| blob | 7693499ae084606b8c379a5bfacc0e7d66822898 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 // PHC is a probabilistic heap checker. A tiny fraction of randomly chosen heap
8 // allocations are subject to some expensive checking via the use of OS page
9 // access protection. A failed check triggers a crash, whereupon useful
10 // information about the failure is put into the crash report. The cost and
11 // coverage for each user is minimal, but spread over the entire user base the
12 // coverage becomes significant.
13 //
14 // The idea comes from Chromium, where it is called GWP-ASAN. (Firefox uses PHC
15 // as the name because GWP-ASAN is long, awkward, and doesn't have any
16 // particular meaning.)
17 //
18 // In the current implementation up to 64 allocations per process can become
19 // PHC allocations. These allocations must be page-sized or smaller. Each PHC
20 // allocation gets its own page, and when the allocation is freed its page is
21 // marked inaccessible until the page is reused for another allocation. This
22 // means that a use-after-free defect (which includes double-frees) will be
23 // caught if the use occurs before the page is reused for another allocation.
24 // The crash report will contain stack traces for the allocation site, the free
25 // site, and the use-after-free site, which is often enough to diagnose the
26 // defect.
27 //
28 // Also, each PHC allocation is followed by a guard page. The PHC allocation is
29 // positioned so that its end abuts the guard page (or as close as possible,
30 // given alignment constraints). This means that a bounds violation at the end
31 // of the allocation (overflow) will be caught. The crash report will contain
32 // stack traces for the allocation site and the bounds violation use site,
33 // which is often enough to diagnose the defect.
34 //
35 // (A bounds violation at the start of the allocation (underflow) will not be
36 // caught, unless it is sufficiently large to hit the preceding allocation's
37 // guard page, which is not that likely. It would be possible to look more
38 // assiduously for underflow by randomly placing some allocations at the end of
39 // the page and some at the start of the page, and GWP-ASAN does this. PHC does
40 // not, however, because overflow is likely to be much more common than
41 // underflow in practice.)
42 //
43 // We use a simple heuristic to categorize a guard page access as overflow or
44 // underflow: if the address falls in the lower half of the guard page, we
45 // assume it is overflow, otherwise we assume it is underflow. More
46 // sophisticated heuristics are possible, but this one is very simple, and it is
47 // likely that most overflows/underflows in practice are very close to the page
48 // boundary.
49 //
50 // The design space for the randomization strategy is large. The current
51 // implementation has a large random delay before it starts operating, and a
52 // small random delay between each PHC allocation attempt. Each freed PHC
53 // allocation is quarantined for a medium random delay before being reused, in
54 // order to increase the chance of catching UAFs.
55 //
56 // The basic cost of PHC's operation is as follows.
57 //
58 // - The physical memory cost is 64 pages plus some metadata (including stack
59 // traces) for each page. This amounts to 256 KiB per process on
60 // architectures with 4 KiB pages and 1024 KiB on macOS/AArch64 which uses
61 // 16 KiB pages.
62 //
63 // - The virtual memory cost is the physical memory cost plus the guard pages:
64 // another 64 pages. This amounts to another 256 KiB per process on
65 // architectures with 4 KiB pages and 1024 KiB on macOS/AArch64 which uses
66 // 16 KiB pages. PHC is currently only enabled on 64-bit platforms so the
67 // impact of the virtual memory usage is negligible.
68 //
69 // - Every allocation requires a size check and a decrement-and-check of an
70 // atomic counter. When the counter reaches zero a PHC allocation can occur,
71 // which involves marking a page as accessible and getting a stack trace for
72 // the allocation site. Otherwise, mozjemalloc performs the allocation.
73 //
74 // - Every deallocation requires a range check on the pointer to see if it
75 // involves a PHC allocation. (The choice to only do PHC allocations that are
76 // a page or smaller enables this range check, because the 64 pages are
77 // contiguous. Allowing larger allocations would make this more complicated,
78 // and we definitely don't want something as slow as a hash table lookup on
79 // every deallocation.) PHC deallocations involve marking a page as
80 // inaccessible and getting a stack trace for the deallocation site.
