1 /*
   2  * Copyright (c) 2001, 2019, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  *
  23  */
  24 
  25 #include "precompiled.hpp"
  26 #include "classfile/vmSymbols.hpp"
  27 #include "logging/log.hpp"
  28 #include "memory/allocation.inline.hpp"
  29 #include "memory/resourceArea.hpp"
  30 #include "oops/oop.inline.hpp"
  31 #include "os_bsd.inline.hpp"
  32 #include "runtime/handles.inline.hpp"
  33 #include "runtime/os.hpp"
  34 #include "runtime/perfMemory.hpp"
  35 #include "services/memTracker.hpp"
  36 #include "utilities/exceptions.hpp"
  37 
  38 // put OS-includes here
  39 # include <sys/types.h>
  40 # include <sys/mman.h>
  41 # include <errno.h>
  42 # include <stdio.h>
  43 # include <unistd.h>
  44 # include <sys/stat.h>
  45 # include <signal.h>
  46 # include <pwd.h>
  47 
  48 static char* backing_store_file_name = NULL;  // name of the backing store
  49                                               // file, if successfully created.
  50 
  51 // Standard Memory Implementation Details
  52 
  53 // create the PerfData memory region in standard memory.
  54 //
  55 static char* create_standard_memory(size_t size) {
  56 
  57   // allocate an aligned chuck of memory
  58   char* mapAddress = os::reserve_memory(size);
  59 
  60   if (mapAddress == NULL) {
  61     return NULL;
  62   }
  63 
  64   // commit memory
  65   if (!os::commit_memory(mapAddress, size, !ExecMem)) {
  66     if (PrintMiscellaneous && Verbose) {
  67       warning("Could not commit PerfData memory\n");
  68     }
  69     os::release_memory(mapAddress, size);
  70     return NULL;
  71   }
  72 
  73   return mapAddress;
  74 }
  75 
  76 // delete the PerfData memory region
  77 //
  78 static void delete_standard_memory(char* addr, size_t size) {
  79 
  80   // there are no persistent external resources to cleanup for standard
  81   // memory. since DestroyJavaVM does not support unloading of the JVM,
  82   // cleanup of the memory resource is not performed. The memory will be
  83   // reclaimed by the OS upon termination of the process.
  84   //
  85   return;
  86 }
  87 
  88 // save the specified memory region to the given file
  89 //
  90 // Note: this function might be called from signal handler (by os::abort()),
  91 // don't allocate heap memory.
  92 //
  93 static void save_memory_to_file(char* addr, size_t size) {
  94 
  95  const char* destfile = PerfMemory::get_perfdata_file_path();
  96  assert(destfile[0] != '\0', "invalid PerfData file path");
  97 
  98   int result;
  99 
 100   RESTARTABLE(::open(destfile, O_CREAT|O_WRONLY|O_TRUNC, S_IREAD|S_IWRITE),
 101               result);;
 102   if (result == OS_ERR) {
 103     if (PrintMiscellaneous && Verbose) {
 104       warning("Could not create Perfdata save file: %s: %s\n",
 105               destfile, os::strerror(errno));
 106     }
 107   } else {
 108     int fd = result;
 109 
 110     for (size_t remaining = size; remaining > 0;) {
 111 
 112       RESTARTABLE(::write(fd, addr, remaining), result);
 113       if (result == OS_ERR) {
 114         if (PrintMiscellaneous && Verbose) {
 115           warning("Could not write Perfdata save file: %s: %s\n",
 116                   destfile, os::strerror(errno));
 117         }
 118         break;
 119       }
 120 
 121       remaining -= (size_t)result;
 122       addr += result;
 123     }
 124 
 125     result = ::close(fd);
 126     if (PrintMiscellaneous && Verbose) {
 127       if (result == OS_ERR) {
 128         warning("Could not close %s: %s\n", destfile, os::strerror(errno));
 129       }
 130     }
 131   }
 132   FREE_C_HEAP_ARRAY(char, destfile);
 133 }
 134 
 135 
 136 // Shared Memory Implementation Details
 137 
 138 // Note: the solaris and bsd shared memory implementation uses the mmap
 139 // interface with a backing store file to implement named shared memory.
 140 // Using the file system as the name space for shared memory allows a
 141 // common name space to be supported across a variety of platforms. It
 142 // also provides a name space that Java applications can deal with through
 143 // simple file apis.
 144 //
 145 // The solaris and bsd implementations store the backing store file in
 146 // a user specific temporary directory located in the /tmp file system,
 147 // which is always a local file system and is sometimes a RAM based file
 148 // system.
 149 
 150 // return the user specific temporary directory name.
 151 //
 152 // the caller is expected to free the allocated memory.
 153 //
 154 static char* get_user_tmp_dir(const char* user) {
 155 
 156   const char* tmpdir = os::get_temp_directory();
 157   const char* perfdir = PERFDATA_NAME;
 158   size_t nbytes = strlen(tmpdir) + strlen(perfdir) + strlen(user) + 3;
 159   char* dirname = NEW_C_HEAP_ARRAY(char, nbytes, mtInternal);
 160 
 161   // construct the path name to user specific tmp directory
 162   snprintf(dirname, nbytes, "%s/%s_%s", tmpdir, perfdir, user);
 163 
 164   return dirname;
 165 }
 166 
 167 // convert the given file name into a process id. if the file
 168 // does not meet the file naming constraints, return 0.
 169 //
 170 static pid_t filename_to_pid(const char* filename) {
 171 
 172   // a filename that doesn't begin with a digit is not a
 173   // candidate for conversion.
 174   //
 175   if (!isdigit(*filename)) {
 176     return 0;
 177   }
 178 
 179   // check if file name can be converted to an integer without
 180   // any leftover characters.
