

# Copyright 2022 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import("//build_overrides/partition_alloc.gni")

# PartitionAlloc has limited support for MSVC's cl.exe compiler. It can only
# access the generated "buildflags" and the "raw_ptr" definitions implemented
# with RawPtrNoOpImpl. Everything else is considered not supported.
#
# Since there are no other good ways to detect MSVC's cl.exe, we are reusing the
# same definition used by Chrome in //base/BUILD.gn. See
# https://crbug.com/988071.
is_clang_or_gcc = is_clang || !is_win

# Whether 64-bit pointers are used.
# A static_assert in partition_alloc_config.h verifies that.
# Several features declared later in this file (e.g.
# `backup_ref_ptr_poison_oob_ptr`, `enable_shadow_metadata`) are gated on
# this value.
if (is_nacl) {
  # NaCl targets don't use 64-bit pointers.
  has_64_bit_pointers = false
} else if (current_cpu == "x64" || current_cpu == "arm64" ||
           current_cpu == "loong64" || current_cpu == "riscv64") {
  has_64_bit_pointers = true
} else if (current_cpu == "x86" || current_cpu == "arm") {
  has_64_bit_pointers = false
} else {
  # Fail at gen time rather than silently guessing the pointer width for a
  # CPU this file doesn't know about.
  assert(false, "Unknown CPU: $current_cpu")
}

# Makes the number of empty slot spans that can remain committed larger in
# foreground mode compared to background mode
# (see `PartitionRoot::AdjustFor(Background|Foreground)`).
#
# Foreground/background modes are used by default on macOS and Windows so this
# must be true on these platforms. It's also true on other platforms to allow
# experiments.
#
# TODO(crbug.com/329199197): Clean this up when experiments are complete.
use_large_empty_slot_span_ring = true

# Whether hardware memory tagging can be used. Requires an arm64 clang build
# and is mutually exclusive with ASan. `use_full_mte` (declared below) is
# forced off when this is false.
has_memory_tagging =
    current_cpu == "arm64" && is_clang && !is_asan && (is_linux || is_android)

declare_args() {
  # Causes all the allocations to be routed via allocator_shim.cc. Usually,
  # the allocator shim will, in turn, route them to PartitionAlloc, but
  # other allocators are also supported by the allocator shim.
  use_allocator_shim = use_allocator_shim_default && is_clang_or_gcc

  # Whether PartitionAlloc should be available for use or not.
  # true makes PartitionAlloc linked to the executable or shared library and
  # makes it available for use. It doesn't mean that the default allocator
  # is PartitionAlloc, which is governed by |use_partition_alloc_as_malloc|.
  #
  # N.B. generally, embedders should look at this GN arg and at the
  # corresponding buildflag to determine whether to interact with PA
  # source at all (pulling the component in via GN, including headers,
  # etc.). There is nothing stopping a lazy embedder from ignoring this
  # and unconditionally using PA, but such a setup is inadvisable.
  #
  # In Chromium, this is set true, except:
  #
  # 1.  On Cronet bots, because Cronet doesn't use PartitionAlloc at all,
  #     and doesn't wish to incur the library size increase (crbug.com/674570).
  # 2.  On NaCl (through this declaration), where PartitionAlloc doesn't
  #     build at all.
  use_partition_alloc = !is_nacl && is_clang_or_gcc
}

# The defaults above already encode these constraints; the assertions exist
# so that an explicit `use_partition_alloc=true` / `use_allocator_shim=true`
# override in args.gn fails loudly at gen time instead of producing a build
# that fails later or in a less obvious way.
if (!is_clang_or_gcc) {
  assert(!use_partition_alloc,
         "PartitionAlloc's allocator does not support this compiler")
  assert(!use_allocator_shim,
         "PartitionAlloc's allocator shim does not support this compiler")
}

if (is_nacl) {
  assert(!use_partition_alloc, "PartitionAlloc doesn't build on NaCl")
}

