.github/workflows/build.yml

@@ -10,7 +10,7 @@ defaults:
     shell: bash
     working-directory: src
 env:
-  CACHE_EPOCH: 4
+  CACHE_EPOCH: 1
   CCACHE_MAXSIZE: 200M
   CCACHE_MAXFILES: 0
   SCCACHE_CACHE_SIZE: 200M
@@ -25,7 +25,7 @@ jobs:
           path: |
             src/third_party/llvm-build/Release+Asserts/
             src/gn/
-            src/qemu-user-static*.deb
+            src/qemu-user*.deb
           key: toolchains-posix-${{ hashFiles('CHROMIUM_VERSION') }}-v${{ env.CACHE_EPOCH }}
       - name: Cache PGO (Linux, OpenWrt)
         uses: actions/cache@v4
@@ -45,8 +45,8 @@ jobs:
       - run: ./get-clang.sh
       - run: EXTRA_FLAGS='target_os="android"' ./get-clang.sh
       - run: |
-          if [ ! -f qemu-user-static*.deb ]; then
+          if [ ! -f qemu-user*.deb ]; then
-            wget https://snapshot.debian.org/archive/debian/20230611T210420Z/pool/main/q/qemu/qemu-user-static_8.0%2Bdfsg-4_amd64.deb
+            wget https://snapshot.debian.org/archive/debian/20250405T083429Z/pool/main/q/qemu/qemu-user_9.2.2%2Bds-1%2Bb2_amd64.deb
           fi
   cache-toolchains-win:
     runs-on: windows-2022
@@ -97,7 +97,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch: [x64, x86, arm64, arm, mipsel, mips64el, riscv64]
+        arch: [x64, x86, arm64, arm, mipsel, mips64el, riscv64, loong64]
     env:
       EXTRA_FLAGS: 'target_cpu="${{ matrix.arch }}"'
       BUNDLE: naiveproxy-${{ github.event.release.tag_name }}-${{ github.job }}-${{ matrix.arch }}
@@ -109,7 +109,7 @@ jobs:
           path: |
             src/third_party/llvm-build/Release+Asserts/
             src/gn/
-            src/qemu-user-static*.deb
+            src/qemu-user*.deb
           key: toolchains-posix-${{ hashFiles('CHROMIUM_VERSION') }}-v${{ env.CACHE_EPOCH }}
       - name: Cache PGO (Linux, OpenWrt)
         uses: actions/cache@v4
@@ -138,7 +138,7 @@ jobs:
           sudo apt update
           sudo apt install ninja-build pkg-config ccache bubblewrap
           sudo apt remove -y qemu-user-binfmt
-          sudo dpkg -i qemu-user-static*.deb
+          sudo dpkg -i qemu-user*.deb
           # libc6-i386 interferes with x86 build
           sudo apt remove libc6-i386
       - run: ./get-clang.sh
@@ -192,7 +192,7 @@ jobs:
           path: |
             src/third_party/llvm-build/Release+Asserts/
             src/gn/
-            src/qemu-user-static*.deb
+            src/qemu-user*.deb
           key: toolchains-posix-${{ hashFiles('CHROMIUM_VERSION') }}-v${{ env.CACHE_EPOCH }}
       - name: Cache AFDO (Android)
         uses: actions/cache@v4
@@ -222,7 +222,7 @@ jobs:
           sudo apt update
           sudo apt install ninja-build pkg-config ccache bubblewrap
           sudo apt remove -y qemu-user-binfmt
-          sudo dpkg -i qemu-user-static*.deb
+          sudo dpkg -i qemu-user*.deb
           # libc6-i386 interferes with x86 build
           sudo apt remove libc6-i386
       - run: ./get-clang.sh
@@ -396,8 +396,8 @@ jobs:
             openwrt: "target=sunxi subtarget=cortexa53"
             target_cpu: arm64
             extra: 'arm_cpu="cortex-a53" build_static=true use_allocator_shim=false use_partition_alloc=false'
-            openwrt_release: '23.05.0'
+            openwrt_release: '24.10.0'
-            openwrt_gcc_ver: '12.3.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: aarch64_cortex-a72
             openwrt: "target=mvebu subtarget=cortexa72"
             target_cpu: arm64
@@ -406,8 +406,14 @@ jobs:
             openwrt: "target=mvebu subtarget=cortexa72"
             target_cpu: arm64
             extra: 'arm_cpu="cortex-a72" build_static=true use_allocator_shim=false use_partition_alloc=false'
-            openwrt_release: '23.05.0'
+            openwrt_release: '24.10.0'
-            openwrt_gcc_ver: '12.3.0'
+            openwrt_gcc_ver: '13.3.0'
+          - arch: aarch64_cortex-a76
+            openwrt: "target=bcm27xx subtarget=bcm2712"
+            target_cpu: arm64
+            extra: 'arm_cpu="cortex-a76"'
+            openwrt_release: '24.10.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: aarch64_generic
             openwrt: "target=layerscape subtarget=armv8_64b"
             target_cpu: arm64
@@ -415,8 +421,8 @@ jobs:
             openwrt: "target=layerscape subtarget=armv8_64b"
             target_cpu: arm64
             extra: "build_static=true use_allocator_shim=false use_partition_alloc=false"
-            openwrt_release: '23.05.0'
+            openwrt_release: '24.10.0'
-            openwrt_gcc_ver: '12.3.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: arm_arm1176jzf-s_vfp
             openwrt: "target=brcm2708 subtarget=bcm2708"
             target_cpu: arm
@@ -447,8 +453,8 @@ jobs:
             openwrt: "target=sunxi subtarget=cortexa7"
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="cortex-a7" arm_fpu="neon-vfpv4" arm_float_abi="hard" arm_use_neon=true build_static=true use_allocator_shim=false use_partition_alloc=false'
-            openwrt_release: '23.05.0'
+            openwrt_release: '24.10.0'
-            openwrt_gcc_ver: '12.3.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: arm_cortex-a7_vfpv4
             openwrt: "target=at91 subtarget=sama7"
             target_cpu: arm
@@ -467,8 +473,8 @@ jobs:
             openwrt: "target=bcm53xx subtarget=generic"
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="cortex-a9" arm_float_abi="soft" arm_use_neon=false build_static=true use_allocator_shim=false use_partition_alloc=false'
-            openwrt_release: '23.05.0'
+            openwrt_release: '24.10.0'
-            openwrt_gcc_ver: '12.3.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: arm_cortex-a9_neon
             openwrt: "target=imx6 subtarget=generic"
             target_cpu: arm
@@ -493,8 +499,8 @@ jobs:
             openwrt: "target=ramips subtarget=rt305x"
             target_cpu: mipsel
             extra: 'mips_arch_variant="r2" mips_float_abi="soft" build_static=true use_allocator_shim=false use_partition_alloc=false'
-            openwrt_release: '23.05.0'
+            openwrt_release: '24.10.0'
-            openwrt_gcc_ver: '12.3.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: mipsel_mips32
             openwrt: "target=brcm47xx subtarget=legacy"
             target_cpu: mipsel
@@ -504,8 +510,13 @@ jobs:
             target_cpu: riscv64
             openwrt_release: '23.05.0'
             openwrt_gcc_ver: '12.3.0'
+          - arch: loongarch64
+            openwrt: "target=loongarch64 subtarget=generic"
+            target_cpu: loong64
+            openwrt_release: '24.10.0'
+            openwrt_gcc_ver: '13.3.0'
     env:
-      EXTRA_FLAGS: target_cpu="${{ matrix.target_cpu }}" target_os="openwrt" ${{ matrix.extra }}
+      EXTRA_FLAGS: target_cpu="${{ matrix.target_cpu }}" target_os="openwrt" ${{ matrix.extra }} enable_shadow_metadata=false
       OPENWRT_FLAGS: arch=${{ matrix.arch }} release=${{ matrix.openwrt_release || '18.06.0' }} gcc_ver=${{ matrix.openwrt_gcc_ver || '7.3.0' }} ${{ matrix.openwrt }}
       BUNDLE: naiveproxy-${{ github.event.release.tag_name }}-${{ github.job }}-${{ matrix.arch }}
     steps:
@@ -516,7 +527,7 @@ jobs:
           path: |
             src/third_party/llvm-build/Release+Asserts/
             src/gn/
-            src/qemu-user-static*.deb
+            src/qemu-user*.deb
           key: toolchains-posix-${{ hashFiles('CHROMIUM_VERSION') }}-v${{ env.CACHE_EPOCH }}
       - name: Cache PGO (Linux, OpenWrt)
         uses: actions/cache@v4
@@ -541,7 +552,7 @@ jobs:
           sudo apt update
           sudo apt install ninja-build pkg-config ccache bubblewrap
           sudo apt remove -y qemu-user-binfmt
-          sudo dpkg -i qemu-user-static*.deb
+          sudo dpkg -i qemu-user*.deb
           # libc6-i386 interferes with x86 build
           sudo apt remove libc6-i386
       - run: ./get-clang.sh

CHROMIUM_VERSION

@@ -1 +1 @@
-130.0.6723.40
+135.0.7049.38

README.md

@@ -21,7 +21,7 @@ The Naïve server here works as a forward proxy and a packet length padding laye
 
 ## Download NaïveProxy
 
-Download [here](https://github.com/klzgrad/naiveproxy/releases/latest). Supported platforms include: Windows, Android (with [Exclave](https://github.com/dyhkwong/Exclave), [NekoBox](https://github.com/MatsuriDayo/NekoBoxForAndroid)), Linux, Mac OS, and OpenWrt ([support status](https://github.com/klzgrad/naiveproxy/wiki/OpenWrt-Support)).
+Download [here](https://github.com/klzgrad/naiveproxy/releases/latest). Supported platforms include: Windows, Android (with [Exclave](https://github.com/dyhkwong/Exclave), [husi](https://github.com/xchacha20-poly1305/husi), [NekoBox](https://github.com/MatsuriDayo/NekoBoxForAndroid)), Linux, Mac OS, and OpenWrt ([support status](https://github.com/klzgrad/naiveproxy/wiki/OpenWrt-Support)).
 
 Users should always use the latest version to keep signatures identical to Chrome.
 
@@ -79,10 +79,7 @@ Or `quic://user:pass@example.com`, if it works better. See also [parameter usage
 
 ## Third-party integration
 
-* [v2rayN](https://github.com/2dust/v2rayN), GUI client, Windows
+* [v2rayN](https://github.com/2dust/v2rayN), GUI client
-* [NekoBox for Android](https://github.com/MatsuriDayo/NekoBoxForAndroid), Proxy toolchain, Android
-* [NekoRay / NekoBox For PC](https://github.com/MatsuriDayo/nekoray), Qt based GUI, Windows, Linux
-* [Yet Another Shadow Socket](https://github.com/Chilledheart/yass), NaïveProxy-compatible forward proxy, Android, iOS, Windows, macOS, Linux, FreeBSD
 
 ## Notes for downstream
 

src/.clang-format

@@ -28,10 +28,10 @@ IncludeCategories:
   # LINT.IfChange(winheader)
   - Regex:           '^<objbase\.h>' # This has to be before initguid.h.
     Priority:        1
-  - Regex:           '^<(initguid|mmdeviceapi|windows|winsock2|ws2tcpip|shobjidl|atlbase|ole2|unknwn|tchar|ocidl)\.h>'
+  - Regex:           '^<(atlbase|initguid|mmdeviceapi|ocidl|ole2|shobjidl|tchar|unknwn|windows|winsock2|winternl|ws2tcpip)\.h>'
     Priority:        2
   # LINT.ThenChange(/tools/add_header.py:winheader)
-  # UIAutomation*.h need to be after base/win/atl.h.
+  # UIAutomation*.h needs to be after base/win/atl.h.
   # Note the low priority number.
   - Regex:           '^<UIAutomation.*\.h>'
     Priority:        6
@@ -39,8 +39,11 @@ IncludeCategories:
   - Regex:           '^<.*\.h>'
     Priority:        3
   # C++ standard library headers.
-  - Regex:           '^<.*'
+  - Regex:           '^<.*>'
     Priority:        4
+  # windows_h_disallowed.h should appear last. Note the low priority number.
+  - Regex:           '"(.*/)?windows_h_disallowed\.h"'
+    Priority:        7
   # Other libraries.
   - Regex:           '.*'
     Priority:        5

src/.gn

@@ -90,7 +90,7 @@ no_check_targets = [
   "//v8:v8_libplatform",  # 2 errors
 ]
 
-# These are the list of GN files that run exec_script. This whitelist exists
+# These are the list of GN files that run exec_script. This allowlist exists
 # to force additional review for new uses of exec_script, which is strongly
 # discouraged.
 #
@@ -145,11 +145,11 @@ no_check_targets = [
 #      this situation much easier to create. if the build always lists the
 #      files and passes them to a script, it will always be correct.
 
-exec_script_whitelist =
+exec_script_allowlist =
-    build_dotfile_settings.exec_script_whitelist +
+    build_dotfile_settings.exec_script_allowlist +
     angle_dotfile_settings.exec_script_whitelist +
     [
-      # Whitelist entries for //build should go into
+      # Allowlist entries for //build should go into
       # //build/dotfile_settings.gni instead, so that they can be shared
       # with other repos. The entries in this list should be only for files
       # in the Chromium repo outside of //build.

