Oilpan: Improve address space randomization for the Oilpan heap.

Source/platform/heap/Heap.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 16 matching lines @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "config.h"
 #include "platform/heap/Heap.h"
 
 #include "platform/TraceEvent.h"
 #include "platform/heap/ThreadState.h"
 #include "public/platform/Platform.h"
+#include "wtf/AddressSpaceRandomization.h"
 #include "wtf/Assertions.h"
 #include "wtf/LeakAnnotations.h"
 #include "wtf/PassOwnPtr.h"
 #if ENABLE(GC_TRACING)
 #include "wtf/HashMap.h"
 #include "wtf/HashSet.h"
 #include "wtf/text/StringBuilder.h"
 #include "wtf/text/StringHash.h"
 #include <stdio.h>
 #include <utility>
@@ skipping 118 matching lines @@
     }
 
     Address base() const { return m_base; }
     size_t size() const { return m_size; }
 
 private:
     Address m_base;
     size_t m_size;
 };
 
+// A PageMemoryRegion represents a chunk of reserved virtual address
+// space containing a number of blink heap pages. On Windows, reserved
+// virtual address space can only be given back to the system as a
+// whole. The PageMemoryRegion allows us to do that by keeping track
+// of the number of pages using it in order to be able to release all
+// of the virtual address space when there are no more pages using it.
+class PageMemoryRegion : public MemoryRegion {
+public:
+    ~PageMemoryRegion()
+    {
+        release();
+    }
+
+    void pageRemoved()
+    {
+        if (!--m_numPages)
+            delete this;
+    }
+
+    static PageMemoryRegion* allocate(size_t size, unsigned numPages)
+    {
+        ASSERT(Heap::heapDoesNotContainCacheIsEmpty());
+
+        // Compute a random blink page aligned address for the page memory
+        // region and attempt to get the memory there.
+        Address randomAddress = reinterpret_cast<Address>(WTF::getRandomPageBase());
+        Address alignedRandomAddress = roundToBlinkPageBoundary(randomAddress);
+
+#if OS(POSIX)
+        Address base = static_cast<Address>(mmap(alignedRandomAddress, size, PROT_NONE, MAP_ANON | MAP_PRIVATE, -1, 0));
+        RELEASE_ASSERT(base != MAP_FAILED);
+        if (base == roundToBlinkPageBoundary(base))
+            return new PageMemoryRegion(base, size, numPages);
+
+        // We failed to get a blink page aligned chunk of
+        // memory. Unmap the chunk that we got and fall back to
+        // overallocating and selecting an aligned sub part of what
+        // we allocate.
+        int error = munmap(base, size);
+        RELEASE_ASSERT(!error);
+        size_t allocationSize = size + blinkPageSize;
+        base = static_cast<Address>(mmap(alignedRandomAddress, allocationSize, PROT_NONE, MAP_ANON | MAP_PRIVATE, -1, 0));
+        RELEASE_ASSERT(base != MAP_FAILED);
+
+        Address end = base + allocationSize;
+        Address alignedBase = roundToBlinkPageBoundary(base);
+        Address regionEnd = alignedBase + size;
+
+        // If the allocated memory was not blink page aligned release
+        // the memory before the aligned address.
+        if (alignedBase != base)
+            MemoryRegion(base, alignedBase - base).release();
+
+        // Free the additional memory at the end of the page if any.
+        if (regionEnd < end)
