PSA: Close the tree and land Big Rewrite for MiraclePtr


Keishi Hattori

Nov 15, 2021, 10:16:00 PM11/15/21
to Chromium-dev, memory-s...@chromium.org, blink-dev, bar...@chromium.org, Kentaro Hara

TL;DR: We plan to close the tree over the weekend, from Friday, Nov 25th, 7 PM PST to Sunday, Nov 27th, 4 PM PST, to land a Big Rewrite for MiraclePtr (T* => raw_ptr<T>).

We are still in the process of getting final confirmation with metrics owners, but we would like to send a PSA early to let everyone know that we plan to close the tree and do a massive code rewrite on the weekend of Nov 26 to Nov 27, under the condition that we get approval.

What: We are landing a massive clang rewrite that replaces most class/struct field raw pointers T* with raw_ptr<T>.

class Foo {
  Bar* bar_;  // This will be rewritten to 'raw_ptr<Bar> bar_'.
};

When: We will be closing the tree on Friday, Nov 25th, 7 PM PST and expect to have the tree reopened by Sunday, Nov 27th, 4 PM PST. The Chromium tree will be closed for an estimated 44 hours.

Why are we doing the "Big Rewrite"?

MiraclePtr is our response to Chromium's biggest security problem, i.e. a constant stream of exploitable (and exploited) use-after-free bugs. The algorithm we've chosen (BackupRefPtr) is based on quarantining freed memory that has known pointer references.

We have evaluated the performance cost of BackupRefPtr using binary experiments, and the cost is likely to be acceptable (internal doc). However, given the constraints of the binary experiments, we need to run a Finch trial to be fully confident that the performance cost is acceptable. To run a Finch trial, we need to rewrite T* with raw_ptr<T> in the codebase. The performance cost of the rewrite itself is likely to be negligible (we are doing a final confirmation with metrics owners right now).
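As an added illustration (not Chromium's code), here is a simplified C++ model of the BackupRefPtr scheme described above: each allocation carries a reference count that raw_ptr<T> fields maintain, and freeing an object that a raw_ptr still references poisons and quarantines its slot instead of handing the memory back. The SlotHeader layout, BrpAlloc/BrpFree and the quarantine counter are assumptions of this example; the real implementation keeps this metadata inside PartitionAlloc.

```cpp
#include <cstdlib>
#include <cstring>

// Metadata kept just before each object: a stand-in for the PartitionAlloc
// slot metadata real BackupRefPtr uses (this layout is an assumption).
struct SlotHeader {
  size_t size;    // bytes in the user object
  unsigned refs;  // raw_ptr<T> instances currently pointing into the slot
  bool freed;     // set once the owner called BrpFree()
};
static int g_quarantined = 0;  // freed slots still held back by a raw_ptr
static SlotHeader* HeaderOf(void* p) { return static_cast<SlotHeader*>(p) - 1; }
void* BrpAlloc(size_t size) {  // returns the object address behind a header
  auto* h = static_cast<SlotHeader*>(std::malloc(sizeof(SlotHeader) + size));
  *h = SlotHeader{size, 0, false};
  return h + 1;
}
// While a raw_ptr still references the slot, BrpFree poisons the bytes and
// quarantines the slot instead of returning it to the allocator, so a dangling
// access cannot alias a fresh object placed at the same address.
void BrpFree(void* p) {
  SlotHeader* h = HeaderOf(p);
  h->freed = true;
  if (h->refs == 0) { std::free(h); return; }
  std::memset(p, 0xEF, h->size);
  ++g_quarantined;
}
int QuarantinedSlots() { return g_quarantined; }

template <typename T>
class raw_ptr {
 public:
  raw_ptr() = default;
  raw_ptr(T* p) : ptr_(p) { Acquire(); }
  raw_ptr(const raw_ptr& o) : raw_ptr(o.ptr_) {}
  ~raw_ptr() { Release(); }
  raw_ptr& operator=(T* p) { if (p != ptr_) { Release(); ptr_ = p; Acquire(); } return *this; }
  raw_ptr& operator=(const raw_ptr& o) { return *this = o.ptr_; }
  T* operator->() const { return ptr_; }
 private:
  void Acquire() { if (ptr_) ++HeaderOf(ptr_)->refs; }
  void Release() {  // the last reference to a freed slot finally releases it
    SlotHeader* h = ptr_ ? HeaderOf(ptr_) : nullptr;
    if (h && --h->refs == 0 && h->freed) { --g_quarantined; std::free(h); }
  }
  T* ptr_ = nullptr;
};
// The field shape the rewrite produces, per the post's Foo/Bar example.
struct Bar { int v; };
struct Foo { raw_ptr<Bar> bar_; };
```

Freeing a Bar while a Foo still holds it leaves QuarantinedSlots() at 1 until that Foo is destroyed; a slot with no raw_ptr references is released immediately.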

What will change after the "Big Rewrite"?

We have a developer guide for when to use raw_ptr<T>. We made the rule as simple as possible: you need to use raw_ptr<T> instead of T* in classes and structs (but not in local variables and function parameters).

The rule will not be enforced until we enable MiraclePtr, which will happen in a few months from now. We encourage you to use raw_ptr<T> when adding new pointer fields to your classes and structs, but it's ok to use raw pointers for now. They're semantically the same.

The Big Rewrite will be based on Android and Windows. Code specific to other platforms will be rewritten later.

Planned schedule

  1. Nov 26-27: Close the tree and do the Big Rewrite. Use a clang rewriter to automatically convert almost all class/struct fields from T* to raw_ptr<T>. The performance overhead will be negligible (we are doing the final confirmation with metrics owners).

  2. Dec onward: Start Finch trials to measure the performance cost of MiraclePtr.

  3. If the results look good, we will enable MiraclePtr and enable a clang plugin that enforces the coding rule.

If you have any questions / concerns, please let us know. Thanks!

Keishi
