executor.c

Go to the documentation of this file.

 
#include "common/infix_internals.h"
#include "common/utility.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
 
#if defined(INFIX_OS_WINDOWS)
#include <windows.h>
#else  // Linux, macOS, BSDs
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>
#endif
 
#if defined(INFIX_OS_MACOS)
#include <dlfcn.h>
#include <pthread.h>
#endif
 
// Portability shim for mmap anonymous flag.
#if defined(INFIX_ENV_POSIX) && !defined(INFIX_OS_WINDOWS)
#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
#define MAP_ANON MAP_ANONYMOUS
#endif
#endif
 
// Internal Helpers for macOS Runtime Linking
#if defined(INFIX_OS_MACOS)
// Define opaque types to avoid including the full framework headers, which is key
// to avoiding the forced linker dependency.
typedef const struct __CFString * CFStringRef;
typedef const void * CFTypeRef;
typedef struct __SecTask * SecTaskRef;
typedef struct __CFError * CFErrorRef;
#define kCFStringEncodingUTF8 0x08000100
 
// A struct to hold dynamically loaded function pointers. It is populated once at runtime.
static struct {
    void (*CFRelease)(CFTypeRef);
    bool (*CFBooleanGetValue)(CFTypeRef boolean);
    CFStringRef (*CFStringCreateWithCString)(CFTypeRef allocator, const char * cStr, uint32_t encoding);
    CFTypeRef kCFAllocatorDefault;
    SecTaskRef (*SecTaskCreateFromSelf)(CFTypeRef allocator);
    CFTypeRef (*SecTaskCopyValueForEntitlement)(SecTaskRef task, CFStringRef entitlement, CFErrorRef * error);
} g_macos_apis;
 
static void initialize_macos_apis(void) {
    // Attempt to load the required system frameworks dynamically.
    void * cf = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_LAZY);
    void * sec = dlopen("/System/Library/Frameworks/Security.framework/Security", RTLD_LAZY);
 
    // If either fails, we cannot proceed with the secure path. Clean up and exit.
    if (!cf || !sec) {
        INFIX_DEBUG_PRINTF("Warning: Could not dlopen macOS frameworks. JIT security features will be degraded.");
        if (cf)
            dlclose(cf);
        if (sec)
            dlclose(sec);
        // Ensure all pointers are null to signal failure.
        memset(&g_macos_apis, 0, sizeof(g_macos_apis));
        return;
    }
 
    // Use dlsym to find the address of each function and global constant we need.
    g_macos_apis.CFRelease = dlsym(cf, "CFRelease");
    g_macos_apis.CFBooleanGetValue = dlsym(cf, "CFBooleanGetValue");
    g_macos_apis.CFStringCreateWithCString = dlsym(cf, "CFStringCreateWithCString");
    void ** pAlloc = (void **)dlsym(cf, "kCFAllocatorDefault");
    if (pAlloc)
        g_macos_apis.kCFAllocatorDefault = *pAlloc;
 
    g_macos_apis.SecTaskCreateFromSelf = dlsym(sec, "SecTaskCreateFromSelf");
    g_macos_apis.SecTaskCopyValueForEntitlement = dlsym(sec, "SecTaskCopyValueForEntitlement");
 
    // The handles can be closed; the OS keeps the libraries in memory and the pointers remain valid.
    dlclose(cf);
    dlclose(sec);
}
 
static bool has_jit_entitlement(void) {
    // Use pthread_once to ensure the framework APIs are loaded exactly once in a thread-safe manner.
    static pthread_once_t init_once = PTHREAD_ONCE_INIT;
    pthread_once(&init_once, initialize_macos_apis);
 
    // If we failed to load the necessary APIs, we cannot check, so we must return false.
    if (!g_macos_apis.SecTaskCopyValueForEntitlement || !g_macos_apis.CFStringCreateWithCString)
        return false;
 
    bool result = false;
    // Get a reference to the current process's security properties.
    SecTaskRef task = g_macos_apis.SecTaskCreateFromSelf(g_macos_apis.kCFAllocatorDefault);
    if (!task)
        return false;
 