+            MemoryRegion(regionEnd, end - regionEnd).release();
+
+        return new PageMemoryRegion(alignedBase, size, numPages);
+#else
+        Address base = static_cast<Address>(VirtualAlloc(alignedRandomAddress, size, MEM_RESERVE, PAGE_NOACCESS));
+        if (base) {
+            ASSERT(base == alignedRandomAddress);
+            return new PageMemoryRegion(base, size, numPages);
+        }
+
+        // We failed to get the random aligned address that we asked
+        // for. Fall back to overallocating. On Windows it is
+        // impossible to partially release a region of memory
+        // allocated by VirtualAlloc. To avoid wasting virtual address
+        // space we attempt to release a large region of memory
+        // returned as a whole and then allocate an aligned region
+        // inside this larger region.
+        size_t allocationSize = size + blinkPageSize;
+        for (int attempt = 0; attempt < 3; attempt++) {
+            base = static_cast<Address>(VirtualAlloc(0, allocationSize, MEM_RESERVE, PAGE_NOACCESS));
+            RELEASE_ASSERT(base);
+            VirtualFree(base, 0, MEM_RELEASE);
+
+            Address alignedBase = roundToBlinkPageBoundary(base);
+            base = static_cast<Address>(VirtualAlloc(alignedBase, size, MEM_RESERVE, PAGE_NOACCESS));
+            if (base) {
+                ASSERT(base == alignedBase);
+                return new PageMemoryRegion(alignedBase, size, numPages);
+            }
+        }
+
+        // We failed to avoid wasting virtual address space after
+        // several attempts.
+        base = static_cast<Address>(VirtualAlloc(0, allocationSize, MEM_RESERVE, PAGE_NOACCESS));
+        RELEASE_ASSERT(base);
+
+        // FIXME: If base is by accident blink page size aligned
+        // here then we can create two pages out of reserved
+        // space. Do this.
+        Address alignedBase = roundToBlinkPageBoundary(base);
+
+        return new PageMemoryRegion(alignedBase, size, numPages);
+#endif
+    }
+
+private:
+    PageMemoryRegion(Address base, size_t size, unsigned numPages)
+        : MemoryRegion(base, size)
+        , m_numPages(numPages)
+    {
+    }
+
+    unsigned m_numPages;
+};
+
 // Representation of the memory used for a Blink heap page.
 //
 // The representation keeps track of two memory regions:
 //
-// 1. The virtual memory reserved from the sytem in order to be able
-//    to free all the virtual memory reserved on destruction.
+// 1. The virtual memory reserved from the system in order to be able
+//    to free all the virtual memory reserved. Multiple PageMemory
+//    instances can share the same reserved memory region and
+//    therefore notify the reserved memory region on destruction so
+//    that the system memory can be given back when all PageMemory
+//    instances for that memory are gone.
 //
 // 2. The writable memory (a sub-region of the reserved virtual
 //    memory region) that is used for the actual heap page payload.
 //
 // Guard pages are created before and after the writable memory.
 class PageMemory {
 public:
     ~PageMemory()
     {
         __lsan_unregister_root_region(m_writable.base(), m_writable.size());
-        m_reserved.release();
+        m_reserved->pageRemoved();
     }
 
