| blob | 872a10c86f05534793be7162fae522392d8279c4 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef ds_LifoAlloc_h
8 #define ds_LifoAlloc_h
17 #include <algorithm>
18 #include <new>
20 #include <type_traits>
21 #include <utility>
23 // [SMDOC] LifoAlloc bump allocator
24 //
25 // This file defines an allocator named LifoAlloc which is a Bump allocator,
26 // which has the property of making fast allocation but is not able to reclaim
27 // individual allocations.
28 //
29 // * Allocation principle
30 //
31 // In practice a LifoAlloc is implemented using a list of BumpChunks, which are
32 // contiguous memory areas which are chained in a single linked list.
33 //
34 // When an allocation is performed, we check if there is space in the last
35 // chunk. If there is we bump the pointer of the last chunk and return the
36 // previous value of the pointer. Otherwise we allocate a new chunk which is
37 // large enough and perform the allocation the same way.
38 //
39 // Each allocation is made with 2 main functions, called
40 // BumpChunk::nextAllocBase and BumpChunk::nextAllocEnd. These functions are
41 // made to avoid duplicating logic, such as allocating, checking if we can
42 // allocate or reserving a given buffer space. They are made to align the
43 // pointer for the next allocation (8-byte aligned), and also to reserve some
44 // red-zones to improve reports of our security instrumentation. (see Security
45 // features below)
46 //
47 // The Chunks sizes are following the heuristics implemented in NextSize
48 // (LifoAlloc.cpp), which doubles the size until we reach 1 MB and then
49 // continues with a smaller geometric series. This heuristic is meant to reduce
50 // the number of allocations, such that we spend less time allocating/freeing
51 // chunks of a few KB at a time.
52 //
53 // ** Oversize allocations
54 //
55 // When allocating with a LifoAlloc, we distinguish 2 different kinds of
56 // allocations, the small allocations and the large allocations. The reason for
57 // splitting in 2 sets is to avoid wasting memory.
58 //
59 // If you had a single linked list of chunks, then making oversized allocations
60 // can cause chunks to contain a lot of wasted space as new chunks would have to
61 // be allocated to fit these allocations, and the space of the previous chunk
62 // would remain unused.
63 //
64 // Oversize allocation size can be disabled or customized with disableOversize
65 // and setOversizeThreshold, which must be smaller than the default chunk size
66 // with which the LifoAlloc was initialized.
67 //
68 // ** LifoAllocScope (mark & release)
69 //
70 // As the memory cannot be reclaimed except when the LifoAlloc structure is
71 // deleted, the LifoAllocScope structure is used to create scopes, related to a
72 // stacked task. When going out of a LifoAllocScope the memory associated to the
73 // scope is marked as unused but not reclaimed. This implies that the memory
74 // allocated for one task can be reused for a similar task later on. (see
75 // Safety)
76 //
77 // LifoAllocScope is based on mark and release functions. The mark function is
78 // used to recall the offsets at which a LifoAllocScope got created. The release
79 // function takes the Mark as input and will flag all memory allocated after the
80 // mark creation as unused.
81 //
82 // When releasing all the memory of BumpChunks, these are moved to a list of
83 // unused chunks which will later be reused by new allocations.
84 //
85 // A bump chunk allocator normally has a single bump pointers, whereas we have
86 // 2. (see Oversize allocations) By doing so, we lose the ordering of allocation
87 // coming from a single linked list of allocation.
88 //
89 // However, we rely on the ordering of allocation with LifoAllocScope, i-e when
90 // mark and release functions are used. Thus the LifoAlloc::Mark is composed of
91 // 2 marks, One for each singled linked list of allocations, to keep both lists
92 // of allocations ordered.
93 //
94 // ** Infallible Allocator
95 //
96 // LifoAlloc can also be used as an infallible allocator. This requires the user
97 // to periodically ensure that enough space has been reserved to satisfy the
98 // upcoming set of allocations by calling LifoAlloc::ensureUnusedApproximate or
99 // LifoAlloc::allocEnsureUnused functions. Between 2 calls of these functions,
100 // functions such as allocInfallible can be used without checking against
101 // nullptr, as long as there is a bounded number of such calls and that all
102 // allocations including their red-zone fit in the reserved space.
