stronger encoding of free lists using two keys per page

2025-07-06 19:38:41 +03:00 · 2019-12-27 23:33:50 -08:00 · 2019-12-27 23:33:50 -08:00 · e3391d9a53
commit e3391d9a53
parent ce02986d56
8 changed files with 83 additions and 50 deletions
--- a/include/mimalloc-types.h
+++ b/include/mimalloc-types.h
@ -191,7 +191,7 @@ typedef struct mi_page_s {

  mi_block_t*           free;              // list of available free blocks (`malloc` allocates from this list)
  #ifdef MI_ENCODE_FREELIST
-  uintptr_t             cookie;            // random cookie to encode the free lists
+  uintptr_t             key[2];            // two random keys to encode the free lists (see `_mi_block_next`)
  #endif
  size_t                used;              // number of blocks in use (including blocks in `local_free` and `thread_free`)
  
@ -206,9 +206,9 @@ typedef struct mi_page_s {
  struct mi_page_s*     prev;              // previous page owned by this thread with the same `block_size`

  // improve page index calculation
-  // without padding: 10 words on 64-bit, 11 on 32-bit. Secure adds one word
-  #if (MI_INTPTR_SIZE==8 && defined(MI_ENCODE_FREELIST)) || (MI_INTPTR_SIZE==4 && !defined(MI_ENCODE_FREELIST))
-  void*                 padding[1];        // 12 words on 64-bit with cookie, 12 words on 32-bit plain
+  // without padding: 10 words on 64-bit, 11 on 32-bit. Secure adds two words
+  #if (MI_INTPTR_SIZE==4)
+  void*                 padding[1];        // 12/14 words on 32-bit plain
  #endif
 } mi_page_t;

@ -239,8 +239,8 @@ typedef struct mi_segment_s {
  size_t          capacity;    // count of available pages (`#free + used`)
  size_t          segment_size;// for huge pages this may be different from `MI_SEGMENT_SIZE`
  size_t          segment_info_size;  // space we are using from the first page for segment meta-data and possible guard pages.
-  uintptr_t       cookie;      // verify addresses in debug mode: `mi_ptr_cookie(segment) == segment->cookie`
-
+  uintptr_t       cookie;      // verify addresses in secure mode: `_mi_ptr_cookie(segment) == segment->cookie`
+ 
  // layout like this to optimize access in `mi_free`
  size_t          page_shift;  // `1 << page_shift` == the page sizes == `page->block_size * page->reserved` (unless the first page, then `-segment_info_size`).
  volatile _Atomic(uintptr_t) thread_id;   // unique id of the thread owning this segment
@ -289,8 +289,9 @@ struct mi_heap_s {
  mi_page_queue_t       pages[MI_BIN_FULL + 1];                      // queue of pages for each size class (or "bin")
  volatile _Atomic(mi_block_t*) thread_delayed_free;
  uintptr_t             thread_id;                                   // thread this heap belongs too
-  uintptr_t             cookie;
-  mi_random_ctx_t       random;                                      // random number used for secure allocation
+  uintptr_t             cookie;                                      // random cookie to verify pointers (see `_mi_ptr_cookie`)
+  uintptr_t             key[2];                                      // twb random keys used to encode the `thread_delayed_free` list
+  mi_random_ctx_t       random;                                      // random number context used for secure allocation
  size_t                page_count;                                  // total number of pages in the `pages` queues.
  bool                  no_reclaim;                                  // `true` if this heap should not reclaim abandoned pages
 };