| blob | 5ff11be5b5f63ab1a0a2f7ada64e97d5e3478b28 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 // PHC is a probabilistic heap checker. A tiny fraction of randomly chosen heap
8 // allocations are subject to some expensive checking via the use of OS page
9 // access protection. A failed check triggers a crash, whereupon useful
10 // information about the failure is put into the crash report. The cost and
11 // coverage for each user is minimal, but spread over the entire user base the
12 // coverage becomes significant.
13 //
14 // The idea comes from Chromium, where it is called GWP-ASAN. (Firefox uses PHC
15 // as the name because GWP-ASAN is long, awkward, and doesn't have any
16 // particular meaning.)
17 //
18 // In the current implementation up to 64 allocations per process can become
19 // PHC allocations. These allocations must be page-sized or smaller. Each PHC
20 // allocation gets its own page, and when the allocation is freed its page is
21 // marked inaccessible until the page is reused for another allocation. This
22 // means that a use-after-free defect (which includes double-frees) will be
23 // caught if the use occurs before the page is reused for another allocation.
24 // The crash report will contain stack traces for the allocation site, the free
25 // site, and the use-after-free site, which is often enough to diagnose the
26 // defect.
27 //
28 // Also, each PHC allocation is followed by a guard page. The PHC allocation is
29 // positioned so that its end abuts the guard page (or as close as possible,
30 // given alignment constraints). This means that a bounds violation at the end
31 // of the allocation (overflow) will be caught. The crash report will contain
32 // stack traces for the allocation site and the bounds violation use site,
33 // which is often enough to diagnose the defect.
34 //
35 // (A bounds violation at the start of the allocation (underflow) will not be
36 // caught, unless it is sufficiently large to hit the preceding allocation's
37 // guard page, which is not that likely. It would be possible to look more
38 // assiduously for underflow by randomly placing some allocations at the end of
39 // the page and some at the start of the page, and GWP-ASAN does this. PHC does
40 // not, however, because overflow is likely to be much more common than
41 // underflow in practice.)
42 //
43 // We use a simple heuristic to categorize a guard page access as overflow or
44 // underflow: if the address falls in the lower half of the guard page, we
45 // assume it is overflow, otherwise we assume it is underflow. More
46 // sophisticated heuristics are possible, but this one is very simple, and it is
47 // likely that most overflows/underflows in practice are very close to the page
48 // boundary.
49 //
50 // The design space for the randomization strategy is large. The current
51 // implementation has a large random delay before it starts operating, and a
52 // small random delay between each PHC allocation attempt. Each freed PHC
53 // allocation is quarantined for a medium random delay before being reused, in
54 // order to increase the chance of catching UAFs.
55 //
56 // The basic cost of PHC's operation is as follows.
57 //
58 // - The physical memory cost is 64 pages plus some metadata (including stack
59 // traces) for each page. This amounts to 256 KiB per process on
60 // architectures with 4 KiB pages and 1024 KiB on macOS/AArch64 which uses
61 // 16 KiB pages.
62 //
63 // - The virtual memory cost is the physical memory cost plus the guard pages:
64 // another 64 pages. This amounts to another 256 KiB per process on
65 // architectures with 4 KiB pages and 1024 KiB on macOS/AArch64 which uses
66 // 16 KiB pages. PHC is currently only enabled on 64-bit platforms so the
67 // impact of the virtual memory usage is negligible.
68 //
69 // - Every allocation requires a size check and a decrement-and-check of an
70 // atomic counter. When the counter reaches zero a PHC allocation can occur,
71 // which involves marking a page as accessible and getting a stack trace for
72 // the allocation site. Otherwise, mozjemalloc performs the allocation.
73 //
74 // - Every deallocation requires a range check on the pointer to see if it
75 // involves a PHC allocation. (The choice to only do PHC allocations that are
76 // a page or smaller enables this range check, because the 64 pages are
77 // contiguous. Allowing larger allocations would make this more complicated,
78 // and we definitely don't want something as slow as a hash table lookup on
79 // every deallocation.) PHC deallocations involve marking a page as
80 // inaccessible and getting a stack trace for the deallocation site.
81 //
82 // Note that calls to realloc(), free(), and malloc_usable_size() will
83 // immediately crash if the given pointer falls within a page allocation's
84 // page, but does not point to the start of the allocation itself.
