1 // Copyright 2021 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef BASE_ALLOCATOR_PARTITION_ALLOCATOR_SRC_PARTITION_ALLOC_PARTITION_ALLOC_CONFIG_H_ 6 #define BASE_ALLOCATOR_PARTITION_ALLOCATOR_SRC_PARTITION_ALLOC_PARTITION_ALLOC_CONFIG_H_ 7 8 #include "build/build_config.h" 9 #include "partition_alloc/partition_alloc_base/debug/debugging_buildflags.h" 10 #include "partition_alloc/partition_alloc_buildflags.h" 11 12 // PA_CONFIG() uses a similar trick as BUILDFLAG() to allow the compiler catch 13 // typos or a missing #include. 14 // 15 // ----------------------------------------------------------------------------- 16 // Housekeeping Rules 17 // ----------------------------------------------------------------------------- 18 // 1. Prefix all config macros in this file with PA_CONFIG_ and define them in 19 // a function-like manner, e.g. PA_CONFIG_MY_SETTING(). 20 // 2. Both positive and negative cases must be defined. 21 // 3. Don't use PA_CONFIG_MY_SETTING() directly outside of its definition, use 22 // PA_CONFIG(flag-without-PA_CONFIG_) instead, e.g. PA_CONFIG(MY_SETTING). 23 // 4. Do not use PA_CONFIG() when defining config macros, or it will lead to 24 // recursion. Either use #if/#else, or PA_CONFIG_MY_SETTING() directly. 25 // 5. Similarly to above, but for a different reason, don't use defined() when 26 // defining config macros. It'd violate -Wno-expansion-to-defined. 27 // 6. Try to use constexpr instead of macros wherever possible. 28 // TODO(bartekn): Convert macros to constexpr or BUILDFLAG as much as possible. 29 #define PA_CONFIG(flag) (PA_CONFIG_##flag()) 30 31 // Assert that the heuristic in partition_alloc.gni is accurate on supported 32 // configurations. 33 #if BUILDFLAG(HAS_64_BIT_POINTERS) 34 static_assert(sizeof(void*) == 8, ""); 35 #else 36 static_assert(sizeof(void*) != 8, ""); 37 #endif // PA_CONFIG(HAS_64_BITS_POINTERS) 38 39 #if BUILDFLAG(HAS_64_BIT_POINTERS) && \ 40 (defined(__ARM_NEON) || defined(__ARM_NEON__)) && defined(__ARM_FP) 41 #define PA_CONFIG_STARSCAN_NEON_SUPPORTED() 1 42 #else 43 #define PA_CONFIG_STARSCAN_NEON_SUPPORTED() 0 44 #endif 45 46 #if BUILDFLAG(HAS_64_BIT_POINTERS) && BUILDFLAG(IS_IOS) 47 // Allow PA to select an alternate pool size at run-time before initialization, 48 // rather than using a single constexpr value. 49 // 50 // This is needed on iOS because iOS test processes can't handle large pools 51 // (see crbug.com/1250788). 52 // 53 // This setting is specific to 64-bit, as 32-bit has a different implementation. 54 #define PA_CONFIG_DYNAMICALLY_SELECT_POOL_SIZE() 1 55 #else 56 #define PA_CONFIG_DYNAMICALLY_SELECT_POOL_SIZE() 0 57 #endif // BUILDFLAG(HAS_64_BIT_POINTERS) && BUILDFLAG(IS_IOS) 58 59 #if BUILDFLAG(HAS_64_BIT_POINTERS) && \ 60 (BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_ANDROID)) 61 #include <linux/version.h> 62 // TODO(bikineev): Enable for ChromeOS. 63 #define PA_CONFIG_STARSCAN_UFFD_WRITE_PROTECTOR_SUPPORTED() \ 64 (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)) 65 #else 66 #define PA_CONFIG_STARSCAN_UFFD_WRITE_PROTECTOR_SUPPORTED() 0 67 #endif // BUILDFLAG(HAS_64_BIT_POINTERS) && 68 // (BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_ANDROID)) 69 70 #if BUILDFLAG(USE_STARSCAN) 71 // Use card table to avoid races for PCScan configuration without safepoints. 72 // The card table provides the guaranteee that for a marked card the underling 73 // super-page is fully initialized. 74 #define PA_CONFIG_STARSCAN_USE_CARD_TABLE() 1 75 #else 76 // The card table is permanently disabled for 32-bit. 77 #define PA_CONFIG_STARSCAN_USE_CARD_TABLE() 0 78 #endif // BUILDFLAG(USE_STARSCAN) 79 80 // Use batched freeing when sweeping pages. This builds up a freelist in the 81 // scanner thread and appends to the slot-span's freelist only once. 82 #define PA_CONFIG_STARSCAN_BATCHED_FREE() 1 83 84 // TODO(bikineev): Temporarily disable inlining in *Scan to get clearer 85 // stacktraces. 