81 //
82 // Note that calls to realloc(), free(), and malloc_usable_size() will
83 // immediately crash if the given pointer falls within a page allocation's
84 // page, but does not point to the start of the allocation itself.
85 //
86 // void* p = malloc(64);
87 // free(p + 1); // p+1 doesn't point to the allocation start; crash
88 //
89 // Such crashes will not have the PHC fields in the crash report.
90 //
91 // PHC-specific tests can be run with the following commands:
92 // - gtests: `./mach gtest '*PHC*'`
93 // - xpcshell-tests: `./mach test toolkit/crashreporter/test/unit`
94 // - This runs some non-PHC tests as well.
98 #include <stdlib.h>
99 #include <time.h>
101 #include <algorithm>
103 #ifdef XP_WIN
104 # include <process.h>
105 #else
106 # include <sys/mman.h>
107 # include <sys/types.h>
108 # include <pthread.h>
109 # include <unistd.h>
110 #endif
126 //---------------------------------------------------------------------------
127 // Utilities
128 //---------------------------------------------------------------------------
130 #ifdef ANDROID
131 // Android doesn't have pthread_atfork defined in pthread.h.
134 #endif
136 #ifndef DISALLOW_COPY_AND_ASSIGN
137 # define DISALLOW_COPY_AND_ASSIGN(T) \
138 T(const T&); \
139 void operator=(const T&)
140 #endif
144 // This class provides infallible operations for the small number of heap
145 // allocations that PHC does for itself. It would be nice if we could use the
146 // InfallibleAllocPolicy from mozalloc, but PHC cannot use mozalloc.
152 }
153 }
160 }
161 };
163 //---------------------------------------------------------------------------
164 // Stack traces
165 //---------------------------------------------------------------------------
167 // This code is similar to the equivalent code within DMD.
185 }
186 };
188 // WARNING WARNING WARNING: this function must only be called when GMut::sMutex
189 // is *not* locked, otherwise we might get deadlocks.
190 //
191 // How? On Windows, MozStackWalk() can lock a mutex, M, from the shared library
192 // loader. Another thread might call malloc() while holding M locked (when
193 // loading a shared library) and try to lock GMut::sMutex, causing a deadlock.
194 // So GMut::sMutex can't be locked during the call to MozStackWalk(). (For
195 // details, see https://bugzilla.mozilla.org/show_bug.cgi?id=374829#c8. On
196 // Linux, something similar can happen; see bug 824340. So we just disallow it
197 // on all platforms.)
198 //
199 // In DMD, to avoid this problem we temporarily unlock the equivalent mutex for
200 // the MozStackWalk() call. But that's grotty, and things are a bit different
201 // here, so we just require that stack traces be obtained before locking
202 // GMut::sMutex.
203 //
204 // Unfortunately, there is no reliable way at compile-time or run-time to ensure
205 // this pre-condition. Hence this large comment.
206 //
210 #if defined(XP_WIN) && defined(_M_IX86)
211 // This avoids MozStackWalk(), which causes unusably slow startup on Win32
212 // when it is called during static initialization (see bug 1241684).
213 //
214 // This code is cribbed from the Gecko Profiler, which also uses
215 // FramePointerStackWalk() on Win32: Registers::SyncPopulate() for the
216 // frame pointer, and GetStackTop() for the stack end.
217 CONTEXT context;
224 #elif defined(XP_MACOSX)
225 // This avoids MozStackWalk(), which has become unusably slow on Mac due to
226 // changes in libunwind.
227 //
228 // This code is cribbed from the Gecko Profiler, which also uses
229 // FramePointerStackWalk() on Mac: Registers::SyncPopulate() for the frame
230 // pointer, and GetStackTop() for the stack end.
231 # pragma GCC diagnostic push
234 # pragma GCC diagnostic pop
237 #else
239 #endif
240 }
242 //---------------------------------------------------------------------------
243 // Logging
244 //---------------------------------------------------------------------------
246 // Change this to 1 to enable some PHC logging. Useful for debugging.
