| blob | 2141d413ed50c3ebde4fe61dd81965a90ed59b93 |
1 // Copyright (c) 2005, Google Inc.
2 // All rights reserved.
3 //
4 // Redistribution and use in source and binary forms, with or without
5 // modification, are permitted provided that the following conditions are
6 // met:
7 //
8 // * Redistributions of source code must retain the above copyright
9 // notice, this list of conditions and the following disclaimer.
10 // * Redistributions in binary form must reproduce the above
11 // copyright notice, this list of conditions and the following disclaimer
12 // in the documentation and/or other materials provided with the
13 // distribution.
14 // * Neither the name of Google Inc. nor the names of its
15 // contributors may be used to endorse or promote products derived from
16 // this software without specific prior written permission.
17 //
18 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 // ---
31 // Author: Sanjay Ghemawat
33 #include <config.h>
37 #if defined HAVE_STDINT_H
39 #elif defined HAVE_INTTYPES_H
40 #include <inttypes.h>
41 #else
42 #include <sys/types.h>
43 #endif
44 #ifdef HAVE_MMAP
46 #endif
47 #ifdef HAVE_UNISTD_H
49 #endif
51 #include <gperftools/malloc_extension.h>
58 // On systems (like freebsd) that don't define MAP_ANONYMOUS, use the old
59 // form of the name instead.
60 #ifndef MAP_ANONYMOUS
61 # define MAP_ANONYMOUS MAP_ANON
62 #endif
64 // MADV_FREE is specifically designed for use by malloc(), but only
65 // FreeBSD supports it; in linux we fall back to the somewhat inferior
66 // MADV_DONTNEED.
67 #if !defined(MADV_FREE) && defined(MADV_DONTNEED)
68 # define MADV_FREE MADV_DONTNEED
69 #endif
71 // Solaris has a bug where it doesn't declare madvise() for C++.
72 // http://www.opensolaris.org/jive/thread.jspa?threadID=21035&tstart=0
73 #if defined(__sun) && defined(__SVR4)
76 #endif
78 // Set kDebugMode mode so that we can have use C++ conditionals
79 // instead of preprocessor conditionals.
80 #ifdef NDEBUG
82 #else
84 #endif
86 // TODO(sanjay): Move the code below into the tcmalloc namespace
90 // Anonymous namespace to avoid name conflicts on "CheckAddressBits".
93 // Check that no bit is set at position ADDRESS_BITS or higher.
96 }
98 // Specialize for the bit width of a pointer to avoid undefined shift.
101 }
103 #if (defined(OS_LINUX) || defined(OS_CHROMEOS)) && defined(__x86_64__)
104 #define ASLR_IS_SUPPORTED
105 #endif
107 #if defined(ASLR_IS_SUPPORTED)
108 // From libdieharder, public domain library by Bob Jenkins (rngav.c).
109 // Described at http://burtleburtle.net/bob/rand/smallprng.html.
110 // Not cryptographically secure, but good enough for what we need.
113 u4 a;
114 u4 b;
115 u4 c;
116 u4 d;
117 };
119 #define rot(x,k) (((x)<<(k))|((x)>>(32-(k))))
122 /* xxx: the generator being tested */
129 }
132 u4 i;
137 }
138 }
140 // If the kernel cannot honor the hint in arch_get_unmapped_area_topdown, it
141 // will simply ignore it. So we give a hint that has a good chance of
142 // working.
143 // The mmap top-down allocator will normally allocate below TASK_SIZE - gap,
144 // with a gap that depends on the max stack size. See x86/mm/mmap.c. We
145 // should make allocations that are below this area, which would be
146 // 0x7ffbf8000000.
147 // We use 0x3ffffffff000 as the mask so that we only "pollute" half of the
148 // address space. In the unlikely case where fragmentation would become an
149 // issue, the kernel will still have another half to use.
154 // Give a random "hint" that is suitable for use with mmap(). This cannot make
155 // mmap fail, as the kernel will simply not follow the hint if it can't.
