1 /*
   2  * Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  *
  23  */
  24 
  25 #include "precompiled.hpp"
  26 #include "classfile/vmSymbols.hpp"
  27 #include "memory/allocation.inline.hpp"
  28 #include "memory/resourceArea.hpp"
  29 #include "oops/oop.inline.hpp"
  30 #include "os_bsd.inline.hpp"
  31 #include "runtime/handles.inline.hpp"
  32 #include "runtime/os.hpp"
  33 #include "runtime/perfMemory.hpp"
  34 #include "services/memTracker.hpp"
  35 #include "utilities/exceptions.hpp"
  36 
  37 // put OS-includes here
  38 # include <sys/types.h>
  39 # include <sys/mman.h>
  40 # include <errno.h>
  41 # include <stdio.h>
  42 # include <unistd.h>
  43 # include <sys/stat.h>
  44 # include <signal.h>
  45 # include <pwd.h>
  46 
  47 static char* backing_store_file_name = NULL;  // name of the backing store
  48                                               // file, if successfully created.
  49 
  50 // Standard Memory Implementation Details
  51 
  52 // create the PerfData memory region in standard memory.
  53 //
  54 static char* create_standard_memory(size_t size) {
  55 
  56   // allocate an aligned chuck of memory
  57   char* mapAddress = os::reserve_memory(size);
  58 
  59   if (mapAddress == NULL) {
  60     return NULL;
  61   }
  62 
  63   // commit memory
  64   if (!os::commit_memory(mapAddress, size, !ExecMem)) {
  65     if (PrintMiscellaneous && Verbose) {
  66       warning("Could not commit PerfData memory\n");
  67     }
  68     os::release_memory(mapAddress, size);
  69     return NULL;
  70   }
  71 
  72   return mapAddress;
  73 }
  74 
  75 // delete the PerfData memory region
  76 //
  77 static void delete_standard_memory(char* addr, size_t size) {
  78 
  79   // there are no persistent external resources to cleanup for standard
  80   // memory. since DestroyJavaVM does not support unloading of the JVM,
  81   // cleanup of the memory resource is not performed. The memory will be
  82   // reclaimed by the OS upon termination of the process.
  83   //
  84   return;
  85 }
  86 
  87 // save the specified memory region to the given file
  88 //
  89 // Note: this function might be called from signal handler (by os::abort()),
  90 // don't allocate heap memory.
  91 //
  92 static void save_memory_to_file(char* addr, size_t size) {
  93 
  94  const char* destfile = PerfMemory::get_perfdata_file_path();
  95  assert(destfile[0] != '\0', "invalid PerfData file path");
  96 
  97   int result;
  98 
  99   RESTARTABLE(::open(destfile, O_CREAT|O_WRONLY|O_TRUNC, S_IREAD|S_IWRITE),
 100               result);;
 101   if (result == OS_ERR) {
 102     if (PrintMiscellaneous && Verbose) {
 103       warning("Could not create Perfdata save file: %s: %s\n",
 104               destfile, os::strerror(errno));
 105     }
 106   } else {
 107     int fd = result;
 108 
 109     for (size_t remaining = size; remaining > 0;) {
 110 
 111       RESTARTABLE(::write(fd, addr, remaining), result);
 112       if (result == OS_ERR) {
 113         if (PrintMiscellaneous && Verbose) {
 114           warning("Could not write Perfdata save file: %s: %s\n",
 115                   destfile, os::strerror(errno));
 116         }
 117         break;
 118       }
 119 
 120       remaining -= (size_t)result;
 121       addr += result;
 122     }
 123 
 124     result = ::close(fd);
 125     if (PrintMiscellaneous && Verbose) {
 126       if (result == OS_ERR) {
 127         warning("Could not close %s: %s\n", destfile, os::strerror(errno));
 128       }
 129     }
 130   }
 131   FREE_C_HEAP_ARRAY(char, destfile);
 132 }
 133 
 134 
 135 // Shared Memory Implementation Details
 136 
 137 // Note: the solaris and bsd shared memory implementation uses the mmap
 138 // interface with a backing store file to implement named shared memory.
 139 // Using the file system as the name space for shared memory allows a
 140 // common name space to be supported across a variety of platforms. It
 141 // also provides a name space that Java applications can deal with through
 142 // simple file apis.
 143 //
 144 // The solaris and bsd implementations store the backing store file in
 145 // a user specific temporary directory located in the /tmp file system,
 146 // which is always a local file system and is sometimes a RAM based file
 147 // system.
 148 
 149 // return the user specific temporary directory name.
 150 //
 151 // the caller is expected to free the allocated memory.
 152 //
 153 static char* get_user_tmp_dir(const char* user) {
 154 
 155   const char* tmpdir = os::get_temp_directory();
 156   const char* perfdir = PERFDATA_NAME;
 157   size_t nbytes = strlen(tmpdir) + strlen(perfdir) + strlen(user) + 3;
 158   char* dirname = NEW_C_HEAP_ARRAY(char, nbytes, mtInternal);
 159 
 160   // construct the path name to user specific tmp directory
 161   snprintf(dirname, nbytes, "%s/%s_%s", tmpdir, perfdir, user);
 162 
 163   return dirname;
 164 }
 165 
 166 // convert the given file name into a process id. if the file
 167 // does not meet the file naming constraints, return 0.
 168 //
 169 static pid_t filename_to_pid(const char* filename) {
 170 
 171   // a filename that doesn't begin with a digit is not a
 172   // candidate for conversion.
 173   //
 174   if (!isdigit(*filename)) {
 175     return 0;
 176   }
 177 
 178   // check if file name can be converted to an integer without
 179   // any leftover characters.
