merge from dev

include/mimalloc-internal.h

@@ -415,7 +415,7 @@ static inline bool mi_is_in_same_segment(const void* p, const void* q) {
 }
 
 static inline mi_block_t* mi_block_nextx( uintptr_t cookie, const mi_block_t* block ) {
-  #if MI_SECURE 
+  #ifdef MI_ENCODE_FREELIST
   return (mi_block_t*)(block->next ^ cookie);
   #else
   UNUSED(cookie);
@@ -424,7 +424,7 @@ static inline mi_block_t* mi_block_nextx( uintptr_t cookie, const mi_block_t* bl
 }
 
 static inline void mi_block_set_nextx(uintptr_t cookie, mi_block_t* block, const mi_block_t* next) {  
-  #if MI_SECURE
+  #ifdef MI_ENCODE_FREELIST
   block->next = (mi_encoded_t)next ^ cookie;
   #else
   UNUSED(cookie);
@@ -433,16 +433,15 @@ static inline void mi_block_set_nextx(uintptr_t cookie, mi_block_t* block, const
 }
 
 static inline mi_block_t* mi_block_next(const mi_page_t* page, const mi_block_t* block) {
-  #if MI_SECURE
+  #ifdef MI_ENCODE_FREELIST
   mi_block_t* next = mi_block_nextx(page->cookie,block);
-    #if MI_SECURE >= 4
-    // check if next is at least in our segment range
-    // TODO: it is better to check if it is actually inside our page but that is more expensive 
-    // to calculate. Perhaps with a relative free list this becomes feasible?
-    if (next!=NULL && !mi_is_in_same_segment(block, next)) {
-      _mi_fatal_error("corrupted free list entry at %p: %zx\n", block, (uintptr_t)next);
-    }
-    #endif
+  // check for free list corruption: is `next` at least in our segment range?
+  // TODO: it is better to check if it is actually inside our page but that is more expensive 
+  // to calculate. Perhaps with a relative free list this becomes feasible?
+  if (next!=NULL && !mi_is_in_same_segment(block, next)) {
+    _mi_fatal_error("corrupted free list entry of size %zub at %p: value 0x%zx\n", page->block_size, block, (uintptr_t)next);
+    next = NULL;
+  }   
   return next;
   #else
   UNUSED(page);
@@ -451,7 +450,7 @@ static inline mi_block_t* mi_block_next(const mi_page_t* page, const mi_block_t*
 }
 
 static inline void mi_block_set_next(const mi_page_t* page, mi_block_t* block, const mi_block_t* next) {
-  #if MI_SECURE
+  #ifdef MI_ENCODE_FREELIST
   mi_block_set_nextx(page->cookie,block,next);
   #else
   UNUSED(page);

include/mimalloc-types.h

@@ -25,24 +25,30 @@ terms of the MIT license. A copy of the license can be found in the file
 // Define MI_SECURE to enable security mitigations
 // #define MI_SECURE 1  // guard page around metadata
 // #define MI_SECURE 2  // guard page around each mimalloc page
-// #define MI_SECURE 3  // encode free lists
-// #define MI_SECURE 4  // all security enabled (checks for double free, corrupted free list and invalid pointer free)
+// #define MI_SECURE 3  // encode free lists (detect corrupted free list (buffer overflow), and invalid pointer free)
+// #define MI_SECURE 4  // experimental, may be more expensive: checks for double free.
 
 #if !defined(MI_SECURE)
-#define MI_SECURE 0
+#define MI_SECURE 4
 #endif
 
-// Define MI_DEBUG as 1 for basic assert checks and statistics
-// set it to 2 to do internal asserts,
-// and to 3 to do extensive invariant checking.
+// Define MI_DEBUG for debug mode
+// #define MI_DEBUG 1  // basic assertion checks and statistics, check double free, corrupted free list, and invalid pointer free.
+// #define MI_DEBUG 2  // + internal assertion checks
+// #define MI_DEBUG 3  // + extensive internal invariant checking
 #if !defined(MI_DEBUG)
 #if !defined(NDEBUG) || defined(_DEBUG)
-#define MI_DEBUG 1
+#define MI_DEBUG 2
 #else
 #define MI_DEBUG 0
 #endif
 #endif
 
+// Encoded free lists allow detection of corrupted free lists
+// and can detect buffer overflows and double `free`s.
+#if (MI_SECURE>=3 || MI_DEBUG>=1) 
+#define MI_ENCODE_FREELIST  1
+#endif
 
 // ------------------------------------------------------
 // Platform specific values
@@ -119,6 +125,8 @@ terms of the MIT license. A copy of the license can be found in the file
 // Maximum slice offset (7)
 #define MI_MAX_SLICE_OFFSET               ((MI_MEDIUM_PAGE_SIZE / MI_SEGMENT_SLICE_SIZE) - 1)
 
+// The free lists use encoded next fields
+// (Only actually encodes when MI_ENCODED_FREELIST is defined.)
 typedef uintptr_t mi_encoded_t;
 
 // free lists contain blocks
@@ -127,6 +135,7 @@ typedef struct mi_block_s {
 } mi_block_t;
 
 
+// The delayed flags are used for efficient multi-threaded free-ing
 typedef enum mi_delayed_e {
   MI_NO_DELAYED_FREE = 0,
   MI_USE_DELAYED_FREE = 1,
@@ -182,7 +191,7 @@ typedef struct mi_page_s {
   bool                  is_zero;           // `true` if the blocks in the free list are zero initialized
 
   mi_block_t*           free;              // list of available free blocks (`malloc` allocates from this list)
-  #if MI_SECURE
+  #ifdef MI_ENCODE_FREELIST
   uintptr_t             cookie;            // random cookie to encode the free lists
   #endif
   size_t                used;              // number of blocks in use (including blocks in `local_free` and `thread_free`)
@@ -198,8 +207,8 @@ typedef struct mi_page_s {
   struct mi_page_s*     prev;              // previous page owned by this thread with the same `block_size`
 
   // improve page index calculation
-  // without padding: 11 words on 64-bit, 13 on 32-bit. Secure adds one word
-  #if (MI_SECURE==0)
+  // without padding: 11 words on 64-bit, 13 on 32-bit. 
+  #ifndef MI_ENCODE_FREELIST
   void*                 padding[1];        // 12 words on 64-bit, 14 words on 32-bit 
   #endif
 } mi_page_t;
@@ -355,14 +364,14 @@ typedef struct mi_stats_s {
   mi_stat_count_t page_committed;
   mi_stat_count_t segments_abandoned;
   mi_stat_count_t pages_abandoned;
-  mi_stat_count_t pages_extended;
-  mi_stat_count_t mmap_calls;
-  mi_stat_count_t commit_calls;
   mi_stat_count_t threads;
   mi_stat_count_t huge;
   mi_stat_count_t large;
   mi_stat_count_t malloc;
   mi_stat_count_t segments_cache;
+  mi_stat_counter_t pages_extended;
+  mi_stat_counter_t mmap_calls;
+  mi_stat_counter_t commit_calls;
   mi_stat_counter_t page_no_retire;
   mi_stat_counter_t searches;
   mi_stat_counter_t huge_count;