 181   //
 182   char* remainder = NULL;
 183   errno = 0;
 184   pid_t pid = (pid_t)strtol(filename, &remainder, 10);
 185 
 186   if (errno != 0) {
 187     return 0;
 188   }
 189 
 190   // check for left over characters. If any, then the filename is
 191   // not a candidate for conversion.
 192   //
 193   if (remainder != NULL && *remainder != '\0') {
 194     return 0;
 195   }
 196 
 197   // successful conversion, return the pid
 198   return pid;
 199 }
 200 
 201 
 202 // Check if the given statbuf is considered a secure directory for
 203 // the backing store files. Returns true if the directory is considered
 204 // a secure location. Returns false if the statbuf is a symbolic link or
 205 // if an error occurred.
 206 //
 207 static bool is_statbuf_secure(struct stat *statp) {
 208   if (S_ISLNK(statp->st_mode) || !S_ISDIR(statp->st_mode)) {
 209     // The path represents a link or some non-directory file type,
 210     // which is not what we expected. Declare it insecure.
 211     //
 212     return false;
 213   }
 214   // We have an existing directory, check if the permissions are safe.
 215   //
 216   if ((statp->st_mode & (S_IWGRP|S_IWOTH)) != 0) {
 217     // The directory is open for writing and could be subjected
 218     // to a symlink or a hard link attack. Declare it insecure.
 219     //
 220     return false;
 221   }
 222   // If user is not root then see if the uid of the directory matches the effective uid of the process.
 223   uid_t euid = geteuid();
 224   if ((euid != 0) && (statp->st_uid != euid)) {
 225     // The directory was not created by this user, declare it insecure.
 226     //
 227     return false;
 228   }
 229   return true;
 230 }
 231 
 232 
 233 // Check if the given path is considered a secure directory for
 234 // the backing store files. Returns true if the directory exists
 235 // and is considered a secure location. Returns false if the path
 236 // is a symbolic link or if an error occurred.
 237 //
 238 static bool is_directory_secure(const char* path) {
 239   struct stat statbuf;
 240   int result = 0;
 241 
 242   RESTARTABLE(::lstat(path, &statbuf), result);
 243   if (result == OS_ERR) {
 244     return false;
 245   }
 246 
 247   // The path exists, see if it is secure.
 248   return is_statbuf_secure(&statbuf);
 249 }
 250 
 251 
 252 // Check if the given directory file descriptor is considered a secure
 253 // directory for the backing store files. Returns true if the directory
 254 // exists and is considered a secure location. Returns false if the path
 255 // is a symbolic link or if an error occurred.
 256 //
 257 static bool is_dirfd_secure(int dir_fd) {
 258   struct stat statbuf;
 259   int result = 0;
 260 
 261   RESTARTABLE(::fstat(dir_fd, &statbuf), result);
 262   if (result == OS_ERR) {
 263     return false;
 264   }
 265 
 266   // The path exists, now check its mode.
 267   return is_statbuf_secure(&statbuf);
 268 }
 269 
 270 
 271 // Check to make sure fd1 and fd2 are referencing the same file system object.
 272 //
 273 static bool is_same_fsobject(int fd1, int fd2) {
 274   struct stat statbuf1;
 275   struct stat statbuf2;
 276   int result = 0;
 277 
 278   RESTARTABLE(::fstat(fd1, &statbuf1), result);
 279   if (result == OS_ERR) {
 280     return false;
 281   }
 282   RESTARTABLE(::fstat(fd2, &statbuf2), result);
 283   if (result == OS_ERR) {
 284     return false;
 285   }
 286 
 287   if ((statbuf1.st_ino == statbuf2.st_ino) &&
 288       (statbuf1.st_dev == statbuf2.st_dev)) {
 289     return true;
 290   } else {
 291     return false;
 292   }
 293 }
 294 
 295 
 296 // Open the directory of the given path and validate it.
 297 // Return a DIR * of the open directory.
 298 //
 299 static DIR *open_directory_secure(const char* dirname) {
 300   // Open the directory using open() so that it can be verified
 301   // to be secure by calling is_dirfd_secure(), opendir() and then check
 302   // to see if they are the same file system object.  This method does not
 303   // introduce a window of opportunity for the directory to be attacked that
 304   // calling opendir() and is_directory_secure() does.
 305   int result;
 306   DIR *dirp = NULL;
 307   RESTARTABLE(::open(dirname, O_RDONLY|O_NOFOLLOW), result);
 308   if (result == OS_ERR) {
 309     // Directory doesn't exist or is a symlink, so there is nothing to cleanup.
 310     if (PrintMiscellaneous && Verbose) {
 311       if (errno == ELOOP) {
 312         warning("directory %s is a symlink and is not secure\n", dirname);
 313       } else {
 314         warning("could not open directory %s: %s\n", dirname, os::strerror(errno));
 315       }
 316     }
 317     return dirp;
 318   }
 319   int fd = result;
 320 
 321   // Determine if the open directory is secure.
 322   if (!is_dirfd_secure(fd)) {
 323     // The directory is not a secure directory.
 324     os::close(fd);
 325     return dirp;
 326   }
 327 
 328   // Open the directory.
 329   dirp = ::opendir(dirname);
 330   if (dirp == NULL) {
 331     // The directory doesn't exist, close fd and return.
 332     os::close(fd);
 333     return dirp;
 334   }
 335 
 336   // Check to make sure fd and dirp are referencing the same file system object.
 337   if (!is_same_fsobject(fd, dirfd(dirp))) {
 338     // The directory is not secure.