declare_args() {
  # PartitionAlloc-Everywhere (PA-E). Causes allocator_shim.cc to route
  # calls to PartitionAlloc, rather than some other platform allocator.
  # Declared in its own declare_args() block so that it can depend on the
  # values of `use_partition_alloc` and `use_allocator_shim` from above,
  # including any user overrides of them.
  use_partition_alloc_as_malloc = use_partition_alloc && use_allocator_shim &&
                                  use_partition_alloc_as_malloc_default
}

declare_args() {
  # Whether PartitionAlloc dispatch can be replaced with another dispatch with
  # some more safety checks at runtime or not.  When true, the allocator shim
  # provides an extended API to swap PartitionAlloc.
  enable_allocator_shim_partition_alloc_dispatch_with_advanced_checks_support =
      use_partition_alloc_as_malloc
}

declare_args() {
  # This is a flag for binary experiment on iOS. When BRP for iOS is enabled,
  # we see some un-actionable `DoubleFreeOrCorruptionDetected` crashes.
  # This flag enables some extra `CHECK`s to get actionable crash reports.
  # TODO(crbug.com/371135823): Remove upon completion of investigation.
  enable_ios_corruption_hardening = use_partition_alloc_as_malloc && is_ios &&
                                    enable_ios_corruption_hardening_default
}

# Trivially true for the default above; guards against a user override that
# enables the advanced-checks dispatch without PA-E.
assert(
    !enable_allocator_shim_partition_alloc_dispatch_with_advanced_checks_support || use_partition_alloc_as_malloc,
    "PartitionAlloc with advanced checks requires PartitionAlloc itself.")

assert(!use_allocator_shim || !is_nacl,
       "The allocator shim supports every platform, except nacl")

if (use_allocator_shim && is_win) {
  # It's hard to override CRT's malloc family in every case in the component
  # build, and it's very easy to override it partially and to be inconsistent
  # among allocations and deallocations. Then, we'll crash when PA deallocates
  # a memory region allocated by the CRT's malloc or vice versa.
  # Since PartitionAlloc depends on libc++, it is difficult to link libc++.dll
  # with PartitionAlloc to replace its allocator with PartitionAlloc.
  # If using libcxx_is_shared=true,
  # a. since inline methods or inline functions defined in some libc++ headers,
  #    e.g. vector, use new, malloc(), and so on, the memory allocation will
  #    be done inside a client code.
  # b. on the other hand, libc++.dll deallocates the memory allocated by the
  #    inline methods or inline functions. It will not be run inside the client
  #    code.
  # So a.'s allocation is done by PartitionAlloc, but b.'s deallocation is
  # done by system allocator. This will cause heap check failure (WinHeap
  # doesn't know PartitionAlloc) and crash.
  # If libcxx_is_shared=false, libc++ is a static library. All libc++ code
  # will be run inside the client. The above issue will disappear.
  assert(
      !is_component_build || (!libcxx_is_shared && !is_debug),
      "The allocator shim for the Windows component build needs !libcxx_is_shared && !is_debug.")
}

declare_args() {
  # No description upstream. Presumably selects a bitmap-based free-slot
  # representation inside PartitionAlloc -- verify against the
  # partition_alloc sources before relying on it.
  use_freeslot_bitmap = false

  # Introduces pointer compression support in PA. These are 4-byte
  # pointers that can point within the core pools (regular and BRP).
  #
  # This is effective only for memory allocated from PartitionAlloc, so it is
  # recommended to enable PA-E above, but isn't strictly necessary. Embedders
  # can create and use PA partitions explicitly.
  enable_pointer_compression_support = false

  # Enables a bounds check when two pointers (at least one being raw_ptr) are
  # subtracted (if supported by the underlying implementation).
  enable_pointer_subtraction_check = false

  # Enables a compile-time check that all raw_ptrs to which arithmetic
  # operations are to be applied are annotated with the AllowPtrArithmetic
  # trait.
  enable_pointer_arithmetic_trait_check = true

  # Forwards all the allocation/freeing calls in shim (e.g. operator new)
  # through malloc. Useful for using with tools that intercept malloc, e.g.
  # heaptrack.
  forward_through_malloc = false

  # Enable reentrancy checks at `partition_alloc::internal::Lock`.
  # TODO(crbug.com/371135823): Remove upon completion of investigation.
  enable_partition_lock_reentrancy_check = enable_ios_corruption_hardening

