// Copyright 2020 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef PARTITION_ALLOC_PARTITION_ROOT_H_ #define PARTITION_ALLOC_PARTITION_ROOT_H_ // DESCRIPTION // PartitionRoot::Alloc() and PartitionRoot::Free() are approximately analogous // to malloc() and free(). // // The main difference is that a PartitionRoot object must be supplied to these // functions, representing a specific "heap partition" that will be used to // satisfy the allocation. Different partitions are guaranteed to exist in // separate address spaces, including being separate from the main system // heap. If the contained objects are all freed, physical memory is returned to // the system but the address space remains reserved. See PartitionAlloc.md for // other security properties PartitionAlloc provides. // // THE ONLY LEGITIMATE WAY TO OBTAIN A PartitionRoot IS THROUGH THE // PartitionAllocator classes. To minimize the instruction count to the fullest // extent possible, the PartitionRoot is really just a header adjacent to other // data areas provided by the allocator class. // // The constraints for PartitionRoot::Alloc() are: // - Multi-threaded use against a single partition is ok; locking is handled. // - Allocations of any arbitrary size can be handled (subject to a limit of // INT_MAX bytes for security reasons). // - Bucketing is by approximate size, for example an allocation of 4000 bytes // might be placed into a 4096-byte bucket. Bucket sizes are chosen to try and // keep worst-case waste to ~10%. #include <algorithm> #include <atomic> #include <cstddef> #include <cstdint> #include <limits> #include <optional> #include <utility> #include "partition_alloc/address_pool_manager_types.h" #include "partition_alloc/allocation_guard.h" #include "partition_alloc/build_config.h" #include "partition_alloc/buildflags.h" #include "partition_alloc/freeslot_bitmap.h" #include "partition_alloc/in_slot_metadata.h" #include "partition_alloc/lightweight_quarantine.h" #include "partition_alloc/page_allocator.h" #include "partition_alloc/partition_address_space.h" #include "partition_alloc/partition_alloc-inl.h" #include "partition_alloc/partition_alloc_allocation_data.h" #include "partition_alloc/partition_alloc_base/bits.h" #include "partition_alloc/partition_alloc_base/compiler_specific.h" #include "partition_alloc/partition_alloc_base/component_export.h" #include "partition_alloc/partition_alloc_base/export_template.h" #include "partition_alloc/partition_alloc_base/no_destructor.h" #include "partition_alloc/partition_alloc_base/notreached.h" #include "partition_alloc/partition_alloc_base/thread_annotations.h" #include "partition_alloc/partition_alloc_base/time/time.h" #include "partition_alloc/partition_alloc_check.h" #include "partition_alloc/partition_alloc_config.h" #include "partition_alloc/partition_alloc_constants.h" #include "partition_alloc/partition_alloc_forward.h" #include "partition_alloc/partition_alloc_hooks.h" #include "partition_alloc/partition_bucket.h" #include "partition_alloc/partition_bucket_lookup.h" #include "partition_alloc/partition_cookie.h" #include "partition_alloc/partition_dcheck_helper.h" #include "partition_alloc/partition_direct_map_extent.h" #include "partition_alloc/partition_freelist_entry.h" #include "partition_alloc/partition_lock.h" #include "partition_alloc/partition_oom.h" #include "partition_alloc/partition_page.h" #include "partition_alloc/reservation_offset_table.h" #include "partition_alloc/tagging.h" #include "partition_alloc/thread_cache.h" #include "partition_alloc/thread_isolation/thread_isolation.h" namespace partition_alloc::internal { // We want this size to be big enough that we have time to start up other // scripts _before_ we wrap around. static