103 //
104 // The infallible allocator mode can be toggle as being the default by calling
105 // setAsInfallibleByDefault, in which case an AutoFallibleScope should be used
106 // to make any large allocations. Failing to do so will raise an issue when
107 // running the LifoAlloc with the OOM Simulator. (see Security features)
108 //
109 // * LifoAlloc::Enum Iterator
110 //
111 // A LifoAlloc is used for backing the store-buffer of the Garbage Collector
112 // (GC). The store-buffer is appending data as it is being reported during
113 // incremental GC. The LifoAlloc::Enum class is used for iterating over the set
114 // of allocations made within the LifoAlloc.
115 //
116 // However, one must take extra care into having the proper associated types for
117 // the data which are being written and read out of the LifoAlloc. The iterator
118 // is reusing the same logic as the allocator in order to skip red-zones.
119 //
120 // At the moment, the iterator will cause a hard failure if any oversize
121 // allocation are made.
122 //
123 // * Safety
124 //
125 // A LifoAlloc is neither thread-safe nor interrupt-safe. It should only be
126 // manipulated in one thread of execution at a time. It can be transferred from
127 // one thread to another but should not be used concurrently.
128 //
129 // When using LifoAllocScope, no pointer to the data allocated within a
130 // LifoAllocScope should be stored in data allocated before the latest
131 // LifoAllocScope. This kind of issue can hide in different forms, such as
132 // appending to a Vector backed by a LifoAlloc, which can resize and move the
133 // data below the LifoAllocScope. Thus causing a use-after-free once leaving a
134 // LifoAllocScope.
135 //
136 // * Security features
137 //
138 // ** Single Linked List
139 //
140 // For sanity reasons this LifoAlloc implementation makes use of its own single
141 // linked list implementation based on unique pointers (UniquePtr). The reason
142 // for this is to ensure that a BumpChunk is owned only once, thus preventing
143 // use-after-free issues.
144 //
145 // ** OOM Simulator
146 //
147 // The OOM simulator is controlled by the JS_OOM_BREAKPOINT macro, and used to
148 // check any fallible allocation for potential OOM. Fallible functions are
149 // instrumented with JS_OOM_POSSIBLY_FAIL(); function calls, and are expected to
150 // return null on failures.
151 //
152 // Except for simulating OOMs, LifoAlloc is instrumented in DEBUG and OOM
153 // Simulator builds to checks for the correctness of the Infallible Allocator
154 // state. When using a LifoAlloc as an infallible allocator, enough space should
155 // always be reserved for the next allocations. Therefore, to check this
156 // invariant LifoAlloc::newChunkWithCapacity checks that any new chunks are
157 // allocated within a fallible scope, under AutoFallibleScope.
158 //
159 // ** Address Sanitizers & Valgrind
160 //
161 // When manipulating memory in a LifoAlloc, the memory remains contiguous and
162 // therefore subject to potential buffer overflow/underflow. To check for these
163 // memory corruptions, the macro LIFO_HAVE_MEM_CHECK is used to add red-zones
164 // with LIFO_MAKE_MEM_NOACCESS and LIFO_MAKE_MEM_UNDEFINED.
165 //
166 // The red-zone is a minimum space left in between 2 allocations. Any access to
167 // these red-zones should warn in both valgrind / ASan builds.
168 //
169 // The red-zone size is defined in BumpChunk::RedZoneSize and default to 0 if
170 // not instrumentation is expected, and 16 otherwise.
171 //
172 // ** Magic Number
173 //
174 // A simple sanity check is present in all BumpChunk under the form of a
175 // constant field which is never mutated. the BumpChunk::magic_ is initalized to
176 // the "Lif" string. Any mutation of this value indicate a memory corruption.
177 //
178 // This magic number is enabled in all MOZ_DIAGNOSTIC_ASSERT_ENABLED builds,
179 // which implies that all Nightly and dev-edition versions of
180 // Firefox/SpiderMonkey contain this instrumentation.
181 //
182 // ** Memory protection
183 //
184 // LifoAlloc chunks are holding a lot of memory. When the memory is known to be
185 // unused, unchanged for some period of time, such as moving from one thread to
186 // another. Then the memory can be set as read-only with LifoAlloc::setReadOnly
187 // and reset as read-write with LifoAlloc::setReadWrite.
188 //
189 // This code is guarded by LIFO_CHUNK_PROTECT and at the moment only enabled in
190 // DEBUG builds in order to avoid the fragmentation of the TLB which might run
191 // out-of-memory when calling mprotect.
192 //
215 };
217 // Single linked list which is using UniquePtr to hold the next pointers.
218 // UniquePtr are used to ensure that none of the elements are used
219 // silmutaneously in 2 different list.
