| OLD | NEW |
|---|
| 1 # PartitionAlloc Design | 1 # PartitionAlloc Design |
| 2 | 2 |
| 3 This document explains a high-level design of PartitionAlloc. | 3 This document describes PartitionAlloc at a high level. For documentation about |
| 4 If you're interested in its in-depth implementation, see comments | 4 its implementation, see the comments in `partition_alloc.h`. |
| 5 in partition_alloc.h. | |
| 6 | 5 |
| 7 [TOC] | 6 [TOC] |
| 8 | 7 |
| 9 ## Overview | 8 ## Overview |
| 10 | 9 |
| 11 PartitionAlloc is a memory allocator optimized for performance and security | 10 PartitionAlloc is a memory allocator optimized for security, low allocation |
| 12 in Blink. All objects in Blink are expected to be allocated with | 11 latency (when called appropriately), and good space efficiency (when called |
| 13 PartitionAlloc or Oilpan (but not yet done). | 12 appropriately). This document aims to help you understand how PartitionAlloc |
| 13 works so that you can use it effectively. |
| 14 | 14 |
| 15 ## Partitions and buckets | 15 ## Partitions And Buckets |
| 16 | 16 |
| 17 PartitionAlloc has three partitions. A partition is a heap that contains | 17 A *partition* is a heap that contains certain object types, objects of certain |
| 18 certain types of objects. Specifically, PartitionAlloc allocates objects | 18 sizes, or objects of a certain lifetime (as the caller prefers). Callers can |
| 19 on either of the following three partitions depending on their types: | 19 create as many partitions as they need. Each partition is separate and protected |
| 20 from any other partitions. |
| 20 | 21 |
| 21 * LayoutObject partition: A partition to allocate LayoutObjects. | 22 Each partition holds multiple buckets. A *bucket* is a region in a partition |
| 23 that contains similar-sized objects. |
| 22 | 24 |
| 23 * Buffer partition: A partition to allocate objects that have a strong risk | 25 PartitionAlloc aligns each object allocation with the closest bucket size. For |
| 24 that the length and/or the contents are exploited by user scripts. | 26 example, if a partition has 3 buckets for 64 bytes, 256 bytes, and 1024 bytes, |
| 25 Specifically, Vectors, HashTables, ArrayBufferContents and Strings are | 27 then PartitionAlloc will satisfy an allocation request for 128 bytes by rounding |
| 26 allocated on the Buffer partition. | 28 it up to 256 bytes and allocating from the second bucket. |
| 27 | 29 |
| 28 * FastMalloc partition: A partition to allocate all other objects. | 30 The special allocator class `template <size_t N> class |
| 29 Objects marked with USING_FAST_MALLOC are allocated on the FastMalloc partition. | 31 SizeSpecificPartitionAllocator` will satisfy allocations only of size |
| 32 `kMaxAllocation = N - kAllocationGranularity` or less, and contains buckets for |
| 33 all `n * kAllocationGranularity` (n = 1, 2, ..., `kMaxAllocation`). Attempts to |
| 34 allocate more than `kMaxAllocation` will fail. |
| 30 | 35 |
| 31 Each partition holds multiple buckets. A bucket is a region in a partition | 36 ## Performance |
| 32 that contains similar-sized objects. Each object allocation must be aligned | |
| 33 with the closest bucket size. For example, if a partition has three buckets | |
| 34 for 64 bytes, 256 bytes and 1024 bytes, then an object of 128 bytes is | |
| 35 rounded up to 256 bytes and allocated on the second bucket. | |
| 36 | 37 |
| 37 The LayoutObject partition has buckets for all N * sizeof(void*) (N = 1, 2, ...,
N_max). | 38 The current implementation is optimized for the main thread use-case. For |
| 38 This means that no extra padding is needed to allocate a LayoutObject object. | 39 example, PartitionAlloc doesn't have threaded caches. |
| 39 Different sizes of LayoutObjects are allocated in different buckets. | |
| 40 | 40 |
| 41 The Buffer partition and the FastMalloc partition have many buckets. | 41 PartitionAlloc is designed to be extremely fast in its fast paths. The fast |
| 42 They support any arbitrary size of allocations but padding may be added | 42 paths of allocation and deallocation require just 2 (reasonably predictable) |
| 43 to align the allocation with the closest bucket size. The bucket sizes are | 43 branches. The number of operations in the fast paths is minimal, leading to the |
| 44 chosen to keep the worst-case memory overhead less than 10%. | 44 possibility of inlining. |
| 45 |
| 46 For an example of how to use partitions to get good performance and good safety, |
| 47 see Blink's usage, as described in `wtf/allocator/Allocator.md`. |
| 45 | 48 |
| 46 Large allocations (> 1 MB) are realized by direct memory mmapping. | 49 Large allocations (> 1 MB) are realized by direct memory mmapping. |
| 47 | 50 |
| 48 ## Performance | 51 `PartitionAllocGeneric` acquires a lock for thread safety. (The current |
| 52 implementation uses a spin lock on the assumption that thread contention will be |