  # This will write a fixed cookie pattern at the end of each allocation, and
  # later verify the pattern remain unchanged to ensure there is no OOB write.
  # It comes with performance and memory cost, hence enabled only in debug.
  # Note that this is a detection aid (the overwrite is noticed when the
  # pattern is verified, not when it happens) and the pattern is fixed, so
  # it is not a hardening feature for release builds.
  use_partition_cookie =
      is_debug || dcheck_always_on || enable_ios_corruption_hardening

  # This will change partition cookie size to 4B or 8B, whichever equivalent to
  # size of InSlotMetadata. This option is useful for InSlotMetadata corruption
  # investigation.
  # TODO(crbug.com/371135823): Remove upon completion of investigation.
  smaller_partition_cookie = enable_ios_corruption_hardening
}

declare_args() {
  # Build support for Use-after-Free protection via BackupRefPtr (BRP),
  # making the raw_ptr<T> implementation to RawPtrBackupRefImpl if active.
  #
  # These are effective only for memory allocated from PartitionAlloc, so it is
  # recommended to enable PA-E above, but isn't strictly necessary. Embedders
  # can create and use PA partitions explicitly.
  #
  # Note that |enable_backup_ref_ptr_support = true| doesn't necessarily enable
  # BRP protection. It'll be enabled only for partition created with
  # partition_alloc::PartitionOptions::kEnabled.
  enable_backup_ref_ptr_support =
      use_partition_alloc && enable_backup_ref_ptr_support_default

  # RAW_PTR_EXCLUSION macro is disabled on official builds because it increased
  # binary size. This flag can be used to enable it for official builds too.
  force_enable_raw_ptr_exclusion = false
}

# `glue_core_pools` is not declared in this file; it comes from the imported
# build_overrides. This check runs before the "jam everything to false" block
# further down, which clears `glue_core_pools` but not
# `enable_pointer_compression_support`.
assert(!enable_pointer_compression_support || glue_core_pools,
       "Pointer compression relies on core pools being contiguous.")

declare_args() {
  # We want to use RawPtrBackupRefImpl as the raw_ptr<> implementation
  # iff BRP support is enabled. However, for purpose of performance
  # investigations we want to be able to control each separately.
  #
  # TEST ONLY! Don't touch unless you think you know what you're doing. Play
  # with enable_backup_ref_ptr_support instead.
  use_raw_ptr_backup_ref_impl = enable_backup_ref_ptr_support

  # Make explicit calls to ASAN at runtime, e.g. to mark quarantined memory
  # as poisoned. Allows ASAN to tell if a particular memory error is protected
  # by BRP in its reports.
  #
  # The implementation of ASan BRP is purpose-built to inspect Chromium
  # internals and is entangled with `//base` s.t. it cannot be used
  # outside of Chromium.
  use_asan_backup_ref_ptr =
      build_with_chromium && is_asan &&
      (is_win || is_android || is_linux || is_mac || is_chromeos)

  # Use probe-on-destruct unowned ptr detection with ASAN.
  use_raw_ptr_asan_unowned_impl = false
}

# Use the version of raw_ptr<T> that allows the embedder to implement custom
# logic.
# Not a declare_args() entry: this is derived from `use_asan_backup_ref_ptr`
# and cannot be overridden independently (see the assertions below, which
# require the two to agree).
use_raw_ptr_hookable_impl = use_asan_backup_ref_ptr

declare_args() {
  # - enable_backup_ref_ptr_slow_checks: enable additional safety checks that
  #   are too expensive to have on by default.
  # - enable_dangling_raw_ptr_checks: enable checking raw_ptr do not become
  #   dangling during their lifetime.
  # - backup_ref_ptr_poison_oob_ptr: poison out-of-bounds (OOB) pointers to
  #   generate an exception in the event that an OOB pointer is dereferenced.
  # - enable_backup_ref_ptr_instance_tracer: use a global table to track all
  #   live raw_ptr/raw_ref instances to help debug dangling pointers at test
  #   end.