 339     os::close(fd);
 340     os::closedir(dirp);
 341     dirp = NULL;
 342     return dirp;
 343   }
 344 
 345   // Close initial open now that we know directory is secure
 346   os::close(fd);
 347 
 348   return dirp;
 349 }
 350 
 351 // NOTE: The code below uses fchdir(), open() and unlink() because
 352 // fdopendir(), openat() and unlinkat() are not supported on all
 353 // versions.  Once the support for fdopendir(), openat() and unlinkat()
 354 // is available on all supported versions the code can be changed
 355 // to use these functions.
 356 
 357 // Open the directory of the given path, validate it and set the
 358 // current working directory to it.
 359 // Return a DIR * of the open directory and the saved cwd fd.
 360 //
 361 static DIR *open_directory_secure_cwd(const char* dirname, int *saved_cwd_fd) {
 362 
 363   // Open the directory.
 364   DIR* dirp = open_directory_secure(dirname);
 365   if (dirp == NULL) {
 366     // Directory doesn't exist or is insecure, so there is nothing to cleanup.
 367     return dirp;
 368   }
 369   int fd = dirfd(dirp);
 370 
 371   // Open a fd to the cwd and save it off.
 372   int result;
 373   RESTARTABLE(::open(".", O_RDONLY), result);
 374   if (result == OS_ERR) {
 375     *saved_cwd_fd = -1;
 376   } else {
 377     *saved_cwd_fd = result;
 378   }
 379 
 380   // Set the current directory to dirname by using the fd of the directory and
 381   // handle errors, otherwise shared memory files will be created in cwd.
 382   result = fchdir(fd);
 383   if (result == OS_ERR) {
 384     if (PrintMiscellaneous && Verbose) {
 385       warning("could not change to directory %s", dirname);
 386     }
 387     if (*saved_cwd_fd != -1) {
 388       ::close(*saved_cwd_fd);
 389       *saved_cwd_fd = -1;
 390     }
 391     // Close the directory.
 392     os::closedir(dirp);
 393     return NULL;
 394   } else {
 395     return dirp;
 396   }
 397 }
 398 
 399 // Close the directory and restore the current working directory.
 400 //
 401 static void close_directory_secure_cwd(DIR* dirp, int saved_cwd_fd) {
 402 
 403   int result;
 404   // If we have a saved cwd change back to it and close the fd.
 405   if (saved_cwd_fd != -1) {
 406     result = fchdir(saved_cwd_fd);
 407     ::close(saved_cwd_fd);
 408   }
 409 
 410   // Close the directory.
 411   os::closedir(dirp);
 412 }
 413 
 414 // Check if the given file descriptor is considered a secure.
 415 //
 416 static bool is_file_secure(int fd, const char *filename) {
 417 
 418   int result;
 419   struct stat statbuf;
 420 
 421   // Determine if the file is secure.
 422   RESTARTABLE(::fstat(fd, &statbuf), result);
 423   if (result == OS_ERR) {
 424     if (PrintMiscellaneous && Verbose) {
 425       warning("fstat failed on %s: %s\n", filename, os::strerror(errno));
 426     }
 427     return false;
 428   }
 429   if (statbuf.st_nlink > 1) {
 430     // A file with multiple links is not expected.
 431     if (PrintMiscellaneous && Verbose) {
 432       warning("file %s has multiple links\n", filename);
 433     }
 434     return false;
 435   }
 436   return true;
 437 }
 438 
 439 // return the user name for the given user id
 440 //
 441 // the caller is expected to free the allocated memory.
 442 //
 443 static char* get_user_name(uid_t uid) {
 444 
 445   struct passwd pwent;
 446 
 447   // determine the max pwbuf size from sysconf, and hardcode
 448   // a default if this not available through sysconf.
 449   //
 450   long bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
 451   if (bufsize == -1)
 452     bufsize = 1024;
 453 
 454   char* pwbuf = NEW_C_HEAP_ARRAY(char, bufsize, mtInternal);
 455 
 456   // POSIX interface to getpwuid_r is used on LINUX
 457   struct passwd* p;
 458   int result = getpwuid_r(uid, &pwent, pwbuf, (size_t)bufsize, &p);
 459 
 460   if (result != 0 || p == NULL || p->pw_name == NULL || *(p->pw_name) == '\0') {
 461     if (PrintMiscellaneous && Verbose) {
 462       if (result != 0) {
 463         warning("Could not retrieve passwd entry: %s\n",
 464                 os::strerror(result));
 465       }
 466       else if (p == NULL) {
 467         // this check is added to protect against an observed problem
 468         // with getpwuid_r() on RedHat 9 where getpwuid_r returns 0,
 469         // indicating success, but has p == NULL. This was observed when
 470         // inserting a file descriptor exhaustion fault prior to the call
 471         // getpwuid_r() call. In this case, error is set to the appropriate
 472         // error condition, but this is undocumented behavior. This check
 473         // is safe under any condition, but the use of errno in the output
 474         // message may result in an erroneous message.
 475         // Bug Id 89052 was opened with RedHat.
 476         //
 477         warning("Could not retrieve passwd entry: %s\n",
 478                 os::strerror(errno));
 479       }
 480       else {
 481         warning("Could not determine user name: %s\n",
 482                 p->pw_name == NULL ? "pw_name = NULL" :
 483                                      "pw_name zero length");
 484       }
 485     }
 486     FREE_C_HEAP_ARRAY(char, pwbuf);
 487     return NULL;
 488   }
 489 
 490   char* user_name = NEW_C_HEAP_ARRAY(char, strlen(p->pw_name) + 1, mtInternal);
 491   strcpy(user_name, p->pw_name);
 492 
 493   FREE_C_HEAP_ARRAY(char, pwbuf);
 494   return user_name;
 495 }
 496 
 497 // return the name of the user that owns the process identified by vmid.
