[Tracing] Add hook to PartitionAlloc for heap profiling

third_party/WebKit/Source/wtf/PartitionAlloc.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 393 matching lines @@
 WTF_EXPORT void partitionPurgeMemory(PartitionRoot*, int);
 WTF_EXPORT void partitionPurgeMemoryGeneric(PartitionRootGeneric*, int);
 
 WTF_EXPORT NEVER_INLINE void* partitionAllocSlowPath(PartitionRootBase*, int, size_t, PartitionBucket*);
 WTF_EXPORT NEVER_INLINE void partitionFreeSlowPath(PartitionPage*);
 WTF_EXPORT NEVER_INLINE void* partitionReallocGeneric(PartitionRootGeneric*, void*, size_t);
 
 WTF_EXPORT void partitionDumpStats(PartitionRoot*, const char* partitionName, bool isLightDump, PartitionStatsDumper*);
 WTF_EXPORT void partitionDumpStatsGeneric(PartitionRootGeneric*, const char* partitionName, bool isLightDump, PartitionStatsDumper*);
 
+class WTF_EXPORT PartitionAllocHooks {
+public:
+    typedef void AllocationHook(void* address, size_t);
+    typedef void FreeHook(void* address);
+
+    static void setAllocationHook(AllocationHook* hook) { m_allocationHook = hook; }
+    static void setFreeHook(FreeHook* hook) { m_freeHook = hook; }
+
+    static void maybeInvokeAllocationHook(void* address, size_t size)

[haraken, 2015/10/20 00:14:19]

I'd rename maybeInvokeAllocationHook() to allocationHook(), simply. Or
allocationHookIfEnabled().

[Ruud van Asseldonk, 2015/10/20 11:43:57]

Done.

+    {
+        AllocationHook* hook = m_allocationHook;

[Primiano Tucci (use gerrit), 2015/10/19 21:32:03]

probably a bit more readable if you s/hook/allocationHook/
same below

[Ruud van Asseldonk, 2015/10/20 11:43:57]

Done.

+        if (UNLIKELY(hook != nullptr))

[bashi, 2015/10/20 00:33:49]

nit: UNLIKELY(hook).

We don't use ptr != nullptr in blink (not sure this is still a preferred style
though)

BTW, do you have any idea whether this branch would have negative impact on
performance when tracing is disabled? My guess is that this doesn't cause
performance regression, but not sure.

[Ruud van Asseldonk, 2015/10/20 11:43:57]

This is because |UNLIKELY(ptr)| expands to |__builtin_expect(ptr, 0)| which
makes the compiler complain about initializing a parameter of type |long| with a
pointer. I could replace it with |UNLIKELY(!!ptr)| if you like.
I found no significant performance impact, see https://crbug.com/530502. I'll
wait a few days before landing anything that depends on this CL, so if a
regression is detected after all this CL can be reverted cleanly.

+            hook(address, size);
+    }
+
+    static void maybeInvokeFreeHook(void* address)
+    {
+        FreeHook* hook = m_freeHook;
+        if (UNLIKELY(hook != nullptr))
+            hook(address);
+    }
+
+    static void maybeInvokeReallocationHook(void* oldAddress, void* newAddress, size_t size)

[haraken, 2015/10/20 00:14:19]

You won't need this method if you insert the allocation/free hooks to
partitionAlloc/partitionFree. See my comment below.

[Ruud van Asseldonk, 2015/10/20 11:43:57]

Wouldn't I still need it for |partitionReallocGeneric|?