  enable_backup_ref_ptr_slow_checks =
      enable_backup_ref_ptr_slow_checks_default && enable_backup_ref_ptr_support

  # Enable the feature flag required to activate backup ref pointers. That is to
  # say `PartitionAllocBackupRefPtr`.
  #
  # This is meant to be modified primarily on bots. It is much easier to
  # override the feature flags using a binary flag instead of updating multiple
  # bots' scripts to pass command line arguments.
  #
  # TODO(328104161): Remove this flag.
  enable_backup_ref_ptr_feature_flag =
      enable_backup_ref_ptr_support && use_raw_ptr_backup_ref_impl &&
      # Platforms where BackupRefPtr hasn't shipped yet:
      !is_castos && !is_ios

  # While keeping BRP support, override a feature flag to make it disabled
  # state. This will overwrite `enable_backup_ref_ptr_feature_flag`.
  # TODO(https://crbug.com/372183586): Fix the bug and remove this arg.
  force_disable_backup_ref_ptr_feature =
      enable_backup_ref_ptr_support && enable_ios_corruption_hardening

  # Build support for Dangling Ptr Detection (DPD) via BackupRefPtr (BRP),
  # making the raw_ptr<T> implementation to RawPtrBackupRefImpl if active.
  enable_dangling_raw_ptr_checks =
      enable_dangling_raw_ptr_checks_default && enable_backup_ref_ptr_support &&
      use_raw_ptr_backup_ref_impl

  enable_backup_ref_ptr_instance_tracer = false

  backup_ref_ptr_extra_oob_checks =
      enable_backup_ref_ptr_support && use_raw_ptr_backup_ref_impl
}

declare_args() {
  # Enable the feature flag required to check for dangling pointers. That is to
  # say `PartitionAllocDanglingPtr`.
  #
  # This is meant to be modified primarily on bots. It is much easier to
  # override the feature flags using a binary flag instead of updating multiple
  # bots' scripts to pass command line arguments.
  #
  # TODO(328104161): Remove this flag.
  enable_dangling_raw_ptr_feature_flag = enable_dangling_raw_ptr_checks
}

declare_args() {
  # The leading `false &&` hard-disables this by default; the remaining
  # conjuncts document what it would require (extra OOB checks and 64-bit
  # pointers, both also enforced by assertions below) if re-enabled.
  backup_ref_ptr_poison_oob_ptr =
      false && backup_ref_ptr_extra_oob_checks && has_64_bit_pointers
}

declare_args() {
  # Shadow metadata is still under development and only supports Linux
  # for now.
  enable_shadow_metadata = is_linux && has_64_bit_pointers
}

declare_args() {
  # Use full MTE protection available by changing the feature flag default
  # values. So sync mode on all processes. Also disables permissive MTE.
  #
  # This is meant to be used primarily on bots. It is much easier to override
  # the feature flags using a binary flag instead of updating multiple bots'
  # scripts to pass command line arguments.
  #
  # Forced back to false below when `has_memory_tagging` is false.
  use_full_mte = false
}

# Not a declare_args() entry, so it cannot be overridden from args.gn.
stack_scan_supported =
    current_cpu == "x64" || current_cpu == "x86" || current_cpu == "arm" ||
    current_cpu == "arm64" || current_cpu == "riscv64"