src/AUTHORS

@@ -17,6 +17,7 @@ Aaron Jacobs <samusaaron3@gmail.com>
 Aaron Leventhal <aaronlevbugs@gmail.com>
 Aaron Randolph <aaron.randolph@gmail.com>
 Aaryaman Vasishta <jem456.vasishta@gmail.com>
+AbdAlRahman Gad <abdobngad@gmail.com>
 Abdu Ameen <abdu.ameen000@gmail.com>
 Abdullah Abu Tasneem <a.tasneem@samsung.com>
 Abhijeet Kandalkar <abhijeet.k@samsung.com>
@@ -117,6 +118,7 @@ Andreas Papacharalampous <andreas@apap04.com>
 Andrei Borza <andrei.borza@gmail.com>
 Andrei Parvu <andrei.prv@gmail.com>
 Andrei Parvu <parvu@adobe.com>
+Andrei Volykhin <andrei.volykhin@gmail.com>
 Andres Salomon <dilinger@queued.net>
 Andreu Botella <andreu@andreubotella.com>
 Andrew Boyarshin <andrew.boyarshin@gmail.com>
@@ -192,6 +194,7 @@ Ben Noordhuis <ben@strongloop.com>
 Benedek Heilig <benecene@gmail.com>
 Benjamin Dupont <bedupont@cisco.com>
 Benjamin Jemlich <pcgod99@gmail.com>
+Beomsik Min <beomsikm@gmail.com>
 Bernard Cafarelli <voyageur@gentoo.org>
 Bernhard M. Wiedemann <bwiedemann@suse.de>
 Bert Belder <bertbelder@gmail.com>
@@ -310,6 +313,7 @@ Daniel Lockyer <thisisdaniellockyer@gmail.com>
 Daniel Nishi <dhnishi@gmail.com>
 Daniel Platz <daplatz@googlemail.com>
 Daniel Playfair Cal <daniel.playfair.cal@gmail.com>
+Daniel Richard G. <iskunk@gmail.com>
 Daniel Shaulov <dshaulov@ptc.com>
 Daniel Trebbien <dtrebbien@gmail.com>
 Daniel Waxweiler <daniel.waxweiler@gmail.com>
@@ -327,8 +331,10 @@ Darshini KN <kn.darshini@samsung.com>
 Dave Vandyke <kzar@kzar.co.uk>
 David Benjamin <davidben@mit.edu>
 David Brown <develop.david.brown@gmail.com>
+David Cernoch <dcernoch@uplandsoftware.com>
 David Davidovic <david@davidovic.io>
 David Erceg <erceg.david@gmail.com>
+David Faden <dfaden@gmail.com>
 David Fox <david@davidjfox.com>
 David Futcher <david.mike.futcher@gmail.com>
 David Jin <davidjin@amazon.com>
@@ -345,6 +351,7 @@ Dax Kelson <dkelson@gurulabs.com>
 Dean Leitersdorf <dean.leitersdorf@gmail.com>
 Debadree Chatterjee <debadree333@gmail.com>
 Debashish Samantaray <d.samantaray@samsung.com>
+Debin Zhang <debinzhang3@gmail.com>
 Debug Wang <debugwang@tencent.com>
 Deep Shah <deep.shah@samsung.com>
 Deepak Dilip Borade <deepak.db@samsung.com>
@@ -364,6 +371,7 @@ Diana Suvorova <diana.suvorova@gmail.com>
 Diego Fernández Santos <agujaydedal@gmail.com>
 Diego Ferreiro Val <elfogris@gmail.com>
 Dillon Sellars <dill.sellars@gmail.com>
+Dingming Liu <liudingming@bytedance.com>
 Divya Bansal <divya.bansal@samsung.com>
 Dmitry Shachnev <mitya57@gmail.com>
 Dmitry Sokolov <dimanne@gmail.com>
@@ -500,6 +508,7 @@ Hansel Lee <mr.hansel.lee@gmail.com>
 Hanwen Zheng <eserinc.z@gmail.com>
 Hao Li <hao.x.li@intel.com>
 Haojian Wu <hokein.wu@gmail.com>
+Haoran Tang <haoran.tang.personal@gmail.com>
 Haoxuan Zhang <zhanghaoxuan.59@bytedance.com>
 Hari Singh <hari.singh1@samsung.com>
 Harpreet Singh Khurana <harpreet.sk@samsung.com>
@@ -573,6 +582,7 @@ Ivan Naydonov <samogot@gmail.com>
 Ivan Pavlotskiy <ivan.pavlotskiy@lgepartner.com>
 Ivan Sham <ivansham@amazon.com>
 Ivan Sidorov <ivansid@gmail.com>
+Jacek Fedoryński <jfedor@gmail.com>
 Jack Bates <jack@nottheoilrig.com>
 Jack Shi <flystone2020@gmail.com>
 Jackson Loeffler <j@jloeffler.com>
@@ -580,6 +590,7 @@ Jacky Hu <flameddd@gmail.com>
 Jacob Clark <jacob.jh.clark@googlemail.com>
 Jacob Mandelson <jacob@mandelson.org>
 Jaehun Lim <ljaehun.lim@samsung.com>
+Jaehyun Chung <jaehyun.chung@amd.com>
 Jaehyun Ko <jaehyun.dev@gmail.com>
 Jaehyun Lee <j-hyun.lee@samsung.com>
 Jaekyeom Kim <btapiz@gmail.com>
@@ -619,8 +630,10 @@ Jared Wein <weinjared@gmail.com>
 Jari Karppanen <jkarp@amazon.com>
 Jason Gronn <jasontopia03@gmail.com>
 Javayhu <javayhu@gmail.com>
+Jay Kapadia <jaykapadia389@gmail.com>
 Jay Oster <jay@kodewerx.org>
 Jay Soffian <jaysoffian@gmail.com>
+Jay Yang <sjyang1126@gmail.com>
 Jeado Ko <haibane84@gmail.com>
 Jeffrey C <jeffreyca16@gmail.com>
 Jeffrey Yeung <jeffrey.yeung@poly.com>
@@ -719,6 +732,7 @@ Joseph Lolak <joseph.lolak@samsung.com>
 Josh Triplett <josh.triplett@intel.com>
 Josh Triplett <josh@joshtriplett.org>
 Joshua Lock <joshua.lock@intel.com>
+Joshua Olaoye <joshuaolaoye46@gmail.com>
 Joshua Roesslein <jroesslein@gmail.com>
 Josué Ratelle <jorat1346@gmail.com>
 Josyula Venkat Narasimham <venkat.nj@samsung.com>
@@ -753,7 +767,7 @@ Jüri Valdmann <juri.valdmann@qt.io>
 Juyoung Kim <chattank05@gmail.com>
 Jingge Yu <jinggeyu423@gmail.com>
 Jing Peiyang <jingpeiyang@eswincomputing.com>
-Jinli Wu <wujinli.cn@gmail.com>
+Jinli Wu <wujinli@bytedance.com>
 K. M. Merajul Arefin <m.arefin@samsung.com>
 Kai Jiang <jiangkai@gmail.com>
 Kai Köhne <kai.koehne@qt.io>
@@ -768,6 +782,7 @@ Kangyuan Shu <kangyuan.shu@intel.com>
 Karan Thakkar <karanjthakkar@gmail.com>
 Karel Král <kralkareliv@gmail.com>
 Karl <karlpolicechromium@gmail.com>
+Karl Piper <karl4piper@gmail.com>
 Kartikey Bhatt <kartikey@amazon.com>
 Kaspar Brand <googlecontrib@velox.ch>
 Kaushalendra Mishra <k.mishra@samsung.com>
@@ -927,6 +942,7 @@ Martin Persson <mnpn03@gmail.com>
 Martin Rogalla <martin@martinrogalla.com>
 Martina Kollarova <martina.kollarova@intel.com>
 Martino Fontana <tinozzo123@gmail.com>
+Marvin Giessing <marvin.giessing@gmail.com>
 Masahiro Yado <yado.masa@gmail.com>
 Masaru Nishida <msr.i386@gmail.com>
 Masayuki Wakizaka <mwakizaka0108@gmail.com>
@@ -937,6 +953,7 @@ Mathieu Meisser <mmeisser@logitech.com>
 Matt Arpidone <mma.public@gmail.com>
 Matt Fysh <mattfysh@gmail.com>
 Matt Harding <majaharding@gmail.com>
+Matt Jolly <kangie@gentoo.org>
 Matt Strum <mstrum@amazon.com>
 Matt Zeunert <matt@mostlystatic.com>
 Matthew "strager" Glazar <strager.nds@gmail.com>
@@ -960,16 +977,19 @@ Mc Zeng <zengmcong@gmail.com>
 Md Abdullah Al Alamin <a.alamin.cse@gmail.com>
 Md. Hasanur Rashid <hasanur.r@samsung.com>
 Md Hasibul Hasan <hasibulhasan873@gmail.com>
+Md Hasibul Hasan <hasibul.h@samsung.com>
 Md Jobed Hossain <jobed.h@samsung.com>
 Md Raiyan bin Sayeed <mrbsayee@uwaterloo.ca>
 Md. Sadiqul Amin <sadiqul.amin@samsung.com>
 Md Sami Uddin <md.sami@samsung.com>
+Mego Tan <tannal2409@gmail.com>
 Merajul Arefin <merajularefin@gmail.com>
 Micha Hanselmann <micha.hanselmann@gmail.com>
 Michael Cirone <mikecirone@gmail.com>
 Michael Constant <mconst@gmail.com>
 Michael Forney <mforney@mforney.org>
 Michael Gilbert <floppymaster@gmail.com>
+Michael Herrmann <michael@herrmann.io>
 Michael Kolomeytsev <michael.kolomeytsev@gmail.com>
 Michael Lopez <lopes92290@gmail.com>
 Michael Morrison <codebythepound@gmail.com>
@@ -990,6 +1010,7 @@ Milko Leporis <milko.leporis@imgtec.com>
 Milton Chiang <milton.chiang@mediatek.com>
 Milutin Smiljanic <msmiljanic.gm@gmail.com>
 Minchul Kang <tegongkang@gmail.com>
+Ming Lei <minggeorgelei@gmail.com>
 Mingeun Park <mindal99546@gmail.com>
 Minggang Wang <minggang.wang@intel.com>
 Mingmin Xie <melvinxie@gmail.com>
@@ -1006,10 +1027,14 @@ Mitchell Cohen <mitchell@agilebits.com>
 Miyoung Shin <myid.shin@navercorp.com>
 Mohamed I. Hammad <ibraaaa@gmail.com>
 Mohamed Mansour <m0.interactive@gmail.com>
+Mohamed Hany Youns <mohamedhyouns@gmail.com>
 Mohammad Azam <m.azam@samsung.com>
+MohammadSabri <mohammad.kh.sabri@exalt.ps>
+Mohammed Ashraf <mohammedashraf4599@gmail.com>
 Mohammed Wajahat Ali Siddiqui <wajahat.s@samsung.com>
 Mohan Reddy <mohan.reddy@samsung.com>
 Mohit Bhalla <bhallam@amazon.com>
+Mohraiel Matta <mohraielmatta@gmail.com>
 Moiseanu Rares-Marian <moiseanurares@gmail.com>
 Momoka Yamamoto <momoka.my6@gmail.com>
 Momoko Hattori <momohatt10@gmail.com>
@@ -1047,6 +1072,7 @@ Nidhi Jaju <nidhijaju127@gmail.com>
 Niek van der Maas <mail@niekvandermaas.nl>
 Nik Pavlov <nikita.pavlov.dev@gmail.com>
 Nikhil Bansal <n.bansal@samsung.com>
+Nikhil Meena <iakhilmeena@gmail.com>
 Nikhil Sahni <nikhil.sahni@samsung.com>
 Nikita Ofitserov <himikof@gmail.com>
 Niklas Hambüchen <mail@nh2.me>
@@ -1275,6 +1301,7 @@ Sergei Poletaev <spylogsster@gmail.com>
 Sergei Romanov <rsv.981@gmail.com>
 Sergey Romanov <svromanov@sberdevices.ru>
 Sergey Kipet <sergey.kipet@gmail.com>
+Sergey Markelov <sergionso@gmail.com>
 Sergey Putilin <p.sergey@samsung.com>
 Sergey Shekyan <shekyan@gmail.com>
 Sergey Talantov <sergey.talantov@gmail.com>
@@ -1285,6 +1312,7 @@ Serhii Matrunchyk <sergiy.matrunchyk@gmail.com>
 Seshadri Mahalingam <seshadri.mahalingam@gmail.com>
 Seungkyu Lee <zx6658@gmail.com>
 Sevan Janiyan <venture37@geeklan.co.uk>
+Shaheen Fazim <fazim.pentester@gmail.com>
 Shahriar Rostami <shahriar.rostami@gmail.com>
 Shail Singhal <shail.s@samsung.com>
 Shane Hansen <shanemhansen@gmail.com>
@@ -1442,6 +1470,7 @@ Tom Harwood <tfh@skip.org>
 Tomas Popela <tomas.popela@gmail.com>
 Tomasz Edward Posłuszny <tom@devpeer.net>
 Tony Shen <legendmastertony@gmail.com>
+Topi Lassila <tolassila@gmail.com>
 Torsten Kurbad <google@tk-webart.de>
 Toshihito Kikuchi <leamovret@gmail.com>
 Toshiaki Tanaka <zokutyou2@gmail.com>
@@ -1485,6 +1514,7 @@ Vishal Bhatnagar <vishal.b@samsung.com>
 Vishal Lingam <vishal.reddy@samsung.com>
 Vitaliy Kharin <kvserr@gmail.com>
 Vivek Galatage <vivek.vg@samsung.com>
+Vlad Zahorodnii <vlad.zahorodnii@kde.org>
 Volker Sorge <volker.sorge@gmail.com>
 Waihung Fu <fufranci@amazon.com>
 wafuwafu13 <mariobaske@i.softbank.jp>
@@ -1492,6 +1522,7 @@ Wojciech Bielawski <wojciech.bielawski@gmail.com>
 Wang Chen <wangchen20@iscas.ac.cn>
 Wang Chen <unicornxw@gmail.com>
 Wang Weiwei <wangww@dingdao.com>
+Wang Zirui <kingzirvi@gmail.com>
 Wangyang Dai <jludwy@gmail.com>
 Wanming Lin <wanming.lin@intel.com>
 Wei Li <wei.c.li@intel.com>
@@ -1600,6 +1631,7 @@ Zeqin Chen <talonchen@tencent.com>
 Zhanbang He <hezhanbang@gmail.com>
 Zhang Hao <zhanghao.m@bytedance.com>
 Zhang Hao <15686357310a@gmail.com>
+Zhao Qin <qzmiss@gmail.com>
 Zhaoming Jiang <zhaoming.jiang@intel.com>
 Zhaoze Zhou <zhaoze.zhou@partner.samsung.com>
 Zheda Chen <zheda.chen@intel.com>
@@ -1625,6 +1657,7 @@ Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
 迷渡 <justjavac@gmail.com>
 郑苏波 (Super Zheng) <superzheng@tencent.com>
 一丝 (Yisi) <yiorsi@gmail.com>
+林训杰 (XunJie Lin) <wick.linxunjie@gmail.com>
 # Please DO NOT APPEND here. See comments at the top of the file.
 # END individuals section.
 
@@ -1654,6 +1687,7 @@ EngFlow, Inc. <*@engflow.com>
 Estimote, Inc. <*@estimote.com>
 Google Inc. <*@google.com>
 Grammarly, Inc. <*@grammarly.com>
+Here Inc. <*@here.io>
 Hewlett-Packard Development Company, L.P. <*@hp.com>
 HyperConnect Inc. <*@hpcnt.com>
 IBM Inc. <*@*.ibm.com>
@@ -1683,6 +1717,7 @@ NVIDIA Corporation <*@nvidia.com>
 OpenFin Inc. <*@openfin.co>
 Opera Software ASA <*@opera.com>
 Optical Tone Ltd <*@opticaltone.com>
+Palo Alto Networks, Inc. <*@paloaltonetworks.com>
 Pengutronix e.K. <*@pengutronix.de>
 Quality First Software GmbH <*@qf-software.com>
 Rakuten Kobo Inc. <*@kobo.com>

src/BUILD.gn

@@ -12,7 +12,6 @@ import("//build/config/compiler/compiler.gni")
 import("//build/config/cronet/config.gni")
 import("//build/config/dcheck_always_on.gni")
 import("//build/config/features.gni")
-import("//build/config/ios/config.gni")
 import("//build/config/rust.gni")
 import("//build/config/sanitizers/sanitizers.gni")
 import("//build/config/ui.gni")

src/base/BUILD.gn

@@ -25,12 +25,9 @@ import("//build/buildflag_header.gni")
 import("//build/config/arm.gni")
 import("//build/config/c++/c++.gni")
 import("//build/config/cast.gni")
-import("//build/config/chromeos/ui_mode.gni")
 import("//build/config/compiler/compiler.gni")
 import("//build/config/cronet/config.gni")
 import("//build/config/dcheck_always_on.gni")
-import("//build/config/features.gni")
-import("//build/config/ios/config.gni")
 import("//build/config/logging.gni")
 import("//build/config/nacl/config.gni")
 import("//build/config/profiling/profiling.gni")
@@ -43,6 +40,9 @@ import("//build/util/process_version.gni")
 import("//build_overrides/build.gni")
 
 if (is_ios) {
+  # Used to access target_environment and target_platform.
+  import("//build/config/apple/mobile_config.gni")
+
   # Used to access ios_is_app_extension variable definition.
   import("//build/config/ios/ios_sdk.gni")
 }
@@ -101,30 +101,6 @@ if (is_fuchsia) {
   import("//third_party/fuchsia-gn-sdk/src/fidl_library.gni")
 }
 
-# The Rust implementation of base::JSONReader. NaCl depends on base and doesn't
-# have a Rust toolchain, so we need a fallback to C++ for it until it removes
-# its dependency on //base.
-#
-# TODO(crbug.com/40811643): Drop toolchain_has_rust and move the C++ parser into
-# components/nacl to just run in-process there. Don't compile base::JSONReader
-# on NaCL at all.
-build_rust_json_reader = toolchain_has_rust && enable_rust_json
-
-# Rust to C++ type conversions. Also can not be enabled while NaCl depends on
-# //base.
-build_rust_base_conversions = toolchain_has_rust && enable_rust_base_conversions
-
-assert(build_rust_base_conversions || !build_rust_json_reader,
-       "Cannot enable Rust JSON decoder without also base conversions")
-
-buildflag_header("rust_buildflags") {
-  header = "rust_buildflags.h"
-  flags = [
-    "BUILD_RUST_JSON_READER=$build_rust_json_reader",
-    "BUILD_RUST_BASE_CONVERSIONS=$build_rust_base_conversions",
-  ]
-}
-
 if (is_win) {
   # This is in a separate config so the flags can be applied to dependents.
   # ldflags in GN aren't automatically inherited.
@@ -194,8 +170,6 @@ component("base") {
     "allocator/dispatcher/internal/dispatch_data.h",
     "allocator/dispatcher/internal/dispatcher_internal.h",
     "allocator/dispatcher/internal/tools.h",
-    "allocator/dispatcher/memory_tagging.cc",
-    "allocator/dispatcher/memory_tagging.h",
     "allocator/dispatcher/notification_data.h",
     "allocator/dispatcher/reentry_guard.cc",
     "allocator/dispatcher/reentry_guard.h",
@@ -206,6 +180,7 @@ component("base") {
     "at_exit.h",
     "atomic_ref_count.h",
     "atomic_sequence_num.h",
+    "atomicops.cc",
     "atomicops.h",
     "atomicops_internals_atomicword_compat.h",
     "atomicops_internals_portable.h",
@@ -237,11 +212,11 @@ component("base") {
     "compiler_specific.h",
     "component_export.h",
     "containers/adapters.h",
+    "containers/adapters_internal.h",
     "containers/buffer_iterator.h",
     "containers/checked_iterators.h",
     "containers/circular_deque.h",
     "containers/contains.h",
-    "containers/dynamic_extent.h",
     "containers/enum_set.h",
     "containers/extend.h",
     "containers/fixed_flat_map.h",
@@ -268,8 +243,6 @@ component("base") {
     "containers/unique_ptr_adapters.h",
     "containers/util.h",
     "containers/vector_buffer.h",
-    "cpu_reduction_experiment.cc",
-    "cpu_reduction_experiment.h",
     "critical_closure.h",
     "dcheck_is_on.h",
     "debug/alias.cc",
@@ -292,6 +265,7 @@ component("base") {
     "export_template.h",
     "feature_list.cc",
     "feature_list.h",
+    "feature_visitor.h",
     "features.cc",
     "features.h",
     "file_version_info.h",
@@ -358,6 +332,7 @@ component("base") {
     "location.h",
     "logging.cc",
     "logging.h",
+    "logging/log_severity.h",
     "macros/concat.h",
     "macros/if.h",
     "macros/is_empty.h",
@@ -365,6 +340,7 @@ component("base") {
     "macros/uniquify.h",
     "memory/aligned_memory.cc",
     "memory/aligned_memory.h",
+    "memory/asan_interface.h",
     "memory/free_deleter.h",
     "memory/memory_pressure_listener.cc",
     "memory/memory_pressure_listener.h",
@@ -390,7 +366,6 @@ component("base") {
     "memory/raw_ptr_cast.h",
     "memory/raw_ptr_exclusion.h",
     "memory/raw_ref.h",
-    "memory/raw_scoped_refptr_mismatch_checker.h",
     "memory/raw_span.h",
     "memory/read_only_shared_memory_region.cc",
     "memory/read_only_shared_memory_region.h",
@@ -427,6 +402,8 @@ component("base") {
     "memory/weak_ptr.h",
     "memory/writable_shared_memory_region.cc",
     "memory/writable_shared_memory_region.h",
+    "message_loop/io_watcher.cc",
+    "message_loop/io_watcher.h",
     "message_loop/message_pump.cc",
     "message_loop/message_pump.h",
     "message_loop/message_pump_default.cc",
@@ -480,6 +457,7 @@ component("base") {
     "metrics/record_histogram_checker.h",
     "metrics/sample_map.cc",
     "metrics/sample_map.h",
+    "metrics/sample_map_iterator.h",
     "metrics/sample_vector.cc",
     "metrics/sample_vector.h",
     "metrics/single_sample_metrics.cc",
@@ -539,16 +517,18 @@ component("base") {
     "process/process_info.h",
     "process/set_process_title.cc",
     "process/set_process_title.h",
-    "profiler/call_stack_profile_params.h",
+    "profiler/core_unwinders.h",
     "profiler/frame.cc",
     "profiler/frame.h",
     "profiler/metadata_recorder.cc",
     "profiler/metadata_recorder.h",
     "profiler/module_cache.cc",
     "profiler/module_cache.h",
-    "profiler/process_type.h",
+    "profiler/periodic_sampling_scheduler.cc",
+    "profiler/periodic_sampling_scheduler.h",
     "profiler/profile_builder.h",
     "profiler/register_context.h",
+    "profiler/register_context_registers.h",
     "profiler/sample_metadata.cc",
     "profiler/sample_metadata.h",
     "profiler/sampling_profiler_thread_token.cc",
@@ -567,18 +547,19 @@ component("base") {
     "profiler/stack_unwind_data.h",
     "profiler/suspendable_thread_delegate.h",
     "profiler/thread_delegate.h",
+    "profiler/thread_group_profiler.cc",
+    "profiler/thread_group_profiler.h",
+    "profiler/thread_group_profiler_client.h",
     "profiler/unwinder.cc",
     "profiler/unwinder.h",
     "rand_util.cc",
     "rand_util.h",
-    "ranges/algorithm.h",
-    "ranges/from_range.h",
-    "ranges/functional.h",
-    "ranges/ranges.h",
     "run_loop.cc",
     "run_loop.h",
     "sampling_heap_profiler/lock_free_address_hash_set.cc",
     "sampling_heap_profiler/lock_free_address_hash_set.h",
+    "sampling_heap_profiler/lock_free_bloom_filter.cc",
+    "sampling_heap_profiler/lock_free_bloom_filter.h",
     "sampling_heap_profiler/poisson_allocation_sampler.cc",
     "sampling_heap_profiler/poisson_allocation_sampler.h",
     "sampling_heap_profiler/sampling_heap_profiler.cc",
@@ -603,6 +584,7 @@ component("base") {
     "strings/abseil_string_number_conversions.cc",
     "strings/abseil_string_number_conversions.h",
     "strings/cstring_view.h",
+    "strings/durable_string_view.h",
     "strings/escape.cc",
     "strings/escape.h",
     "strings/latin1_string_conversions.cc",
@@ -613,12 +595,14 @@ component("base") {
     "strings/pattern.h",
     "strings/safe_sprintf.cc",
     "strings/safe_sprintf.h",
+    "strings/span_printf.h",
     "strings/strcat.cc",
     "strings/strcat.h",
     "strings/strcat_internal.h",
     "strings/string_number_conversions.cc",
     "strings/string_number_conversions.h",
     "strings/string_number_conversions_internal.h",
+    "strings/string_slice.h",
     "strings/string_split.cc",
     "strings/string_split.h",
     "strings/string_split_internal.h",
@@ -649,6 +633,8 @@ component("base") {
     "supports_user_data.h",
     "synchronization/atomic_flag.cc",
     "synchronization/atomic_flag.h",
+    "synchronization/cancelable_event.cc",
+    "synchronization/cancelable_event.h",
     "synchronization/condition_variable.h",
     "synchronization/lock.cc",
     "synchronization/lock.h",
@@ -704,7 +690,6 @@ component("base") {
     "task/sequence_manager/enqueue_order_generator.h",
     "task/sequence_manager/fence.cc",
     "task/sequence_manager/fence.h",
-    "task/sequence_manager/lazily_deallocated_deque.h",
     "task/sequence_manager/sequence_manager.cc",
     "task/sequence_manager/sequence_manager.h",
     "task/sequence_manager/sequence_manager_impl.cc",
@@ -883,6 +868,8 @@ component("base") {
     "trace_event/heap_profiler_allocation_context.h",
     "trace_event/heap_profiler_allocation_context_tracker.cc",
     "trace_event/heap_profiler_allocation_context_tracker.h",
+    "trace_event/histogram_scope.cc",
+    "trace_event/histogram_scope.h",
     "trace_event/memory_allocator_dump_guid.cc",
     "trace_event/memory_allocator_dump_guid.h",
     "trace_event/named_trigger.cc",
@@ -892,6 +879,7 @@ component("base") {
     "traits_bag.h",
     "tuple.h",
     "types/always_false.h",
+    "types/cxx23_from_range.h",
     "types/cxx23_is_scoped_enum.h",
     "types/cxx23_to_underlying.h",
     "types/expected.h",
@@ -905,11 +893,14 @@ component("base") {
     "types/optional_ref.h",
     "types/optional_util.h",
     "types/pass_key.h",
+    "types/same_as_any.h",
     "types/strong_alias.h",
     "types/supports_ostream_operator.h",
+    "types/supports_to_string.h",
     "types/to_address.h",
     "types/token_type.h",
     "types/variant_util.h",
+    "types/zip.h",
     "unguessable_token.cc",
     "unguessable_token.h",
     "uuid.cc",
@@ -1002,10 +993,6 @@ component("base") {
     ]
   }
 