 180   //
 181   char* remainder = NULL;
 182   errno = 0;
 183   pid_t pid = (pid_t)strtol(filename, &remainder, 10);
 184 
 185   if (errno != 0) {
 186     return 0;
 187   }
 188 
 189   // check for left over characters. If any, then the filename is
 190   // not a candidate for conversion.
 191   //
 192   if (remainder != NULL && *remainder != '\0') {
 193     return 0;
 194   }
 195 
 196   // successful conversion, return the pid
 197   return pid;
 198 }
 199 
 200 
 201 // Check if the given statbuf is considered a secure directory for
 202 // the backing store files. Returns true if the directory is considered
 203 // a secure location. Returns false if the statbuf is a symbolic link or
 204 // if an error occurred.
 205 //
 206 static bool is_statbuf_secure(struct stat *statp) {
 207   if (S_ISLNK(statp->st_mode) || !S_ISDIR(statp->st_mode)) {
 208     // The path represents a link or some non-directory file type,
 209     // which is not what we expected. Declare it insecure.
 210     //
 211     return false;
 212   }
 213   // We have an existing directory, check if the permissions are safe.
 214   //
 215   if ((statp->st_mode & (S_IWGRP|S_IWOTH)) != 0) {
 216     // The directory is open for writing and could be subjected
 217     // to a symlink or a hard link attack. Declare it insecure.
 218     //
 219     return false;
 220   }
 221   // If user is not root then see if the uid of the directory matches the effective uid of the process.
 222   uid_t euid = geteuid();
 223   if ((euid != 0) && (statp->st_uid != euid)) {
 224     // The directory was not created by this user, declare it insecure.
 225     //
 226     return false;
 227   }
 228   return true;
 229 }
 230 
 231 
 232 // Check if the given path is considered a secure directory for
 233 // the backing store files. Returns true if the directory exists
 234 // and is considered a secure location. Returns false if the path
 235 // is a symbolic link or if an error occurred.
 236 //
 237 static bool is_directory_secure(const char* path) {
 238   struct stat statbuf;
 239   int result = 0;
 240 
 241   RESTARTABLE(::lstat(path, &statbuf), result);
 242   if (result == OS_ERR) {
 243     return false;
 244   }
 245 
 246   // The path exists, see if it is secure.
 247   return is_statbuf_secure(&statbuf);
 248 }
 249 
 250 
 251 // Check if the given directory file descriptor is considered a secure
 252 // directory for the backing store files. Returns true if the directory
 253 // exists and is considered a secure location. Returns false if the path
 254 // is a symbolic link or if an error occurred.
 255 //
 256 static bool is_dirfd_secure(int dir_fd) {
 257   struct stat statbuf;
 258   int result = 0;
 259 
 260   RESTARTABLE(::fstat(dir_fd, &statbuf), result);
 261   if (result == OS_ERR) {
 262     return false;
 263   }
 264 
 265   // The path exists, now check its mode.
 266   return is_statbuf_secure(&statbuf);
 267 }
 268 
 269 
 270 // Check to make sure fd1 and fd2 are referencing the same file system object.
 271 //
 272 static bool is_same_fsobject(int fd1, int fd2) {
 273   struct stat statbuf1;
 274   struct stat statbuf2;
 275   int result = 0;
 276 
 277   RESTARTABLE(::fstat(fd1, &statbuf1), result);
 278   if (result == OS_ERR) {
 279     return false;
 280   }
 281   RESTARTABLE(::fstat(fd2, &statbuf2), result);
 282   if (result == OS_ERR) {
 283     return false;
 284   }
 285 
 286   if ((statbuf1.st_ino == statbuf2.st_ino) &&
 287       (statbuf1.st_dev == statbuf2.st_dev)) {
 288     return true;
 289   } else {
 290     return false;
 291   }
 292 }
 293 
 294 
 295 // Open the directory of the given path and validate it.
 296 // Return a DIR * of the open directory.
 297 //
 298 static DIR *open_directory_secure(const char* dirname) {
 299   // Open the directory using open() so that it can be verified
 300   // to be secure by calling is_dirfd_secure(), opendir() and then check
 301   // to see if they are the same file system object.  This method does not
 302   // introduce a window of opportunity for the directory to be attacked that
 303   // calling opendir() and is_directory_secure() does.
 304   int result;
 305   DIR *dirp = NULL;
 306   RESTARTABLE(::open(dirname, O_RDONLY|O_NOFOLLOW), result);
 307   if (result == OS_ERR) {
 308     // Directory doesn't exist or is a symlink, so there is nothing to cleanup.
 309     if (PrintMiscellaneous && Verbose) {
 310       if (errno == ELOOP) {
 311         warning("directory %s is a symlink and is not secure\n", dirname);
 312       } else {
 313         warning("could not open directory %s: %s\n", dirname, os::strerror(errno));
 314       }
 315     }
 316     return dirp;
 317   }
 318   int fd = result;
 319 
 320   // Determine if the open directory is secure.
 321   if (!is_dirfd_secure(fd)) {
 322     // The directory is not a secure directory.
 323     os::close(fd);
 324     return dirp;
 325   }
 326 
 327   // Open the directory.
 328   dirp = ::opendir(dirname);
 329   if (dirp == NULL) {
 330     // The directory doesn't exist, close fd and return.
 331     os::close(fd);
 332     return dirp;
 333   }
 334 
 335   // Check to make sure fd and dirp are referencing the same file system object.
 336   if (!is_same_fsobject(fd, dirfd(dirp))) {
 337     // The directory is not secure.
 338     os::close(fd);
 339     os::closedir(dirp);
 340     dirp = NULL;
 341     return dirp;
 342   }
 343 
 344   // Close initial open now that we know directory is secure
 345   os::close(fd);
 346 
 347   return dirp;
 348 }
 349 
 350 // NOTE: The code below uses fchdir(), open() and unlink() because
 351 // fdopendir(), openat() and unlinkat() are not supported on all
 352 // versions.  Once the support for fdopendir(), openat() and unlinkat()
 353 // is available on all supported versions the code can be changed
 354 // to use these functions.