85 //
86 // void* p = malloc(64);
87 // free(p + 1); // p+1 doesn't point to the allocation start; crash
88 //
89 // Such crashes will not have the PHC fields in the crash report.
90 //
91 // PHC-specific tests can be run with the following commands:
92 // - gtests: `./mach gtest '*PHC*'`
93 // - xpcshell-tests: `./mach test toolkit/crashreporter/test/unit`
94 // - This runs some non-PHC tests as well.
98 #include <stdlib.h>
99 #include <time.h>
101 #include <algorithm>
103 #ifdef XP_WIN
104 # include <process.h>
105 #else
106 # include <sys/mman.h>
107 # include <sys/types.h>
108 # include <pthread.h>
109 # include <unistd.h>
110 #endif
126 //---------------------------------------------------------------------------
127 // Utilities
128 //---------------------------------------------------------------------------
130 #ifdef ANDROID
131 // Android doesn't have pthread_atfork defined in pthread.h.
134 #endif
136 #ifndef DISALLOW_COPY_AND_ASSIGN
137 # define DISALLOW_COPY_AND_ASSIGN(T) \
138 T(const T&); \
139 void operator=(const T&)
140 #endif
144 // This class provides infallible operations for the small number of heap
145 // allocations that PHC does for itself. It would be nice if we could use the
146 // InfallibleAllocPolicy from mozalloc, but PHC cannot use mozalloc.
152 }
153 }
160 }
161 };
163 //---------------------------------------------------------------------------
164 // Stack traces
165 //---------------------------------------------------------------------------
167 // This code is similar to the equivalent code within DMD.
185 }
186 };
188 // WARNING WARNING WARNING: this function must only be called when GMut::sMutex
189 // is *not* locked, otherwise we might get deadlocks.
190 //
191 // How? On Windows, MozStackWalk() can lock a mutex, M, from the shared library
192 // loader. Another thread might call malloc() while holding M locked (when
193 // loading a shared library) and try to lock GMut::sMutex, causing a deadlock.
194 // So GMut::sMutex can't be locked during the call to MozStackWalk(). (For
195 // details, see https://bugzilla.mozilla.org/show_bug.cgi?id=374829#c8. On
196 // Linux, something similar can happen; see bug 824340. So we just disallow it
197 // on all platforms.)
198 //
199 // In DMD, to avoid this problem we temporarily unlock the equivalent mutex for
200 // the MozStackWalk() call. But that's grotty, and things are a bit different
201 // here, so we just require that stack traces be obtained before locking
202 // GMut::sMutex.
203 //
204 // Unfortunately, there is no reliable way at compile-time or run-time to ensure
205 // this pre-condition. Hence this large comment.
206 //
210 #if defined(XP_WIN) && defined(_M_IX86)
211 // This avoids MozStackWalk(), which causes unusably slow startup on Win32
212 // when it is called during static initialization (see bug 1241684).
213 //
214 // This code is cribbed from the Gecko Profiler, which also uses
215 // FramePointerStackWalk() on Win32: Registers::SyncPopulate() for the
216 // frame pointer, and GetStackTop() for the stack end.
217 CONTEXT context;
224 #elif defined(XP_MACOSX)
225 // This avoids MozStackWalk(), which has become unusably slow on Mac due to
226 // changes in libunwind.
227 //
228 // This code is cribbed from the Gecko Profiler, which also uses
229 // FramePointerStackWalk() on Mac: Registers::SyncPopulate() for the frame
230 // pointer, and GetStackTop() for the stack end.
231 # pragma GCC diagnostic push
234 # pragma GCC diagnostic pop
237 #else
239 #endif
240 }
242 //---------------------------------------------------------------------------
243 // Logging
244 //---------------------------------------------------------------------------
246 // Change this to 1 to enable some PHC logging. Useful for debugging.
247 #define PHC_LOGGING 0
249 #if PHC_LOGGING
254 # if defined(XP_WIN)
256 # else
258 # endif
259 }
261 # if defined(XP_WIN)
262 # define LOG_STDERR \
263 reinterpret_cast<intptr_t>(GetStdHandle(STD_ERROR_HANDLE))
264 # else
265 # define LOG_STDERR 2
266 # endif
267 # define LOG(fmt, ...) \
269 size_t(GAtomic::Now()), __VA_ARGS__)
271 #else
273 # define LOG(fmt, ...)
