Why all these stuff needs to be static?

@vitalybuka Because the allocators don't receive an instance of RemoteAddressSpaceView, they receive the type as a template parameter (e.g. SizeClassAllocator64). This design choice means that everything in an implementation of the AddressSpaceView interface (i.e. LocalAddressSpaceView and RemoteAddressSpaceView) needs to be static.

To implement RemoteAddressSpaceView we have to store some state. All of this state and the read operations are encapsulated in the VMReadContext object. We cannot store any of this state inside the allocators because that could change the data-layout.

This design is not thread-safe of course but for allocator enumeration on Darwin will only ever be doing that in a single thread anyway.

Can you add some CHECKs validate this single thread assumption?

could you please init these inline?

struct -> class

maybe nested: ScopedRemoteAddressSpaceViewContext -> RemoteAddressSpaceView::ScopedContest
and make RemoteAddressSpaceView::set_context private

class and
private:

VMReadContext vmrc_;

Just define "typedef int ProcessHandle;" and remove process_vm_read_handle_t
On other platforms it does not matter, and we will add more specific type if needed later.

historically sanitizer common uses Google C++ naming convention so members need to have _ suffux.

Please remove all stuff you are not using in upcoming patches.
When can extend API when needed

If you can calculate it from target_process please remove member and simplify state

As I understand we do not expect a lot of context callers
so let remove default "writable = true" and make calls more verbose

Remove it if you don't use it.
I'd expected ScopedContext is the why to reset it.

Just remove it. You'll add it when needed

LocalAddressSpaceView is a struct. Making RemoteAddressSpaceView be a class seems inconsistent. Why do you want to make this change?

Can you add some CHECKs validate this single thread assumption?

@vitalybuka

I don't see an easy way to do this because this code will be used in a context where there is no ThreadRegistry and there is no interception on pthread_create and other thread functions. I also couldn't see a non-asan specific (e.g. I found AsanThread* GetCurrentThread()) API to use because this code will be common to all sanitizers.

There are also examples of existing code that don't check the single thread assumption. E.g. from lib/asan/asan_thread.cc

ThreadRegistry &asanThreadRegistry() {
  static bool initialized;
  // Don't worry about thread_safety - this should be called when there is
  // a single thread.
...

I'm not against adding some sort of check to validate the single thread assumption but I need more guidance on how to do this using the available sanitizer internal APIs.

maybe nested: ScopedRemoteAddressSpaceViewContext -> RemoteAddressSpaceView::ScopedContest

and make RemoteAddressSpaceView::set_context private

That's a great idea. I'll do that.

Apart from that fact that it needs to be unsigned on Darwin. I'm not super comfortable doing that because the declaration of __sanitizer::process_vm_read_handle_t in sanitizer_internal_defs.h allows to detect if the system declaration of task_t disagrees with the Sanitizer runtimes type. This is because on Darwin we include system headers that do define the task_t type.

Yes. I'll do that.

I'll try to fix that.

I'll have a look through my out-of-tree implementation and see what I can remove.

Sure.

Reset() gets called if the read call fails. Although I've just realised that's actually inconsistent with the API comments. I'll fix that.

By "it" I presume you mean that writable argument?

But if I do that, how far up the stack should I go? Taken to the extreme that means reverting what was landed in https://reviews.llvm.org/D54879 . I really don't want to do that because the distinction between writable and read-only access is likely important.

We cannot calculate it. It needs to be part of the sate.

I've removed several fields/methods from this patch that weren't being used in my internal implementation.

Historically sanitizers follow google c++ style and class is more appropriate here
https://google.github.io/styleguide/cppguide.html#Structs_vs._Classes

as well for LocalAddressSpaceView

what about saving GetTid() on the first call of set_context()
then check that saved id matches GetTid() for all subsequent calls to
set_context()
get_context()
Load*()

I assume this is not going to be main thread?

same for class

please init target_process_ to something target_process_ as well

empty live between define and include

then just define process_vm_read_handle_t as task_t in sanitizer_internal_defs for Darwin?

why copying is not acceptable?