86 #define PA_CONFIG_STARSCAN_NOINLINE_SCAN_FUNCTIONS() 1 87 88 // TODO(bikineev): Temporarily disable *Scan in MemoryReclaimer as it seems to 89 // cause significant jank. 90 #define PA_CONFIG_STARSCAN_ENABLE_STARSCAN_ON_RECLAIM() 0 91 92 // Double free detection comes with expensive cmpxchg (with the loop around it). 93 // We currently disable it to improve the runtime. 94 #define PA_CONFIG_STARSCAN_EAGER_DOUBLE_FREE_DETECTION_ENABLED() 0 95 96 // POSIX is not only UNIX, e.g. macOS and other OSes. We do use Linux-specific 97 // features such as futex(2). 98 #define PA_CONFIG_HAS_LINUX_KERNEL() \ 99 (BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_ANDROID)) 100 101 // On some platforms, we implement locking by spinning in userspace, then going 102 // into the kernel only if there is contention. This requires platform support, 103 // namely: 104 // - On Linux, futex(2) 105 // - On Windows, a fast userspace "try" operation which is available with 106 // SRWLock 107 // - On macOS, pthread_mutex_trylock() is fast by default starting with macOS 108 // 10.14. Chromium targets an earlier version, so it cannot be known at 109 // compile-time. So we use something different. 110 // TODO(https://crbug.com/1459032): macOS 10.15 is now required; switch to 111 // better locking. 112 // - Otherwise, on POSIX we assume that a fast userspace pthread_mutex_trylock() 113 // is available. 114 // 115 // Otherwise, a userspace spinlock implementation is used. 116 #if PA_CONFIG(HAS_LINUX_KERNEL) || BUILDFLAG(IS_WIN) || BUILDFLAG(IS_APPLE) || \ 117 BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA) 118 #define PA_CONFIG_HAS_FAST_MUTEX() 1 119 #else 120 #define PA_CONFIG_HAS_FAST_MUTEX() 0 121 #endif 122 123 // If defined, enables zeroing memory on Free() with roughly 1% probability. 124 // This applies only to normal buckets, as direct-map allocations are always 125 // decommitted. 126 // TODO(bartekn): Re-enable once PartitionAlloc-Everywhere evaluation is done. 127 #define PA_CONFIG_ZERO_RANDOMLY_ON_FREE() 0 128 129 // Need TLS support. 130 #define PA_CONFIG_THREAD_CACHE_SUPPORTED() \ 131 (BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_WIN) || BUILDFLAG(IS_FUCHSIA)) 132 133 // Too expensive for official builds, as it adds cache misses to all 134 // allocations. On the other hand, we want wide metrics coverage to get 135 // realistic profiles. 136 #if BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) && !defined(OFFICIAL_BUILD) 137 #define PA_CONFIG_THREAD_CACHE_ALLOC_STATS() 1 138 #else 139 #define PA_CONFIG_THREAD_CACHE_ALLOC_STATS() 0 140 #endif 141 142 // Optional statistics collection. Lightweight, contrary to the ones above, 143 // hence enabled by default. 144 #define PA_CONFIG_THREAD_CACHE_ENABLE_STATISTICS() 1 145 146 // Enable free list shadow entry to strengthen hardening as much as possible. 147 // The shadow entry is an inversion (bitwise-NOT) of the encoded `next` pointer. 148 // 149 // Disabled when ref-count is placed in the previous slot, as it will overlap 150 // with the shadow for the smallest slots. 151 // 152 // Disabled on Big Endian CPUs, because encoding is also a bitwise-NOT there, 153 // making the shadow entry equal to the original, valid pointer to the next 154 // slot. In case Use-after-Free happens, we'd rather not hand out a valid, 155 // ready-to-use pointer. 156 #if !BUILDFLAG(PUT_REF_COUNT_IN_PREVIOUS_SLOT) && \ 157 defined(ARCH_CPU_LITTLE_ENDIAN) 158 #define PA_CONFIG_HAS_FREELIST_SHADOW_ENTRY() 1 159 #else 160 #define PA_CONFIG_HAS_FREELIST_SHADOW_ENTRY() 0 161 #endif 162 163 #if defined(ARCH_CPU_ARM64) && defined(__clang__) && \ 164 !defined(ADDRESS_SANITIZER) && \ 165 (BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_ANDROID)) 166 #define PA_CONFIG_HAS_MEMORY_TAGGING() 1 167 #else 168 #define PA_CONFIG_HAS_MEMORY_TAGGING() 0 169 #endif 170 171 #if PA_CONFIG(HAS_MEMORY_TAGGING) 172 static_assert(sizeof(void*) == 8); 173 #endif 174 175 // If memory tagging is enabled with BRP previous slot, the MTE tag and BRP ref 176 // count will cause a race (crbug.com/1445816). To prevent this, the 177 // ref_count_size is increased to the MTE granule size and the ref count is not 178 // tagged. 