# We want to provide assertions that guard against inconsistent build
# args, but there is no point in having them fire if we're not building
# PartitionAlloc at all. If `use_partition_alloc` is false, we jam all
# related args to `false`.
#
# We also disable PA-Everywhere and PA-based features in two types of
# toolchains:
# - Toolchains that disable PA-Everywhere explicitly.
# - The rust host build tools toolchain, which builds DLLs to dlopen into the
#   compiler for proc macros. We would want any allocations to use the same
#   paths as the compiler.
#
# Do not clear the following, as they can function outside of PartitionAlloc
# - has_64_bit_pointers
# - has_memory_tagging
#
# NOTE(review): args declared above that are not cleared here include
# `enable_pointer_compression_support`, `enable_shadow_metadata`,
# `use_partition_cookie` and `enable_pkeys` (declared below). The
# `enable_pointer_compression_support || glue_core_pools` assertion runs
# before `glue_core_pools` is cleared here, so it is not re-checked against
# the final values -- confirm that is intended if adding new args.
if (!use_partition_alloc ||
    (defined(toolchain_allows_use_partition_alloc_as_malloc) &&
     !toolchain_allows_use_partition_alloc_as_malloc) ||
    (defined(toolchain_for_rust_host_build_tools) &&
     toolchain_for_rust_host_build_tools)) {
  use_partition_alloc_as_malloc = false
  glue_core_pools = false
  enable_backup_ref_ptr_support = false
  use_raw_ptr_backup_ref_impl = false
  use_asan_backup_ref_ptr = false
  use_raw_ptr_asan_unowned_impl = false
  use_raw_ptr_hookable_impl = false
  enable_backup_ref_ptr_slow_checks = false
  enable_dangling_raw_ptr_checks = false
  enable_dangling_raw_ptr_feature_flag = false
  enable_pointer_subtraction_check = false
  backup_ref_ptr_poison_oob_ptr = false
  backup_ref_ptr_extra_oob_checks = false
  enable_backup_ref_ptr_instance_tracer = false
  use_full_mte = false
}

# Disable |use_full_mte| if memory tagging is not available. This matters for
# targets that run as part of the build process, which must not require MTE.
if (!has_memory_tagging) {
  use_full_mte = false
}

# The assertions below run after the "jam everything to false" block above,
# so they check the final, effective values of the args rather than the
# user-supplied ones.

# use_raw_ptr_backup_ref_impl can only be used if
# enable_backup_ref_ptr_support is true.
assert(enable_backup_ref_ptr_support || !use_raw_ptr_backup_ref_impl,
       "Can't use RawPtrBackupRefImpl if BRP isn't enabled at all")

# enable_backup_ref_ptr_slow_checks can only be used if
# enable_backup_ref_ptr_support is true.
assert(enable_backup_ref_ptr_support || !enable_backup_ref_ptr_slow_checks,
       "Can't enable additional BRP checks if it isn't enabled at all")

# enable_dangling_raw_ptr_checks can only be used if
# enable_backup_ref_ptr_support & use_raw_ptr_backup_ref_impl are true.
assert((enable_backup_ref_ptr_support && use_raw_ptr_backup_ref_impl) ||
           !enable_dangling_raw_ptr_checks,
       "Can't enable dangling raw_ptr checks if BRP isn't enabled and used")

# It's meaningless to force on DPD (e.g. on bots) if the support isn't compiled
# in.
assert(enable_dangling_raw_ptr_checks || !enable_dangling_raw_ptr_feature_flag,
       "Meaningless to enable DPD without it compiled.")

# To enable extra OOB checks for BRP, the underlying feature must be
# enabled, too.
assert((enable_backup_ref_ptr_support && use_raw_ptr_backup_ref_impl) ||
           !backup_ref_ptr_extra_oob_checks,
       "Can't enable extra OOB checks if BRP isn't enabled and used")

# To poison OOB pointers for BRP, the underlying feature must be
# enabled, too.
assert(backup_ref_ptr_extra_oob_checks || !backup_ref_ptr_poison_oob_ptr,
       "Can't enable poisoning for OOB pointers if OOB checks aren't enabled " +
           "at all")
assert(has_64_bit_pointers || !backup_ref_ptr_poison_oob_ptr,
       "Can't enable poisoning for OOB pointers if pointers are only 32-bit")

# The raw_ptr<> implementations below are pairwise mutually exclusive: exactly
# one implementation backs raw_ptr<T> in a given build.