-  if (is_chromeos_ash) {
-    sources += [ "feature_visitor.h" ]
-  }
-
   if (is_linux || is_chromeos || is_android) {
     sources += [
       "files/file_path_watcher_inotify.cc",
@@ -1050,12 +1037,8 @@ component("base") {
   # to provide the appropriate `#define` here.
   defines += [ "IS_RAW_PTR_IMPL" ]
 
-  if (build_rust_json_reader) {
+  # native_unwinder_android is split into a separate target to avoid pulling
-    deps += [ "//third_party/rust/serde_json_lenient/v0_2/wrapper" ]
+  # libunwindstack dependencies into cronet's base.
-  }
-
-  # native_unwinder_android is intended for use solely via a dynamic feature
-  # module, to avoid increasing Chrome's executable size.
   assert_no_deps = [ ":native_unwinder_android" ]
 
   public_deps = [
@@ -1067,12 +1050,10 @@ component("base") {
     ":debugging_buildflags",
     ":feature_list_buildflags",
     ":ios_cronet_buildflags",
-    ":logging_buildflags",
     ":orderfile_buildflags",
     ":power_monitor_buildflags",
     ":profiler_buildflags",
     ":protected_memory_buildflags",
-    ":rust_buildflags",
     ":sanitizer_buildflags",
     ":synchronization_buildflags",
     ":tracing_buildflags",
@@ -1081,20 +1062,12 @@ component("base") {
     "//base/numerics:base_numerics",
     "//base/third_party/icu",
     "//build:chromecast_buildflags",
-    "//build:chromeos_buildflags",
     "//third_party/abseil-cpp:absl",
   ]
 
-  if (build_rust_base_conversions) {
+  # TODO(crbug.com/354842935): Remove this dependency once other modules don't
-    sources += [
+  # accidentally (transitively) depend on it anymore.
-      "containers/span_rust.h",
+  public_deps += [ "//build:chromeos_buildflags" ]
-      "strings/string_view_rust.h",
-    ]
-
-    # Base provides conversions between CXX types and base types (e.g.
-    # std::string_view).
-    public_deps += [ "//build/rust:cxx_cppdeps" ]
-  }
 
   # Needed for <atomic> if using newer C++ library than sysroot, except if
   # building inside the cros_sdk environment - use host_toolchain as a
@@ -1143,7 +1116,8 @@ component("base") {
       "android/scoped_hardware_buffer_fence_sync.h",
       "android/scoped_hardware_buffer_handle.cc",
       "android/scoped_hardware_buffer_handle.h",
-      "android/sys_utils.h",
+      "android/scoped_input_event.cc",
+      "android/scoped_input_event.h",
       "debug/stack_trace_android.cc",
       "files/file_util_android.cc",
       "files/scoped_file_android.cc",
@@ -1183,18 +1157,12 @@ component("base") {
     # well when doing a component build.
     public_configs = [ ":android_system_libs" ]
 
-    if (can_unwind_with_cfi_table) {
-      sources += [
-        "trace_event/cfi_backtrace_android.cc",
-        "trace_event/cfi_backtrace_android.h",
-      ]
-    }
     if (current_cpu == "arm") {
       sources += [
-        "profiler/chrome_unwind_info_android.cc",
+        "profiler/chrome_unwind_info_android_32.cc",
-        "profiler/chrome_unwind_info_android.h",
+        "profiler/chrome_unwind_info_android_32.h",
-        "profiler/chrome_unwinder_android.cc",
+        "profiler/chrome_unwinder_android_32.cc",
-        "profiler/chrome_unwinder_android.h",
+        "profiler/chrome_unwinder_android_32.h",
       ]
     }
 
@@ -1220,7 +1188,6 @@ component("base") {
   if (is_robolectric) {
     # Make jni.h available.
     configs += [ "//third_party/jdk" ]
-    deps += [ ":base_robolectric_jni" ]
   }
   if (is_robolectric) {
     sources += [
@@ -1229,6 +1196,8 @@ component("base") {
       "android/callback_android.cc",
       "android/callback_android.h",
       "android/command_line_android.cc",
+      "android/int_string_callback.cc",
+      "android/int_string_callback.h",
       "android/java_exception_reporter.cc",
       "android/java_exception_reporter.h",
       "android/jni_android.cc",
@@ -1237,6 +1206,8 @@ component("base") {
       "android/jni_array.h",
       "android/jni_bytebuffer.cc",
       "android/jni_bytebuffer.h",
+      "android/jni_callback.cc",
+      "android/jni_callback.h",
       "android/jni_registrar.cc",
       "android/jni_registrar.h",
       "android/jni_string.cc",
@@ -1244,8 +1215,13 @@ component("base") {
       "android/jni_utils.cc",
       "android/jni_utils.h",
       "android/jni_weak_ref.h",
+      "android/library_loader/anchor_functions.cc",
+      "android/library_loader/anchor_functions.h",
       "android/library_loader/library_loader_hooks.cc",
       "android/library_loader/library_loader_hooks.h",
+      "android/library_loader/library_prefetcher.cc",
+      "android/library_loader/library_prefetcher.h",
+      "android/library_loader/library_prefetcher_hooks.cc",
       "android/native_uma_recorder.cc",
       "android/scoped_java_ref.h",
       "android/token_android.cc",
@@ -1468,6 +1444,8 @@ component("base") {
       "debug/crash_logging.h",
       "debug/stack_trace.cc",
       "debug/stack_trace.h",
+      "files/drive_info.cc",
+      "files/drive_info.h",
       "files/file_enumerator.cc",
       "files/file_enumerator.h",
       "files/file_proxy.cc",
@@ -1484,6 +1462,8 @@ component("base") {
       "files/scoped_temp_file.h",
       "json/json_file_value_serializer.cc",
       "json/json_file_value_serializer.h",
+      "logging/rust_log_integration.cc",
+      "logging/rust_log_integration.h",
       "memory/discardable_memory.cc",
       "memory/discardable_memory.h",
       "memory/discardable_memory_allocator.cc",
@@ -1556,6 +1536,10 @@ component("base") {
         "files/file_util_posix.cc",
         "memory/page_size_posix.cc",
       ]
+
+      if (!is_apple) {
+        sources += [ "files/drive_info_posix.cc" ]
+      }
     }
 
     if ((is_posix && !is_ios) || is_fuchsia) {
@@ -1588,6 +1572,13 @@ component("base") {
     if (is_posix && !is_ios) {
       sources += [ "process/process_posix.cc" ]
     }
+    if (!is_win && !is_chromeos && !is_android && !is_linux) {
+      sources += [ "synchronization/cancelable_event_default.cc" ]
+    }
+
+    if (is_linux || is_chromeos || is_android) {
+      sources += [ "synchronization/cancelable_event_posix.cc" ]
+    }
 
     if (use_blink) {
       sources += [
@@ -1622,8 +1613,12 @@ component("base") {
       ]
     }
     if (use_partition_alloc) {
-      # Add stuff that doesn't work in NaCl.
+      # Add stuff that doesn't work in NaCl or other environments that disable
+      # partition_alloc.
       sources += [
+        "allocator/dispatcher/memory_tagging.cc",
+        "allocator/dispatcher/memory_tagging.h",
+
         # PartitionAlloc uses SpinLock, which doesn't work in NaCl (see below).
         "allocator/miracle_parameter.cc",
         "allocator/miracle_parameter.h",
@@ -1633,15 +1628,9 @@ component("base") {
         "allocator/partition_alloc_support.h",
       ]
     }
-
+    if (use_allocator_shim) {
-    # Need this to pass gn check, because gn check doesn't see
+      public_deps += [ "allocator/partition_allocator:allocator_shim" ]
-    # BUILDFLAG(USE_PARTITION_ALLOC). A linker will remove all
+    }
-    # partition_alloc code if use_partition_alloc = false because no code uses
-    # partition_alloc.
-    public_deps += [
-      "allocator/partition_allocator:partition_alloc",
-      "allocator/partition_allocator:raw_ptr",
-    ]
   }
 
   # Windows.
@@ -1660,6 +1649,7 @@ component("base") {
       "enterprise_util_win.cc",
       "file_version_info_win.cc",
       "file_version_info_win.h",
+      "files/drive_info_win.cc",
       "files/file_enumerator_win.cc",
       "files/file_path_watcher_win.cc",
       "files/file_util_win.cc",
@@ -1687,6 +1677,7 @@ component("base") {
       "process/process_iterator_win.cc",
       "process/process_metrics_win.cc",
       "process/process_win.cc",
+      "profiler/core_unwinders_win.cc",
       "profiler/module_cache_win.cc",
       "profiler/native_unwinder_win.cc",
       "profiler/native_unwinder_win.h",
@@ -1707,6 +1698,7 @@ component("base") {
       "strings/string_util_win.h",
       "strings/sys_string_conversions_win.cc",
       "sync_socket_win.cc",
+      "synchronization/cancelable_event_win.cc",
       "synchronization/condition_variable_win.cc",
       "synchronization/lock_impl_win.cc",
       "synchronization/waitable_event_watcher_win.cc",
@@ -1749,6 +1741,8 @@ component("base") {
       "win/event_trace_controller.h",
       "win/event_trace_provider.cc",
       "win/event_trace_provider.h",
+      "win/hardware_check.cc",
+      "win/hardware_check.h",
       "win/hstring_reference.cc",
       "win/hstring_reference.h",
       "win/i18n.cc",
@@ -1760,10 +1754,12 @@ component("base") {
       "win/message_window.h",
       "win/nt_status.cc",
       "win/nt_status.h",
+      "win/ntsecapi_shim.h",
       "win/object_watcher.cc",
       "win/object_watcher.h",
       "win/patch_util.cc",
       "win/patch_util.h",
+      "win/pdh_shim.h",
       "win/pe_image_reader.cc",
       "win/pe_image_reader.h",
       "win/post_async_results.h",
@@ -1782,6 +1778,7 @@ component("base") {
       "win/scoped_co_mem.h",
       "win/scoped_com_initializer.cc",
       "win/scoped_com_initializer.h",
+      "win/scoped_gdi_object.cc",
       "win/scoped_gdi_object.h",
       "win/scoped_handle.cc",
       "win/scoped_handle.h",
@@ -1821,10 +1818,13 @@ component("base") {
       "win/variant_vector.h",
       "win/vector.cc",
       "win/vector.h",
+      "win/wbemidl_shim.h",
       "win/win_handle_types.h",
       "win/win_handle_types_list.inc",
       "win/win_util.cc",
       "win/win_util.h",
+      "win/winbase_shim.h",
+      "win/wincred_shim.h",
       "win/wincrypt_shim.h",
       "win/window_enumerator.cc",
       "win/window_enumerator.h",
@@ -1838,6 +1838,7 @@ component("base") {
       "win/winrt_foundation_helpers.h",
       "win/winrt_storage_util.cc",
       "win/winrt_storage_util.h",
+      "win/wintrust_shim.h",
       "win/wmi.cc",
       "win/wmi.h",
       "win/wrapped_window_proc.cc",
@@ -1893,8 +1894,8 @@ component("base") {
       "apple/call_with_eh_frame.cc",
       "apple/call_with_eh_frame.h",
       "apple/call_with_eh_frame_asm.S",
-      "apple/dispatch_source_mach.cc",
+      "apple/dispatch_source.cc",
-      "apple/dispatch_source_mach.h",
+      "apple/dispatch_source.h",
       "apple/foundation_util.h",
       "apple/foundation_util.mm",
       "apple/mach_logging.cc",
@@ -1918,16 +1919,16 @@ component("base") {
       "apple/scoped_typeref.h",
       "file_version_info_apple.h",
       "file_version_info_apple.mm",
+      "files/drive_info_apple.mm",
       "files/file_util_apple.mm",
       "memory/platform_shared_memory_mapper_apple.cc",
       "memory/platform_shared_memory_region_apple.cc",
       "message_loop/message_pump_apple.h",
       "message_loop/message_pump_apple.mm",
       "native_library_apple.mm",
-      "process/process_metrics_apple.cc",
+      "process/process_metrics_apple.mm",
       "profiler/module_cache_apple.cc",
       "strings/sys_string_conversions_apple.mm",
-      "synchronization/waitable_event_apple.cc",
       "system/sys_info_apple.mm",
       "threading/platform_thread_apple.mm",
       "time/time_apple.mm",
@@ -1939,11 +1940,17 @@ component("base") {
       "Foundation.framework",
       "Security.framework",
     ]
+
+    if (!is_ios || !use_blink) {
+      sources += [ "synchronization/waitable_event_apple.cc" ]
+    }
   }
 