247 #define PHC_LOGGING 0
249 #if PHC_LOGGING
254 # if defined(XP_WIN)
256 # else
258 # endif
259 }
261 # if defined(XP_WIN)
262 # define LOG_STDERR \
263 reinterpret_cast<intptr_t>(GetStdHandle(STD_ERROR_HANDLE))
264 # else
265 # define LOG_STDERR 2
266 # endif
267 # define LOG(fmt, ...) \
269 size_t(GAtomic::Now()), __VA_ARGS__)
271 #else
273 # define LOG(fmt, ...)
277 //---------------------------------------------------------------------------
278 // Global state
279 //---------------------------------------------------------------------------
281 // Throughout this entire file time is measured as the number of sub-page
282 // allocations performed (by PHC and mozjemalloc combined). `Time` is 64-bit
283 // because we could have more than 2**32 allocations in a long-running session.
284 // `Delay` is 32-bit because the delays used within PHC are always much smaller
285 // than 2**32.
289 // PHC only runs if the page size is 4 KiB; anything more is uncommon and would
290 // use too much memory. So we hardwire this size for all platforms but macOS
291 // on ARM processors. For the latter we make an exception because the minimum
292 // page size supported is 16KiB so there's no way to go below that.
294 #if defined(XP_MACOSX) && defined(__aarch64__)
295 16384
296 #else
297 4096
298 #endif
299 ;
301 // There are two kinds of page.
302 // - Allocation pages, from which allocations are made.
303 // - Guard pages, which are never touched by PHC.
304 //
305 // These page kinds are interleaved; each allocation page has a guard page on
306 // either side.
310 // The total size of the allocation pages and guard pages.
313 // The junk value used to fill new allocation in debug builds. It's same value
314 // as the one used by mozjemalloc. PHC applies it unconditionally in debug
315 // builds. Unlike mozjemalloc, PHC doesn't consult the MALLOC_OPTIONS
316 // environment variable to possibly change that behaviour.
317 //
318 // Also note that, unlike mozjemalloc, PHC doesn't have a poison value for freed
319 // allocations because freed allocations are protected by OS page protection.
320 #ifdef DEBUG
322 #endif
324 // The maximum time.
327 // The average delay before doing any page allocations at the start of a
328 // process. Note that roughly 1 million allocations occur in the main process
329 // while starting the browser. The delay range is 1..kAvgFirstAllocDelay*2.
332 // The average delay until the next attempted page allocation, once we get past
333 // the first delay. The delay range is 1..kAvgAllocDelay*2.
336 // The average delay before reusing a freed page. Should be significantly larger
337 // than kAvgAllocDelay, otherwise there's not much point in having it. The delay
338 // range is (kAvgAllocDelay / 2)..(kAvgAllocDelay / 2 * 3). This is different to
339 // the other delay ranges in not having a minimum of 1, because that's such a
340 // short delay that there is a high likelihood of bad stacks in any crash
341 // report.
344 // Truncate aRnd to the range (1 .. AvgDelay*2). If aRnd is random, this
345 // results in an average value of aAvgDelay + 0.5, which is close enough to
346 // aAvgDelay. aAvgDelay must be a power-of-two (otherwise it will crash) for
347 // speed.
353 }
355 // Maps a pointer to a PHC-specific structure:
356 // - Nothing
357 // - A guard page (it is unspecified which one)
358 // - An allocation page (with an index < kNumAllocPages)
359 //
360 // The standard way of handling a PtrKind is to check IsNothing(), and if that
361 // fails, to check IsGuardPage(), and if that fails, to call AllocPage().
365 Nothing,
366 GuardPage,
367 AllocPage,
368 };
370 Tag mTag;
374 // Detect what a pointer points to. This constructor must be fast because it
375 // is called for every call to free(), realloc(), malloc_usable_size(), and
376 // jemalloc_ptr_info().
386 // Odd-indexed pages are allocation pages.
392 // Even-numbered pages are guard pages.
394 }
395 }
396 }
401 // This should only be called after IsNothing() and IsGuardPage() have been
402 // checked and failed.
406 }
407 };
409 // Shared, atomic, mutable global state.
416 }
422 // Decrements the delay and returns the decremented value.
428 // The current time. Relaxed semantics because it's primarily used for
429 // determining if an allocation can be recycled yet and therefore it doesn't
430 // need to be exact.