    // Create a CoreFoundation string for the entitlement key we're looking for.
    CFStringRef key = g_macos_apis.CFStringCreateWithCString(
        g_macos_apis.kCFAllocatorDefault, "com.apple.security.cs.allow-jit", kCFStringEncodingUTF8);
    CFTypeRef value = NULL;
    if (key) {  // Query the OS for the entitlement value.
        value = g_macos_apis.SecTaskCopyValueForEntitlement(task, key, NULL);
        g_macos_apis.CFRelease(key);  // Must release objects we create.
    }
    g_macos_apis.CFRelease(task);  // Must release the task reference.
 
    if (value) {
        // A JIT entitlement is boolean. We must check that its value is explicitly `true`.
        if (g_macos_apis.CFBooleanGetValue && g_macos_apis.CFBooleanGetValue(value))
            result = true;
        g_macos_apis.CFRelease(value);  // Must release the retrieved value object.
    }
    return result;
}
#endif
 
#if !defined(INFIX_OS_WINDOWS) && !defined(INFIX_OS_MACOS) && !defined(INFIX_OS_ANDROID) && !defined(INFIX_OS_OPENBSD)
#include <fcntl.h>
#include <stdint.h>
 
static int shm_open_anonymous() {
    char shm_name[64];
    uint64_t random_val = 0;
 
    // Use /dev/urandom to generate a highly unpredictable name to avoid collisions
    // and prevent predictable name attacks.
    int rand_fd = open("/dev/urandom", O_RDONLY);
    if (rand_fd < 0)
        return -1;
 
    ssize_t bytes_read = read(rand_fd, &random_val, sizeof(random_val));
    close(rand_fd);
    if (bytes_read != sizeof(random_val))
        return -1;
 
    snprintf(shm_name, sizeof(shm_name), "/infix-jit-%d-%llx", getpid(), (unsigned long long)random_val);
 
    // Create the shared memory object.
    // - O_CREAT | O_EXCL: Atomically create the object, failing if it already exists.
    //   This prevents race conditions and symlink attacks.
    int fd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        shm_unlink(shm_name);
        return fd;
    }
 
    return -1;
}
#endif
 
// Executable Memory Management
c23_nodiscard infix_executable_t infix_executable_alloc(size_t size) {
#if defined(INFIX_OS_WINDOWS)
    infix_executable_t exec = {.rx_ptr = nullptr, .rw_ptr = nullptr, .size = 0, .handle = NULL};
#else
    infix_executable_t exec = {.rx_ptr = nullptr, .rw_ptr = nullptr, .size = 0, .shm_fd = -1};
#endif
 
    if (size == 0)
        return exec;
 
#if defined(INFIX_OS_WINDOWS)
    void * code = VirtualAlloc(nullptr, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (code == nullptr)
        return exec;
    exec.rw_ptr = code;
    exec.rx_ptr = code;
 
#elif defined(INFIX_OS_MACOS) || defined(INFIX_OS_ANDROID) || defined(INFIX_OS_OPENBSD) || defined(INFIX_OS_DRAGONFLY)
    void * code = MAP_FAILED;
#if defined(MAP_ANON)
    int flags = MAP_PRIVATE | MAP_ANON;
#if defined(INFIX_OS_MACOS)
    static bool g_use_secure_jit_path = false;
    static bool g_checked_jit_support = false;
    if (!g_checked_jit_support) {
        g_use_secure_jit_path = has_jit_entitlement();
        INFIX_DEBUG_PRINTF("macOS JIT check: Entitlement found = %s. Using %s API.",
                           g_use_secure_jit_path ? "yes" : "no",
                           g_use_secure_jit_path ? "secure (MAP_JIT)" : "legacy/insecure (mprotect)");
        g_checked_jit_support = true;
    }
    // If the check determined the secure path is viable, add the MAP_JIT flag.
    // Otherwise, we proceed without it, using the legacy path.
    if (g_use_secure_jit_path)
        flags |= MAP_JIT;
#endif
    code = mmap(nullptr, size, PROT_READ | PROT_WRITE, flags, -1, 0);
#endif
    if (code == MAP_FAILED) {  // Fallback for systems without MAP_ANON (like DragonflyBSD)
        int fd = open("/dev/zero", O_RDWR);
        if (fd != -1) {
            code = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
            close(fd);
        }
    }
    if (code == MAP_FAILED)
        return exec;
    exec.rw_ptr = code;
    exec.rx_ptr = code;
 