   # Desktop Mac.
   if (is_mac) {
     sources += [
+      "apple/mach_port_rendezvous.cc",
+      "apple/mach_port_rendezvous.h",
       "enterprise_util.cc",
       "enterprise_util.h",
       "enterprise_util_mac.mm",
@@ -1955,6 +1962,11 @@ component("base") {
       "mac/authorization_util.h",
       "mac/authorization_util.mm",
       "mac/close_nocancel.cc",
+      "mac/code_signature.cc",
+      "mac/code_signature.h",
+      "mac/code_signature_spi.h",
+      "mac/info_plist_data.h",
+      "mac/info_plist_data.mm",
       "mac/launch_application.h",
       "mac/launch_application.mm",
       "mac/launch_services_spi.h",
@@ -1964,10 +1976,10 @@ component("base") {
       "mac/login_util.h",
       "mac/mac_util.h",
       "mac/mac_util.mm",
-      "mac/mach_port_rendezvous.cc",
-      "mac/mach_port_rendezvous.h",
       "mac/os_crash_dumps.cc",
       "mac/os_crash_dumps.h",
+      "mac/process_requirement.cc",
+      "mac/process_requirement.h",
       "mac/scoped_aedesc.h",
       "mac/scoped_authorizationref.h",
       "mac/scoped_authorizationref.mm",
@@ -1993,10 +2005,11 @@ component("base") {
       "process/port_provider_mac.cc",
       "process/port_provider_mac.h",
       "process/process_handle_mac.cc",
-      "process/process_info_mac.cc",
+      "process/process_info_mac.mm",
       "process/process_iterator_mac.cc",
       "process/process_mac.cc",
       "process/process_metrics_mac.cc",
+      "profiler/core_unwinders_mac.cc",
       "profiler/frame_pointer_unwinder.cc",
       "profiler/frame_pointer_unwinder.h",
       "profiler/stack_sampler_mac.cc",
@@ -2015,6 +2028,7 @@ component("base") {
       "ApplicationServices.framework",
       "AppKit.framework",
       "CoreFoundation.framework",
+      "DiskArbitration.framework",
       "IOKit.framework",
       "OpenDirectory.framework",
     ]
@@ -2038,6 +2052,7 @@ component("base") {
       "power_monitor/power_monitor_device_source_ios.mm",
       "process/process_metrics_ios.cc",
       "process/process_metrics_posix.cc",
+      "profiler/core_unwinders_ios.cc",
       "profiler/stack_sampler_ios.cc",
       "system/sys_info_ios.mm",
     ]
@@ -2052,12 +2067,12 @@ component("base") {
 
     if (use_blink) {
       sources += [
+        "apple/mach_port_rendezvous.cc",
+        "apple/mach_port_rendezvous.h",
         "files/file_path_watcher_kqueue.cc",
         "files/file_path_watcher_kqueue.h",
         "files/file_path_watcher_mac.cc",
         "ios/sim_header_shims.h",
-        "mac/mach_port_rendezvous.cc",
-        "mac/mach_port_rendezvous.h",
         "process/kill_ios.cc",
         "process/memory_mac.mm",
         "process/port_provider_mac.cc",
@@ -2065,12 +2080,20 @@ component("base") {
         "process/process_handle_mac.cc",
         "process/process_ios.cc",
         "process/process_iterator_mac.cc",
-        "process/process_mac.cc",
         "process/process_posix.cc",
         "sync_socket_posix.cc",
-        "synchronization/waitable_event_watcher_mac.cc",
+        "synchronization/waitable_event_posix.cc",
+        "synchronization/waitable_event_watcher_posix.cc",
       ]
 
+      if (target_platform == "tvos") {
+        # tvOS apps must be single-process. Build a Process version that does
+        # the bare minimum and does not use Mach ports.
+        sources += [ "process/process_tvos.cc" ]
+      } else {
+        sources += [ "process/process_mac.cc" ]
+      }
+
       # We include launch_mac on simulator builds so unittests can fork.
       if (target_environment == "simulator") {
         sources += [
@@ -2093,6 +2116,11 @@ component("base") {
         "message_loop/message_pump_io_ios.cc",
         "message_loop/message_pump_io_ios.h",
       ]
+    } else if (use_blink) {
+      sources += [
+        "message_loop/message_pump_io_ios_libdispatch.cc",
+        "message_loop/message_pump_io_ios_libdispatch.h",
+      ]
     } else {
       sources += [
         "message_loop/message_pump_kqueue.cc",
@@ -2222,7 +2250,10 @@ component("base") {
   }
 
   if ((is_posix && !is_apple && !is_android) || is_fuchsia) {
-    sources += [ "profiler/stack_sampler_posix.cc" ]
+    sources += [
+      "profiler/core_unwinders_posix.cc",
+      "profiler/stack_sampler_posix.cc",
+    ]
   }
 
   if ((is_posix && !is_apple && !is_android && !is_chromeos) || is_fuchsia) {
@@ -2245,10 +2276,7 @@ component("base") {
   if (enable_base_tracing) {
     sources += [
       "trace_event/auto_open_close_event.h",
-      "trace_event/builtin_categories.cc",
       "trace_event/builtin_categories.h",
-      "trace_event/category_registry.cc",
-      "trace_event/category_registry.h",
       "trace_event/heap_profiler.h",
       "trace_event/interned_args_helper.cc",
       "trace_event/interned_args_helper.h",
@@ -2275,13 +2303,14 @@ component("base") {
       "trace_event/memory_usage_estimator.cc",
       "trace_event/memory_usage_estimator.h",
       "trace_event/optional_trace_event.h",
+      "trace_event/perfetto_proto_appender.cc",
+      "trace_event/perfetto_proto_appender.h",
       "trace_event/process_memory_dump.cc",
       "trace_event/process_memory_dump.h",
       "trace_event/trace_arguments.cc",
       "trace_event/trace_arguments.h",
       "trace_event/trace_buffer.cc",
       "trace_event/trace_buffer.h",
-      "trace_event/trace_category.h",
       "trace_event/trace_config.cc",
       "trace_event/trace_config.h",
       "trace_event/trace_config_category_filter.cc",
@@ -2289,11 +2318,8 @@ component("base") {
       "trace_event/trace_event.h",
       "trace_event/trace_event_impl.cc",
       "trace_event/trace_event_impl.h",
-      "trace_event/trace_event_memory_overhead.cc",
-      "trace_event/trace_event_memory_overhead.h",
       "trace_event/trace_log.cc",
       "trace_event/trace_log.h",
-      "trace_event/trace_log_constants.cc",
       "trace_event/traced_value.cc",
       "trace_event/traced_value.h",
       "trace_event/traced_value_support.h",
@@ -2301,8 +2327,6 @@ component("base") {
       "trace_event/tracing_agent.h",
       "trace_event/typed_macros.h",
       "trace_event/typed_macros_embedder_support.h",
-      "trace_event/typed_macros_internal.cc",
-      "trace_event/typed_macros_internal.h",
       "tracing/perfetto_platform.cc",
       "tracing/perfetto_platform.h",
       "tracing/perfetto_task_runner.cc",
@@ -2329,8 +2353,6 @@ component("base") {
       sources += [
         "trace_event/etw_interceptor_win.cc",
         "trace_event/etw_interceptor_win.h",
-        "trace_event/trace_event_etw_export_win.cc",
-        "trace_event/trace_event_etw_export_win.h",
         "trace_event/trace_logging_minimal_win.cc",
         "trace_event/trace_logging_minimal_win.h",
       ]
@@ -2456,7 +2478,7 @@ buildflag_header("debugging_buildflags") {
 buildflag_header("feature_list_buildflags") {
   header = "feature_list_buildflags.h"
 
-  if (is_chromeos_ash) {
+  if (is_chromeos) {
     flags = [
       "ENABLE_BANNED_BASE_FEATURE_PREFIX=true",
       "BANNED_BASE_FEATURE_PREFIX=\"CrOSLateBoot\"",
@@ -2466,12 +2488,6 @@ buildflag_header("feature_list_buildflags") {
   }
 }
 
-buildflag_header("logging_buildflags") {
-  header = "logging_buildflags.h"
-
-  flags = [ "ENABLE_LOG_ERROR_NOT_REACHED=$enable_log_error_not_reached" ]
-}
-
 buildflag_header("orderfile_buildflags") {
   header = "orderfile_buildflags.h"
   header_dir = "base/android/orderfile"
@@ -2584,10 +2600,7 @@ static_library("base_static") {
     "immediate_crash.h",
   ]
 
-  deps = [
+  deps = [ ":fuzzing_buildflags" ]
-    ":fuzzing_buildflags",
-    "//build:chromeos_buildflags",
-  ]
 
   if (is_win) {
     sources += [

src/base/DEPS

@@ -3,6 +3,7 @@ include_rules = [
   "+third_party/apple_apsl",
   "+third_party/boringssl/src/include",
   "+third_party/ced",
+  "+third_party/fuzztest",
   # We are moving the old jni_generator to jni_zero, some references will remain
   # in //base.
   "+third_party/jni_zero",

src/base/OWNERS

@@ -4,7 +4,6 @@ set noparent
 # NOTE: keep this in sync with global-owners-override@chromium.org owners
 # by emailing lsc-policy@chromium.org when this list changes.
 altimin@chromium.org
-danakj@chromium.org
 dcheng@chromium.org
 fdoray@chromium.org
 gab@chromium.org

src/base/allocator/dispatcher/configuration.h

@@ -21,4 +21,4 @@ constexpr size_t kMaximumNumberOfObservers = 4;
 
 }  // namespace base::allocator::dispatcher::configuration
 
-#endif  // BASE_ALLOCATOR_DISPATCHER_CONFIGURATION_H_
+#endif  // BASE_ALLOCATOR_DISPATCHER_CONFIGURATION_H_

src/base/allocator/dispatcher/dispatcher.cc

@@ -16,7 +16,7 @@
 #endif
 
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC)
-#include "partition_alloc/partition_alloc_hooks.h"
+#include "partition_alloc/partition_alloc_hooks.h"  // nogncheck
 #endif
 
 namespace base::allocator::dispatcher {
@@ -34,7 +34,7 @@ struct Dispatcher::Impl {
 
   void Reset() {
 #if DCHECK_IS_ON()
-    DCHECK([&]() {
+    DCHECK([&] {
       auto const was_set = is_initialized_check_flag_.test_and_set();
       is_initialized_check_flag_.clear();
       return was_set;

src/base/allocator/dispatcher/dispatcher.h

@@ -5,11 +5,11 @@
 #ifndef BASE_ALLOCATOR_DISPATCHER_DISPATCHER_H_
 #define BASE_ALLOCATOR_DISPATCHER_DISPATCHER_H_
 
+#include <memory>
+
 #include "base/allocator/dispatcher/internal/dispatcher_internal.h"
 #include "base/base_export.h"
 
-#include <memory>
-
 namespace base::allocator::dispatcher {
 
 namespace internal {

src/base/allocator/dispatcher/initializer.h

@@ -5,13 +5,13 @@
 #ifndef BASE_ALLOCATOR_DISPATCHER_INITIALIZER_H_
 #define BASE_ALLOCATOR_DISPATCHER_INITIALIZER_H_
 
+#include <tuple>
+#include <utility>
+
 #include "base/allocator/dispatcher/configuration.h"
 #include "base/allocator/dispatcher/dispatcher.h"
 #include "base/allocator/dispatcher/internal/tools.h"
 
-#include <tuple>
-#include <utility>
-
 namespace base::allocator::dispatcher {
 namespace internal {
 

src/base/allocator/dispatcher/internal/dispatch_data.h

@@ -10,11 +10,11 @@
 #include "partition_alloc/buildflags.h"
 
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC)
-#include "partition_alloc/partition_alloc_hooks.h"
+#include "partition_alloc/partition_alloc_hooks.h"  // nogncheck
 #endif
 
 #if PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
-#include "partition_alloc/shim/allocator_shim.h"
+#include "partition_alloc/shim/allocator_shim.h"  // nogncheck
 #endif
 
 namespace base::allocator::dispatcher::internal {

src/base/allocator/dispatcher/internal/dispatcher_internal.h

@@ -16,7 +16,7 @@
 #include "partition_alloc/buildflags.h"
 
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC)
-#include "partition_alloc/partition_alloc_allocation_data.h"
+#include "partition_alloc/partition_alloc_allocation_data.h"  // nogncheck
 #endif
 
 #if PA_BUILDFLAG(USE_ALLOCATOR_SHIM)

src/base/allocator/dispatcher/subsystem.h

@@ -24,4 +24,4 @@ enum class AllocationSubsystem {
 };
 }  // namespace base::allocator::dispatcher
 
-#endif  // BASE_ALLOCATOR_DISPATCHER_SUBSYSTEM_H_
+#endif  // BASE_ALLOCATOR_DISPATCHER_SUBSYSTEM_H_

src/base/allocator/dispatcher/testing/dispatcher_test.h

@@ -24,4 +24,4 @@ struct DispatcherTest : public ::testing::Test {
 
 }  // namespace base::allocator::dispatcher::testing
 
-#endif  // BASE_ALLOCATOR_DISPATCHER_TESTING_DISPATCHER_TEST_H_
+#endif  // BASE_ALLOCATOR_DISPATCHER_TESTING_DISPATCHER_TEST_H_

src/base/allocator/dispatcher/testing/observer_mock.h

@@ -30,4 +30,4 @@ struct ObserverMock {
 }  // namespace testing
 }  // namespace base::allocator::dispatcher
 
-#endif  // BASE_ALLOCATOR_DISPATCHER_TESTING_OBSERVER_MOCK_H_
+#endif  // BASE_ALLOCATOR_DISPATCHER_TESTING_OBSERVER_MOCK_H_

src/base/allocator/dispatcher/tls.cc

@@ -8,14 +8,14 @@
 
 #if USE_LOCAL_TLS_EMULATION()
 
+#include <sys/mman.h>
+
 #include "base/check.h"
 #include "base/dcheck_is_on.h"
 #include "base/debug/crash_logging.h"
 #include "base/immediate_crash.h"
 #include "build/build_config.h"
 
-#include <sys/mman.h>
-
 #if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX)
 #include <sys/prctl.h>
 #endif
@@ -96,7 +96,7 @@ PThreadTLSSystem& PThreadTLSSystem::operator=(PThreadTLSSystem&& other) {
 
 bool PThreadTLSSystem::Setup(
     OnThreadTerminationFunction thread_termination_function,
-    const std::string_view instance_id) {
+    std::string_view instance_id) {
 #if DCHECK_IS_ON()
   // Initialize must happen outside of the allocation path. Therefore, it is
   // secure to verify with DCHECK.

src/base/allocator/dispatcher/tls.h

@@ -17,17 +17,21 @@
 #endif
 
 #if USE_LOCAL_TLS_EMULATION()
+#include <pthread.h>
+
 #include <algorithm>
 #include <atomic>
+#include <functional>
 #include <memory>
 #include <mutex>
 
 #include "base/base_export.h"
 #include "base/check.h"
 #include "base/compiler_specific.h"
-#include "partition_alloc/partition_alloc_constants.h"
 
-#include <pthread.h>
+#if PA_BUILDFLAG(USE_PARTITION_ALLOC)
+#include "partition_alloc/partition_alloc_constants.h"  // nogncheck
+#endif
 
 #if HAS_FEATURE(thread_sanitizer)
 #define DISABLE_TSAN_INSTRUMENTATION __attribute__((no_sanitize("thread")))
@@ -111,7 +115,7 @@ class BASE_EXPORT PThreadTLSSystem {
   // @param thread_termination_function An optional function which will be
   // invoked upon termination of a thread.
   bool Setup(OnThreadTerminationFunction thread_termination_function,
-             const std::string_view instance_id);
+             std::string_view instance_id);
   // Tear down the TLS system. After completing tear down, the thread
   // termination function passed to Setup will not be invoked anymore.
   bool TearDownForTesting();
@@ -199,7 +203,7 @@ template <typename PayloadType,
           size_t AllocationChunkSize,
           bool IsDestructibleForTesting>
 struct ThreadLocalStorage {
-  explicit ThreadLocalStorage(const std::string_view instance_id)
+  explicit ThreadLocalStorage(std::string_view instance_id)
       : root_(AllocateAndInitializeChunk()) {
     Initialize(instance_id);
   }
@@ -207,7 +211,7 @@ struct ThreadLocalStorage {
   // Create a new instance of |ThreadLocalStorage| using the passed allocator
   // and TLS system. This initializes the underlying TLS system and creates the
   // first chunk of data.
-  ThreadLocalStorage(const std::string_view instance_id,
+  ThreadLocalStorage(std::string_view instance_id,
                      AllocatorType allocator,
                      TLSSystemType tls_system)
       : allocator_(std::move(allocator)),
@@ -360,7 +364,7 @@ struct ThreadLocalStorage {
   }
 
   // Perform common initialization during construction of an instance.
-  void Initialize(const std::string_view instance_id) {
+  void Initialize(std::string_view instance_id) {
     // The constructor must be called outside of the allocation path. Therefore,
     // it is secure to verify with CHECK.
 

src/base/allocator/miracle_parameter.h

@@ -166,7 +166,7 @@ Enum GetMiracleParameterAsEnum(
                                    default_value, type, options)            \
   type function_name() {                                                    \
     static const type value = miracle_parameter::GetMiracleParameterAsEnum( \
-        feature, param_name, default_value, base::make_span(options));      \
+        feature, param_name, default_value, base::span(options));           \
     return value;                                                           \
   }
 

src/base/allocator/partition_alloc_features.cc

@@ -12,7 +12,6 @@
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "build/chromecast_buildflags.h"
-#include "build/chromeos_buildflags.h"
 #include "partition_alloc/buildflags.h"
 #include "partition_alloc/partition_alloc_base/time/time.h"
 #include "partition_alloc/partition_alloc_constants.h"
@@ -20,8 +19,22 @@
 #include "partition_alloc/shim/allocator_shim_dispatch_to_noop_on_free.h"
 #include "partition_alloc/thread_cache.h"
 
-namespace base {
+namespace base::features {
-namespace features {
+
+namespace {
+
+static constexpr char kPAFeatureEnabledProcessesStr[] = "enabled-processes";
+static constexpr char kBrowserOnlyStr[] = "browser-only";
+static constexpr char kBrowserAndRendererStr[] = "browser-and-renderer";
+static constexpr char kNonRendererStr[] = "non-renderer";
+static constexpr char kAllProcessesStr[] = "all-processes";
+
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+static constexpr char kRendererOnlyStr[] = "renderer-only";
+static constexpr char kAllChildProcessesStr[] = "all-child-processes";
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
+}  // namespace
 
 BASE_FEATURE(kPartitionAllocUnretainedDanglingPtr,
              "PartitionAllocUnretainedDanglingPtr",
@@ -33,7 +46,8 @@ constexpr FeatureParam<UnretainedDanglingPtrMode>::Option
         {UnretainedDanglingPtrMode::kDumpWithoutCrashing,
          "dump_without_crashing"},
 };
-const base::FeatureParam<UnretainedDanglingPtrMode>
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<UnretainedDanglingPtrMode>
     kUnretainedDanglingPtrModeParam = {
         &kPartitionAllocUnretainedDanglingPtr,
         "mode",
@@ -41,6 +55,10 @@ const base::FeatureParam<UnretainedDanglingPtrMode>
         &kUnretainedDanglingPtrModeOption,
 };
 
