base/allocator/allocator_shim.cc - Issue 1675143004: Allocator shim skeleton + Linux impl behind a build flag

Side by Side Diff: base/allocator/allocator_shim.cc

Issue 1675143004: Allocator shim skeleton + Linux impl behind a build flag (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@shim_exp_flag

Patch Set: rebase Created 4 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« base/allocator/allocator_shim.h ('K') | « base/allocator/allocator_shim.h ('k') | base/allocator/allocator_shim_default_dispatch_to_glibc.cc » ('j') | base/allocator/allocator_shim_default_dispatch_to_glibc.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright 2016 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "base/allocator/allocator_shim.h"

	6

	7 #include <errno.h>

	8 #include <unistd.h>

	9

	10 #include <new>

	11

	12 #include "base/atomicops.h"

	13 #include "base/logging.h"

	14 #include "base/macros.h"

	15 #include "base/threading/platform_thread.h"

	16 #include "build/build_config.h"

	17

	18 // No calls to malloc / new in this file. They would would cause re-entrancy of

	19 // the shim, which is hard to deal with. Keep this code as simple as possible

	20 // and don't use any external C++ object here, not even //base ones. Even if

	21 // they are safe to use today, in future they might be refactored.

	22

	23 namespace {

	24

	25 using namespace base;

	26

	27 const allocator::AllocatorDispatch* volatile g_chain_head =
	Nico 2016/03/08 03:08:42 why volatile? should this be an atomicptr? why volatile? should this be an atomicptr? Primiano Tucci (use gerrit) 2016/03/08 20:54:05 Removed volatile and switched to AtomicWord after Removed volatile and switched to AtomicWord after lot of thoughts. Here's the braindump. I originally wrote the reply below because I was convinced I still needed volatile. By the time I reached the end I changed my mind (in essence: this is my rationale. If you don't like I have another, better, one :P): On 2016/03/08 03:08:42, Nico wrote: Show quoted text > why volatile? Now, this is the real reason why I waited for a compiler-master-of-puppets on this cl :-) So my rationale for the volatile here is: - InsertAllocationDispatch is, by design, guaranteed to be called on the same thread, so I don't have to worry about races on insertion (good). - However, I want to guarantee that when you InsertAllocationDispatch from thread X, thread Y does always see the sequence of [update next pointer, update chain head] in this order, as that guarantees that Y either sees the old chain head, or the new chain head properly setup. Now I am convinced that from an OOO execution viewpoint, the MemoryBarrier in InsertAllocatorDispatch is enough (The dispatch functions are supposed to be static and indefinitely-lived anyways, so I don't think I need any happens-before semantic w.r.t. the Insert). However, I don't know if the compiler can do some unexpected optimization when accessing g_chain_head. Not even sure which optimizations we are talking about, but in my naive mind, volatile is a way to tell the compiler "mind your business with this var". Show quoted text > should this be an atomicptr? Hmm is your suggestion that this should be volatile AND atomicptr, or atomicptr should be enough. I speculated on the fact that on all architectures we care about, writing a pointer word is intrinstically atomic. But now that you let me think more about this, you are right, I should have used AtomicWord (where NoBarrier_Load/Store really end up just dereferencing a pointer anyways IIRC). My question on volatile still remains though. Having established this should be AtomicWord, should this be Atomic AND volatile, or am I over-worrying about the volatile part? Edit 1h later: just looked at the code and it seems that NoBarrier_Load/Store have volatile in the signature, so I believe that having this switched to AtomicPtr catches three birds with a stone: - I don't have to speculate anymore about r/w ptr-size being intrinsically atomic. - I think I don't need a volatile anymore at this point. - I have the unique opportunity to make a nerdy pun with birds and volatile :-) <img src="self_high_five.gif">
	28 &allocator::AllocatorDispatch::default_dispatch;

	29

	30 bool g_call_new_handler_on_malloc_failure = false;

	31 subtle::Atomic32 g_new_handler_lock = 0;

	32

	33 // In theory this should be just base::ThreadChecker. But we can't afford

	34 // the luxury of a LazyInstance<ThreadChecker> here as it would cause a new().