156 // However, this will create address space fragmentation. Currently, we only
157 // implement it on x86_64, where we have a 47 bits userland address space and
158 // fragmentation is not an issue.
160 #if !defined(ASLR_IS_SUPPORTED)
162 #else
163 // Note: we are protected by the general TCMalloc_SystemAlloc spinlock. Given
164 // the nature of what we're doing, it wouldn't be critical if we weren't for
165 // ctx, but it is for the "initialized" variable.
166 // It's nice to share the state between threads, because scheduling will add
167 // some randomness to the succession of ranval() calls.
172 // We really want this to be a stack variable and don't want any compiler
173 // optimization. We're using its address as a poor-man source of
174 // randomness.
176 // Pre-initialize our seed with a "random" address in case /dev/urandom is
177 // not available.
182 ssize_t len;
187 }
189 }
192 // A a bit-wise "and" won't bias our random distribution.
196 }
198 // Allocate |length| bytes of memory using mmap(). The memory will be
199 // readable and writeable, but not executable.
200 // Like mmap(), we will return MAP_FAILED on failure.
201 // |is_aslr_enabled| controls address space layout randomization. When true, we
202 // will put the first mapping at a random address and will then try to grow it.
203 // If it's not possible to grow an existing mapping, a new one will be created.
205 // Note: we are protected by the general TCMalloc_SystemAlloc spinlock.
207 #if defined(ASLR_IS_SUPPORTED)
212 }
215 // address_hint is likely to make us grow an existing mapping.
218 #if defined(ASLR_IS_SUPPORTED)
220 // If mmap() succeeded at a address_hint, our next mmap() will try to grow
221 // the current mapping as long as it's compatible with our ASLR mask.
222 // This has been done for performance reasons, see crbug.com/173371.
223 // It should be possible to strike a better balance between performance
224 // and security but will be done at a later date.
225 // If this overflows, it could only set address_hint to NULL, which is
226 // what we want (and can't happen on the currently supported architecture).
229 // mmap failed or a collision prevented the kernel from honoring the hint,
230 // reset the hint.
232 }
235 }
240 address_bits_larger_than_pointer_size);
242 // Structure for discovering alignment
251 #if defined(HAVE_MMAP) || defined(MADV_FREE)
252 #ifdef HAVE_GETPAGESIZE
254 #endif
255 #endif
257 // The current system allocator
260 // Configuration parameters.
263 "Physical memory starting location in MB for /dev/mem allocation."
267 "Physical memory limit location in MB for /dev/mem allocation."
277 #if defined(ASLR_IS_SUPPORTED)
279 #else
281 #endif
284 // static allocators
288 }
290 };
296 }
298 };
304 }
306 };
315 }
316 }
323 }
324 }
332 };
340 #ifndef HAVE_SBRK
342 #else
343 // Check if we should use sbrk allocation.
344 // FLAGS_malloc_skip_sbrk starts out as false (its uninitialized
345 // state) and eventually gets initialized to the specified value. Note
346 // that this code runs for a while before the flags are initialized.
347 // That means that even if this flag is set to true, some (initial)
348 // memory will be allocated with sbrk before the flag takes effect.
351 }
353 // sbrk will release memory if passed a negative number, so we do
354 // a strict check here
357 // This doesn't overflow because TCMalloc_SystemAlloc has already
358 // tested for overflow at the alignment boundary.
361 // "actual_size" indicates that the bytes from the returned pointer
362 // p up to and including (p + actual_size - 1) have been allocated.
365 }
367 // Check that we we're not asking for so much more memory that we'd
368 // wrap around the end of the virtual address space. (This seems
369 // like something sbrk() should check for us, and indeed opensolaris
370 // does, but glibc does not:
371 // http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libc/port/sys/sbrk.c?a=true
372 // http://sourceware.org/cgi-bin/cvsweb.cgi/~checkout~/libc/misc/sbrk.c?rev=1.1.2.1&content-type=text/plain&cvsroot=glibc
373 // Without this check, sbrk may succeed when it ought to fail.)