#else
    exec.shm_fd = shm_open_anonymous();
    if (exec.shm_fd < 0)
        return exec;
    if (ftruncate(exec.shm_fd, size) != 0) {
        close(exec.shm_fd);
        return exec;
    }
    exec.rw_ptr = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_SHARED, exec.shm_fd, 0);
    exec.rx_ptr = mmap(nullptr, size, PROT_READ | PROT_EXEC, MAP_SHARED, exec.shm_fd, 0);
    if (exec.rw_ptr == MAP_FAILED || exec.rx_ptr == MAP_FAILED) {
        if (exec.rw_ptr != MAP_FAILED)
            munmap(exec.rw_ptr, size);
        if (exec.rx_ptr != MAP_FAILED)
            munmap(exec.rx_ptr, size);
        close(exec.shm_fd);
        return (infix_executable_t){.rx_ptr = nullptr, .rw_ptr = nullptr, .size = 0, .shm_fd = -1};
    }
#endif
 
    exec.size = size;
    INFIX_DEBUG_PRINTF("Allocated JIT memory. RW at %p, RX at %p", exec.rw_ptr, exec.rx_ptr);
    return exec;
}
 
void infix_executable_free(infix_executable_t exec) {
    if (exec.size == 0)
        return;
 
#if defined(INFIX_OS_WINDOWS)
    if (exec.rw_ptr) {
        // Arm the guard page by revoking all access.
        if (!VirtualProtect(exec.rw_ptr, exec.size, PAGE_NOACCESS, &(DWORD){0}))
            INFIX_DEBUG_PRINTF("WARNING: VirtualProtect failed to set PAGE_NOACCESS.");
        // Now, release the memory.
        VirtualFree(exec.rw_ptr, 0, MEM_RELEASE);
    }
#elif defined(INFIX_OS_MACOS)
    if (exec.rw_ptr) {
#if INFIX_MACOS_SECURE_JIT_AVAILABLE
        // We must check the same static bool to know which path was taken during allocation.
        static bool g_use_secure_jit_path = false;
        if (g_use_secure_jit_path)
            // If the secure path was used, the memory must be made writable again
            // before it can be unmapped.
            pthread_jit_write_protect_np(true);
#endif
        mprotect(exec.rw_ptr, exec.size, PROT_NONE);
        munmap(exec.rw_ptr, exec.size);
    }
#elif defined(INFIX_OS_ANDROID) || defined(INFIX_OS_OPENBSD) || defined(INFIX_OS_DRAGONFLY)
    if (exec.rw_ptr) {
        mprotect(exec.rw_ptr, exec.size, PROT_NONE);
        munmap(exec.rw_ptr, exec.size);
    }
#else
    if (exec.rx_ptr)
        mprotect(exec.rx_ptr, exec.size, PROT_NONE);
    if (exec.rw_ptr)
        munmap(exec.rw_ptr, exec.size);
    if (exec.rx_ptr && exec.rx_ptr != exec.rw_ptr)
        munmap(exec.rx_ptr, exec.size);
    if (exec.shm_fd >= 0)
        close(exec.shm_fd);
#endif
}
 
c23_nodiscard bool infix_executable_make_executable(infix_executable_t exec) {
    if (exec.rw_ptr == nullptr || exec.size == 0)
        return false;
 
