*************************************************/
/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim maintainers 2019 */
+/* Copyright (c) The Exim maintainers 2019 - 2020 */
/* See the file NOTICE for conditions of use and distribution. */
/* Exim gets and frees all its store through these functions. In the original
This means it can be freed when search_tidyup() is called to close down all
the lookup caching.
+- There is another pool (POOL_MESSAGE) used for medium-lifetime objects; within
+ a single message transaction but needed for longer than the use of the main
+ pool permits. Currently this means only receive-time DKIM information.
+
. Orthogonal to the three pool types, there are two classes of memory: untainted
and tainted. The latter is used for values derived from untrusted input, and
the string-expansion mechanism refuses to operate on such values (obviously,
it can expand an untainted value to return a tainted result). The classes
- are implemented by duplicating the three pool types. Pool resets are requested
+ are implemented by duplicating the four pool types. Pool resets are requested
against the nontainted sibling and apply to both siblings.
Only memory blocks requested for tainted use are regarded as tainted; anything
(((sizeof(storeblock) + alignment - 1) / alignment) * alignment)
/* Size of block to get from malloc to carve up into smaller ones. This
-must be a multiple of the alignment. We assume that 8192 is going to be
-suitably aligned. */
-
-#define STORE_BLOCK_SIZE (8192 - ALIGNED_SIZEOF_STOREBLOCK)
+must be a multiple of the alignment. We assume that 4096 is going to be
+suitably aligned. Double the size per-pool for every malloc, to mitigate
+certain denial-of-service attacks. Don't bother to decrease on block frees.
+We waste average half the current alloc size per pool. This could be several
+hundred kB now, vs. 4kB with a constant-size block size. But the search time
+for is_tainted(), linear in the number of blocks for the pool, is O(n log n)
+rather than O(n^2).
+A test of 2000 RCPTs and just accept ACL had 370kB in 21 blocks before,
+504kB in 6 blocks now, for the untainted-main (largest) pool.
+Builds for restricted-memory system can disable the expansion by
+defining RESTRICTED_MEMORY */
+/*XXX should we allow any for malloc's own overhead? But how much? */
+
+/* #define RESTRICTED_MEMORY */
+#define STORE_BLOCK_SIZE(order) ((1U << (order)) - ALIGNED_SIZEOF_STOREBLOCK)
/* Variables holding data for the local pools of store. The current pool number
is held in store_pool, which is global so that it can be changed from outside.
int store_pool = POOL_MAIN;
-#define NPOOLS 6
static storeblock *chainbase[NPOOLS];
static storeblock *current_block[NPOOLS];
static void *next_yield[NPOOLS];
-static int yield_length[NPOOLS] = { -1, -1, -1, -1, -1, -1 };
+static int yield_length[NPOOLS];
+static unsigned store_block_order[NPOOLS];
/* pool_malloc holds the amount of memory used by the store pools; this goes up
and down as store is reset or released. nonpool_malloc is the total got by
static int maxbytes[NPOOLS]; /* max number reached */
static int nblocks[NPOOLS]; /* current number of blocks allocated */
static int maxblocks[NPOOLS];
+static unsigned maxorder[NPOOLS];
static int n_nonpool_blocks; /* current number of direct store_malloc() blocks */
static int max_nonpool_blocks;
static int max_pool_malloc; /* max value for pool_malloc */
[POOL_MAIN] = US"main",
[POOL_PERM] = US"perm",
[POOL_SEARCH] = US"search",
+[POOL_MESSAGE] = US"message",
[POOL_TAINT_MAIN] = US"main",
[POOL_TAINT_PERM] = US"perm",
[POOL_TAINT_SEARCH] = US"search",
+[POOL_TAINT_SEARCH] = US"search",
+[POOL_TAINT_MESSAGE] = US"message",
};
static const uschar * poolclass[NPOOLS] = {
[POOL_MAIN] = US"untainted",
[POOL_PERM] = US"untainted",
[POOL_SEARCH] = US"untainted",
+[POOL_MESSAGE] = US"untainted",
[POOL_TAINT_MAIN] = US"tainted",
[POOL_TAINT_PERM] = US"tainted",
[POOL_TAINT_SEARCH] = US"tainted",
+[POOL_TAINT_MESSAGE] = US"tainted",
};
#endif
static void * internal_store_malloc(int, const char *, int);
static void internal_store_free(void *, const char *, int linenumber);
+/******************************************************************************/
+/* Initialisation, for things fragile with parameter channges when using
+static initialisers. */
+
+void
+store_init(void)
+{
+for (int i = 0; i < NPOOLS; i++)
+ {
+ yield_length[i] = -1;
+ store_block_order[i] = 12; /* log2(allocation_size) ie. 4kB */
+ }
+store_block_order[POOL_MAIN] = 13;
+}
+
/******************************************************************************/
/* Test if a pointer refers to tainted memory.
