1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BASE_ALLOCATOR_PARTITION_ALLOCATOR_SRC_PARTITION_ALLOC_PARTITION_ALLOC_BASE_RAND_UTIL_H_
6 #define BASE_ALLOCATOR_PARTITION_ALLOCATOR_SRC_PARTITION_ALLOC_PARTITION_ALLOC_BASE_RAND_UTIL_H_
7 
8 #include <stddef.h>
9 #include <stdint.h>
10 
11 #include "build/build_config.h"
12 #include "partition_alloc/partition_alloc_base/component_export.h"
13 
14 namespace partition_alloc {
15 class RandomGenerator;
16 
17 namespace internal {
18 template <size_t>
19 class LightweightQuarantineBranch;
20 }
21 }  // namespace partition_alloc
22 
23 namespace partition_alloc::internal::base {
24 
// Returns a random number in range [0, UINT64_MAX]. Thread-safe.
PA_COMPONENT_EXPORT(PARTITION_ALLOC_BASE) uint64_t RandUint64();

// Returns a random number in range [0, range).  Thread-safe.
// NOTE(review): the precondition on |range| is not stated here; since
// [0, 0) is empty, presumably range > 0 is required -- confirm against the
// out-of-line definition before relying on range == 0 behaviour.
PA_COMPONENT_EXPORT(PARTITION_ALLOC_BASE)
uint64_t RandGenerator(uint64_t range);

// Fills |output_length| bytes of |output| with random data. Thread-safe.
// |output| must point to at least |output_length| writable bytes; with a
// void*/size_t interface the callee cannot verify this itself.
//
// Although implementations are required to use a cryptographically secure
// random number source, code outside of base/ that relies on this should use
// crypto::RandBytes instead to ensure the requirement is easily discoverable.
PA_COMPONENT_EXPORT(PARTITION_ALLOC_BASE)
void RandBytes(void* output, size_t output_length);
39 
40 // Fast, insecure pseudo-random number generator.
41 //
42 // WARNING: This is not the generator you are looking for. This has significant
43 // caveats:
44 //   - It is non-cryptographic, so easy to misuse
45 //   - It is neither fork() nor clone()-safe.
46 //   - Synchronization is up to the client.
47 //
48 // Always prefer base::Rand*() above, unless you have a use case where its
49 // overhead is too high, or system calls are disallowed.
50 //
51 // Performance: As of 2021, rough overhead on Linux on a desktop machine of
52 // base::RandUint64() is ~800ns per call (it performs a system call). On Windows
53 // it is lower. On the same machine, this generator's cost is ~2ns per call,
54 // regardless of platform.
55 //
56 // This is different from |Rand*()| above as it is guaranteed to never make a
57 // system call to generate a new number, except to seed it.  This should *never*
58 // be used for cryptographic applications, and is not thread-safe.
59 //
60 // It is seeded using base::RandUint64() in the constructor, meaning that it
61 // doesn't need to be seeded. It can be re-seeded though, with
62 // ReseedForTesting(). Its period is long enough that it should not need to be
63 // re-seeded during use.
64 //
65 // Uses the XorShift128+ generator under the hood.
class PA_COMPONENT_EXPORT(PARTITION_ALLOC_BASE) InsecureRandomGenerator {
 public:
  // Presumably re-derives the generator state from |seed| (defined out of
  // line -- confirm in the .cc).
  // Never use outside testing, not enough entropy: a single 64-bit seed cannot
  // fill the 128 bits of state below with independent entropy.
  void ReseedForTesting(uint64_t seed);

  // Next output, 32 or 64 bits wide. Non-const because each call is expected
  // to advance a_/b_; per the class comment this is not thread-safe, so
  // callers serialize access themselves.
  uint32_t RandUint32();
  uint64_t RandUint64();

  // Test-only factory. The constructor is private, so outside the friend
  // classes listed below this is the only way to obtain an instance.
  static InsecureRandomGenerator ConstructForTesting() {
    return InsecureRandomGenerator();
  }

 private:
  // Seeds the generator (from base::RandUint64(), per the class comment).
  // Defined out of line.
  InsecureRandomGenerator();
  // State: the two XorShift128+ state words. The zero initializers are only
  // the pre-seeding value -- an all-zero state is a fixed point of
  // XorShift128+ and would yield zeros forever -- so the constructor must seed
  // before the first Rand*() call. Copying is implicitly allowed and
  // duplicates the state: two copies then emit the same sequence.
  uint64_t a_ = 0, b_ = 0;

  // Before adding a new friend class, make sure that the overhead of
  // base::Rand*() is too high, using something more representative than a
  // microbenchmark.
  //
  // PartitionAlloc allocations should not take more than 40-50ns per
  // malloc()/free() pair, otherwise high-level benchmarks regress, and does not
  // need a secure PRNG, as it's used for ASLR and zeroing some allocations at
  // free() time.
  friend class ::partition_alloc::RandomGenerator;
  template <size_t>
  friend class ::partition_alloc::internal::LightweightQuarantineBranch;
};
95 
96 }  // namespace partition_alloc::internal::base
97 
98 #endif  // BASE_ALLOCATOR_PARTITION_ALLOCATOR_SRC_PARTITION_ALLOC_PARTITION_ALLOC_BASE_RAND_UTIL_H_