constexpr size_t kAllocInfoSize = …; struct AllocInfo { … }; #if PA_BUILDFLAG(RECORD_ALLOC_INFO) extern AllocInfo g_allocs; void RecordAllocOrFree(uintptr_t addr, size_t size); #endif // PA_BUILDFLAG(RECORD_ALLOC_INFO) } // namespace partition_alloc::internal namespace partition_alloc { internal // namespace internal // Bit flag constants used to purge memory. See PartitionRoot::PurgeMemory. // // In order to support bit operations like `flag_a | flag_b`, the old-fashioned // enum (+ surrounding named struct) is used instead of enum class. struct PurgeFlags { … }; // Options struct used to configure PartitionRoot and PartitionAllocator. struct PartitionOptions { … }; constexpr PartitionOptions::PartitionOptions() = default; constexpr PartitionOptions::PartitionOptions(const PartitionOptions& other) = default; PA_CONSTEXPR_DTOR PartitionOptions::~PartitionOptions() = default; // When/if free lists should be "straightened" when calling // PartitionRoot::PurgeMemory(..., accounting_only=false). enum class StraightenLargerSlotSpanFreeListsMode { … }; // Never instantiate a PartitionRoot directly, instead use // PartitionAllocator. struct alignas(64) PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionRoot { … }; internal // namespace internal template <AllocFlags flags> PA_ALWAYS_INLINE uintptr_t PartitionRoot::AllocFromBucket(Bucket* bucket, size_t raw_size, size_t slot_span_alignment, size_t* usable_size, size_t* slot_size, bool* is_already_zeroed) { … } AllocationNotificationData PartitionRoot::CreateAllocationNotificationData( void* object, size_t size, const char* type_name) const { … } FreeNotificationData PartitionRoot::CreateDefaultFreeNotificationData( void* address) { … } FreeNotificationData PartitionRoot::CreateFreeNotificationData( void* address) const { … } // static template <FreeFlags flags> PA_ALWAYS_INLINE bool PartitionRoot::FreeProlog(void* object, const PartitionRoot* root) { … } PA_ALWAYS_INLINE bool PartitionRoot::IsMemoryTaggingEnabled() const { … } PA_ALWAYS_INLINE bool PartitionRoot::UseRandomMemoryTagging() const { … } PA_ALWAYS_INLINE TagViolationReportingMode PartitionRoot::memory_tagging_reporting_mode() const { … } // static template <FreeFlags flags> PA_ALWAYS_INLINE void PartitionRoot::FreeInlineInUnknownRoot(void* object) { … } template <FreeFlags flags> PA_ALWAYS_INLINE void PartitionRoot::FreeInline(void* object) { … } PA_ALWAYS_INLINE void PartitionRoot::FreeNoHooksImmediate( void* object, SlotSpanMetadata* slot_span, uintptr_t slot_start) { … } PA_ALWAYS_INLINE void PartitionRoot::FreeInSlotSpan( uintptr_t slot_start, SlotSpanMetadata* slot_span) { … } PA_ALWAYS_INLINE void PartitionRoot::RawFree(uintptr_t slot_start) { … } #if PA_CONFIG(IS_NONCLANG_MSVC) // MSVC only supports inline assembly on x86. This preprocessor directive // is intended to be a replacement for the same. // // TODO(crbug.com/40234441): Make sure inlining doesn't degrade this into // a no-op or similar. The documentation doesn't say. #pragma optimize("", off) #endif PA_ALWAYS_INLINE void PartitionRoot::RawFree(uintptr_t slot_start, SlotSpanMetadata* slot_span) { … } #if PA_CONFIG(IS_NONCLANG_MSVC) #pragma optimize("", on) #endif PA_ALWAYS_INLINE void PartitionRoot::RawFreeBatch(FreeListEntry* head, FreeListEntry* tail, size_t size, SlotSpanMetadata* slot_span) { … } #if PA_BUILDFLAG(HAS_MEMORY_TAGGING) PA_ALWAYS_INLINE void PartitionRoot::RetagSlotIfNeeded(void* slot_start_ptr, size_t slot_size) { // This branch is |likely| because HAS_MEMORY_TAGGING build flag is true for // arm64 Android devices and only a small portion of them will have memory // tagging enabled. if (!IsMemoryTaggingEnabled()) [[likely]] { return; } if (slot_size <= internal::kMaxMemoryTaggingSize) [[likely]] { if (UseRandomMemoryTagging()) { // Exclude the previous tag so that immediate use after free is detected // 100% of the time. uint8_t previous_tag = internal::ExtractTagFromPtr(slot_start_ptr); internal::TagMemoryRangeRandomly(slot_start_ptr, slot_size, 1 << previous_tag); } else { internal::TagMemoryRangeIncrement(slot_start_ptr, slot_size); } } } #endif // PA_BUILDFLAG(HAS_MEMORY_TAGGING) PA_ALWAYS_INLINE void PartitionRoot::RawFreeWithThreadCache( uintptr_t slot_start, void* slot_start_ptr, SlotSpanMetadata* slot_span) { … } PA_ALWAYS_INLINE void PartitionRoot::RawFreeLocked(uintptr_t slot_start) { … } PA_ALWAYS_INLINE PartitionRoot* PartitionRoot::FromSlotSpanMetadata( SlotSpanMetadata* slot_span) { … } PA_ALWAYS_INLINE PartitionRoot* PartitionRoot::FromFirstSuperPage( uintptr_t super_page) { … } PA_ALWAYS_INLINE PartitionRoot* PartitionRoot::FromAddrInFirstSuperpage( uintptr_t address) { … } PA_ALWAYS_INLINE void PartitionRoot::IncreaseTotalSizeOfAllocatedBytes( uintptr_t addr, size_t len, size_t raw_size) { … } PA_ALWAYS_INLINE void PartitionRoot::DecreaseTotalSizeOfAllocatedBytes( uintptr_t addr, size_t len) { … } PA_ALWAYS_INLINE void PartitionRoot::IncreaseCommittedPages(size_t len) { … } PA_ALWAYS_INLINE void PartitionRoot::DecreaseCommittedPages(size_t len) { … } PA_ALWAYS_INLINE void PartitionRoot::DecommitSystemPagesForData( uintptr_t address, size_t length, PageAccessibilityDisposition accessibility_disposition) { … } // Not unified with TryRecommitSystemPagesForData() to preserve error codes. PA_ALWAYS_INLINE void PartitionRoot::RecommitSystemPagesForData( uintptr_t address, size_t length, PageAccessibilityDisposition accessibility_disposition, bool request_tagging) { … } template <bool already_locked> PA_ALWAYS_INLINE bool PartitionRoot::TryRecommitSystemPagesForDataInternal( uintptr_t address, size_t length, PageAccessibilityDisposition accessibility_disposition, bool request_tagging) { … } PA_ALWAYS_INLINE bool PartitionRoot::TryRecommitSystemPagesForDataWithAcquiringLock( uintptr_t address, size_t length, PageAccessibilityDisposition accessibility_disposition, bool request_tagging) { … } PA_ALWAYS_INLINE bool PartitionRoot::TryRecommitSystemPagesForDataLocked( uintptr_t address, size_t length, PageAccessibilityDisposition accessibility_disposition, bool request_tagging) { … } // static // // Returns the size available to the app. It can be equal or higher than the // requested size. If higher, the overage won't exceed what's actually usable // by the app without a risk of running out of an allocated region or into // PartitionAlloc's internal data. Used as malloc_usable_size and malloc_size. // // |ptr| should preferably point to the beginning of an object returned from // malloc() et al., but it doesn't have to. crbug.com/1292646 shows an example // where this isn't the case. Note, an inner object pointer won't work for // direct map, unless it is within the first partition page. PA_ALWAYS_INLINE size_t PartitionRoot::GetUsableSize(void* ptr) { … } PA_ALWAYS_INLINE size_t PartitionRoot::GetUsableSizeWithMac11MallocSizeHack(void* ptr) { … } // Returns the page configuration to use when mapping slot spans for a given // partition root. ReadWriteTagged is used on MTE-enabled systems for // PartitionRoots supporting it. PA_ALWAYS_INLINE PageAccessibilityConfiguration PartitionRoot::GetPageAccessibility(bool request_tagging) const { … } PA_ALWAYS_INLINE PageAccessibilityConfiguration PartitionRoot::PageAccessibilityWithThreadIsolationIfEnabled( PageAccessibilityConfiguration::Permissions permissions) const { … } // Return the capacity of the underlying slot (adjusted for extras). This // doesn't mean this capacity is readily