| blob | 6cde04bf968ec5ed4bc2ad017221823609e9ba2a |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 // PHC is a probabilistic heap checker. A tiny fraction of randomly chosen heap
8 // allocations are subject to some expensive checking via the use of OS page
9 // access protection. A failed check triggers a crash, whereupon useful
10 // information about the failure is put into the crash report. The cost and
11 // coverage for each user is minimal, but spread over the entire user base the
12 // coverage becomes significant.
13 //
14 // The idea comes from Chromium, where it is called GWP-ASAN. (Firefox uses PHC
15 // as the name because GWP-ASAN is long, awkward, and doesn't have any
16 // particular meaning.)
17 //
18 // In the current implementation up to 64 allocations per process can become
19 // PHC allocations. These allocations must be page-sized or smaller. Each PHC
20 // allocation gets its own page, and when the allocation is freed its page is
21 // marked inaccessible until the page is reused for another allocation. This
22 // means that a use-after-free defect (which includes double-frees) will be
23 // caught if the use occurs before the page is reused for another allocation.
24 // The crash report will contain stack traces for the allocation site, the free
25 // site, and the use-after-free site, which is often enough to diagnose the
26 // defect.
27 //
28 // Also, each PHC allocation is followed by a guard page. The PHC allocation is
29 // positioned so that its end abuts the guard page (or as close as possible,
30 // given alignment constraints). This means that a bounds violation at the end
31 // of the allocation (overflow) will be caught. The crash report will contain
32 // stack traces for the allocation site and the bounds violation use site,
33 // which is often enough to diagnose the defect.
34 //
35 // (A bounds violation at the start of the allocation (underflow) will not be
36 // caught, unless it is sufficiently large to hit the preceding allocation's
37 // guard page, which is not that likely. It would be possible to look more
38 // assiduously for underflow by randomly placing some allocations at the end of
39 // the page and some at the start of the page, and GWP-ASAN does this. PHC does
40 // not, however, because overflow is likely to be much more common than
41 // underflow in practice.)
42 //
43 // We use a simple heuristic to categorize a guard page access as overflow or
44 // underflow: if the address falls in the lower half of the guard page, we
45 // assume it is overflow, otherwise we assume it is underflow. More
46 // sophisticated heuristics are possible, but this one is very simple, and it is
47 // likely that most overflows/underflows in practice are very close to the page
48 // boundary.
49 //
50 // The design space for the randomization strategy is large. The current
51 // implementation has a large random delay before it starts operating, and a
52 // small random delay between each PHC allocation attempt. Each freed PHC
53 // allocation is quarantined for a medium random delay before being reused, in
54 // order to increase the chance of catching UAFs.
55 //
56 // The basic cost of PHC's operation is as follows.
57 //
58 // - The physical memory cost is 64 pages plus some metadata (including stack
59 // traces) for each page. This amounts to 256 KiB per process on
60 // architectures with 4 KiB pages and 1024 KiB on macOS/AArch64 which uses
61 // 16 KiB pages.
62 //
63 // - The virtual memory cost is the physical memory cost plus the guard pages:
64 // another 64 pages. This amounts to another 256 KiB per process on
65 // architectures with 4 KiB pages and 1024 KiB on macOS/AArch64 which uses
66 // 16 KiB pages. PHC is currently only enabled on 64-bit platforms so the
67 // impact of the virtual memory usage is negligible.
68 //
69 // - Every allocation requires a size check and a decrement-and-check of an
70 // atomic counter. When the counter reaches zero a PHC allocation can occur,
71 // which involves marking a page as accessible and getting a stack trace for
72 // the allocation site. Otherwise, mozjemalloc performs the allocation.
73 //
74 // - Every deallocation requires a range check on the pointer to see if it
75 // involves a PHC allocation. (The choice to only do PHC allocations that are
76 // a page or smaller enables this range check, because the 64 pages are
77 // contiguous. Allowing larger allocations would make this more complicated,
78 // and we definitely don't want something as slow as a hash table lookup on
79 // every deallocation.) PHC deallocations involve marking a page as
80 // inaccessible and getting a stack trace for the deallocation site.
81 //
82 // Note that calls to realloc(), free(), and malloc_usable_size() will
83 // immediately crash if the given pointer falls within a page allocation's
84 // page, but does not point to the start of the allocation itself.
85 //
86 // void* p = malloc(64);
87 // free(p + 1); // p+1 doesn't point to the allocation start; crash
88 //
89 // Such crashes will not have the PHC fields in the crash report.
90 //
91 // PHC-specific tests can be run with the following commands:
92 // - gtests: `./mach gtest '*PHC*'`
93 // - xpcshell-tests: `./mach test toolkit/crashreporter/test/unit`
94 // - This runs some non-PHC tests as well.
