Make C memory safe like Rust

This change enables Address Sanitizer systemically w/ `make MODE=dbg`. Our version of Rust's `unsafe` keyword is named `noasan` which is used for two functions that do aligned memory chunking, like `strcpy.c` and we need to fix the tiny DEFLATE code, but that's it everything else is fabulous you can have all the fischer price security blankets you need Best of all is we're now able to use the ASAN data in Blinkenlights to colorize the memory dumps. See the screenshot below of a test program: https://justine.lol/blinkenlights/asan.png Which is operating on float arrays stored on the stack, with red areas indicating poisoned memory, and the green areas indicate valid memory.
2025-05-28 00:02:28 +00:00 · 2021-02-01 03:33:13 -08:00 · 2021-02-01 03:33:13 -08:00 · 1ff9ab95ac
commit 1ff9ab95ac
parent fdc3fa9148
153 changed files with 2545 additions and 2077 deletions
--- a/libc/runtime/executive.S
+++ b/libc/runtime/executive.S
@ -25,22 +25,29 @@
 .text.startup
 .source	__FILE__

-/	Stack frame that owns process from spawn to exit.
+/	Cosmopolitan runtime.
 /
 /	@param	edi is argc
 /	@param	rsi is argv
 /	@param	rdx is environ
 /	@param	rcx is auxv
 /	@noreturn
-_executive:
-	push	%rbp
+cosmo:	push	%rbp
 	mov	%rsp,%rbp
 	ezlea	_base,bx
 	mov	%edi,%r12d
 	mov	%rsi,%r13
 	mov	%rdx,%r14
 	mov	%rcx,%r15
-	call	_spawn
+#ifdef __FAST_MATH__
+	call	__fast_math
+#endif
+	call	_init
+	call	_construct
+#if !IsTrustworthy()
+	mov	$PROT_READ,%edi
+	call	_piro
+#endif
 	mov	%r12d,%edi
 	mov	%r13,%rsi
 	mov	%r14,%rdx
@ -49,7 +56,7 @@ _executive:
 	call	main
 	xchg	%eax,%edi
 	call	exit
-	.endfn	_executive,weak,hidden
+	.endfn	cosmo,weak,hidden
 	ud2

 #ifdef __PG__
--- a/libc/runtime/finddebugbinary.c
+++ b/libc/runtime/finddebugbinary.c
@ -36,6 +36,7 @@ const char *FindDebugBinary(void) {
  char buf[2][PATH_MAX];
  static char res[PATH_MAX];
  const char *bins[4], *pwd;
+  if (res[0]) return res;
  bins[0] = program_invocation_name;
  bins[1] = (const char *)getauxval(AT_EXECFN);
  pwd = emptytonull(getenv("PWD"));
@ -59,6 +60,7 @@ const char *FindDebugBinary(void) {
      return res;
    }
  }
+  res[0] = '\0';
  errno = ENOENT;
  return NULL;
 }
--- a/libc/runtime/internal.h
+++ b/libc/runtime/internal.h
@ -19,7 +19,7 @@ extern hidden void *g_stacktop;
 void _init(void) hidden;
 void _piro(int) hidden;
 void *__cxa_finalize(void *) hidden;
-void _executive(int, char **, char **, long (*)[2]) hidden wontreturn;
+void cosmo(int, char **, char **, long (*)[2]) hidden wontreturn;
 void __stack_chk_fail(void) wontreturn relegated;
 void __stack_chk_fail_local(void) wontreturn relegated hidden;
 void _jmpstack(void *, void *, ...) hidden wontreturn;
--- a/libc/runtime/memtrack.h
+++ b/libc/runtime/memtrack.h
@ -23,7 +23,7 @@ COSMOPOLITAN_C_START_
 #define kFixedmapStart MEMTRACK_ADDRESS(_kFixedmapStart, 0x40000000)

 struct MemoryIntervals {
-  int i;
+  long i;
  struct MemoryInterval {
    int x;
    int y;
--- a/libc/runtime/mmap.c
+++ b/libc/runtime/mmap.c
@ -21,7 +21,7 @@
 #include "libc/calls/calls.h"
 #include "libc/calls/internal.h"
 #include "libc/dce.h"
-#include "libc/log/asan.internal.h"
+#include "libc/intrin/asan.internal.h"
 #include "libc/macros.h"
 #include "libc/rand/rand.h"
 #include "libc/runtime/directmap.h"
@ -94,7 +94,7 @@ void *mmap(void *addr, size_t size, int prot, int flags, int fd, int64_t off) {
    abort();
  }
  if (weaken(__asan_map_shadow)) {
-    weaken(__asan_map_shadow)(dm.addr, size);
+    weaken(__asan_map_shadow)((uintptr_t)dm.addr, size);
  }
  return dm.addr;
 }
--- a/libc/runtime/runtime.mk
+++ b/libc/runtime/runtime.mk
@ -56,7 +56,23 @@ $(LIBC_RUNTIME_A).pkg:					\
 		$(LIBC_RUNTIME_A_OBJS)			\
 		$(foreach x,$(LIBC_RUNTIME_A_DIRECTDEPS),$($(x)_A).pkg)