376 }
381 }
383 // Is it aligned?
387 // Try to get more memory for alignment
391 // Contiguous with previous result
393 }
395 // Give up and ask for "size + alignment - 1" bytes so
396 // that we can find an aligned region within it.
400 }
404 }
407 }
411 #ifndef HAVE_MMAP
413 #else
414 // Check if we should use mmap allocation.
415 // FLAGS_malloc_skip_mmap starts out as false (its uninitialized
416 // state) and eventually gets initialized to the specified value. Note
417 // that this code runs for a while before the flags are initialized.
418 // Chances are we never get here before the flags are initialized since
419 // sbrk is used until the heap is exhausted (before mmap is used).
422 }
424 // Enforce page alignment
430 }
433 // "actual_size" indicates that the bytes from the returned pointer
434 // p up to and including (p + actual_size - 1) have been allocated.
437 }
439 // Ask for extra memory if alignment > pagesize
443 }
445 // Note: size + extra does not overflow since:
446 // size + alignment < (1<<NBITS).
447 // and extra <= alignment
448 // therefore size + extra < (1<<NBITS)
452 }
454 // Adjust the return memory so it is aligned
459 }
461 // Return the unused memory to the system
464 }
467 }
472 }
476 #ifndef HAVE_MMAP
478 #else
484 // Check if we should use /dev/mem allocation. Note that it may take
485 // a while to get this flag initialized, so meanwhile we fall back to
486 // the next allocator. (It looks like 7MB gets allocated before
487 // this flag gets initialized -khr.)
489 // NOTE: not a devmem_failure - we'd like TCMalloc_SystemAlloc to
490 // try us again next time.
492 }
498 }
502 }
504 // Enforce page alignment
510 }
513 // "actual_size" indicates that the bytes from the returned pointer
514 // p up to and including (p + actual_size - 1) have been allocated.
517 }
519 // Ask for extra memory if alignment > pagesize
523 }
525 // check to see if we have any memory left
529 }
531 // Note: size + extra does not overflow since:
532 // size + alignment < (1<<NBITS).
533 // and extra <= alignment
534 // therefore size + extra < (1<<NBITS)
539 }
542 // Adjust the return memory so it is aligned
546 }
548 // Return the unused virtual memory to the system
551 }
554 }
561 }
570 }
572 }
573 }
574 // After both failed, reset "failed_" to false so that a single failed
575 // allocation won't make the allocator never work again.
578 }
580 }
587 // In 64-bit debug mode, place the mmap allocator first since it
588 // allocates pointers that do not fit in 32 bits and therefore gives
589 // us better testing of code's 64-bit correctness. It also leads to
590 // less false negatives in heap-checking code. (Numbers are less
591 // likely to look like pointers and therefore the conservative gc in
592 // the heap-checker is less likely to misinterpret a number as a
593 // pointer).
595 // Unfortunately, this code runs before flags are initialized. So
596 // we can't use FLAGS_malloc_random_allocator.
597 #if defined(ASLR_IS_SUPPORTED)
598 // Our only random allocator is mmap.
600 #else
607 }
610 }
614 // Discard requests that overflow
622 }
624 // Enforce minimum alignment
635 }
636 }
638 }
641 #ifdef HAVE_GETPAGESIZE
650 #endif
653 }
656 #ifdef MADV_FREE
658 // It's not safe to use MADV_FREE/MADV_DONTNEED if we've been
659 // mapping /dev/mem for heap memory.
661 }
669 // Round up the starting address and round down the ending address
670 // to be page aligned:
680 // Note -- ignoring most return codes, because if this fails it
681 // doesn't matter...
685 // NOP
686 }
687 }
688 #endif
689 }
692 // Nothing to do here. TCMalloc_SystemRelease does not alter pages
693 // such that they need to be re-committed before they can be used by the
694 // application.
695 }