 498 //
 499 // This method uses a slow directory search algorithm to find the backing
 500 // store file for the specified vmid and returns the user name, as determined
 501 // by the user name suffix of the hsperfdata_<username> directory name.
 502 //
 503 // the caller is expected to free the allocated memory.
 504 //
 505 static char* get_user_name_slow(int vmid, TRAPS) {
 506 
 507   // short circuit the directory search if the process doesn't even exist.
 508   if (kill(vmid, 0) == OS_ERR) {
 509     if (errno == ESRCH) {
 510       THROW_MSG_0(vmSymbols::java_lang_IllegalArgumentException(),
 511                   "Process not found");
 512     }
 513     else /* EPERM */ {
 514       THROW_MSG_0(vmSymbols::java_io_IOException(), os::strerror(errno));
 515     }
 516   }
 517 
 518   // directory search
 519   char* oldest_user = NULL;
 520   time_t oldest_ctime = 0;
 521 
 522   const char* tmpdirname = os::get_temp_directory();
 523 
 524   // open the temp directory
 525   DIR* tmpdirp = os::opendir(tmpdirname);
 526 
 527   if (tmpdirp == NULL) {
 528     // Cannot open the directory to get the user name, return.
 529     return NULL;
 530   }
 531 
 532   // for each entry in the directory that matches the pattern hsperfdata_*,
 533   // open the directory and check if the file for the given vmid exists.
 534   // The file with the expected name and the latest creation date is used
 535   // to determine the user name for the process id.
 536   //
 537   struct dirent* dentry;
 538   errno = 0;
 539   while ((dentry = os::readdir(tmpdirp)) != NULL) {
 540 
 541     // check if the directory entry is a hsperfdata file
 542     if (strncmp(dentry->d_name, PERFDATA_NAME, strlen(PERFDATA_NAME)) != 0) {
 543       continue;
 544     }
 545 
 546     char* usrdir_name = NEW_C_HEAP_ARRAY(char,
 547                  strlen(tmpdirname) + strlen(dentry->d_name) + 2, mtInternal);
 548     strcpy(usrdir_name, tmpdirname);
 549     strcat(usrdir_name, "/");
 550     strcat(usrdir_name, dentry->d_name);
 551 
 552     // open the user directory
 553     DIR* subdirp = open_directory_secure(usrdir_name);
 554 
 555     if (subdirp == NULL) {
 556       FREE_C_HEAP_ARRAY(char, usrdir_name);
 557       continue;
 558     }
 559 
 560     struct dirent* udentry;
 561     errno = 0;
 562     while ((udentry = os::readdir(subdirp)) != NULL) {
 563 
 564       if (filename_to_pid(udentry->d_name) == vmid) {
 565         struct stat statbuf;
 566         int result;
 567 
 568         char* filename = NEW_C_HEAP_ARRAY(char,
 569                  strlen(usrdir_name) + strlen(udentry->d_name) + 2, mtInternal);
 570 
 571         strcpy(filename, usrdir_name);
 572         strcat(filename, "/");
 573         strcat(filename, udentry->d_name);
 574 
 575         // don't follow symbolic links for the file
 576         RESTARTABLE(::lstat(filename, &statbuf), result);
 577         if (result == OS_ERR) {
 578            FREE_C_HEAP_ARRAY(char, filename);
 579            continue;
 580         }
 581 
 582         // skip over files that are not regular files.
 583         if (!S_ISREG(statbuf.st_mode)) {
 584           FREE_C_HEAP_ARRAY(char, filename);
 585           continue;
 586         }
 587 
 588         // compare and save filename with latest creation time
 589         if (statbuf.st_size > 0 && statbuf.st_ctime > oldest_ctime) {
 590 
 591           if (statbuf.st_ctime > oldest_ctime) {
 592             char* user = strchr(dentry->d_name, '_') + 1;
 593 
 594             FREE_C_HEAP_ARRAY(char, oldest_user);
 595             oldest_user = NEW_C_HEAP_ARRAY(char, strlen(user)+1, mtInternal);
 596 
 597             strcpy(oldest_user, user);
 598             oldest_ctime = statbuf.st_ctime;
 599           }
 600         }
 601 
 602         FREE_C_HEAP_ARRAY(char, filename);
 603       }
 604     }
 605     os::closedir(subdirp);
 606     FREE_C_HEAP_ARRAY(char, usrdir_name);
 607   }
 608   os::closedir(tmpdirp);
 609 
 610   return(oldest_user);
 611 }
 612 
 613 // return the name of the user that owns the JVM indicated by the given vmid.
 614 //
 615 static char* get_user_name(int vmid, TRAPS) {
 616   return get_user_name_slow(vmid, THREAD);
 617 }
 618 
 619 // return the file name of the backing store file for the named
 620 // shared memory region for the given user name and vmid.
 621 //
 622 // the caller is expected to free the allocated memory.
 623 //
 624 static char* get_sharedmem_filename(const char* dirname, int vmid) {
 625 
 626   // add 2 for the file separator and a null terminator.
 627   size_t nbytes = strlen(dirname) + UINT_CHARS + 2;
 628 
 629   char* name = NEW_C_HEAP_ARRAY(char, nbytes, mtInternal);
 630   snprintf(name, nbytes, "%s/%d", dirname, vmid);
 631 
 632   return name;
 633 }
 634 
 635 
 636 // remove file
 637 //
 638 // this method removes the file specified by the given path
 639 //
 640 static void remove_file(const char* path) {
 641 
 642   int result;
 643 
 644   // if the file is a directory, the following unlink will fail. since
 645   // we don't expect to find directories in the user temp directory, we
 646   // won't try to handle this situation. even if accidentially or
 647   // maliciously planted, the directory's presence won't hurt anything.