     bool commit() WARN_UNUSED_RETURN { return m_writable.commit(); }
     void decommit() { m_writable.decommit(); }
 
     Address writableStart() { return m_writable.base(); }
 
-    // Allocate a virtual address space for the blink page with the
+    static PageMemory* setupPageMemoryInRegion(PageMemoryRegion* region, size_t pageOffset, size_t payloadSize)
+    {
+        // Setup the payload one OS page into the page memory. The
+        // first os page is the guard page.
+        Address payloadAddress = region->base() + pageOffset + osPageSize();
+        return new PageMemory(region, MemoryRegion(payloadAddress, payloadSize));
+    }
+
+    // Allocate a virtual address space for one blink page with the
     // following layout:
     //
     //    [ guard os page | ... payload ... | guard os page ]
     //    ^---{ aligned to blink page size }
     //
     static PageMemory* allocate(size_t payloadSize)
     {
         ASSERT(payloadSize > 0);
 
         // Virtual memory allocation routines operate in OS page sizes.
         // Round up the requested size to nearest os page size.
         payloadSize = roundToOsPageSize(payloadSize);
 
-        // Overallocate by blinkPageSize and 2 times OS page size to
-        // ensure a chunk of memory which is blinkPageSize aligned and
-        // has a system page before and after to use for guarding. We
-        // unmap the excess memory before returning.
-        size_t allocationSize = payloadSize + 2 * osPageSize() + blinkPageSize;
-
-        ASSERT(Heap::heapDoesNotContainCacheIsEmpty());
-#if OS(POSIX)
-        Address base = static_cast<Address>(mmap(0, allocationSize, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0));
-        RELEASE_ASSERT(base != MAP_FAILED);
-
-        Address end = base + allocationSize;
-        Address alignedBase = roundToBlinkPageBoundary(base);
-        Address payloadBase = alignedBase + osPageSize();
-        Address payloadEnd = payloadBase + payloadSize;
-        Address blinkPageEnd = payloadEnd + osPageSize();
-
-        // If the allocate memory was not blink page aligned release
-        // the memory before the aligned address.
-        if (alignedBase != base)
-            MemoryRegion(base, alignedBase - base).release();
-
-        // Create guard pages by decommiting an OS page before and
-        // after the payload.
-        MemoryRegion(alignedBase, osPageSize()).decommit();
-        MemoryRegion(payloadEnd, osPageSize()).decommit();
-
-        // Free the additional memory at the end of the page if any.
-        if (blinkPageEnd < end)
-            MemoryRegion(blinkPageEnd, end - blinkPageEnd).release();
-
-        return new PageMemory(MemoryRegion(alignedBase, blinkPageEnd - alignedBase), MemoryRegion(payloadBase, payloadSize));
-#else
-        Address base = 0;
-        Address alignedBase = 0;
-
-        // On Windows it is impossible to partially release a region
-        // of memory allocated by VirtualAlloc. To avoid wasting
-        // virtual address space we attempt to release a large region
-        // of memory returned as a whole and then allocate an aligned
-        // region inside this larger region.
-        for (int attempt = 0; attempt < 3; attempt++) {
-            base = static_cast<Address>(VirtualAlloc(0, allocationSize, MEM_RESERVE, PAGE_NOACCESS));
-            RELEASE_ASSERT(base);
-            VirtualFree(base, 0, MEM_RELEASE);
-
-            alignedBase = roundToBlinkPageBoundary(base);
-            base = static_cast<Address>(VirtualAlloc(alignedBase, payloadSize + 2 * osPageSize(), MEM_RESERVE, PAGE_NOACCESS));
-            if (base) {
-                RELEASE_ASSERT(base == alignedBase);
-                allocationSize = payloadSize + 2 * osPageSize();
-                break;
-            }
-        }
-
-        if (!base) {
-            // We failed to avoid wasting virtual address space after
-            // several attempts.
-            base = static_cast<Address>(VirtualAlloc(0, allocationSize, MEM_RESERVE, PAGE_NOACCESS));
-            RELEASE_ASSERT(base);
-
-            // FIXME: If base is by accident blink page size aligned
-            // here then we can create two pages out of reserved
-            // space. Do this.
-            alignedBase = roundToBlinkPageBoundary(base);
-        }
-
-        Address payloadBase = alignedBase + osPageSize();
-        PageMemory* storage = new PageMemory(MemoryRegion(base, allocationSize), MemoryRegion(payloadBase, payloadSize));
-        bool res = storage->commit();
-        RELEASE_ASSERT(res);
+        // Overallocate by 2 times OS page size to have space for a
+        // guard page at the beginning and end of blink heap page.
+        size_t allocationSize = payloadSize + 2 * osPageSize();
+        PageMemoryRegion* pageMemoryRegion = PageMemoryRegion::allocate(allocationSize, 1);
+        PageMemory* storage = setupPageMemoryInRegion(pageMemoryRegion, 0, payloadSize);
+        RELEASE_ASSERT(storage->commit());
         return storage;
-#endif
     }
 
 private:
-    PageMemory(const MemoryRegion& reserved, const MemoryRegion& writable)
+    PageMemory(PageMemoryRegion* reserved, const MemoryRegion& writable)
         : m_reserved(reserved)
         , m_writable(writable)
     {
-        ASSERT(reserved.contains(writable));
+        ASSERT(reserved->contains(writable));
 
         // Register the writable area of the memory as part of the LSan root set.
         // Only the writable area is mapped and can contain C++ objects. Those
         // C++ objects can contain pointers to objects outside of the heap and
         // should therefore be part of the LSan root set.
         __lsan_register_root_region(m_writable.base(), m_writable.size());
     }
 
