| Name | Date | Size | #Lines | LOC |
|---|---|---|---|---|
| stack/ | 03-May-2024 | - | 784 | 510 |
| README.md | 03-May-2024 | 2.4 KiB | 46 | 38 |
| logging.h | 03-May-2024 | 1.8 KiB | 40 | 18 |
| metadata_allocator.cc | 03-May-2024 | 1.6 KiB | 45 | 29 |
| metadata_allocator.h | 03-May-2024 | 2.5 KiB | 86 | 61 |
| pcscan.cc | 03-May-2024 | 3.3 KiB | 114 | 84 |
| pcscan.h | 03-May-2024 | 10 KiB | 279 | 155 |
| pcscan_internal.cc | 03-May-2024 | 59.4 KiB | 1,640 | 1,214 |
| pcscan_internal.h | 03-May-2024 | 5 KiB | 150 | 99 |
| pcscan_scheduling.cc | 03-May-2024 | 7.6 KiB | 216 | 142 |
| pcscan_scheduling.h | 03-May-2024 | 7.3 KiB | 202 | 115 |
| pcscan_scheduling_unittest.cc | 03-May-2024 | 5.9 KiB | 170 | 122 |
| pcscan_unittest.cc | 03-May-2024 | 31.3 KiB | 878 | 622 |
| raceful_worklist.h | 03-May-2024 | 4.4 KiB | 143 | 105 |
| scan_loop.h | 03-May-2024 | 10.1 KiB | 242 | 164 |
| scan_loop_unittest.cc | 03-May-2024 | 5.3 KiB | 173 | 142 |
| snapshot.cc | 03-May-2024 | 1.7 KiB | 47 | 32 |
| snapshot.h | 03-May-2024 | 2.9 KiB | 95 | 68 |
| starscan_fwd.h | 03-May-2024 | 768 | 31 | 16 |
| state_bitmap.h | 03-May-2024 | 19.8 KiB | 492 | 345 |
| state_bitmap_unittest.cc | 03-May-2024 | 9.7 KiB | 344 | 268 |
| stats_collector.cc | 03-May-2024 | 4.6 KiB | 113 | 92 |
| stats_collector.h | 03-May-2024 | 8 KiB | 249 | 197 |
| stats_reporter.h | 03-May-2024 | 1.6 KiB | 37 | 21 |
| write_protector.cc | 03-May-2024 | 4.2 KiB | 135 | 96 |
| write_protector.h | 03-May-2024 | 2.3 KiB | 76 | 49 |

README.md

# StarScan: Heap scanning use-after-free prevention

C++ and other languages that rely on explicit memory management using `malloc()`
and `free()` are prone to memory corruption and the resulting security issues.
The fundamental idea behind these heap scanning algorithms is to intercept the
underlying allocator and delay the release of memory until the corresponding
memory block is provably unreachable from application code.

The basic ingredients for such algorithms are:
1.  *Quarantine*: When an object is deemed unused by a `free()` call, it is
    put into quarantine instead of being returned to the allocator. The object
    is not actually freed by the underlying allocator and cannot be reused for
    future allocation requests until it is found that no pointers point to the
    given memory block.
2.  *Scan*: When the quarantine reaches a certain limit (e.g. based on the
    total size of the quarantined entries), a quarantine scan is triggered. The
    scan iterates over the application memory and checks whether any references
    point into quarantined memory. Objects in the quarantine that are still
    referenced are kept there; those that are not are flagged for release.
3.  *Sweep*: All objects flagged for release are actually returned to the
    underlying memory allocator.

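The three ingredients, as an added example that is not part of the StarScan or PartitionAlloc code base: a toy allocator that quarantines on `Free()`, conservatively scans registered root ranges and live heap blocks for words that point into a quarantined block (interior pointers included), and sweeps whatever remains unreferenced. Every name in it (`QuarantineAllocator`, `AddRoot`, `ScanAndSweep`, `RunDemo`) is this example's own, not PCScan's API, and the scenario data is constructed for illustration.

```cpp
// Added example, not code from the StarScan/PartitionAlloc project: a toy
// allocator walking through the quarantine -> scan -> sweep cycle described
// above. Names (QuarantineAllocator, AddRoot, ScanAndSweep, RunDemo) are its own.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <vector>

class QuarantineAllocator {
 public:
  struct Block { void* ptr; size_t size; };
  // Free() triggers a scan once the quarantine holds at least `limit` bytes.
  explicit QuarantineAllocator(size_t limit) : limit_(limit) {}
  ~QuarantineAllocator() {
    for (const Block& b : live_) std::free(b.ptr);
    for (const Block& b : quarantined_) std::free(b.ptr);
  }
  void* Allocate(size_t size) {
    void* p = std::calloc(1, size);  // zeroed: stale words never look like pointers
    live_.push_back({p, size});
    return p;
  }
  // Ingredient 1, quarantine: park the block instead of handing it back to the
  // allocator; a pointer that is not a live block (e.g. a double free) is ignored.
  void Free(void* p) {
    for (size_t i = 0; i < live_.size(); ++i) {
      if (live_[i].ptr != p) continue;
      quarantined_.push_back(live_[i]);
      quarantined_bytes_ += live_[i].size;
      live_.erase(live_.begin() + i);
      if (quarantined_bytes_ >= limit_) ScanAndSweep();
      return;
    }
  }
  // Registers a memory range (globals, a stack frame, ...) as scan roots.
  void AddRoot(void* begin, size_t bytes) { roots_.push_back({begin, bytes}); }
  // Ingredients 2 and 3. Returns how many quarantined blocks were released.
  size_t ScanAndSweep() {
    std::vector<bool> referenced(quarantined_.size(), false);
    // Scan: every pointer-sized word in roots and live heap blocks is treated
    // as a potential pointer (conservative; interior pointers count too).
    for (const Block& r : roots_) ScanRegion(r, referenced);
    for (const Block& b : live_) ScanRegion(b, referenced);
    // Sweep: return unreferenced blocks to the allocator, keep the rest.
    std::vector<Block> kept;
    size_t released = 0;
    for (size_t i = 0; i < quarantined_.size(); ++i) {
      if (referenced[i]) { kept.push_back(quarantined_[i]); continue; }
      quarantined_bytes_ -= quarantined_[i].size;
      std::free(quarantined_[i].ptr);
      ++released;
    }
    quarantined_.swap(kept);
    return released;
  }
  bool IsQuarantined(const void* p) const {
    for (const Block& b : quarantined_) if (b.ptr == p) return true;
    return false;
  }
 private:
  void ScanRegion(const Block& region, std::vector<bool>& referenced) const {
    const char* base = static_cast<const char*>(region.ptr);
    for (size_t off = 0; off + sizeof(uintptr_t) <= region.size; off += sizeof(uintptr_t)) {
      uintptr_t word;
      std::memcpy(&word, base + off, sizeof(word));  // no alignment assumptions
      for (size_t i = 0; i < quarantined_.size(); ++i) {
        uintptr_t lo = reinterpret_cast<uintptr_t>(quarantined_[i].ptr);
        if (word >= lo && word < lo + quarantined_[i].size) referenced[i] = true;
      }
    }
  }
  size_t limit_;
  size_t quarantined_bytes_ = 0;
  std::vector<Block> live_, quarantined_, roots_;
};

// Constructed scenario: `a` stays reachable through an interior pointer in a root
// and through a live heap block, `b` does not; clearing both references lets a
// second scan release `a` as well.
struct DemoResult { size_t first_released; bool a_kept; size_t second_released; };
DemoResult RunDemo() {
  QuarantineAllocator alloc(1 << 20);  // limit high enough to keep scans manual
  void* roots[1] = {nullptr};
  alloc.AddRoot(roots, sizeof(roots));
  char* a = static_cast<char*>(alloc.Allocate(64));
  void* b = alloc.Allocate(64);
  void** holder = static_cast<void**>(alloc.Allocate(sizeof(void*)));
  roots[0] = a + 16;  // interior pointer into `a`
  *holder = a;        // heap-to-heap reference
  alloc.Free(a); alloc.Free(b);  // both land in quarantine, nothing is released
  alloc.Free(a);                 // double free: ignored, `a` is already quarantined
  DemoResult r{alloc.ScanAndSweep(), alloc.IsQuarantined(a), 0};  // only `b` goes
  roots[0] = *holder = nullptr;  // drop the last references to `a`
  r.second_released = alloc.ScanAndSweep();  // now `a` is released too
  return r;
}

int main() {
  DemoResult r = RunDemo();
  std::printf("first scan: %zu released, a kept=%d; second scan: %zu released\n",
              r.first_released, r.a_kept ? 1 : 0, r.second_released);
}
```

The scan deliberately errs on the side of keeping blocks: any word whose value happens to fall inside a quarantined block, whether it is a real pointer or not, pins that block, which is why conservative scanning trades some memory retention for never releasing a block that might still be in use. A real implementation also has to scan thread stacks and registers, which is what PCScan's safe points are for.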
[Heap scanning algorithms](http://bit.ly/conservative-heap-scan) come in
different flavors that offer different performance and security characteristics.

*Probabilistic conservative scan (PCScan)* (`pcscan.{h,cc}`) is one particular
kind of heap scanning algorithm implemented on top of
[PartitionAlloc](../PartitionAlloc.md) with the following properties:

*   Memory blocks are scanned conservatively for pointers.
*   Scanning and sweeping are generally performed on a separate thread to
    maximize application performance.
*   Lazy safe points prohibit certain operations from modifying the memory graph
    and provide convenient entry points for scanning the stack.

PCScan is currently considered **experimental** - please do not use it in
production code just yet. It can be enabled in the following configurations via
`--enable-features` on builds that use PartitionAlloc as the
[main allocator](../../README.md):

*   `PartitionAllocPCScan`: All processes and all supporting partitions enable
    PCScan.
*   `PartitionAllocPCScanBrowserOnly`: Enables PCScan in the browser process
    for the default malloc partition.