 648   //
 649   RESTARTABLE(::unlink(path), result);
 650   if (PrintMiscellaneous && Verbose && result == OS_ERR) {
 651     if (errno != ENOENT) {
 652       warning("Could not unlink shared memory backing"
 653               " store file %s : %s\n", path, os::strerror(errno));
 654     }
 655   }
 656 }
 657 
 658 
 659 // cleanup stale shared memory resources
 660 //
 661 // This method attempts to remove all stale shared memory files in
 662 // the named user temporary directory. It scans the named directory
 663 // for files matching the pattern ^$[0-9]*$. For each file found, the
 664 // process id is extracted from the file name and a test is run to
 665 // determine if the process is alive. If the process is not alive,
 666 // any stale file resources are removed.
 667 //
 668 static void cleanup_sharedmem_resources(const char* dirname) {
 669 
 670   int saved_cwd_fd;
 671   // open the directory and set the current working directory to it
 672   DIR* dirp = open_directory_secure_cwd(dirname, &saved_cwd_fd);
 673   if (dirp == NULL) {
 674     // directory doesn't exist or is insecure, so there is nothing to cleanup
 675     return;
 676   }
 677 
 678   // for each entry in the directory that matches the expected file
 679   // name pattern, determine if the file resources are stale and if
 680   // so, remove the file resources. Note, instrumented HotSpot processes
 681   // for this user may start and/or terminate during this search and
 682   // remove or create new files in this directory. The behavior of this
 683   // loop under these conditions is dependent upon the implementation of
 684   // opendir/readdir.
 685   //
 686   struct dirent* entry;
 687   errno = 0;
 688   while ((entry = os::readdir(dirp)) != NULL) {
 689 
 690     pid_t pid = filename_to_pid(entry->d_name);
 691 
 692     if (pid == 0) {
 693 
 694       if (strcmp(entry->d_name, ".") != 0 && strcmp(entry->d_name, "..") != 0) {
 695 
 696         // attempt to remove all unexpected files, except "." and ".."
 697         unlink(entry->d_name);
 698       }
 699 
 700       errno = 0;
 701       continue;
 702     }
 703 
 704     // we now have a file name that converts to a valid integer
 705     // that could represent a process id . if this process id
 706     // matches the current process id or the process is not running,
 707     // then remove the stale file resources.
 708     //
 709     // process liveness is detected by sending signal number 0 to
 710     // the process id (see kill(2)). if kill determines that the
 711     // process does not exist, then the file resources are removed.
 712     // if kill determines that that we don't have permission to
 713     // signal the process, then the file resources are assumed to
 714     // be stale and are removed because the resources for such a
 715     // process should be in a different user specific directory.
 716     //
 717     if ((pid == os::current_process_id()) ||
 718         (kill(pid, 0) == OS_ERR && (errno == ESRCH || errno == EPERM))) {
 719 
 720         unlink(entry->d_name);
 721     }
 722     errno = 0;
 723   }
 724 
 725   // close the directory and reset the current working directory
 726   close_directory_secure_cwd(dirp, saved_cwd_fd);
 727 }
 728 
 729 // make the user specific temporary directory. Returns true if
 730 // the directory exists and is secure upon return. Returns false
 731 // if the directory exists but is either a symlink, is otherwise
 732 // insecure, or if an error occurred.
 733 //
 734 static bool make_user_tmp_dir(const char* dirname) {
 735 
 736   // create the directory with 0755 permissions. note that the directory
 737   // will be owned by euid::egid, which may not be the same as uid::gid.
 738   //
 739   if (mkdir(dirname, S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) == OS_ERR) {
 740     if (errno == EEXIST) {
 741       // The directory already exists and was probably created by another
 742       // JVM instance. However, this could also be the result of a
 743       // deliberate symlink. Verify that the existing directory is safe.
 744       //
 745       if (!is_directory_secure(dirname)) {
 746         // directory is not secure
 747         if (PrintMiscellaneous && Verbose) {
 748           warning("%s directory is insecure\n", dirname);
 749         }
 750         return false;
 751       }
 752     }
 753     else {
 754       // we encountered some other failure while attempting
 755       // to create the directory
 756       //
 757       if (PrintMiscellaneous && Verbose) {
 758         warning("could not create directory %s: %s\n",
 759                 dirname, os::strerror(errno));
 760       }
 761       return false;
 762     }
 763   }
 764   return true;
 765 }
 766 
 767 // create the shared memory file resources
 768 //
 769 // This method creates the shared memory file with the given size
 770 // This method also creates the user specific temporary directory, if
 771 // it does not yet exist.
 772 //
 773 static int create_sharedmem_resources(const char* dirname, const char* filename, size_t size) {
 774 
 775   // make the user temporary directory
 776   if (!make_user_tmp_dir(dirname)) {
 777     // could not make/find the directory or the found directory
 778     // was not secure
 779     return -1;
 780   }
 781 
 782   int saved_cwd_fd;
 783   // open the directory and set the current working directory to it
 784   DIR* dirp = open_directory_secure_cwd(dirname, &saved_cwd_fd);
 785   if (dirp == NULL) {
 786     // Directory doesn't exist or is insecure, so cannot create shared
 787     // memory file.
 788     return -1;
 789   }
 790 
 791   // Open the filename in the current directory.
 792   // Cannot use O_TRUNC here; truncation of an existing file has to happen
 793   // after the is_file_secure() check below.