433 // Delay until the next attempt at a page allocation. See the comment in
434 // MaybePageAlloc() for an explanation of why it is a signed integer, and why
435 // it uses ReleaseAcquire semantics.
437 };
442 // Shared, immutable global state. Initialized by replace_init() and never
443 // changed after that. replace_init() runs early enough that no synchronization
444 // is needed.
447 // The bounds of the allocated pages.
451 // Allocates the allocation pages and the guard pages, contiguously.
453 // Allocate the pages so that they are inaccessible. They are never freed,
454 // because it would happen at process termination when it would be of little
455 // use.
457 #ifdef XP_WIN
459 #else
462 #endif
465 }
468 }
474 }
479 }
483 }
485 // Get the address of the allocation page referred to via an index. Used when
486 // marking the page as accessible/inaccessible.
489 // Multiply by two and add one to account for allocation pages *and* guard
490 // pages.
492 }
493 };
497 // On MacOS, the first __thread/thread_local access calls malloc, which leads
498 // to an infinite loop. So we use pthread-based TLS instead, which somehow
499 // doesn't have this problem.
500 #if !defined(XP_DARWIN)
501 # define PHC_THREAD_LOCAL(T) MOZ_THREAD_LOCAL(T)
502 #else
503 # define PHC_THREAD_LOCAL(T) \
504 detail::ThreadLocal<T, detail::ThreadLocalKeyStorage>
505 #endif
507 // Thread-local state.
513 // When true, PHC does as little as possible.
514 //
515 // (a) It does not allocate any new page allocations.
516 //
517 // (b) It avoids doing any operations that might call malloc/free/etc., which
518 // would cause re-entry into PHC. (In practice, MozStackWalk() is the
519 // only such operation.) Note that calls to the functions in sMallocTable
520 // are ok.
521 //
522 // For example, replace_malloc() will just fall back to mozjemalloc. However,
523 // operations involving existing allocations are more complex, because those
524 // existing allocations may be page allocations. For example, if
525 // replace_free() is passed a page allocation on a PHC-disabled thread, it
526 // will free the page allocation in the usual way, but it will get a dummy
527 // freeStack in order to avoid calling MozStackWalk(), as per (b) above.
528 //
529 // This single disabling mechanism has two distinct uses.
530 //
531 // - It's used to prevent re-entry into PHC, which can cause correctness
532 // problems. For example, consider this sequence.
533 //
534 // 1. enter replace_free()
535 // 2. which calls PageFree()
536 // 3. which calls MozStackWalk()
537 // 4. which locks a mutex M, and then calls malloc
538 // 5. enter replace_malloc()
539 // 6. which calls MaybePageAlloc()
540 // 7. which calls MozStackWalk()
541 // 8. which (re)locks a mutex M --> deadlock
542 //
543 // We avoid this sequence by "disabling" the thread in PageFree() (at step
544 // 2), which causes MaybePageAlloc() to fail, avoiding the call to
545 // MozStackWalk() (at step 7).
546 //
547 // In practice, realloc or free of a PHC allocation is unlikely on a thread
548 // that is disabled because of this use: MozStackWalk() will probably only
549 // realloc/free allocations that it allocated itself, but those won't be
550 // page allocations because PHC is disabled before calling MozStackWalk().
551 //
552 // (Note that MaybePageAlloc() could safely do a page allocation so long as
553 // it avoided calling MozStackWalk() by getting a dummy allocStack. But it
554 // wouldn't be useful, and it would prevent the second use below.)
555 //
556 // - It's used to prevent PHC allocations in some tests that rely on
557 // mozjemalloc's exact allocation behaviour, which PHC does not replicate
558 // exactly. (Note that (b) isn't necessary for this use -- MozStackWalk()
559 // could be safely called -- but it is necessary for the first use above.)
560 //
567 }
568 }
573 }
578 }
581 };
594 };
596 // This type is used as a proof-of-lock token, to make it clear which functions
597 // require sMutex to be locked.
600 // Shared, mutable global state. Protected by sMutex; all accessing functions
601 // take a GMutLock as proof that sMutex is held.