277 //---------------------------------------------------------------------------
278 // Global state
279 //---------------------------------------------------------------------------
281 // Throughout this entire file time is measured as the number of sub-page
282 // allocations performed (by PHC and mozjemalloc combined). `Time` is 64-bit
283 // because we could have more than 2**32 allocations in a long-running session.
284 // `Delay` is 32-bit because the delays used within PHC are always much smaller
285 // than 2**32.
289 // PHC only runs if the page size is 4 KiB; anything more is uncommon and would
290 // use too much memory. So we hardwire this size for all platforms but macOS
291 // on ARM processors. For the latter we make an exception because the minimum
292 // page size supported is 16KiB so there's no way to go below that.
294 #if defined(XP_MACOSX) && defined(__aarch64__)
295 16384
296 #else
297 4096
298 #endif
299 ;
301 // We align the PHC area to a multiple of the jemalloc and JS GC chunk size
302 // (both use 1MB aligned chunks) so that their address computations don't lead
303 // from non-PHC memory into PHC memory causing misleading PHC stacks to be
304 // attached to a crash report.
310 // There are two kinds of page.
311 // - Allocation pages, from which allocations are made.
312 // - Guard pages, which are never touched by PHC.
313 //
314 // These page kinds are interleaved; each allocation page has a guard page on
315 // either side.
319 // The total size of the allocation pages and guard pages.
322 // jemalloc adds a guard page to the end of our allocation, see the comment in
323 // AllocAllPages() for more information.
326 // The default state for PHC. Either Enabled or OnlyFree.
327 #define DEFAULT_STATE mozilla::phc::OnlyFree
329 // The junk value used to fill new allocation in debug builds. It's same value
330 // as the one used by mozjemalloc. PHC applies it unconditionally in debug
331 // builds. Unlike mozjemalloc, PHC doesn't consult the MALLOC_OPTIONS
332 // environment variable to possibly change that behaviour.
333 //
334 // Also note that, unlike mozjemalloc, PHC doesn't have a poison value for freed
335 // allocations because freed allocations are protected by OS page protection.
336 #ifdef DEBUG
338 #endif
340 // The maximum time.
343 // The average delay before doing any page allocations at the start of a
344 // process. Note that roughly 1 million allocations occur in the main process
345 // while starting the browser. The delay range is 1..kAvgFirstAllocDelay*2.
348 // The average delay until the next attempted page allocation, once we get past
349 // the first delay. The delay range is 1..kAvgAllocDelay*2.
352 // The average delay before reusing a freed page. Should be significantly larger
353 // than kAvgAllocDelay, otherwise there's not much point in having it. The delay
354 // range is (kAvgAllocDelay / 2)..(kAvgAllocDelay / 2 * 3). This is different to
355 // the other delay ranges in not having a minimum of 1, because that's such a
356 // short delay that there is a high likelihood of bad stacks in any crash
357 // report.
360 // Truncate aRnd to the range (1 .. AvgDelay*2). If aRnd is random, this
361 // results in an average value of aAvgDelay + 0.5, which is close enough to
362 // aAvgDelay. aAvgDelay must be a power-of-two (otherwise it will crash) for
363 // speed.
369 }
371 // Maps a pointer to a PHC-specific structure:
372 // - Nothing
373 // - A guard page (it is unspecified which one)
374 // - An allocation page (with an index < kNumAllocPages)
375 //
376 // The standard way of handling a PtrKind is to check IsNothing(), and if that
377 // fails, to check IsGuardPage(), and if that fails, to call AllocPage().
381 Nothing,
382 GuardPage,
383 AllocPage,
384 };
386 Tag mTag;
390 // Detect what a pointer points to. This constructor must be fast because it
391 // is called for every call to free(), realloc(), malloc_usable_size(), and
392 // jemalloc_ptr_info().
402 // Odd-indexed pages are allocation pages.
408 // Even-numbered pages are guard pages.
410 }
411 }
412 }
417 // This should only be called after IsNothing() and IsGuardPage() have been
418 // checked and failed.
422 }
423 };
425 // Shared, atomic, mutable global state.
432 }
438 // Decrements the delay and returns the decremented value.
444 // Delay is unsigned so we can't test for less that zero. Instead test if
445 // it has wrapped around by comparing with the maximum value we ever use.
447 }
450 // The current time. Relaxed semantics because it's primarily used for
451 // determining if an allocation can be recycled yet and therefore it doesn't
452 // need to be exact.