available. It merely means that if // a new allocation (or realloc) happened with that returned value, it'd use // the same amount of underlying memory. PA_ALWAYS_INLINE size_t PartitionRoot::AllocationCapacityFromSlotStart(uintptr_t slot_start) const { … } #if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) PA_ALWAYS_INLINE internal::InSlotMetadata* PartitionRoot::InSlotMetadataPointerFromSlotStartAndSize(uintptr_t slot_start, size_t slot_size) { … } PA_ALWAYS_INLINE internal::InSlotMetadata* PartitionRoot::InSlotMetadataPointerFromObjectForTesting(void* object) const { … } #endif // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) // static PA_ALWAYS_INLINE uint16_t PartitionRoot::SizeToBucketIndex(size_t size, BucketDistribution bucket_distribution) { … } template <AllocFlags flags> PA_ALWAYS_INLINE void* PartitionRoot::AllocInternal(size_t requested_size, size_t slot_span_alignment, const char* type_name) { … } template <AllocFlags flags> PA_ALWAYS_INLINE void* PartitionRoot::AllocInternalNoHooks( size_t requested_size, size_t slot_span_alignment) { … } template <AllocFlags flags> PA_ALWAYS_INLINE uintptr_t PartitionRoot::RawAlloc(Bucket* bucket, size_t raw_size, size_t slot_span_alignment, size_t* usable_size, size_t* slot_size, bool* is_already_zeroed) { … } template <AllocFlags flags> PA_ALWAYS_INLINE void* PartitionRoot::AlignedAllocInline( size_t alignment, size_t requested_size) { … } template <AllocFlags alloc_flags, FreeFlags free_flags> void* PartitionRoot::ReallocInline(void* ptr, size_t new_size, const char* type_name) { … } // Return the capacity of the underlying slot (adjusted for extras) that'd be // used to satisfy a request of |size|. This doesn't mean this capacity would be // readily available. It merely means that if an allocation happened with that // returned value, it'd use the same amount of underlying memory as the // allocation with |size|. PA_ALWAYS_INLINE size_t PartitionRoot::AllocationCapacityFromRequestedSize(size_t size) const { … } ThreadCache* PartitionRoot::GetOrCreateThreadCache() { … } ThreadCache* PartitionRoot::GetThreadCache() { … } // private. internal::LightweightQuarantineBranch& PartitionRoot::GetSchedulerLoopQuarantineBranch() { … } internal::LightweightQuarantineRoot& PartitionRoot::GetSchedulerLoopQuarantineRoot() { … } // Explicitly declare common template instantiations to reduce compile time. #define EXPORT_TEMPLATE … EXPORT_TEMPLATE void* PartitionRoot::Alloc<AllocFlags::kNone>(size_t, const char*); EXPORT_TEMPLATE void* PartitionRoot::Alloc<AllocFlags::kReturnNull>( size_t, const char*); EXPORT_TEMPLATE void* PartitionRoot::Realloc<AllocFlags::kNone, FreeFlags::kNone>(void*, size_t, const char*); EXPORT_TEMPLATE void* PartitionRoot::Realloc<AllocFlags::kReturnNull, FreeFlags::kNone>(void*, size_t, const char*); EXPORT_TEMPLATE void* PartitionRoot::AlignedAlloc<AllocFlags::kNone>(size_t, size_t); #undef EXPORT_TEMPLATE #if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) // Usage in `raw_ptr_backup_ref_impl.cc` is notable enough to merit a // non-internal alias. PartitionAllocGetSlotStartAndSizeInBRPPool; #endif // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) #if PA_BUILDFLAG(IS_APPLE) && PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) PA_COMPONENT_EXPORT(PARTITION_ALLOC) void PartitionAllocMallocHookOnBeforeForkInParent(); PA_COMPONENT_EXPORT(PARTITION_ALLOC) void PartitionAllocMallocHookOnAfterForkInParent(); PA_COMPONENT_EXPORT(PARTITION_ALLOC) void PartitionAllocMallocHookOnAfterForkInChild(); #endif // PA_BUILDFLAG(IS_APPLE) && PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) } // namespace partition_alloc #endif // PARTITION_ALLOC_PARTITION_ROOT_H_
Codebase Browser
chromium