This is an archive of the discontinued LLVM Phabricator instance.

Differential D43949

[scudo] Secondary allocator overhaul to support Windows
ClosedPublic

Authored by cryptoad on Mar 1 2018, 9:12 AM.

Details

Reviewers
alekseyshl
flowerhack
Commits
rGe95ef87663ee: [scudo] Secondary allocator overhaul to support Windows
rL327321: [scudo] Secondary allocator overhaul to support Windows
rCRT327321: [scudo] Secondary allocator overhaul to support Windows
Summary

The need for this change stems from the fact that Windows doesn't support
partial unmapping (MEM_RELEASE implies the entire allocated region). So we
now have to keep track of the reserved region and the committed region, so that
we can function without the trimming we did when dealing with larger alignments.

Instead of just having a ReservedAddressRange per chunk, we introduce a
LargeChunkHeader (and LargeChunk namespace) that additionally holds the
committed size and the usable size. The former is needed for stats purposes,
the latter is used by the frontend. Requiring both is debatable, we could only
work with the usable size but then be off by up to a page per chunk when
dealing with stats.

Additionally, we introduce more stats since they turned out to be useful for
experiments, and a PrintStats function that will be used by the combined
allocator in later patch.

Diff Detail

Event Timeline

cryptoad created this revision.Mar 1 2018, 9:12 AM
Harbormaster completed remote builds in B15576: Diff 136550.Mar 1 2018, 9:12 AM
Herald added subscribers: Restricted Project, delcypher. · View Herald TranscriptMar 1 2018, 9:12 AM
cryptoad updated this revision to Diff 136551.Mar 1 2018, 9:33 AM

Reordering a couple of lines, adding an UNLIKELY.

Harbormaster completed remote builds in B15577: Diff 136551.Mar 1 2018, 9:35 AM
cryptoad added a reviewer: flowerhack.Mar 1 2018, 9:35 AM
alekseyshl added a comment.Mar 2 2018, 7:55 AM

Seems sane and I like the fact that it is more uniform now, but need some more time processing it. Meanwhile, since Windows requirements are so different, have you thought about having a separate, Windows-specific secondary allocator?

alekseyshl added inline comments.Mar 2 2018, 3:23 PM
lib/scudo/scudo_allocator_secondary.h
135–138

This is definitely confusing. One getHeader() expects user mem ptr, another expects chunk header ptr. Not sure what's the best way to improve it yet.

cryptoad added inline comments.Mar 5 2018, 8:07 AM
lib/scudo/scudo_allocator_secondary.h
135–138

Initially I was going to add a comment with some chunk layout, eg:

+------------------+
| Guard page(s)    |
+------------------+
| Unused space*    |
+------------------+
| LargeChunkHeader |
+------------------+
| PackedHeader     |
+------------------+
| Data             |
+------------------+
| Unused space**   |
+------------------+
| Guard page(s)    |
+------------------+

The frontend deals with the {Unp,P}ackedHeader, and the Secondary being part of the Backend deals with the LargeChunkHeader.
While I agree that the distinction can be tenuous to make, it makes sense to me that the 2 getHeader work on different pointers.

alekseyshl added inline comments.Mar 5 2018, 10:06 AM
lib/scudo/scudo_allocator_secondary.h
135–138

I would agree with Frontend/Backend separation argument, should this class not be aware of and not use "Chunk::getHeaderSize()".

cryptoad added inline comments.Mar 5 2018, 10:21 AM
lib/scudo/scudo_allocator_secondary.h
135–138

This is indeed the annoying part.
I was thinking about this recently: in the current state of things we need the frontend header size because the user pointer has to be aligned, so we have to know how much space the frontend header is taking. I could pass that header size as ExtraBytes or something to the Secondary that would still do the necessary adjustments.
I don't see a way out without the secondary taking care of it's own alignment needs.

alekseyshl accepted this revision.Mar 8 2018, 1:10 PM
alekseyshl added inline comments.
lib/scudo/scudo_allocator_secondary.h
135–138

Ok, I have no better ideas at the moment. let's add the comment with the chunk alignment graphics and leave it at that.