455 // Delay until the next attempt at a page allocation. See the comment in
456 // MaybePageAlloc() for an explanation of why it uses ReleaseAcquire
457 // semantics.
459 };
464 // Shared, immutable global state. Initialized by replace_init() and never
465 // changed after that. replace_init() runs early enough that no synchronization
466 // is needed.
469 // The bounds of the allocated pages.
473 // Allocates the allocation pages and the guard pages, contiguously.
475 // The memory allocated here is never freed, because it would happen at
476 // process termination when it would be of little use.
478 // We can rely on jemalloc's behaviour that when it allocates memory aligned
479 // with its own chunk size it will over-allocate and guarantee that the
480 // memory after the end of our allocation, but before the next chunk, is
481 // decommitted and inaccessible. Elsewhere in PHC we assume that we own
482 // that page (so that memory errors in it get caught by PHC) but here we
483 // use kAllPagesJemallocSize which subtracts jemalloc's guard page.
487 }
489 // Make the pages inaccessible.
490 #ifdef XP_WIN
493 }
494 #else
498 }
499 #endif
502 }
508 }
513 }
517 }
519 // Get the address of the allocation page referred to via an index. Used when
520 // marking the page as accessible/inaccessible.
523 // Multiply by two and add one to account for allocation pages *and* guard
524 // pages.
526 }
527 };
531 // This type is used as a proof-of-lock token, to make it clear which functions
532 // require sMutex to be locked.
535 // Shared, mutable global state. Protected by sMutex; all accessing functions
536 // take a GMutLock as proof that sMutex is held.
542 };
544 // Metadata for each allocation page.
552 // The current allocation page state.
553 AllocPageState mState;
555 // The arena that the allocation is nominally from. This isn't meaningful
556 // within PHC, which has no arenas. But it is necessary for reallocation of
557 // page allocations as normal allocations, such as in this code:
558 //
559 // p = moz_arena_malloc(arenaId, 4096);
560 // realloc(p, 8192);
561 //
562 // The realloc is more than one page, and thus too large for PHC to handle.
563 // Therefore, if PHC handles the first allocation, it must ask mozjemalloc
564 // to allocate the 8192 bytes in the correct arena, and to do that, it must
565 // call sMallocTable.moz_arena_malloc with the correct arenaId under the
566 // covers. Therefore it must record that arenaId.
567 //
568 // This field is also needed for jemalloc_ptr_info() to work, because it
569 // also returns the arena ID (but only in debug builds).
570 //
571 // - NeverAllocated: must be 0.
572 // - InUse | Freed: can be any valid arena ID value.
575 // The starting address of the allocation. Will not be the same as the page
576 // address unless the allocation is a full page.
577 // - NeverAllocated: must be 0.
578 // - InUse | Freed: must be within the allocation page.
581 // Usable size is computed as the number of bytes between the pointer and
582 // the end of the allocation page. This might be bigger than the requested
583 // size, especially if an outsized alignment is requested.
589 }
591 // The internal fragmentation for this allocation.
595 }
597 // The allocation stack.
598 // - NeverAllocated: Nothing.
599 // - InUse | Freed: Some.
602 // The free stack.
603 // - NeverAllocated | InUse: Nothing.
604 // - Freed: Some.
607 // The time at which the page is available for reuse, as measured against
608 // GAtomic::sNow. When the page is in use this value will be kMaxTime.
609 // - NeverAllocated: must be 0.
610 // - InUse: must be kMaxTime.
611 // - Freed: must be > 0 and < kMaxTime.
612 Time mReuseTime;
613 };
616 // The mutex that protects the other members.
625 }
627 // Is the page free? And if so, has enough time passed that we can use it?
631 }
633 // Get the address of the allocation page referred to via an index. Used
634 // when checking pointers against page boundaries.
637 }
644 }
651 }
653 // The total fragmentation in PHC
658 }
660 }
674 }
676 #if PHC_LOGGING
678 #endif
686 // page.mState is not changed.
688 // Crash if the arenas don't match.
690 }
692 // We could just keep the original alloc stack, but the realloc stack is
693 // more recent and therefore seems more useful.
695 // page.mFreeStack is not changed.
696 // page.mReuseTime is not changed.
697 };
707 // page.mArenaId is left unchanged, for jemalloc_ptr_info() calls that
708 // occur after freeing (e.g. in the PtrInfo test in TestJemalloc.cpp).
710 // Crash if the arenas don't match.