We cannot calculate it. It needs to be part of the sate.

I read this as:

bool IsLocal() const {
  return config_ == nullptr || mach_task_self() == target_process_;
}

can you remove "config" argument and just initialize config_ to darwin specific stuff here?

if we keep it please remove {} for consistency

It still looks like better to split Read and ReadWriteble when we have different implementation for them.
So If you have/expect such patch quite soon, then fine, let's keep it. If this is just expectation that some-when in undefined future we will likely need to spit them, then I'd prefer we split when it's actually necessary.

why do we need config_?
from here looks like you expect a particular function
could you call it directly here?

Not doing inline initialisation here is deliberate. The type is platform specific so we might not be able to initialise it using an int. This is why the platform specific constructors do the initialisation.

Technically we could initialise to 0 now because task_t happens to be a typedef for unsigned on Darwin but this might not work for other platforms in the future.

Because a VMReadContext object is supposed to manage the lifetime of memory it copies from another. The implementation might hold data structures to manage this memory and so copying a VMReadContext object is almost certainly a mistake.

For the Darwin implementation VMReadContext delegates this task to a Darwin specific framework that guarantees the lifetime of the copied memory will be longer than its client (VMReadContext). So technically nothing would go wrong right now if the VMReadContext copy constructor was called. However calling the VMReadContext is almost certainly a mistake and so it should be disallowed.

bool IsLocal() const {
 return config_ == nullptr || mach_task_self() == target_process_;
}

Oh I see. I thought you where talking about GetTargetProcess(). However in this latest revision IsLocal() has actually been removed because my internal implementation never called it.

I can probably bring it back though.

No. On Darwin config is a function pointer but on other platforms it can be anything (that's why it has type void*) that's needed to get access to the target process's memory. The config argument must be there to provide a consistent and flexible interface on all platforms.

There is no special function we can call from inside VMReadContext to get the function pointer. The client creating the VMReadContext on Darwin knows the value of the pointer and must pass it in.

Ok. I'll fix this.

No we cannot. It must be passed in via the VMReadContext constructor.

Fixed.

Fixed.

I've brought the implementation back and removed the is_local_ field.

Done.

I tried doing this in my internal implementation. It breaks compilation because sanitizer_internal_defs gets included very early and task_t at that point is not defined. Let's just keep it.

Using the read-only/writable information will land much later so I'm going to remove passing this information to VMReadContext.

Okay I've added the thread check. I don't know if this code will be called on the main thread or not. Presumably that's irrelevant here?

includes are not ordered

Why did you obfuscate context type?
There is not point in atomic if you are going to use single thread
maybe OK for owning_tid_ but we will crash immediately if this does not match

probably you should check if owning_tid_ is already set that they match

Please avoid reinterpret_cast, just return VMReadContext* as member

Maybe platform specific invalid_vm_read_handle near process_vm_read_handle_t?
also process_vm_read_handle_t is too specific, why not just some task_id?

"operator=" ?

(void*) -> reinterpret_cast<>

Instead of void* can you make it function pointer?
With type similar to memory_reader_t
If you make memory_reader_t return bool and handle error there, the only platform specific part of VMReadContext will be the callback.

also config_ -> native_reader_;

Oops. Good catch. Fixed.

Originally I did that because I was going to make this a DCHECK and I didn't want it to be possible for the pointer to change non-atomically. You're right though. Now that the CHECK happens in all builds I should just use VMContext*.

I've fixed this now.

That would require that I guarantee that owning_tid is 0 initially (i.e. before RemoteAddressSpaceView is ever used). I think this might already be the case because atomic_uint64_t RemoteAddressSpaceView::owning_tid is a global but I wasn't 100% sure. I wasn't sure how I was supposed to write an initializer for the global in sanitizer_remote_address_space_view.cc so I just left it out.