 794   int result;
 795   RESTARTABLE(::open(filename, O_RDWR|O_CREAT|O_NOFOLLOW, S_IREAD|S_IWRITE), result);
 796   if (result == OS_ERR) {
 797     if (PrintMiscellaneous && Verbose) {
 798       if (errno == ELOOP) {
 799         warning("file %s is a symlink and is not secure\n", filename);
 800       } else {
 801         warning("could not create file %s: %s\n", filename, os::strerror(errno));
 802       }
 803     }
 804     // close the directory and reset the current working directory
 805     close_directory_secure_cwd(dirp, saved_cwd_fd);
 806 
 807     return -1;
 808   }
 809   // close the directory and reset the current working directory
 810   close_directory_secure_cwd(dirp, saved_cwd_fd);
 811 
 812   // save the file descriptor
 813   int fd = result;
 814 
 815   // check to see if the file is secure
 816   if (!is_file_secure(fd, filename)) {
 817     ::close(fd);
 818     return -1;
 819   }
 820 
 821   // truncate the file to get rid of any existing data
 822   RESTARTABLE(::ftruncate(fd, (off_t)0), result);
 823   if (result == OS_ERR) {
 824     if (PrintMiscellaneous && Verbose) {
 825       warning("could not truncate shared memory file: %s\n", os::strerror(errno));
 826     }
 827     ::close(fd);
 828     return -1;
 829   }
 830   // set the file size
 831   RESTARTABLE(::ftruncate(fd, (off_t)size), result);
 832   if (result == OS_ERR) {
 833     if (PrintMiscellaneous && Verbose) {
 834       warning("could not set shared memory file size: %s\n", os::strerror(errno));
 835     }
 836     ::close(fd);
 837     return -1;
 838   }
 839 
 840   // Verify that we have enough disk space for this file.
 841   // We'll get random SIGBUS crashes on memory accesses if
 842   // we don't.
 843 
 844   for (size_t seekpos = 0; seekpos < size; seekpos += os::vm_page_size()) {
 845     int zero_int = 0;
 846     result = (int)os::seek_to_file_offset(fd, (jlong)(seekpos));
 847     if (result == -1 ) break;
 848     RESTARTABLE(::write(fd, &zero_int, 1), result);
 849     if (result != 1) {
 850       if (errno == ENOSPC) {
 851         warning("Insufficient space for shared memory file:\n   %s\nTry using the -Djava.io.tmpdir= option to select an alternate temp location.\n", filename);
 852       }
 853       break;
 854     }
 855   }
 856 
 857   if (result != -1) {
 858     return fd;
 859   } else {
 860     ::close(fd);
 861     return -1;
 862   }
 863 }
 864 
 865 // open the shared memory file for the given user and vmid. returns
 866 // the file descriptor for the open file or -1 if the file could not
 867 // be opened.
 868 //
 869 static int open_sharedmem_file(const char* filename, int oflags, TRAPS) {
 870 
 871   // open the file
 872   int result;
 873   RESTARTABLE(::open(filename, oflags), result);
 874   if (result == OS_ERR) {
 875     if (errno == ENOENT) {
 876       THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),
 877                  "Process not found", OS_ERR);
 878     }
 879     else if (errno == EACCES) {
 880       THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),
 881                  "Permission denied", OS_ERR);
 882     }
 883     else {
 884       THROW_MSG_(vmSymbols::java_io_IOException(),
 885                  os::strerror(errno), OS_ERR);
 886     }
 887   }
 888   int fd = result;
 889 
 890   // check to see if the file is secure
 891   if (!is_file_secure(fd, filename)) {
 892     ::close(fd);
 893     return -1;
 894   }
 895 
 896   return fd;
 897 }
 898 
 899 // create a named shared memory region. returns the address of the
 900 // memory region on success or NULL on failure. A return value of
 901 // NULL will ultimately disable the shared memory feature.
 902 //
 903 // On BSD, the name space for shared memory objects
 904 // is the file system name space.
 905 //
 906 // A monitoring application attaching to a JVM does not need to know
 907 // the file system name of the shared memory object. However, it may
 908 // be convenient for applications to discover the existence of newly
 909 // created and terminating JVMs by watching the file system name space
 910 // for files being created or removed.
 911 //
 912 static char* mmap_create_shared(size_t size) {
 913 
 914   int result;
 915   int fd;
 916   char* mapAddress;
 917 
 918   int vmid = os::current_process_id();
 919 
 920   char* user_name = get_user_name(geteuid());
 921 
 922   if (user_name == NULL)
 923     return NULL;
 924 
 925   char* dirname = get_user_tmp_dir(user_name);
 926   char* filename = get_sharedmem_filename(dirname, vmid);
 927 
 928   // get the short filename
 929   char* short_filename = strrchr(filename, '/');
 930   if (short_filename == NULL) {
 931     short_filename = filename;
 932   } else {
 933     short_filename++;
 934   }
 935 
 936   // cleanup any stale shared memory files
 937   cleanup_sharedmem_resources(dirname);
 938 
 939   assert(((size > 0) && (size % os::vm_page_size() == 0)),
 940          "unexpected PerfMemory region size");
 941 
 942   fd = create_sharedmem_resources(dirname, short_filename, size);
 943 
 944   FREE_C_HEAP_ARRAY(char, user_name);
 945   FREE_C_HEAP_ARRAY(char, dirname);
 946 
 947   if (fd == -1) {
 948     FREE_C_HEAP_ARRAY(char, filename);
 949     return NULL;
 950   }
 951 
 952   mapAddress = (char*)::mmap((char*)0, size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
 953 
 954   result = ::close(fd);
 955   assert(result != OS_ERR, "could not close file");
 956 
 957   if (mapAddress == MAP_FAILED) {
 958     if (PrintMiscellaneous && Verbose) {
 959       warning("mmap failed -  %s\n", os::strerror(errno));
 960     }
 961     remove_file(filename);
 962     FREE_C_HEAP_ARRAY(char, filename);
 963     return NULL;
 964   }
 965 
 966   // save the file name for use in delete_shared_memory()
 967   backing_store_file_name = filename;
 968 
 969   // clear the shared memory region
 970   (void)::memset((void*) mapAddress, 0, size);
 971 
 972   // it does not go through os api, the operation has to record from here
 973   MemTracker::record_virtual_memory_reserve_and_commit((address)mapAddress, size, CURRENT_PC, mtInternal);
 974 
 975   return mapAddress;
 976 }
 977 
 978 // release a named shared memory region
 979 //
 980 static void unmap_shared(char* addr, size_t bytes) {
 981   os::release_memory(addr, bytes);
 982 }
 983 
 984 // create the PerfData memory region in shared memory.