98 #include <stdlib.h>
99 #include <time.h>
101 #include <algorithm>
103 #ifdef XP_WIN
104 # include <process.h>
105 #else
106 # include <sys/mman.h>
107 # include <sys/types.h>
108 # include <pthread.h>
109 # include <unistd.h>
110 #endif
128 //---------------------------------------------------------------------------
129 // Utilities
130 //---------------------------------------------------------------------------
132 #ifdef ANDROID
133 // Android doesn't have pthread_atfork defined in pthread.h.
136 #endif
138 #ifndef DISALLOW_COPY_AND_ASSIGN
139 # define DISALLOW_COPY_AND_ASSIGN(T) \
140 T(const T&); \
141 void operator=(const T&)
142 #endif
144 // This class provides infallible operations for the small number of heap
145 // allocations that PHC does for itself. It would be nice if we could use the
146 // InfallibleAllocPolicy from mozalloc, but PHC cannot use mozalloc.
152 }
153 }
160 }
161 };
163 //---------------------------------------------------------------------------
164 // Stack traces
165 //---------------------------------------------------------------------------
167 // This code is similar to the equivalent code within DMD.
185 }
186 };
188 // WARNING WARNING WARNING: this function must only be called when PHC::mMutex
189 // is *not* locked, otherwise we might get deadlocks.
190 //
191 // How? On Windows, MozStackWalk() can lock a mutex, M, from the shared library
192 // loader. Another thread might call malloc() while holding M locked (when
193 // loading a shared library) and try to lock PHC::mMutex, causing a deadlock.
194 // So PHC::mMutex can't be locked during the call to MozStackWalk(). (For
195 // details, see https://bugzilla.mozilla.org/show_bug.cgi?id=374829#c8. On
196 // Linux, something similar can happen; see bug 824340. So we just disallow it
197 // on all platforms.)
198 //
199 // In DMD, to avoid this problem we temporarily unlock the equivalent mutex for
200 // the MozStackWalk() call. But that's grotty, and things are a bit different
201 // here, so we just require that stack traces be obtained before locking
202 // PHC::mMutex.
203 //
204 // Unfortunately, there is no reliable way at compile-time or run-time to ensure
205 // this pre-condition. Hence this large comment.
206 //
210 // These ifdefs should be kept in sync with the conditions in
211 // phc_implies_frame_pointers in build/moz.configure/memory.configure
212 #if defined(XP_WIN) && defined(_M_IX86)
213 // This avoids MozStackWalk(), which causes unusably slow startup on Win32
214 // when it is called during static initialization (see bug 1241684).
215 //
216 // This code is cribbed from the Gecko Profiler, which also uses
217 // FramePointerStackWalk() on Win32: Registers::SyncPopulate() for the
218 // frame pointer, and GetStackTop() for the stack end.
219 CONTEXT context;
226 #elif defined(XP_DARWIN)
227 // This avoids MozStackWalk(), which has become unusably slow on Mac due to
228 // changes in libunwind.
229 //
230 // This code is cribbed from the Gecko Profiler, which also uses
231 // FramePointerStackWalk() on Mac: Registers::SyncPopulate() for the frame
232 // pointer, and GetStackTop() for the stack end.
233 # pragma GCC diagnostic push
236 # pragma GCC diagnostic pop
239 #else
241 #endif
242 }
244 //---------------------------------------------------------------------------
245 // Logging
246 //---------------------------------------------------------------------------
248 // Change this to 1 to enable some PHC logging. Useful for debugging.
249 #define PHC_LOGGING 0
251 #if PHC_LOGGING
256 # if defined(XP_WIN)
258 # else
260 # endif
261 }
263 # if defined(XP_WIN)
264 # define LOG_STDERR \
265 reinterpret_cast<intptr_t>(GetStdHandle(STD_ERROR_HANDLE))
266 # else
267 # define LOG_STDERR 2
268 # endif
269 # define LOG(fmt, ...) \
271 size_t(PHC::Now()), ##__VA_ARGS__)
273 #else
275 # define LOG(fmt, ...)
279 //---------------------------------------------------------------------------
280 // Global state
281 //---------------------------------------------------------------------------
283 // Throughout this entire file time is measured as the number of sub-page
284 // allocations performed (by PHC and mozjemalloc combined). `Time` is 64-bit
285 // because we could have more than 2**32 allocations in a long-running session.
286 // `Delay` is 32-bit because the delays used within PHC are always much smaller
287 // than 2**32. Delay must be unsigned so that IsPowerOfTwo() can work on some
288 // Delay values.
293 // PHC only runs if the page size is 4 KiB; anything more is uncommon and would
294 // use too much memory. So we hardwire this size for all platforms but macOS
295 // on ARM processors. For the latter we make an exception because the minimum
296 // page size supported is 16KiB so there's no way to go below that.
298 #if defined(XP_DARWIN) && defined(__aarch64__)
299 16384
300 #else
301 4096
302 #endif
303 ;
305 // We align the PHC area to a multiple of the jemalloc and JS GC chunk size
306 // (both use 1MB aligned chunks) so that their address computations don't lead
307 // from non-PHC memory into PHC memory causing misleading PHC stacks to be
308 // attached to a crash report.