+// Note: DPD conflicts with no-op `free()` (see
+// `base::allocator::MakeFreeNoOp()`). No-op `free()` stands down in the
+// presence of DPD, but hypothetically fully launching DPD should prompt
+// a rethink of no-op `free()`.
 BASE_FEATURE(kPartitionAllocDanglingPtr,
              "PartitionAllocDanglingPtr",
 #if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_FEATURE_FLAG)
@@ -54,7 +72,8 @@ constexpr FeatureParam<DanglingPtrMode>::Option kDanglingPtrModeOption[] = {
     {DanglingPtrMode::kCrash, "crash"},
     {DanglingPtrMode::kLogOnly, "log_only"},
 };
-const base::FeatureParam<DanglingPtrMode> kDanglingPtrModeParam{
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<DanglingPtrMode> kDanglingPtrModeParam{
     &kPartitionAllocDanglingPtr,
     "mode",
     DanglingPtrMode::kCrash,
@@ -64,7 +83,8 @@ constexpr FeatureParam<DanglingPtrType>::Option kDanglingPtrTypeOption[] = {
     {DanglingPtrType::kAll, "all"},
     {DanglingPtrType::kCrossTask, "cross_task"},
 };
-const base::FeatureParam<DanglingPtrType> kDanglingPtrTypeParam{
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<DanglingPtrType> kDanglingPtrTypeParam{
     &kPartitionAllocDanglingPtr,
     "type",
     DanglingPtrType::kAll,
@@ -90,7 +110,7 @@ MIRACLE_PARAMETER_FOR_INT(
 
 BASE_FEATURE(kPartitionAllocLargeEmptySlotSpanRing,
              "PartitionAllocLargeEmptySlotSpanRing",
-#if BUILDFLAG(IS_MAC)
+#if BUILDFLAG(IS_MAC) || BUILDFLAG(IS_WIN)
              FEATURE_ENABLED_BY_DEFAULT);
 #else
              FEATURE_DISABLED_BY_DEFAULT);
@@ -102,16 +122,17 @@ BASE_FEATURE(kPartitionAllocWithAdvancedChecks,
 constexpr FeatureParam<PartitionAllocWithAdvancedChecksEnabledProcesses>::Option
     kPartitionAllocWithAdvancedChecksEnabledProcessesOptions[] = {
         {PartitionAllocWithAdvancedChecksEnabledProcesses::kBrowserOnly,
-         "browser-only"},
+         kBrowserOnlyStr},
         {PartitionAllocWithAdvancedChecksEnabledProcesses::kBrowserAndRenderer,
-         "browser-and-renderer"},
+         kBrowserAndRendererStr},
         {PartitionAllocWithAdvancedChecksEnabledProcesses::kNonRenderer,
-         "non-renderer"},
+         kNonRendererStr},
         {PartitionAllocWithAdvancedChecksEnabledProcesses::kAllProcesses,
-         "all-processes"}};
+         kAllProcessesStr}};
-const base::FeatureParam<PartitionAllocWithAdvancedChecksEnabledProcesses>
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<PartitionAllocWithAdvancedChecksEnabledProcesses>
     kPartitionAllocWithAdvancedChecksEnabledProcessesParam{
-        &kPartitionAllocWithAdvancedChecks, "enabled-processes",
+        &kPartitionAllocWithAdvancedChecks, kPAFeatureEnabledProcessesStr,
         PartitionAllocWithAdvancedChecksEnabledProcesses::kBrowserOnly,
         &kPartitionAllocWithAdvancedChecksEnabledProcessesOptions};
 
@@ -119,14 +140,29 @@ BASE_FEATURE(kPartitionAllocSchedulerLoopQuarantine,
              "PartitionAllocSchedulerLoopQuarantine",
              FEATURE_DISABLED_BY_DEFAULT);
 // Scheduler Loop Quarantine's per-branch capacity in bytes.
-const base::FeatureParam<int>
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<int>
     kPartitionAllocSchedulerLoopQuarantineBranchCapacity{
         &kPartitionAllocSchedulerLoopQuarantine,
         "PartitionAllocSchedulerLoopQuarantineBranchCapacity", 0};
+// Scheduler Loop Quarantine's capacity for the UI thread in bytes.
+BASE_FEATURE_PARAM(int,
+                   kPartitionAllocSchedulerLoopQuarantineBrowserUICapacity,
+                   &kPartitionAllocSchedulerLoopQuarantine,
+                   "PartitionAllocSchedulerLoopQuarantineBrowserUICapacity",
+                   0);
 
 BASE_FEATURE(kPartitionAllocZappingByFreeFlags,
              "PartitionAllocZappingByFreeFlags",
              FEATURE_DISABLED_BY_DEFAULT);
+
+BASE_FEATURE(kPartitionAllocEventuallyZeroFreedMemory,
+             "PartitionAllocEventuallyZeroFreedMemory",
+             FEATURE_DISABLED_BY_DEFAULT);
+
+BASE_FEATURE(kPartitionAllocFewerMemoryRegions,
+             "PartitionAllocFewerMemoryRegions",
+             FEATURE_DISABLED_BY_DEFAULT);
 #endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 
 BASE_FEATURE(kPartitionAllocBackupRefPtr,
@@ -140,34 +176,41 @@ BASE_FEATURE(kPartitionAllocBackupRefPtr,
 
 constexpr FeatureParam<BackupRefPtrEnabledProcesses>::Option
     kBackupRefPtrEnabledProcessesOptions[] = {
-        {BackupRefPtrEnabledProcesses::kBrowserOnly, "browser-only"},
+        {BackupRefPtrEnabledProcesses::kBrowserOnly, kBrowserOnlyStr},
         {BackupRefPtrEnabledProcesses::kBrowserAndRenderer,
-         "browser-and-renderer"},
+         kBrowserAndRendererStr},
-        {BackupRefPtrEnabledProcesses::kNonRenderer, "non-renderer"},
+        {BackupRefPtrEnabledProcesses::kNonRenderer, kNonRendererStr},
-        {BackupRefPtrEnabledProcesses::kAllProcesses, "all-processes"}};
+        {BackupRefPtrEnabledProcesses::kAllProcesses, kAllProcessesStr}};
 
-const base::FeatureParam<BackupRefPtrEnabledProcesses>
+BASE_FEATURE_ENUM_PARAM(BackupRefPtrEnabledProcesses,
-    kBackupRefPtrEnabledProcessesParam{
+                        kBackupRefPtrEnabledProcessesParam,
-        &kPartitionAllocBackupRefPtr, "enabled-processes",
+                        &kPartitionAllocBackupRefPtr,
+                        kPAFeatureEnabledProcessesStr,
 #if PA_BUILDFLAG(IS_MAC) && PA_BUILDFLAG(PA_ARCH_CPU_ARM64)
-        BackupRefPtrEnabledProcesses::kNonRenderer,
+                        BackupRefPtrEnabledProcesses::kNonRenderer,
 #else
-        BackupRefPtrEnabledProcesses::kAllProcesses,
+                        BackupRefPtrEnabledProcesses::kAllProcesses,
 #endif
-        &kBackupRefPtrEnabledProcessesOptions};
+                        &kBackupRefPtrEnabledProcessesOptions);
 
 constexpr FeatureParam<BackupRefPtrMode>::Option kBackupRefPtrModeOptions[] = {
     {BackupRefPtrMode::kDisabled, "disabled"},
     {BackupRefPtrMode::kEnabled, "enabled"},
 };
 
-const base::FeatureParam<BackupRefPtrMode> kBackupRefPtrModeParam{
+BASE_FEATURE_ENUM_PARAM(BackupRefPtrMode,
-    &kPartitionAllocBackupRefPtr, "brp-mode", BackupRefPtrMode::kEnabled,
+                        kBackupRefPtrModeParam,
-    &kBackupRefPtrModeOptions};
+                        &kPartitionAllocBackupRefPtr,
+                        "brp-mode",
+                        BackupRefPtrMode::kEnabled,
+                        &kBackupRefPtrModeOptions);
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<int> kBackupRefPtrExtraExtrasSizeParam{
+    &kPartitionAllocBackupRefPtr, "brp-extra-extras-size", 0};
 
 BASE_FEATURE(kPartitionAllocMemoryTagging,
              "PartitionAllocMemoryTagging",
-#if PA_BUILDFLAG(USE_FULL_MTE)
+#if PA_BUILDFLAG(USE_FULL_MTE) || BUILDFLAG(IS_ANDROID)
              FEATURE_ENABLED_BY_DEFAULT
 #else
              FEATURE_DISABLED_BY_DEFAULT
@@ -178,7 +221,8 @@ constexpr FeatureParam<MemtagMode>::Option kMemtagModeOptions[] = {
     {MemtagMode::kSync, "sync"},
     {MemtagMode::kAsync, "async"}};
 
-const base::FeatureParam<MemtagMode> kMemtagModeParam{
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<MemtagMode> kMemtagModeParam{
     &kPartitionAllocMemoryTagging, "memtag-mode",
 #if PA_BUILDFLAG(USE_FULL_MTE)
     MemtagMode::kSync,
@@ -192,23 +236,25 @@ constexpr FeatureParam<RetagMode>::Option kRetagModeOptions[] = {
     {RetagMode::kRandom, "random"},
 };
 
-const base::FeatureParam<RetagMode> kRetagModeParam{
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<RetagMode> kRetagModeParam{
     &kPartitionAllocMemoryTagging, "retag-mode", RetagMode::kIncrement,
     &kRetagModeOptions};
 
 constexpr FeatureParam<MemoryTaggingEnabledProcesses>::Option
     kMemoryTaggingEnabledProcessesOptions[] = {
-        {MemoryTaggingEnabledProcesses::kBrowserOnly, "browser-only"},
+        {MemoryTaggingEnabledProcesses::kBrowserOnly, kBrowserOnlyStr},
-        {MemoryTaggingEnabledProcesses::kNonRenderer, "non-renderer"},
+        {MemoryTaggingEnabledProcesses::kNonRenderer, kNonRendererStr},
-        {MemoryTaggingEnabledProcesses::kAllProcesses, "all-processes"}};
+        {MemoryTaggingEnabledProcesses::kAllProcesses, kAllProcessesStr}};
 
-const base::FeatureParam<MemoryTaggingEnabledProcesses>
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<MemoryTaggingEnabledProcesses>
     kMemoryTaggingEnabledProcessesParam{
-        &kPartitionAllocMemoryTagging, "enabled-processes",
+        &kPartitionAllocMemoryTagging, kPAFeatureEnabledProcessesStr,
 #if PA_BUILDFLAG(USE_FULL_MTE)
         MemoryTaggingEnabledProcesses::kAllProcesses,
 #else
-        MemoryTaggingEnabledProcesses::kBrowserOnly,
+        MemoryTaggingEnabledProcesses::kNonRenderer,
 #endif
         &kMemoryTaggingEnabledProcessesOptions};
 
@@ -227,13 +273,15 @@ BASE_FEATURE(kPartitionAllocPermissiveMte,
 #endif
 );
 
-const base::FeatureParam<bool> kBackupRefPtrAsanEnableDereferenceCheckParam{
+BASE_FEATURE(kAsanBrpDereferenceCheck,
-    &kPartitionAllocBackupRefPtr, "asan-enable-dereference-check", true};
+             "AsanBrpDereferenceCheck",
-const base::FeatureParam<bool> kBackupRefPtrAsanEnableExtractionCheckParam{
+             FEATURE_ENABLED_BY_DEFAULT);
-    &kPartitionAllocBackupRefPtr, "asan-enable-extraction-check",
+BASE_FEATURE(kAsanBrpExtractionCheck,
-    false};  // Not much noise at the moment to enable by default.
+             "AsanBrpExtractionCheck",      // Not much noise at the moment to
-const base::FeatureParam<bool> kBackupRefPtrAsanEnableInstantiationCheckParam{
+             FEATURE_DISABLED_BY_DEFAULT);  // enable by default.
-    &kPartitionAllocBackupRefPtr, "asan-enable-instantiation-check", true};
+BASE_FEATURE(kAsanBrpInstantiationCheck,
+             "AsanBrpInstantiationCheck",
+             FEATURE_ENABLED_BY_DEFAULT);
 
 // If enabled, switches the bucket distribution to a denser one.
 //
@@ -247,29 +295,31 @@ BASE_FEATURE(kPartitionAllocUseDenserDistribution,
              FEATURE_ENABLED_BY_DEFAULT
 #endif  // BUILDFLAG(IS_ANDROID) && defined(ARCH_CPU_32_BITS)
 );
-const base::FeatureParam<BucketDistributionMode>::Option
+const FeatureParam<BucketDistributionMode>::Option
     kPartitionAllocBucketDistributionOption[] = {
         {BucketDistributionMode::kDefault, "default"},
         {BucketDistributionMode::kDenser, "denser"},
 };
-const base::FeatureParam<BucketDistributionMode>
+// Note: Do not use the prepared macro as of no need for a local cache.
-    kPartitionAllocBucketDistributionParam {
+constinit const FeatureParam<BucketDistributionMode>
-  &kPartitionAllocUseDenserDistribution, "mode",
+    kPartitionAllocBucketDistributionParam{
+        &kPartitionAllocUseDenserDistribution, "mode",
 #if BUILDFLAG(IS_ANDROID) && defined(ARCH_CPU_32_BITS)
-      BucketDistributionMode::kDefault,
+        BucketDistributionMode::kDefault,
 #else
-      BucketDistributionMode::kDenser,
+        BucketDistributionMode::kDenser,
 #endif  // BUILDFLAG(IS_ANDROID) && defined(ARCH_CPU_32_BITS)
-      &kPartitionAllocBucketDistributionOption
+        &kPartitionAllocBucketDistributionOption};
-};
 
 BASE_FEATURE(kPartitionAllocMemoryReclaimer,
              "PartitionAllocMemoryReclaimer",
              FEATURE_ENABLED_BY_DEFAULT);
-const base::FeatureParam<TimeDelta> kPartitionAllocMemoryReclaimerInterval = {
+BASE_FEATURE_PARAM(TimeDelta,
-    &kPartitionAllocMemoryReclaimer, "interval",
+                   kPartitionAllocMemoryReclaimerInterval,
-    TimeDelta(),  // Defaults to zero.
+                   &kPartitionAllocMemoryReclaimer,
-};
+                   "interval",
+                   TimeDelta()  // Defaults to zero.
+);
 
 // Configures whether we set a lower limit for renderers that do not have a main
 // frame, similar to the limit that is already done for backgrounded renderers.
@@ -282,16 +332,17 @@ BASE_FEATURE(kLowerPAMemoryLimitForNonMainRenderers,
 BASE_FEATURE(kPartitionAllocStraightenLargerSlotSpanFreeLists,
              "PartitionAllocStraightenLargerSlotSpanFreeLists",
              FEATURE_ENABLED_BY_DEFAULT);
-const base::FeatureParam<
+const FeatureParam<partition_alloc::StraightenLargerSlotSpanFreeListsMode>::
-    partition_alloc::StraightenLargerSlotSpanFreeListsMode>::Option
+    Option kPartitionAllocStraightenLargerSlotSpanFreeListsModeOption[] = {
-    kPartitionAllocStraightenLargerSlotSpanFreeListsModeOption[] = {
         {partition_alloc::StraightenLargerSlotSpanFreeListsMode::
              kOnlyWhenUnprovisioning,
          "only-when-unprovisioning"},
         {partition_alloc::StraightenLargerSlotSpanFreeListsMode::kAlways,
          "always"},
 };
-const base::FeatureParam<partition_alloc::StraightenLargerSlotSpanFreeListsMode>
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<
+    partition_alloc::StraightenLargerSlotSpanFreeListsMode>
     kPartitionAllocStraightenLargerSlotSpanFreeListsMode = {
         &kPartitionAllocStraightenLargerSlotSpanFreeLists,
         "mode",
@@ -324,9 +375,11 @@ BASE_FEATURE(kPageAllocatorRetryOnCommitFailure,
 // The feature: kPartialLowEndModeOnMidRangeDevices is defined in
 // //base/features.cc. Since the following feature param is related to
 // PartitionAlloc, define the param here.
-const FeatureParam<bool> kPartialLowEndModeExcludePartitionAllocSupport{
+BASE_FEATURE_PARAM(bool,
-    &kPartialLowEndModeOnMidRangeDevices, "exclude-partition-alloc-support",
+                   kPartialLowEndModeExcludePartitionAllocSupport,
-    false};
+                   &kPartialLowEndModeOnMidRangeDevices,
+                   "exclude-partition-alloc-support",
+                   false);
 #endif
 
 BASE_FEATURE(kEnableConfigurableThreadCacheMultiplier,
@@ -344,19 +397,19 @@ MIRACLE_PARAMETER_FOR_DOUBLE(GetThreadCacheMultiplierForAndroid,
                              1.)
 
 constexpr partition_alloc::internal::base::TimeDelta ToPartitionAllocTimeDelta(
-    base::TimeDelta time_delta) {
+    TimeDelta time_delta) {
   return partition_alloc::internal::base::Microseconds(
       time_delta.InMicroseconds());
 }
 
-constexpr base::TimeDelta FromPartitionAllocTimeDelta(
+constexpr TimeDelta FromPartitionAllocTimeDelta(
     partition_alloc::internal::base::TimeDelta time_delta) {
-  return base::Microseconds(time_delta.InMicroseconds());
+  return Microseconds(time_delta.InMicroseconds());
 }
 
 BASE_FEATURE(kEnableConfigurableThreadCachePurgeInterval,
              "EnableConfigurableThreadCachePurgeInterval",
-             base::FEATURE_DISABLED_BY_DEFAULT);
+             FEATURE_DISABLED_BY_DEFAULT);
 
 MIRACLE_PARAMETER_FOR_TIME_DELTA(
     GetThreadCacheMinPurgeIntervalValue,
@@ -393,7 +446,7 @@ GetThreadCacheDefaultPurgeInterval() {
 
 BASE_FEATURE(kEnableConfigurableThreadCacheMinCachedMemoryForPurging,
              "EnableConfigurableThreadCacheMinCachedMemoryForPurging",
-             base::FEATURE_DISABLED_BY_DEFAULT);
+             FEATURE_DISABLED_BY_DEFAULT);
 
 MIRACLE_PARAMETER_FOR_INT(
     GetThreadCacheMinCachedMemoryForPurgingBytes,
@@ -413,69 +466,9 @@ BASE_FEATURE(kPartitionAllocDisableBRPInBufferPartition,
              "PartitionAllocDisableBRPInBufferPartition",
              FEATURE_DISABLED_BY_DEFAULT);
 
