partition_alloc.gni

# Copyright 2022 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import("//build/config/sanitizers/sanitizers.gni")
import("//build_overrides/partition_alloc.gni")

if (use_partition_alloc_as_malloc_default) {
  _default_allocator = "partition"
} else {
  _default_allocator = "none"
}

declare_args() {
  # Whether PartitionAlloc should be available for use or not.
  # true makes PartitionAlloc linked to the executable or shared library and
  # makes it available for use. It doesn't mean that the default allocator
  # is PartitionAlloc, which is governed by |use_partition_alloc_as_malloc|.
  #
  # N.B. generally, embedders should look at this GN arg and at the
  # corresponding buildflag to determine whether to interact with PA
  # source at all (pulling the component in via GN, including headers,
  # etc.). There is nothing stopping a lazy embedder from ignoring this
  # and unconditionally using PA, but such a setup is inadvisable.
  #
  # In Chromium, this is set true, except:
  #
  # 1.  On Cronet bots, because Cronet doesn't use PartitionAlloc at all,
  #     and doesn't wish to incur the library size increase (crbug.com/674570).
  # 2.  On NaCl (through this declaration), where PartitionAlloc doesn't
  #     build at all.
  use_partition_alloc = !is_nacl
}

declare_args() {
  # PartitionAlloc-Everywhere (PA-E).
  use_partition_alloc_as_malloc =
      use_partition_alloc && use_partition_alloc_as_malloc_default
}

declare_args() {
  use_freeslot_bitmap = false

  # Puts the regular and BRP pools right next to each other, so that we can
  # check "belongs to one of the two pools" with a single bitmask operation.
  glue_core_pools = false

  # Introduces pointer compression support in PA.
  #
  # This is effective only for memory allocated from PartitionAlloc, so it is
  # recommended to enable PA-E above, but isn't strictly necessary. Embedders
  # can create and use PA partitions explicitly.
  enable_pointer_compression_support = false
}

declare_args() {
  # Build support for Use-after-Free protection via BackupRefPtr (BRP) or
  # MTECheckedPtr, and switch the raw_ptr<T> implementation to RawPtrBackupRefImpl
  # and MTECheckedPtrImp, respectively. They're mutually exclusive.
  #
  # These are effective only for memory allocated from PartitionAlloc, so it is
  # recommended to enable PA-E above, but isn't strictly necessary. Embedders
  # can create and use PA partitions explicitly.
  #
  # Note that |enable_backup_ref_ptr_support = true| doesn't necessarily enable
  # BRP protection. It'll be enabled only for partition created with
  # partition_alloc::PartitionOptions::BackupRefPtr::kEnabled.
  enable_backup_ref_ptr_support =
      use_partition_alloc && enable_backup_ref_ptr_support_default
  enable_mte_checked_ptr_support =
      use_partition_alloc && enable_mte_checked_ptr_support_default

  # RAW_PTR_EXCLUSION macro is disabled on official builds because it increased
  # binary size. This flag can be used to enable it for official builds too.
  force_enable_raw_ptr_exclusion = false
}

assert(!(enable_backup_ref_ptr_support && enable_mte_checked_ptr_support),
       "MTECheckedPtrSupport conflicts with BRPSupport.")

assert(!enable_pointer_compression_support || glue_core_pools,
       "Pointer compression relies on core pools being contiguous.")

declare_args() {
  # The supported platforms are supposed to match `_is_brp_supported`, but we
  # enable the feature on Linux early because it's most widely used for security
  # research.
  #
  # The implementation of ASan BRP is purpose-built to inspect Chromium
  # internals and is entangled with `//base` s.t. it cannot be used
  # outside of Chromium.
  use_asan_backup_ref_ptr =
      build_with_chromium && is_asan && (is_win || is_android || is_linux)

  # Use probe-on-destruct unowned ptr detection with ASAN.
  use_asan_unowned_ptr = false
}

# Use the version of raw_ptr<T> that allows the embedder to implement custom
# logic.
use_hookable_raw_ptr = use_asan_backup_ref_ptr

declare_args() {
  # - put_ref_count_in_previous_slot: place the ref-count at the end of the
  #   previous slot (or in metadata if a slot starts on the page boundary), as
  #   opposed to the beginning of the slot.
  # - enable_backup_ref_ptr_slow_checks: enable additional safety checks that
  #   are too expensive to have on by default.
  # - enable_dangling_raw_ptr_checks: enable checking raw_ptr do not become
  #   dangling during their lifetime.
  # - backup_ref_ptr_poison_oob_ptr: poison out-of-bounds (OOB) pointers to
  #   generate an exception in the event that an OOB pointer is dereferenced.
  put_ref_count_in_previous_slot =
      put_ref_count_in_previous_slot_default && enable_backup_ref_ptr_support

  enable_backup_ref_ptr_slow_checks =
      enable_backup_ref_ptr_slow_checks_default && enable_backup_ref_ptr_support

  enable_dangling_raw_ptr_checks =
      enable_dangling_raw_ptr_checks_default && enable_backup_ref_ptr_support

  # Enables the dangling raw_ptr checks feature for the performance experiment.
  # Not every dangling pointers have been fixed or annotated yet. To avoid
  # accounting for the cost of calling the PA's embedder's callbacks when a
  # dangling pointer has been detected, this simulates the raw_ptr to be
  # allowed to dangle.
  #
  # This flag is temporary, and isn't used by PA embedders, so it doesn't need
  # to go through build_overrides
  enable_dangling_raw_ptr_perf_experiment = false