 355 
 356 // Open the directory of the given path, validate it and set the
 357 // current working directory to it.
 358 // Return a DIR * of the open directory and the saved cwd fd.
 359 //
 360 static DIR *open_directory_secure_cwd(const char* dirname, int *saved_cwd_fd) {
 361 
 362   // Open the directory.
 363   DIR* dirp = open_directory_secure(dirname);
 364   if (dirp == NULL) {
 365     // Directory doesn't exist or is insecure, so there is nothing to cleanup.
 366     return dirp;
 367   }
 368   int fd = dirfd(dirp);
 369 
 370   // Open a fd to the cwd and save it off.
 371   int result;
 372   RESTARTABLE(::open(".", O_RDONLY), result);
 373   if (result == OS_ERR) {
 374     *saved_cwd_fd = -1;
 375   } else {
 376     *saved_cwd_fd = result;
 377   }
 378 
 379   // Set the current directory to dirname by using the fd of the directory and
 380   // handle errors, otherwise shared memory files will be created in cwd.
 381   result = fchdir(fd);
 382   if (result == OS_ERR) {
 383     if (PrintMiscellaneous && Verbose) {
 384       warning("could not change to directory %s", dirname);
 385     }
 386     if (*saved_cwd_fd != -1) {
 387       ::close(*saved_cwd_fd);
 388       *saved_cwd_fd = -1;
 389     }
 390     // Close the directory.
 391     os::closedir(dirp);
 392     return NULL;
 393   } else {
 394     return dirp;
 395   }
 396 }
 397 
 398 // Close the directory and restore the current working directory.
 399 //
 400 static void close_directory_secure_cwd(DIR* dirp, int saved_cwd_fd) {
 401 
 402   int result;
 403   // If we have a saved cwd change back to it and close the fd.
 404   if (saved_cwd_fd != -1) {
 405     result = fchdir(saved_cwd_fd);
 406     ::close(saved_cwd_fd);
 407   }
 408 
 409   // Close the directory.
 410   os::closedir(dirp);
 411 }
 412 
 413 // Check if the given file descriptor is considered a secure.
 414 //
 415 static bool is_file_secure(int fd, const char *filename) {
 416 
 417   int result;
 418   struct stat statbuf;
 419 
 420   // Determine if the file is secure.
 421   RESTARTABLE(::fstat(fd, &statbuf), result);
 422   if (result == OS_ERR) {
 423     if (PrintMiscellaneous && Verbose) {
 424       warning("fstat failed on %s: %s\n", filename, os::strerror(errno));
 425     }
 426     return false;
 427   }
 428   if (statbuf.st_nlink > 1) {
 429     // A file with multiple links is not expected.
 430     if (PrintMiscellaneous && Verbose) {
 431       warning("file %s has multiple links\n", filename);
 432     }
 433     return false;
 434   }
 435   return true;
 436 }
 437 
 438 // return the user name for the given user id
 439 //
 440 // the caller is expected to free the allocated memory.
 441 //
 442 static char* get_user_name(uid_t uid) {
 443 
 444   struct passwd pwent;
 445 
 446   // determine the max pwbuf size from sysconf, and hardcode
 447   // a default if this not available through sysconf.
 448   //
 449   long bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
 450   if (bufsize == -1)
 451     bufsize = 1024;
 452 
 453   char* pwbuf = NEW_C_HEAP_ARRAY(char, bufsize, mtInternal);
 454 
 455   // POSIX interface to getpwuid_r is used on LINUX
 456   struct passwd* p;
 457   int result = getpwuid_r(uid, &pwent, pwbuf, (size_t)bufsize, &p);
 458 
 459   if (result != 0 || p == NULL || p->pw_name == NULL || *(p->pw_name) == '\0') {
 460     if (PrintMiscellaneous && Verbose) {
 461       if (result != 0) {
 462         warning("Could not retrieve passwd entry: %s\n",
 463                 os::strerror(result));
 464       }
 465       else if (p == NULL) {
 466         // this check is added to protect against an observed problem
 467         // with getpwuid_r() on RedHat 9 where getpwuid_r returns 0,
 468         // indicating success, but has p == NULL. This was observed when
 469         // inserting a file descriptor exhaustion fault prior to the call
 470         // getpwuid_r() call. In this case, error is set to the appropriate
 471         // error condition, but this is undocumented behavior. This check
 472         // is safe under any condition, but the use of errno in the output
 473         // message may result in an erroneous message.
 474         // Bug Id 89052 was opened with RedHat.
 475         //
 476         warning("Could not retrieve passwd entry: %s\n",
 477                 os::strerror(errno));
 478       }
 479       else {
 480         warning("Could not determine user name: %s\n",
 481                 p->pw_name == NULL ? "pw_name = NULL" :
 482                                      "pw_name zero length");
 483       }
 484     }
 485     FREE_C_HEAP_ARRAY(char, pwbuf);
 486     return NULL;
 487   }
 488 
 489   char* user_name = NEW_C_HEAP_ARRAY(char, strlen(p->pw_name) + 1, mtInternal);
 490   strcpy(user_name, p->pw_name);
 491 
 492   FREE_C_HEAP_ARRAY(char, pwbuf);
 493   return user_name;
 494 }
 495 
 496 // return the name of the user that owns the process identified by vmid.
 497 //
 498 // This method uses a slow directory search algorithm to find the backing
 499 // store file for the specified vmid and returns the user name, as determined
 500 // by the user name suffix of the hsperfdata_<username> directory name.
 501 //
 502 // the caller is expected to free the allocated memory.
 503 //
 504 static char* get_user_name_slow(int vmid, TRAPS) {
 505 
 506   // short circuit the directory search if the process doesn't even exist.