#if defined(INFIX_ARCH_AARCH64)
#if defined(_MSC_VER)
    FlushInstructionCache(GetCurrentProcess(), exec.rw_ptr, exec.size);
#else
    __builtin___clear_cache((char *)exec.rw_ptr, (char *)exec.rw_ptr + exec.size);
#endif
#endif
 
    bool result = false;
#if defined(INFIX_OS_WINDOWS)
    result = VirtualProtect(exec.rw_ptr, exec.size, PAGE_EXECUTE_READ, &(DWORD){0});
#elif defined(INFIX_OS_MACOS)
#if INFIX_MACOS_SECURE_JIT_AVAILABLE
    static bool g_use_secure_jit_path = false;
    if (g_use_secure_jit_path) {
        pthread_jit_write_protect_np(false);
        result = true;
    }
    else  // Fallback to the legacy, insecure method.
#endif
        result = (mprotect(exec.rw_ptr, exec.size, PROT_READ | PROT_EXEC) == 0);
#elif defined(INFIX_OS_ANDROID) || defined(INFIX_OS_OPENBSD) || defined(INFIX_OS_DRAGONFLY)
    result = (mprotect(exec.rw_ptr, exec.size, PROT_READ | PROT_EXEC) == 0);
#else
    result = true;  // No-op for dual-map platforms
#endif
 
    if (result)
        INFIX_DEBUG_PRINTF("Memory at %p is ready for execution.", exec.rx_ptr);
    return result;
}
 
// Protected Data Memory Management
c23_nodiscard infix_protected_t infix_protected_alloc(size_t size) {
    infix_protected_t prot = {.rw_ptr = nullptr, .size = 0};
    if (size == 0)
        return prot;
#if defined(INFIX_OS_WINDOWS)
    prot.rw_ptr = VirtualAlloc(nullptr, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
#if defined(MAP_ANON)
    prot.rw_ptr = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
#else
    int fd = open("/dev/zero", O_RDWR);
    if (fd == -1)
        prot.rw_ptr = MAP_FAILED;
    else {
        prot.rw_ptr = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
        close(fd);
    }
#endif
    if (prot.rw_ptr == MAP_FAILED)
        prot.rw_ptr = nullptr;
#endif
    if (prot.rw_ptr)
        prot.size = size;
    return prot;
}
 
void infix_protected_free(infix_protected_t prot) {
    if (prot.size == 0)
        return;
#if defined(INFIX_OS_WINDOWS)
    VirtualFree(prot.rw_ptr, 0, MEM_RELEASE);
#else
    munmap(prot.rw_ptr, prot.size);
#endif
}
 
c23_nodiscard bool infix_protected_make_readonly(infix_protected_t prot) {
    if (prot.size == 0)
        return false;
    bool result = false;
#if defined(INFIX_OS_WINDOWS)
    result = VirtualProtect(prot.rw_ptr, prot.size, PAGE_READONLY, &(DWORD){0});
#else
    // On all POSIX platforms (Linux, macOS, BSDs), this works as expected for data pages.
    result = (mprotect(prot.rw_ptr, prot.size, PROT_READ) == 0);
#endif
    return result;
}
 
void infix_internal_dispatch_callback_fn_impl(infix_reverse_t * context, void * return_value_ptr, void ** args_array) {
    INFIX_DEBUG_PRINTF("Dispatching callback. Context: %p, User Fn: %p", (void *)context, context->user_callback_fn);
 
    if (context->user_callback_fn == nullptr) {
        // This is a fatal internal error, likely from a failed allocation during setup.
        if (return_value_ptr && context->return_type->size > 0)
            infix_memset(return_value_ptr, 0, context->return_type->size);
        return;
    }
 
    // Check if this is a high-level "callback" or a low-level "closure".
    if (context->cached_forward_trampoline != nullptr) {
        // High-Level, Type-Safe "Callback" Path
        // Use the cached forward trampoline to call the user's type-safe C handler.
        // The user's handler has a "clean" signature and does not expect the context.
        infix_cif_func cif_func = infix_forward_get_code(context->cached_forward_trampoline);
        cif_func(return_value_ptr, args_array);
    }
    else {
        // Low-Level, Generic "Closure" Path
        // Directly call the user's generic handler, which expects the context.
        infix_closure_handler_fn handler = (infix_closure_handler_fn)context->user_callback_fn;
        handler(context, return_value_ptr, args_array);
    }
 
    INFIX_DEBUG_PRINTF("Exiting callback dispatcher.");
}