223 // First element of the list which owns the next element, and ensure that
224 // that this list is the only owner of the element.
227 // Weak pointer to the last element of the list.
233 }
243 }
248 }
250 // Move the elements of the |other| list in the current one, and implicitly
251 // remove all the elements of the current list.
259 }
263 // Iterates over the elements of the list, this is used to avoid raw
264 // manipulation of pointers as much as possible.
278 }
282 }
285 }
286 };
292 // Split the list in 2 single linked lists after the element given as
293 // argument. The front of the list remains in the current list, while the
294 // back goes in the newly create linked list.
295 //
296 // This is used for example to extract one element from a list. (see
297 // LifoAlloc::getOrCreateChunk)
300 SingleLinkedList result;
305 }
309 }
314 }
318 }
327 }
329 }
333 }
338 }
343 }
350 }
354 }
361 }
364 }
365 };
369 MOZ_ALWAYS_INLINE
377 }
379 // A Chunk represent a single memory allocation made with the system
380 // allocator. As the owner of the memory, it is responsible for the allocation
381 // and the deallocation.
382 //
383 // This structure is only move-able, but not copyable.
386 // Pointer to the last byte allocated in this chunk.
388 // Pointer to the first byte after this chunk.
391 #ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
392 // Magic number used to check against poisoned values.
395 #endif
397 #if defined(DEBUG)
398 # define LIFO_CHUNK_PROTECT 1
399 #endif
401 // Poison the memory with memset, in order to catch errors due to
402 // use-after-free, with JS_LIFO_UNDEFINED_PATTERN pattern, or to catch
403 // use-before-init with JS_LIFO_UNINITIALIZED_PATTERN.
404 #if defined(DEBUG)
405 # define LIFO_HAVE_MEM_CHECKS 1
406 # define LIFO_MAKE_MEM_NOACCESS(addr, size) \
407 do { \
408 uint8_t* base = (addr); \
409 size_t sz = (size); \
410 MOZ_MAKE_MEM_UNDEFINED(base, sz); \
411 memset(base, JS_LIFO_UNDEFINED_PATTERN, sz); \
412 MOZ_MAKE_MEM_NOACCESS(base, sz); \
413 } while (0)
415 # define LIFO_MAKE_MEM_UNDEFINED(addr, size) \
416 do { \
417 uint8_t* base = (addr); \
418 size_t sz = (size); \
419 MOZ_MAKE_MEM_UNDEFINED(base, sz); \
420 memset(base, JS_LIFO_UNINITIALIZED_PATTERN, sz); \
421 MOZ_MAKE_MEM_UNDEFINED(base, sz); \
422 } while (0)
424 #elif defined(MOZ_HAVE_MEM_CHECKS)
425 # define LIFO_HAVE_MEM_CHECKS 1
426 # define LIFO_MAKE_MEM_NOACCESS(addr, size) \
427 MOZ_MAKE_MEM_NOACCESS((addr), (size))
428 # define LIFO_MAKE_MEM_UNDEFINED(addr, size) \
429 MOZ_MAKE_MEM_UNDEFINED((addr), (size))
430 #endif
432 #ifdef LIFO_HAVE_MEM_CHECKS
433 // Red zone reserved after each allocation.
435 #else
437 #endif
443 }
451 #ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
452 ,
454 #endif
455 {
457 #if defined(LIFO_HAVE_MEM_CHECKS)
458 // The memory is freshly allocated and marked as undefined by the
459 // allocator of the BumpChunk. Instead, we mark this memory as
460 // no-access, as it has not been allocated within the BumpChunk.
462 #endif
463 }
465 // Cast |this| into a uint8_t* pointer.
466 //
467 // Warning: Are you sure you do not want to use begin() instead?
471 // Update the bump pointer to any value contained in this chunk, which is
472 // above the private fields of this chunk.
473 //
474 // The memory is poisoned and flagged as no-access when the bump pointer is
475 // moving backward, such as when memory is released, or when a Mark is used
476 // to unwind previous allocations.
477 //
478 // The memory is flagged as undefined when the bump pointer is moving
479 // forward.
484 #if defined(LIFO_HAVE_MEM_CHECKS)
485 // Poison/Unpoison memory that we just free'd/allocated.
491 // The area [newBump - RedZoneSize .. newBump[ is already flagged as
492 // no-access either with the previous if-branch or with the
493 // BumpChunk constructor. No need to mark it twice.
494 }
495 #endif
497 }
502 // Returns true if this chunk contains no allocated content.