This revision is now accepted and ready to land.Mar 8 2018, 1:10 PM
cryptoad updated this revision to Diff 137772.Mar 9 2018, 9:06 AM

Added comment with chunk layout.
Moved the LargeChunkHeader inside the LargeChunk namespace as Header,
because it makes more sense to me.

cryptoad marked 5 inline comments as done.Mar 9 2018, 9:07 AM
Harbormaster completed remote builds in B15886: Diff 137772.Mar 9 2018, 9:07 AM
alekseyshl accepted this revision.Mar 9 2018, 11:19 AM
Closed by commit rCRT327321: [scudo] Secondary allocator overhaul to support Windows (authored by cryptoad). · Explain WhyMar 12 2018, 12:34 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

Diff 138074

lib/scudo/scudo_allocator_combined.h

Show First 20 LinesShow All 46 Lines▼ Show 20 Lines public:
void deallocateSecondary(void *Ptr) { void deallocateSecondary(void *Ptr) {
Secondary.Deallocate(&Stats, Ptr); Secondary.Deallocate(&Stats, Ptr);
} }
uptr getActuallyAllocatedSize(void *Ptr, uptr ClassId) { uptr getActuallyAllocatedSize(void *Ptr, uptr ClassId) {
if (ClassId) if (ClassId)
return PrimaryAllocator::ClassIdToSize(ClassId); return PrimaryAllocator::ClassIdToSize(ClassId);
return Secondary.GetActuallyAllocatedSize(Ptr); return SecondaryAllocator::GetActuallyAllocatedSize(Ptr);
} }
void initCache(AllocatorCache *Cache) { void initCache(AllocatorCache *Cache) {
Cache->Init(&Stats); Cache->Init(&Stats);
} }
void destroyCache(AllocatorCache *Cache) { void destroyCache(AllocatorCache *Cache) {
Cache->Destroy(&Primary, &Stats); Cache->Destroy(&Primary, &Stats);
Show All 13 Lines