607 };
609 // Metadata for each allocation page.
620 // The current allocation page state.
621 AllocPageState mState;
623 // The arena that the allocation is nominally from. This isn't meaningful
624 // within PHC, which has no arenas. But it is necessary for reallocation of
625 // page allocations as normal allocations, such as in this code:
626 //
627 // p = moz_arena_malloc(arenaId, 4096);
628 // realloc(p, 8192);
629 //
630 // The realloc is more than one page, and thus too large for PHC to handle.
631 // Therefore, if PHC handles the first allocation, it must ask mozjemalloc
632 // to allocate the 8192 bytes in the correct arena, and to do that, it must
633 // call sMallocTable.moz_arena_malloc with the correct arenaId under the
634 // covers. Therefore it must record that arenaId.
635 //
636 // This field is also needed for jemalloc_ptr_info() to work, because it
637 // also returns the arena ID (but only in debug builds).
638 //
639 // - NeverAllocated: must be 0.
640 // - InUse | Freed: can be any valid arena ID value.
643 // The starting address of the allocation. Will not be the same as the page
644 // address unless the allocation is a full page.
645 // - NeverAllocated: must be 0.
646 // - InUse | Freed: must be within the allocation page.
649 // Usable size is computed as the number of bytes between the pointer and
650 // the end of the allocation page. This might be bigger than the requested
651 // size, especially if an outsized alignment is requested.
657 }
659 // The internal fragmentation for this allocation.
663 }
665 // The allocation stack.
666 // - NeverAllocated: Nothing.
667 // - InUse | Freed: Some.
670 // The free stack.
671 // - NeverAllocated | InUse: Nothing.
672 // - Freed: Some.
675 // The time at which the page is available for reuse, as measured against
676 // GAtomic::sNow. When the page is in use this value will be kMaxTime.
677 // - NeverAllocated: must be 0.
678 // - InUse: must be kMaxTime.
679 // - Freed: must be > 0 and < kMaxTime.
680 Time mReuseTime;
681 };
684 // The mutex that protects the other members.
689 }
695 }
697 // Is the page free? And if so, has enough time passed that we can use it?
701 }
703 // Get the address of the allocation page referred to via an index. Used
704 // when checking pointers against page boundaries.
707 }
714 }
721 }
723 // The total fragmentation in PHC
728 }
730 }
744 }
746 #if PHC_LOGGING
748 #endif
756 // page.mState is not changed.
758 // Crash if the arenas don't match.
760 }
762 // We could just keep the original alloc stack, but the realloc stack is
763 // more recent and therefore seems more useful.
765 // page.mFreeStack is not changed.
766 // page.mReuseTime is not changed.
767 };
777 // page.mArenaId is left unchanged, for jemalloc_ptr_info() calls that
778 // occur after freeing (e.g. in the PtrInfo test in TestJemalloc.cpp).
780 // Crash if the arenas don't match.
782 }
784 // page.musableSize is left unchanged, for reporting on UAF, and for
785 // jemalloc_ptr_info() calls that occur after freeing (e.g. in the PtrInfo
786 // test in TestJemalloc.cpp).
788 // page.mAllocStack is left unchanged, for reporting on UAF.
792 #if PHC_LOGGING
794 #endif
796 }
799 // An operation on a guard page? This is a bounds violation. Deliberately
800 // touch the page in question, to cause a crash that triggers the usual PHC
801 // machinery.
805 }
811 // The pointer must point to the start of the allocation.
816 // An operation on a freed page? This is a particular kind of
817 // use-after-free. Deliberately touch the page in question, in order to
818 // cause a crash that triggers the usual PHC machinery. But unlock sMutex
819 // first, because that self-same PHC machinery needs to re-lock it, and
820 // the crash causes non-local control flow so sMutex won't be unlocked
821 // the normal way in the caller.
825 }
826 }
849 }
850 }
855 }
865 // Only return TagLiveAlloc if the pointer is within the bounds of the
866 // allocation's usable size.
873 }
875 }
878 // Only return TagFreedAlloc if the pointer is within the bounds of the
879 // former allocation's usable size.
