[PATCH] D70762: scudo: Add initial memory tagging support.

Peter Collingbourne via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Nov 27 15:13:53 PST 2019 

pcc added a comment.

In D70762#1762282 <https://reviews.llvm.org/D70762#1762282>, @eugenis wrote:

> In D70762#1762272 <https://reviews.llvm.org/D70762#1762272>, @pcc wrote:
>
> > In the case where the granule on the right is not in the current chunk, there are two possibilities:
> >
> > - We are at the next chunk, which will have a tag 0 at the beginning for the header granule.
> > - We are at the end of the mapping. Either way we will get a SEGV when we access the next granule.
>
>
> Yes, of course. SG.
>
> > Interesting. So:
> > 
> > - On mmap we do a separate IRG for each block and tag the entire block except for first granule.
> > - On free we IRG and tag the entire block except first granule.
> > - On malloc we tag the granule before and after (modulo end-of-block) with 0.
> > 
> >   So we would do about 1.5x the amount of work (because we don't know how big the malloc is going to be), with additional upfront work. Maybe the upfront work is fine on Android because of the zygote.
> > 
> >   That said, maybe we could cut the 1.5x down to about 1x by only tagging max(half block size, usable size) on free, and the remainder on malloc.
>
> We don't need the upfront work if we can track the "has never been tagged" state of the chunk somewhere. Ideally, not in the chunk header to avoid paging everything in too early.
>  Maybe we can optimize for size of malloc <= size of the previous free by storing the size of the free() in the header.


There is already a header field 'SizeOrUnusedBytes" that stores the allocation size. When a chunk is freed, we don't disturb that field. That gives us a way to recover the size of the previous allocation. We can call getChunkFromBlock() (modifying it to accept deallocated chunks) to recover the location of the chunk header given a block.

I think we can use the header itself to store the "has never been tagged" state. If the header read as a word is equal to 0, that means that the chunk has never been used before and we need to IRG before setting tags. That won't result in early paging because by the time we read the header we've already decided to use that block for the allocation.

One complication is that we need to handle the case where the new allocation has lower alignment than the old allocation. In that case, malloc will need to set tags on both sides of the allocation (because the previous free will have retagged starting from a higher address).


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D70762/new/

https://reviews.llvm.org/D70762

More information about the llvm-commits mailing list