PSA: MiraclePtr std::vector<T*> rewrite.

236 views
Skip to first unread message

Arthur Sonzogni

unread,
Sep 25, 2023, 4:36:00 AM9/25/23
to Chromium-dev, Ali Hijazi

Hi chromium-dev,

To protect Chrome against UAF consequences, we are going to expand MiraclePtr coverage toward pointers in std::vector. It means converting every std::vector<T*> in class/struct fields into std::vector<raw_ptr<T>>. This targets code used by non-renderer processes.

Contrary to the MiraclePtr big rewrite, we will not close the tree. This will be a regular patch.

Credits goes to Ali Hijazi for creating the clang rewriter and binary experiments [@google links: (1) (2)]

Note: This is not an all-or-nothing question, and it is reversible. Similar to normal pointers, we can exclude some using RAW_PTR_EXCLUSION. If we find evidence some vectors are causing the allocator’s refcounts to be updated too frequently, they will be removed. So far, we found no evidence from two binary experiments on Android and Windows on dev. Given the associated cost and risk of running binary experiments, we would like to proceed from what we know today. See also the chrome-metrics-team thread. We will continue monitoring for potential hotspots from the sampled call stack metrics data.

Please let us know if you have any concerns, especially about metrics and performance.

What’s planned next:

  • Enforce usage of vector<raw_ptr<T>> via a clang plugin.

  • Target other templated classes, until protecting >80%:

    • std::vector (35%)

    • std::set (18%)

    • std::map (10%)

    • std::list (4%) 

    • base::flat_set (10%)

    • base::flat_map (4%)

On behalf of Chrome memory safety

Reply all
Reply to author
Forward
0 new messages