Chromium Code Reviews Chromium Code Reviews
Issue 2870213002:
Update the PartitionAlloc documentation. (Closed)
| OLD | NEW |
|---|---|
| 1 # PartitionAlloc Design | 1 # PartitionAlloc Design |
| 2 | 2 |
| 3 This document explains a high-level design of PartitionAlloc. | 3 This document describes PartitionAlloc at a high level. For documentation about |
| 4 If you're interested in its in-depth implementation, see comments | 4 its implementation, see the comments in `partition_alloc.h`. |
| 5 in partition_alloc.h. | |
| 6 | 5 |
| 7 [TOC] | 6 [TOC] |
| 8 | 7 |
| 9 ## Overview | 8 ## Overview |
| 10 | 9 |
| 11 PartitionAlloc is a memory allocator optimized for performance and security | 10 PartitionAlloc is a memory allocator optimized for security, low allocation |
| 12 in Blink. All objects in Blink are expected to be allocated with | 11 latency (when called appropriately), and good space efficiency (when called |
| 13 PartitionAlloc or Oilpan (but not yet done). | 12 appropriately). This document aims to help you understand how PartitionAlloc |
| 13 works so that you can use it effectively. | |
| 14 | 14 |
| 15 ## Partitions and buckets | 15 ## Partitions And Buckets |
|
haraken
2017/05/10 01:02:20
Add the following points somewhere:
- The virtual
Chris Palmer
2017/05/10 23:45:43
Added these notes under ## Performance.
| |
| 16 | 16 |
| 17 PartitionAlloc has three partitions. A partition is a heap that contains | 17 A *partition* is a heap that contains certain object types, objects of certain |
| 18 certain types of objects. Specifically, PartitionAlloc allocates objects | 18 sizes, or objects of a certain lifetime (as the caller prefers). Callers can |
| 19 on either of the following three partitions depending on their types: | 19 create as many partitions as they need. Each partition is separate and protected |
| 20 from any other partitions. | |
| 20 | 21 |
| 21 * LayoutObject partition: A partition to allocate LayoutObjects. | 22 Each partition holds multiple buckets. A *bucket* is a region in a partition |
| 23 that contains similar-sized objects. | |
| 22 | 24 |
| 23 * Buffer partition: A partition to allocate objects that have a strong risk | 25 PartitionAlloc aligns each object allocation with the closest bucket size. For |
| 24 that the length and/or the contents are exploited by user scripts. | 26 example, if a partition has 3 buckets for 64 bytes, 256 bytes, and 1024 bytes, |
| 25 Specifically, Vectors, HashTables, ArrayBufferContents and Strings are | 27 then PartitionAlloc will satisfy an allocation request for 128 bytes by rounding |
| 26 allocated on the Buffer partition. | 28 it up to 256 bytes and allocating from the second bucket. |
| 27 | 29 |
| 28 * FastMalloc partition: A partition to allocate all other objects. | 30 The special allocator class `template <size_t N> class |
| 29 Objects marked with USING_FAST_MALLOC are allocated on the FastMalloc partition. | 31 SizeSpecificPartitionAllocator` will satisfy allocations only of size |
| 32 `kMaxAllocation = N - kAllocationGranularity` or less, and contains buckets for | |
| 33 all `n * kAllocationGranularity` (n = 1, 2, ..., `kMaxAllocation`). Attempts to | |
| 34 allocate more than `kMaxAllocation` will fail. | |
| 30 | 35 |
| 31 Each partition holds multiple buckets. A bucket is a region in a partition | 36 ## Performance |
|
haraken
2017/05/10 01:02:20
Also explicitly mention that the current Partition
Chris Palmer
2017/05/10 23:45:43
Done.
| |
| 32 that contains similar-sized objects. Each object allocation must be aligned | |
| 33 with the closest bucket size. For example, if a partition has three buckets | |
| 34 for 64 bytes, 256 bytes and 1024 bytes, then an object of 128 bytes is | |
| 35 rounded up to 256 bytes and allocated on the second bucket. | |
| 36 | 37 |
| 37 The LayoutObject partition has buckets for all N * sizeof(void*) (N = 1, 2, ..., N_max). | 38 PartitionAlloc is designed to be extremely fast in its fast paths. The fast |
| 38 This means that no extra padding is needed to allocate a LayoutObject object. | 39 paths of allocation and deallocation require just 2 (reasonably predictable) |
| 39 Different sizes of LayoutObjects are allocated in different buckets. | 40 branches. The number of operations in the fast paths is minimal, leading to the |
| 41 possibility of inlining. | |
| 40 | 42 |
| 41 The Buffer partition and the FastMalloc partition have many buckets. | 43 For an example of how to use partitions to get good performance and good safety, |
| 42 They support any arbitrary size of allocations but padding may be added | 44 see Blink's usage, as described in `wtf/allocator/Allocator.md`. |
| 43 to align the allocation with the closest bucket size. The bucket sizes are | |
| 44 chosen to keep the worst-case memory overhead less than 10%. | |
| 45 | 45 |
| 46 Large allocations (> 1 MB) are realized by direct memory mmapping. | 46 Large allocations (> 1 MB) are realized by direct memory mmapping. |
| 47 | 47 |
| 48 ## Performance | 48 `PartitionAllocGeneric` acquires a lock for thread safety. (The current |
| 49 implementation uses a spin lock on the assumption that thread contention will be | |
| 50 rare in its callers. The original caller was Blink, where this is generally | |
| 51 true. Spin locks also have the benefit of simplicity.) | |
| 49 | 52 |
| 50 PartitionAlloc doesn't acquire a lock when allocating on the LayoutObject | 53 Callers can get lock-free performance using a `SizeSpecificPartitionAllocator` |
|
haraken
2017/05/10 01:02:20
"lock-free" is a bit confusing. It normally means
Chris Palmer
2017/05/10 23:45:43
Done.