712 }
714 // page.musableSize is left unchanged, for reporting on UAF, and for
715 // jemalloc_ptr_info() calls that occur after freeing (e.g. in the PtrInfo
716 // test in TestJemalloc.cpp).
718 // page.mAllocStack is left unchanged, for reporting on UAF.
722 #if PHC_LOGGING
724 #endif
726 }
729 // An operation on a guard page? This is a bounds violation. Deliberately
730 // touch the page in question to cause a crash that triggers the usual PHC
731 // machinery.
735 }
741 // The pointer must point to the start of the allocation.
746 // An operation on a freed page? This is a particular kind of
747 // use-after-free. Deliberately touch the page in question, in order to
748 // cause a crash that triggers the usual PHC machinery. But unlock sMutex
749 // first, because that self-same PHC machinery needs to re-lock it, and
750 // the crash causes non-local control flow so sMutex won't be unlocked
751 // the normal way in the caller.
755 }
756 }
758 // This expects GMUt::sMutex to be locked but can't check it with a parameter
759 // since we try-lock it.
781 }
782 }
787 }
797 // Only return TagLiveAlloc if the pointer is within the bounds of the
798 // allocation's usable size.
805 }
807 }
810 // Only return TagFreedAlloc if the pointer is within the bounds of the
811 // former allocation's usable size.
818 }
820 }
824 }
826 // Pointers into guard pages will end up here, as will pointers into
827 // allocation pages that aren't within the allocation's bounds.
829 }
831 #ifndef XP_WIN
835 }
837 #endif
839 #if PHC_LOGGING
842 #else
845 #endif
847 #if PHC_LOGGING
851 };
854 PageStats stats;
859 }
862 }
867 }
869 // This is an integer because FdPrintf only supports integer printing.
872 }
873 #endif
875 // Should we make new PHC allocations?
878 }
886 // An older version of this code used RandomUint64() here, but on Mac that
887 // function uses arc4random(), which can allocate, which would cause
888 // re-entry, which would be bad. So we just use time() and a local variable
889 // address. These are mediocre sources of entropy, but good enough for PHC.
897 }
899 }
903 // There is nothing to assert about aPage.mArenaId.
909 }
912 // We can assert a lot about `NeverAllocated` pages, but not much about
913 // `Freed` pages.
914 #ifdef DEBUG
922 #endif
923 }
925 // RNG for deciding which allocations to treat specially. It doesn't need to
926 // be high quality.
927 //
928 // This is a raw pointer for the reason explained in the comment above
929 // GMut's constructor. Don't change it to UniquePtr or anything like that.
933 #if PHC_LOGGING
936 // How many allocations that could have been page allocs actually were? As
937 // constrained kNumAllocPages. If the hit ratio isn't close to 100% it's
938 // likely that the global constants are poorly chosen.
941 #endif
943 // This will only ever be updated from one thread. The other threads should
944 // eventually get the update.
947 };
953 // When PHC wants to crash we first have to unlock so that the crash reporter
954 // can call into PHC to lockup its pointer. That also means that before calling
955 // PHCCrash please ensure that state is consistent. Because this can report an
956 // arbitrary string, use of it must be reviewed by Firefox data stewards.
961 }
963 // On MacOS, the first __thread/thread_local access calls malloc, which leads
964 // to an infinite loop. So we use pthread-based TLS instead, which somehow
965 // doesn't have this problem.
966 #if !defined(XP_DARWIN)
967 # define PHC_THREAD_LOCAL(T) MOZ_THREAD_LOCAL(T)
968 #else
969 # define PHC_THREAD_LOCAL(T) \
970 detail::ThreadLocal<T, detail::ThreadLocalKeyStorage>
971 #endif
973 // Thread-local state.
980 // When true, PHC does as little as possible.
981 //
982 // (a) It does not allocate any new page allocations.
983 //
984 // (b) It avoids doing any operations that might call malloc/free/etc., which
985 // would cause re-entry into PHC. (In practice, MozStackWalk() is the
986 // only such operation.) Note that calls to the functions in sMallocTable
987 // are ok.
988 //
989 // For example, replace_malloc() will just fall back to mozjemalloc. However,
990 // operations involving existing allocations are more complex, because those
991 // existing allocations may be page allocations. For example, if
992 // replace_free() is passed a page allocation on a PHC-disabled thread, it
993 // will free the page allocation in the usual way, but it will get a dummy
994 // freeStack in order to avoid calling MozStackWalk(), as per (b) above.