-#if PA_BUILDFLAG(USE_FREELIST_DISPATCHER)
-BASE_FEATURE(kUsePoolOffsetFreelists,
-             "PartitionAllocUsePoolOffsetFreelists",
-             base::FEATURE_DISABLED_BY_DEFAULT);
-#endif
-
-BASE_FEATURE(kPartitionAllocMakeFreeNoOpOnShutdown,
-             "PartitionAllocMakeFreeNoOpOnShutdown",
-#if PA_BUILDFLAG(IS_CHROMEOS)
-             FEATURE_ENABLED_BY_DEFAULT
-#else
-             FEATURE_DISABLED_BY_DEFAULT
-#endif
-);
-
-constexpr FeatureParam<WhenFreeBecomesNoOp>::Option
-    kPartitionAllocMakeFreeNoOpOnShutdownOptions[] = {
-        {WhenFreeBecomesNoOp::kBeforePreShutdown, "before-preshutdown"},
-        {WhenFreeBecomesNoOp::kBeforeHaltingStartupTracingController,
-         "before-halting-startup-tracing-controller"},
-        {
-            WhenFreeBecomesNoOp::kBeforeShutDownThreads,
-            "before-shutdown-threads",
-        },
-        {
-            WhenFreeBecomesNoOp::kInShutDownThreads,
-            "in-shutdown-threads",
-        },
-        {
-            WhenFreeBecomesNoOp::kAfterShutDownThreads,
-            "after-shutdown-threads",
-        },
-};
-
-const base::FeatureParam<WhenFreeBecomesNoOp>
-    kPartitionAllocMakeFreeNoOpOnShutdownParam{
-        &kPartitionAllocMakeFreeNoOpOnShutdown, "callsite",
-        WhenFreeBecomesNoOp::kBeforePreShutdown,
-        &kPartitionAllocMakeFreeNoOpOnShutdownOptions};
-
-void MakeFreeNoOp(WhenFreeBecomesNoOp callsite) {
-  CHECK(base::FeatureList::GetInstance());
-  // Ignoring `free()` during Shutdown would allow developers to introduce new
-  // dangling pointers. So we want to avoid ignoring free when it is enabled.
-  // Note: For now, the DanglingPointerDetector is only enabled on 5 bots, and
-  // on linux non-official configuration.
-  // TODO(b/40802063): Reconsider this decision after the experiment.
-#if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
-  if (base::FeatureList::IsEnabled(features::kPartitionAllocDanglingPtr)) {
-    return;
-  }
-#endif  // PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
-#if PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
-  if (base::FeatureList::IsEnabled(kPartitionAllocMakeFreeNoOpOnShutdown) &&
-      kPartitionAllocMakeFreeNoOpOnShutdownParam.Get() == callsite) {
-    allocator_shim::InsertNoOpOnFreeAllocatorShimOnShutDown();
-  }
-#endif  // PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
-}
-
 BASE_FEATURE(kPartitionAllocAdjustSizeWhenInForeground,
              "PartitionAllocAdjustSizeWhenInForeground",
-#if BUILDFLAG(IS_MAC)
+#if BUILDFLAG(IS_MAC) || BUILDFLAG(IS_WIN)
              FEATURE_ENABLED_BY_DEFAULT);
 #else
              FEATURE_DISABLED_BY_DEFAULT);
@@ -483,7 +476,25 @@ BASE_FEATURE(kPartitionAllocAdjustSizeWhenInForeground,
 
 BASE_FEATURE(kPartitionAllocUseSmallSingleSlotSpans,
              "PartitionAllocUseSmallSingleSlotSpans",
-             base::FEATURE_DISABLED_BY_DEFAULT);
+             FEATURE_ENABLED_BY_DEFAULT);
 
-}  // namespace features
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
-}  // namespace base
+BASE_FEATURE(kPartitionAllocShadowMetadata,
+             "PartitionAllocShadowMetadata",
+             FEATURE_DISABLED_BY_DEFAULT);
+
+constexpr FeatureParam<ShadowMetadataEnabledProcesses>::Option
+    kShadowMetadataEnabledProcessesOptions[] = {
+        {ShadowMetadataEnabledProcesses::kRendererOnly, kRendererOnlyStr},
+        {ShadowMetadataEnabledProcesses::kAllChildProcesses,
+         kAllChildProcessesStr}};
+
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<ShadowMetadataEnabledProcesses>
+    kShadowMetadataEnabledProcessesParam{
+        &kPartitionAllocShadowMetadata, kPAFeatureEnabledProcessesStr,
+        ShadowMetadataEnabledProcesses::kRendererOnly,
+        &kShadowMetadataEnabledProcessesOptions};
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
+}  // namespace base::features

src/base/allocator/partition_alloc_features.h

@@ -15,16 +15,34 @@
 #include "partition_alloc/partition_alloc_base/time/time.h"
 #include "partition_alloc/partition_root.h"
 
-namespace base {
+namespace base::features {
-namespace features {
 
-extern const BASE_EXPORT Feature kPartitionAllocUnretainedDanglingPtr;
+namespace internal {
+
+enum class PAFeatureEnabledProcesses {
+  // Enabled only in the browser process.
+  kBrowserOnly,
+  // Enabled only in the browser and renderer processes.
+  kBrowserAndRenderer,
+  // Enabled in all processes, except renderer.
+  kNonRenderer,
+  // Enabled only in renderer processes.
+  kRendererOnly,
+  // Enabled in all child processes, except zygote.
+  kAllChildProcesses,
+  // Enabled in all processes.
+  kAllProcesses,
+};
+
+}  // namespace internal
+
+BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocUnretainedDanglingPtr);
 enum class UnretainedDanglingPtrMode {
   kCrash,
   kDumpWithoutCrashing,
 };
-extern const BASE_EXPORT base::FeatureParam<UnretainedDanglingPtrMode>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(UnretainedDanglingPtrMode,
-    kUnretainedDanglingPtrModeParam;
+                                       kUnretainedDanglingPtrModeParam);
 
 // See /docs/dangling_ptr.md
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocDanglingPtr);
@@ -43,8 +61,7 @@ enum class DanglingPtrMode {
 
   // Note: This will be extended with a single shot DumpWithoutCrashing.
 };
-extern const BASE_EXPORT base::FeatureParam<DanglingPtrMode>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(DanglingPtrMode, kDanglingPtrModeParam);
-    kDanglingPtrModeParam;
 enum class DanglingPtrType {
   // Act on any dangling raw_ptr released after being freed.
   kAll,  // (default)
@@ -55,19 +72,10 @@ enum class DanglingPtrType {
 
   // Note: This will be extended with LongLived
 };
-extern const BASE_EXPORT base::FeatureParam<DanglingPtrType>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(DanglingPtrType, kDanglingPtrTypeParam);
-    kDanglingPtrTypeParam;
 
-enum class PartitionAllocWithAdvancedChecksEnabledProcesses {
+using PartitionAllocWithAdvancedChecksEnabledProcesses =
-  // Enabled only in the browser process.
+    internal::PAFeatureEnabledProcesses;
-  kBrowserOnly,
-  // Enabled only in the browser and renderer processes.
-  kBrowserAndRenderer,
-  // Enabled in all processes, except renderer.
-  kNonRenderer,
-  // Enabled in all processes.
-  kAllProcesses,
-};
 
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocLargeThreadCacheSize);
@@ -77,27 +85,34 @@ BASE_EXPORT int GetPartitionAllocLargeThreadCacheSizeValueForLowRAMAndroid();
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocLargeEmptySlotSpanRing);
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocWithAdvancedChecks);
-extern const BASE_EXPORT
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
-    base::FeatureParam<PartitionAllocWithAdvancedChecksEnabledProcesses>
+    PartitionAllocWithAdvancedChecksEnabledProcesses,
-        kPartitionAllocWithAdvancedChecksEnabledProcessesParam;
+    kPartitionAllocWithAdvancedChecksEnabledProcessesParam);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocSchedulerLoopQuarantine);
 // Scheduler Loop Quarantine's per-thread capacity in bytes.
-extern const BASE_EXPORT base::FeatureParam<int>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
-    kPartitionAllocSchedulerLoopQuarantineBranchCapacity;
+    int,
+    kPartitionAllocSchedulerLoopQuarantineBranchCapacity);
+// Scheduler Loop Quarantine's capacity for the UI thread in bytes.
+// TODO(https://crbug.com/387470567): Support more thread types.
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
+    int,
+    kPartitionAllocSchedulerLoopQuarantineBrowserUICapacity);
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocZappingByFreeFlags);
+
+// Eventually zero out most PartitionAlloc memory. This is not meant as a
+// security guarantee, but to increase the compression ratio of PartitionAlloc's
+// fragmented super pages.
+BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocEventuallyZeroFreedMemory);
+
+// Whether to make PartitionAlloc use fewer memory regions. This matters on
+// Linux-based systems, where there is a per-process limit that we hit in some
+// cases. See the comment in PartitionBucket::SlotSpanCOmmitedSize() for detail.
+BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocFewerMemoryRegions);
 #endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 
-enum class BackupRefPtrEnabledProcesses {
+using BackupRefPtrEnabledProcesses = internal::PAFeatureEnabledProcesses;
-  // BRP enabled only in the browser process.
-  kBrowserOnly,
-  // BRP enabled only in the browser and renderer processes.
-  kBrowserAndRenderer,
-  // BRP enabled in all processes, except renderer.
-  kNonRenderer,
-  // BRP enabled in all processes.
-  kAllProcesses,
-};
 
 enum class BackupRefPtrMode {
   // BRP is disabled across all partitions. Equivalent to the Finch flag being
@@ -124,72 +139,46 @@ enum class RetagMode {
   kRandom,
 };
 
-enum class MemoryTaggingEnabledProcesses {
+using MemoryTaggingEnabledProcesses = internal::PAFeatureEnabledProcesses;
-  // Memory tagging enabled only in the browser process.
-  kBrowserOnly,
-  // Memory tagging enabled in all processes, except renderer.
-  kNonRenderer,
-  // Memory tagging enabled in all processes.
-  kAllProcesses,
-};
 
 enum class BucketDistributionMode : uint8_t {
   kDefault,
   kDenser,
 };
 
-// Parameter for 'kPartitionAllocMakeFreeNoOpOnShutdown' feature which
-// controls when free() becomes a no-op during Shutdown()
-enum class WhenFreeBecomesNoOp {
-  kBeforePreShutdown,
-  kBeforeHaltingStartupTracingController,
-  kBeforeShutDownThreads,
-  kInShutDownThreads,
-  kAfterShutDownThreads,
-};
-
-// Inserts a no-op on 'free()' allocator shim at the front of the
-// dispatch chain if called from the appropriate callsite.
-BASE_EXPORT void MakeFreeNoOp(WhenFreeBecomesNoOp callsite);
-
-BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocMakeFreeNoOpOnShutdown);
-extern const BASE_EXPORT base::FeatureParam<WhenFreeBecomesNoOp>
-    kPartitionAllocMakeFreeNoOpOnShutdownParam;
-
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocBackupRefPtr);
-extern const BASE_EXPORT base::FeatureParam<BackupRefPtrEnabledProcesses>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(BackupRefPtrEnabledProcesses,
-    kBackupRefPtrEnabledProcessesParam;
+                                       kBackupRefPtrEnabledProcessesParam);
-extern const BASE_EXPORT base::FeatureParam<BackupRefPtrMode>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(BackupRefPtrMode,
-    kBackupRefPtrModeParam;
+                                       kBackupRefPtrModeParam);
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(int,
+                                       kBackupRefPtrExtraExtrasSizeParam);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocMemoryTagging);
-extern const BASE_EXPORT base::FeatureParam<MemtagMode> kMemtagModeParam;
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(MemtagMode, kMemtagModeParam);
-extern const BASE_EXPORT base::FeatureParam<RetagMode> kRetagModeParam;
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(RetagMode, kRetagModeParam);
-extern const BASE_EXPORT base::FeatureParam<MemoryTaggingEnabledProcesses>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(MemoryTaggingEnabledProcesses,
-    kMemoryTaggingEnabledProcessesParam;
+                                       kMemoryTaggingEnabledProcessesParam);
 // Kill switch for memory tagging. Skips any code related to memory tagging when
 // enabled.
 BASE_EXPORT BASE_DECLARE_FEATURE(kKillPartitionAllocMemoryTagging);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocPermissiveMte);
-extern const BASE_EXPORT base::FeatureParam<bool>
+BASE_EXPORT BASE_DECLARE_FEATURE(kAsanBrpDereferenceCheck);
-    kBackupRefPtrAsanEnableDereferenceCheckParam;
+BASE_EXPORT BASE_DECLARE_FEATURE(kAsanBrpExtractionCheck);
-extern const BASE_EXPORT base::FeatureParam<bool>
+BASE_EXPORT BASE_DECLARE_FEATURE(kAsanBrpInstantiationCheck);
-    kBackupRefPtrAsanEnableExtractionCheckParam;
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(BucketDistributionMode,
-extern const BASE_EXPORT base::FeatureParam<bool>
+                                       kPartitionAllocBucketDistributionParam);
-    kBackupRefPtrAsanEnableInstantiationCheckParam;
-extern const BASE_EXPORT base::FeatureParam<BucketDistributionMode>
-    kPartitionAllocBucketDistributionParam;
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kLowerPAMemoryLimitForNonMainRenderers);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocUseDenserDistribution);
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocMemoryReclaimer);
-extern const BASE_EXPORT base::FeatureParam<TimeDelta>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(TimeDelta,
-    kPartitionAllocMemoryReclaimerInterval;
+                                       kPartitionAllocMemoryReclaimerInterval);
 BASE_EXPORT BASE_DECLARE_FEATURE(
     kPartitionAllocStraightenLargerSlotSpanFreeLists);
-extern const BASE_EXPORT
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
-    base::FeatureParam<partition_alloc::StraightenLargerSlotSpanFreeListsMode>
+    partition_alloc::StraightenLargerSlotSpanFreeListsMode,
-        kPartitionAllocStraightenLargerSlotSpanFreeListsMode;
+    kPartitionAllocStraightenLargerSlotSpanFreeListsMode);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocSortSmallerSlotSpanFreeLists);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocSortActiveSlotSpans);
 
@@ -198,8 +187,9 @@ BASE_EXPORT BASE_DECLARE_FEATURE(kPageAllocatorRetryOnCommitFailure);
 #endif
 
 #if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_CHROMEOS)
-extern const base::FeatureParam<bool>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
-    kPartialLowEndModeExcludePartitionAllocSupport;
+    bool,
+    kPartialLowEndModeExcludePartitionAllocSupport);
 #endif
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kEnableConfigurableThreadCacheMultiplier);
@@ -220,13 +210,6 @@ BASE_EXPORT int GetThreadCacheMinCachedMemoryForPurgingBytes();
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocDisableBRPInBufferPartition);
 
-// This feature is additionally gated behind a buildflag because
-// pool offset freelists cannot be represented when PartitionAlloc uses
-// 32-bit pointers.
-#if PA_BUILDFLAG(USE_FREELIST_DISPATCHER)
-BASE_EXPORT BASE_DECLARE_FEATURE(kUsePoolOffsetFreelists);
-#endif
-
 // When set, partitions use a larger ring buffer and free memory less
 // aggressively when in the foreground.
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocAdjustSizeWhenInForeground);
@@ -237,7 +220,14 @@ BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocAdjustSizeWhenInForeground);
 // See also: https://crbug.com/333443437
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocUseSmallSingleSlotSpans);
 
-}  // namespace features
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
-}  // namespace base
+using ShadowMetadataEnabledProcesses = internal::PAFeatureEnabledProcesses;
+
+BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocShadowMetadata);
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(ShadowMetadataEnabledProcesses,
+                                       kShadowMetadataEnabledProcessesParam);
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
+}  // namespace base::features
 
 #endif  // BASE_ALLOCATOR_PARTITION_ALLOC_FEATURES_H_

src/base/allocator/partition_alloc_support.cc

@@ -4,6 +4,7 @@
 
 #include "base/allocator/partition_alloc_support.h"
 
+#include <algorithm>
 #include <array>
 #include <cinttypes>
 #include <cstdint>
@@ -31,7 +32,6 @@
 #include "base/metrics/histogram_macros.h"
 #include "base/no_destructor.h"
 #include "base/pending_task.h"
-#include "base/ranges/algorithm.h"
 #include "base/strings/string_split.h"
 #include "base/strings/stringprintf.h"
 #include "base/system/sys_info.h"
@@ -48,6 +48,7 @@
 #include "partition_alloc/memory_reclaimer.h"
 #include "partition_alloc/page_allocator.h"
 #include "partition_alloc/partition_alloc_base/debug/alias.h"
+#include "partition_alloc/partition_alloc_base/immediate_crash.h"
 #include "partition_alloc/partition_alloc_base/threading/platform_thread.h"
 #include "partition_alloc/partition_alloc_check.h"
 #include "partition_alloc/partition_alloc_config.h"
@@ -58,6 +59,7 @@
 #include "partition_alloc/pointers/raw_ptr.h"
 #include "partition_alloc/shim/allocator_shim.h"
 #include "partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc.h"
+#include "partition_alloc/shim/allocator_shim_dispatch_to_noop_on_free.h"
 #include "partition_alloc/stack/stack.h"
 #include "partition_alloc/thread_cache.h"
 
@@ -105,12 +107,9 @@ BootloaderOverride GetBootloaderOverride() {
 }
 #endif
 
-// When under this experiment avoid running periodic purging or reclaim for the
+// Avoid running periodic purging or reclaim for the first minute after the
-// first minute after the first attempt. This is based on the insight that
+// first attempt. This is based on the insight that processes often don't live
-// processes often don't live paste this minute.
+// paste this minute.
-static BASE_FEATURE(kDelayFirstPeriodicPAPurgeOrReclaim,
-                    "DelayFirstPeriodicPAPurgeOrReclaim",
-                    base::FEATURE_ENABLED_BY_DEFAULT);
 constexpr base::TimeDelta kFirstPAPurgeOrReclaimDelay = base::Minutes(1);
 
