Commit graph

13 commits

Author SHA1 Message Date
Andreas Kling
db91552621 AK: Fix memory corruption due to BumpAllocator mmap reuse
There was a subtle mismatch between the obviously expected behavior
of BumpAllocator::for_each_chunk() and its actual implementation.

You'd think it would invoke the callback with the address of each chunk,
but actually it also took the liberty of adding sizeof(ChunkHeader) to
this address. UniformBumpAllocator::destroy_all() relied on this to
get the right address for objects to delete.

The bug happened in BumpAllocator::deallocate_all(), where we use
for_each_chunk() to walk the list of chunks and munmap() them.

To avoid memory mapping churn, we keep a global cache of 1 chunk around.
Since we were being called with the offset chunk address, it meant that
the cached chunk shifted 16 bytes away from its real address every time
we re-added it to the cache.

Eventually the cached chunk address would leave its memory region
entirely, and at that point, any attempt to allocate from it would yield
an address outside the region, causing memory corruption.
2022-11-21 12:37:49 +03:30
Ali Mohammad Pur
bee9412ae4 AK: Align last bump allocated chunk's end offset to the type size too
Otherwise we can end up freeing garbage memory with some type sizes.
2022-11-17 20:13:04 +03:30
Andrew Kaster
828441852f Everywhere: Replace uses of __serenity__ with AK_OS_SERENITY
Now that we have OS macros for essentially every supported OS, let's try
to use them everywhere.
2022-10-10 12:23:12 +02:00
Daniel Bertalan
42e22f89a4 AK+LibGfx+LibJS: Pass -1 as the file descriptor to anonymous mmap
Serenity/Linux/macOS ignore the file descriptor when an anonymous
mapping is requested. However, BSDs require the fd to be -1.
2022-07-19 12:39:24 +02:00
Ben Wiederhake
03526a7f2b AK: Make BumpAllocator work in multi-threaded environments
Fixes #10578.
2021-10-31 18:43:03 +01:00
Ben Wiederhake
50698a0db4 AK: Prevent accidental misuse of BumpAllocator
In particular, we implicitly required that the caller initializes the
returned instances themselves (solved by making
UniformBumpAllocator::allocate call the constructor), and BumpAllocator
itself cannot handle classes that are not trivially destructible
(solved by deleting the method).

Co-authored-by: Ali Mohammad Pur <ali.mpfard@gmail.com>
2021-10-23 19:02:54 +01:00
Ben Wiederhake
5d865d574a AK: Fix BumpAllocator iteration if last object doesn't align
This fixes two bugs:

1. `end_offset` was missing the alignment that might have been
   introduced while computing `base_ptr`.
2. Ignoring point 1, `end_offset` computed the offset of the first byte
   that is outside the current chunk. However, this might be in the
   middle of a (hypothetical) object! The loop treats `end_offset` as if
   it points to the first byte beyond the last (valid) object. So if the
   last few bytes of the chunk are unused, the loop iterates once too
   often.

Found by OSS Fuzz, long-standing issue (since 2021-07-31)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38733
(This probably also resolves some other issues that go through
RegexMatcher.)

See also: 0f1425c895
2021-10-23 19:02:54 +01:00
Ben Wiederhake
885b69c877 AK: Check consistency during BumpAllocator allocation
2021-10-23 19:02:54 +01:00
Ali Mohammad Pur
a72eea6408 AK: Give BumpAllocator a single-block cache
This avoids excessive mmap/munmap traffic in normal operation.
2021-09-13 14:38:53 +04:30
Ali Mohammad Pur
0f1425c895 AK: Avoid OOB access in UniformBumpAllocator::destroy_all()
Otherwise we would end up calling T::~T() on some random memory right
after our mapped block, which is most likely a pretty bad thing to do :P
2021-08-13 04:42:34 +04:30
Daniel Bertalan
301cab188c AK: Use explode_byte in BumpAllocator.h
When compiling this code with Clang, both branches of the ternary
operator get evaluated at compile-time, triggering a warning about a
narrowing implicit conversion. We can use `explode_byte` instead.
2021-08-08 10:55:36 +02:00
Timothy Flynn
dae7674ca9 AK: Allow configuring the BumpAllocator chunk size
2021-08-04 11:18:24 +02:00
Ali Mohammad Pur
b034fa9f1f AK: Add a simple bump allocator
2021-08-02 17:22:50 +04:30