995 //
996 // This single disabling mechanism has two distinct uses.
997 //
998 // - It's used to prevent re-entry into PHC, which can cause correctness
999 // problems. For example, consider this sequence.
1000 //
1001 // 1. enter replace_free()
1002 // 2. which calls PageFree()
1003 // 3. which calls MozStackWalk()
1004 // 4. which locks a mutex M, and then calls malloc
1005 // 5. enter replace_malloc()
1006 // 6. which calls MaybePageAlloc()
1007 // 7. which calls MozStackWalk()
1008 // 8. which (re)locks a mutex M --> deadlock
1009 //
1010 // We avoid this sequence by "disabling" the thread in PageFree() (at step
1011 // 2), which causes MaybePageAlloc() to fail, avoiding the call to
1012 // MozStackWalk() (at step 7).
1013 //
1014 // In practice, realloc or free of a PHC allocation is unlikely on a thread
1015 // that is disabled because of this use: MozStackWalk() will probably only
1016 // realloc/free allocations that it allocated itself, but those won't be
1017 // page allocations because PHC is disabled before calling MozStackWalk().
1018 //
1019 // (Note that MaybePageAlloc() could safely do a page allocation so long as
1020 // it avoided calling MozStackWalk() by getting a dummy allocStack. But it
1021 // wouldn't be useful, and it would prevent the second use below.)
1022 //
1023 // - It's used to prevent PHC allocations in some tests that rely on
1024 // mozjemalloc's exact allocation behaviour, which PHC does not replicate
1025 // exactly. (Note that (b) isn't necessary for this use -- MozStackWalk()
1026 // could be safely called -- but it is necessary for the first use above.)
1027 //
1032 }
1033 }
1038 }
1044 {
1047 }
1049 }
1051 }
1057 };
1070 };
1072 //---------------------------------------------------------------------------
1073 // Page allocation operations
1074 //---------------------------------------------------------------------------
1076 // Attempt a page allocation if the time and the size are right. Allocated
1077 // memory is zeroed if aZero is true. On failure, the caller should attempt a
1078 // normal allocation via sMallocTable. Can be called in a context where
1079 // GMut::sMutex is locked.
1086 }
1091 }
1095 // Decrement the delay. If it's zero, we do a page allocation and reset the
1096 // delay to a random number. Because the assignment to the random number isn't
1097 // atomic w.r.t. the decrement, we might have a sequence like this:
1098 //
1099 // Thread 1 Thread 2 Thread 3
1100 // -------- -------- --------
1101 // (a) newDelay = --sAllocDelay (-> 0)
1102 // (b) --sAllocDelay (-> -1)
1103 // (c) (newDelay != 0) fails
1104 // (d) --sAllocDelay (-> -2)
1105 // (e) sAllocDelay = new_random_number()
1106 //
1107 // It's critical that sAllocDelay has ReleaseAcquire semantics, because that
1108 // guarantees that exactly one thread will see sAllocDelay have the value 0.
1109 // (Relaxed semantics wouldn't guarantee that.)
1110 //
1111 // Note that sAllocDelay is unsigned and we expect that it will wrap after
1112 // being decremented "below" zero. It must be unsigned so that IsPowerOfTwo()
1113 // can work on some Delay values.
1114 //
1115 // Finally, note that the decrements that occur between (a) and (e) above are
1116 // effectively ignored, because (e) clobbers them. This shouldn't be a
1117 // problem; it effectively just adds a little more randomness to
1118 // new_random_number(). An early version of this code tried to account for
1119 // these decrements by doing `sAllocDelay += new_random_number()`. However, if
1120 // new_random_value() is small, the number of decrements between (a) and (e)
1121 // can easily exceed it, whereupon sAllocDelay ends up negative after
1122 // `sAllocDelay += new_random_number()`, and the zero-check never succeeds
1123 // again. (At least, not until sAllocDelay wraps around on overflow, which
1124 // would take a very long time indeed.)
1125 //
1129 }
1133 }
1135 // Disable on this thread *before* getting the stack trace.
1136 AutoDisableOnCurrentThread disable;
1138 // Get the stack trace *before* locking the mutex. If we return nullptr then
1139 // it was a waste, but it's not so frequent, and doing a stack walk while
1140 // the mutex is locked is problematic (see the big comment on
1141 // StackTrace::Fill() for details).