If we can confidently assume that owning_tid_ is zero initialized then I'll add the check.

I've gone ahead and made the fix. Seems to work.

That would also be bad. I've deleted that and also the move variants.

Fixed.

Instead of void* can you make it function pointer?
With type similar to memory_reader_t
If you make memory_reader_t return bool and handle error there, the only platform specific part of VMReadContext will be the callback.

I could but I'm strongly against that because.

• A function pointer isn't great. It can't hold any state. Even in Darwin's case I'd have to write a wrapper function that implements the callback interface. That function needs to know the address of the actual function to call. So the callback would need to be able to receive arbitrary data (i.e. passing a void*) so I could pass that address.
• Having a function pointer encourages implementations to actually live outside of VMReadContext. This is the opposite of what VMReadContext() tries to do -- Hide as much platform specific behaviour as possible inside VMReadContext. It is a Darwin specific implementation detail that we have to pass a function pointer to VMReadContext, other platforms should not be forced to do that in-order to write their implementations. They should be able to pass whatever makes sense for their platform.
• On other platforms the interface may need to work differently. More parameters might need to be passed to the reader. In this case the void* would be a pointer to a struct containing the extra data needed by the platform.
• It ties the design of VMReadContext very closely to Darwin's memory_reader_t.

Besides, I could probably achieve the non-platform specific error handling simplify by refactoring Read(...) into the platform agnostic part Read(...) and the platform specific part ReadImpl(...).

I think we could clean up the interface in a better way. Instead of a void* argument to the constructor it could be

VMReadContextConfig* which would be

class VMReadContextConfig {
   public:
    __sanitizer::process_vm_read_handle_t target_process;
};

Then other platforms could sub-class this and add their own platform specific fields. For Darwin we'd add a function pointer field so that the Darwin specific function pointer can be passed.

That way

• At most one argument needs to be passed VMReadContext
• It allows for platform specific implementations in a way that's slightly more type safe than void*.
• We can pass arbitrary data to be passed to VMReadContext.
  
  We don't have RTTI or LLVM's dyn_cast so we would have to statically cast inside each implementation to the expected VMReadContextConfig sub-class.

Please return )

So data race is possible when one thread is releasing context and another is setting.
For simplicity I think you should never reset owning_tid_
As soon as one thread used it, no other allowed to interact with that.

Otherwise we need to design proper synchronization which is inconvenient with all these statics. E.g. as soon someone called Load and saved returned pointer
we will need to make sure that caller release the pointers before letting other threads to interact with context.

And maybe it's not bad idea. But you have option to go with "never reset owning_tid_" now and switch to Load/Unload with mutexes later, when needed.

Nothing prevents one thread to create ScopedContext and another thread to do LoadWritable. We need to check owning_tid_ in Load and LoadWritable

: vmrc() is not needed

Maybe platform specific invalid_vm_read_handle near process_vm_read_handle_t?
also process_vm_read_handle_t is too specific, why not just some task_id?

I still think you should remove process_vm_read_handle_t from sanitizer_internal_defs.h and just define it in the Context. u64 everywhere, like for tid_t, is good enough for me.

So data race is possible when one thread is releasing context and another is setting.
For simplicity I think you should never reset owning_tid_
As soon as one thread used it, no other allowed to interact with that.

I'm fine with that. Currently RemoteAddressSpaceView should only be used within a single-thread.

I'll update the patch as you suggest.

Did I miss something? Won't the CHECK_EQ(atomic_load_relaxed(&owning_tid_), current_tid) fire inside get_context() fire due to LoadWritable() or Load() eventually triggering a call to get_context()?

@vitalybuka I had a go at adding VMReadContextConfig (see the header file below). The advantage of this is I'm able to pull the definition of task_t out of sanitizer_internal_defs.h and make the constructor of VMReadContextConfig a little nicer by not having it take a void*.