Limit all memory allocations in the MemoryAllocator layer #2706
Conversation
| 4L * OneGigabyte : | ||
| OneGigabyte; | ||
|
|
||
| internal int SingleBufferAllocationLimitBytes { get; private set; } = OneGigabyte; |
There was a problem hiding this comment.
Actually, there is no good reason to set this to 1GB. Contiguous buffers have a natural limit of int.MaxValue ~ 2GB so I think we should set the contiguous limit to min(int.MaxValue, MemoryAllocatorOptions.AllocationLimitMegabytes * 1MB). That would get rid of all obscure logic and make the semantics of MemoryAllocatorOptions.AllocationLimitMegabytes very obvious.
There was a problem hiding this comment.
Yeah. I like that. The only risk we have with this stuff is in our decoders which can be easily mitigated with some care (PNG tweaks)
| /// Gets or sets a value defining the maximum (discontiguous) buffer size that can be allocated by the allocator in Megabytes. | ||
| /// <see langword="null"/> means platform default: 1GB on 32-bit processes, 4GB on 64-bit processes. | ||
| /// </summary> | ||
| public int? AllocationLimitMegabytes |
There was a problem hiding this comment.
You got it in the options! Nice!
| public static MemoryAllocator Create(MemoryAllocatorOptions options) | ||
| { | ||
| UniformUnmanagedMemoryPoolMemoryAllocator allocator = new(options.MaximumPoolSizeMegabytes); | ||
| if (options.AllocationLimitMegabytes.HasValue) |
There was a problem hiding this comment.
For V4 I think we should introduce UniformUnmanagedMemoryPoolOptions which has the standard options as a property.
There was a problem hiding this comment.
Actually, AllocatorOptions is specific to UniformUnmanagedMemoryAllocator (which is intantiated with MemoryAllocator.Create(), the type itself is not public). I don't think anyone ever would need another allocator IRL. The design keeps allocators pluggable just in case + SimpleGcMemoryAllocator can be useful for diagnostic purposes since managed allocations are easy to track with standard .NET tools. But SimpleGcMemoryAllocator should not be used in production.
To secure users who still use it (mostly legacy code designed to workaround 1.* issues), I applied the default limits, but you cannot configure SimpleGcMemoryAllocator with MemoryAllocatorOptions.
| @@ -24,4 +26,8 @@ public InvalidMemoryOperationException(string message) | |||
| public InvalidMemoryOperationException() | |||
| { | |||
| } | |||
|
|
|||
| [DoesNotReturn] | |||
| internal static void ThrowAllocationOverLimitException(long length, long limit) => | |||
There was a problem hiding this comment.
I like this sitting here.
| @@ -19,6 +20,13 @@ public override IMemoryOwner<T> Allocate<T>(int length, AllocationOptions option | |||
| { | |||
| Guard.MustBeGreaterThanOrEqualTo(length, 0, nameof(length)); | |||
|
|
|||
| int lengthInBytes = length * Unsafe.SizeOf<T>(); | |||
There was a problem hiding this comment.
For V4 I'd like to have this in MemoryAllocator so we don't have to repeat the check.
| long totalLength, | ||
| int bufferAlignment, | ||
| AllocationOptions options = AllocationOptions.None) | ||
| where T : struct | ||
| => MemoryGroup<T>.Allocate(this, totalLength, bufferAlignment, options); | ||
| { | ||
| long totalLengthInBytes = totalLength * Unsafe.SizeOf<T>(); |
There was a problem hiding this comment.
I think it might be possible to overflow this. I think one of our tests that allocates a 256 byte struct does so.
| /// Gets or sets a value defining the maximum (discontiguous) buffer size that can be allocated by the allocator in Megabytes. | ||
| /// <see langword="null"/> means platform default: 1GB on 32-bit processes, 4GB on 64-bit processes. | ||
| /// </summary> | ||
| public int? AllocationLimitMegabytes |
There was a problem hiding this comment.
Is this consistent with how we talk about memory across the public api? do we talk about megabytes anywhere else in the public api or is it all bytes?
we want to make sure we are being consistent on our units of measure in the public api surface.
There was a problem hiding this comment.
The other property on MemoryAllocatiorOptions is MaximumPoolSizeMegabytes. When I designed the MemoryAllocator configuration API it seemed like Megabytes are easier to reason about when talking about limits.
JimBobSquarePants
changed the title
There was a problem hiding this comment.
I'm happy with this @antonfirsov and have created a backport PR for V2.
I'll wait for your final read-through to merge though.
| { | ||
| using Image<TPixel> image = provider.GetImage(BmpDecoder.Instance); | ||
| }); | ||
| Assert.IsType<InvalidMemoryOperationException>(ex.InnerException); |
Fix an overlook from #2706. See 92b8277#r141770676.
Fix an overlook from #2706. See 92b8277#r141770676.
Fix an overlook from #2706. See 92b8277#r141770676. # Conflicts: # src/ImageSharp/Memory/Allocators/MemoryAllocator.cs
Prerequisites
Description
Fixes #2696.
This is an alternative take for #2704. Differences:
MemoryAllocatorOptions(together with the pool size).32k x 32kofRgba32which is more conservative than the limit in Limit all memory allocations to configurable values.聽#2704. For me this feels somewhat safer while I don't see many downsides. Note that this is the absolute hardcoded limit in WIC, while newer skia builds have a hardcoded 2GB limit (this hasn't been merged to in SkiaSharp 2.* yet)width * heightsizes so a 64MB limit would be easy to exceed with sane images.MaxAllocationAttemptsso we don't block too long if an OOM is still being hit.The PR is missing tests and PNG tweak from #2704. Will finalize it after agreeing on the direction.