-    MemoryRegion m_reserved;
+
+    PageMemoryRegion* m_reserved;
     MemoryRegion m_writable;
 };
 
 class GCScope {
 public:
     explicit GCScope(ThreadState::StackState stackState)
         : m_state(ThreadState::current())
         , m_safePointScope(stackState)
         , m_parkedAllThreads(false)
     {
@@ skipping 400 matching lines @@
             return storage;
 
         // Failed to commit pooled storage. Release it.
         delete storage;
     }
 
     return 0;
 }
 
 template<typename Header>
-void ThreadHeap<Header>::addPageToPool(HeapPage<Header>* unused)
+void ThreadHeap<Header>::addPageMemoryToPool(PageMemory* storage)
 {
     flushHeapContainsCache();
-    PageMemory* storage = unused->storage();
     PagePoolEntry* entry = new PagePoolEntry(storage, m_pagePool);
     m_pagePool = entry;
+}
+
+template <typename Header>
+void ThreadHeap<Header>::addPageToPool(HeapPage<Header>* page)
+{
+    PageMemory* storage = page->storage();
     storage->decommit();
+    addPageMemoryToPool(storage);
 }
 
 template<typename Header>
 void ThreadHeap<Header>::allocatePage(const GCInfo* gcInfo)
 {
     Heap::flushHeapDoesNotContainCache();
     PageMemory* pageMemory = takePageFromPool();
     if (!pageMemory) {
-        pageMemory = PageMemory::allocate(blinkPagePayloadSize());
+        // Allocate a memory region for blinkPagesPerRegion pages that
+        // will each have the following layout.

[haraken, 2014/06/27 06:50:17]

I guess "each" is confusing. Also "... payload ..." is confusing since the
"payload" of "... payload ..." is different from the "payload" of
blinkPage"Payload"Size().

Slightly better:

Allocate a memory region for blinkPagesPerRegion pages that have the following
layout.

[guard os page | page payload | page payload | ... | page payload | guard os
page]
^---{ aligned to blink page size }

[Mads Ager (chromium), 2014/06/27 07:01:04]

They layout that we get in a region is:

[guard | payload | guard | guard | payload | guard ]
--------------------------
|       page size        |

^ size aligned           ^ size aligned

So it really is for that many pages that each have the layout of the ascii art.
:)

[haraken, 2014/06/27 07:16:43]

Now I understood!

+        //
+        //    [ guard os page | ... payload ... | guard os page ]
+        //    ^---{ aligned to blink page size }
+        PageMemoryRegion* region = PageMemoryRegion::allocate(blinkPageSize * blinkPagesPerRegion, blinkPagesPerRegion);
+        // Setup the PageMemory object for each of the pages in the
+        // region.
+        size_t offset = 0;
+        for (size_t i = 0; i < blinkPagesPerRegion; i++) {
+            addPageMemoryToPool(PageMemory::setupPageMemoryInRegion(region, offset, blinkPagePayloadSize()));
+            offset += blinkPageSize;
+        }
+        pageMemory = takePageFromPool();
         RELEASE_ASSERT(pageMemory);
     }
     HeapPage<Header>* page = new (pageMemory->writableStart()) HeapPage<Header>(pageMemory, this, gcInfo);
     // FIXME: Oilpan: Linking new pages into the front of the list is
     // crucial when performing allocations during finalization because
     // it ensures that those pages are not swept in the current GC
     // round. We should create a separate page list for that to
     // separate out the pages allocated during finalization clearly
     // from the pages currently being swept.
     page->link(&m_firstPage);
@@ skipping 1152 matching lines @@
 template class ThreadHeap<HeapObjectHeader>;
 
 Visitor* Heap::s_markingVisitor;
 CallbackStack* Heap::s_markingStack;
 CallbackStack* Heap::s_weakCallbackStack;
 CallbackStack* Heap::s_ephemeronStack;
 HeapDoesNotContainCache* Heap::s_heapDoesNotContainCache;
 bool Heap::s_shutdownCalled = false;
 bool Heap::s_lastGCWasConservative = false;
 }