 // This is defined in content/public/common/content_switches.h, which is not
@@ -169,6 +168,8 @@ void MemoryReclaimerSupport::Start(scoped_refptr<TaskRunner> task_runner) {
     return;
   }
 
+  task_runner_ = task_runner;
+
   // The caller of the API fully controls where running the reclaim.
   // However there are a few reasons to recommend that the caller runs
   // it on the main thread:
@@ -184,13 +185,7 @@ void MemoryReclaimerSupport::Start(scoped_refptr<TaskRunner> task_runner) {
   // seconds is useful. Since this is meant to run during idle time only, it is
   // a reasonable starting point balancing effectivenes vs cost. See
   // crbug.com/942512 for details and experimental results.
-  TimeDelta delay;
+  MaybeScheduleTask(kFirstPAPurgeOrReclaimDelay);
-  if (base::FeatureList::IsEnabled(kDelayFirstPeriodicPAPurgeOrReclaim)) {
-    delay = std::max(delay, kFirstPAPurgeOrReclaimDelay);
-  }
-
-  task_runner_ = task_runner;
-  MaybeScheduleTask(delay);
 }
 
 void MemoryReclaimerSupport::SetForegrounded(bool in_foreground) {
@@ -251,12 +246,9 @@ void MemoryReclaimerSupport::MaybeScheduleTask(TimeDelta delay) {
 
 void StartThreadCachePeriodicPurge() {
   auto& instance = ::partition_alloc::ThreadCacheRegistry::Instance();
-  TimeDelta delay =
+  TimeDelta delay = std::max(
-      Microseconds(instance.GetPeriodicPurgeNextIntervalInMicroseconds());
+      Microseconds(instance.GetPeriodicPurgeNextIntervalInMicroseconds()),
-
+      kFirstPAPurgeOrReclaimDelay);
-  if (base::FeatureList::IsEnabled(kDelayFirstPeriodicPAPurgeOrReclaim)) {
-    delay = std::max(delay, kFirstPAPurgeOrReclaimDelay);
-  }
 
   SingleThreadTaskRunner::GetCurrentDefault()->PostDelayedTask(
       FROM_HERE, BindOnce(RunThreadCachePeriodicPurge), delay);
@@ -337,6 +329,40 @@ std::map<std::string, std::string> ProposeSyntheticFinchTrials() {
   return trials;
 }
 
+namespace {
+
+bool ShouldEnableFeatureOnProcess(
+    features::internal::PAFeatureEnabledProcesses enabled_processes,
+    const std::string& process_type) {
+  switch (enabled_processes) {
+    case features::internal::PAFeatureEnabledProcesses::kBrowserOnly:
+      return process_type.empty();
+    case features::internal::PAFeatureEnabledProcesses::kNonRenderer:
+      return process_type != switches::kRendererProcess;
+    case features::internal::PAFeatureEnabledProcesses::kBrowserAndRenderer:
+      return process_type.empty() || process_type == switches::kRendererProcess;
+    case features::internal::PAFeatureEnabledProcesses::kRendererOnly:
+      return process_type == switches::kRendererProcess;
+    case features::internal::PAFeatureEnabledProcesses::kAllChildProcesses:
+      return !process_type.empty() && process_type != switches::kZygoteProcess;
+    case features::internal::PAFeatureEnabledProcesses::kAllProcesses:
+      return true;
+  }
+}
+
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+bool ShouldEnableShadowMetadata(const std::string& process_type) {
+  if (!base::FeatureList::IsEnabled(
+          base::features::kPartitionAllocShadowMetadata)) {
+    return false;
+  }
+  return ShouldEnableFeatureOnProcess(
+      features::kShadowMetadataEnabledProcessesParam.Get(), process_type);
+}
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
+}  // namespace
+
 #if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
 
 namespace {
@@ -429,7 +455,7 @@ std::string ExtractDanglingPtrSignature(std::string stacktrace) {
   size_t caller_index = 0;
   for (size_t i = 0; i < lines.size(); ++i) {
     for (const auto& patterns : callee_patterns) {
-      if (ranges::all_of(patterns, [&](std::string_view pattern) {
+      if (std::ranges::all_of(patterns, [&](std::string_view pattern) {
             return lines[i].find(pattern) != std::string_view::npos;
           })) {
         caller_index = i + 1;
@@ -552,38 +578,55 @@ void DanglingRawPtrReleased(uintptr_t id) {
 
   std::string dangling_signature = ExtractDanglingPtrSignature(
       free_info, stack_trace_release, task_trace_release);
-  static const char dangling_ptr_footer[] =
+
-      "\n"
+  {
-      "\n"
+    // Log the full error in a single LogMessage. Printing StackTrace is
-      "Please check for more information on:\n"
+    // expensive, so we want to avoid interleaving the output with other logs.
-      "https://chromium.googlesource.com/chromium/src/+/main/docs/"
+    logging::LogMessage log_message(__FILE__, __LINE__, logging::LOGGING_ERROR);
-      "dangling_ptr_guide.md\n"
+    std::ostream& error = log_message.stream();
-      "\n"
+
-      "Googlers: Please give us your feedback about the dangling pointer\n"
+    // The dangling signature can be used by script to locate the origin of
-      "          detector at:\n"
+    // every dangling pointers.
-      "          http://go/dangling-ptr-cq-survey\n";
+    error << "\n\n"
-  if (free_info) {
+          << ExtractDanglingPtrSignature(free_info, stack_trace_release,
-    LOG(ERROR) << "Detected dangling raw_ptr with id="
+                                         task_trace_release)
-               << StringPrintf("0x%016" PRIxPTR, id) << ":\n"
+          << "\n\n";
-               << dangling_signature << "\n\n"
+
-               << "The memory was freed at:\n"
+    error << "[DanglingPtr](1/3) A raw_ptr/raw_ref is dangling.\n\n";
-               << free_info->stack_trace << "\n"
+
-               << free_info->task_trace << "\n"
+    auto print_traces = [](debug::StackTrace stack_trace,
-               << "The dangling raw_ptr was released at:\n"
+                           debug::TaskTrace task_trace, std::ostream& error) {
-               << stack_trace_release << "\n"
+      error << "Stack trace:\n";
-               << task_trace_release << dangling_ptr_footer;
+      error << stack_trace << "\n";
-  } else {
+
-    LOG(ERROR) << "Detected dangling raw_ptr with id="
+      // Printing "Task trace:" is implied by the TaskTrace itself.
-               << StringPrintf("0x%016" PRIxPTR, id) << ":\n\n"
+      if (!task_trace.empty()) {
-               << dangling_signature << "\n\n"
+        error << task_trace << "\n";
-               << "It was not recorded where the memory was freed.\n\n"
+      }
-               << "The dangling raw_ptr was released at:\n"
+    };
-               << stack_trace_release << "\n"
+
-               << task_trace_release << dangling_ptr_footer;
+    error << "[DanglingPtr](2/3) ";
+    if (free_info) {
+      error << "First, the memory was freed at:\n\n";
+      print_traces(free_info->stack_trace, free_info->task_trace, error);
+    } else {
+      error << "It was not recorded where the memory was freed.\n";
+    }
+
+    error << "[DanglingPtr](3/3) Later, the dangling raw_ptr was released "
+             "at:\n\n";
+    print_traces(stack_trace_release, task_trace_release, error);
+
+    error << "Please check for more information on:\n";
+    error << "https://chromium.googlesource.com/chromium/src/+/main/docs/";
+    error << "dangling_ptr_guide.md\n";
+    error << "\n";
   }
 
   if constexpr (dangling_pointer_mode == features::DanglingPtrMode::kCrash) {
-    ImmediateCrash();
+    // We use `PA_IMMEDIATE_CRASH()` instead of base's ImmediateCrash() to avoid
+    // printing the raw_ptr release stack trace twice.
+    PA_IMMEDIATE_CRASH();
   }
 }
 
@@ -614,16 +657,16 @@ void CheckDanglingRawPtrBufferEmpty() {
     std::vector<std::array<const void*, 32>> stack_traces =
         internal::InstanceTracer::GetStackTracesForDanglingRefs(entry->id);
     for (const auto& raw_stack_trace : stack_traces) {
-      CHECK(ranges::is_partitioned(raw_stack_trace, is_frame_ptr_not_null))
+      CHECK(std::ranges::is_partitioned(raw_stack_trace, is_frame_ptr_not_null))
           << "`raw_stack_trace` is expected to be partitioned: non-null values "
              "at the begining followed by `nullptr`s.";
       LOG(ERROR) << "Dangling reference from:\n";
       LOG(ERROR) << debug::StackTrace(
                         // This call truncates the `nullptr` tail of the stack
                         // trace (see the `is_partitioned` CHECK above).
-                        make_span(raw_stack_trace.begin(),
+                        span(raw_stack_trace.begin(),
-                                  ranges::partition_point(
+                             std::ranges::partition_point(
-                                      raw_stack_trace, is_frame_ptr_not_null)))
+                                 raw_stack_trace, is_frame_ptr_not_null)))
                  << "\n";
     }
 #else
@@ -748,6 +791,22 @@ void ReconfigurePartitionForKnownProcess(const std::string& process_type) {
   // experiments.
 }
 
+void MakeFreeNoOp() {
+  // Ignoring `free()` during Shutdown would allow developers to introduce new
+  // dangling pointers. So we want to avoid ignoring free when it is enabled.
+  // Note: For now, the DanglingPointerDetector is only enabled on 5 bots, and
+  // on linux non-official configuration.
+#if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
+  CHECK(base::FeatureList::GetInstance());
+  if (base::FeatureList::IsEnabled(features::kPartitionAllocDanglingPtr)) {
+    return;
+  }
+#endif  // PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
+#if PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
+  allocator_shim::InsertNoOpOnFreeAllocatorShimOnShutDown();
+#endif  // PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
+}
+
 PartitionAllocSupport* PartitionAllocSupport::Get() {
   static auto* singleton = new PartitionAllocSupport();
   return singleton;
@@ -779,14 +838,8 @@ bool PartitionAllocSupport::ShouldEnableMemoryTagging(
           base::features::kKillPartitionAllocMemoryTagging)) {
     return false;
   }
-  switch (base::features::kMemoryTaggingEnabledProcessesParam.Get()) {
+  return ShouldEnableFeatureOnProcess(
-    case base::features::MemoryTaggingEnabledProcesses::kBrowserOnly:
+      base::features::kMemoryTaggingEnabledProcessesParam.Get(), process_type);
-      return process_type.empty();
-    case base::features::MemoryTaggingEnabledProcesses::kNonRenderer:
-      return process_type != switches::kRendererProcess;
-    case base::features::MemoryTaggingEnabledProcesses::kAllProcesses:
-      return true;
-  }
 }
 
 // static
@@ -804,85 +857,41 @@ bool PartitionAllocSupport::ShouldEnablePartitionAllocWithAdvancedChecks(
           base::features::kPartitionAllocWithAdvancedChecks)) {
     return false;
   }
-
+  return ShouldEnableFeatureOnProcess(
-  switch (base::features::kPartitionAllocWithAdvancedChecksEnabledProcessesParam
+      base::features::kPartitionAllocWithAdvancedChecksEnabledProcessesParam
-              .Get()) {
+          .Get(),
-    case base::features::PartitionAllocWithAdvancedChecksEnabledProcesses::
+      process_type);
-        kBrowserOnly:
-      return process_type.empty();
-    case base::features::PartitionAllocWithAdvancedChecksEnabledProcesses::
-        kBrowserAndRenderer:
-      return process_type.empty() || process_type == switches::kRendererProcess;
-    case base::features::PartitionAllocWithAdvancedChecksEnabledProcesses::
-        kNonRenderer:
-      return process_type != switches::kRendererProcess;
-    case base::features::PartitionAllocWithAdvancedChecksEnabledProcesses::
-        kAllProcesses:
-      return true;
-  }
 #endif  // !PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 }
 
-#if PA_BUILDFLAG( \
-    ENABLE_ALLOCATOR_SHIM_PARTITION_ALLOC_DISPATCH_WITH_ADVANCED_CHECKS_SUPPORT)
-allocator_shim::AllocatorDispatch g_dispatch_for_advanced_checks = {
-    .realloc_function =
-        &allocator_shim::internal::PartitionReallocWithAdvancedChecks,
-    .free_function = &allocator_shim::internal::PartitionFreeWithAdvancedChecks,
-    .next = nullptr,
-};
-#endif  // PA_BUILDFLAG(
-        // ENABLE_ALLOCATOR_SHIM_PARTITION_ALLOC_DISPATCH_WITH_ADVANCED_CHECKS_SUPPORT)
-
 // static
 PartitionAllocSupport::BrpConfiguration
 PartitionAllocSupport::GetBrpConfiguration(const std::string& process_type) {
   // TODO(bartekn): Switch to DCHECK once confirmed there are no issues.
   CHECK(base::FeatureList::GetInstance());
 
-  bool process_affected_by_brp_flag = false;
-#if (PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) &&  \
-     PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)) || \
-    PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR)
-  if (base::FeatureList::IsEnabled(
-          base::features::kPartitionAllocBackupRefPtr)) {
-    // No specified process type means this is the Browser process.
-    switch (base::features::kBackupRefPtrEnabledProcessesParam.Get()) {
-      case base::features::BackupRefPtrEnabledProcesses::kBrowserOnly:
-        process_affected_by_brp_flag = process_type.empty();
-        break;
-      case base::features::BackupRefPtrEnabledProcesses::kBrowserAndRenderer:
-        process_affected_by_brp_flag =
-            process_type.empty() ||
-            (process_type == switches::kRendererProcess);
-        break;
-      case base::features::BackupRefPtrEnabledProcesses::kNonRenderer:
-        process_affected_by_brp_flag =
-            (process_type != switches::kRendererProcess);
-        break;
-      case base::features::BackupRefPtrEnabledProcesses::kAllProcesses:
-        process_affected_by_brp_flag = true;
-        break;
-    }
-  }
-#endif  // (PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) &&
-        // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)) ||
-        // PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR)
-
-  const bool enable_brp =
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) && \
-    PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
+    PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) && \
-      // kDisabled is equivalent to !IsEnabled(kPartitionAllocBackupRefPtr).
+    !PA_BUILDFLAG(FORCE_DISABLE_BACKUP_REF_PTR_FEATURE)
-      process_affected_by_brp_flag &&
+
+  if (base::FeatureList::IsEnabled(
+          base::features::kPartitionAllocBackupRefPtr) &&
       base::features::kBackupRefPtrModeParam.Get() !=
-          base::features::BackupRefPtrMode::kDisabled;
+          base::features::BackupRefPtrMode::kDisabled &&
-#else
+      ShouldEnableFeatureOnProcess(
-      false;
+          base::features::kBackupRefPtrEnabledProcessesParam.Get(),
+          process_type)) {
+    return {
+        .enable_brp = true,
+        .extra_extras_size = static_cast<size_t>(
+            base::features::kBackupRefPtrExtraExtrasSizeParam.Get()),
+    };
+  }
 #endif
 
   return {
-      enable_brp,
+      .enable_brp = false,
-      process_affected_by_brp_flag,
+      .extra_extras_size = 0,
   };
 }
 
@@ -985,20 +994,26 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
   [[maybe_unused]] BrpConfiguration brp_config =
       GetBrpConfiguration(process_type);
 
-#if PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR)
+  // Configure ASAN hooks to report the `MiraclePtr status`. This is enabled
-  if (brp_config.process_affected_by_brp_flag) {
+  // only if BackupRefPtr is normally enabled in the current process for the
-    base::RawPtrAsanService::GetInstance().Configure(
+  // current platform. Note that CastOS and iOS aren't protected by BackupRefPtr
-        base::EnableDereferenceCheck(
+  // a the moment, so they are excluded.
-            base::features::kBackupRefPtrAsanEnableDereferenceCheckParam.Get()),
+#if PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR) && !PA_BUILDFLAG(IS_CASTOS) && \
-        base::EnableExtractionCheck(
+    !PA_BUILDFLAG(IS_IOS)
-            base::features::kBackupRefPtrAsanEnableExtractionCheckParam.Get()),
+  if (ShouldEnableFeatureOnProcess(
-        base::EnableInstantiationCheck(
+          base::features::kBackupRefPtrEnabledProcessesParam.Get(),
-            base::features::kBackupRefPtrAsanEnableInstantiationCheckParam
+          process_type)) {
-                .Get()));
+    RawPtrAsanService::GetInstance().Configure(
+        EnableDereferenceCheck(
+            FeatureList::IsEnabled(features::kAsanBrpDereferenceCheck)),
+        EnableExtractionCheck(
+            FeatureList::IsEnabled(features::kAsanBrpExtractionCheck)),
+        EnableInstantiationCheck(
+            FeatureList::IsEnabled(features::kAsanBrpInstantiationCheck)));
   } else {
-    base::RawPtrAsanService::GetInstance().Configure(
+    RawPtrAsanService::GetInstance().Configure(EnableDereferenceCheck(false),
-        base::EnableDereferenceCheck(false), base::EnableExtractionCheck(false),
+                                               EnableExtractionCheck(false),
-        base::EnableInstantiationCheck(false));
+                                               EnableInstantiationCheck(false));
   }
 #endif  // PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR)
 
