* Add indirect range
The ranges currently either completely own the parent range, or it is
a static and thus completely shared.
The indirect range allows sharing without it being global.
Co-authored-by: Nathaniel Filardo <nfilardo@microsoft.com>
* [NFC] Simplify static constexpr inline
`constexpr` => `inline`
and when not in a class scope
`constexpr` => `static`
This PR removes the redundant use of `inline` and `static`. It also
prefers
`static constexpr`
over
`constexpr static`
* Extend pagemap test
Check for possible overlap between heap and pagemap, but writing and
reading the heap.
* Return unalign memory from the pagemap
This commit allows the pagemap to return unaligned range of memory. This
means that bump allocation of multiple pagemaps doesn't
waste as much space.
* Fail more abruptly if the bounds are not exact.
* Move bounding from Pool into Backend.
This commit makes the rounding and the bounding occur in the same
function.
* Enable smallbuddyrange to handle larger requests
The smallbuddy can now pass the larger requests up the range chain if
it cannot satisfy it itself.
* Test larger requests for meta-data.
Pull a part the locking from the static range. This enables
locking to be added to a range directly, and does not require
it to be made static. This is useful in cases where the source
of memory is shared between threads, but not static. I.e. there
are multiple instances of the same type.
StrictProvenance architectures are likely to impose additional alignment
requirements on their pointer-sized loads and stores. On the other
hand, we must use pointer-sized loads and stores wherever possible to
ensure achieve copy. Add a StrictProvenance-aware memcpy architecture
implementation.
Thanks to Matt for suggesting the trick of avoiding even thinking about
capability operations in the too-misaligned 16-31 byte cases as well as
other helpful suggestions.
Co-authored-by: Matthew Parkinson <mattpark@microsoft.com>
Although, double frees are generally caught on large allocs. This is
done very late in the process after many operations more operations have
occurred.
This change brings that check much earlier in the process.
Make it easier to justify our avoidance of capptr_from_client and
capptr_reveal in external_pointer by performing address_cast earlier.
In particular, with this change, we can see that the pointer (and so its
authority, in CHERI) is not passed to any called function other than
address_cast and pointer_offset, and so authority is merely propagated
and neither exercised nor amplified.
Remove the long-disused capptr_reveal_wild, which was added for earlier
versions of external_pointer.
* Fix pal_linux.h for older linux systems
Where MADV_FREE is not defined - replaced with MADV_DONTNEED
Where GRND_NONBLOCK is not defined in <sys/random.h> but in <linux/random.h>
* Check for linux/random.h in CMake
as __has_include seems to not be reliable
* Use CMake module CheckIncludeFilesCXX
as C language isn't enabled by default everywhere
* Move madvise flag ifdefs into constexpr for cleaner code
These pieces of metadata (specifically, the Allocator structures) are never
deallocated at the moment, so we need not consider how we might amplify these
bounded pointers back to higher authority.
Wrap the FrontendSlabMetadata with a struct that holds the Arena-bounded
authority for Chunks that the Backend ships out to the Frontend or, for
non-StrictProvenance architecture, encapsulates the sleight of hand that turns
Chunk-bounded CapPtr-s to Arena-bounded ones.
This allows us to have a single Pipe-line of ranges where we can, nevertheless,
jump over the small buddy allocator when making large allocations. This, in
turn, will let us differentiate the types coming from the small end and the
large "tap" on this Pipe-line.
Make these generic, with the SmallBuddyRange taking its cue from the parent
Range, since we're about to change them anyway and might want to vary them again
in the future.
Expose a static CapPtr<T,B>::unsafe_from() and use that everywhere instead
(though continue to allow implicit and explicit construction of CapPtr from
nullptr).