314 // There are two kinds of page.
315 // - Allocation pages, from which allocations are made.
316 // - Guard pages, which are never touched by PHC.
317 //
318 // These page kinds are interleaved; each allocation page has a guard page on
319 // either side.
320 #ifdef EARLY_BETA_OR_EARLIER
322 #else
323 // This will use between 82KiB and 1.1MiB per process (depending on how many
324 // objects are currently allocated). We will tune this in the future.
326 #endif
329 // The total size of the allocation pages and guard pages.
332 // jemalloc adds a guard page to the end of our allocation, see the comment in
333 // AllocAllPages() for more information.
336 // The amount to decrement from the shared allocation delay each time a thread's
337 // local allocation delay reaches zero.
340 // When PHC is disabled on the current thread wait this many allocations before
341 // accessing sAllocDelay once more.
344 // When PHC is disabled globally reset the shared delay by this many allocations
345 // to keep code running on the fast path.
348 // The default state for PHC. Either Enabled or OnlyFree.
349 #define DEFAULT_STATE mozilla::phc::OnlyFree
351 // The maximum time.
354 // Truncate aRnd to the range (1 .. aAvgDelay*2). If aRnd is random, this
355 // results in an average value of aAvgDelay + 0.5, which is close enough to
356 // aAvgDelay. aAvgDelay must be a power-of-two for speed.
361 }
364 // Limit delays calculated from prefs to 0x80000000, this is the largest
365 // power-of-two that fits in a Delay since it is a uint32_t.
366 // The minimum is 2 that way not every allocation goes straight to PHC.
368 }
370 // Maps a pointer to a PHC-specific structure:
371 // - Nothing
372 // - A guard page (it is unspecified which one)
373 // - An allocation page (with an index < kNumAllocPages)
374 //
375 // The standard way of handling a PtrKind is to check IsNothing(), and if that
376 // fails, to check IsGuardPage(), and if that fails, to call AllocPage().
380 Nothing,
381 GuardPage,
382 AllocPage,
383 };
385 Tag mTag;
389 // Detect what a pointer points to. This constructor must be fast because it
390 // is called for every call to free(), realloc(), malloc_usable_size(), and
391 // jemalloc_ptr_info().
401 // Odd-indexed pages are allocation pages.
407 // Even-numbered pages are guard pages.
409 }
410 }
411 }
416 // This should only be called after IsNothing() and IsGuardPage() have been
417 // checked and failed.
421 }
422 };
424 // On MacOS, the first __thread/thread_local access calls malloc, which leads
425 // to an infinite loop. So we use pthread-based TLS instead, which somehow
426 // doesn't have this problem.
427 #if !defined(XP_DARWIN)
428 # define PHC_THREAD_LOCAL(T) MOZ_THREAD_LOCAL(T)
429 #else
430 # define PHC_THREAD_LOCAL(T) \
431 detail::ThreadLocal<T, detail::ThreadLocalKeyStorage>
432 #endif
434 // The virtual address space reserved by PHC. It is shared, immutable global
435 // state. Initialized by phc_init() and never changed after that. phc_init()
436 // runs early enough that no synchronization is needed.
439 // The bounds of the allocated pages.
443 // Allocates the allocation pages and the guard pages, contiguously.
445 // The memory allocated here is never freed, because it would happen at
446 // process termination when it would be of little use.
448 // We can rely on jemalloc's behaviour that when it allocates memory aligned
449 // with its own chunk size it will over-allocate and guarantee that the
450 // memory after the end of our allocation, but before the next chunk, is
451 // decommitted and inaccessible. Elsewhere in PHC we assume that we own
452 // that page (so that memory errors in it get caught by PHC) but here we
453 // use kAllPagesJemallocSize which subtracts jemalloc's guard page.
457 }
459 // Make the pages inaccessible.
460 #ifdef XP_WIN
463 }
464 #else
468 }
469 #endif
472 }
480 }
484 }
486 // Get the address of the allocation page referred to via an index. Used when
487 // marking the page as accessible/inaccessible.
490 // Multiply by two and add one to account for allocation pages *and* guard
491 // pages.
493 }
494 };
496 // This type is used as a proof-of-lock token, to make it clear which functions
497 // require mMutex to be locked.
500 // Shared, mutable global state. Many fields are protected by sMutex; functions
501 // that access those feilds should take a PHCLock as proof that mMutex is held.
502 // Other fields are TLS or Atomic and don't need the lock.
508 };
510 // Metadata for each allocation page.
518 // The current allocation page state.
519 AllocPageState mState;
521 // The arena that the allocation is nominally from. This isn't meaningful
522 // within PHC, which has no arenas. But it is necessary for reallocation of
523 // page allocations as normal allocations, such as in this code:
524 //
525 // p = moz_arena_malloc(arenaId, 4096);
526 // realloc(p, 8192);
527 //
528 // The realloc is more than one page, and thus too large for PHC to handle.