505 // Returns the size in bytes of the number of allocated space. This includes
506 // the size consumed by the alignment of the allocations.
509 // These are used for manipulating a chunk as if it was a vector of bytes,
510 // and used for iterating over the content of the buffer (see
511 // LifoAlloc::Enum)
516 // This function is the only way to allocate and construct a chunk. It
517 // returns a UniquePtr to the newly allocated chunk. The size given as
518 // argument includes the space needed for the header of the chunk.
521 // Report allocation.
524 }
526 // Report allocation size.
529 // Opaque type used to carry a pointer to the current location of the bump_
530 // pointer, within a BumpChunk.
532 // Chunk which owns the pointer.
534 // Recorded of the bump_ pointer of the BumpChunk.
544 };
546 // Return a mark to be able to unwind future allocations with the release
547 // function. (see LifoAllocScope)
550 // Check if a pointer is part of the allocated data of this chunk.
552 // Note: We cannot check "ptr < end()" because the mark have a 0-size
553 // length.
555 }
557 // Check if a mark is part of the allocated data of this chunk.
561 }
563 // Release the memory allocated in this chunk. This function does not call
564 // any of the destructors.
567 // Release the memory allocated in this chunk since the corresponding mark
568 // got created. This function does not call any of the destructors.
572 }
574 // Given an amount, compute the total size of a chunk for it: reserved
575 // space before |begin()|, space for |amount| bytes, and red-zone space
576 // after those bytes that will ultimately end at |capacity_|.
580 // Given a bump chunk pointer, find the next base/end pointers. This is
581 // useful for having consistent allocations, and iterating over known size
582 // allocations.
586 }
588 // Returns true, if the unused space is large enough for an allocation of
589 // |n| bytes.
592 // bump_ <= newBump, is necessary to catch overflow.
594 }
596 // Space remaining in the current chunk.
601 }
603 }
605 // Try to perform an allocation of size |n|, returns nullptr if not possible.
606 MOZ_ALWAYS_INLINE
613 }
615 // Check for overflow.
618 }
623 }
625 #ifdef LIFO_CHUNK_PROTECT
628 #else
631 #endif
632 };
634 // Space reserved for the BumpChunk internal data, and the alignment of the
635 // first allocation content. This can be used to ensure there is enough space
636 // for the next allocation (see LifoAlloc::newChunkWithCapacity).
654 }
658 }
664 // LIFO bump allocator: used for phase-oriented and fast LIFO allocations.
665 //
666 // Note: We leave BumpChunks latent in the set of unused chunks after they've
667 // been released to avoid thrashing before a GC.
672 // List of chunks containing allocated data of size smaller than the default
673 // chunk size. In the common case, the last chunk of this list is always
674 // used to perform the allocations. When the allocation cannot be performed,
675 // we move a Chunk from the unused set to the list of used chunks.
676 BumpChunkList chunks_;
678 // List of chunks containing allocated data where each allocation is larger
679 // than the oversize threshold. Each chunk contains exactly one allocation.
680 // This reduces wasted space in the chunk list.
681 //
682 // Oversize chunks are allocated on demand and freed as soon as they are
683 // released, instead of being pushed to the unused list.
684 BumpChunkList oversize_;
686 // Set of unused chunks, which can be reused for future allocations.
687 BumpChunkList unused_;
693 // Size of all chunks in chunks_, oversize_, unused_ lists.
697 // Size of all chunks containing small bump allocations. This heuristic is
698 // used to compute growth rate while ignoring chunks such as oversized,
699 // now-unused, or transferred (which followed their own growth patterns).
702 #if defined(DEBUG) || defined(JS_OOM_BREAKPOINT)
704 #endif
709 // Return a BumpChunk that can perform an allocation of at least size |n|.
712 // Reuse or allocate a BumpChunk that can perform an allocation of at least
713 // size |n|, if successful it is placed at the end the list of |chunks_|.
718 // Append unused chunks to the end of this LifoAlloc.
720 #ifdef DEBUG
723 }
724 #endif
726 }
728 // Append used chunks to the end of this LifoAlloc. We act as if all the
729 // chunks in |this| are used, even if they're not, so memory may be wasted.
732 }
734 // Track the amount of space allocated in used and unused chunks.
739 }
740 }
745 }
750 MOZ_ALWAYS_INLINE
753 // Give oversized allocations their own chunk instead of wasting space
754 // due to fragmentation at the end of normal chunk.
757 }
761 }
763 }
765 // Check for space in unused chunks or allocate a new unused chunk.