 985 //
 986 static char* create_shared_memory(size_t size) {
 987 
 988   // create the shared memory region.
 989   return mmap_create_shared(size);
 990 }
 991 
 992 // delete the shared PerfData memory region
 993 //
 994 static void delete_shared_memory(char* addr, size_t size) {
 995 
 996   // cleanup the persistent shared memory resources. since DestroyJavaVM does
 997   // not support unloading of the JVM, unmapping of the memory resource is
 998   // not performed. The memory will be reclaimed by the OS upon termination of
 999   // the process. The backing store file is deleted from the file system.
1000 
1001   assert(!PerfDisableSharedMem, "shouldn't be here");
1002 
1003   if (backing_store_file_name != NULL) {
1004     remove_file(backing_store_file_name);
1005     // Don't.. Free heap memory could deadlock os::abort() if it is called
1006     // from signal handler. OS will reclaim the heap memory.
1007     // FREE_C_HEAP_ARRAY(char, backing_store_file_name);
1008     backing_store_file_name = NULL;
1009   }
1010 }
1011 
1012 // return the size of the file for the given file descriptor
1013 // or 0 if it is not a valid size for a shared memory file
1014 //
1015 static size_t sharedmem_filesize(int fd, TRAPS) {
1016 
1017   struct stat statbuf;
1018   int result;
1019 
1020   RESTARTABLE(::fstat(fd, &statbuf), result);
1021   if (result == OS_ERR) {
1022     if (PrintMiscellaneous && Verbose) {
1023       warning("fstat failed: %s\n", os::strerror(errno));
1024     }
1025     THROW_MSG_0(vmSymbols::java_io_IOException(),
1026                 "Could not determine PerfMemory size");
1027   }
1028 
1029   if ((statbuf.st_size == 0) ||
1030      ((size_t)statbuf.st_size % os::vm_page_size() != 0)) {
1031     THROW_MSG_0(vmSymbols::java_io_IOException(),
1032                 "Invalid PerfMemory size");
1033   }
1034 
1035   return (size_t)statbuf.st_size;
1036 }
1037 
1038 // attach to a named shared memory region.
1039 //
1040 static void mmap_attach_shared(const char* user, int vmid, PerfMemory::PerfMemoryMode mode, char** addr, size_t* sizep, TRAPS) {
1041 
1042   char* mapAddress;
1043   int result;
1044   int fd;
1045   size_t size = 0;
1046   const char* luser = NULL;
1047 
1048   int mmap_prot;
1049   int file_flags;
1050 
1051   ResourceMark rm;
1052 
1053   // map the high level access mode to the appropriate permission
1054   // constructs for the file and the shared memory mapping.
1055   if (mode == PerfMemory::PERF_MODE_RO) {
1056     mmap_prot = PROT_READ;
1057     file_flags = O_RDONLY | O_NOFOLLOW;
1058   }
1059   else if (mode == PerfMemory::PERF_MODE_RW) {
1060 #ifdef LATER
1061     mmap_prot = PROT_READ | PROT_WRITE;
1062     file_flags = O_RDWR | O_NOFOLLOW;
1063 #else
1064     THROW_MSG(vmSymbols::java_lang_IllegalArgumentException(),
1065               "Unsupported access mode");
1066 #endif
1067   }
1068   else {
1069     THROW_MSG(vmSymbols::java_lang_IllegalArgumentException(),
1070               "Illegal access mode");
1071   }
1072 
1073   if (user == NULL || strlen(user) == 0) {
1074     luser = get_user_name(vmid, CHECK);
1075   }
1076   else {
1077     luser = user;
1078   }
1079 
1080   if (luser == NULL) {
1081     THROW_MSG(vmSymbols::java_lang_IllegalArgumentException(),
1082               "Could not map vmid to user Name");
1083   }
1084 
1085   char* dirname = get_user_tmp_dir(luser);
1086 
1087   // since we don't follow symbolic links when creating the backing
1088   // store file, we don't follow them when attaching either.
1089   //
1090   if (!is_directory_secure(dirname)) {
1091     FREE_C_HEAP_ARRAY(char, dirname);
1092     if (luser != user) {
1093       FREE_C_HEAP_ARRAY(char, luser);
1094     }
1095     THROW_MSG(vmSymbols::java_lang_IllegalArgumentException(),
1096               "Process not found");
1097   }
1098 
1099   char* filename = get_sharedmem_filename(dirname, vmid);
1100 
1101   // copy heap memory to resource memory. the open_sharedmem_file
1102   // method below need to use the filename, but could throw an
1103   // exception. using a resource array prevents the leak that
1104   // would otherwise occur.