529 // Therefore, if PHC handles the first allocation, it must ask mozjemalloc
530 // to allocate the 8192 bytes in the correct arena, and to do that, it must
531 // call MozJemalloc::moz_arena_malloc with the correct arenaId under the
532 // covers. Therefore it must record that arenaId.
533 //
534 // This field is also needed for jemalloc_ptr_info() to work, because it
535 // also returns the arena ID (but only in debug builds).
536 //
537 // - NeverAllocated: must be 0.
538 // - InUse | Freed: can be any valid arena ID value.
541 // The starting address of the allocation. Will not be the same as the page
542 // address unless the allocation is a full page.
543 // - NeverAllocated: must be 0.
544 // - InUse | Freed: must be within the allocation page.
547 // Usable size is computed as the number of bytes between the pointer and
548 // the end of the allocation page. This might be bigger than the requested
549 // size, especially if an outsized alignment is requested.
555 }
557 // The internal fragmentation for this allocation.
561 }
563 // The allocation stack.
564 // - NeverAllocated: Nothing.
565 // - InUse | Freed: Some.
568 // The free stack.
569 // - NeverAllocated | InUse: Nothing.
570 // - Freed: Some.
573 // The time at which the page is available for reuse, as measured against
574 // mNow. When the page is in use this value will be kMaxTime.
575 // - NeverAllocated: must be 0.
576 // - InUse: must be kMaxTime.
577 // - Freed: must be > 0 and < kMaxTime.
578 Time mReuseTime;
580 // The next index for a free list of pages.`
582 };
585 // The RNG seeds here are poor, but non-reentrant since this can be called
586 // from malloc(). SetState() will reset the RNG later.
591 }
594 }
597 }
599 // This constructor is part of PHC's very early initialisation,
600 // see phc_init(), and if PHC is default-on it'll start marking allocations
601 // and we must setup the delay. However once XPCOM starts it'll call
602 // SetState() which will re-initialise the RNG and allocation delay.
609 }
610 }
616 }
618 // Is the page free? And if so, has enough time passed that we can use it?
622 }
624 // Get the address of the allocation page referred to via an index. Used
625 // when checking pointers against page boundaries.
628 }
635 }
642 }
644 // The total fragmentation in PHC
649 }
651 }
666 }
668 #if PHC_LOGGING
670 #endif
678 // page.mState is not changed.
680 // Crash if the arenas don't match.
682 }
684 // We could just keep the original alloc stack, but the realloc stack is
685 // more recent and therefore seems more useful.
687 // page.mFreeStack is not changed.
688 // page.mReuseTime is not changed.
689 // page.mNextPage is not changed.
690 };
700 // page.mArenaId is left unchanged, for jemalloc_ptr_info() calls that
701 // occur after freeing (e.g. in the PtrInfo test in TestJemalloc.cpp).
703 // Crash if the arenas don't match.
705 }
707 // page.musableSize is left unchanged, for reporting on UAF, and for
708 // jemalloc_ptr_info() calls that occur after freeing (e.g. in the PtrInfo
709 // test in TestJemalloc.cpp).
711 // page.mAllocStack is left unchanged, for reporting on UAF.
715 #if PHC_LOGGING
717 #endif
722 }
725 // An operation on a guard page? This is a bounds violation. Deliberately
726 // touch the page in question to cause a crash that triggers the usual PHC
727 // machinery.
731 }
737 // The pointer must point to the start of the allocation.
742 // An operation on a freed page? This is a particular kind of
743 // use-after-free. Deliberately touch the page in question, in order to
744 // cause a crash that triggers the usual PHC machinery. But unlock mMutex
745 // first, because that self-same PHC machinery needs to re-lock it, and
746 // the crash causes non-local control flow so mMutex won't be unlocked
747 // the normal way in the caller.
751 }
752 }
754 // This expects GMUt::mMutex to be locked but can't check it with a parameter
755 // since we try-lock it.
777 }
778 }
783 }
793 // Only return TagLiveAlloc if the pointer is within the bounds of the
794 // allocation's usable size.
801 }
803 }
806 // Only return TagFreedAlloc if the pointer is within the bounds of the
807 // former allocation's usable size.
814 }
816 }
820 }
822 // Pointers into guard pages will end up here, as will pointers into
823 // allocation pages that aren't within the allocation's bounds.
825 }
827 #ifndef XP_WIN
830 }
833 }
835 #endif
837 #if PHC_LOGGING
840 #else
843 #endif
851 }
856 }
858 #if PHC_LOGGING
862 }
864 // This is an integer because FdPrintf only supports integer printing.
867 }
868 #endif
870 // Should we make new PHC allocations?
873 }
879 // Reset the RNG at this point with a better seed.