lib/scudo/scudo_allocator_secondary.h

Show All 15 Lines
#ifndef SCUDO_ALLOCATOR_SECONDARY_H_ #ifndef SCUDO_ALLOCATOR_SECONDARY_H_
#define SCUDO_ALLOCATOR_SECONDARY_H_ #define SCUDO_ALLOCATOR_SECONDARY_H_
#ifndef SCUDO_ALLOCATOR_H_ #ifndef SCUDO_ALLOCATOR_H_
# error "This file must be included inside scudo_allocator.h." # error "This file must be included inside scudo_allocator.h."
#endif #endif
// Secondary backed allocations are standalone chunks that contain extra
// information stored in a LargeChunk::Header prior to the frontend's header.
//
// The secondary takes care of alignment requirements (so that it can release
// unnecessary pages in the rare event of larger alignments), and as such must
// know about the frontend's header size.
//
// Since Windows doesn't support partial releasing of a reserved memory region,
// we have to keep track of both the reserved and the committed memory.
//
// The resulting chunk resembles the following:
//
// +--------------------+
// | Guard page(s) |
// +--------------------+
// | Unused space* |
// +--------------------+
// | LargeChunk::Header |
// +--------------------+
// | {Unp,P}ackedHeader |
// +--------------------+
// | Data (aligned) |
// +--------------------+
// | Unused space** |
// +--------------------+
// | Guard page(s) |
// +--------------------+
namespace LargeChunk {
struct Header {
ReservedAddressRange StoredRange;
uptr CommittedSize;
uptr Size;
};
constexpr uptr getHeaderSize() {
return RoundUpTo(sizeof(Header), MinAlignment);
}
static Header *getHeader(uptr Ptr) {
return reinterpret_cast<Header *>(Ptr - getHeaderSize());
}
static Header *getHeader(const void *Ptr) {
return getHeader(reinterpret_cast<uptr>(Ptr));
}
} // namespace LargeChunk
class ScudoLargeMmapAllocator { class ScudoLargeMmapAllocator {
public: public:
void Init() { void Init() {
PageSizeCached = GetPageSizeCached(); NumberOfAllocs = 0;
NumberOfFrees = 0;
AllocatedBytes = 0;
FreedBytes = 0;
LargestSize = 0;
} }
void *Allocate(AllocatorStats *Stats, uptr Size, uptr Alignment) { void *Allocate(AllocatorStats *Stats, uptr Size, uptr Alignment) {
const uptr UserSize = Size - Chunk::getHeaderSize(); const uptr UserSize = Size - Chunk::getHeaderSize();
// The Scudo frontend prevents us from allocating more than // The Scudo frontend prevents us from allocating more than
// MaxAllowedMallocSize, so integer overflow checks would be superfluous. // MaxAllowedMallocSize, so integer overflow checks would be superfluous.
uptr MapSize = Size + AlignedReservedAddressRangeSize; uptr ReservedSize = Size + LargeChunk::getHeaderSize();
if (Alignment > MinAlignment) if (UNLIKELY(Alignment > MinAlignment))
MapSize += Alignment; ReservedSize += Alignment;
const uptr PageSize = PageSizeCached; const uptr PageSize = GetPageSizeCached();
MapSize = RoundUpTo(MapSize, PageSize); ReservedSize = RoundUpTo(ReservedSize, PageSize);
// Account for 2 guard pages, one before and one after the chunk. // Account for 2 guard pages, one before and one after the chunk.
MapSize += 2 * PageSize; ReservedSize += 2 * PageSize;
ReservedAddressRange AddressRange; ReservedAddressRange AddressRange;
uptr MapBeg = AddressRange.Init(MapSize); uptr ReservedBeg = AddressRange.Init(ReservedSize);
if (UNLIKELY(MapBeg == ~static_cast<uptr>(0))) if (UNLIKELY(ReservedBeg == ~static_cast<uptr>(0)))
return ReturnNullOrDieOnFailure::OnOOM(); return ReturnNullOrDieOnFailure::OnOOM();
// A page-aligned pointer is assumed after that, so check it now. // A page-aligned pointer is assumed after that, so check it now.
CHECK(IsAligned(MapBeg, PageSize)); DCHECK(IsAligned(ReservedBeg, PageSize));
uptr MapEnd = MapBeg + MapSize; uptr ReservedEnd = ReservedBeg + ReservedSize;
// The beginning of the user area for that allocation comes after the // The beginning of the user area for that allocation comes after the
// initial guard page, and both headers. This is the pointer that has to // initial guard page, and both headers. This is the pointer that has to
// abide by alignment requirements. // abide by alignment requirements.
uptr UserBeg = MapBeg + PageSize + HeadersSize; uptr CommittedBeg = ReservedBeg + PageSize;
uptr UserBeg = CommittedBeg + HeadersSize;
uptr UserEnd = UserBeg + UserSize; uptr UserEnd = UserBeg + UserSize;
uptr CommittedEnd = RoundUpTo(UserEnd, PageSize);
// In the rare event of larger alignments, we will attempt to fit the mmap // In the rare event of larger alignments, we will attempt to fit the mmap
// area better and unmap extraneous memory. This will also ensure that the // area better and unmap extraneous memory. This will also ensure that the
// offset and unused bytes field of the header stay small. // offset and unused bytes field of the header stay small.
if (Alignment > MinAlignment) { if (UNLIKELY(Alignment > MinAlignment)) {
if (!IsAligned(UserBeg, Alignment)) { if (!IsAligned(UserBeg, Alignment)) {
UserBeg = RoundUpTo(UserBeg, Alignment); UserBeg = RoundUpTo(UserBeg, Alignment);
DCHECK_GE(UserBeg, MapBeg); CommittedBeg = RoundDownTo(UserBeg - HeadersSize, PageSize);
const uptr NewMapBeg = RoundDownTo(UserBeg - HeadersSize, PageSize) - const uptr NewReservedBeg = CommittedBeg - PageSize;
PageSize; DCHECK_GE(NewReservedBeg, ReservedBeg);
DCHECK_GE(NewMapBeg, MapBeg); if (!SANITIZER_WINDOWS && NewReservedBeg != ReservedBeg) {
if (NewMapBeg != MapBeg) { AddressRange.Unmap(ReservedBeg, NewReservedBeg - ReservedBeg);
AddressRange.Unmap(MapBeg, NewMapBeg - MapBeg); ReservedBeg = NewReservedBeg;
MapBeg = NewMapBeg;
} }
UserEnd = UserBeg + UserSize; UserEnd = UserBeg + UserSize;
CommittedEnd = RoundUpTo(UserEnd, PageSize);
}
const uptr NewReservedEnd = CommittedEnd + PageSize;
DCHECK_LE(NewReservedEnd, ReservedEnd);
if (!SANITIZER_WINDOWS && NewReservedEnd != ReservedEnd) {
AddressRange.Unmap(NewReservedEnd, ReservedEnd - NewReservedEnd);
ReservedEnd = NewReservedEnd;
} }
const uptr NewMapEnd = RoundUpTo(UserEnd, PageSize) + PageSize;
if (NewMapEnd != MapEnd) {
AddressRange.Unmap(NewMapEnd, MapEnd - NewMapEnd);
MapEnd = NewMapEnd;
}
MapSize = MapEnd - MapBeg;
} }
DCHECK_LE(UserEnd, MapEnd - PageSize); DCHECK_LE(UserEnd, CommittedEnd);
// Actually mmap the memory, preserving the guard pages on either side const uptr CommittedSize = CommittedEnd - CommittedBeg;
CHECK_EQ(MapBeg + PageSize, // Actually mmap the memory, preserving the guard pages on either sides.
AddressRange.Map(MapBeg + PageSize, MapSize - 2 * PageSize)); CHECK_EQ(CommittedBeg, AddressRange.Map(CommittedBeg, CommittedSize));
const uptr Ptr = UserBeg - Chunk::getHeaderSize(); const uptr Ptr = UserBeg - Chunk::getHeaderSize();
ReservedAddressRange *StoredRange = getReservedAddressRange(Ptr); LargeChunk::Header *H = LargeChunk::getHeader(Ptr);
*StoredRange = AddressRange; H->StoredRange = AddressRange;
H->Size = CommittedEnd - Ptr;
H->CommittedSize = CommittedSize;
alekseyshlUnsubmitted
Done
ReplyInline Actions