1142 StackTrace allocStack;
1150 // We start at a random page alloc and wrap around, to ensure pages get even
1151 // amounts of use.
1158 }
1160 #if PHC_LOGGING
1162 #endif
1166 #ifdef XP_WIN
1168 #else
1170 #endif
1175 }
1180 // Put the allocation as close to the end of the page as possible,
1181 // allowing for alignment requirements.
1186 }
1188 #if PHC_LOGGING
1191 #endif
1198 #ifdef DEBUG
1200 #endif
1201 }
1204 #if PHC_LOGGING
1206 #endif
1214 }
1217 // No pages are available, or VirtualAlloc/mprotect failed.
1219 #if PHC_LOGGING
1221 #endif
1227 }
1229 // Set the new alloc delay.
1233 }
1241 #ifdef XP_WIN
1244 }
1245 #else
1249 }
1250 #endif
1253 }
1255 //---------------------------------------------------------------------------
1256 // replace-malloc machinery
1257 //---------------------------------------------------------------------------
1259 // This handles malloc, moz_arena_malloc, and realloc-with-a-nullptr.
1268 }
1272 }
1277 }
1279 // This handles both calloc and moz_arena_calloc.
1285 }
1293 }
1297 }
1299 // This function handles both realloc and moz_arena_realloc.
1300 //
1301 // As always, realloc is complicated, and doubly so when there are two
1302 // different kinds of allocations in play. Here are the possible transitions,
1303 // and what we do in practice.
1304 //
1305 // - normal-to-normal: This is straightforward and obviously necessary.
1306 //
1307 // - normal-to-page: This is disallowed because it would require getting the
1308 // arenaId of the normal allocation, which isn't possible in non-DEBUG builds
1309 // for security reasons.
1310 //
1311 // - page-to-page: This is done whenever possible, i.e. whenever the new size
1312 // is less than or equal to 4 KiB. This choice counterbalances the
1313 // disallowing of normal-to-page allocations, in order to avoid biasing
1314 // towards or away from page allocations. It always occurs in-place.
1315 //
1316 // - page-to-normal: this is done only when necessary, i.e. only when the new
1317 // size is greater than 4 KiB. This choice naturally flows from the
1318 // prior choice on page-to-page transitions.
1319 //
1320 // In summary: realloc doesn't change the allocation kind unless it must.
1321 //
1325 // Null pointer. Treat like malloc(aNewSize).
1327 }
1331 // A normal-to-normal transition.
1335 }
1339 }
1341 // At this point we know we have an allocation page.
1344 // A page-to-something transition.
1346 // Note that `disable` has no effect unless it is emplaced below.
1348 // Get the stack trace *before* locking the mutex.
1349 StackTrace stack;
1351 // PHC is disabled on this thread. Leave the stack empty.
1353 // Disable on this thread *before* getting the stack trace.
1356 }
1360 // Check for realloc() of a freed block.
1364 // A page-to-page transition. Just keep using the page allocation. We do
1365 // this even if the thread is disabled, because it doesn't create a new
1366 // page allocation. Note that ResizePageInUse() checks aArenaId.
1367 //
1368 // Move the bytes with memmove(), because the old allocation and the new
1369 // allocation overlap. Move the usable size rather than the requested size,
1370 // because the user might have used malloc_usable_size() and filled up the
1371 // usable size.
1380 }
1382 // A page-to-normal transition (with the new size greater than page-sized).
1383 // (Note that aArenaId is checked below.)
1392 }
1395 }
1399 // Copy the usable size rather than the requested size, because the user
1400 // might have used malloc_usable_size() and filled up the usable size. Note
1401 // that FreePage() checks aArenaId (via SetPageFreed()).
1410 }
1414 }
1416 // This handles both free and moz_arena_free.
1421 // Not a page allocation.
1424 }
1428 }
1430 // At this point we know we have an allocation page.
1433 // Note that `disable` has no effect unless it is emplaced below.
1435 // Get the stack trace *before* locking the mutex.
1436 StackTrace freeStack;
1438 // PHC is disabled on this thread. Leave the stack empty.
1440 // Disable on this thread *before* getting the stack trace.
1443 }
1447 // Check for a double-free.
1450 // Note that FreePage() checks aArenaId (via SetPageFreed()).
1454 #if PHC_LOGGING
1456 #endif
1460 }
1464 // This handles memalign and moz_arena_memalign.