| |
| 51 partition, because it's guaranteed that LayoutObjects are allocated | 54 or otherwise using `PartitionAlloc` (instead of `PartitionAllocGeneric`). |
| 52 only by the main thread. | 55 Callers can also arrange for low contention, such as by using a dedicated |
| 53 | 56 partition for single-threaded, latency-critical allocations. |
| 54 PartitionAlloc acquires a lock when allocating on the Buffer partition and | |
| 55 the FastMalloc partition. PartitionAlloc uses a spin lock because thread content ion | |
| 56 would be rare in Blink. | |
| 57 | |
| 58 PartitionAlloc is designed to be extremely fast in fast paths. Just two | |
| 59 (reasonably predictable) branches are required for the fast paths of an | |
| 60 allocation and deallocation. The number of operations in the fast paths | |
| 61 is minimized, leading to the possibility of inlining. | |
| 62 | |
| 63 Having a dedicated partition for LayoutObjects is helpful to improve cache | |
| 64 locality and thus help improve performance. | |
| 65 | 57 |
| 66 ## Security | 58 ## Security |
| 67 | 59 |
| 68 Security is one of the most important goals of PartitionAlloc. | 60 Security is one of the most important goals of PartitionAlloc. |
| 69 | 61 |
| 70 Different partitions are guaranteed to exist in separate address spaces. | 62 PartitionAlloc guarantees that different partitions exist in different regions |
| 71 When objects contained in a page in a partition are all freed, | 63 of the process' address space. When the caller has freed all objects contained |
| 72 the physical memory is returned to the system but the address space | 64 in a page in a partition, PartitionAlloc returns the physical memory to the |
| 73 remains reserved. The address space may be reused later only for the partition. | 65 operating system, but continues to reserve the region of address space. |
| 74 Remember that PartitionAlloc puts LayoutObjects into a dedicated partition. | 66 PartitionAlloc will only reuse an address space region for the same partition. |
| 75 This is because LayoutObjects are likely to be a source of use-after-free. | |
| 76 Similarly, PartitionAlloc puts Strings, Vectors etc into the Buffer partition | |
| 77 because the length and/or contents may be exploited by user scripts. | |
| 78 This means that PartitionAlloc greedily uses virtual address spaces in favor of | |
| 79 security hardening. | |
| 80 | 67 |
| 81 Also the following security properties are provided: | 68 PartitionAlloc also guarantees that: |
| 82 | 69 |
| 83 * Linear overflows cannot corrupt into the partition. | 70 * Linear overflows cannot corrupt into the partition. (There is a guard page at |
| 71 the beginning of each partition.) | |
| 84 | 72 |
| 85 * Linear overflows cannot corrupt out of the partition. | 73 * Linear overflows cannot corrupt out of the partition. (There is a guard page |
| 74 at the end of each partition.) | |
| 86 | 75 |
| 87 * Metadata is recorded in a dedicated region (not next to each object). | 76 * Linear overflow or underflow cannot corrupt the allocation metadata. |
| 88 Linear overflow or underflow cannot corrupt the metadata. | 77 PartitionAlloc records metadata in a dedicated region out-of-line (not adjacent |
| 78 to objects). | |
| 89 | 79 |
| 90 * Buckets are helpful to allocate different-sized objects on different addresses . | 80 * Objects of different sizes will likely be allocated in different buckets, and |
| 91 One page can contain only similar-sized objects. | 81 hence at different addresses. One page can contain only similar-sized objects. |
| 92 | 82 |
| 93 * Dereference of a freelist pointer should fault. | 83 * Dereference of a freelist pointer should fault. |
| 94 | 84 |
| 95 * Partial pointer overwrite of freelist pointer should fault. | 85 * Partial pointer overwrite of freelist pointer should fault. |
| 96 | 86 |
| 97 * Large allocations are guard-paged at the beginning and end. | 87 * Large allocations have guard pages at the beginning and end. |
| OLD | NEW |