	35 bool CalledOnValidThread() {

	36 static PlatformThreadId thread_id = kInvalidThreadId;

	37 if (thread_id == kInvalidThreadId)
	Nico 2016/03/08 03:08:42 This looks racy for the first few calls. Does it m This looks racy for the first few calls. Does it matter? Primiano Tucci (use gerrit) 2016/03/08 20:54:05 Oh you are right. fail. I made a new version using Show quoted text On 2016/03/08 03:08:42, Nico wrote: > This looks racy for the first few calls. Does it matter? Oh you are right. fail. I made a new version using a CAS, which if I am reasoning correctly, should guarantee that in case of a race one of the two threads will hit the DCHECK. P.S. If my reasoning is correct, we should probably benchmark and update thread_checker_impl.cc. I suspect a single CAS is more efficient than a lock acquire + release as in thread_checker_impl.cc, but right now have no data to back this hypothesis. In my case I really don't have alternatives as I can't afford a base::Lock here :) but maybe we just found a way to make debug builds slightly faster.
	38 thread_id = PlatformThread::CurrentId();

	39 return thread_id == PlatformThread::CurrentId();

	40 }

	41

	42 inline size_t GetPageSize() {

	43 static size_t pagesize = 0;

	44 if (!pagesize)

	45 pagesize = sysconf(_SC_PAGESIZE);

	46 return pagesize;

	47 }

	48

	49 // Calls the std::new handler thread-safely. Returns true if a new_handler was

	50 // set and called, false if no new_handler was set.

	51 bool CallNewHandler() {

	52 // TODO(primiano): C++11 has introduced ::get_new_handler() which is supposed

	53 // to be thread safe and would avoid the spinlock boilerplate here. However

	54 // it doesn't seem to be available yet in the Linux chroot headers yet.

	55 std::new_handler nh;

	56 {

	57 while (subtle::Acquire_CompareAndSwap(&g_new_handler_lock, 0, 1))

	58 PlatformThread::YieldCurrentThread();

	59 nh = std::set_new_handler(0);

	60 ignore_result(std::set_new_handler(nh));

	61 subtle::Release_Store(&g_new_handler_lock, 0);

	62 }

	63 if (!nh)

	64 return false;

	65 (*nh)();

	66 return true; // Assume the new_handler will abort if it fails.
	Nico 2016/03/08 03:08:42 This should probably mention that we don't want ne This should probably mention that we don't want new handlers that throw bad_alloc (no exceptions etc) Primiano Tucci (use gerrit) 2016/03/08 20:54:05 Oh right. (std::new_handler is such an utopistic A Show quoted text On 2016/03/08 03:08:42, Nico wrote: > This should probably mention that we don't want new handlers that throw > bad_alloc (no exceptions etc) Oh right. (std::new_handler is such an utopistic API btw.. "The new-handler function may try to make more storage available" yeahhh)
	67 }

	68

	69 } // namespace

	70

	71 namespace base {

	72 namespace allocator {

	73

	74 void SetCallNewHandlerOnMallocFailure(bool value) {

	75 g_call_new_handler_on_malloc_failure = value;

	76 }

	77

	78 void* UncheckedAlloc(size_t size) {

	79 const allocator::AllocatorDispatch* const chain_head = g_chain_head;

	80 return chain_head->alloc_function(size, chain_head);

	81 }

	82

	83 void InsertAllocatorDispatch(AllocatorDispatch* dispatch) {

	84 // Ensure this is always called on the same thread.

	85 DCHECK(CalledOnValidThread());

	86

	87 dispatch->next = g_chain_head;

	88

	89 // This function does not guarantee to be thread-safe w.r.t. concurrent

	90 // insertions, but still has to guarantee that all the threads always

	91 // see a consistent chain, hence the MemoryBarrier() below.

	92 // InsertAllocatorDispatch() is NOT a fastpath, as opposite to malloc(), so

	93 // we don't really want this to be a release-store with a corresponding

	94 // acquire-load during malloc().

	95 base::subtle::MemoryBarrier();

	96

	97 g_chain_head = dispatch;

	98 }

	99

	100 } // namespace allocator

	101 } // namespace base

	102

	103 // THe Shim* functions below are the entry-points into the shim-layer and
	Nico 2016/03/08 03:08:42 s/THe/The/ s/THe/The/ Primiano Tucci (use gerrit) 2016/03/08 20:54:05 Done. Show quoted text On 2016/03/08 03:08:42, Nico wrote: > s/THe/The/ Done.
	104 // are supposed to be invoked / aliased by the allocator_shim_override_*

	105 // headers to route the malloc / new symbols through the shim layer.