883 }
886 }
890 }
899 }
904 }
909 }
916 }
919 }
924 }
926 // Decrements the delay and returns true if it's time to make a new PHC
927 // allocation.
934 }
935 // The local delay has expired, check the shared delay. This path is also
936 // executed on a new thread's first allocation, the result is the same: all
937 // the thread's TLS fields will be initialised.
939 // This accesses sPHC but we want to ensure it's still a static member
940 // function so that sPHC isn't dereferenced until after the hot path above.
944 // Use an atomic fetch-and-subtract. This uses unsigned underflow semantics
945 // to avoid doing a full compare-and-swap.
949 // Normal case, we decremented the shared delay but it's not yet
950 // underflowed.
956 }
959 // The shared delay only just underflowed, so unless we hit exactly zero
960 // we should set our local counter and continue.
964 // We don't need to set tlsAllocDelay because it's already zero, we know
965 // because the condition at the beginning of this function failed.
967 }
971 }
973 // The delay underflowed on another thread or a previous failed allocation
974 // by this thread. Return true and attempt the next allocation, if the
975 // other thread wins we'll check for that before committing.
979 }
982 // We could take some delay from the shared delay but we'd need a
983 // compare-and-swap because this is called on paths that don't make
984 // allocations. Or we can set the local delay to zero and let it get
985 // initialised on the next allocation.
988 }
994 }
996 // Set a new allocation delay and return true if the delay was less than zero
997 // (but it's unsigned so interpret it as signed) indicating that we won the
998 // race to make the next allocation.
1002 // We read the current delay on every iteration, we consider that the PHC
1003 // allocation is still "up for grabs" if sAllocDelay < 0. This is safe
1004 // even while other threads continuing to fetch-and-subtract sAllocDelay
1005 // in DecrementDelay(), up to DELAY_MAX (2^31) calls to DecrementDelay().
1008 // Another thread already set a valid delay.
1015 }
1021 // We raced against another thread and lost.
1022 }
1027 }
1035 Time now) {
1038 }
1048 }
1054 }
1057 }
1067 }
1068 }
1078 // The list is empty this page will become the beginning and end.
1086 }
1089 }
1094 // An older version of this code used RandomUint64() here, but on Mac that
1095 // function uses arc4random(), which can allocate, which would cause
1096 // re-entry, which would be bad. So we just use time(), a local variable
1097 // address and a global variable address. These are mediocre sources of
1098 // entropy, but good enough for PHC.
1108 }
1110 }
1114 // There is nothing to assert about aPage.mArenaId.
1121 }
1124 // We can assert a lot about `NeverAllocated` pages, but not much about
1125 // `Freed` pages.
1126 #ifdef DEBUG
1134 #endif
1135 }
1137 // To improve locality we try to order this file by how frequently different
1138 // fields are modified and place all the modified-together fields early and
1139 // ideally within a single cache line.
1141 // The mutex that protects the other members.
1145 // The current time. We use ReleaseAcquire semantics since we attempt to
1146 // update this by larger increments and don't want to lose an entire update.
1149 // This will only ever be updated from one thread. The other threads should
1150 // eventually get the update.
1154 // RNG for deciding which allocations to treat specially. It doesn't need to
1155 // be high quality.
1156 //
1157 // This is a raw pointer for the reason explained in the comment above
1158 // PHC's constructor. Don't change it to UniquePtr or anything like that.
1161 // A linked list of free pages. Pages are allocated from the head of the list
1162 // and returned to the tail. The list will naturally order itself by "last
1163 // freed time" so if the head of the list can't satisfy an allocation due to
1164 // time then none of the pages can.
1168 #if PHC_LOGGING
1169 // How many allocations that could have been page allocs actually were? As
1170 // constrained kNumAllocPages. If the hit ratio isn't close to 100% it's
1171 // likely that the global constants are poorly chosen.
1174 #endif
1176 // The remaining fields are updated much less often, place them on the next
1177 // cache line.
1179 // The average delay before doing any page allocations at the start of a
1180 // process. Note that roughly 1 million allocations occur in the main process
1181 // while starting the browser. The delay range is 1..gAvgFirstAllocDelay*2.
1184 // The average delay until the next attempted page allocation, once we get
1185 // past the first delay. The delay range is 1..kAvgAllocDelay*2.
1188 // The average delay before reusing a freed page. Should be significantly
1189 // larger than kAvgAllocDelay, otherwise there's not much point in having it.
1190 // The delay range is (kAvgAllocDelay / 2)..(kAvgAllocDelay / 2 * 3). This is
1191 // different to the other delay ranges in not having a minimum of 1, because
1192 // that's such a short delay that there is a high likelihood of bad stacks in
1193 // any crash report.
1196 // When true, PHC does as little as possible.
1197 //
1198 // (a) It does not allocate any new page allocations.