+    {
+        // Report a reallocation as a free followed by an allocation.
+        AllocationHook* allocHook = m_allocationHook;
+        FreeHook* freeHook = m_freeHook;
+        if (UNLIKELY(allocHook && freeHook)) {
+            freeHook(oldAddress);
+            allocHook(newAddress, size);
+        }
+    }
+
+private:
+    // Pointers to hook functions that PartitionAlloc will call on allocation and
+    // free if the pointers are non-null.
+    static AllocationHook* m_allocationHook;
+    static FreeHook* m_freeHook;
+};
+
 ALWAYS_INLINE PartitionFreelistEntry* partitionFreelistMask(PartitionFreelistEntry* ptr)
 {
     // We use bswap on little endian as a fast mask for two reasons:
     // 1) If an object is freed and its vtable used where the attacker doesn't
     // get the chance to run allocations between the free and use, the vtable
     // dereference is likely to fault.
     // 2) If the attacker has a linear buffer overflow and elects to try and
     // corrupt a freelist pointer, partial pointer overwrite attacks are
     // thwarted.
     // For big endian, similar guarantees are arrived at with a negation.
@@ skipping 182 matching lines @@
         slotSize = rawSize;
     }
     size_t noCookieSize = partitionCookieSizeAdjustSubtract(slotSize);
     char* charRet = static_cast<char*>(ret);
     // The value given to the application is actually just after the cookie.
     ret = charRet + kCookieSize;
     memset(ret, kUninitializedByte, noCookieSize);
     partitionCookieWriteValue(charRet);
     partitionCookieWriteValue(charRet + kCookieSize + noCookieSize);
 #endif
+
+    PartitionAllocHooks::maybeInvokeAllocationHook(ret, size);

[haraken, 2015/10/20 00:14:19]

You need to insert the allocation hook to partitionDirectMap() as well.

[haraken, 2015/10/20 00:14:19]

And you need to insert the allocation hook to
partitionPageAllocAndFillFreelist() as well...

+
     return ret;
 }
 
 ALWAYS_INLINE void* partitionAlloc(PartitionRoot* root, size_t size)
 {
 #if defined(MEMORY_TOOL_REPLACES_ALLOCATOR)
     void* result = malloc(size);
     RELEASE_ASSERT(result);
     return result;
 #else
@@ skipping 12 matching lines @@
     // If these asserts fire, you probably corrupted memory.
 #if ENABLE(ASSERT)
     size_t slotSize = page->bucket->slotSize;
     size_t rawSize = partitionPageGetRawSize(page);
     if (rawSize)
         slotSize = rawSize;
     partitionCookieCheckValue(ptr);
     partitionCookieCheckValue(reinterpret_cast<char*>(ptr) + slotSize - kCookieSize);
     memset(ptr, kFreedByte, slotSize);
 #endif
+
+    PartitionAllocHooks::maybeInvokeFreeHook(ptr);

[haraken, 2015/10/20 00:14:19]

You need to insert the free hook to partitionDirectUnmap() as well.

OK, now I realized that it's not a good idea to insert the hooks to the places
where we actually allocate/free objects. Alternatively, we can insert the hooks
to PartitionAlloc's allocation/free APIs. In other words, you can insert the
hooks to
partitionAlloc/partitionFree/partitionAllocGeneric/partitionFreeGeneric.

[Ruud van Asseldonk, 2015/10/20 11:43:57]

That makes sense. Fixed. What about |partitionReallocGeneric|?

+
     ASSERT(page->numAllocatedSlots);
     PartitionFreelistEntry* freelistHead = page->freelistHead;
     ASSERT(!freelistHead || partitionPointerIsValid(freelistHead));
     RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(ptr != freelistHead); // Catches an immediate double free.
     ASSERT_WITH_SECURITY_IMPLICATION(!freelistHead || ptr != partitionFreelistMask(freelistHead->next)); // Look for double free one level deeper in debug.
     PartitionFreelistEntry* entry = static_cast<PartitionFreelistEntry*>(ptr);
     entry->next = partitionFreelistMask(freelistHead);
     page->freelistHead = entry;
     --page->numAllocatedSlots;
     if (UNLIKELY(page->numAllocatedSlots <= 0)) {
@@ skipping 156 matching lines @@
 using WTF::partitionAlloc;
 using WTF::partitionFree;
 using WTF::partitionAllocGeneric;
 using WTF::partitionFreeGeneric;
 using WTF::partitionReallocGeneric;
 using WTF::partitionAllocActualSize;
 using WTF::partitionAllocSupportsGetSize;
 using WTF::partitionAllocGetSize;
 
 #endif // WTF_PartitionAlloc_h