1470 // PHC can't satisfy an alignment greater than a page size, so fall back to
1471 // mozjemalloc in that case.
1475 }
1479 aReqSize)
1481 }
1485 }
1490 // Not a page allocation. Measure it normally.
1492 }
1496 }
1498 // At this point we know aPtr lands within an allocation page, due to the
1499 // math done in the PtrKind constructor. But if aPtr points to memory
1500 // before the base address of the allocation, we return 0.
1509 }
1512 }
1517 }
1523 // We allocate our memory from jemalloc so it has already counted our memory
1524 // usage within "mapped" and "allocated", we must subtract the memory we
1525 // allocated from jemalloc from allocated before adding in only the parts that
1526 // we have allocated out to Firefox.
1531 {
1534 // Add usable space of in-use allocations to `allocated`.
1538 }
1539 }
1540 }
1543 // guards is the gap between `allocated` and `mapped`. In some ways this
1544 // almost fits into aStats->wasted since it feels like wasted memory. However
1545 // wasted should only include committed memory and these guard pages are
1546 // uncommitted. Therefore we don't include it anywhere.
1547 // size_t guards = mapped - allocated;
1549 // aStats.page_cache and aStats.bin_unused are left unchanged because PHC
1550 // doesn't have anything corresponding to those.
1552 // The metadata is stored in normal heap allocations, so they're measured by
1553 // mozjemalloc as `allocated`. Move them into `bookkeeping`.
1554 // They're also reported under explicit/heap-overhead/phc/fragmentation in
1555 // about:memory.
1559 }
1562 // We need to implement this properly, because various code locations do
1563 // things like checking that allocations are in the expected arena.
1566 // Not a page allocation.
1568 }
1571 // Treat a guard page as unknown because there's no better alternative.
1574 }
1576 // At this point we know we have an allocation page.
1582 #if DEBUG
1585 #else
1588 #endif
1589 }
1592 // No need to do anything special here.
1594 }
1597 // No need to do anything special here.
1599 }
1602 // No need to do anything special here.
1604 }
1608 }
1613 }
1618 }
1622 }
1627 }
1634 }
1639 // The address is in the lower half of a guard page, so it's probably an
1640 // overflow. But first check that it is not on the very first guard
1641 // page, in which case it cannot be an overflow, and we ignore it.
1644 }
1646 // Get the allocation page preceding this guard page.
1650 // The address is in the upper half of a guard page, so it's probably an
1651 // underflow. Get the allocation page following this guard page.
1653 }
1655 // Make a note of the fact that we hit a guard page.
1657 }
1659 // At this point we know we have an allocation page.
1673 }
1674 }
1676 }
1681 }
1686 }
1692 }
1702 }
1703 }
1705 // Enable or Disable PHC at runtime. If PHC is disabled it will still trap
1706 // bad uses of previous allocations, but won't track any new allocations.
1709 }
1710 };
1712 // WARNING: this function runs *very* early -- before all static initializers
1713 // have run. For this reason, non-scalar globals (gConst, gMut) are allocated
1714 // dynamically (so we can guarantee their construction in this function) rather
1715 // than statically. GAtomic and GTls contain simple static data that doesn't
1716 // involve static initializers so they don't need to be allocated dynamically.
1718 // Don't run PHC if the page size isn't what we statically defined.
1719 jemalloc_stats_t stats;
1723 }
1727 // The choices of which functions to replace are complex enough that we set
1728 // them individually instead of using MALLOC_FUNCS/malloc_decls.h.
1736 // posix_memalign, aligned_alloc & valloc: unset, which means they fall back
1737 // to replace_memalign.
1739 // default malloc_good_size: the default suffices.
1742 // jemalloc_purge_freed_pages: the default suffices.
1743 // jemalloc_free_dirty_pages: the default suffices.
1744 // jemalloc_thread_local_arena: the default suffices.
1748 replace_moz_create_arena_with_params;
1759 #ifndef XP_WIN
1760 // Avoid deadlocks when forking by acquiring our state lock prior to forking
1761 // and releasing it after forking. See |LogAlloc|'s |replace_init| for
1762 // in-depth details.
1763 //
1764 // Note: This must run after attempting an allocation so as to give the
1765 // system malloc a chance to insert its own atfork handler.
1768 #endif
1770 // gConst and gMut are never freed. They live for the life of the process.
1774 {
1776 Delay firstAllocDelay =
1779 }
1780 }