if ((b = current_block[pool]))
{
uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
- if (US p >= bc && US p <= bc + b->length) return TRUE;
+ if (US p >= bc && US p < bc + b->length) return TRUE;
}
for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++)
for (b = chainbase[pool]; b; b = b->next)
{
uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
- if (US p >= bc && US p <= bc + b->length) return TRUE;
+ if (US p >= bc && US p < bc + b->length) return TRUE;
}
return FALSE;
}
if (size > yield_length[pool])
{
- int length = size <= STORE_BLOCK_SIZE ? STORE_BLOCK_SIZE : size;
+ int length = MAX(STORE_BLOCK_SIZE(store_block_order[pool]), size);
int mlength = length + ALIGNED_SIZEOF_STOREBLOCK;
storeblock * newblock;
newblock = internal_store_malloc(mlength, func, linenumber);
newblock->next = NULL;
newblock->length = length;
+#ifndef RESTRICTED_MEMORY
+ if (store_block_order[pool]++ > maxorder[pool])
+ maxorder[pool] = store_block_order[pool];
+#endif
if (!chainbase[pool])
chainbase[pool] = newblock;
/* Cut out the debugging stuff for utilities, but stop picky compilers from
giving warnings. */
-#ifdef COMPILE_UTILITY
-func = func;
-linenumber = linenumber;
-#else
+#ifndef COMPILE_UTILITY
DEBUG(D_memory)
debug_printf("---%d Get %6p %5d %-14s %4d\n", pool,
store_last_get[pool], size, func, linenumber);
/* Cut out the debugging stuff for utilities, but stop picky compilers from
giving warnings. */
-#ifdef COMPILE_UTILITY
-func = func;
-linenumber = linenumber;
-#else
+#ifndef COMPILE_UTILITY
DEBUG(D_memory)
debug_printf("---%d Ext %6p %5d %-14s %4d\n", pool, ptr, newsize,
func, linenumber);
+static BOOL
+is_pwr2_size(int len)
+{
+unsigned x = len;
+return (x & (x - 1)) == 0;
+}
+
+
/*************************************************
* Back up to a previous point on the stack *
*************************************************/
/* Free any subsequent block. Do NOT free the first
successor, if our current block has less than 256 bytes left. This should
prevent us from flapping memory. However, keep this block only when it has
-the default size. */
+a power-of-two size so probably is not a custom inflated one. */
if ( yield_length[pool] < STOREPOOL_MIN_SIZE
&& b->next
- && b->next->length == STORE_BLOCK_SIZE)
+ && is_pwr2_size(b->next->length + ALIGNED_SIZEOF_STOREBLOCK))
{
b = b->next;
#ifndef COMPILE_UTILITY
bb = b->next;
b->next = NULL;
+/* If there will be only one block left in the pool, drop one
+most-recent allocation size increase, ensuring it does not increase
+forever. */
+
+if (!bb && store_block_order[pool] > 12) store_block_order[pool]--;
+
while ((b = bb))
{
int siz = b->length + ALIGNED_SIZEOF_STOREBLOCK;
/* Cut out the debugging stuff for utilities, but stop picky compilers from
giving warnings. */
-#ifdef COMPILE_UTILITY
-func = func;
-linenumber = linenumber;
-#else
+#ifndef COMPILE_UTILITY
DEBUG(D_memory)
- debug_printf("---%d Rst %6p %5d %-14s %4d %d\n", pool, ptr,
+ debug_printf("---%d Rst %6p %5d %-14s %4d\tpool %d\n", pool, ptr,
count + oldmalloc - pool_malloc,
func, linenumber, pool_malloc);
#endif /* COMPILE_UTILITY */
rmark
-store_reset_3(rmark r, int pool, const char *func, int linenumber)
+store_reset_3(rmark r, const char *func, int linenumber)
{
void ** ptr = r;
-if (pool >= POOL_TAINT_BASE)
+if (store_pool >= POOL_TAINT_BASE)
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
- "store_reset called for pool %d: %s %d\n", pool, func, linenumber);
+ "store_reset called for pool %d: %s %d\n", store_pool, func, linenumber);
if (!r)
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
"store_reset called with bad mark: %s %d\n", func, linenumber);
-internal_store_reset(*ptr, pool + POOL_TAINT_BASE, func, linenumber);
-internal_store_reset(ptr, pool, func, linenumber);
+internal_store_reset(*ptr, store_pool + POOL_TAINT_BASE, func, linenumber);
+internal_store_reset(ptr, store_pool, func, linenumber);
