I ran a mondo comparing the new allocator base vs. old allocator base; the results are within statistical noise (ordinary flakiness).

Q: Let a = 0x555555555000 + 2**CONFIG_ARCH_MMAP_RND_BITS * 4096 (is this the max load base in the kernel?), is this patch try to make [a, a+image_size) and [kAllocatorSpace,kAllocatorSpace+kAllocatorSize) not interact?

If yes, 0x500000000000ULL looks like a good choice!

In D147984#4263779, @MaskRay wrote:

Q: Let a = 0x555555555000 + 2**CONFIG_ARCH_MMAP_RND_BITS * 4096 (is this the max load base in the kernel?), is this patch try to make [a, a+image_size) and [kAllocatorSpace,kAllocatorSpace+kAllocatorSize) not interact?

Yes, that is one of the constraints.

The other constraint is: let b be the library segments, which start at roughly (ignoring the stack) 0x7FFFFFFFFFFF - 2**CONFIG_ARCH_MMAP_RND_BITS * 4096, growing downwards. We need to have [b, b-library_images_size] and [kAllocatorSpace,kAllocatorSpace+kAllocatorSize) not conflict either.

For "reasonable" sizes of image_size, library_images_size and allocator_size, it's actually possible to squeeze the allocator in between the program segment and library segment regions ((0x7fffffffffff - 0x555500000000 - 2* ((2**32) * 4096)) = 10.7TB that can be distributed between the three sizes), but placing it underneath the program segments sidesteps the issue entirely.

Bonus pics of the ASan memory layout before and after the change: https://docs.google.com/presentation/d/1z39DhQxUCT31OBOWWAtjd48BwCm0PgXeaG67QDs3TZI/edit

In D147984#4263790, @thurston wrote:

In D147984#4263779, @MaskRay wrote:

Q: Let a = 0x555555555000 + 2**CONFIG_ARCH_MMAP_RND_BITS * 4096 (is this the max load base in the kernel?), is this patch try to make [a, a+image_size) and [kAllocatorSpace,kAllocatorSpace+kAllocatorSize) not interact?

Yes, that is one of the constraints.

The other constraint is: let b be the library segments, which start at roughly (ignoring the stack) 0x7FFFFFFFFFFF - 2**CONFIG_ARCH_MMAP_RND_BITS * 4096, growing downwards. We need to have [b, b-library_images_size] and [kAllocatorSpace,kAllocatorSpace+kAllocatorSize) not conflict either.

For "reasonable" sizes of image_size, library_images_size and allocator_size, it's actually possible to squeeze the allocator in between the program segment and library segment regions ((0x7fffffffffff - 0x555500000000 - 2* ((2**32) * 4096)) = 10.7TB that can be distributed between the three sizes), but placing it underneath the program segments sidesteps the issue entirely.

Bonus pics of the ASan memory layout before and after the change: https://docs.google.com/presentation/d/1z39DhQxUCT31OBOWWAtjd48BwCm0PgXeaG67QDs3TZI/edit

Thank you! The formula and the doc are very useful. I have some understanding of CONFIG_ARCH_MMAP_RND_BITS now...

This broke the lit tests on Mac: LeakSanitizer-AddressSanitizer-x86_64 :: TestCases/Darwin/trampoline.mm
@lgrey who added that in D129385 maybe has some idea of what's going on?

I'll revert this for now.

In D147984#4264112, @hans wrote:

This broke the lit tests on Mac: LeakSanitizer-AddressSanitizer-x86_64 :: TestCases/Darwin/trampoline.mm
@lgrey who added that in D129385 maybe has some idea of what's going on?

I'll revert this for now.

Thanks, looking now. Since this wasn't intended to affect Darwin anyway, it can probably reland with SANITIZER_APPLE excluded

Confining this to non-Apple platforms looks good to me.

Note that this change (I believe) also affects other less-used 64-bit platforms like s390x/mips64 that I don't know how to test... I think they are likely fine with the change but I cannot say for sure.
Does the Linux kernel documentation give some way to derive the memory mapping layout easily? ;-)

In D147984#4266106, @MaskRay wrote:

Confining this to non-Apple platforms looks good to me.

Note that this change (I believe) also affects other less-used 64-bit platforms like s390x/mips64 that I don't know how to test... I think they are likely fine with the change but I cannot say for sure.

Good point. How about limiting the change to SANITIZER_LINUX && (defined(__x86_64__)?

Does the Linux kernel documentation give some way to derive the memory mapping layout easily? ;-)

Dynamically or statically?

In D147984#4266183, @thurston wrote:

In D147984#4266106, @MaskRay wrote:

Confining this to non-Apple platforms looks good to me.

Note that this change (I believe) also affects other less-used 64-bit platforms like s390x/mips64 that I don't know how to test... I think they are likely fine with the change but I cannot say for sure.