886 }
888 }
892 }
894 // Pointers into guard pages will end up here, as will pointers into
895 // allocation pages that aren't within the allocation's bounds.
897 }
899 #ifndef XP_WIN
903 }
905 #endif
907 #if PHC_LOGGING
910 #else
913 #endif
915 #if PHC_LOGGING
919 };
922 PageStats stats;
927 }
930 }
935 }
937 // This is an integer because FdPrintf only supports integer printing.
940 }
941 #endif
946 // An older version of this code used RandomUint64() here, but on Mac that
947 // function uses arc4random(), which can allocate, which would cause
948 // re-entry, which would be bad. So we just use time() and a local variable
949 // address. These are mediocre sources of entropy, but good enough for PHC.
957 }
959 }
963 // There is nothing to assert about aPage.mArenaId.
969 }
972 // We can assert a lot about `NeverAllocated` pages, but not much about
973 // `Freed` pages.
974 #ifdef DEBUG
982 #endif
983 }
985 // RNG for deciding which allocations to treat specially. It doesn't need to
986 // be high quality.
987 //
988 // This is a raw pointer for the reason explained in the comment above
989 // GMut's constructor. Don't change it to UniquePtr or anything like that.
993 #if PHC_LOGGING
996 // How many allocations that could have been page allocs actually were? As
997 // constrained kNumAllocPages. If the hit ratio isn't close to 100% it's
998 // likely that the global constants are poorly chosen.
1001 #endif
1002 };
1008 //---------------------------------------------------------------------------
1009 // Page allocation operations
1010 //---------------------------------------------------------------------------
1012 // Attempt a page allocation if the time and the size are right. Allocated
1013 // memory is zeroed if aZero is true. On failure, the caller should attempt a
1014 // normal allocation via sMallocTable. Can be called in a context where
1015 // GMut::sMutex is locked.
1022 }
1026 // Decrement the delay. If it's zero, we do a page allocation and reset the
1027 // delay to a random number. Because the assignment to the random number isn't
1028 // atomic w.r.t. the decrement, we might have a sequence like this:
1029 //
1030 // Thread 1 Thread 2 Thread 3
1031 // -------- -------- --------
1032 // (a) newDelay = --sAllocDelay (-> 0)
1033 // (b) --sAllocDelay (-> -1)
1034 // (c) (newDelay != 0) fails
1035 // (d) --sAllocDelay (-> -2)
1036 // (e) sAllocDelay = new_random_number()
1037 //
1038 // It's critical that sAllocDelay has ReleaseAcquire semantics, because that
1039 // guarantees that exactly one thread will see sAllocDelay have the value 0.
1040 // (Relaxed semantics wouldn't guarantee that.)
1041 //
1042 // It's also nice that sAllocDelay is signed, given that we can decrement to
1043 // below zero. (Strictly speaking, an unsigned integer would also work due
1044 // to wrapping, but a signed integer is conceptually cleaner.)
1045 //
1046 // Finally, note that the decrements that occur between (a) and (e) above are
1047 // effectively ignored, because (e) clobbers them. This shouldn't be a
1048 // problem; it effectively just adds a little more randomness to
1049 // new_random_number(). An early version of this code tried to account for
1050 // these decrements by doing `sAllocDelay += new_random_number()`. However, if
1051 // new_random_value() is small, the number of decrements between (a) and (e)
1052 // can easily exceed it, whereupon sAllocDelay ends up negative after
1053 // `sAllocDelay += new_random_number()`, and the zero-check never succeeds
1054 // again. (At least, not until sAllocDelay wraps around on overflow, which
1055 // would take a very long time indeed.)
1056 //
1060 }
1064 }
1066 // Disable on this thread *before* getting the stack trace.
1067 AutoDisableOnCurrentThread disable;
1069 // Get the stack trace *before* locking the mutex. If we return nullptr then
1070 // it was a waste, but it's not so frequent, and doing a stack walk while
1071 // the mutex is locked is problematic (see the big comment on
1072 // StackTrace::Fill() for details).
1073 StackTrace allocStack;
1081 // We start at a random page alloc and wrap around, to ensure pages get even
1082 // amounts of use.
