
[PA] Disable BRP zapping on iOS

This helps us investigate the metadata corruption issue on iOS.

Bug: 371135823
Change-Id: Id67489c7e989bc528e7ff078454c623d7c23aef9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6427158
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Commit-Queue: Mikihito Matsuura <mikt@google.com>
Cr-Commit-Position: refs/heads/main@{#1442619}
This commit is contained in:
mikt
2025-04-04 01:25:54 -07:00
committed by Chromium LUCI CQ
parent 436a507735
commit 8b121d32e3
3 changed files with 10 additions and 0 deletions
base/allocator/partition_allocator/src/partition_alloc

@ -4549,7 +4549,9 @@ TEST_P(PartitionAllocTest, RefCountBasic) {
} }
constexpr uint64_t kCookie = 0x1234567890ABCDEF; constexpr uint64_t kCookie = 0x1234567890ABCDEF;
#if !PA_BUILDFLAG(IS_IOS)
constexpr uint64_t kQuarantined = 0xEFEFEFEFEFEFEFEF; constexpr uint64_t kQuarantined = 0xEFEFEFEFEFEFEFEF;
#endif // !PA_BUILDFLAG(IS_IOS)
size_t alloc_size = 64 - ExtraAllocSize(allocator); size_t alloc_size = 64 - ExtraAllocSize(allocator);
uint64_t* ptr1 = uint64_t* ptr1 =
@ -4574,8 +4576,10 @@ TEST_P(PartitionAllocTest, RefCountBasic) {
// The allocation shouldn't be reclaimed, and its contents should be zapped. // The allocation shouldn't be reclaimed, and its contents should be zapped.
// Retag ptr1 to get its correct MTE tag. // Retag ptr1 to get its correct MTE tag.
ptr1 = TagPtr(ptr1); ptr1 = TagPtr(ptr1);
#if !PA_BUILDFLAG(IS_IOS)
EXPECT_NE(*ptr1, kCookie); EXPECT_NE(*ptr1, kCookie);
EXPECT_EQ(*ptr1, kQuarantined); EXPECT_EQ(*ptr1, kQuarantined);
#endif // !PA_BUILDFLAG(IS_IOS)
// The allocator should not reuse the original slot since its reference count // The allocator should not reuse the original slot since its reference count
// doesn't equal zero. // doesn't equal zero.
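Review bot: The comment at the top of the second hunk, `// The allocation shouldn't be reclaimed, and its contents should be zapped.`, is no longer accurate on iOS now that the `EXPECT_NE`/`EXPECT_EQ` below it are compiled out there, and nothing in the test says why a reader on an iOS build sees no check of the slot contents at all. Suggest extending it next to the new `#if !PA_BUILDFLAG(IS_IOS)`, e.g. `// Zapping is temporarily disabled on iOS (crbug.com/371135823), so the contents are not checked there.` Guarding `kQuarantined` the same way in the first hunk is consistent with that, since the constant would otherwise be unused on iOS. TEST_P RefCountBasic begins and ends outside this section.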

@ -1983,7 +1983,11 @@ PA_NOINLINE void PartitionRoot::QuarantineForBrp(
if (hook) [[unlikely]] { if (hook) [[unlikely]] {
hook(object, usable_size); hook(object, usable_size);
} else { } else {
// TODO(https://crbug.com/371135823): Enable zapping again once finished
// investigation.
#if !PA_BUILDFLAG(IS_IOS)
internal::SecureMemset(object, internal::kQuarantinedByte, usable_size); internal::SecureMemset(object, internal::kQuarantinedByte, usable_size);
#endif // !PA_BUILDFLAG(IS_IOS)
} }
} }
#endif // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) #endif // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
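Review bot: The TODO added above `internal::SecureMemset(object, internal::kQuarantinedByte, usable_size);` records that zapping is off on iOS but not what that changes: while a slot sits in BRP quarantine on iOS its bytes are now left intact, so a dangling raw_ptr dereference there reads the stale object instead of kQuarantinedByte, and the `hook` branch is the only path that still touches the memory; that is presumably the property the zap exists to provide, so it is worth stating at the site. Suggest `// TODO(https://crbug.com/371135823): Zapping is disabled on iOS while the metadata corruption is investigated; until it is re-enabled, quarantined slots on iOS retain their original contents.` The matching `#if !PA_BUILDFLAG(IS_IOS)` guard around the kQuarantinedByte DCHECK loop in the PartitionAllocFreeForRefCounting hunk has no comment at all and should carry a one-line reference to the same bug so the two guards are removed together. QuarantineForBrp's signature and the surrounding `#if` are outside this hunk.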

@ -1265,6 +1265,7 @@ PA_ALWAYS_INLINE void PartitionAllocFreeForRefCounting(uintptr_t slot_start) {
// Iterating over the entire slot can be really expensive. // Iterating over the entire slot can be really expensive.
#if PA_BUILDFLAG(EXPENSIVE_DCHECKS_ARE_ON) #if PA_BUILDFLAG(EXPENSIVE_DCHECKS_ARE_ON)
#if !PA_BUILDFLAG(IS_IOS)
auto hook = PartitionAllocHooks::GetQuarantineOverrideHook(); auto hook = PartitionAllocHooks::GetQuarantineOverrideHook();
// If we have a hook the object segment is not necessarily filled // If we have a hook the object segment is not necessarily filled
// with |kQuarantinedByte|. // with |kQuarantinedByte|.
@ -1275,6 +1276,7 @@ PA_ALWAYS_INLINE void PartitionAllocFreeForRefCounting(uintptr_t slot_start) {
PA_DCHECK(object[i] == kQuarantinedByte); PA_DCHECK(object[i] == kQuarantinedByte);
} }
} }
#endif // !PA_BUILDFLAG(IS_IOS)
DebugMemset(SlotStartAddr2Ptr(slot_start), kFreedByte, DebugMemset(SlotStartAddr2Ptr(slot_start), kFreedByte,
slot_span->GetUtilizedSlotSize()); slot_span->GetUtilizedSlotSize());
#endif // PA_BUILDFLAG(EXPENSIVE_DCHECKS_ARE_ON) #endif // PA_BUILDFLAG(EXPENSIVE_DCHECKS_ARE_ON)