This is definitely confusing. One getHeader() expects user mem ptr, another expects chunk header ptr. Not sure what's the best way to improve it yet.

alekseyshl: This is definitely confusing. One getHeader() expects user mem ptr, another expects chunk…
cryptoadAuthorUnsubmitted
Done
ReplyInline Actions

Initially I was going to add a comment with some chunk layout, eg:

+------------------+
| Guard page(s)    |
+------------------+
| Unused space*    |
+------------------+
| LargeChunkHeader |
+------------------+
| PackedHeader     |
+------------------+
| Data             |
+------------------+
| Unused space**   |
+------------------+
| Guard page(s)    |
+------------------+

The frontend deals with the {Unp,P}ackedHeader, and the Secondary being part of the Backend deals with the LargeChunkHeader.
While I agree that the distinction can be tenuous to make, it makes sense to me that the 2 getHeader work on different pointers.

cryptoad: Initially I was going to add a comment with some chunk layout, eg: ```+------------------+ |…
alekseyshlUnsubmitted
Done
ReplyInline Actions

I would agree with Frontend/Backend separation argument, should this class not be aware of and not use "Chunk::getHeaderSize()".

alekseyshl: I would agree with Frontend/Backend separation argument, should this class not be aware of and…
cryptoadAuthorUnsubmitted
Done
ReplyInline Actions

This is indeed the annoying part.
I was thinking about this recently: in the current state of things we need the frontend header size because the user pointer has to be aligned, so we have to know how much space the frontend header is taking. I could pass that header size as ExtraBytes or something to the Secondary that would still do the necessary adjustments.
I don't see a way out without the secondary taking care of it's own alignment needs.

cryptoad: This is indeed the annoying part. I was thinking about this recently: in the current state of…
alekseyshlUnsubmitted
Done
ReplyInline Actions

Ok, I have no better ideas at the moment. let's add the comment with the chunk alignment graphics and leave it at that.