1199 //
1200 // (b) It avoids doing any operations that might call malloc/free/etc., which
1201 // would cause re-entry into PHC. (In practice, MozStackWalk() is the
1202 // only such operation.) Note that calls to the functions in MozJemalloc
1203 // are ok.
1204 //
1205 // For example, replace_malloc() will just fall back to mozjemalloc. However,
1206 // operations involving existing allocations are more complex, because those
1207 // existing allocations may be page allocations. For example, if
1208 // replace_free() is passed a page allocation on a PHC-disabled thread, it
1209 // will free the page allocation in the usual way, but it will get a dummy
1210 // freeStack in order to avoid calling MozStackWalk(), as per (b) above.
1211 //
1212 // This single disabling mechanism has two distinct uses.
1213 //
1214 // - It's used to prevent re-entry into PHC, which can cause correctness
1215 // problems. For example, consider this sequence.
1216 //
1217 // 1. enter replace_free()
1218 // 2. which calls PageFree()
1219 // 3. which calls MozStackWalk()
1220 // 4. which locks a mutex M, and then calls malloc
1221 // 5. enter replace_malloc()
1222 // 6. which calls MaybePageAlloc()
1223 // 7. which calls MozStackWalk()
1224 // 8. which (re)locks a mutex M --> deadlock
1225 //
1226 // We avoid this sequence by "disabling" the thread in PageFree() (at step
1227 // 2), which causes MaybePageAlloc() to fail, avoiding the call to
1228 // MozStackWalk() (at step 7).
1229 //
1230 // In practice, realloc or free of a PHC allocation is unlikely on a thread
1231 // that is disabled because of this use: MozStackWalk() will probably only
1232 // realloc/free allocations that it allocated itself, but those won't be
1233 // page allocations because PHC is disabled before calling MozStackWalk().
1234 //
1235 // (Note that MaybePageAlloc() could safely do a page allocation so long as
1236 // it avoided calling MozStackWalk() by getting a dummy allocStack. But it
1237 // wouldn't be useful, and it would prevent the second use below.)
1238 //
1239 // - It's used to prevent PHC allocations in some tests that rely on
1240 // mozjemalloc's exact allocation behaviour, which PHC does not replicate
1241 // exactly. (Note that (b) isn't necessary for this use -- MozStackWalk()
1242 // could be safely called -- but it is necessary for the first use above.)
1243 //
1246 // Delay until the next attempt at a page allocation. The delay is made up of
1247 // two parts the global delay and each thread's local portion of that delay:
1248 //
1249 // delay = sDelay + sum_all_threads(tlsAllocDelay)
1250 //
1251 // Threads use their local delay to reduce contention on the shared delay.
1252 //
1253 // See the comment in MaybePageAlloc() for an explanation of why it uses
1254 // ReleaseAcquire semantics.
1258 // The last value we set tlsAllocDelay to before starting to count down.
1262 #if PHC_LOGGING
1264 #endif
1270 }
1273 }
1275 // Both of these are accessed early on hot code paths. We make them both
1276 // static variables rathan making sRegion a member of sPHC to keep these hot
1277 // code paths as fast as possible. They're both "write once" so they can
1278 // share a cache line.
1281 };
1283 // These globals are read together and hardly ever written. They should be on
1284 // the same cache line. They should be in a different cache line to data that
1285 // is manipulated often (sMutex and mNow are members of sPHC for that reason) so
1286 // that this cache line can be shared amoung cores. This makes a measurable
1287 // impact to calls to maybe_init()
1296 // This must be defined after the PHC class.
1300 }
1302 // When PHC wants to crash we first have to unlock so that the crash reporter
1303 // can call into PHC to lockup its pointer. That also means that before calling
1304 // PHCCrash please ensure that state is consistent. Because this can report an
1305 // arbitrary string, use of it must be reviewed by Firefox data stewards.
1310 }
1321 };
1323 //---------------------------------------------------------------------------
1324 // Initialisation
1325 //---------------------------------------------------------------------------
1327 // WARNING: this function runs *very* early -- before all static initializers
1328 // have run. For this reason, non-scalar globals (sRegion, sPHC) are allocated
1329 // dynamically (so we can guarantee their construction in this function) rather
1330 // than statically.
1334 }
1336 // sRegion and sPHC are never freed. They live for the life of the process.
1341 #ifndef XP_WIN
1342 // Avoid deadlocks when forking by acquiring our state lock prior to forking
1343 // and releasing it after forking. See |LogAlloc|'s |phc_init| for
1344 // in-depth details.
1346 #endif
1349 }
1352 // This runs on hot paths and we can save some memory accesses by using sPHC
1353 // to test if we've already initialised PHC successfully.
1355 // The lambda will only be called once and is thread safe.
1358 }
1361 }
1363 //---------------------------------------------------------------------------
1364 // Page allocation operations
1365 //---------------------------------------------------------------------------
1367 // This is the hot-path for testing if we should make a PHC allocation, it
1368 // should be inlined into the caller while the remainder of the tests that are
1369 // in MaybePageAlloc need not be inlined.