771 #if defined(DEBUG) || defined(JS_OOM_BREAKPOINT)
772 ,
774 #endif
775 {
777 }
779 // Set the threshold to allocate data in its own chunk outside the space for
780 // small allocations.
785 }
787 // Steal allocated chunks from |other|.
790 // Append all chunks from |other|. They are removed from |other|.
793 // Append unused chunks from |other|. They are removed from |other|.
800 // Frees all held memory.
807 }
808 }
810 MOZ_ALWAYS_INLINE
812 #if defined(DEBUG) || defined(JS_OOM_BREAKPOINT)
813 // Only simulate OOMs when we are not using the LifoAlloc as an
814 // infallible allocator.
817 }
818 #endif
820 }
822 // Allocates |n| bytes if we can guarantee that we will have
823 // |needed| unused bytes remaining. Returns nullptr if we can't.
824 // This is useful for maintaining our ballast invariants while
825 // attempting fallible allocations.
826 MOZ_ALWAYS_INLINE
836 }
839 }
849 }
852 }
854 MOZ_ALWAYS_INLINE
856 AutoEnterOOMUnsafeRegion oomUnsafe;
859 }
862 }
864 // Ensures that enough space exists to satisfy N bytes worth of
865 // allocation requests, not necessarily contiguous. Note that this does
866 // not guarantee a successful single allocation of N bytes.
874 }
875 }
878 }
880 MOZ_ALWAYS_INLINE
882 #if defined(DEBUG) || defined(JS_OOM_BREAKPOINT)
884 #endif
885 }
888 #if defined(DEBUG) || defined(JS_OOM_BREAKPOINT)
897 }
900 #else
903 #endif
904 };
909 "T must be trivially constructible so that constructors need "
912 "T must be trivially destructible so destructors don't need "
915 }
917 // Create an array with uninitialized elements of type |T|.
918 // The caller is responsible for initialization.
924 }
926 }
932 };
934 // Note: MOZ_NEVER_INLINE is a work around for a Clang 9 (PGO) miscompilation.
935 // See bug 1583907.
947 // When releasing all chunks, we can no longer determine which chunks were
948 // transferred and which were not, so simply clear the heuristic to zero
949 // right away.
954 }
957 // On release, we free any oversize allocations instead of keeping them
958 // in unused chunks.
962 }
963 }
965 // Protect the content of the LifoAlloc chunks.
966 #ifdef LIFO_CHUNK_PROTECT
969 #else
972 #endif
974 // Get the total "used" (occupied bytes) count for the arena chunks.
979 }
981 }
983 // Return true if the LifoAlloc does not currently contain any allocations.
989 }
991 // Return the number of bytes remaining to allocate in the current chunk.
992 // e.g. How many bytes we can allocate before needing a new block.
996 }
998 }
1000 // Get the total size of the arena chunks (including unused space).
1005 }
1008 }
1011 }
1013 }
1015 // Like sizeOfExcludingThis(), but includes the size of the LifoAlloc itself.
1018 }
1020 // Get the current size of the arena chunks (including unused space and
1021 // bookkeeping space).
1024 // Get the peak size of the arena chunks (including unused space and
1025 // bookkeeping space).
1028 // Doesn't perform construction; useful for lazily-initialized POD types.
1032 }
1037 #ifdef DEBUG
1042 }
1043 }
1047 }
1048 }
1050 }
1051 #endif
1053 // Iterate over the data allocated in a LifoAlloc, and interpret it.
1058 // Iterator over the list of bump chunks.
1061 // Read head (must be within chunk_).
1064 // If there is not enough room in the remaining block for |size|,
1065 // advance to the next block and update the position.
1073 // The current code assumes that if we have a chunk, then we
1074 // have allocated something it in.
1076 }
1080 }
1090 }
1091 }
1093 // Return true if there are no more bytes to enumerate.
1097 }
1099 // Move the read position forward by the size of one T.
1103 }
1105 // Return a pointer to the item at the current position. This returns a
1106 // pointer to the inline storage, not a copy, and moves the read-head by
1107 // the requested |size|.
1109 };
1110 };
1126 /*
1127 * The parser can allocate enormous amounts of memory for large functions.
1128 * Eagerly free the memory now (which otherwise won't be freed until the
1129 * next GC) to avoid unnecessary OOMs.
1130 */
1132 }
1135 };
1150 }
1154 }
1160 }
1163 }
1169 }
1173 }
1177 }
1181 }
1185 }
1191 }
1192 };