	106 extern "C" {

	107

	108 // The general pattern for allocations is:

	109 // - Try to allocate, if succeded return the pointer.

	110 // - If the allocation failed:

	111 // - Call the std::new_handler if it was a C++ allocation.

	112 // - Call the std::new_handler if it was a malloc() (or calloc() or similar)

	113 // AND SetCallNewHandlerOnMallocFailure(true).

	114 // - If the std::new_handler is NOT set just return nullptr.

	115 // - If the std::new_handler is set:

	116 // - Assume it will abort() if it fails (very likely the new_handler will

	117 // just suicide priting a message).

	118 // - Assume it did succeed if it returns, in which case reattempt the alloc.

	119

	120 void* ShimCppNew(size_t size) {

	121 const allocator::AllocatorDispatch* const chain_head = g_chain_head;

	122 void* ptr;

	123 do {

	124 ptr = chain_head->alloc_function(size, chain_head);

	125 } while (!ptr && CallNewHandler());
	Nico 2016/03/08 03:08:42 Do we currently have new handlers that try to free Do we currently have new handlers that try to free up memory and then call again? Is this loop really needed? Primiano Tucci (use gerrit) 2016/03/08 20:54:05 both tcmalloc [1] and the win_shim [2] do this. I Show quoted text On 2016/03/08 03:08:42, Nico wrote: > Do we currently have new handlers that try to free up memory and then call > again? Is this loop really needed? both tcmalloc [1] and the win_shim [2] do this. I think the rationale is: in theory a new handler could return true to say "I freed up some memory, trust me, try again and you will get !=nullptr this time, pinky swear" Realistically the handler will just suicide. If that doesn't happen, the most reasonable thing we can do here, to comply both with the utopistic world (new handler will free memory, ha!) API and safety (never return null) is keep looping until some memory becomes available. From a more practical viewpoint, I like to stick the current behavior, regardless of the reason, I feel this CL is adventurous enough :) [1] https://chromium.googlesource.com/chromium/src/+/f7b03f4b26ee936818a896f244d5... [2] https://chromium.googlesource.com/chromium/src/+/f7b03f4b26ee936818a896f244d5...
	126 return ptr;

	127 }

	128

	129 void ShimCppDelete(void* address) {

	130 const allocator::AllocatorDispatch* const chain_head = g_chain_head;

	131 return chain_head->free_function(address, chain_head);

	132 }

	133

	134 void* ShimMalloc(size_t size) {

	135 const allocator::AllocatorDispatch* const chain_head = g_chain_head;

	136 void* ptr;

	137 do {

	138 ptr = chain_head->alloc_function(size, chain_head);

	139 } while (!ptr && g_call_new_handler_on_malloc_failure && CallNewHandler());

	140 return ptr;

	141 }

	142

	143 void* ShimCalloc(size_t n, size_t size) {

	144 const allocator::AllocatorDispatch* const chain_head = g_chain_head;

	145 void* ptr;

	146 do {

	147 ptr = chain_head->alloc_zero_initialized_function(n, size, chain_head);
	Nico 2016/03/08 03:08:42 Since the wrapper is called calloc and the c funct Since the wrapper is called calloc and the c function is called calloc, maybe call the member fn calloc too? (as-is is fine too i suppose; calloc isn't a great name :-P) Primiano Tucci (use gerrit) 2016/03/08 20:54:05 Yeah I think this is mostly driven by: - my long Show quoted text On 2016/03/08 03:08:42, Nico wrote: > Since the wrapper is called calloc and the c function is called calloc, maybe > call the member fn calloc too? (as-is is fine too i suppose; calloc isn't a > great name :-P) Yeah I think this is mostly driven by: - my long standing hate towards calloc (both the name and the silly two-arg signature). - a headache I had while developing this, when I typoed /calloc/alloc/ and had to blur my eyes to figure out the missing c. No strong opinion, can do this change it in the final pathcset once everything is clear. Up to your preference really.
	148 } while (!ptr && g_call_new_handler_on_malloc_failure && CallNewHandler());

	149 return ptr;

	150 }

	151

	152 void* ShimRealloc(void* address, size_t size) {

	153 // realloc(size == 0) means free() and might return a nullptr. We should

	154 // not call the std::new_handler in that case, though.