1373 }
1377 }
1379 // Decrement the delay. If it's zero, we do a page allocation and reset the
1380 // delay to a random number.
1383 }
1386 }
1389 Delay newAllocDelay) {
1390 // No pages are available, or VirtualAlloc/mprotect failed.
1391 #if PHC_LOGGING
1393 #endif
1399 }
1401 // Attempt a page allocation if the time and the size are right. Allocated
1402 // memory is zeroed if aZero is true. On failure, the caller should attempt a
1403 // normal allocation via MozJemalloc. Can be called in a context where
1404 // PHC::mMutex is locked.
1410 // Reset the allocation delay so that we take the fast path most of the
1411 // time. Rather than take the lock and use the RNG which are unnecessary
1412 // when PHC is disabled, instead set the delay to a reasonably high number,
1413 // the default average first allocation delay. This is reset when PHC is
1414 // re-enabled anyway.
1417 }
1420 // We don't reset sAllocDelay since that might affect other threads. We
1421 // assume this is okay because either this thread will be re-enabled after
1422 // less than DELAY_MAX allocations or that there are other active threads
1423 // that will reset sAllocDelay. We do reset our local delay which will
1424 // cause this thread to "back off" from updating sAllocDelay on future
1425 // allocations.
1428 }
1430 // Disable on this thread *before* getting the stack trace.
1431 AutoDisableOnCurrentThread disable;
1433 // Get the stack trace *before* locking the mutex. If we return nullptr then
1434 // it was a waste, but it's not so frequent, and doing a stack walk while
1435 // the mutex is locked is problematic (see the big comment on
1436 // StackTrace::Fill() for details).
1437 StackTrace allocStack;
1448 }
1450 // Pages are allocated from a free list populated in order of when they're
1451 // freed. If the page at the head of the list is too recently freed to be
1452 // reused then no other pages on the list will be either.
1459 }
1462 #if PHC_LOGGING
1464 #endif
1468 #ifdef XP_WIN
1470 #else
1472 #endif
1479 }
1484 // Put the allocation as close to the end of the page as possible,
1485 // allowing for alignment requirements.
1490 }
1492 #if PHC_LOGGING
1495 #endif
1502 #ifdef DEBUG
1504 #endif
1505 }
1508 #if PHC_LOGGING
1510 #endif
1517 lifetime);
1520 }
1528 #ifdef XP_WIN
1531 }
1532 #else
1536 }
1537 #endif
1540 }
1542 //---------------------------------------------------------------------------
1543 // replace-malloc machinery
1544 //---------------------------------------------------------------------------
1546 // This handles malloc, moz_arena_malloc, and realloc-with-a-nullptr.
1550 // The test on aArenaId here helps the compiler optimise away
1551 // the construction of Nothing() in the caller.
1560 }
1564 }
1570 }
1572 // This handles both calloc and moz_arena_calloc.
1578 }
1581 // The test on aArenaId here helps the compiler optimise away
1582 // the construction of Nothing() in the caller.
1591 }
1595 }
1597 // This function handles both realloc and moz_arena_realloc.
1598 //
1599 // As always, realloc is complicated, and doubly so when there are two
1600 // different kinds of allocations in play. Here are the possible transitions,
1601 // and what we do in practice.
1602 //
1603 // - normal-to-normal: This is straightforward and obviously necessary.
1604 //
1605 // - normal-to-page: This is disallowed because it would require getting the
1606 // arenaId of the normal allocation, which isn't possible in non-DEBUG builds
1607 // for security reasons.
1608 //
1609 // - page-to-page: This is done whenever possible, i.e. whenever the new size
1610 // is less than or equal to 4 KiB. This choice counterbalances the
1611 // disallowing of normal-to-page allocations, in order to avoid biasing
1612 // towards or away from page allocations. It always occurs in-place.
1613 //
1614 // - page-to-normal: this is done only when necessary, i.e. only when the new
1615 // size is greater than 4 KiB. This choice naturally flows from the
1616 // prior choice on page-to-page transitions.
1617 //
1618 // In summary: realloc doesn't change the allocation kind unless it must.
1619 //
1620 // This function may return:
1621 // - Some(pointer) when PHC handled the reallocation.
1622 // - Some(nullptr) when PHC should have handled a page-to-normal transition
1623 // but couldn't because of OOM.
1624 // - Nothing() when PHC is disabled or the original allocation was not
1625 // under PHC.
1629 // Null pointer. Treat like malloc(aNewSize).
1631 }
1635 }
1639 // A normal-to-normal transition.
1641 }
1645 }
1647 // At this point we know we have an allocation page.
1650 // A page-to-something transition.
1653 // Note that `disable` has no effect unless it is emplaced below.
1655 // Get the stack trace *before* locking the mutex.
1656 StackTrace stack;
1658 // PHC is disabled on this thread. Leave the stack empty.