 507   if (kill(vmid, 0) == OS_ERR) {
 508     if (errno == ESRCH) {
 509       THROW_MSG_0(vmSymbols::java_lang_IllegalArgumentException(),
 510                   "Process not found");
 511     }
 512     else /* EPERM */ {
 513       THROW_MSG_0(vmSymbols::java_io_IOException(), os::strerror(errno));
 514     }
 515   }
 516 
 517   // directory search
 518   char* oldest_user = NULL;
 519   time_t oldest_ctime = 0;
 520 
 521   const char* tmpdirname = os::get_temp_directory();
 522 
 523   // open the temp directory
 524   DIR* tmpdirp = os::opendir(tmpdirname);
 525 
 526   if (tmpdirp == NULL) {
 527     // Cannot open the directory to get the user name, return.
 528     return NULL;
 529   }
 530 
 531   // for each entry in the directory that matches the pattern hsperfdata_*,
 532   // open the directory and check if the file for the given vmid exists.
 533   // The file with the expected name and the latest creation date is used
 534   // to determine the user name for the process id.
 535   //
 536   struct dirent* dentry;
 537   char* tdbuf = NEW_C_HEAP_ARRAY(char, os::readdir_buf_size(tmpdirname), mtInternal);
 538   errno = 0;
 539   while ((dentry = os::readdir(tmpdirp, (struct dirent *)tdbuf)) != NULL) {
 540 
 541     // check if the directory entry is a hsperfdata file
 542     if (strncmp(dentry->d_name, PERFDATA_NAME, strlen(PERFDATA_NAME)) != 0) {
 543       continue;
 544     }
 545 
 546     char* usrdir_name = NEW_C_HEAP_ARRAY(char,
 547                  strlen(tmpdirname) + strlen(dentry->d_name) + 2, mtInternal);
 548     strcpy(usrdir_name, tmpdirname);
 549     strcat(usrdir_name, "/");
 550     strcat(usrdir_name, dentry->d_name);
 551 
 552     // open the user directory
 553     DIR* subdirp = open_directory_secure(usrdir_name);
 554 
 555     if (subdirp == NULL) {
 556       FREE_C_HEAP_ARRAY(char, usrdir_name);
 557       continue;
 558     }
 559 
 560     struct dirent* udentry;
 561     char* udbuf = NEW_C_HEAP_ARRAY(char, os::readdir_buf_size(usrdir_name), mtInternal);
 562     errno = 0;
 563     while ((udentry = os::readdir(subdirp, (struct dirent *)udbuf)) != NULL) {
 564 
 565       if (filename_to_pid(udentry->d_name) == vmid) {
 566         struct stat statbuf;
 567         int result;
 568 
 569         char* filename = NEW_C_HEAP_ARRAY(char,
 570                  strlen(usrdir_name) + strlen(udentry->d_name) + 2, mtInternal);
 571 
 572         strcpy(filename, usrdir_name);
 573         strcat(filename, "/");
 574         strcat(filename, udentry->d_name);
 575 
 576         // don't follow symbolic links for the file
 577         RESTARTABLE(::lstat(filename, &statbuf), result);
 578         if (result == OS_ERR) {
 579            FREE_C_HEAP_ARRAY(char, filename);
 580            continue;
 581         }
 582 
 583         // skip over files that are not regular files.
 584         if (!S_ISREG(statbuf.st_mode)) {
 585           FREE_C_HEAP_ARRAY(char, filename);
 586           continue;
 587         }
 588 
 589         // compare and save filename with latest creation time
 590         if (statbuf.st_size > 0 && statbuf.st_ctime > oldest_ctime) {
 591 
 592           if (statbuf.st_ctime > oldest_ctime) {
 593             char* user = strchr(dentry->d_name, '_') + 1;
 594 
 595             if (oldest_user != NULL) FREE_C_HEAP_ARRAY(char, oldest_user);
 596             oldest_user = NEW_C_HEAP_ARRAY(char, strlen(user)+1, mtInternal);
 597 
 598             strcpy(oldest_user, user);
 599             oldest_ctime = statbuf.st_ctime;
 600           }
 601         }
 602 
 603         FREE_C_HEAP_ARRAY(char, filename);
 604       }
 605     }
 606     os::closedir(subdirp);
 607     FREE_C_HEAP_ARRAY(char, udbuf);
 608     FREE_C_HEAP_ARRAY(char, usrdir_name);
 609   }
 610   os::closedir(tmpdirp);
 611   FREE_C_HEAP_ARRAY(char, tdbuf);
 612 
 613   return(oldest_user);
 614 }
 615 
 616 // return the name of the user that owns the JVM indicated by the given vmid.
 617 //
 618 static char* get_user_name(int vmid, TRAPS) {
 619   return get_user_name_slow(vmid, THREAD);
 620 }
 621 
 622 // return the file name of the backing store file for the named
 623 // shared memory region for the given user name and vmid.
 624 //
 625 // the caller is expected to free the allocated memory.
 626 //
 627 static char* get_sharedmem_filename(const char* dirname, int vmid) {
 628 
 629   // add 2 for the file separator and a null terminator.
 630   size_t nbytes = strlen(dirname) + UINT_CHARS + 2;
 631 
 632   char* name = NEW_C_HEAP_ARRAY(char, nbytes, mtInternal);
 633   snprintf(name, nbytes, "%s/%d", dirname, vmid);
 634 
 635   return name;
 636 }
 637 
 638 
 639 // remove file
 640 //
 641 // this method removes the file specified by the given path
 642 //
 643 static void remove_file(const char* path) {
 644 
 645   int result;
 646 
 647   // if the file is a directory, the following unlink will fail. since
 648   // we don't expect to find directories in the user temp directory, we
 649   // won't try to handle this situation. even if accidentially or
 650   // maliciously planted, the directory's presence won't hurt anything.