	155 const allocator::AllocatorDispatch* const chain_head = g_chain_head;

	156 void* ptr;

	157 do {

	158 ptr = chain_head->realloc_function(address, size, chain_head);

	159 } while (!ptr && size && g_call_new_handler_on_malloc_failure &&

	160 CallNewHandler());

	161 return ptr;

	162 }

	163

	164 void* ShimMemalign(size_t alignment, size_t size) {

	165 const allocator::AllocatorDispatch* const chain_head = g_chain_head;

	166 void* ptr;

	167 do {

	168 ptr = chain_head->alloc_aligned_function(alignment, size, chain_head);

	169 } while (!ptr && g_call_new_handler_on_malloc_failure && CallNewHandler());

	170 return ptr;

	171 }

	172

	173 int ShimPosixMemalign(void** res, size_t alignment, size_t size) {

	174 // posix_memalign is supposed to check the arguments. See tc_posix_memalign()

	175 // in tc_malloc.cc.

	176 if (((alignment % sizeof(void*)) != 0) \|\|

	177 ((alignment & (alignment - 1)) != 0) \|\| (alignment == 0)) {

	178 return EINVAL;

	179 }

	180 void* ptr = ShimMemalign(alignment, size);

	181 *res = ptr;

	182 return ptr ? 0 : ENOMEM;

	183 }

	184

	185 void* ShimValloc(size_t size) {

	186 return ShimMemalign(GetPageSize(), size);
	Nico 2016/03/08 03:08:42 If this doesn't call through to valloc, why have t If this doesn't call through to valloc, why have this as part of this interface? do we call valloc anywhere? Primiano Tucci (use gerrit) 2016/03/08 20:54:05 The deal is: we want to expose the full malloc/val Show quoted text On 2016/03/08 03:08:42, Nico wrote: > If this doesn't call through to valloc, why have this as part of this interface? The deal is: we want to expose the full malloc/valloc family as we want to be sure that everything reaches into the same allocator at the end. We don't want to end up in a situation where malloc/free are from tcmalloc, and valloc from libc. However, while we want to expose valloc, there is no need to plumb it all the way through the allocator (read: require that from the final dispatch interface) as valloc can be really implemented on top of memalign. Essentially there is a mismatching between the number of functions we expose to clients (malloc/free/valloc/pvalloc) and the internal functions required from the dispatchers (the AllocatorDispatch interface). The mismatch is: the minimum set of functions (required from the dispatcher) that allows to implement the full malloc/valloc/pvalloc family consistently. Show quoted text > do we call valloc anywhere? Not sure we have it in the codebase, but we have to cover the case of chrome calling a third_party library (e.g. libcups) which calls it, in which case we want that to be still hooked properly.
	187 }

	188

	189 void* ShimPvalloc(size_t size) {

	190 // pvalloc(0) should allocate one page, according to its man page.

	191 if (size == 0) {

	192 size = GetPageSize();

	193 } else {

	194 size = (size + GetPageSize() - 1) & ~(GetPageSize() - 1);

	195 }

	196 return ShimMemalign(GetPageSize(), size);

	197 }

	198

	199 void ShimFree(void* address) {

	200 const allocator::AllocatorDispatch* const chain_head = g_chain_head;

	201 return chain_head->free_function(address, chain_head);

	202 }

	203

	204 } // extern "C"

	205

	206 // Cpp symbols (new / delete) should always be routed through the shim layer.

	207 #include "base/allocator/allocator_shim_override_cpp_symbols.h"

	208

	209 // Ditto for plain malloc() / calloc() / free() etc. symbols.

	210 #include "base/allocator/allocator_shim_override_libc_symbols.h"

	211

	212 // In the case of tcmalloc we also want to plumb into the glibc hooks

	213 // to avoid that allocations made in glibc itself (e.g., strdup()) get

	214 // accidentally performed on the glibc heap instead of the tcmalloc one.

	215 #if defined(USE_TCMALLOC)

	216 #include "base/allocator/allocator_shim_override_glibc_weak_symbols.h"

	217 #endif

	218

	219 // Cross-checks.

	220

	221 #if defined(MEMORY_TOOL_REPLACES_ALLOCATOR)

	222 #error The allocator shim should not be compiled when building for memory tools.

	223 #endif

	224

	225 #if (defined(__GNUC__) && defined(__EXCEPTIONS)) \|\| \

	226 (defined(_HAS_EXCEPTIONS) && _HAS_EXCEPTIONS)

	227 #error This code cannot be used when exceptions are turned on.

	228 #endif

OLD	NEW