1089 }
1091 #if PHC_LOGGING
1093 #endif
1097 #ifdef XP_WIN
1099 #else
1101 #endif
1106 }
1111 // Put the allocation as close to the end of the page as possible,
1112 // allowing for alignment requirements.
1117 }
1119 #if PHC_LOGGING
1122 #endif
1129 #ifdef DEBUG
1131 #endif
1132 }
1135 #if PHC_LOGGING
1137 #endif
1145 }
1148 // No pages are available, or VirtualAlloc/mprotect failed.
1150 #if PHC_LOGGING
1152 #endif
1158 }
1160 // Set the new alloc delay.
1164 }
1171 #ifdef XP_WIN
1174 }
1175 #else
1179 }
1180 #endif
1183 }
1185 //---------------------------------------------------------------------------
1186 // replace-malloc machinery
1187 //---------------------------------------------------------------------------
1189 // This handles malloc, moz_arena_malloc, and realloc-with-a-nullptr.
1198 }
1202 }
1207 }
1209 // This handles both calloc and moz_arena_calloc.
1215 }
1223 }
1227 }
1229 // This function handles both realloc and moz_arena_realloc.
1230 //
1231 // As always, realloc is complicated, and doubly so when there are two
1232 // different kinds of allocations in play. Here are the possible transitions,
1233 // and what we do in practice.
1234 //
1235 // - normal-to-normal: This is straightforward and obviously necessary.
1236 //
1237 // - normal-to-page: This is disallowed because it would require getting the
1238 // arenaId of the normal allocation, which isn't possible in non-DEBUG builds
1239 // for security reasons.
1240 //
1241 // - page-to-page: This is done whenever possible, i.e. whenever the new size
1242 // is less than or equal to 4 KiB. This choice counterbalances the
1243 // disallowing of normal-to-page allocations, in order to avoid biasing
1244 // towards or away from page allocations. It always occurs in-place.
1245 //
1246 // - page-to-normal: this is done only when necessary, i.e. only when the new
1247 // size is greater than 4 KiB. This choice naturally flows from the
1248 // prior choice on page-to-page transitions.
1249 //
1250 // In summary: realloc doesn't change the allocation kind unless it must.
1251 //
1255 // Null pointer. Treat like malloc(aNewSize).
1257 }
1261 // A normal-to-normal transition.
1265 }
1269 }
1271 // At this point we know we have an allocation page.
1274 // A page-to-something transition.
1276 // Note that `disable` has no effect unless it is emplaced below.
1278 // Get the stack trace *before* locking the mutex.
1279 StackTrace stack;
1281 // PHC is disabled on this thread. Leave the stack empty.
1283 // Disable on this thread *before* getting the stack trace.
1286 }
1290 // Check for realloc() of a freed block.
1294 // A page-to-page transition. Just keep using the page allocation. We do
1295 // this even if the thread is disabled, because it doesn't create a new
1296 // page allocation. Note that ResizePageInUse() checks aArenaId.
1297 //
1298 // Move the bytes with memmove(), because the old allocation and the new
1299 // allocation overlap. Move the usable size rather than the requested size,
1300 // because the user might have used malloc_usable_size() and filled up the
1301 // usable size.
1310 }
1312 // A page-to-normal transition (with the new size greater than page-sized).
1313 // (Note that aArenaId is checked below.)
1322 }
1325 }
1331 // Copy the usable size rather than the requested size, because the user
1332 // might have used malloc_usable_size() and filled up the usable size. Note
1333 // that FreePage() checks aArenaId (via SetPageFreed()).
1342 }
1346 }
1348 // This handles both free and moz_arena_free.
1353 // Not a page allocation.
1356 }
1360 }
1362 // At this point we know we have an allocation page.
1365 // Note that `disable` has no effect unless it is emplaced below.
1367 // Get the stack trace *before* locking the mutex.
1368 StackTrace freeStack;
1370 // PHC is disabled on this thread. Leave the stack empty.
1372 // Disable on this thread *before* getting the stack trace.
1375 }
1379 // Check for a double-free.
1382 // Note that FreePage() checks aArenaId (via SetPageFreed()).