1105   char* rfilename = NEW_RESOURCE_ARRAY(char, strlen(filename) + 1);
1106   strcpy(rfilename, filename);
1107 
1108   // free the c heap resources that are no longer needed
1109   if (luser != user) FREE_C_HEAP_ARRAY(char, luser);
1110   FREE_C_HEAP_ARRAY(char, dirname);
1111   FREE_C_HEAP_ARRAY(char, filename);
1112 
1113   // open the shared memory file for the give vmid
1114   fd = open_sharedmem_file(rfilename, file_flags, CHECK);
1115   assert(fd != OS_ERR, "unexpected value");
1116 
1117   if (*sizep == 0) {
1118     size = sharedmem_filesize(fd, CHECK);
1119   } else {
1120     size = *sizep;
1121   }
1122 
1123   assert(size > 0, "unexpected size <= 0");
1124 
1125   mapAddress = (char*)::mmap((char*)0, size, mmap_prot, MAP_SHARED, fd, 0);
1126 
1127   // attempt to close the file - restart if it gets interrupted,
1128   // but ignore other failures
1129   result = ::close(fd);
1130   assert(result != OS_ERR, "could not close file");
1131 
1132   if (mapAddress == MAP_FAILED) {
1133     if (PrintMiscellaneous && Verbose) {
1134       warning("mmap failed: %s\n", os::strerror(errno));
1135     }
1136     THROW_MSG(vmSymbols::java_lang_OutOfMemoryError(),
1137               "Could not map PerfMemory");
1138   }
1139 
1140   // it does not go through os api, the operation has to record from here
1141   MemTracker::record_virtual_memory_reserve_and_commit((address)mapAddress, size, CURRENT_PC, mtInternal);
1142 
1143   *addr = mapAddress;
1144   *sizep = size;
1145 
1146   log_debug(perf, memops)("mapped " SIZE_FORMAT " bytes for vmid %d at "
1147                           INTPTR_FORMAT, size, vmid, p2i((void*)mapAddress));
1148 }
1149 
1150 // create the PerfData memory region
1151 //
1152 // This method creates the memory region used to store performance
1153 // data for the JVM. The memory may be created in standard or
1154 // shared memory.
1155 //
1156 void PerfMemory::create_memory_region(size_t size) {
1157 
1158   if (PerfDisableSharedMem) {
1159     // do not share the memory for the performance data.
1160     _start = create_standard_memory(size);
1161   }
1162   else {
1163     _start = create_shared_memory(size);
1164     if (_start == NULL) {
1165 
1166       // creation of the shared memory region failed, attempt
1167       // to create a contiguous, non-shared memory region instead.
1168       //
1169       if (PrintMiscellaneous && Verbose) {
1170         warning("Reverting to non-shared PerfMemory region.\n");
1171       }
1172       PerfDisableSharedMem = true;
1173       _start = create_standard_memory(size);
1174     }
1175   }
1176 
1177   if (_start != NULL) _capacity = size;
1178 
1179 }
1180 
1181 // delete the PerfData memory region
1182 //
1183 // This method deletes the memory region used to store performance
1184 // data for the JVM. The memory region indicated by the <address, size>
1185 // tuple will be inaccessible after a call to this method.
1186 //
1187 void PerfMemory::delete_memory_region() {
1188 
1189   assert((start() != NULL && capacity() > 0), "verify proper state");
1190 
1191   // If user specifies PerfDataSaveFile, it will save the performance data
1192   // to the specified file name no matter whether PerfDataSaveToFile is specified
1193   // or not. In other word, -XX:PerfDataSaveFile=.. overrides flag
1194   // -XX:+PerfDataSaveToFile.
1195   if (PerfDataSaveToFile || PerfDataSaveFile != NULL) {
1196     save_memory_to_file(start(), capacity());
1197   }
1198 
1199   if (PerfDisableSharedMem) {
1200     delete_standard_memory(start(), capacity());
1201   }
1202   else {
1203     delete_shared_memory(start(), capacity());
1204   }
1205 }
1206 
1207 // attach to the PerfData memory region for another JVM
1208 //
1209 // This method returns an <address, size> tuple that points to
1210 // a memory buffer that is kept reasonably synchronized with
1211 // the PerfData memory region for the indicated JVM. This
1212 // buffer may be kept in synchronization via shared memory
1213 // or some other mechanism that keeps the buffer updated.
1214 //
1215 // If the JVM chooses not to support the attachability feature,
1216 // this method should throw an UnsupportedOperation exception.
1217 //
1218 // This implementation utilizes named shared memory to map
1219 // the indicated process's PerfData memory region into this JVMs
1220 // address space.
1221 //
1222 void PerfMemory::attach(const char* user, int vmid, PerfMemoryMode mode, char** addrp, size_t* sizep, TRAPS) {
1223 
1224   if (vmid == 0 || vmid == os::current_process_id()) {
1225      *addrp = start();
1226      *sizep = capacity();
1227      return;
1228   }
1229 
1230   mmap_attach_shared(user, vmid, mode, addrp, sizep, CHECK);
1231 }
1232 
1233 // detach from the PerfData memory region of another JVM
1234 //
1235 // This method detaches the PerfData memory region of another
1236 // JVM, specified as an <address, size> tuple of a buffer
1237 // in this process's address space. This method may perform
1238 // arbitrary actions to accomplish the detachment. The memory
1239 // region specified by <address, size> will be inaccessible after
1240 // a call to this method.
1241 //
1242 // If the JVM chooses not to support the attachability feature,
1243 // this method should throw an UnsupportedOperation exception.
1244 //
1245 // This implementation utilizes named shared memory to detach
1246 // the indicated process's PerfData memory region from this
1247 // process's address space.
1248 //
1249 void PerfMemory::detach(char* addr, size_t bytes, TRAPS) {
1250 
1251   assert(addr != 0, "address sanity check");
1252   assert(bytes > 0, "capacity sanity check");
1253 
1254   if (PerfMemory::contains(addr) || PerfMemory::contains(addr + bytes - 1)) {
1255     // prevent accidental detachment of this process's PerfMemory region
1256     return;
1257   }
1258 
1259   unmap_shared(addr, bytes);
1260 }