| 53 rare in its callers. The original caller was Blink, where this is generally |
| 54 true. Spin locks also have the benefit of simplicity.) |
| 49 | 55 |
| 50 PartitionAlloc doesn't acquire a lock when allocating on the LayoutObject | 56 Callers can get thread-unsafe performance using a |
| 51 partition, because it's guaranteed that LayoutObjects are allocated | 57 `SizeSpecificPartitionAllocator` or otherwise using `PartitionAlloc` (instead of |
| 52 only by the main thread. | 58 `PartitionAllocGeneric`). Callers can also arrange for low contention, such as |
| 59 by using a dedicated partition for single-threaded, latency-critical |
| 60 allocations. |
| 53 | 61 |
| 54 PartitionAlloc acquires a lock when allocating on the Buffer partition and | 62 Because PartitionAlloc guarantees that address space regions used for one |
| 55 the FastMalloc partition. PartitionAlloc uses a spin lock because thread content
ion | 63 partition are never reused for other partitions, partitions can eat a large |
| 56 would be rare in Blink. | 64 amount of virtual address space (even if not of actual memory). |
| 57 | 65 |
| 58 PartitionAlloc is designed to be extremely fast in fast paths. Just two | 66 Mixing various random objects in the same partition will generally lead to lower |
| 59 (reasonably predictable) branches are required for the fast paths of an | 67 efficiency. For good performance, group similar objects into the same partition. |
| 60 allocation and deallocation. The number of operations in the fast paths | |
| 61 is minimized, leading to the possibility of inlining. | |
| 62 | |
| 63 Having a dedicated partition for LayoutObjects is helpful to improve cache | |
| 64 locality and thus help improve performance. | |
| 65 | 68 |
| 66 ## Security | 69 ## Security |
| 67 | 70 |
| 68 Security is one of the most important goals of PartitionAlloc. | 71 Security is one of the most important goals of PartitionAlloc. |
| 69 | 72 |
| 70 Different partitions are guaranteed to exist in separate address spaces. | 73 PartitionAlloc guarantees that different partitions exist in different regions |
| 71 When objects contained in a page in a partition are all freed, | 74 of the process' address space. When the caller has freed all objects contained |
| 72 the physical memory is returned to the system but the address space | 75 in a page in a partition, PartitionAlloc returns the physical memory to the |
| 73 remains reserved. The address space may be reused later only for the partition. | 76 operating system, but continues to reserve the region of address space. |
| 74 Remember that PartitionAlloc puts LayoutObjects into a dedicated partition. | 77 PartitionAlloc will only reuse an address space region for the same partition. |
| 75 This is because LayoutObjects are likely to be a source of use-after-free. | |
| 76 Similarly, PartitionAlloc puts Strings, Vectors etc into the Buffer partition | |
| 77 because the length and/or contents may be exploited by user scripts. | |
| 78 This means that PartitionAlloc greedily uses virtual address spaces in favor of | |
| 79 security hardening. | |
| 80 | 78 |
| 81 Also the following security properties are provided: | 79 PartitionAlloc also guarantees that: |
| 82 | 80 |
| 83 * Linear overflows cannot corrupt into the partition. | 81 * Linear overflows cannot corrupt into the partition. (There is a guard page at |
| 82 the beginning of each partition.) |
| 84 | 83 |
| 85 * Linear overflows cannot corrupt out of the partition. | 84 * Linear overflows cannot corrupt out of the partition. (There is a guard page |
| 85 at the end of each partition.) |
| 86 | 86 |
| 87 * Metadata is recorded in a dedicated region (not next to each object). | 87 * Linear overflow or underflow cannot corrupt the allocation metadata. |
| 88 Linear overflow or underflow cannot corrupt the metadata. | 88 PartitionAlloc records metadata in a dedicated region out-of-line (not adjacent |
| 89 to objects). |
| 89 | 90 |
| 90 * Buckets are helpful to allocate different-sized objects on different addresses
. | 91 * Objects of different sizes will likely be allocated in different buckets, and |
| 91 One page can contain only similar-sized objects. | 92 hence at different addresses. One page can contain only similar-sized objects. |
| 92 | 93 |
| 93 * Dereference of a freelist pointer should fault. | 94 * Dereference of a freelist pointer should fault. |
| 94 | 95 |
| 95 * Partial pointer overwrite of freelist pointer should fault. | 96 * Partial pointer overwrite of freelist pointer should fault. |
| 96 | 97 |
| 97 * Large allocations are guard-paged at the beginning and end. | 98 * Large allocations have guard pages at the beginning and end. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2870213002:
Update the PartitionAlloc documentation. (Closed)