179 #if PA_CONFIG(HAS_MEMORY_TAGGING) && \ 180 BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) && \ 181 BUILDFLAG(PUT_REF_COUNT_IN_PREVIOUS_SLOT) 182 #define PA_CONFIG_INCREASE_REF_COUNT_SIZE_FOR_MTE() 1 183 #else 184 #define PA_CONFIG_INCREASE_REF_COUNT_SIZE_FOR_MTE() 0 185 #endif 186 187 // Specifies whether allocation extras need to be added. 188 #if BUILDFLAG(PA_DCHECK_IS_ON) || BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) 189 #define PA_CONFIG_EXTRAS_REQUIRED() 1 190 #else 191 #define PA_CONFIG_EXTRAS_REQUIRED() 0 192 #endif 193 194 // Count and total wall clock time spent in memory related system calls. This 195 // doesn't cover all system calls, in particular the ones related to locking. 196 // 197 // Not enabled by default, as it has a runtime cost, and causes issues with some 198 // builds (e.g. Windows). 199 // However the total count is collected on all platforms. 200 #define PA_CONFIG_COUNT_SYSCALL_TIME() 0 201 202 // On Windows, |thread_local| variables cannot be marked "dllexport", see 203 // compiler error C2492 at 204 // https://docs.microsoft.com/en-us/cpp/error-messages/compiler-errors-1/compiler-error-c2492?view=msvc-160. 205 // Don't use it there. 206 // 207 // On macOS and iOS: 208 // - With PartitionAlloc-Everywhere, thread_local allocates, reentering the 209 // allocator. 210 // - Component builds triggered a clang bug: crbug.com/1243375 211 // 212 // On GNU/Linux and ChromeOS: 213 // - `thread_local` allocates, reentering the allocator. 214 // 215 // Regardless, the "normal" TLS access is fast on x86_64 (see partition_tls.h), 216 // so don't bother with thread_local anywhere. 217 #if !(BUILDFLAG(IS_WIN) && defined(COMPONENT_BUILD)) && \ 218 !BUILDFLAG(IS_APPLE) && !BUILDFLAG(IS_LINUX) && !BUILDFLAG(IS_CHROMEOS) 219 #define PA_CONFIG_THREAD_LOCAL_TLS() 1 220 #else 221 #define PA_CONFIG_THREAD_LOCAL_TLS() 0 222 #endif 223 224 // When PartitionAlloc is malloc(), detect malloc() becoming re-entrant by 225 // calling malloc() again. 226 // 227 // Limitations: 228 // - BUILDFLAG(PA_DCHECK_IS_ON) due to runtime cost 229 // - thread_local TLS to simplify the implementation 230 // - Not on Android due to bot failures 231 #if BUILDFLAG(PA_DCHECK_IS_ON) && BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) && \ 232 PA_CONFIG(THREAD_LOCAL_TLS) && !BUILDFLAG(IS_ANDROID) 233 #define PA_CONFIG_HAS_ALLOCATION_GUARD() 1 234 #else 235 #define PA_CONFIG_HAS_ALLOCATION_GUARD() 0 236 #endif 237 238 // On Android, we have to go through emutls, since this is always a shared 239 // library, so don't bother. 240 #if PA_CONFIG(THREAD_LOCAL_TLS) && !BUILDFLAG(IS_ANDROID) 241 #define PA_CONFIG_THREAD_CACHE_FAST_TLS() 1 242 #else 243 #define PA_CONFIG_THREAD_CACHE_FAST_TLS() 0 244 #endif 245 246 // Lazy commit should only be enabled on Windows, because commit charge is 247 // only meaningful and limited on Windows. It affects performance on other 248 // platforms and is simply not needed there due to OS supporting overcommit. 249 #if BUILDFLAG(IS_WIN) 250 constexpr bool kUseLazyCommit = true; 251 #else 252 constexpr bool kUseLazyCommit = false; 253 #endif 254 255 // On these platforms, lock all the partitions before fork(), and unlock after. 256 // This may be required on more platforms in the future. 257 #define PA_CONFIG_HAS_ATFORK_HANDLER() \ 258 (BUILDFLAG(IS_APPLE) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)) 259 260 // PartitionAlloc uses PartitionRootEnumerator to acquire all 261 // PartitionRoots at BeforeFork and to release at AfterFork. 