tree: 3253c3fee53ffbdf1195f735bef5275da769322d
  stack/
  logging.h
  metadata_allocator.cc
  metadata_allocator.h
  OWNERS
  pcscan.cc
  pcscan.h
  pcscan_internal.cc
  pcscan_internal.h
  pcscan_scheduling.cc
  pcscan_scheduling.h
  pcscan_scheduling_unittest.cc
  pcscan_unittest.cc
  raceful_worklist.h
  README.md
  scan_loop.h
  scan_loop_unittest.cc
  snapshot.cc
  snapshot.h
  starscan_fwd.h
  state_bitmap.h
  state_bitmap_unittest.cc
  stats_collector.cc
  stats_collector.h
  stats_reporter.h
  write_protector.cc
  write_protector.h
base/allocator/partition_allocator/starscan/README.md

StarScan: Heap scanning use-after-free prevention

C++ and other languages that rely on explicit memory management using malloc() and free() are prone to memory corruption and the resulting security issues, use-after-free being the classic example. The fundamental idea behind heap scanning algorithms is to intercept the underlying allocator and delay releasing memory until the corresponding memory block is found to be unreachable from application code, so that a stale pointer can never observe memory that has been handed out again.

The basic ingredients for such algorithms are:

  1. Quarantine: When an object is deemed unused with a free() call, it is put into quarantine instead of being returned to the allocator. The object is not actually freed by the underlying allocator and cannot be reused for future allocation requests until a scan finds that no pointers point into the given memory block.
  2. Scan: When the quarantine reaches a certain limit (e.g. based on the total size of the quarantined entries), a quarantine scan is triggered. The scan iterates over application memory and checks whether any references point into quarantined memory. Quarantined objects that are still referenced stay in quarantine; the rest are flagged to be released.
  3. Sweep: All objects that are flagged to be released are actually returned to the underlying memory allocator.

Heap scanning algorithms come in different flavors that offer different performance and security characteristics.

Probabilistic conservative scan (PCScan) (pcscan.{h,cc}) is one particular kind of heap scanning algorithm implemented on top of PartitionAlloc with the following properties:

  • Memory blocks are scanned conservatively for pointers.
  • Scanning and sweeping are generally performed on a separate thread to maximize application performance.
  • Lazy safe points prohibit certain operations from modifying the memory graph and provide convenient entry points for scanning the stack.
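The quarantine, scan and sweep steps above, together with the conservative scanning that PCScan uses, as an added toy example that is not StarScan's or PartitionAlloc's own code. It wraps malloc()/free(): free() quarantines the block, a size limit triggers a scan, the scan treats every word-sized slot in registered root regions and in live blocks as a potential pointer (an interior address into a quarantined block counts as a reference), and the sweep returns unmarked blocks to malloc(). All names (ScanningAllocator, Roots, RunDemo, ...) are hypothetical, and the scenario in RunDemo is constructed: a root keeps a dangling pointer to a freed block, as a use-after-free bug would, so that block survives the first scan and is only swept once the root is cleared.

```cpp
// Added example, not StarScan's own code: a toy quarantine / scan / sweep
// allocator with conservative pointer scanning. All names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <vector>

struct Block { void* ptr; size_t size; bool marked; };

class ScanningAllocator {
 public:
  explicit ScanningAllocator(size_t quarantine_limit) : limit_(quarantine_limit) {}

  void* Alloc(size_t size) {
    void* p = std::malloc(size);
    live_.push_back({p, size, false});
    return p;
  }

  // Quarantine instead of releasing. Returns how many blocks a limit-triggered
  // scan swept (0 if no scan ran). A pointer that is not a live block (double
  // free, foreign pointer) is ignored rather than quarantined twice.
  size_t Free(void* p) {
    auto it = std::find_if(live_.begin(), live_.end(),
                           [p](const Block& b) { return b.ptr == p; });
    if (it == live_.end()) return 0;
    quarantined_bytes_ += it->size;
    quarantine_.push_back(*it);
    live_.erase(it);
    return quarantined_bytes_ >= limit_ ? ScanAndSweep() : 0;
  }

  // Root regions the scanner must look at (globals, a stack range, ...).
  // Real PCScan also scans stacks and registers at safe points; this toy only
  // scans what was registered here plus the live heap blocks.
  void AddRoot(const void* begin, size_t size) {
    roots_.push_back({const_cast<void*>(begin), size, false});
  }

  size_t QuarantinedCount() const { return quarantine_.size(); }

  // Scan: every word in roots and live blocks is treated as a potential
  // pointer (conservative: a stray integer that looks like an address retains
  // the block, which is safe but wastes memory). Sweep: unmarked blocks are
  // returned to malloc.
  size_t ScanAndSweep() {
    for (Block& q : quarantine_) q.marked = false;
    for (const Block& r : roots_) ScanRegion(r.ptr, r.size);
    for (const Block& b : live_) ScanRegion(b.ptr, b.size);
    std::vector<Block> kept;
    size_t released = 0;
    for (const Block& q : quarantine_) {
      if (q.marked) { kept.push_back(q); continue; }
      quarantined_bytes_ -= q.size;
      std::free(q.ptr);
      ++released;
    }
    quarantine_.swap(kept);
    return released;
  }

 private:
  void ScanRegion(const void* begin, size_t size) {
    const char* base = static_cast<const char*>(begin);
    for (size_t off = 0; off + sizeof(uintptr_t) <= size; off += sizeof(uintptr_t)) {
      uintptr_t word;
      std::memcpy(&word, base + off, sizeof word);  // no alignment assumptions
      for (Block& q : quarantine_) {
        uintptr_t lo = reinterpret_cast<uintptr_t>(q.ptr);
        if (word >= lo && word < lo + q.size) q.marked = true;  // interior pointers count
      }
    }
  }

  size_t limit_;
  size_t quarantined_bytes_ = 0;
  std::vector<Block> live_, quarantine_, roots_;
};

// Constructed scenario: 'dangling' keeps pointing at a freed block, as a
// use-after-free bug would. The block stays quarantined (the stale pointer can
// never see reallocated memory) until the root no longer references it.
struct Roots { void* dangling = nullptr; void* other = nullptr; };
struct DemoResult { size_t released_first, kept_first, released_second, kept_second; };

DemoResult RunDemo() {
  ScanningAllocator alloc(/*quarantine_limit=*/64);
  Roots roots;
  alloc.AddRoot(&roots, sizeof roots);
  void* a = alloc.Alloc(32);
  void* b = alloc.Alloc(32);
  roots.dangling = a;                 // this reference survives the free below
  DemoResult r{};
  alloc.Free(a);                      // 32 bytes quarantined: below the limit, no scan
  r.released_first = alloc.Free(b);   // limit reached: scan; only b is unreachable
  r.kept_first = alloc.QuarantinedCount();
  roots.dangling = nullptr;           // the last reference to a is gone
  r.released_second = alloc.ScanAndSweep();
  r.kept_second = alloc.QuarantinedCount();
  return r;
}

int main() {
  DemoResult r = RunDemo();
  std::printf("first scan: released %zu, kept %zu\n", r.released_first, r.kept_first);
  std::printf("second scan: released %zu, kept %zu\n", r.released_second, r.kept_second);
  return 0;
}
```

The first scan releases only the block nothing points to and keeps the dangling one, which is the whole security argument: the block a stale pointer still references is never reused. The scan is conservative, so a non-pointer word that happens to look like an address into a quarantined block also retains it; that costs memory, never safety. Quarantined blocks themselves are not scanned, so a reference that lives only inside another quarantined object does not keep its target alive.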

PCScan is currently considered experimental - please do not use it in production code just yet. It can be enabled in the following configurations via --enable-features on builds that use PartitionAlloc as the main allocator:

  • PartitionAllocPCScan: Enables PCScan in all processes for all supporting partitions.
  • PartitionAllocPCScanBrowserOnly: Enables PCScan in the browser process for the default malloc partition.