Good point. How about limiting the change to SANITIZER_LINUX && (defined(__x86_64__)?

Not needed:) I have tested this on an AArch64 Linux machine and it works fine.
I think it works with aarch64/amd64 FreeBSD as well and have a fair chance to work on s390x/mips.
Perhaps just Apple platforms need to be excluded.

Does the Linux kernel documentation give some way to derive the memory mapping layout easily? ;-)

Dynamically or statically?

Statically to judge whether a kAllocatorSpace choice without having to run programs in a qemu-system environment:)

In D147984#4266218, @MaskRay wrote:

In D147984#4266183, @thurston wrote:

In D147984#4266106, @MaskRay wrote:

Confining this to non-Apple platforms looks good to me.

Note that this change (I believe) also affects other less-used 64-bit platforms like s390x/mips64 that I don't know how to test... I think they are likely fine with the change but I cannot say for sure.

Good point. How about limiting the change to SANITIZER_LINUX && (defined(__x86_64__)?

Not needed:) I have tested this on an AArch64 Linux machine and it works fine.
I think it works with aarch64/amd64 FreeBSD as well and have a fair chance to work on s390x/mips.
Perhaps just Apple platforms need to be excluded.

I wouldn't want to risk breaking anyone's S390 or MIPS setups. How about making it (SANITIZER_FREEBSD || SANITIZER_LINUX) && (defined(__x86_64__)?
(It's not necessary to opt-in aarch64 because the old mapping also works for them.)

Does the Linux kernel documentation give some way to derive the memory mapping layout easily? ;-)

Dynamically or statically?

Statically to judge whether a kAllocatorSpace choice without having to run programs in a qemu-system environment:)

That's pretty hard AFAICS. The kernel source code doesn't actually define constants such as 0x555555550000 (the program segment start location) - which made it fun trying to reverse engineer :-). The magic happens in:

#define ELF_ET_DYN_BASE		(2 * DEFAULT_MAP_WINDOW_64 / 3)

and then you need to go down the rabbit hole to find the DEFAULT_MAP_WINDOW_64 value (which is defined in terms of VA_BITS_MIN ...). We also need to calculate ASLR, and the library segments start location and stack size (if we want to place the allocator in between the library and program segments).

We also need to make sure that the allocator doesn't conflict with ASan's shadow mappings, though that can be trivially solved at runtime.

In D147984#4266390, @thurston wrote:

In D147984#4266218, @MaskRay wrote:

In D147984#4266183, @thurston wrote:

In D147984#4266106, @MaskRay wrote:

Confining this to non-Apple platforms looks good to me.

Note that this change (I believe) also affects other less-used 64-bit platforms like s390x/mips64 that I don't know how to test... I think they are likely fine with the change but I cannot say for sure.

Good point. How about limiting the change to SANITIZER_LINUX && (defined(__x86_64__)?

Not needed:) I have tested this on an AArch64 Linux machine and it works fine.
I think it works with aarch64/amd64 FreeBSD as well and have a fair chance to work on s390x/mips.
Perhaps just Apple platforms need to be excluded.

I wouldn't want to risk breaking anyone's S390 or MIPS setups. How about making it (SANITIZER_FREEBSD || SANITIZER_LINUX) && (defined(__x86_64__)?
(It's not necessary to opt-in aarch64 because the old mapping also works for them.)

I have checked mappings on an x86-64 FreeBSD machine. The address is fine. aarch64 FreeBSD should behave similarly.

I think there is very large chance that 0x500000000000ULL will work for s390x and mips64, so we don't need to be too defensive here.
In the worst case s390x and mips64 can opt out in a future commit...

Does the Linux kernel documentation give some way to derive the memory mapping layout easily? ;-)

Dynamically or statically?

Statically to judge whether a kAllocatorSpace choice without having to run programs in a qemu-system environment:)

That's pretty hard AFAICS. The kernel source code doesn't actually define constants such as 0x555555550000 (the program segment start location) - which made it fun trying to reverse engineer :-). The magic happens in:

#define ELF_ET_DYN_BASE		(2 * DEFAULT_MAP_WINDOW_64 / 3)

and then you need to go down the rabbit hole to find the DEFAULT_MAP_WINDOW_64 value (which is defined in terms of VA_BITS_MIN ...). We also need to calculate ASLR, and the library segments start location and stack size (if we want to place the allocator in between the library and program segments).

We also need to make sure that the allocator doesn't conflict with ASan's shadow mappings, though that can be trivially solved at runtime.

Reading #define ELF_ET_DYN_BASE is how I approached this as well. Sigh, no good way...

Thanks hans for the heads up about the failed test and taking care of the revert, and lgrey and MaskRay for the advice on how to revise the patch! It's been re-landed (with the suggested change) in D148280.