Message passing based allocator
Robert Norton 684187bcc7 Add an SNMALLOC_CONSERVATIVE_ZERO option to zero memory on calloc even if we think it should already be zero. If we rely on zeroing on free we increase the risk that a UAF could be used to corrupt memory that is later returned by calloc, so this option is useful for evaluating the cost of being extra conservative. 2022-05-24 16:45:24 +01:00
.github/workflows Introduce header layering (#503) 2022-04-06 09:59:33 +01:00
ci CI: Add RISC-V 64 cross-build & qemu-user tests 2021-10-20 12:02:08 +01:00
docs Fix markdown (#522) 2022-05-10 15:51:59 +01:00
src Add an SNMALLOC_CONSERVATIVE_ZERO option to zero memory on calloc even if we think it should already be zero. If we rely on zeroing on free we increase the risk that a UAF could be used to corrupt memory that is later returned by calloc, so this option is useful for evaluating the cost of being extra conservative. 2022-05-24 16:45:24 +01:00
.clang-format Update to use clangformat9 2020-02-06 09:09:32 +00:00
.clang-tidy Add the const parameter checker. 2019-04-30 09:46:10 +01:00
.gitignore Nits for rust release (#419) 2021-11-17 16:02:47 +00:00
CMakeLists.txt Add an SNMALLOC_CONSERVATIVE_ZERO option to zero memory on calloc even if we think it should already be zero. If we rely on zeroing on free we increase the risk that a UAF could be used to corrupt memory that is later returned by calloc, so this option is useful for evaluating the cost of being extra conservative. 2022-05-24 16:45:24 +01:00
LICENSE Initial commit 2019-01-09 06:05:57 -08:00
README.md Fix markdown (#522) 2022-05-10 15:51:59 +01:00
security.md Update documentation 2020-02-28 09:03:41 +00:00
snmalloc.pdf Add paper. 2019-05-23 15:13:47 +01:00

README.md

snmalloc

snmalloc is a high-performance allocator. snmalloc can be used directly in a project as a header-only C++ library, it can be LD_PRELOADed on ELF platforms (e.g. Linux, BSD), and there is a crate to use it from Rust.

Its key design features are:

  • Memory that is freed by the same thread that allocated it does not require any synchronising operations.
  • Freeing memory in a different thread from the one that initially allocated it does not take any locks and instead uses a novel message passing scheme to return the memory to the original allocator, where it is recycled. This enables 1000s of remote deallocations to be performed with only a single atomic operation, enabling great scaling with core count.
  • The allocator uses large ranges of pages to reduce the amount of meta-data required.
  • The fast paths are highly optimised, with just two branches on the fast path for malloc (on Linux, compiled with Clang).
  • The platform dependencies are abstracted away to enable porting to other platforms.

snmalloc's design is particularly well suited to the following two difficult scenarios that can be problematic for other allocators:

  • Allocations on one thread are freed by a different thread
  • Deallocations occur in large batches

Both of these can cause massive reductions in performance of other allocators, but do not for snmalloc.

The implementation of snmalloc has evolved significantly since the initial paper. The mechanism for returning memory to remote threads has remained, but most of the meta-data layout has changed. We recommend you read docs/security to find out about the current design, and if you want to dive into the code docs/AddressSpace.md provides a good overview of the allocation and deallocation paths.


Hardening

There is a hardened version of snmalloc. It provides:

  • Randomisation of the allocations' relative locations,
  • Storage of most meta-data separately from allocations, protected with guard pages,
  • Protection of all in-band meta-data with a novel encoding that can detect corruption, and
  • A memcpy that automatically checks the bounds relative to the underlying malloc.

A more comprehensive write up is in docs/security.
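
The last item in the list above, sketched as an added example (not snmalloc's own code): a memcpy that asks the allocator how many bytes remain in the object before copying. The toy slab, its fixed 64-byte slots and the names `toy_alloc`, `remaining_bytes` and `checked_memcpy` are assumptions made for this sketch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Toy slab (assumption): one region cut into equal power-of-two slots, so the
// bounds of any object can be derived from an interior pointer alone.
constexpr size_t SLOT_SIZE = 64;
constexpr size_t SLOT_COUNT = 16;
alignas(SLOT_SIZE) static unsigned char slab[SLOT_SIZE * SLOT_COUNT];
static size_t next_slot = 0;

// Bump-allocate one slot; requests are rounded up to the slot size.
void* toy_alloc(size_t size)
{
  if (size > SLOT_SIZE || next_slot == SLOT_COUNT)
    return nullptr;
  return slab + SLOT_SIZE * next_slot++;
}

// Bytes from p to the end of the slot that contains it. Pointers the
// allocator does not own get SIZE_MAX, i.e. they are not checked.
size_t remaining_bytes(const void* p)
{
  auto a = reinterpret_cast<uintptr_t>(p);
  auto base = reinterpret_cast<uintptr_t>(slab);
  if (a < base || a >= base + sizeof(slab))
    return SIZE_MAX;
  return SLOT_SIZE - ((a - base) % SLOT_SIZE);
}

// memcpy that refuses a copy which would leave the source or destination
// object. Returns false where a hardened allocator would abort.
bool checked_memcpy(void* dst, const void* src, size_t len)
{
  if (len > remaining_bytes(dst) || len > remaining_bytes(src))
    return false;
  std::memcpy(dst, src, len);
  return true;
}

int main()
{
  auto* a = static_cast<char*>(toy_alloc(24));
  char in[128] = {}; // constructed sample input, not owned by the slab
  bool ok = checked_memcpy(a, in, 24);       // fits in the slot
  bool overflow = checked_memcpy(a, in, 65); // would spill into the next slot
  return (ok && !overflow) ? 0 : 1;
}
```

In this sketch the check is against the slot, not the 24 bytes requested, so a write into the rounding slack passes; what the check stops is a copy that crosses into a neighbouring object.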

Further documentation

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.