutOutput = capturedOut.toString(StandardCharsets.UTF_8); + + lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected error", lastError); + } + + assertion.accept(systemOutOutput.trim()); + } + + @Test + void allocate_success() { + AtomicLong a = new AtomicLong(); + assertDebugLog( + () -> a.set(allocateMemory(10)), + () -> "[DEBUG] Unsafe.allocateMemory(10) = " + a.get() + ); + freeMemory(a.get()); + } + + @Test + void allocate_thrown_error() { + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + assertDebugLog( + () -> assertBadMemoryAccess(() -> unsafe.allocateMemory(-1)), + "[DEBUG] Unsafe.allocateMemory(-1) = " + ); + } + + @Test + void allocate_unsafe_exception() { + 
UnsafeSanitizer.setErrorAction(ErrorAction.NONE); + assertDebugLog( + () -> { + try { + unsafe.allocateMemory(-1); + } catch (RuntimeException t) { + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError == null) { + throw new AssertionError("No memory error occurred, but other exception was thrown", t); + } + // Else exception is expected + } + }, + // Don't check exact error message because it is an `Unsafe` implementation detail + Pattern.compile("\\[DEBUG\\] Unsafe\\.allocateMemory\\(-1\\) = ") + ); + } + + @Test + void allocate_skipped() { + UnsafeSanitizer.setErrorAction(ErrorAction.PRINT_SKIP); + + ByteArrayOutputStream capturedErr = new ByteArrayOutputStream(); + PrintStream tempSystemErr = new PrintStream(capturedErr, true, StandardCharsets.UTF_8); + PrintStream oldSystemErr = System.err; + + AtomicReference error = new AtomicReference<>(); + + try { + System.setErr(tempSystemErr); + assertDebugLog( + () -> { + unsafe.allocateMemory(-1); + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError == null) { + throw new AssertionError("No memory error occurred"); + } + assertEquals("Invalid bytes count: -1", lastError.getMessage()); + error.set(lastError); + }, + "[DEBUG] Unsafe.allocateMemory(-1) = 0" + ); + } finally { + System.setErr(oldSystemErr); + } + + tempSystemErr.flush(); + String systemErrOutput = capturedErr.toString(StandardCharsets.UTF_8); + assertTrue(systemErrOutput.contains(error.get().toString()), "Unexpected System.err output: " + systemErrOutput); + } + + @Test + void directByteBuffer_allocate() { + AtomicReference buffer = new AtomicReference<>(); + assertDebugLog( + () -> buffer.set(ByteBuffer.allocateDirect(10)), + () -> "[DEBUG] ByteBuffer.allocateDirect(10) = DirectByteBuffer[address=" + DirectByteBufferHelper.getAddress(buffer.get()) + "]" + ); + // Clean up buffer to not affect other tests, in case garbage collection does not directly collect it + unsafe.invokeCleaner(buffer.get()); + } + + @Test + 
void directByteBuffer_free() { + ByteBuffer buffer = ByteBuffer.allocateDirect(10); + long address = DirectByteBufferHelper.getAddress(buffer); + assertDebugLog( + () -> unsafe.invokeCleaner(buffer), + "[DEBUG] DirectByteBuffer$Deallocator[address=" + address + "].run()" + ); + // Make sure buffer is not freed automatically before or within `assertDebugLog` + Reference.reachabilityFence(buffer.get()); + } + + @Test + void putObject_Null() { + String[] a = new String[1]; + long offset = Unsafe.ARRAY_OBJECT_BASE_OFFSET; + assertDebugLog( + () -> unsafe.putObject(a, offset, null), + "[DEBUG] Unsafe.putObject(java.lang.String[length=1], " + offset + ", null)" + ); + } + + @Test + void getObject_String() throws Exception { + class Dummy { + final String s = "abc\u001Fd'\"\\e\u007F"; + + @Override + public String toString() { + return "Dummy"; + } + } + + long offset = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("s")); + assertDebugLog( + () -> unsafe.getObject(new Dummy(), offset), + "[DEBUG] Unsafe.getObject(Dummy, " + offset + ") = \"abc\\u001fd\\'\\\"\\\\e\\u007f\"" + ); + } + + @Test + void putObject_String() throws Exception { + class Dummy { + String s; + + @Override + public String toString() { + return "Dummy"; + } + } + + long offset = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("s")); + assertDebugLog( + () -> unsafe.putObject(new Dummy(), offset, "abc\u001Fd'\"\\e\u007F"), + "[DEBUG] Unsafe.putObject(Dummy, " + offset + ", \"abc\\u001fd\\'\\\"\\\\e\\u007f\")" + ); + } + + @Test + void getInt_Array() { + int[] a = new int[10]; + long offset = Unsafe.ARRAY_INT_BASE_OFFSET; + assertDebugLog( + () -> unsafe.getInt(a, offset), + "[DEBUG] Unsafe.getInt(int[length=10], " + offset + ") = 0" + ); + } +} diff --git a/src/test/java/marcono1234/unsafe_sanitizer/DirectByteBufferTest.java b/src/test/java/marcono1234/unsafe_sanitizer/DirectByteBufferTest.java new file mode 100644 index 0000000..8ec5d7f --- /dev/null 
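Review bot: In `directByteBuffer_free` the final statement passes `buffer.get()` to `Reference.reachabilityFence`, but `buffer` in this test is a plain `ByteBuffer`, so the call does a relative read on the direct buffer after `unsafe.invokeCleaner(buffer)` has released its memory, and it fences only the boxed byte. The fence should take the buffer itself: `Reference.reachabilityFence(buffer);`. The `.get()` looks carried over from `directByteBuffer_allocate`, where `buffer` is an `AtomicReference`. The read presumably goes through the JDK's internal buffer path rather than `sun.misc.Unsafe`, which would explain why the sanitizer does not report it and the test still passes.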
+++ b/src/test/java/marcono1234/unsafe_sanitizer/DirectByteBufferTest.java 
@@ -0,0 +1,195 @@ +package marcono1234.unsafe_sanitizer; + +import marcono1234.unsafe_sanitizer.UnsafeSanitizer.AgentSettings; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + +import java.lang.reflect.Field; +import java.nio.Buffer; +import java.nio.ByteBuffer; +import java.nio.ByteOrder; + +import static marcono1234.unsafe_sanitizer.MemoryHelper.freeMemory; +import static marcono1234.unsafe_sanitizer.TestSupport.*; +import static marcono1234.unsafe_sanitizer.UnsafeAccess.unsafe; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; + +class DirectByteBufferTest { + @BeforeAll + static void installAgent() { + UnsafeSanitizer.installAgent(AgentSettings.defaultSettings()); + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + // This mainly prevents spurious errors in case any other test failed to free memory + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + @AfterEach + void checkNoError() { + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected error", lastError); + } + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + private static long getAddress(ByteBuffer buffer) { + assertTrue(buffer.isDirect()); + Field addressField; + try { + addressField = Buffer.class.getDeclaredField("address"); + } catch (ReflectiveOperationException e) { + throw new RuntimeException(e); + } + + return assertNoBadMemoryAccessGet(() -> unsafe.getLong(buffer, unsafe.objectFieldOffset(addressField))); + } + + private static void assertBadMemoryAccess(ThrowingRunnable runnable, String expectedMessage) { + var e = TestSupport.assertBadMemoryAccess(runnable); + assertEquals(expectedMessage, e.getMessage()); + } + + private final int bytesCount = 10; + private ByteBuffer buffer; + private long address; + + @BeforeEach + void 
setUpBuffer() { + buffer = assertNoBadMemoryAccessGet(() -> ByteBuffer.allocateDirect(bytesCount)); + // Match byte order of Unsafe + buffer.order(ByteOrder.nativeOrder()); + address = getAddress(buffer); + } + + @AfterEach + void clearBuffer() { + // Verify that no double free occurs + // This also makes sure there is still a strong reference to the buffer; otherwise might have to + // use `Reference.reachabilityFence` to prevent garbage collection of the buffer within the tests + assertNoBadMemoryAccess(() -> unsafe.invokeCleaner(buffer)); + + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected error", lastError); + } + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + @Test + void readAccess() { + assertNoBadMemoryAccess(() -> { + assertEquals(0, unsafe.getByte(address)); + assertEquals(0, unsafe.getInt(address)); + assertEquals(0, unsafe.getLong(address)); + assertEquals(0, unsafe.getLong(address + bytesCount - Long.BYTES)); + + buffer.put(0, (byte) 1); + assertEquals(1, unsafe.getByte(address)); + + buffer.putInt(0, 0x12345678); + assertEquals(0x12345678, unsafe.getInt(address)); + + buffer.putLong(0, 0x00_01_02_03_04_05_06_07L); + assertEquals(0x00_01_02_03_04_05_06_07L, unsafe.getLong(address)); + buffer.putLong(2, 0x02_03_04_05_06_07_08_09L); + assertEquals(0x02_03_04_05_06_07_08_09L, unsafe.getLong(address + 2)); + }); + } + + @Test + void writeAccess() { + assertNoBadMemoryAccess(() -> { + unsafe.putByte(address, (byte) 1); + assertEquals(1, buffer.get(0)); + + unsafe.putInt(address, 0x12345678); + assertEquals(0x12345678, buffer.getInt(0)); + + unsafe.putLong(address, 0x00_01_02_03_04_05_06_07L); + int charOffset = Long.BYTES; + unsafe.putChar(address + charOffset, (char) 0x08_09); + assertEquals(0x00_01_02_03_04_05_06_07L, buffer.getLong(0)); + assertEquals((char) 0x08_09, buffer.getChar(charOffset)); + }); + } + + @Test + void outOfBoundsAccess() { + long badAddress = address 
- 1; + String expectedMessage = "Access outside of section at " + badAddress; + assertBadMemoryAccess( + () -> unsafe.getLong(badAddress), + expectedMessage + ); + assertBadMemoryAccess( + () -> unsafe.putLong(badAddress, 0), + expectedMessage + ); + + long badAddressEnd = address + bytesCount - (Long.BYTES - 1); + expectedMessage = "Access outside of section at " + badAddressEnd + ", size " + Long.BYTES + + " (previous section: " + address + ", size " + bytesCount + ")"; + assertBadMemoryAccess( + () -> unsafe.getLong(badAddressEnd), + expectedMessage + ); + assertBadMemoryAccess( + () -> unsafe.putLong(badAddressEnd, 0), + expectedMessage + ); + } + + /** + * Verify that buffer is considered fully initialized, and can read its content without having + * to write data first. + */ + @Test + void readInitial() { + for (int i = 0; i < bytesCount; i++) { + final int iFinal = i; + byte result = assertNoBadMemoryAccessGet(() -> unsafe.getByte(address + iFinal)); + assertEquals(0, result); + } + } + + /** + * Buffer content is assumed to be fully initialized, so must not copy uninitialized data there. 
+ */ + @Test + void copyUninitialized() { + long uninitializedAddress = assertNoBadMemoryAccessGet(() -> unsafe.allocateMemory(bytesCount)); + assertBadMemoryAccess( + () -> unsafe.copyMemory(uninitializedAddress, address, bytesCount), + "Trying to copy uninitialized data from " + uninitializedAddress + ", size 10" + ); + // Clean up + freeMemory(uninitializedAddress); + } + + @Test + void doubleFree() { + buffer.put((byte) 123); + + assertBadMemoryAccess( + () -> unsafe.freeMemory(address), + "Trying to manually free memory of direct ByteBuffer at address " + address + ); + assertBadMemoryAccess( + () -> unsafe.reallocateMemory(address, 10), + "Trying to reallocate memory of direct ByteBuffer at address " + address + ); + + assertNoBadMemoryAccess(() -> { + assertEquals(123, unsafe.getByte(address)); + unsafe.invokeCleaner(buffer); + }); + + assertNoBadMemoryAccess(() -> { + // Cleaner is implemented by JDK to only free memory once + unsafe.invokeCleaner(buffer); + }); + } +} diff --git a/src/test/java/marcono1234/unsafe_sanitizer/MemoryHelper.java b/src/test/java/marcono1234/unsafe_sanitizer/MemoryHelper.java new file mode 100644 index 0000000..df2bd98 --- /dev/null +++ b/src/test/java/marcono1234/unsafe_sanitizer/MemoryHelper.java 
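Review bot: `DirectByteBufferTest` declares two `@AfterEach` methods, `checkNoError` and `clearBuffer`, and `checkNoError` is only correct if it runs after `clearBuffer`. If it ran first, `TestSupport.checkAllNativeMemoryFreedAndForget()` would see the buffer from `setUpBuffer` still allocated. JUnit Jupiter gives no user-controllable ordering between lifecycle methods in the same class, so the passing result depends on an implementation detail. `clearBuffer` already repeats both checks after `unsafe.invokeCleaner(buffer)`, so the separate `checkNoError` can be dropped here, with a comment on `clearBuffer` such as `// Single @AfterEach: the leak check must run after the buffer is released`. What `checkAllNativeMemoryFreedAndForget` does with a live section is not shown in this hunk, so the failure mode is inferred from its name.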
@@ -0,0 +1,29 @@ +package marcono1234.unsafe_sanitizer; + +import static marcono1234.unsafe_sanitizer.TestSupport.assertNoBadMemoryAccess; +import static marcono1234.unsafe_sanitizer.TestSupport.assertNoBadMemoryAccessGet; +import static marcono1234.unsafe_sanitizer.UnsafeAccess.unsafe; + +/** + * Helper class for memory allocation and deallocation in unit tests. + */ +public class MemoryHelper { + private MemoryHelper() {} + + /** Allocates memory, not expecting any error */ + public static long allocateMemory(long bytesCount) { + // Temporarily set ErrorAction#THROW to detect unexpected bad memory access + return TestSupport.withThrowErrorAction(() -> { + return assertNoBadMemoryAccessGet(() -> unsafe.allocateMemory(bytesCount)); + }); + } + + /** Frees memory, not expecting any error */ + public static void freeMemory(long address) { + // Temporarily set ErrorAction#THROW to detect unexpected bad memory access + TestSupport.withThrowErrorAction(() -> { + assertNoBadMemoryAccess(() -> unsafe.freeMemory(address)); + return null; + }); + } +} diff --git a/src/test/java/marcono1234/unsafe_sanitizer/ScopedNativeMemorySanitizerTest.java b/src/test/java/marcono1234/unsafe_sanitizer/ScopedNativeMemorySanitizerTest.java new file mode 100644 index 0000000..7d44c8a --- /dev/null +++ b/src/test/java/marcono1234/unsafe_sanitizer/ScopedNativeMemorySanitizerTest.java 
@@ -0,0 +1,462 @@ +package marcono1234.unsafe_sanitizer; + +import marcono1234.unsafe_sanitizer.agent_impl.BadMemoryAccessError; +import marcono1234.unsafe_sanitizer.agent_impl.UnsafeSanitizerImpl; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import sun.misc.Unsafe; + +import java.util.concurrent.CountDownLatch; +import java.util.concurrent.atomic.AtomicLong; +import java.util.concurrent.atomic.AtomicReference; + +import static marcono1234.unsafe_sanitizer.MemoryHelper.allocateMemory; +import static marcono1234.unsafe_sanitizer.MemoryHelper.freeMemory; +import static marcono1234.unsafe_sanitizer.TestSupport.assertBadMemoryAccess; +import static marcono1234.unsafe_sanitizer.TestSupport.assertNoBadMemoryAccess; +import static marcono1234.unsafe_sanitizer.UnsafeAccess.unsafe; +import static marcono1234.unsafe_sanitizer.UnsafeSanitizer.withScopedNativeMemoryTracking; +import static org.junit.jupiter.api.Assertions.*; + +@SuppressWarnings({"Convert2MethodRef", "CodeBlock2Expr"}) +class ScopedNativeMemorySanitizerTest { + @BeforeAll + static void installAgent() { + UnsafeSanitizer.installAgent(UnsafeSanitizer.AgentSettings.defaultSettings()); + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + // This mainly prevents spurious errors in case any other test failed to free memory + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + @AfterEach + void checkNoError() { + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + fail("Unexpected error", lastError); + } + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + @Test + void success() { + assertNoBadMemoryAccess(() -> { + withScopedNativeMemoryTracking(() -> { + long address = unsafe.allocateMemory(10); + unsafe.putInt(address, 1); + + var e = assertThrows(IllegalStateException.class, () -> UnsafeSanitizer.checkAllNativeMemoryFreed()); + assertEquals("Still contains the following sections: 
[Section[address=" + address + ", bytesCount=10]]", e.getMessage()); + + unsafe.freeMemory(address); + UnsafeSanitizer.checkAllNativeMemoryFreed(); + }); + }); + } + + /** + * For arrays should not matter where array was created. + */ + @Test + void success_Array() { + AtomicReference array = new AtomicReference<>(); + withScopedNativeMemoryTracking(() -> array.set(new byte[10])); + + withScopedNativeMemoryTracking(() -> { + assertNoBadMemoryAccess(() -> unsafe.putByte(array.get(), Unsafe.ARRAY_BYTE_BASE_OFFSET, (byte) 1)); + }); + } + + @Test + void error_BadAccess() { + withScopedNativeMemoryTracking(() -> { + long address = allocateMemory(10); + assertBadMemoryAccess(() -> unsafe.putInt(address - 4, 1)); + // Clean up + freeMemory(address); + }); + + withScopedNativeMemoryTracking(() -> { + long address = allocateMemory(10); + freeMemory(address); + + // Double free + assertBadMemoryAccess(() -> unsafe.freeMemory(address)); + }); + } + + @Test + void error_BadAccessDiscardedError() { + var e = assertThrows(IllegalStateException.class, () -> withScopedNativeMemoryTracking(() -> { + // Does not propagate the BadMemoryAccessError + assertThrows(BadMemoryAccessError.class, () -> unsafe.allocateMemory(-1)); + })); + assertEquals("Unhandled bad memory access error", e.getMessage()); + } + + @Test + void error_NestedScope() { + var e = assertThrows(IllegalStateException.class, () -> { + withScopedNativeMemoryTracking(() -> withScopedNativeMemoryTracking(() -> fail("should not be called"))); + }); + assertEquals("Scope is already active; cannot nest scopes", e.getMessage()); + } + + @Test + void error_AccessScopedInGlobal() { + AtomicLong address = new AtomicLong(); + withScopedNativeMemoryTracking(() -> { + address.set(allocateMemory(10)); + }); + + assertBadMemoryAccess(() -> unsafe.putInt(address.get(), 1)); + + // Clean up + freeMemory(address.get()); + } + + // TODO: Should support this case? 
+ @Test + void error_AccessGlobalInScope() { + long address = allocateMemory(10); + + withScopedNativeMemoryTracking(() -> { + assertBadMemoryAccess(() -> unsafe.putInt(address, 1)); + }); + + // Clean up + freeMemory(address); + } + + @Test + void error_AccessScopedInOtherScope() { + AtomicLong address = new AtomicLong(); + withScopedNativeMemoryTracking(() -> { + address.set(allocateMemory(10)); + }); + + withScopedNativeMemoryTracking(() -> { + assertBadMemoryAccess(() -> unsafe.putInt(address.get(), 1)); + }); + + // Clean up + freeMemory(address.get()); + } + + /** + * Verifies that memory allocated in local scope can be freed in global scope, handling + * the case where a separate cleaner thread frees memory after garbage collection. + */ + @Test + void freeScopedInGlobal() { + AtomicLong address = new AtomicLong(); + withScopedNativeMemoryTracking(() -> { + address.set(allocateMemory(10)); + }); + + assertNoBadMemoryAccess(() -> unsafe.freeMemory(address.get())); + + // Double free + assertBadMemoryAccess(() -> unsafe.freeMemory(address.get())); + } + + /** + * Verifies that memory allocated in global scope cannot be freed in local scope, + * since memory cannot be accessed in local scope either and it is unlikely that + * cleaner action for global memory runs in local scope. + */ + @Test + void freeGlobalInScope() { + long address = allocateMemory(10); + + withScopedNativeMemoryTracking(() -> { + assertBadMemoryAccess(() -> unsafe.freeMemory(address)); + }); + + assertNoBadMemoryAccess(() -> unsafe.freeMemory(address)); + } + + /** + * Verifies that memory allocated in one scope cannot be freed in another scope, + * since memory cannot be accessed in that other scope either and it is unlikely that + * cleaner action for memory from one scope runs in other scope. 
+ */ + @Test + void freeScopedInOtherScope() { + AtomicLong address = new AtomicLong(); + withScopedNativeMemoryTracking(() -> { + address.set(allocateMemory(10)); + }); + + withScopedNativeMemoryTracking(() -> { + assertBadMemoryAccess(() -> unsafe.freeMemory(address.get())); + }); + + assertNoBadMemoryAccess(() -> unsafe.freeMemory(address.get())); + } + + @Test + void uninitializedTracking() { + UnsafeSanitizerImpl.withUninitializedMemoryTracking(true, () -> { + { + long address = allocateMemory(10); + // Reads uninitialized memory + assertBadMemoryAccess(() -> unsafe.getByte(address)); + + // Clean up + freeMemory(address); + } + + // Inherited from global + withScopedNativeMemoryTracking(() -> { + long address = allocateMemory(10); + + // Reads uninitialized memory + assertBadMemoryAccess(() -> unsafe.getByte(address)); + + // Clean up + freeMemory(address); + }); + + // Overwrite global; enable uninitialized tracking + withScopedNativeMemoryTracking(true, () -> { + long address = allocateMemory(10); + + // Reads uninitialized memory + assertBadMemoryAccess(() -> unsafe.getByte(address)); + + // Clean up + freeMemory(address); + }); + + // Overwrite global; disable uninitialized tracking + withScopedNativeMemoryTracking(false, () -> { + long address = allocateMemory(10); + + // Reads uninitialized memory, but tracking is disabled + assertNoBadMemoryAccess(() -> unsafe.getByte(address)); + + // Clean up + freeMemory(address); + }); + + // Global sanitizer should have been unaffected by disabled uninitialized memory tracking in scope above + { + long address = allocateMemory(10); + // Reads uninitialized memory + assertBadMemoryAccess(() -> unsafe.getByte(address)); + + // Clean up + freeMemory(address); + } + }); + } + + @Test + void uninitializedTracking_GlobalDisabled() { + UnsafeSanitizerImpl.withUninitializedMemoryTracking(false, () -> { + { + long address = allocateMemory(10); + // Reads uninitialized memory, but tracking is disabled + 
assertNoBadMemoryAccess(() -> unsafe.getByte(address)); + + // Clean up + freeMemory(address); + } + + // Overwrite global; disable uninitialized tracking + withScopedNativeMemoryTracking(false, () -> { + long address = allocateMemory(10); + + // Reads uninitialized memory, but tracking is disabled + assertNoBadMemoryAccess(() -> unsafe.getByte(address)); + + // Clean up + freeMemory(address); + }); + + // Overwrite global; enable uninitialized tracking + withScopedNativeMemoryTracking(true, () -> { + long address = allocateMemory(10); + + // Reads uninitialized memory + assertBadMemoryAccess(() -> unsafe.getByte(address)); + + // Clean up + freeMemory(address); + }); + + // Global sanitizer should have been unaffected by enabled uninitialized memory tracking in scope above + { + long address = allocateMemory(10); + // Reads uninitialized memory, but tracking is disabled + assertNoBadMemoryAccess(() -> unsafe.getByte(address)); + + // Clean up + freeMemory(address); + } + }); + } + + @Test + void lastErrorScoped_GlobalError() throws Exception { + byte[] array = new byte[0]; + assertThrows(BadMemoryAccessError.class, () -> unsafe.getByte(array, -1)); + var lastErrorGlobal = UnsafeSanitizer.getLastError(); + assertNotNull(lastErrorGlobal); + assertEquals("Invalid offset: -1", lastErrorGlobal.getMessage()); + + // Contains `Boolean.TRUE` on success + AtomicReference threadResult = new AtomicReference<>(null); + CountDownLatch threadCausedError = new CountDownLatch(1); + CountDownLatch mainCheckedError = new CountDownLatch(1); + Thread thread = new Thread(() -> { + try { + assertSame(lastErrorGlobal, UnsafeSanitizer.getLastError()); + + withScopedNativeMemoryTracking(() -> { + assertNull(UnsafeSanitizer.getLastError()); + + assertThrows(BadMemoryAccessError.class, () -> unsafe.getByte(array, -1)); + var lastErrorScoped = UnsafeSanitizer.getLastError(); + assertNotNull(lastErrorScoped); + assertNotSame(lastErrorGlobal, lastErrorScoped); + assertEquals("Invalid offset: 
-1", lastErrorScoped.getMessage()); + + threadCausedError.countDown(); + mainCheckedError.await(); + + // Allow to exit `withScopedNativeMemoryTracking` despite non-propagated last error + UnsafeSanitizer.setErrorAction(ErrorAction.NONE); + }); + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + + // Sees original global error again + assertSame(lastErrorGlobal, UnsafeSanitizer.getLastError()); + threadResult.set(Boolean.TRUE); + } catch (Throwable t) { + threadResult.set(t); + // Prevent deadlock for main thread in case of exception + threadCausedError.countDown(); + } + }); + thread.setDaemon(true); + thread.start(); + + threadCausedError.await(); + // Should still see original global error + assertSame(lastErrorGlobal, UnsafeSanitizer.getLastError()); + mainCheckedError.countDown(); + + thread.join(); + UnsafeSanitizer.clearLastError(); + + if (threadResult.get() instanceof Throwable t) { + fail("Error in thread", t); + } + assertEquals(Boolean.TRUE, threadResult.get()); + } + + @Test + void lastErrorScoped_NoGlobalError() throws Exception { + byte[] array = new byte[0]; + assertNull(UnsafeSanitizer.getLastError()); + + // Contains `Boolean.TRUE` on success + AtomicReference threadResult = new AtomicReference<>(null); + CountDownLatch threadCausedError = new CountDownLatch(1); + CountDownLatch mainCheckedError = new CountDownLatch(1); + Thread thread = new Thread(() -> { + try { + assertNull(UnsafeSanitizer.getLastError()); + + withScopedNativeMemoryTracking(() -> { + assertThrows(BadMemoryAccessError.class, () -> unsafe.getByte(array, -1)); + var lastError = UnsafeSanitizer.getLastError(); + assertNotNull(lastError); + assertEquals("Invalid offset: -1", lastError.getMessage()); + + threadCausedError.countDown(); + mainCheckedError.await(); + // Should still see the same scoped error + assertSame(lastError, UnsafeSanitizer.getLastError()); + + // Allow to exit `withScopedNativeMemoryTracking` despite non-propagated last error + 
UnsafeSanitizer.setErrorAction(ErrorAction.NONE); + }); + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + + assertNull(UnsafeSanitizer.getLastError()); + threadResult.set(Boolean.TRUE); + } catch (Throwable t) { + threadResult.set(t); + // Prevent deadlock for main thread in case of exception + threadCausedError.countDown(); + } + }); + thread.setDaemon(true); + thread.start(); + + threadCausedError.await(); + // Error from scope should not be visible + assertNull(UnsafeSanitizer.getLastError()); + // Clearing error should not affect scope + UnsafeSanitizer.clearLastError(); + mainCheckedError.countDown(); + + thread.join(); + if (threadResult.get() instanceof Throwable t) { + fail("Error in thread", t); + } + assertEquals(Boolean.TRUE, threadResult.get()); + } + + @Test + void registerAllocatedMemory() { + long address = allocateMemory(10); + + withScopedNativeMemoryTracking(true, () -> { + assertBadMemoryAccess(() -> unsafe.getByte(address)); + + UnsafeSanitizer.registerAllocatedMemory(address, 10); + // This actually reads uninitialized memory, but `registerAllocatedMemory` assumes that region is + // fully initialized + assertNoBadMemoryAccess(() -> unsafe.getByte(address)); + + // Reads outside of region + assertBadMemoryAccess(() -> unsafe.getLong(address + 8)); + + UnsafeSanitizer.deregisterAllocatedMemory(address); + assertBadMemoryAccess(() -> unsafe.getByte(address)); + + // Double free + assertBadMemoryAccess(() -> UnsafeSanitizer.deregisterAllocatedMemory(address)); + }); + + // Clean up + freeMemory(address); + } + + @Test + void checkAllNativeMemoryFreed() { + long address = allocateMemory(10); + + withScopedNativeMemoryTracking(false, () -> { + // Should not see allocation outside of scope + UnsafeSanitizer.checkAllNativeMemoryFreed(); + + long scopedAddress = allocateMemory(10); + var e = assertThrows(IllegalStateException.class, () -> UnsafeSanitizer.checkAllNativeMemoryFreed()); + assertEquals( + "Still contains the following sections: 
[Section[address=" + scopedAddress + ", bytesCount=10]]", + e.getMessage() + ); + + freeMemory(scopedAddress); + UnsafeSanitizer.checkAllNativeMemoryFreed(); + }); + + // Clean up + freeMemory(address); + } +} diff --git a/src/test/java/marcono1234/unsafe_sanitizer/TestSupportTest.java b/src/test/java/marcono1234/unsafe_sanitizer/TestSupportTest.java new file mode 100644 index 0000000..cb9af86 --- /dev/null +++ b/src/test/java/marcono1234/unsafe_sanitizer/TestSupportTest.java 
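Review bot: In `lastErrorScoped_GlobalError` and `lastErrorScoped_NoGlobalError` the worker thread switches to `ErrorAction.NONE` inside the scope and restores `ErrorAction.THROW` only on the success path, so an exception raised while leaving `withScopedNativeMemoryTracking` goes to the `catch` block and skips the restore. If the error action is process-wide (the `@BeforeAll` setup suggests so, but the setter is not shown here), later tests in the same JVM would make their deliberately invalid `Unsafe` calls without the sanitizer throwing first. Restoring it in a `finally` inside the thread body, or adding the hook `TestSupportTest` already has, `@AfterEach void resetErrorAction() { UnsafeSanitizer.setErrorAction(ErrorAction.THROW); }`, keeps one failing test from weakening the checks of the next.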
@@ -0,0 +1,179 @@ +package marcono1234.unsafe_sanitizer; + +import marcono1234.unsafe_sanitizer.UnsafeSanitizer.AgentSettings; +import marcono1234.unsafe_sanitizer.agent_impl.BadMemoryAccessError; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; + +import static marcono1234.unsafe_sanitizer.TestSupport.*; +import static marcono1234.unsafe_sanitizer.UnsafeAccess.unsafe; +import static org.junit.jupiter.api.Assertions.*; +import static sun.misc.Unsafe.ARRAY_BYTE_BASE_OFFSET; + +// Suppress redundant IntelliJ warnings +@SuppressWarnings({"Convert2MethodRef", "CodeBlock2Expr"}) +class TestSupportTest { + @BeforeAll + static void installAgent() { + UnsafeSanitizer.installAgent(AgentSettings.defaultSettings()); + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + // This mainly prevents spurious errors in case any other test failed to free memory + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + @AfterEach + void checkNoError() { + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected error", lastError); + } + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + @AfterEach + void resetErrorAction() { + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + } + + private static void performBadAccess() { + unsafe.getByte(new byte[0], ARRAY_BYTE_BASE_OFFSET); + } + + private static void performGoodAccess() { + unsafe.getByte(new byte[1], ARRAY_BYTE_BASE_OFFSET); + } + + @Test + void badAccess() { + var e = assertBadMemoryAccess(() -> performBadAccess()); + assertEquals(BadMemoryAccessError.class, e.getClass()); + assertEquals( + "Bad array access at offset " + ARRAY_BYTE_BASE_OFFSET + ", size 1; max offset is " + ARRAY_BYTE_BASE_OFFSET, + e.getMessage() + ); + // Last error should have been cleared + assertNull(UnsafeSanitizer.getLastError()); + } + + @Test + void badAccess_NoError() { + var e = 
assertThrows(AssertionError.class, () -> { + assertBadMemoryAccess(() -> performGoodAccess()); + }); + assertEquals("No exception was thrown", e.getMessage()); + assertNull(UnsafeSanitizer.getLastError()); + } + + @Test + void badAccess_OtherError() { + var otherError = new RuntimeException("custom"); + var e = assertThrows(AssertionError.class, () -> { + assertBadMemoryAccess(() -> { + throw otherError; + }); + }); + assertEquals("Unexpected exception", e.getMessage()); + assertSame(otherError, e.getCause()); + assertNull(UnsafeSanitizer.getLastError()); + } + + @Test + void badAccess_OtherDiscardedError() { + var otherError = new RuntimeException("custom"); + var e = assertThrows(AssertionError.class, () -> { + assertBadMemoryAccess(() -> { + try { + performBadAccess(); + } catch (Throwable t) { + throw otherError; + } + }); + }); + assertEquals("Unexpected exception, but expected bad memory access error occurred as well", e.getMessage()); + assertSame(otherError, e.getCause()); + assertEquals(BadMemoryAccessError.class, e.getSuppressed()[0].getClass()); + // Last error should have been cleared + assertNull(UnsafeSanitizer.getLastError()); + } + + @Test + void badAccess_WrongErrorAction() { + UnsafeSanitizer.setErrorAction(ErrorAction.PRINT); + var e = assertThrows(IllegalStateException.class, () -> { + assertBadMemoryAccess(() -> {}); + }); + assertEquals("Error action must be THROW", e.getMessage()); + assertNull(UnsafeSanitizer.getLastError()); + } + + + @Test + void noBadAccess() { + assertNoBadMemoryAccess(() -> performGoodAccess()); + assertNull(UnsafeSanitizer.getLastError()); + } + + @Test + void noBadAccessGet() { + String result = "test"; + String actualResult = assertNoBadMemoryAccessGet(() -> { + unsafe.getByte(new byte[1], ARRAY_BYTE_BASE_OFFSET); + return result; + }); + assertEquals(result, actualResult); + assertNull(UnsafeSanitizer.getLastError()); + } + + @Test + void noBadAccess_Error() { + var e = assertThrows(AssertionError.class, () -> { + 
assertNoBadMemoryAccess(() -> performBadAccess()); + }); + assertEquals("Unexpected exception", e.getMessage()); + // Last error should have been cleared + assertNull(UnsafeSanitizer.getLastError()); + } + + @Test + void noBadAccess_OtherError() { + var otherError = new RuntimeException("custom"); + var e = assertThrows(AssertionError.class, () -> { + assertNoBadMemoryAccess(() -> { + throw otherError; + }); + }); + assertEquals("Unexpected exception", e.getMessage()); + assertSame(otherError, e.getCause()); + assertNull(UnsafeSanitizer.getLastError()); + } + + @Test + void noBadAccess_OtherDiscardedError() { + var otherError = new RuntimeException("custom"); + var e = assertThrows(AssertionError.class, () -> { + assertNoBadMemoryAccess(() -> { + try { + performBadAccess(); + } catch (Throwable t) { + throw otherError; + } + }); + }); + assertEquals("Unexpected exception, and unexpected bad memory access error occurred as well", e.getMessage()); + assertSame(otherError, e.getCause()); + assertEquals(BadMemoryAccessError.class, e.getSuppressed()[0].getClass()); + // Last error should have been cleared + assertNull(UnsafeSanitizer.getLastError()); + } + + @Test + void noBadAccess_WrongErrorAction() { + UnsafeSanitizer.setErrorAction(ErrorAction.PRINT); + var e = assertThrows(IllegalStateException.class, () -> { + assertNoBadMemoryAccess(() -> {}); + }); + assertEquals("Error action must be THROW", e.getMessage()); + assertNull(UnsafeSanitizer.getLastError()); + } +} diff --git a/src/test/java/marcono1234/unsafe_sanitizer/UnsafeAccess.java b/src/test/java/marcono1234/unsafe_sanitizer/UnsafeAccess.java new file mode 100644 index 0000000..301aea0 --- /dev/null +++ b/src/test/java/marcono1234/unsafe_sanitizer/UnsafeAccess.java 
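Review bot: `performBadAccess` has no comment saying that its one-byte read at `ARRAY_BYTE_BASE_OFFSET` of a zero-length array is out of bounds and is only stopped because the sanitizer intercepts it under `ErrorAction.THROW`. The two `*_WrongErrorAction` tests switch to `ErrorAction.PRINT` and pass an empty lambda, presumably for that reason, but nothing in the file says so. I would add `// Out-of-bounds read: only call while the error action is THROW, otherwise the read reaches Unsafe` above the helper so that a later test does not combine it with `PRINT`.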
@@ -0,0 +1,22 @@ +package marcono1234.unsafe_sanitizer; + +import sun.misc.Unsafe; + +/** + * Exposes an instance of {@link Unsafe} through {@link #unsafe}. + */ +class UnsafeAccess { + private UnsafeAccess() { + } + + public static final Unsafe unsafe; + static { + try { + var field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new IllegalStateException("Failed getting Unsafe", e); + } + } +} diff --git a/src/test/java/marcono1234/unsafe_sanitizer/UnsafePrintSkipTest.java b/src/test/java/marcono1234/unsafe_sanitizer/UnsafePrintSkipTest.java new file mode 100644 index 0000000..cca7277 --- /dev/null +++ b/src/test/java/marcono1234/unsafe_sanitizer/UnsafePrintSkipTest.java @@ -0,0 +1,185 @@ +package marcono1234.unsafe_sanitizer; + +import marcono1234.unsafe_sanitizer.TestSupport.ThrowingRunnable; +import marcono1234.unsafe_sanitizer.UnsafeSanitizer.AgentSettings; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; + +import java.io.ByteArrayOutputStream; +import java.io.PrintStream; +import java.nio.charset.StandardCharsets; +import java.util.Objects; + +import static marcono1234.unsafe_sanitizer.MemoryHelper.allocateMemory; +import static marcono1234.unsafe_sanitizer.MemoryHelper.freeMemory; +import static marcono1234.unsafe_sanitizer.UnsafeAccess.unsafe; +import static marcono1234.unsafe_sanitizer.UnsafeInterceptors.INVALID_ADDRESS; +import static org.junit.jupiter.api.Assertions.*; + +/** + * Tests using {@link sun.misc.Unsafe} with {@link ErrorAction#PRINT_SKIP}. + * + *

This only covers basic error scenarios; see {@link UnsafeThrowErrorTest} for more extensive tests. + * The main point of this test is to verify that skipping works as expected. + */ +class UnsafePrintSkipTest { + @BeforeAll + static void installAgent() { + UnsafeSanitizer.installAgent(AgentSettings.defaultSettings()); + UnsafeSanitizer.setErrorAction(ErrorAction.PRINT_SKIP); + // This mainly prevents spurious errors in case any other test failed to free memory + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + @AfterAll + static void resetErrorAction() { + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + } + + @AfterEach + void checkNoError() { + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected error", lastError); + } + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + private static void assertBadMemoryAccess(ThrowingRunnable runnable) { + Objects.requireNonNull(runnable); + + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected previous error", lastError); + } + + ByteArrayOutputStream capturedErr = new ByteArrayOutputStream(); + PrintStream tempSystemErr = new PrintStream(capturedErr, true, StandardCharsets.UTF_8); + PrintStream oldSystemErr = System.err; + + try { + System.setErr(tempSystemErr); + runnable.run(); + } catch (Throwable t) { + // The tests here don't run with `ErrorAction.THROW`, so any thrown exception is unexpected + lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError == null || lastError == t) { + throw new AssertionError("Unexpected exception", t); + } else { + var e = new AssertionError("Unexpected exception, but expected error occurred as well", t); + e.addSuppressed(lastError); + throw e; + } + } finally { + System.setErr(oldSystemErr); + } + + tempSystemErr.flush(); + String systemErrOutput = capturedErr.toString(StandardCharsets.UTF_8); + lastError = 
UnsafeSanitizer.getAndClearLastError(); + if (lastError == null) { + throw new AssertionError("No error was set as 'last error'"); + } + + if (!systemErrOutput.contains(lastError.toString())) { + var e = new AssertionError("No error output, but expected error occurred; System.err:\n" + systemErrOutput.replaceAll("\\R", "\n ")); + e.addSuppressed(lastError); + throw e; + } + } + + @Test + void allocate_bad() { + assertBadMemoryAccess(() -> { + long a = unsafe.allocateMemory(-1); + assertEquals(INVALID_ADDRESS, a); + }); + } + + @Test + void free_bad() { + assertBadMemoryAccess(() -> unsafe.freeMemory(-1)); + assertBadMemoryAccess(() -> { + // Assumes that no allocation has been performed at this address + unsafe.freeMemory(1); + }); + } + + @Test + void reallocate_bad() { + assertBadMemoryAccess(() -> { + long a = unsafe.reallocateMemory(-1, 10); + assertEquals(INVALID_ADDRESS, a); + }); + assertBadMemoryAccess(() -> { + // Assumes that no allocation has been performed at this address + long a = unsafe.reallocateMemory(1, 10); + assertEquals(INVALID_ADDRESS, a); + }); + + { + long a = allocateMemory(10); + assertBadMemoryAccess(() -> { + long b = unsafe.reallocateMemory(a, -10); + assertEquals(INVALID_ADDRESS, b); + }); + // Clean up + freeMemory(a); + } + } + + @Test + void get_bad() { + assertBadMemoryAccess(() -> { + boolean b = unsafe.getBoolean(null, -1); + //noinspection SimplifiableAssertion + assertEquals(false, b); + }); + assertBadMemoryAccess(() -> { + byte b = unsafe.getByte(-1); + assertEquals(0, b); + }); + assertBadMemoryAccess(() -> { + long a = unsafe.getAddress(-1); + assertEquals(INVALID_ADDRESS, a); + }); + assertBadMemoryAccess(() -> { + Object o = unsafe.getObject(null, -1); + assertNull(o); + }); + + assertBadMemoryAccess(() -> { + char c = unsafe.getCharVolatile(null, -1); + assertEquals('\0', c); + }); + + assertBadMemoryAccess(() -> { + int i = unsafe.getAndAddInt(null, -1, 1); + assertEquals(0, i); + }); + assertBadMemoryAccess(() -> { + 
long l = unsafe.getAndSetLong(null, -1, 1); + assertEquals(0, l); + }); + } + + @Test + void compareAndSwap_bad() { + assertBadMemoryAccess(() -> { + boolean result = unsafe.compareAndSwapInt(null, -1, 0, 1); + assertFalse(result); + }); + assertBadMemoryAccess(() -> { + boolean result = unsafe.compareAndSwapLong(null, -1, 0, 1); + assertFalse(result); + }); + assertBadMemoryAccess(() -> { + boolean result = unsafe.compareAndSwapObject(null, -1, null, "a"); + assertFalse(result); + }); + } + + // TODO Cover other methods as well +} diff --git a/src/test/java/marcono1234/unsafe_sanitizer/UnsafePrintTest.java b/src/test/java/marcono1234/unsafe_sanitizer/UnsafePrintTest.java new file mode 100644 index 0000000..b213899 --- /dev/null +++ b/src/test/java/marcono1234/unsafe_sanitizer/UnsafePrintTest.java @@ -0,0 +1,97 @@ +package marcono1234.unsafe_sanitizer; + +import marcono1234.unsafe_sanitizer.TestSupport.ThrowingRunnable; +import marcono1234.unsafe_sanitizer.UnsafeSanitizer.AgentSettings; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; + +import java.io.ByteArrayOutputStream; +import java.io.PrintStream; +import java.nio.charset.StandardCharsets; +import java.util.Objects; + +import static marcono1234.unsafe_sanitizer.UnsafeAccess.unsafe; + +/** + * Tests using {@link sun.misc.Unsafe} with {@link ErrorAction#PRINT}. + * + *
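Review bot: The private `assertBadMemoryAccess` helper in this class is repeated almost line for line in `UnsafePrintTest`, and the two copies already differ in how the `catch` branch treats a thrown exception, which is easy to miss when only one of them is edited. Both also replace the process-wide `System.err` for the duration of the call; it is restored in `finally`, but if these classes ever run concurrently with other tests the captured text can pick up or lose unrelated output (the build's test execution mode is not visible here). I would move the capture-and-compare part into one `TestSupport` method that both classes call, and state in its Javadoc that it assumes sequential test execution.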

This only covers very few scenarios to verify that printing the error works in general. + * Since {@link ErrorAction#PRINT} is neither throwing an error not skipping execution, other + * error cases could otherwise crash the JVM. + * + *

See {@link UnsafeThrowErrorTest} for more extensive tests. + */ +class UnsafePrintTest { + @BeforeAll + static void installAgent() { + UnsafeSanitizer.installAgent(AgentSettings.defaultSettings()); + UnsafeSanitizer.setErrorAction(ErrorAction.PRINT); + // This mainly prevents spurious errors in case any other test failed to free memory + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + @AfterAll + static void resetErrorAction() { + UnsafeSanitizer.setErrorAction(ErrorAction.THROW); + } + + @AfterEach + void checkNoError() { + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected error", lastError); + } + TestSupport.checkAllNativeMemoryFreedAndForget(); + } + + private static void assertBadMemoryAccess(ThrowingRunnable runnable) { + Objects.requireNonNull(runnable); + + var lastError = UnsafeSanitizer.getAndClearLastError(); + if (lastError != null) { + throw new AssertionError("Unexpected previous error", lastError); + } + + ByteArrayOutputStream capturedErr = new ByteArrayOutputStream(); + PrintStream tempSystemErr = new PrintStream(capturedErr, true, StandardCharsets.UTF_8); + PrintStream oldSystemErr = System.err; + + try { + System.setErr(tempSystemErr); + runnable.run(); + } catch (Throwable t) { + lastError = UnsafeSanitizer.getAndClearLastError(); + //noinspection ConditionCoveredByFurtherCondition + if (lastError == null || lastError == t || !(t instanceof RuntimeException)) { + throw new AssertionError("Unexpected exception", t); + } + // Else assume that `Unsafe` API threw RuntimeException + } finally { + System.setErr(oldSystemErr); + } + + tempSystemErr.flush(); + String systemErrOutput = capturedErr.toString(StandardCharsets.UTF_8); + // Only fetch last error again if not done in `catch` above + if (lastError == null) { + lastError = UnsafeSanitizer.getAndClearLastError(); + } + + if (lastError == null) { + throw new AssertionError("No error was set as 'last error'"); + } + + 
if (!systemErrOutput.contains(lastError.toString())) { + var e = new AssertionError("No error output, but expected error occurred; System.err:\n" + systemErrOutput.replaceAll("\\R", "\n ")); + e.addSuppressed(lastError); + throw e; + } + } + + @Test + void allocate_bad() { + assertBadMemoryAccess(() -> unsafe.allocateMemory(-1)); + } +} diff --git a/src/test/java/marcono1234/unsafe_sanitizer/UnsafeThrowErrorTest.java b/src/test/java/marcono1234/unsafe_sanitizer/UnsafeThrowErrorTest.java new file mode 100644 index 0000000..074420a --- /dev/null +++ b/src/test/java/marcono1234/unsafe_sanitizer/UnsafeThrowErrorTest.java 
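Review bot: The `catch` in `assertBadMemoryAccess` accepts any `RuntimeException` once a last error has been recorded and then discards `t`. A later failure such as `No error output, but expected error occurred` is then reported without the exception that was actually thrown. Keeping it in a local, say `thrown = t;` in the `catch`, and calling `if (thrown != null) e.addSuppressed(thrown);` before `throw e` preserves that evidence. The comment `Else assume that Unsafe API threw RuntimeException` could also name the exception type expected from `allocateMemory(-1)`, so that an unrelated runtime failure in a test lambda is not taken for it.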
@@ -0,0 +1,788 @@
+package marcono1234.unsafe_sanitizer;
+
+import marcono1234.unsafe_sanitizer.UnsafeSanitizer.AgentSettings;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import java.lang.reflect.Field;
+import java.math.BigDecimal;
+import java.math.BigInteger;
+
+import static marcono1234.unsafe_sanitizer.MemoryHelper.allocateMemory;
+import static marcono1234.unsafe_sanitizer.MemoryHelper.freeMemory;
+import static marcono1234.unsafe_sanitizer.TestSupport.*;
+import static marcono1234.unsafe_sanitizer.UnsafeAccess.unsafe;
+import static org.junit.jupiter.api.Assertions.*;
+import static sun.misc.Unsafe.*;
+
+// TODO: Check error message of `assertBadMemoryAccess`?
+
+/**
+ * Tests using {@link sun.misc.Unsafe} with {@link ErrorAction#THROW}.
+ */
+class UnsafeThrowErrorTest {
+ @BeforeAll
+ static void installAgent() {
+ UnsafeSanitizer.installAgent(AgentSettings.defaultSettings());
+ UnsafeSanitizer.setErrorAction(ErrorAction.THROW);
+ // This mainly prevents spurious errors in case any other test failed to free memory
+ TestSupport.checkAllNativeMemoryFreedAndForget();
+ }
+
+ @AfterEach
+ void checkNoError() {
+ var lastError = UnsafeSanitizer.getAndClearLastError();
+ if (lastError != null) {
+ fail("Unexpected error", lastError);
+ }
+ TestSupport.checkAllNativeMemoryFreedAndForget();
+ }
+
+ /** Reallocates memory, not expecting any error */
+ private static long reallocateMemory(long address, long bytesCount) {
+ return assertNoBadMemoryAccessGet(() -> unsafe.reallocateMemory(address, bytesCount));
+ }
+
+ @Test
+ void allocate() {
+ assertNoBadMemoryAccess(() -> {
+ // Size of 0 has no effect
+ long a = unsafe.allocateMemory(0);
+ assertEquals(0, a);
+ });
+
+ assertNoBadMemoryAccess(() -> {
+ long a = unsafe.allocateMemory(10);
+ unsafe.freeMemory(a);
+ });
+
+ assertNoBadMemoryAccess(() -> {
+ long a = unsafe.allocateMemory(10);
+ long b = unsafe.allocateMemory(20);
+ long c =
unsafe.allocateMemory(30); + unsafe.freeMemory(b); + unsafe.freeMemory(c); + unsafe.freeMemory(a); + }); + } + + @Test + void allocate_bad() { + assertBadMemoryAccess(() -> unsafe.allocateMemory(-1)); + } + + @Test + void free() { + assertNoBadMemoryAccess(() -> { + // Free at 0 has no effect + unsafe.freeMemory(0); + }); + } + + @Test + void free_bad() { + assertBadMemoryAccess(() -> unsafe.freeMemory(-1)); + assertBadMemoryAccess(() -> { + // Assumes that no allocation has been performed at this address + unsafe.freeMemory(1); + }); + + { + long a = allocateMemory(10); + freeMemory(a); + assertBadMemoryAccess(() -> { + // Double free + unsafe.freeMemory(a); + }); + } + } + + @Test + void reallocate() { + assertNoBadMemoryAccess(() -> { + // Enlarge + long a = unsafe.reallocateMemory(allocateMemory(10), 20); + // Can access enlarged memory section now + unsafe.putLong(a + 12, 1); + freeMemory(a); + }); + + assertNoBadMemoryAccess(() -> { + // Shrink + long a = unsafe.reallocateMemory(allocateMemory(10), 4); + unsafe.putInt(a, 1); + // Cannot access past new size (even though it would have been within original size) + assertBadMemoryAccess(() -> unsafe.putLong(a, 1)); + freeMemory(a); + }); + + assertNoBadMemoryAccess(() -> { + // Same size + long a = unsafe.reallocateMemory(allocateMemory(10), 10); + // Can still access memory + unsafe.putLong(a + 2, 1); + freeMemory(a); + }); + + assertNoBadMemoryAccess(() -> { + // Address 0 acts like `allocateMemory` instead + long a = unsafe.reallocateMemory(0, 20); + freeMemory(a); + }); + + assertNoBadMemoryAccess(() -> { + long a = unsafe.allocateMemory(10); + // Size of 0 only frees memory + long b = unsafe.reallocateMemory(a, 0); + assertEquals(0, b); + }); + } + + @Test + void reallocate_bad() { + assertBadMemoryAccess(() -> unsafe.reallocateMemory(-1, 10)); + assertBadMemoryAccess(() -> { + // Assumes that no allocation has been performed at this address + unsafe.reallocateMemory(1, 10); + }); + + { + long a = 
allocateMemory(10); + assertBadMemoryAccess(() -> unsafe.reallocateMemory(a, -10)); + // Clean up + freeMemory(a); + } + + { + long a = allocateMemory(10); + long oldA = a; + a = reallocateMemory(a, 20); + // Only run if memory was reallocated at different address + if (a != oldA) { + assertBadMemoryAccess(() -> { + // Free moved memory + unsafe.freeMemory(oldA); + }); + } + // Clean up + freeMemory(a); + } + + { + long a = allocateMemory(10); + // Size of 0 only frees memory + long b = reallocateMemory(a, 0); + assertEquals(0, b); + assertBadMemoryAccess(() -> { + // Should fail freeing memory because `reallocateMemory` already freed it + unsafe.freeMemory(a); + }); + } + } + + @Test + void fields() throws Exception { + class Dummy { + int i; + static int s; + + @Override + public String toString() { + return "Dummy"; + } + } + + long offsetI = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("i")); + Field fieldS = Dummy.class.getDeclaredField("s"); + Object baseS = unsafe.staticFieldBase(fieldS); + long offsetS = unsafe.staticFieldOffset(fieldS); + + Dummy dummy = new Dummy(); + assertNoBadMemoryAccess(() -> { + unsafe.putFloat(dummy, offsetI, 1f); + unsafe.putInt(dummy, offsetI, 2); + + unsafe.putInt(baseS, offsetS, 3); + }); + assertEquals(2, dummy.i); + assertEquals(3, Dummy.s); + + assertBadMemoryAccess(() -> { + // Trying to store `long` (8 byte) in `int` (4 byte) field + unsafe.putLong(dummy, offsetI, 1); + }); + assertBadMemoryAccess(() -> { + // Trying to store Integer in `int` field + unsafe.putObject(dummy, offsetI, 1); + }); + assertBadMemoryAccess(() -> unsafe.putInt(dummy, offsetI + 1, 1)); + assertBadMemoryAccess(() -> unsafe.putInt(dummy, offsetI - 1, 1)); + assertBadMemoryAccess(() -> unsafe.putInt(dummy, -1, 1)); + assertBadMemoryAccess(() -> unsafe.putInt(baseS, -1, 1)); + + assertNoBadMemoryAccess(() -> { + dummy.i = 1; + boolean success = unsafe.compareAndSwapInt(dummy, offsetI, 1, 2); + assertTrue(success); + assertEquals(2, dummy.i); + 
}); + var e = assertBadMemoryAccess(() -> unsafe.compareAndSwapLong(dummy, offsetI, 1, 2)); + assertEquals( + "Field 'int " + Dummy.class.getTypeName() +"#i' at offset 12 of class " + Dummy.class.getTypeName() + " has size BYTE_4, not BYTE_8", + e.getMessage() + ); + + class DummySub extends Dummy { + } + DummySub dummySub = new DummySub(); + assertNoBadMemoryAccess(() -> unsafe.putInt(dummySub, offsetI, 1)); + assertEquals(1, dummySub.i); + } + + @Test + void objectField() throws Exception { + class Dummy { + Number n; + + @Override + public String toString() { + return "Dummy"; + } + } + Field field = Dummy.class.getDeclaredField("n"); + long offset = unsafe.objectFieldOffset(field); + Dummy dummy = new Dummy(); + + assertNoBadMemoryAccess(() -> { + unsafe.putObject(dummy, offset, BigInteger.valueOf(1)); + assertEquals(BigInteger.valueOf(1), unsafe.getObject(dummy, offset)); + }); + assertEquals(BigInteger.valueOf(1), dummy.n); + + assertNoBadMemoryAccess(() -> { + Object oldValue = unsafe.getAndSetObject(dummy, offset, BigInteger.valueOf(2)); + assertEquals(BigInteger.valueOf(1), oldValue); + }); + assertEquals(BigInteger.valueOf(2), dummy.n); + + assertNoBadMemoryAccess(() -> { + boolean success = unsafe.compareAndSwapObject(dummy, offset, BigInteger.valueOf(2), BigInteger.valueOf(3)); + assertTrue(success); + assertEquals(BigInteger.valueOf(3), dummy.n); + + // Value is now 3, and not the expected 2 + success = unsafe.compareAndSwapObject(dummy, offset, BigInteger.valueOf(2), BigInteger.valueOf(4)); + assertFalse(success); + // Still has old value + assertEquals(BigInteger.valueOf(3), dummy.n); + }); + + assertNoBadMemoryAccess(() -> { + unsafe.putObject(dummy, offset, null); + assertNull(unsafe.getObject(dummy, offset)); + }); + assertNull(dummy.n); + + var e = assertBadMemoryAccess(() -> unsafe.putObject(dummy, offset, "test")); + String expectedMessage = "Trying to write class java.lang.String to field 'java.lang.Number " + Dummy.class.getTypeName() + 
"#n'"; + assertEquals(expectedMessage, e.getMessage()); + + e = assertBadMemoryAccess(() -> unsafe.getAndSetObject(dummy, offset, "test")); + assertEquals(expectedMessage, e.getMessage()); + + e = assertBadMemoryAccess(() -> unsafe.compareAndSwapObject(dummy, offset, Boolean.TRUE, "test")); + assertEquals(expectedMessage, e.getMessage()); + } + + @Test + void putAddress() { + long a = allocateMemory(ADDRESS_SIZE); + + long sizeB = 1; + long b = allocateMemory(sizeB); + + assertNoBadMemoryAccess(() -> { + unsafe.putAddress(a, a); + unsafe.putAddress(a, b); + }); + assertBadMemoryAccess(() -> unsafe.putAddress(-1, b)); + assertBadMemoryAccess(() -> unsafe.putAddress(0, b)); + assertBadMemoryAccess(() -> { + // Assumes that no allocation has been performed at this address + unsafe.putAddress(1, b); + }); + assertBadMemoryAccess(() -> unsafe.putAddress(a, -1)); + assertBadMemoryAccess(() -> unsafe.putAddress(a, 0)); + assertBadMemoryAccess(() -> { + // Assumes that no allocation has been performed at this address + unsafe.putAddress(a, 1); + }); + assertBadMemoryAccess(() -> { + // Exceeds section + unsafe.putAddress(a + 1, b); + }); + assertBadMemoryAccess(() -> { + // Assumes that no allocation has been performed at this address + unsafe.putAddress(a, b - 1); + }); + assertBadMemoryAccess(() -> { + // `Unsafe#putAddress` documentation sounds like an address which represents an 'exclusive end address', + // that is pointing right behind section, is not allowed + unsafe.putAddress(a, b + sizeB); + }); + assertBadMemoryAccess(() -> { + // Assumes that no allocation has been performed at this address + unsafe.putAddress(a, b + sizeB + 1); + }); + + // Clean up + freeMemory(a); + freeMemory(b); + } + + @Test + void array() { + byte[] b = {1, 2, 3}; + assertNoBadMemoryAccess(() -> { + assertEquals(1, unsafe.getByte(b, ARRAY_BYTE_BASE_OFFSET)); + + long offset = ARRAY_BYTE_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE * 2L; + assertEquals(3, unsafe.getByte(b, offset)); + 
unsafe.putByte(b, offset, (byte) 4); + assertEquals(4, unsafe.getByte(b, offset)); + + // TODO: Is this allowed? + // assertEquals("TODO", unsafe.getInt(b, ARRAY_BYTE_BASE_OFFSET)); + }); + + assertBadMemoryAccess(() -> unsafe.getByte(b, 0)); + assertBadMemoryAccess(() -> { + long offset = ARRAY_BYTE_BASE_OFFSET + (long) ARRAY_BYTE_INDEX_SCALE * b.length; + unsafe.getByte(b, offset); + }); + assertBadMemoryAccess(() -> unsafe.getByte(new byte[0], ARRAY_BYTE_BASE_OFFSET)); + assertBadMemoryAccess(() -> { + // Array contains only 3 bytes, `long` is 8 bytes + unsafe.getLong(b, ARRAY_BYTE_BASE_OFFSET); + }); + assertBadMemoryAccess(() -> unsafe.getObject(b, ARRAY_BYTE_BASE_OFFSET)); + assertBadMemoryAccess(() -> { + // Storing boxed Byte in array should not be allowed + unsafe.putObject(b, ARRAY_BYTE_BASE_OFFSET, (byte) 1); + }); + + assertBadMemoryAccess(() -> { + long[] l = {1, 2, 3}; + // Not aligned to indices + unsafe.getLong(l, ARRAY_LONG_BASE_OFFSET + 1); + }); + } + + @Test + void objectArray() { + Number[] o = {BigInteger.valueOf(1), BigDecimal.valueOf(2)}; + assertNoBadMemoryAccess(() -> { + assertEquals(BigInteger.valueOf(1), unsafe.getObject(o, ARRAY_OBJECT_BASE_OFFSET)); + + long offset = ARRAY_OBJECT_BASE_OFFSET + ARRAY_OBJECT_INDEX_SCALE; + assertEquals(BigDecimal.valueOf(2), unsafe.getObject(o, offset)); + + unsafe.putObject(o, offset, BigDecimal.valueOf(3)); + assertEquals(BigDecimal.valueOf(3), unsafe.getObject(o, offset)); + assertArrayEquals(new Number[] {BigInteger.valueOf(1), BigDecimal.valueOf(3)}, o); + + unsafe.putObject(o, offset, null); + assertNull(unsafe.getObject(o, offset)); + assertArrayEquals(new Number[] {BigInteger.valueOf(1), null}, o); + }); + + var e = assertBadMemoryAccess(() -> unsafe.putInt(o, ARRAY_OBJECT_BASE_OFFSET, 1)); + assertEquals("Bad request for BYTE_4 from java.lang.Number[]", e.getMessage()); + + e = assertBadMemoryAccess(() -> unsafe.putObject(o, ARRAY_OBJECT_BASE_OFFSET, "test")); + assertEquals("Trying to write 
java.lang.String to java.lang.Number array", e.getMessage()); + } + + @Test + void compareAndSwapInt() { + long a = allocateMemory(Integer.BYTES); + assertNoBadMemoryAccess(() -> { + unsafe.putInt(a, 0); + boolean success = unsafe.compareAndSwapInt(null, a, 0, 1); + assertTrue(success); + assertEquals(1, unsafe.getInt(a)); + + success = unsafe.compareAndSwapInt(null, a, 0, 1); + assertFalse(success); + }); + + var e = assertBadMemoryAccess(() -> unsafe.compareAndSwapInt(null, a + 1, 0, 1)); + assertEquals( + "Access outside of section at " + (a + 1) + ", size 4 (previous section: " + a + ", size 4)", + e.getMessage() + ); + + // Clean up + freeMemory(a); + } + + @Test + void compareAndSwapLong() { + long a = allocateMemory(Long.BYTES); + assertNoBadMemoryAccess(() -> { + unsafe.putLong(a, 0); + boolean success = unsafe.compareAndSwapLong(null, a, 0, 1); + assertTrue(success); + assertEquals(1, unsafe.getLong(a)); + + success = unsafe.compareAndSwapLong(null, a, 0, 1); + assertFalse(success); + }); + + var e = assertBadMemoryAccess(() -> unsafe.compareAndSwapLong(null, a + 1, 0, 1)); + assertEquals( + "Access outside of section at " + (a + 1) + ", size 8 (previous section: " + a + ", size 8)", + e.getMessage() + ); + + // Clean up + freeMemory(a); + } + + @Test + void getAndAddInt() { + long a = allocateMemory(Integer.BYTES); + assertNoBadMemoryAccess(() -> { + unsafe.putInt(a, 1); + assertEquals(1, unsafe.getAndAddInt(null, a, 5)); + assertEquals(6, unsafe.getInt(a)); + + assertEquals(6, unsafe.getAndAddInt(null, a, -2)); + assertEquals(4, unsafe.getInt(a)); + + assertEquals(4, unsafe.getAndAddInt(null, a, 0)); + assertEquals(4, unsafe.getInt(a)); + }); + + var e = assertBadMemoryAccess(() -> unsafe.getAndAddInt(null, a + 1, 1)); + assertEquals( + "Access outside of section at " + (a + 1) + ", size 4 (previous section: " + a + ", size 4)", + e.getMessage() + ); + + // Clean up + freeMemory(a); + } + + @Test + void getAndAddLong() { + long a = 
allocateMemory(Long.BYTES); + assertNoBadMemoryAccess(() -> { + unsafe.putLong(a, 1); + assertEquals(1, unsafe.getAndAddLong(null, a, 5)); + assertEquals(6, unsafe.getLong(a)); + + assertEquals(6, unsafe.getAndAddLong(null, a, -2)); + assertEquals(4, unsafe.getLong(a)); + + assertEquals(4, unsafe.getAndAddLong(null, a, 0)); + assertEquals(4, unsafe.getLong(a)); + }); + + var e = assertBadMemoryAccess(() -> unsafe.getAndAddLong(null, a + 1, 1)); + assertEquals( + "Access outside of section at " + (a + 1) + ", size 8 (previous section: " + a + ", size 8)", + e.getMessage() + ); + + // Clean up + freeMemory(a); + } + + @Test + void getAndSetInt() { + long a = allocateMemory(Integer.BYTES); + assertNoBadMemoryAccess(() -> { + unsafe.putInt(a, 1); + assertEquals(1, unsafe.getAndSetInt(null, a, 5)); + assertEquals(5, unsafe.getInt(a)); + + assertEquals(5, unsafe.getAndSetInt(null, a, -2)); + assertEquals(-2, unsafe.getInt(a)); + + assertEquals(-2, unsafe.getAndSetInt(null, a, 0)); + assertEquals(0, unsafe.getInt(a)); + }); + + var e = assertBadMemoryAccess(() -> unsafe.getAndSetInt(null, a + 1, 1)); + assertEquals( + "Access outside of section at " + (a + 1) + ", size 4 (previous section: " + a + ", size 4)", + e.getMessage() + ); + + // Clean up + freeMemory(a); + } + + @Test + void getAndSetLong() { + long a = allocateMemory(Long.BYTES); + assertNoBadMemoryAccess(() -> { + unsafe.putLong(a, 1); + assertEquals(1, unsafe.getAndSetLong(null, a, 5)); + assertEquals(5, unsafe.getLong(a)); + + assertEquals(5, unsafe.getAndSetLong(null, a, -2)); + assertEquals(-2, unsafe.getLong(a)); + + assertEquals(-2, unsafe.getAndSetLong(null, a, 0)); + assertEquals(0, unsafe.getLong(a)); + }); + + var e = assertBadMemoryAccess(() -> unsafe.getAndSetLong(null, a + 1, 1)); + assertEquals( + "Access outside of section at " + (a + 1) + ", size 8 (previous section: " + a + ", size 8)", + e.getMessage() + ); + + // Clean up + freeMemory(a); + } + + @SuppressWarnings("UnnecessaryLocalVariable") 
+ @Test + void copyMemoryArray() { + assertNoBadMemoryAccess(() -> { + byte[] b = {1, 2, 3, 4}; + long from = ARRAY_BYTE_BASE_OFFSET; + long to = ARRAY_BYTE_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE * 2L; + unsafe.copyMemory(b, from, b, to, 2); + assertArrayEquals(new byte[] {1, 2, 1, 2}, b); + }); + assertNoBadMemoryAccess(() -> { + long[] a = {1, 2, 3, 4}; + long from = ARRAY_LONG_BASE_OFFSET; + long to = ARRAY_LONG_BASE_OFFSET + ARRAY_LONG_INDEX_SCALE * 2L; + unsafe.copyMemory(a, from, a, to, 2 * Long.BYTES); + assertArrayEquals(new long[] {1, 2, 1, 2}, a); + }); + assertBadMemoryAccess(() -> { + byte[] b = {1, 2, 3, 4}; + long from = ARRAY_BYTE_BASE_OFFSET; + // `to + size` exceeds array + long to = ARRAY_BYTE_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE * 3L; + unsafe.copyMemory(b, from, b, to, 2); + }); + + var e = assertBadMemoryAccess(() -> { + Object[] a = {"a", "b"}; + // `copyMemory` only permits primitive arrays + unsafe.copyMemory(a, ARRAY_OBJECT_BASE_OFFSET, a, ARRAY_OBJECT_BASE_OFFSET, 1); + }); + assertEquals("Unsupported class " + Object[].class.getTypeName(), e.getMessage()); + } + + @Test + void copyMemoryField() throws Exception { + class Dummy { + short a; + char b; + + @Override + public String toString() { + return "Dummy"; + } + } + Field fieldA = Dummy.class.getDeclaredField("a"); + long offsetA = unsafe.objectFieldOffset(fieldA); + Field fieldB = Dummy.class.getDeclaredField("b"); + long offsetB = unsafe.objectFieldOffset(fieldB); + Dummy dummy = new Dummy(); + + dummy.a = 1; + var e = assertBadMemoryAccess(() -> unsafe.copyMemory(dummy, offsetA, dummy, offsetB, 2)); + assertEquals("Unsupported class " + Dummy.class.getTypeName(), e.getMessage()); + } + + @Test + void copyMemory() { + assertNoBadMemoryAccess(() -> { + long size = Long.BYTES; + long a = allocateMemory(size); + long longValue = 0x1234567890ABCDEFL; + unsafe.putLong(a, longValue); + + long b = allocateMemory(size); + unsafe.putLong(b, 0); + + // Copy of size 0 should have no effect + 
unsafe.copyMemory(null, a, null, b, 0); + assertEquals(longValue, unsafe.getLong(a)); + assertEquals(0, unsafe.getLong(b)); + + // Copy of size 0 should also be allowed right behind sections, i.e. at 'exclusive end address' + unsafe.copyMemory(null, a + size, null, b + size, 0); + assertEquals(longValue, unsafe.getLong(a)); + assertEquals(0, unsafe.getLong(b)); + + unsafe.copyMemory(null, a, null, b, size); + assertEquals(longValue, unsafe.getLong(a)); + assertEquals(longValue, unsafe.getLong(b)); + + freeMemory(b); + b = allocateMemory(size); + unsafe.copyMemory(a, b, size); + assertEquals(longValue, unsafe.getLong(b)); + + freeMemory(b); + b = allocateMemory(size); + unsafe.setMemory(b, size, (byte) 0); + unsafe.putInt(a + 2, 1); + // Copy memory in the middle + unsafe.copyMemory(a + 2, b + 2, 4); + assertEquals(1, unsafe.getInt(b + 2)); + // Other memory should have remained unmodified + assertEquals(0, unsafe.getByte(b)); + assertEquals(0, unsafe.getByte(b + 6)); + + // Clean up + freeMemory(a); + freeMemory(b); + }); + + + long size = 8; + long a = allocateMemory(size); + long b = allocateMemory(size); + + assertBadMemoryAccess(() -> unsafe.copyMemory(null, a, null, b, size + 1)); + assertBadMemoryAccess(() -> unsafe.copyMemory(a, b, size + 1)); + + assertBadMemoryAccess(() -> unsafe.copyMemory(null, a + 1, null, b, size)); + assertBadMemoryAccess(() -> unsafe.copyMemory(a + 1, b, size)); + + assertBadMemoryAccess(() -> unsafe.copyMemory(null, a, null, b + 1, size)); + assertBadMemoryAccess(() -> unsafe.copyMemory(a, b + 1, size)); + + assertBadMemoryAccess(() -> { + class Dummy { + int i; + } + long offset = unsafe.objectFieldOffset(Dummy.class.getDeclaredField("i")); + Dummy dummy = new Dummy(); + // `copyMemory` only allows primitive arrays as objects + unsafe.copyMemory(dummy, offset, dummy, offset, 4); + }); + + // Clean up + freeMemory(a); + freeMemory(b); + } + + @Test + void setMemoryArray() { + assertNoBadMemoryAccess(() -> { + byte[] b = {1, 2, 3, 
4}; + unsafe.setMemory(b, ARRAY_BYTE_BASE_OFFSET, 4, (byte) 2); + assertArrayEquals(new byte[] {2, 2, 2, 2}, b); + }); + assertNoBadMemoryAccess(() -> { + byte[] b = {1, 2, 3, 4}; + unsafe.setMemory(b, ARRAY_BYTE_BASE_OFFSET, 2, (byte) 5); + assertArrayEquals(new byte[] {5, 5, 3, 4}, b); + }); + assertNoBadMemoryAccess(() -> { + byte[] b = {1, 2, 3, 4}; + unsafe.setMemory(b, ARRAY_BYTE_BASE_OFFSET + ARRAY_BYTE_INDEX_SCALE, 2, (byte) 5); + assertArrayEquals(new byte[] {1, 5, 5, 4}, b); + }); + assertNoBadMemoryAccess(() -> { + long[] a = {1, 2, 3}; + unsafe.setMemory(a, ARRAY_LONG_BASE_OFFSET + ARRAY_LONG_INDEX_SCALE, Long.BYTES, (byte) 15); + assertArrayEquals(new long[] {1, 0x0F0F0F0F0F0F0F0FL, 3}, a); + }); + + var e = assertBadMemoryAccess(() -> { + byte[] b = {1, 2, 3, 4}; + unsafe.setMemory(b, ARRAY_BYTE_BASE_OFFSET, b.length + 1, (byte) 5); + }); + assertEquals( + "Bad array access at offset " + ARRAY_BYTE_BASE_OFFSET + ", size 5; max offset is " + (ARRAY_BYTE_BASE_OFFSET + 4 * ARRAY_BYTE_INDEX_SCALE), + e.getMessage() + ); + + e = assertBadMemoryAccess(() -> { + Object[] a = {"a", "b"}; + // `setMemory` only permits primitive arrays + unsafe.setMemory(a, ARRAY_OBJECT_BASE_OFFSET, ARRAY_OBJECT_INDEX_SCALE, (byte) 2); + }); + assertEquals("Unsupported class " + Object[].class.getTypeName(), e.getMessage()); + } + + @Test + void setMemoryField() throws Exception { + class Dummy { + int a; + + @Override + public String toString() { + return "Dummy"; + } + } + Field field = Dummy.class.getDeclaredField("a"); + long offset = unsafe.objectFieldOffset(field); + Dummy dummy = new Dummy(); + + dummy.a = 1; + var e = assertBadMemoryAccess(() -> unsafe.setMemory(dummy, offset, 4, (byte) 2)); + assertEquals("Unsupported class " + Dummy.class.getTypeName(), e.getMessage()); + } + + @Test + void setMemory() { + assertNoBadMemoryAccess(() -> { + long size = 8; + long a = allocateMemory(size); + unsafe.putLong(a, 0); + + // Size 0 should have no effect + unsafe.setMemory(a, 
0, (byte) 1); + assertEquals(0, unsafe.getLong(a)); + + // Size 0 should also be allowed right behind section, i.e. at 'exclusive end address' + unsafe.setMemory(a + size, 0, (byte) 1); + assertEquals(0, unsafe.getLong(a)); + + unsafe.setMemory(a + 2, 4, (byte) 0x12); + assertEquals(0x12121212, unsafe.getInt(a + 2)); + // Other memory should have remained unmodified + assertEquals(0, unsafe.getByte(a)); + assertEquals(0, unsafe.getByte(a + 6)); + + // Clean up + freeMemory(a); + }); + + var e = assertBadMemoryAccess(() -> unsafe.setMemory(-1, 2, (byte) 0)); + assertEquals("Invalid address: -1", e.getMessage()); + + long size = 8; + long a = allocateMemory(size); + + e = assertBadMemoryAccess(() -> unsafe.setMemory(a, -1, (byte) 0)); + assertEquals("Invalid bytes count: -1", e.getMessage()); + + e = assertBadMemoryAccess(() -> unsafe.setMemory(a + 1, size, (byte) 0)); + assertEquals( + "Access outside of section at " + (a + 1) + ", size 8 (previous section: " + a + ", size 8)", + e.getMessage() + ); + + // Clean up + freeMemory(a); + } + + // TODO: Add tests which call all Unsafe methods (without necessarily verifying their effect) + // just to make sure that there is no bug in intercepting +}
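Review bot: In `fields()`, the expected message for the `compareAndSwapLong` failure hard-codes `at offset 12`, but field offsets depend on the JVM's object layout (for example whether compressed class pointers are enabled), so this assertion can fail even when the sanitizer is working correctly. The test already holds the real value in `offsetI`, so the expected string should be built from it: `"Field 'int " + Dummy.class.getTypeName() + "#i' at offset " + offsetI + " of class " + Dummy.class.getTypeName() + " has size BYTE_4, not BYTE_8"`. A sanitizer test that goes red for layout reasons tends to get disabled, which would remove the coverage for rejecting a wrong-width CAS on a field.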