return NULL;
}
/* Cut out the debugging stuff for utilities, but stop picky compilers from
giving warnings. */
-#ifdef COMPILE_UTILITY
- func = func;
- linenumber = linenumber;
-#else
+#ifndef COMPILE_UTILITY
DEBUG(D_memory)
- debug_printf("---%d Rel %6p %5d %-14s %4d %d\n", pool, ptr, count,
+ debug_printf("---%d Rel %6p %5d %-14s %4d\tpool %d\n", pool, ptr, count,
func, linenumber, pool_malloc);
#endif
return;
{
void ** p;
+#ifndef COMPILE_UTILITY
+DEBUG(D_memory)
+ debug_printf("---%d Mrk %-14s %4d\tpool %d\n",
+ store_pool, func, linenumber, pool_malloc);
+#endif /* COMPILE_UTILITY */
+
if (store_pool >= POOL_TAINT_BASE)
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
"store_mark called for pool %d: %s %d\n", store_pool, func, linenumber);
/* Cut out the debugging stuff for utilities, but stop picky compilers
from giving warnings. */
-#ifdef COMPILE_UTILITY
- func = func;
- linenumber = linenumber;
-#else
+#ifndef COMPILE_UTILITY
DEBUG(D_memory)
debug_printf("-Release %6p %-20s %4d %d\n", (void *)bb, func,
linenumber, pool_malloc);
{
void * yield;
+#ifndef COMPILE_UTILITY
+DEBUG(D_memory) size += sizeof(int); /* space to store the size */
+#endif
+
if (size < 16) size = 16;
if (!(yield = malloc((size_t)size)))
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to malloc %d bytes of memory: "
"called from line %d in %s", size, line, func);
+#ifndef COMPILE_UTILITY
+DEBUG(D_memory) { *(int *)yield = size; yield = US yield + sizeof(int); }
+#endif
+
if ((nonpool_malloc += size) > max_nonpool_malloc)
max_nonpool_malloc = nonpool_malloc;
/* Cut out the debugging stuff for utilities, but stop picky compilers from
giving warnings. */
-#ifdef COMPILE_UTILITY
-func = func; line = line;
-#else
-
+#ifndef COMPILE_UTILITY
/* If running in test harness, spend time making sure all the new store
is not filled with zeros so as to catch problems. */
if (f.running_in_test_harness)
- memset(yield, 0xF0, (size_t)size);
-DEBUG(D_memory) debug_printf("--Malloc %6p %5d bytes\t%-14s %4d\tpool %5d nonpool %5d\n",
+ memset(yield, 0xF0, (size_t)size - sizeof(int));
+DEBUG(D_memory) debug_printf("--Malloc %6p %5d bytes\t%-20s %4d\tpool %5d nonpool %5d\n",
yield, size, func, line, pool_malloc, nonpool_malloc);
#endif /* COMPILE_UTILITY */
static void
internal_store_free(void * block, const char * func, int linenumber)
{
-#ifdef COMPILE_UTILITY
-func = func;
-linenumber = linenumber;
-#else
-DEBUG(D_memory)
- debug_printf("----Free %6p %-20s %4d\n", block, func, linenumber);
-#endif /* COMPILE_UTILITY */
-free(block);
+uschar * p = block;
+#ifndef COMPILE_UTILITY
+DEBUG(D_memory) { p -= sizeof(int); nonpool_malloc -= *(int *)p; }
+DEBUG(D_memory) debug_printf("----Free %6p %5d bytes\t%-20s %4d\n", block, *(int *)p, func, linenumber);
+#endif
+free(p);
}
void
(max_nonpool_malloc+1023)/1024, max_nonpool_blocks);
debug_printf("----Exit npools max: %3d kB\n", max_pool_malloc/1024);
for (int i = 0; i < NPOOLS; i++)
- debug_printf("----Exit pool %d max: %3d kB in %d blocks\t%s %s\n",
- i, maxbytes[i]/1024, maxblocks[i], poolclass[i], pooluse[i]);
+ debug_printf("----Exit pool %d max: %3d kB in %d blocks at order %u\t%s %s\n",
+ i, maxbytes[i]/1024, maxblocks[i], maxorder[i],
+ poolclass[i], pooluse[i]);
}
#endif
}
+
+/******************************************************************************/
+/* Per-message pool management */
+
+static rmark message_reset_point = NULL;
+
+void
+message_start(void)
+{
+int oldpool = store_pool;
+store_pool = POOL_MESSAGE;
+if (!message_reset_point) message_reset_point = store_mark();
+store_pool = oldpool;
+}
+
+void message_tidyup(void)
+{
+int oldpool;
+if (!message_reset_point) return;
+oldpool = store_pool;
+store_pool = POOL_MESSAGE;
+message_reset_point = store_reset(message_reset_point);
+store_pool = oldpool;
+}
+
/* End of store.c */
git://git.exim.org / exim.git / blobdiff