# AsanBackupRefPtr and AsanUnownedPtr are mutually exclusive variants of
# raw_ptr.
assert(
    !use_raw_ptr_asan_unowned_impl || !use_asan_backup_ref_ptr,
    "Both AsanUnownedPtr and AsanBackupRefPtr can't be enabled at the same " +
        "time")

# BackupRefPtr and AsanBackupRefPtr are mutually exclusive variants of raw_ptr.
assert(
    !enable_backup_ref_ptr_support || !use_asan_backup_ref_ptr,
    "Both BackupRefPtr and AsanBackupRefPtr can't be enabled at the same time")

# BackupRefPtr and AsanUnownedPtr are mutually exclusive variants of raw_ptr.
assert(!enable_backup_ref_ptr_support || !use_raw_ptr_asan_unowned_impl,
       "Both BackupRefPtr and AsanUnownedPtr can't be enabled at the same time")

# RawPtrHookableImpl and BackupRefPtr are mutually exclusive variants of
# raw_ptr.
assert(
    !use_raw_ptr_hookable_impl || !enable_backup_ref_ptr_support,
    "Both RawPtrHookableImpl and BackupRefPtr can't be enabled at the same " +
        "time")

# RawPtrHookableImpl and AsanUnownedPtr are mutually exclusive variants of
# raw_ptr.
assert(
    !use_raw_ptr_hookable_impl || !use_raw_ptr_asan_unowned_impl,
    "Both RawPtrHookableImpl and AsanUnownedPtr can't be enabled at the same " +
        "time")

assert(!use_asan_backup_ref_ptr || is_asan,
       "AsanBackupRefPtr requires AddressSanitizer")

assert(!use_raw_ptr_asan_unowned_impl || is_asan,
       "AsanUnownedPtr requires AddressSanitizer")

# AsanBackupRefPtr is not supported outside Chromium. The implementation is
# entangled with `//base`. The code is only physically located with the rest of
# `raw_ptr` to keep it together.
assert(build_with_chromium || !use_asan_backup_ref_ptr,
       "AsanBackupRefPtr is not supported outside Chromium")

assert(!use_asan_backup_ref_ptr || use_raw_ptr_hookable_impl,
       "AsanBackupRefPtr requires RawPtrHookableImpl")

# pkeys support is explicitly disabled in all Cronet builds, as some test
# dependencies that use partition_allocator are compiled in AOSP against a
# version of glibc that does not include pkeys syscall numbers.
is_pkeys_available =
    (is_linux || is_chromeos) && current_cpu == "x64" && !is_cronet_build
declare_args() {
  # Overridable so that pkeys can be turned off on a platform that supports
  # them; the assertion below prevents turning them on where they aren't.
  enable_pkeys = is_pkeys_available
}
assert(!enable_pkeys || is_pkeys_available,
       "Pkeys are only supported on x64 linux and ChromeOS")

# Some implementations of raw_ptr<>, like BackupRefPtr, require zeroing when
# constructing, destructing or moving out of a pointer. When using these
# implementations, raw_ptrs<> will always be zeroed, no matter what
# GN args or flags are present.
#
# Other implementations of raw_ptr<>, like NoOpImpl, don't require zeroing
# and do not do so by default. This can lead to subtle bugs when testing
# against one of the zeroing impls and then deploying on a platform that is
# using a non-zeroing implementation. Setting the following GN args to
# true triggers zeroing even for implementations that don't require it.
# This provides consistency with the other impls. This is the recommended
# setting.
#
# Setting these to false will make raw_ptr<> behave more like a raw C++ pointer
# `T*`, making NoOpImpl act like an actual no-op, so use it if you're worried
# about performance of your project. Use at your own risk, as it's unsupported
# and untested within Chromium; a moved-from or destroyed raw_ptr<> then keeps
# its old value instead of being nulled.
#
# Even when these are set to true, the raw_ptr trait AllowUninitialized
# provides a finer-grained mechanism for opting out of initialization on a
# pointer by pointer basis when using a non-zeroing implementation.
#
# Caveat: _zero_on_move and _on_destruct will prevent the type from being
# trivially copyable, _zero_on_construct and _on_destruct will prevent the
# type from being trivially default constructible.
declare_args() {
  raw_ptr_zero_on_construct = raw_ptr_zero_on_construct_default
  raw_ptr_zero_on_move = raw_ptr_zero_on_move_default
  raw_ptr_zero_on_destruct = raw_ptr_zero_on_destruct_default
}

declare_args() {
  # Assert that PartitionAlloc and MiraclePtr run on C++20 when set to true.
  # Embedders may opt-out of using C++ 20 build.
  assert_cpp20 = assert_cpp20_default
}