 651   //
 652   RESTARTABLE(::unlink(path), result);
 653   if (PrintMiscellaneous && Verbose && result == OS_ERR) {
 654     if (errno != ENOENT) {
 655       warning("Could not unlink shared memory backing"
 656               " store file %s : %s\n", path, os::strerror(errno));
 657     }
 658   }
 659 }
 660 
 661 
 662 // cleanup stale shared memory resources
 663 //
 664 // This method attempts to remove all stale shared memory files in
 665 // the named user temporary directory. It scans the named directory
 666 // for files matching the pattern ^$[0-9]*$. For each file found, the
 667 // process id is extracted from the file name and a test is run to
 668 // determine if the process is alive. If the process is not alive,
 669 // any stale file resources are removed.
 670 //
 671 static void cleanup_sharedmem_resources(const char* dirname) {
 672 
 673   int saved_cwd_fd;
 674   // open the directory and set the current working directory to it
 675   DIR* dirp = open_directory_secure_cwd(dirname, &saved_cwd_fd);
 676   if (dirp == NULL) {
 677     // directory doesn't exist or is insecure, so there is nothing to cleanup
 678     return;
 679   }
 680 
 681   // for each entry in the directory that matches the expected file
 682   // name pattern, determine if the file resources are stale and if
 683   // so, remove the file resources. Note, instrumented HotSpot processes
 684   // for this user may start and/or terminate during this search and
 685   // remove or create new files in this directory. The behavior of this
 686   // loop under these conditions is dependent upon the implementation of
 687   // opendir/readdir.
 688   //
 689   struct dirent* entry;
 690   char* dbuf = NEW_C_HEAP_ARRAY(char, os::readdir_buf_size(dirname), mtInternal);
 691 
 692   errno = 0;
 693   while ((entry = os::readdir(dirp, (struct dirent *)dbuf)) != NULL) {
 694 
 695     pid_t pid = filename_to_pid(entry->d_name);
 696 
 697     if (pid == 0) {
 698 
 699       if (strcmp(entry->d_name, ".") != 0 && strcmp(entry->d_name, "..") != 0) {
 700 
 701         // attempt to remove all unexpected files, except "." and ".."
 702         unlink(entry->d_name);
 703       }
 704 
 705       errno = 0;
 706       continue;
 707     }
 708 
 709     // we now have a file name that converts to a valid integer
 710     // that could represent a process id . if this process id
 711     // matches the current process id or the process is not running,
 712     // then remove the stale file resources.
 713     //
 714     // process liveness is detected by sending signal number 0 to
 715     // the process id (see kill(2)). if kill determines that the
 716     // process does not exist, then the file resources are removed.
 717     // if kill determines that that we don't have permission to
 718     // signal the process, then the file resources are assumed to
 719     // be stale and are removed because the resources for such a
 720     // process should be in a different user specific directory.
 721     //
 722     if ((pid == os::current_process_id()) ||
 723         (kill(pid, 0) == OS_ERR && (errno == ESRCH || errno == EPERM))) {
 724 
 725         unlink(entry->d_name);
 726     }
 727     errno = 0;
 728   }
 729 
 730   // close the directory and reset the current working directory
 731   close_directory_secure_cwd(dirp, saved_cwd_fd);
 732 
 733   FREE_C_HEAP_ARRAY(char, dbuf);
 734 }
 735 
 736 // make the user specific temporary directory. Returns true if
 737 // the directory exists and is secure upon return. Returns false
 738 // if the directory exists but is either a symlink, is otherwise
 739 // insecure, or if an error occurred.
 740 //
 741 static bool make_user_tmp_dir(const char* dirname) {
 742 
 743   // create the directory with 0755 permissions. note that the directory
 744   // will be owned by euid::egid, which may not be the same as uid::gid.
 745   //
 746   if (mkdir(dirname, S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) == OS_ERR) {
 747     if (errno == EEXIST) {
 748       // The directory already exists and was probably created by another
 749       // JVM instance. However, this could also be the result of a
 750       // deliberate symlink. Verify that the existing directory is safe.
 751       //
 752       if (!is_directory_secure(dirname)) {
 753         // directory is not secure
 754         if (PrintMiscellaneous && Verbose) {
 755           warning("%s directory is insecure\n", dirname);
 756         }
 757         return false;
 758       }
 759     }
 760     else {
 761       // we encountered some other failure while attempting
 762       // to create the directory
 763       //
 764       if (PrintMiscellaneous && Verbose) {
 765         warning("could not create directory %s: %s\n",
 766                 dirname, os::strerror(errno));
 767       }
 768       return false;
 769     }
 770   }
 771   return true;
 772 }
 773 
 774 // create the shared memory file resources
 775 //
 776 // This method creates the shared memory file with the given size
 777 // This method also creates the user specific temporary directory, if
 778 // it does not yet exist.
 779 //
 780 static int create_sharedmem_resources(const char* dirname, const char* filename, size_t size) {
 781 
 782   // make the user temporary directory
 783   if (!make_user_tmp_dir(dirname)) {
 784     // could not make/find the directory or the found directory
 785     // was not secure
 786     return -1;
 787   }
 788 
 789   int saved_cwd_fd;
 790   // open the directory and set the current working directory to it
 791   DIR* dirp = open_directory_secure_cwd(dirname, &saved_cwd_fd);
 792   if (dirp == NULL) {
 793     // Directory doesn't exist or is insecure, so cannot create shared
 794     // memory file.
 795     return -1;
 796   }
 797 
 798   // Open the filename in the current directory.
 799   // Cannot use O_TRUNC here; truncation of an existing file has to happen
 800   // after the is_file_secure() check below.