-$(LIBC_RUNTIME_A_OBJS):					\
+o/$(MODE)/libc/runtime/abort-nt.o			\
+o/$(MODE)/libc/runtime/assertfail.o			\
+o/$(MODE)/libc/runtime/memtrack.o			\
+o/$(MODE)/libc/runtime/memtracknt.o			\
+o/$(MODE)/libc/runtime/findmemoryinterval.o		\
+o/$(MODE)/libc/runtime/arememoryintervalsok.o		\
+o/$(MODE)/libc/runtime/isheap.o				\
+o/$(MODE)/libc/runtime/directmap.o			\
+o/$(MODE)/libc/runtime/directmapnt.o			\
+o/$(MODE)/libc/runtime/stackchkfail.o			\
+o/$(MODE)/libc/runtime/stackchkfaillocal.o		\
+o/$(MODE)/libc/runtime/hook.greg.o			\
+o/$(MODE)/libc/runtime/print.greg.o			\
+o/$(MODE)/libc/runtime/ftrace.greg.o			\
+o/$(MODE)/libc/runtime/getdosargv.o			\
+o/$(MODE)/libc/runtime/getdosenviron.o			\
+o/$(MODE)/libc/runtime/winmain.greg.o:			\
 		OVERRIDE_CFLAGS +=			\
 			$(NO_MAGIC)

--- a/libc/runtime/spawn.S
+++ b/libc/runtime/spawn.S
@ -1,55 +0,0 @@
-/*-*- mode:unix-assembly; indent-tabs-mode:t; tab-width:8; coding:utf-8     -*-│
-│vi: set et ft=asm ts=8 tw=8 fenc=utf-8                                     :vi│
-╞══════════════════════════════════════════════════════════════════════════════╡
-│ Copyright 2020 Justine Alexandra Roberts Tunney                              │
-│                                                                              │
-│ Permission to use, copy, modify, and/or distribute this software for         │
-│ any purpose with or without fee is hereby granted, provided that the         │
-│ above copyright notice and this permission notice appear in all copies.      │
-│                                                                              │
-│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
-│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
-│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
-│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
-│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
-│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
-│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
-│ PERFORMANCE OF THIS SOFTWARE.                                                │
-╚─────────────────────────────────────────────────────────────────────────────*/
-#include "libc/dce.h"
-#include "libc/sysv/consts/prot.h"
-#include "libc/macros.h"
-
-/	Self-bootstraps process upon existence before calling main.
-/
-/	@param	r12 is argc
-/	@param	r13 is argv
-/	@param	r14 is environ
-/	@param	r15 is auxv
-_spawn:	push	%rbp
-	mov	%rsp,%rbp
-
-/	Tune FPU settings if -ffast-math is somehow used systemically.
-#ifdef __FAST_MATH__
-	call	__fast_math
-#endif
-
-/	Call decentralized initialization assembly.
-	call	_init
-#if IsModeDbg()
-	call	_init				# _init() is idempotent
-#endif
-
-/	Call global initialization functions.
-	call	_construct
-
-/	Restricts .initbss memory so it's read-only after initialization.
-/	TODO: Delete this unless there's measurable performance advantage.
-#if !IsTrustworthy()
-	mov	$PROT_READ,%edi
-	call	_piro
-#endif
-
-	pop	%rbp
-	ret
-	.endfn	_spawn,globl
--- a/libc/runtime/winmain.greg.c
+++ b/libc/runtime/winmain.greg.c
@ -49,8 +49,6 @@
 * TODO: How can we ensure we never overlap with KERNEL32.DLL?
 */

-#define WINSTACK 0x100000
-
 struct WinArgs {
  char *argv[4096];
  char *envp[4096];
@ -109,7 +107,7 @@ static textwindows wontreturn void WinMainNew(void) {
  NormalizeCmdExe();
  *(/*unconst*/ int *)&__hostos = WINDOWS;
  addr = NtGetVersion() < kNtVersionWindows10 ? 0xff00000 : 0x777000000000;
-  size = ROUNDUP(WINSTACK + sizeof(struct WinArgs), FRAMESIZE);
+  size = ROUNDUP(STACKSIZE + sizeof(struct WinArgs), FRAMESIZE);
  _mmi.p[0].h =
      __mmap$nt((char *)addr, size, PROT_READ | PROT_WRITE | PROT_EXEC, -1, 0)
          .maphandle;
@ -130,8 +128,7 @@ static textwindows wontreturn void WinMainNew(void) {
  FreeEnvironmentStrings(env16);
  auxv[0][0] = pushpop(0L);
  auxv[0][1] = pushpop(0L);
-  _jmpstack((char *)addr + WINSTACK, _executive, count, wa->argv, wa->envp,
-            auxv);
+  _jmpstack((char *)addr + STACKSIZE, cosmo, count, wa->argv, wa->envp, auxv);
 }

 /**