  # TODO(bartekn): Enabled temporarily, disable before reaches Beta.
  backup_ref_ptr_poison_oob_ptr = enable_backup_ref_ptr_support
}

declare_args() {
  # Shadow metadata is still under development and only supports Linux
  # for now.
  enable_shadow_metadata = false
}

# *Scan is currently only used by Chromium.
use_starscan = build_with_chromium

# We want to provide assertions that guard against inconsistent build
# args, but there is no point in having them fire if we're not building
# PartitionAlloc at all. If `use_partition_alloc` is false, we jam all
# related args to `false`. The prime example is NaCl, where
# PartitionAlloc doesn't build at all.
if (is_nacl) {
  assert(!use_partition_alloc, "PartitionAlloc doesn't build on NaCl")
}
if (!use_partition_alloc) {
  use_partition_alloc_as_malloc = false
  enable_backup_ref_ptr_support = false
  enable_mte_checked_ptr_support = false
  use_asan_backup_ref_ptr = false
  use_asan_unowned_ptr = false
  use_hookable_raw_ptr = false
  put_ref_count_in_previous_slot = false
  enable_backup_ref_ptr_slow_checks = false
  enable_dangling_raw_ptr_checks = false
  enable_dangling_raw_ptr_perf_experiment = false
  backup_ref_ptr_poison_oob_ptr = false
  use_starscan = false
}

# put_ref_count_in_previous_slot can only be used if
# enable_backup_ref_ptr_support is true.
assert(
    enable_backup_ref_ptr_support || !put_ref_count_in_previous_slot,
    "Can't put ref count in the previous slot if BackupRefPtr isn't enabled at all")

# enable_backup_ref_ptr_slow_checks can only be used if enable_backup_ref_ptr_support
# is true.
assert(enable_backup_ref_ptr_support || !enable_backup_ref_ptr_slow_checks,
       "Can't enable additional BackupRefPtr checks if it isn't enabled at all")

# enable_dangling_raw_ptr_checks can only be used if enable_backup_ref_ptr_support
# is true.
assert(
    enable_backup_ref_ptr_support || !enable_dangling_raw_ptr_checks,
    "Can't enable dangling raw_ptr checks if BackupRefPtr isn't enabled at all")

# To run the dangling raw_ptr detector experiment, the underlying feature must
# be enabled too.
assert(
    enable_dangling_raw_ptr_checks || !enable_dangling_raw_ptr_perf_experiment,
    "Missing dangling pointer checks feature for its performance experiment")

# To poison OOB pointers for BackupRefPtr, the underlying feature must
# be enabled, too.
assert(
    enable_backup_ref_ptr_support || !backup_ref_ptr_poison_oob_ptr,
    "Can't enable poisoning for OOB pointers if BackupRefPtr isn't enabled at all")

# AsanBackupRefPtr and AsanUnownedPtr are mutually exclusive variants of raw_ptr.
assert(
    !use_asan_unowned_ptr || !use_asan_backup_ref_ptr,
    "Both AsanUnownedPtr and AsanBackupRefPtr can't be enabled at the same time")

# BackupRefPtr and AsanBackupRefPtr are mutually exclusive variants of raw_ptr.
assert(
    !enable_backup_ref_ptr_support || !use_asan_backup_ref_ptr,
    "Both BackupRefPtr and AsanBackupRefPtr can't be enabled at the same time")

# BackupRefPtr and AsanUnownedPtr are mutually exclusive variants of raw_ptr.
assert(!enable_backup_ref_ptr_support || !use_asan_unowned_ptr,
       "Both BackupRefPtr and AsanUnownedPtr can't be enabled at the same time")

# RawPtrHookableImpl and BackupRefPtr are mutually exclusive variants of raw_ptr.
assert(
    !use_hookable_raw_ptr || !enable_backup_ref_ptr_support,
    "Both RawPtrHookableImpl and BackupRefPtr can't be enabled at the same time")

# RawPtrHookableImpl and AsanUnownedPtr are mutually exclusive variants of raw_ptr.
assert(
    !use_hookable_raw_ptr || !use_asan_unowned_ptr,
    "Both RawPtrHookableImpl and AsanUnownedPtr can't be enabled at the same time")

assert(!use_asan_backup_ref_ptr || is_asan,
       "AsanBackupRefPtr requires AddressSanitizer")

assert(!use_asan_unowned_ptr || is_asan,
       "AsanUnownedPtr requires AddressSanitizer")

# AsanBackupRefPtr is not supported outside Chromium. The implementation is
# entangled with `//base`. The code is only physically located with the
# rest of `raw_ptr` to keep it together.
assert(build_with_chromium || !use_asan_backup_ref_ptr,
       "AsanBackupRefPtr is not supported outside Chromium")

assert(!use_asan_backup_ref_ptr || use_hookable_raw_ptr,
       "AsanBackupRefPtr requires RawPtrHookableImpl")

declare_args() {
  enable_pkeys = is_linux && target_cpu == "x64"
}
assert(!enable_pkeys || (is_linux && target_cpu == "x64"),
       "Pkeys are only supported on x64 linux")