1386 #if PHC_LOGGING
1388 #endif
1392 }
1396 // This handles memalign and moz_arena_memalign.
1402 // PHC can't satisfy an alignment greater than a page size, so fall back to
1403 // mozjemalloc in that case.
1407 }
1411 aReqSize)
1413 }
1417 }
1422 // Not a page allocation. Measure it normally.
1424 }
1428 }
1430 // At this point we know aPtr lands within an allocation page, due to the
1431 // math done in the PtrKind constructor. But if aPtr points to memory
1432 // before the base address of the allocation, we return 0.
1441 }
1444 }
1449 }
1455 // Add all the pages to `mapped`.
1460 {
1463 // Add usable space of in-use allocations to `allocated`.
1467 }
1468 }
1469 }
1472 // guards is the gap between `allocated` and `mapped`. In some ways this
1473 // almost fits into aStats->wasted since it feels like wasted memory. However
1474 // wasted should only include committed memory and these guard pages are
1475 // uncommitted. Therefore we don't include it anywhere.
1476 // size_t guards = mapped - allocated;
1478 // aStats.page_cache and aStats.bin_unused are left unchanged because PHC
1479 // doesn't have anything corresponding to those.
1481 // The metadata is stored in normal heap allocations, so they're measured by
1482 // mozjemalloc as `allocated`. Move them into `bookkeeping`.
1483 // They're also reported under explicit/heap-overhead/phc/fragmentation in
1484 // about:memory.
1488 }
1491 // We need to implement this properly, because various code locations do
1492 // things like checking that allocations are in the expected arena.
1495 // Not a page allocation.
1497 }
1500 // Treat a guard page as unknown because there's no better alternative.
1503 }
1505 // At this point we know we have an allocation page.
1511 #if DEBUG
1514 #else
1517 #endif
1518 }
1521 // No need to do anything special here.
1523 }
1526 // No need to do anything special here.
1528 }
1531 // No need to do anything special here.
1533 }
1537 }
1542 }
1547 }
1551 }
1556 }
1563 }
1568 // The address is in the lower half of a guard page, so it's probably an
1569 // overflow. But first check that it is not on the very first guard
1570 // page, in which case it cannot be an overflow, and we ignore it.
1573 }
1575 // Get the allocation page preceding this guard page.
1579 // The address is in the upper half of a guard page, so it's probably an
1580 // underflow. Get the allocation page following this guard page.
1582 }
1584 // Make a note of the fact that we hit a guard page.
1586 }
1588 // At this point we know we have an allocation page.
1598 }
1600 }
1605 }
1610 }
1616 }
1626 }
1627 }
1628 };
1630 // WARNING: this function runs *very* early -- before all static initializers
1631 // have run. For this reason, non-scalar globals (gConst, gMut) are allocated
1632 // dynamically (so we can guarantee their construction in this function) rather
1633 // than statically. GAtomic and GTls contain simple static data that doesn't
1634 // involve static initializers so they don't need to be allocated dynamically.
1636 // Don't run PHC if the page size isn't 4 KiB.
1637 jemalloc_stats_t stats;
1641 }
1645 // The choices of which functions to replace are complex enough that we set
1646 // them individually instead of using MALLOC_FUNCS/malloc_decls.h.
1654 // posix_memalign, aligned_alloc & valloc: unset, which means they fall back
1655 // to replace_memalign.
1657 // default malloc_good_size: the default suffices.
1660 // jemalloc_purge_freed_pages: the default suffices.
1661 // jemalloc_free_dirty_pages: the default suffices.
1662 // jemalloc_thread_local_arena: the default suffices.
1666 replace_moz_create_arena_with_params;
1677 #ifndef XP_WIN
1678 // Avoid deadlocks when forking by acquiring our state lock prior to forking
1679 // and releasing it after forking. See |LogAlloc|'s |replace_init| for
1680 // in-depth details.
1681 //
1682 // Note: This must run after attempting an allocation so as to give the
1683 // system malloc a chance to insert its own atfork handler.
1686 #endif
1688 // gConst and gMut are never freed. They live for the life of the process.
1692 {
1694 Delay firstAllocDelay =
1697 }
1698 }