1660 // Disable on this thread *before* getting the stack trace.
1663 }
1667 // Check for realloc() of a freed block.
1671 // A page-to-page transition. Just keep using the page allocation. We do
1672 // this even if the thread is disabled, because it doesn't create a new
1673 // page allocation. Note that ResizePageInUse() checks aArenaId.
1674 //
1675 // Move the bytes with memmove(), because the old allocation and the new
1676 // allocation overlap. Move the usable size rather than the requested size,
1677 // because the user might have used malloc_usable_size() and filled up the
1678 // usable size.
1687 }
1689 // A page-to-normal transition (with the new size greater than page-sized).
1690 // (Note that aArenaId is checked below.)
1699 }
1702 }
1706 // Copy the usable size rather than the requested size, because the user
1707 // might have used malloc_usable_size() and filled up the usable size. Note
1708 // that FreePage() checks aArenaId (via SetPageFreed()).
1717 }
1724 ? *ptr
1728 }
1732 }
1734 // This handles both free and moz_arena_free.
1739 }
1741 // At this point we know we have an allocation page.
1745 // Note that `disable` has no effect unless it is emplaced below.
1747 // Get the stack trace *before* locking the mutex.
1748 StackTrace freeStack;
1750 // PHC is disabled on this thread. Leave the stack empty.
1752 // Disable on this thread *before* getting the stack trace.
1755 }
1759 // Check for a double-free.
1762 // Note that FreePage() checks aArenaId (via SetPageFreed()).
1766 #if PHC_LOGGING
1768 #endif
1772 }
1777 }
1781 }
1786 // The tenery expression here helps the compiler optimise away the
1787 // construction of Nothing() in the caller.
1790 }
1794 }
1798 // This handles memalign and moz_arena_memalign.
1804 // PHC can't satisfy an alignment greater than a page size, so fall back to
1805 // mozjemalloc in that case.
1808 // The test on aArenaId here helps the compiler optimise away
1809 // the construction of Nothing() in the caller.
1812 }
1816 aReqSize)
1818 }
1822 }
1827 }
1831 // Not a page allocation. Measure it normally.
1833 }
1837 }
1839 // At this point we know aPtr lands within an allocation page, due to the
1840 // math done in the PtrKind constructor. But if aPtr points to memory
1841 // before the base address of the allocation, we return 0.
1850 }
1853 }
1858 }
1865 // If we're not initialised, then we're not using any additional memory and
1866 // have nothing to add to the report.
1868 }
1870 // We allocate our memory from jemalloc so it has already counted our memory
1871 // usage within "mapped" and "allocated", we must subtract the memory we
1872 // allocated from jemalloc from allocated before adding in only the parts that
1873 // we have allocated out to Firefox.
1878 {
1881 // Add usable space of in-use allocations to `allocated`.
1885 }
1886 }
1887 }
1890 // guards is the gap between `allocated` and `mapped`. In some ways this
1891 // almost fits into aStats->wasted since it feels like wasted memory. However
1892 // wasted should only include committed memory and these guard pages are
1893 // uncommitted. Therefore we don't include it anywhere.
1894 // size_t guards = mapped - allocated;
1896 // aStats.page_cache and aStats.bin_unused are left unchanged because PHC
1897 // doesn't have anything corresponding to those.
1899 // The metadata is stored in normal heap allocations, so they're measured by
1900 // mozjemalloc as `allocated`. Move them into `bookkeeping`.
1901 // They're also reported under explicit/heap-overhead/phc/fragmentation in
1902 // about:memory.
1906 }
1910 }
1916 }
1918 // We need to implement this properly, because various code locations do
1919 // things like checking that allocations are in the expected arena.
1922 // Not a page allocation.
1924 }
1927 // Treat a guard page as unknown because there's no better alternative.
1930 }
1932 // At this point we know we have an allocation page.
1938 #if DEBUG
1941 #else
1944 #endif
1945 }
1950 }
1955 }
1960 }
1964 }
1970 }
1977 }
1982 }
1987 // The address is in the lower half of a guard page, so it's probably an
1988 // overflow. But first check that it is not on the very first guard
1989 // page, in which case it cannot be an overflow, and we ignore it.
1992 }
1994 // Get the allocation page preceding this guard page.
1998 // The address is in the upper half of a guard page, so it's probably an
1999 // underflow. Get the allocation page following this guard page.
2001 }
2003 // Make a note of the fact that we hit a guard page.
2005 }
2007 // At this point we know we have an allocation page.
2021 }
2022 }
2024 }
2029 }
2034 }
2040 }
2046 }
2054 }
2055 }
2061 }
2066 }
2068 // Enable or Disable PHC at runtime. If PHC is disabled it will still trap
2069 // bad uses of previous allocations, but won't track any new allocations.
2073 }
2076 }
2082 }
2085 aAvgDelayPageReuse);
2086 }