262 #if BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) && PA_CONFIG(HAS_ATFORK_HANDLER) 263 #define PA_CONFIG_USE_PARTITION_ROOT_ENUMERATOR() 1 264 #else 265 #define PA_CONFIG_USE_PARTITION_ROOT_ENUMERATOR() 0 266 #endif 267 268 // Due to potential conflict with the free list pointer in the "previous slot" 269 // mode in the smallest bucket, we can't check both the cookie and the dangling 270 // raw_ptr at the same time. 271 #define PA_CONFIG_REF_COUNT_CHECK_COOKIE() \ 272 (!(BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS) && \ 273 BUILDFLAG(PUT_REF_COUNT_IN_PREVIOUS_SLOT)) && \ 274 (BUILDFLAG(PA_DCHECK_IS_ON) || \ 275 BUILDFLAG(ENABLE_BACKUP_REF_PTR_SLOW_CHECKS))) 276 277 // Use available space in the reference count to store the initially requested 278 // size from the application. This is used for debugging. 279 #if !PA_CONFIG(REF_COUNT_CHECK_COOKIE) && \ 280 !BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS) 281 // Set to 1 when needed. 282 #define PA_CONFIG_REF_COUNT_STORE_REQUESTED_SIZE() 0 283 #else 284 // You probably want it at 0, outside of local testing, or else 285 // PartitionRefCount will grow past 8B. 286 #define PA_CONFIG_REF_COUNT_STORE_REQUESTED_SIZE() 0 287 #endif 288 289 #if PA_CONFIG(REF_COUNT_STORE_REQUESTED_SIZE) && \ 290 PA_CONFIG(REF_COUNT_CHECK_COOKIE) 291 #error "Cannot use a cookie *and* store the allocation size" 292 #endif 293 294 // Prefer smaller slot spans. 295 // 296 // Smaller slot spans may improve dirty memory fragmentation, but may also 297 // increase address space usage. 298 // 299 // This is intended to roll out more broadly, but only enabled on Linux for now 300 // to get performance bot and real-world data pre-A/B experiment. 301 // 302 // Also enabled on ARM64 macOS, as the 16kiB pages on this platform lead to 303 // larger slot spans. 304 #if BUILDFLAG(IS_LINUX) || (BUILDFLAG(IS_MAC) && defined(ARCH_CPU_ARM64)) 305 #define PA_CONFIG_PREFER_SMALLER_SLOT_SPANS() 1 306 #else 307 #define PA_CONFIG_PREFER_SMALLER_SLOT_SPANS() 0 308 #endif 309 310 // Enable shadow metadata. 311 // 312 // With this flag, shadow pools will be mapped, on which writable shadow 313 // metadatas are placed, and the real metadatas are set to read-only instead. 314 // This feature is only enabled with 64-bit environment because pools work 315 // differently with 32-bits pointers (see glossary). 316 #if BUILDFLAG(ENABLE_SHADOW_METADATA_FOR_64_BITS_POINTERS) && \ 317 BUILDFLAG(HAS_64_BIT_POINTERS) 318 #define PA_CONFIG_ENABLE_SHADOW_METADATA() 1 319 #else 320 #define PA_CONFIG_ENABLE_SHADOW_METADATA() 0 321 #endif 322 323 // According to crbug.com/1349955#c24, macOS 11 has a bug where they asset that 324 // malloc_size() of an allocation is equal to the requested size. This is 325 // generally not true. The assert passed only because it happened to be true for 326 // the sizes they requested. BRP changes that, hence can't be deployed without a 327 // workaround. 328 // 329 // The bug has been fixed in macOS 12. Here we can only check the platform, and 330 // the version is checked dynamically later. 331 #define PA_CONFIG_ENABLE_MAC11_MALLOC_SIZE_HACK() \ 332 (BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) && BUILDFLAG(IS_MAC)) 333 334 #if BUILDFLAG(ENABLE_POINTER_COMPRESSION) 335 336 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE) 337 #error "Dynamically selected pool size is currently not supported" 338 #endif 339 #if PA_CONFIG(HAS_MEMORY_TAGGING) 340 // TODO(1376980): Address MTE once it's enabled. 341 #error "Compressed pointers don't support tag in the upper bits" 342 #endif 343 344 #endif // BUILDFLAG(ENABLE_POINTER_COMPRESSION) 345 346 // PA_CONFIG(IS_NONCLANG_MSVC): mimics the compound condition used by 347 // Chromium's `//base/compiler_specific.h` to detect true (non-Clang) 348 // MSVC. 349 #if defined(COMPILER_MSVC) && !defined(__clang__) 350 #define PA_CONFIG_IS_NONCLANG_MSVC() 1 351 #else 352 #define PA_CONFIG_IS_NONCLANG_MSVC() 0 353 #endif 354 355 #endif // BASE_ALLOCATOR_PARTITION_ALLOCATOR_SRC_PARTITION_ALLOC_PARTITION_ALLOC_CONFIG_H_ 356