 801   int result;
 802   RESTARTABLE(::open(filename, O_RDWR|O_CREAT|O_NOFOLLOW, S_IREAD|S_IWRITE), result);
 803   if (result == OS_ERR) {
 804     if (PrintMiscellaneous && Verbose) {
 805       if (errno == ELOOP) {
 806         warning("file %s is a symlink and is not secure\n", filename);
 807       } else {
 808         warning("could not create file %s: %s\n", filename, os::strerror(errno));
 809       }
 810     }
 811     // close the directory and reset the current working directory
 812     close_directory_secure_cwd(dirp, saved_cwd_fd);
 813 
 814     return -1;
 815   }
 816   // close the directory and reset the current working directory
 817   close_directory_secure_cwd(dirp, saved_cwd_fd);
 818 
 819   // save the file descriptor
 820   int fd = result;
 821 
 822   // check to see if the file is secure
 823   if (!is_file_secure(fd, filename)) {
 824     ::close(fd);
 825     return -1;
 826   }
 827 
 828   // truncate the file to get rid of any existing data
 829   RESTARTABLE(::ftruncate(fd, (off_t)0), result);
 830   if (result == OS_ERR) {
 831     if (PrintMiscellaneous && Verbose) {
 832       warning("could not truncate shared memory file: %s\n", os::strerror(errno));
 833     }
 834     ::close(fd);
 835     return -1;
 836   }
 837   // set the file size
 838   RESTARTABLE(::ftruncate(fd, (off_t)size), result);
 839   if (result == OS_ERR) {
 840     if (PrintMiscellaneous && Verbose) {
 841       warning("could not set shared memory file size: %s\n", os::strerror(errno));
 842     }
 843     ::close(fd);
 844     return -1;
 845   }
 846 
 847   // Verify that we have enough disk space for this file.
 848   // We'll get random SIGBUS crashes on memory accesses if
 849   // we don't.
 850 
 851   for (size_t seekpos = 0; seekpos < size; seekpos += os::vm_page_size()) {
 852     int zero_int = 0;
 853     result = (int)os::seek_to_file_offset(fd, (jlong)(seekpos));
 854     if (result == -1 ) break;
 855     RESTARTABLE(::write(fd, &zero_int, 1), result);
 856     if (result != 1) {
 857       if (errno == ENOSPC) {
 858         warning("Insufficient space for shared memory file:\n   %s\nTry using the -Djava.io.tmpdir= option to select an alternate temp location.\n", filename);
 859       }
 860       break;
 861     }
 862   }
 863 
 864   if (result != -1) {
 865     return fd;
 866   } else {
 867     ::close(fd);
 868     return -1;
 869   }
 870 }
 871 
 872 // open the shared memory file for the given user and vmid. returns
 873 // the file descriptor for the open file or -1 if the file could not
 874 // be opened.
 875 //
 876 static int open_sharedmem_file(const char* filename, int oflags, TRAPS) {
 877 
 878   // open the file
 879   int result;
 880   RESTARTABLE(::open(filename, oflags), result);
 881   if (result == OS_ERR) {
 882     if (errno == ENOENT) {
 883       THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),
 884                   "Process not found", OS_ERR);
 885     }
 886     else if (errno == EACCES) {
 887       THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),
 888                   "Permission denied", OS_ERR);
 889     }
 890     else {
 891       THROW_MSG_(vmSymbols::java_io_IOException(), os::strerror(errno), OS_ERR);
 892     }
 893   }
 894   int fd = result;
 895 
 896   // check to see if the file is secure
 897   if (!is_file_secure(fd, filename)) {
 898     ::close(fd);
 899     return -1;
 900   }
 901 
 902   return fd;
 903 }
 904 
 905 // create a named shared memory region. returns the address of the
 906 // memory region on success or NULL on failure. A return value of
 907 // NULL will ultimately disable the shared memory feature.
 908 //
 909 // On Solaris and Bsd, the name space for shared memory objects
 910 // is the file system name space.
 911 //
 912 // A monitoring application attaching to a JVM does not need to know
 913 // the file system name of the shared memory object. However, it may
 914 // be convenient for applications to discover the existence of newly
 915 // created and terminating JVMs by watching the file system name space
 916 // for files being created or removed.
 917 //
 918 static char* mmap_create_shared(size_t size) {
 919 
 920   int result;
 921   int fd;
 922   char* mapAddress;
 923 
 924   int vmid = os::current_process_id();
 925 
 926   char* user_name = get_user_name(geteuid());
 927 
 928   if (user_name == NULL)
 929     return NULL;
 930 
 931   char* dirname = get_user_tmp_dir(user_name);
 932   char* filename = get_sharedmem_filename(dirname, vmid);
 933 
 934   // get the short filename
 935   char* short_filename = strrchr(filename, '/');
 936   if (short_filename == NULL) {
 937     short_filename = filename;
 938   } else {
 939     short_filename++;
 940   }
 941 
 942   // cleanup any stale shared memory files
 943   cleanup_sharedmem_resources(dirname);
 944 
 945   assert(((size > 0) && (size % os::vm_page_size() == 0)),
 946          "unexpected PerfMemory region size");
 947 
 948   fd = create_sharedmem_resources(dirname, short_filename, size);
 949 
 950   FREE_C_HEAP_ARRAY(char, user_name);
 951   FREE_C_HEAP_ARRAY(char, dirname);
 952 
 953   if (fd == -1) {
 954     FREE_C_HEAP_ARRAY(char, filename);
 955     return NULL;
 956   }
 957 
 958   mapAddress = (char*)::mmap((char*)0, size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
 959 
 960   result = ::close(fd);
 961   assert(result != OS_ERR, "could not close file");
 962 
 963   if (mapAddress == MAP_FAILED) {
 964     if (PrintMiscellaneous && Verbose) {
 965       warning("mmap failed -  %s\n", os::strerror(errno));
 966     }
 967     remove_file(filename);
 968     FREE_C_HEAP_ARRAY(char, filename);
 969     return NULL;
 970   }
 971 
 972   // save the file name for use in delete_shared_memory()
 973   backing_store_file_name = filename;
 974 
 975   // clear the shared memory region
 976   (void)::memset((void*) mapAddress, 0, size);
 977 
 978   // it does not go through os api, the operation has to record from here
 979   MemTracker::record_virtual_memory_reserve_and_commit((address)mapAddress, size, CURRENT_PC, mtInternal);
 980 
 981   return mapAddress;
 982 }
 983 
 984 // release a named shared memory region
 985 //
 986 static void unmap_shared(char* addr, size_t bytes) {
 987   os::release_memory(addr, bytes);
 988 }
 989 
 990 // create the PerfData memory region in shared memory.
