This change brings in a new approach to managing address space.
It wraps the Pal with a power of two reservation system, that
guarantees all returned blocks are naturally aligned to their size. It
either lets the Pal perform aligned requests, or over allocates and
splits into power of two blocks.
This changes the implementation of the open enclacve pal to support
aligned allocations. This reduces the amount of memory required for
the initial reservation as the large allocator doesn't have to
overallocate to get alignment.
PALOpenEnclave object is lazily constructed. I couldn't
figure out a straight-forward way to pass the heap bounds to
the constructor of PALOpenEnclave object.
As an alternative, store the bounds in inline static variables of
the PALOpenEnclave class and set them via static setup_initial_range
function.
- two_alloc_types/alloc1.cc
Define oe_allocator_init to forward base, end values to
PALOpenEnclave::setup_inital_range
- two_alloc_types/main.cc
Use oe_allocator_init function to set up heap range.
- fixed_region/fixed_region.cc
Initialize heap range via call to PALOpenEnclave::setup_inital_range.
Signed-off-by: Anand Krishnamoorthi <anakrish@microsoft.com>
* Make binaries more compatible by default
Turn `-march=native` off by default. This makes binaries more portable,
but may harm performance. However, fast paths look unaltered
* Change setting to on if specified.
The Pal should include address.h, this was masked as other Pals included
it, but are only included for simulating OE scenarios, rather than
the actual build for OE.
With large pages (e.g. the 64K that Debian defaults to for ppc64), this
is a bit much to ask. It's only not true for the bottom few medium size
classes, tho', as all sizes above 256K are multiples of 64K with the
current two mantissa bits size schedule.
Since we anticipate address_t not carrying provenance on CHERI, but
rather being vaddr_t there, it doesn't make sense to offer conversion
back to a provenance-carrying pointer.
Thankfully, there is not much to be done here: the uses were few and
could be replaced with the vocabulary of other pointer operations in
ds/address.h
Just always work with pointers using the functions defined in
ds/address.h. This more obviously preserves provenance through the
chain of reasoning. Note that there is still risk of malloc() being
used as an amplification oracle on CHERI, but there's no additional risk
from this change.
Rename the external_address into external_pointer.
It is important, in test_tasks_f, that the store of the size to the
allocated block be made visible to other processors before the store of
the pointer itself. Otherwise, other cores are justified in reading
junk.
This manifests on PowerPC as tripping the "Deallocating with incorrect
size supplied" assertion in alloc.h:/check_size because the value read
from the allocated block may not be a size but rather an internal queue
pointer, which is implausibly large, as sizes go.
* Fix sized delete of nullptr
The core snmalloc code assumes if you know the size, then it is not
nullptr. However, the C++ delete operator can be called with nullptr.
This change checks for that case.
* Improved malloc style tests
Added comprehensive testing of realloc, and other minor improvements
to reporting errors.
* Fix realloc resizing for large sizeclasses.
The rounding by sizeclass was incorrect for large allocation. This fixes
that.
* Ensure alloc_size is committed
There is an awkward interaction between alloc_size and
committing only what is requested. If the user assumes
everything up to alloc_size is available, then we need to
either store the more precise size for alloc_size to return
or commit the whole 2^n range, so that alloc_size stays simple.
This changes to just make the whole range committed.
In the future, we might want to store a more precise size, so
that the allocation can be sized more precisely.
* Reduce size of objects.
* Don't require 16-byte CAS on x86.
We only need to CAS 2 pointers, which is always possible on x86.
* Fix the way the Image variable is referenced.
* Replace failOnStderr by `set -eo pipefail` on Linux.
The x86 image doesn't have clangformat, which causes cmake to print a
warning on the stderr. Exit codes should be enough to detect failure.
* Use x86 images from snmallocciteam.
* clang-format
This change does two things
* correctly passes the template parameters into the callbacks fixing
correct zeroing of memory.
* By making the callbacks more specific it removes the warnings that GCC
was generating.
Matthew Parkinson
Schrodinger ZHU Yifan
Matthew Parkinson
Theo Butler
Anand Krishnamoorthi
Nathaniel Filardo
Amaury Chamayou
Paul Liétar