alekseyshl: Ok, I have no better ideas at the moment. let's add the comment with the chunk alignment…
// The primary adds the whole class size to the stats when allocating a // The primary adds the whole class size to the stats when allocating a
// chunk, so we will do something similar here. But we will not account for // chunk, so we will do something similar here. But we will not account for
// the guard pages. // the guard pages.
{ {
SpinMutexLock l(&StatsMutex); SpinMutexLock l(&StatsMutex);
Stats->Add(AllocatorStatAllocated, MapSize - 2 * PageSize); Stats->Add(AllocatorStatAllocated, CommittedSize);
Stats->Add(AllocatorStatMapped, MapSize - 2 * PageSize); Stats->Add(AllocatorStatMapped, CommittedSize);
AllocatedBytes += CommittedSize;
if (LargestSize < CommittedSize)
LargestSize = CommittedSize;
NumberOfAllocs++;
} }
return reinterpret_cast<void *>(Ptr); return reinterpret_cast<void *>(Ptr);
} }
void Deallocate(AllocatorStats *Stats, void *Ptr) { void Deallocate(AllocatorStats *Stats, void *Ptr) {
LargeChunk::Header *H = LargeChunk::getHeader(Ptr);
// Since we're unmapping the entirety of where the ReservedAddressRange // Since we're unmapping the entirety of where the ReservedAddressRange
// actually is, copy onto the stack. // actually is, copy onto the stack.
const uptr PageSize = PageSizeCached; ReservedAddressRange AddressRange = H->StoredRange;
ReservedAddressRange AddressRange = *getReservedAddressRange(Ptr); const uptr Size = H->CommittedSize;
{ {
SpinMutexLock l(&StatsMutex); SpinMutexLock l(&StatsMutex);
Stats->Sub(AllocatorStatAllocated, AddressRange.size() - 2 * PageSize); Stats->Sub(AllocatorStatAllocated, Size);
Stats->Sub(AllocatorStatMapped, AddressRange.size() - 2 * PageSize); Stats->Sub(AllocatorStatMapped, Size);
FreedBytes += Size;
NumberOfFrees++;
} }
AddressRange.Unmap(reinterpret_cast<uptr>(AddressRange.base()), AddressRange.Unmap(reinterpret_cast<uptr>(AddressRange.base()),
AddressRange.size()); AddressRange.size());
} }
uptr GetActuallyAllocatedSize(void *Ptr) { static uptr GetActuallyAllocatedSize(void *Ptr) {
const ReservedAddressRange *StoredRange = getReservedAddressRange(Ptr); return LargeChunk::getHeader(Ptr)->Size;
// Deduct PageSize as ReservedAddressRange size includes the trailing guard
// page.
const uptr MapEnd = reinterpret_cast<uptr>(StoredRange->base()) +
StoredRange->size() - PageSizeCached;
return MapEnd - reinterpret_cast<uptr>(Ptr);
} }
private: void PrintStats() {
ReservedAddressRange *getReservedAddressRange(uptr Ptr) { Printf("Stats: LargeMmapAllocator: allocated %zd times (%zd K), "
return reinterpret_cast<ReservedAddressRange*>( "freed %zd times (%zd K), remains %zd (%zd K) max %zd M\n",
Ptr - sizeof(ReservedAddressRange)); NumberOfAllocs, AllocatedBytes >> 10, NumberOfFrees,
} FreedBytes >> 10, NumberOfAllocs - NumberOfFrees,
ReservedAddressRange *getReservedAddressRange(const void *Ptr) { (AllocatedBytes - FreedBytes) >> 10, LargestSize >> 20);
return getReservedAddressRange(reinterpret_cast<uptr>(Ptr));
} }
static constexpr uptr AlignedReservedAddressRangeSize = private:
RoundUpTo(sizeof(ReservedAddressRange), MinAlignment);
static constexpr uptr HeadersSize = static constexpr uptr HeadersSize =
AlignedReservedAddressRangeSize + Chunk::getHeaderSize(); LargeChunk::getHeaderSize() + Chunk::getHeaderSize();
uptr PageSizeCached;
SpinMutex StatsMutex; SpinMutex StatsMutex;
u32 NumberOfAllocs;
u32 NumberOfFrees;
uptr AllocatedBytes;
uptr FreedBytes;
uptr LargestSize;
}; };
#endif // SCUDO_ALLOCATOR_SECONDARY_H_ #endif // SCUDO_ALLOCATOR_SECONDARY_H_