 991 //
 992 static char* create_shared_memory(size_t size) {
 993 
 994   // create the shared memory region.
 995   return mmap_create_shared(size);
 996 }
 997 
 998 // delete the shared PerfData memory region
 999 //
1000 static void delete_shared_memory(char* addr, size_t size) {
1001 
1002   // cleanup the persistent shared memory resources. since DestroyJavaVM does
1003   // not support unloading of the JVM, unmapping of the memory resource is
1004   // not performed. The memory will be reclaimed by the OS upon termination of
1005   // the process. The backing store file is deleted from the file system.
1006 
1007   assert(!PerfDisableSharedMem, "shouldn't be here");
1008 
1009   if (backing_store_file_name != NULL) {
1010     remove_file(backing_store_file_name);
1011     // Don't.. Free heap memory could deadlock os::abort() if it is called
1012     // from signal handler. OS will reclaim the heap memory.
1013     // FREE_C_HEAP_ARRAY(char, backing_store_file_name);
1014     backing_store_file_name = NULL;
1015   }
1016 }
1017 
1018 // return the size of the file for the given file descriptor
1019 // or 0 if it is not a valid size for a shared memory file
1020 //
1021 static size_t sharedmem_filesize(int fd, TRAPS) {
1022 
1023   struct stat statbuf;
1024   int result;
1025 
1026   RESTARTABLE(::fstat(fd, &statbuf), result);
1027   if (result == OS_ERR) {
1028     if (PrintMiscellaneous && Verbose) {
1029       warning("fstat failed: %s\n", os::strerror(errno));
1030     }
1031     THROW_MSG_0(vmSymbols::java_io_IOException(),
1032                 "Could not determine PerfMemory size");
1033   }
1034 
1035   if ((statbuf.st_size == 0) ||
1036      ((size_t)statbuf.st_size % os::vm_page_size() != 0)) {
1037     THROW_MSG_0(vmSymbols::java_lang_Exception(),
1038                 "Invalid PerfMemory size");
1039   }
1040 
1041   return (size_t)statbuf.st_size;
1042 }
1043 
1044 // attach to a named shared memory region.
1045 //
1046 static void mmap_attach_shared(const char* user, int vmid, PerfMemory::PerfMemoryMode mode, char** addr, size_t* sizep, TRAPS) {
1047 
1048   char* mapAddress;
1049   int result;
1050   int fd;
1051   size_t size = 0;
1052   const char* luser = NULL;
1053 
1054   int mmap_prot;
1055   int file_flags;
1056 
1057   ResourceMark rm;
1058 
1059   // map the high level access mode to the appropriate permission
1060   // constructs for the file and the shared memory mapping.
1061   if (mode == PerfMemory::PERF_MODE_RO) {
1062     mmap_prot = PROT_READ;
1063     file_flags = O_RDONLY | O_NOFOLLOW;
1064   }
1065   else if (mode == PerfMemory::PERF_MODE_RW) {
1066 #ifdef LATER
1067     mmap_prot = PROT_READ | PROT_WRITE;
1068     file_flags = O_RDWR | O_NOFOLLOW;
1069 #else
1070     THROW_MSG(vmSymbols::java_lang_IllegalArgumentException(),
1071               "Unsupported access mode");
1072 #endif
1073   }
1074   else {
1075     THROW_MSG(vmSymbols::java_lang_IllegalArgumentException(),
1076               "Illegal access mode");
1077   }
1078 
1079   if (user == NULL || strlen(user) == 0) {
1080     luser = get_user_name(vmid, CHECK);
1081   }
1082   else {
1083     luser = user;
1084   }
1085 
1086   if (luser == NULL) {
1087     THROW_MSG(vmSymbols::java_lang_IllegalArgumentException(),
1088               "Could not map vmid to user Name");
1089   }
1090 
1091   char* dirname = get_user_tmp_dir(luser);
1092 
1093   // since we don't follow symbolic links when creating the backing
1094   // store file, we don't follow them when attaching either.
1095   //
1096   if (!is_directory_secure(dirname)) {
1097     FREE_C_HEAP_ARRAY(char, dirname);
1098     if (luser != user) {
1099       FREE_C_HEAP_ARRAY(char, luser);
1100     }
1101     THROW_MSG(vmSymbols::java_lang_IllegalArgumentException(),
1102               "Process not found");
1103   }
1104 
1105   char* filename = get_sharedmem_filename(dirname, vmid);
1106 
1107   // copy heap memory to resource memory. the open_sharedmem_file
1108   // method below need to use the filename, but could throw an
1109   // exception. using a resource array prevents the leak that
1110   // would otherwise occur.
