
[PA] Disable BRP zapping on iOS

This helps us investigate the metadata corruption issue on iOS.

Bug: 371135823
Change-Id: Id67489c7e989bc528e7ff078454c623d7c23aef9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6427158
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Commit-Queue: Mikihito Matsuura <mikt@google.com>
Cr-Commit-Position: refs/heads/main@{#1442619}
mikt
2025-04-04 01:25:54 -07:00
committed by Chromium LUCI CQ
parent 436a507735
commit 8b121d32e3
3 changed files with 10 additions and 0 deletions
base/allocator/partition_allocator/src/partition_alloc

@ -4549,7 +4549,9 @@ TEST_P(PartitionAllocTest, RefCountBasic) {
}
constexpr uint64_t kCookie = 0x1234567890ABCDEF;
#if !PA_BUILDFLAG(IS_IOS)
constexpr uint64_t kQuarantined = 0xEFEFEFEFEFEFEFEF;
#endif // !PA_BUILDFLAG(IS_IOS)
size_t alloc_size = 64 - ExtraAllocSize(allocator);
uint64_t* ptr1 =
@ -4574,8 +4576,10 @@ TEST_P(PartitionAllocTest, RefCountBasic) {
// The allocation shouldn't be reclaimed, and its contents should be zapped.
// Retag ptr1 to get its correct MTE tag.
ptr1 = TagPtr(ptr1);
#if !PA_BUILDFLAG(IS_IOS)
EXPECT_NE(*ptr1, kCookie);
EXPECT_EQ(*ptr1, kQuarantined);
#endif // !PA_BUILDFLAG(IS_IOS)
// The allocator should not reuse the original slot since its reference count
// doesn't equal zero.
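Review bot: On iOS the test now skips both expectations on `*ptr1`, so it no longer verifies anything about the quarantined slot's contents, and the `#if` will silently keep skipping them after zapping is restored. If the test stores `kCookie` into `*ptr1` before freeing (that store is outside the hunk), an `#else` branch with `EXPECT_EQ(*ptr1, kCookie);` would pin the temporary no-zap behavior on iOS and fail loudly once zapping returns and this guard is forgotten. Compiling out `kQuarantined` on iOS matches its only use, but neither `#if !PA_BUILDFLAG(IS_IOS)` region here references crbug.com/371135823 the way the TODO in QuarantineForBrp does. RefCountBasic's body continues outside the hunk.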

@ -1983,7 +1983,11 @@ PA_NOINLINE void PartitionRoot::QuarantineForBrp(
if (hook) [[unlikely]] {
hook(object, usable_size);
} else {
// TODO(https://crbug.com/371135823): Enable zapping again once finished
// investigation.
#if !PA_BUILDFLAG(IS_IOS)
internal::SecureMemset(object, internal::kQuarantinedByte, usable_size);
#endif // !PA_BUILDFLAG(IS_IOS)
}
}
#endif // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
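Review bot: The TODO above the new `#if !PA_BUILDFLAG(IS_IOS)` says when to revert but not what is given up meanwhile: on iOS an object entering BRP quarantine through the non-hook path now keeps its previous contents until the slot is actually freed, so a read through a dangling pointer presumably sees stale data instead of `kQuarantinedByte`, which is the property the zap appears to exist for. I would spell that out so the block is not mistaken for an optimization, e.g. `// Zapping is skipped on iOS, so a quarantined slot keeps its prior contents; the matching kQuarantinedByte DCHECK in PartitionAllocFreeForRefCounting is disabled there as well.` The companion `#if !PA_BUILDFLAG(IS_IOS)` regions in PartitionAllocFreeForRefCounting and in RefCountBasic carry no reference to the bug; giving each the same TODO(https://crbug.com/371135823) line makes it likely all three sites are re-enabled together. QuarantineForBrp's body starts outside the hunk.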

@ -1265,6 +1265,7 @@ PA_ALWAYS_INLINE void PartitionAllocFreeForRefCounting(uintptr_t slot_start) {
// Iterating over the entire slot can be really expensive.
#if PA_BUILDFLAG(EXPENSIVE_DCHECKS_ARE_ON)
#if !PA_BUILDFLAG(IS_IOS)
auto hook = PartitionAllocHooks::GetQuarantineOverrideHook();
// If we have a hook the object segment is not necessarily filled
// with |kQuarantinedByte|.
@ -1275,6 +1276,7 @@ PA_ALWAYS_INLINE void PartitionAllocFreeForRefCounting(uintptr_t slot_start) {
PA_DCHECK(object[i] == kQuarantinedByte);
}
}
#endif // !PA_BUILDFLAG(IS_IOS)
DebugMemset(SlotStartAddr2Ptr(slot_start), kFreedByte,
slot_span->GetUtilizedSlotSize());
#endif // PA_BUILDFLAG(EXPENSIVE_DCHECKS_ARE_ON)