1111   char* rfilename = NEW_RESOURCE_ARRAY(char, strlen(filename) + 1);
1112   strcpy(rfilename, filename);
1113 
1114   // free the c heap resources that are no longer needed
1115   if (luser != user) FREE_C_HEAP_ARRAY(char, luser);
1116   FREE_C_HEAP_ARRAY(char, dirname);
1117   FREE_C_HEAP_ARRAY(char, filename);
1118 
1119   // open the shared memory file for the give vmid
1120   fd = open_sharedmem_file(rfilename, file_flags, CHECK);
1121   assert(fd != OS_ERR, "unexpected value");
1122 
1123   if (*sizep == 0) {
1124     size = sharedmem_filesize(fd, CHECK);
1125   } else {
1126     size = *sizep;
1127   }
1128 
1129   assert(size > 0, "unexpected size <= 0");
1130 
1131   mapAddress = (char*)::mmap((char*)0, size, mmap_prot, MAP_SHARED, fd, 0);
1132 
1133   // attempt to close the file - restart if it gets interrupted,
1134   // but ignore other failures
1135   result = ::close(fd);
1136   assert(result != OS_ERR, "could not close file");
1137 
1138   if (mapAddress == MAP_FAILED) {
1139     if (PrintMiscellaneous && Verbose) {
1140       warning("mmap failed: %s\n", os::strerror(errno));
1141     }
1142     THROW_MSG(vmSymbols::java_lang_OutOfMemoryError(),
1143               "Could not map PerfMemory");
1144   }
1145 
1146   // it does not go through os api, the operation has to record from here
1147   MemTracker::record_virtual_memory_reserve_and_commit((address)mapAddress, size, CURRENT_PC, mtInternal);
1148 
1149   *addr = mapAddress;
1150   *sizep = size;
1151 
1152   if (PerfTraceMemOps) {
1153     tty->print("mapped " SIZE_FORMAT " bytes for vmid %d at "
1154                INTPTR_FORMAT "\n", size, vmid, p2i((void*)mapAddress));
1155   }
1156 }
1157 
1158 
1159 
1160 
1161 // create the PerfData memory region
1162 //
1163 // This method creates the memory region used to store performance
1164 // data for the JVM. The memory may be created in standard or
1165 // shared memory.
1166 //
1167 void PerfMemory::create_memory_region(size_t size) {
1168 
1169   if (PerfDisableSharedMem) {
1170     // do not share the memory for the performance data.
1171     _start = create_standard_memory(size);
1172   }
1173   else {
1174     _start = create_shared_memory(size);
1175     if (_start == NULL) {
1176 
1177       // creation of the shared memory region failed, attempt
1178       // to create a contiguous, non-shared memory region instead.
1179       //
1180       if (PrintMiscellaneous && Verbose) {
1181         warning("Reverting to non-shared PerfMemory region.\n");
1182       }
1183       PerfDisableSharedMem = true;
1184       _start = create_standard_memory(size);
1185     }
1186   }
1187 
1188   if (_start != NULL) _capacity = size;
1189 
1190 }
1191 
1192 // delete the PerfData memory region
1193 //
1194 // This method deletes the memory region used to store performance
1195 // data for the JVM. The memory region indicated by the <address, size>
1196 // tuple will be inaccessible after a call to this method.
1197 //
1198 void PerfMemory::delete_memory_region() {
1199 
1200   assert((start() != NULL && capacity() > 0), "verify proper state");
1201 
1202   // If user specifies PerfDataSaveFile, it will save the performance data
1203   // to the specified file name no matter whether PerfDataSaveToFile is specified
1204   // or not. In other word, -XX:PerfDataSaveFile=.. overrides flag
1205   // -XX:+PerfDataSaveToFile.
1206   if (PerfDataSaveToFile || PerfDataSaveFile != NULL) {
1207     save_memory_to_file(start(), capacity());
1208   }
1209 
1210   if (PerfDisableSharedMem) {
1211     delete_standard_memory(start(), capacity());
1212   }
1213   else {
1214     delete_shared_memory(start(), capacity());
1215   }
1216 }
1217 
1218 // attach to the PerfData memory region for another JVM
1219 //
1220 // This method returns an <address, size> tuple that points to
1221 // a memory buffer that is kept reasonably synchronized with
1222 // the PerfData memory region for the indicated JVM. This
1223 // buffer may be kept in synchronization via shared memory
1224 // or some other mechanism that keeps the buffer updated.
1225 //
1226 // If the JVM chooses not to support the attachability feature,
1227 // this method should throw an UnsupportedOperation exception.
1228 //
1229 // This implementation utilizes named shared memory to map
1230 // the indicated process's PerfData memory region into this JVMs
1231 // address space.
1232 //
1233 void PerfMemory::attach(const char* user, int vmid, PerfMemoryMode mode, char** addrp, size_t* sizep, TRAPS) {
1234 
1235   if (vmid == 0 || vmid == os::current_process_id()) {
1236      *addrp = start();
1237      *sizep = capacity();
1238      return;
1239   }
1240 
1241   mmap_attach_shared(user, vmid, mode, addrp, sizep, CHECK);
1242 }
1243 
1244 // detach from the PerfData memory region of another JVM
1245 //
1246 // This method detaches the PerfData memory region of another
1247 // JVM, specified as an <address, size> tuple of a buffer
1248 // in this process's address space. This method may perform
1249 // arbitrary actions to accomplish the detachment. The memory
1250 // region specified by <address, size> will be inaccessible after
1251 // a call to this method.
1252 //
1253 // If the JVM chooses not to support the attachability feature,
1254 // this method should throw an UnsupportedOperation exception.
1255 //
1256 // This implementation utilizes named shared memory to detach
1257 // the indicated process's PerfData memory region from this
1258 // process's address space.
1259 //
1260 void PerfMemory::detach(char* addr, size_t bytes, TRAPS) {
1261 
1262   assert(addr != 0, "address sanity check");
1263   assert(bytes > 0, "capacity sanity check");
1264 
1265   if (PerfMemory::contains(addr) || PerfMemory::contains(addr + bytes - 1)) {
1266     // prevent accidental detachment of this process's PerfMemory region
1267     return;
1268   }
1269 
1270   unmap_shared(addr, bytes);
1271 }