@@ -1023,13 +1038,10 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
               .Get());
   const bool zapping_by_free_flags = base::FeatureList::IsEnabled(
       base::features::kPartitionAllocZappingByFreeFlags);
-
+  const bool eventually_zero_freed_memory = base::FeatureList::IsEnabled(
-#if PA_BUILDFLAG(USE_FREELIST_DISPATCHER)
+      base::features::kPartitionAllocEventuallyZeroFreedMemory);
-  const bool use_pool_offset_freelists =
+  const bool fewer_memory_regions = base::FeatureList::IsEnabled(
-      base::FeatureList::IsEnabled(base::features::kUsePoolOffsetFreelists);
+      base::features::kPartitionAllocFewerMemoryRegions);
-#else
-  const bool use_pool_offset_freelists = false;
-#endif  // PA_BUILDFLAG(USE_FREELIST_DISPATCHER)
 
   bool enable_memory_tagging = false;
   partition_alloc::TagViolationReportingMode memory_tagging_reporting_mode =
@@ -1040,17 +1052,37 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
   // check here too to wrap the GetMemoryTaggingModeForCurrentThread() call.
   if (!base::FeatureList::IsEnabled(
           base::features::kKillPartitionAllocMemoryTagging)) {
-    // If synchronous mode is enabled from startup it means this is a test and
+    // If synchronous mode is enabled from startup it means this is a test or it
-    // memory tagging should be enabled.
+    // was force enabled in Chrome some how so honor that choice.
-    if (partition_alloc::internal::GetMemoryTaggingModeForCurrentThread() ==
+    partition_alloc::TagViolationReportingMode
+        startup_memory_tagging_reporting_mode =
+            partition_alloc::internal::GetMemoryTaggingModeForCurrentThread();
+    if (startup_memory_tagging_reporting_mode ==
         partition_alloc::TagViolationReportingMode::kSynchronous) {
       enable_memory_tagging = true;
       memory_tagging_reporting_mode =
           partition_alloc::TagViolationReportingMode::kSynchronous;
+      // Not enabling permissive mode as this config is used to crash and detect
+      // bugs.
+      VLOG(1) << "PartitionAlloc: Memory tagging enabled in SYNC mode at "
+                 "startup (Process: "
+              << process_type << ")";
     } else {
       enable_memory_tagging = ShouldEnableMemoryTagging(process_type);
 #if BUILDFLAG(IS_ANDROID)
+      // Android Scudo does not allow MTE to be re-enabled if MTE was disabled.
+      if (enable_memory_tagging &&
+          startup_memory_tagging_reporting_mode ==
+              partition_alloc::TagViolationReportingMode::kDisabled) {
+        LOG(ERROR) << "PartitionAlloc: Failed to enable memory tagging due to "
+                      "MTE disabled at startup (Process: "
+                   << process_type << ")";
+        debug::DumpWithoutCrashing();
+        enable_memory_tagging = false;
+      }
+
       if (enable_memory_tagging) {
+        // Configure MTE.
         switch (base::features::kMemtagModeParam.Get()) {
           case base::features::MemtagMode::kSync:
             memory_tagging_reporting_mode =
@@ -1061,15 +1093,28 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
                 partition_alloc::TagViolationReportingMode::kAsynchronous;
             break;
         }
-        partition_alloc::PermissiveMte::SetEnabled(base::FeatureList::IsEnabled(
+        bool enable_permissive_mte = base::FeatureList::IsEnabled(
-            base::features::kPartitionAllocPermissiveMte));
+            base::features::kPartitionAllocPermissiveMte);
+        partition_alloc::PermissiveMte::SetEnabled(enable_permissive_mte);
         CHECK(partition_alloc::internal::
                   ChangeMemoryTaggingModeForAllThreadsPerProcess(
                       memory_tagging_reporting_mode));
         CHECK_EQ(
             partition_alloc::internal::GetMemoryTaggingModeForCurrentThread(),
             memory_tagging_reporting_mode);
+        VLOG(1)
+            << "PartitionAlloc: Memory tagging enabled in "
+            << (memory_tagging_reporting_mode ==
+                        partition_alloc::TagViolationReportingMode::kSynchronous
+                    ? "SYNC"
+                    : "ASYNC")
+            << " mode (Process: " << process_type << ")";
+        if (enable_permissive_mte) {
+          VLOG(1) << "PartitionAlloc: Permissive MTE enabled (Process: "
+                  << process_type << ")";
+        }
       } else if (base::CPU::GetInstanceNoAllocation().has_mte()) {
+        // Disable MTE.
         memory_tagging_reporting_mode =
             partition_alloc::TagViolationReportingMode::kDisabled;
         CHECK(partition_alloc::internal::
@@ -1078,36 +1123,28 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
         CHECK_EQ(
             partition_alloc::internal::GetMemoryTaggingModeForCurrentThread(),
             memory_tagging_reporting_mode);
+        VLOG(1) << "PartitionAlloc: Memory tagging disabled (Process: "
+                << process_type << ")";
       }
 #endif  // BUILDFLAG(IS_ANDROID)
     }
   }
 #endif  // PA_BUILDFLAG(HAS_MEMORY_TAGGING)
 
-  if (enable_memory_tagging) {
-    CHECK((memory_tagging_reporting_mode ==
-           partition_alloc::TagViolationReportingMode::kSynchronous) ||
-          (memory_tagging_reporting_mode ==
-           partition_alloc::TagViolationReportingMode::kAsynchronous));
-  } else {
-    CHECK((memory_tagging_reporting_mode ==
-           partition_alloc::TagViolationReportingMode::kUndefined) ||
-          (memory_tagging_reporting_mode ==
-           partition_alloc::TagViolationReportingMode::kDisabled));
-  }
-
   allocator_shim::UseSmallSingleSlotSpans use_small_single_slot_spans(
       base::FeatureList::IsEnabled(
           features::kPartitionAllocUseSmallSingleSlotSpans));
 
   allocator_shim::ConfigurePartitions(
       allocator_shim::EnableBrp(brp_config.enable_brp),
+      brp_config.extra_extras_size,
       allocator_shim::EnableMemoryTagging(enable_memory_tagging),
       memory_tagging_reporting_mode, bucket_distribution,
       allocator_shim::SchedulerLoopQuarantine(scheduler_loop_quarantine),
       scheduler_loop_quarantine_branch_capacity_in_bytes,
       allocator_shim::ZappingByFreeFlags(zapping_by_free_flags),
-      allocator_shim::UsePoolOffsetFreelists(use_pool_offset_freelists),
+      allocator_shim::EventuallyZeroFreedMemory(eventually_zero_freed_memory),
+      allocator_shim::FewerMemoryRegions(fewer_memory_regions),
       use_small_single_slot_spans);
 
   const uint32_t extras_size = allocator_shim::GetMainPartitionRootExtrasSize();
@@ -1117,12 +1154,8 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
   UmaHistogramCounts100("Memory.PartitionAlloc.PartitionRoot.ExtrasSize",
                         int(extras_size));
 
-#if !defined(__MUSL__)
-  // This call causes hanging in pthread_getattr_np() under qemu-user, see
-  // https://www.openwall.com/lists/musl/2017/06/15/9.
   partition_alloc::internal::StackTopRegistry::Get().NotifyThreadCreated(
       partition_alloc::internal::GetStackTop());
-#endif
 
   allocator_shim::internal::PartitionAllocMalloc::Allocator()
       ->EnableThreadCacheIfSupported();
@@ -1133,13 +1166,24 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
         ->EnableLargeEmptySlotSpanRing();
   }
 
+  if (process_type == "" &&
+      base::FeatureList::IsEnabled(
+          base::features::kPartitionAllocSchedulerLoopQuarantine)) {
+    // `ReconfigureAfterTaskRunnerInit()` is called on the UI thread.
+    const size_t capacity_in_bytes = static_cast<size_t>(
+        base::features::kPartitionAllocSchedulerLoopQuarantineBrowserUICapacity
+            .Get());
+    allocator_shim::internal::PartitionAllocMalloc::Allocator()
+        ->SetSchedulerLoopQuarantineThreadLocalBranchCapacity(
+            capacity_in_bytes);
+  }
+
 #if PA_BUILDFLAG( \
     ENABLE_ALLOCATOR_SHIM_PARTITION_ALLOC_DISPATCH_WITH_ADVANCED_CHECKS_SUPPORT)
   bool enable_pa_with_advanced_checks =
       ShouldEnablePartitionAllocWithAdvancedChecks(process_type);
   if (enable_pa_with_advanced_checks) {
-    allocator_shim::InstallDispatchToPartitionAllocWithAdvancedChecks(
+    allocator_shim::InstallCustomDispatchForPartitionAllocWithAdvancedChecks();
-        &g_dispatch_for_advanced_checks);
   }
 #endif  // PA_BUILDFLAG(
         // ENABLE_ALLOCATOR_SHIM_PARTITION_ALLOC_DISPATCH_WITH_ADVANCED_CHECKS_SUPPORT)
@@ -1254,6 +1298,15 @@ void PartitionAllocSupport::ReconfigureAfterTaskRunnerInit(
   partition_alloc::PartitionRoot::SetSortActiveSlotSpansEnabled(
       base::FeatureList::IsEnabled(
           base::features::kPartitionAllocSortActiveSlotSpans));
+
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+  if (ShouldEnableShadowMetadata(process_type)) {
+    partition_alloc::PartitionRoot::EnableShadowMetadata(
+        partition_alloc::internal::PoolHandleMask::kRegular |
+        partition_alloc::internal::PoolHandleMask::kBRP |
+        partition_alloc::internal::PoolHandleMask::kConfigurable);
+  }
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
 }
 
 void PartitionAllocSupport::OnForegrounded(bool has_main_frame) {
@@ -1308,9 +1361,8 @@ void PartitionAllocSupport::OnBackgrounded() {
   // TODO(lizeb): Remove once/if the behavior of idle tasks changes.
   base::PostDelayedMemoryReductionTask(
       base::SingleThreadTaskRunner::GetCurrentDefault(), FROM_HERE,
-      base::BindOnce([]() {
+      base::BindOnce(
-        ::partition_alloc::MemoryReclaimer::Instance()->ReclaimAll();
+          [] { ::partition_alloc::MemoryReclaimer::Instance()->ReclaimAll(); }),
-      }),
       base::Seconds(10));
 
 #endif  // PA_CONFIG(THREAD_CACHE_SUPPORTED)

src/base/allocator/partition_alloc_support.h

@@ -37,12 +37,21 @@ BASE_EXPORT std::map<std::string, std::string> ProposeSyntheticFinchTrials();
 BASE_EXPORT void InstallDanglingRawPtrChecks();
 BASE_EXPORT void InstallUnretainedDanglingRawPtrChecks();
 
+// Once called, makes `free()` do nothing. This is done to reduce
+// shutdown hangs on CrOS.
+// Does nothing if Dangling Pointer Detector (`docs/dangling_ptr.md`)
+// is not active.
+// Does nothing if allocator shim support is not built.
+BASE_EXPORT void MakeFreeNoOp();
+
 // Allows to re-configure PartitionAlloc at run-time.
 class BASE_EXPORT PartitionAllocSupport {
  public:
   struct BrpConfiguration {
     bool enable_brp = false;
-    bool process_affected_by_brp_flag = false;
+
+    // TODO(https://crbug.com/371135823): Remove after the investigation.
+    size_t extra_extras_size = 0;
   };
 
   // Reconfigure* functions re-configure PartitionAlloc. It is impossible to

src/base/allocator/partition_allocator/.clang-tidy

@@ -0,0 +1,7 @@
+---
+  Checks: 'google-build-namespaces,
+           readability-redundant-smartptr-get,
+           readability-static-accessed-through-instance'
+  InheritParentConfig: true
+  HeaderFilterRegex: 'partition_alloc/*'
+...

src/base/allocator/partition_allocator/BUILD.gn

@@ -11,8 +11,14 @@ group("buildflags") {
   public_deps = [ "src/partition_alloc:buildflags" ]
 }
 
-if (is_clang_or_gcc) {
+if (use_partition_alloc && is_clang_or_gcc) {
   group("partition_alloc") {
     public_deps = [ "src/partition_alloc:partition_alloc" ]
   }
 }
+
+if (use_allocator_shim) {
+  group("allocator_shim") {
+    public_deps = [ "src/partition_alloc:allocator_shim" ]
+  }
+}

src/base/allocator/partition_allocator/OWNERS

@@ -1,4 +1,3 @@
-bartekn@chromium.org
 haraken@chromium.org
 keishi@chromium.org
 lizeb@chromium.org

src/base/allocator/partition_allocator/PRESUBMIT.py

@@ -134,7 +134,7 @@ def CheckCpp17CompatibleHeaders(input_api, output_api):
     CPP_20_HEADERS = [
         "barrier",
         "bit",
-        "compare",
+        #"compare",  Three-way comparison may be used under appropriate guards.
         "format",
         "numbers",
         "ranges",
@@ -161,7 +161,10 @@ def CheckCpp17CompatibleHeaders(input_api, output_api):
 
     sources = lambda affected_file: input_api.FilterSourceFile(
         affected_file,
-        files_to_skip=[],
+        # compiler_specific.h may use these headers in guarded ways.
+        files_to_skip=[
+            r'.*partition_alloc_base/augmentations/compiler_specific\.h'
+        ],
         files_to_check=[_SOURCE_FILE_PATTERN])
 
     errors = []
@@ -227,3 +230,20 @@ def CheckCpp17CompatibleKeywords(input_api, output_api):
                         '%s:%d\nPartitionAlloc disallows C++20 keywords: %s'
                         % (f.LocalPath(), line_number + 1, keyword)))
     return errors
+
+# Check `NDEBUG` is not used inside partition_alloc. We prefer to use the
+# buildflags `#if PA_BUILDFLAG(IS_DEBUG)` instead.
+def CheckNoNDebug(input_api, output_api):
+    sources = lambda affected_file: input_api.FilterSourceFile(
+        affected_file,
+        files_to_skip=[],
+        files_to_check=[_SOURCE_FILE_PATTERN])
+
+    errors = []
+    for f in input_api.AffectedSourceFiles(sources):
+        for line_number, line in f.ChangedContents():
+            if 'NDEBUG' in line:
+                errors.append(output_api.PresubmitError('%s:%d\nPartitionAlloc'
+                  % (f.LocalPath(), line_number + 1)
+                  + 'disallows NDEBUG, use PA_BUILDFLAG(IS_DEBUG) instead'))
+    return errors

src/base/allocator/partition_allocator/build_overrides/partition_alloc.gni

@@ -15,6 +15,7 @@ use_allocator_shim_default = false
 enable_backup_ref_ptr_support_default = false
 enable_backup_ref_ptr_slow_checks_default = false
 enable_dangling_raw_ptr_checks_default = false
+enable_ios_corruption_hardening_default = false
 
 # This is the default build configuration for pointers/raw_ptr*.
 raw_ptr_zero_on_construct_default = true

src/base/allocator/partition_allocator/gn/BUILDCONFIG.gn

@@ -52,7 +52,6 @@ is_nacl = false
 is_win = current_os == "win" || current_os == "winuwp"
 is_cast_android = false
 is_castos = false
-is_chromeos_ash = false
 is_cronet_build = false
 enable_expensive_dchecks = false
 dcheck_is_configurable = false

src/base/allocator/partition_allocator/partition_alloc.gni

@@ -4,6 +4,56 @@
 
 import("//build_overrides/partition_alloc.gni")
 
+# -----------------------------------------------------------------------------
+# Note on the use of `xxx_default` variable in partition_alloc.
+#
+# GN provides default_args() instruction. It is meant to be used by embedders,
+# to override the default args declared by the embeddees (e.g. partition_alloc).
+# This is the intended way to use GN. It properly interacts with the args.gn
+# user's file.
+#
+# Unfortunately, Chrome and others embedders aren't using it. Instead, they
+# expect embeddees to import global '.gni' file from the embedder, e.g.
+# `//build_overrides/partition_alloc.gni`. This file sets some `xxx_default`
+# variable that will be transferred to the declared args. For instance
+# a library would use:
+# ```
+#     import("//build_overrides/library.gni")
+#     declare_args() {
+#       xxx = xxx_default
+#     }
+# ```
+#
+# We don't really want to break embedders when introducing new args. Ideally,
+# We would have liked to have defaults for default variables. That would be
+# a recursive problem. To resolve it, we sometimes use the `defined(...)`
+# instruction to check if the embedder has defined the `xxx_default` variable or
+# not.
+#
+# In general, we should aim to support the embedders that are using GN normally,
+# and avoid requiring them to define `xxx_default` in the `//build_overrides`
+# -----------------------------------------------------------------------------
+
+# Some embedders uses `is_debug`, it can be used to set the default value of
+# `partition_alloc_is_debug_default`.
+if (!defined(partition_alloc_is_debug_default)) {
+  if (defined(is_debug)) {
+    partition_alloc_is_debug_default = is_debug
+  } else {
+    partition_alloc_is_debug_default = false
+  }
+}
+
+# Some embedders uses `dcheck_always_on`, it can be used to set the default
+# value of `partition_alloc_dcheck_always_on_default`.
+if (!defined(partition_alloc_dcheck_always_on_default)) {
+  if (defined(dcheck_always_on)) {
+    partition_alloc_dcheck_always_on_default = dcheck_always_on
+  } else {
+    partition_alloc_dcheck_always_on_default = false
+  }
+}
+
 # PartitionAlloc have limited support for MSVC's cl.exe compiler. It can only
 # access the generate "buildflags" and the "raw_ptr" definitions implemented
 # with RawPtrNoOpImpl. Everything else is considered not supported.
@@ -28,8 +78,16 @@ if (is_nacl) {
   assert(false, "Unknown CPU: $current_cpu")
 }
 
-# Increases the size of the empty slot span ring.
+# Makes the number of empty slot spans that can remain committed larger in
-use_large_empty_slot_span_ring = is_mac
+# foreground mode compared to background mode
+# (see `PartitionRoot::AdjustFor(Background|Foreground)`).
+#
+# Foreground/background modes are used by default on macOS and Windows so this
+# must be true on these platforms. It's also true on other platforms to allow
+# experiments.
+#
+# TODO(crbug.com/329199197): Clean this up when experiments are complete.
+use_large_empty_slot_span_ring = true
 
 # Disables for Android ARM64 because it actually requires API 31+.
 # See partition_alloc/tagging.cc:
@@ -40,6 +98,12 @@ has_memory_tagging =
     current_cpu == "arm64" && is_clang && !is_asan && is_linux && current_os != "openwrt"
 
 declare_args() {
+  # Debug configuration.
+  partition_alloc_is_debug = partition_alloc_is_debug_default
+
+  # Enable PA_DCHECKs in PartitionAlloc in release mode.
+  partition_alloc_dcheck_always_on = partition_alloc_dcheck_always_on_default
+
   # Causes all the allocations to be routed via allocator_shim.cc. Usually,
   # the allocator shim will, in turn, route them to PartitionAlloc, but
   # other allocators are also supported by the allocator shim.
@@ -87,9 +151,17 @@ declare_args() {
   # Whether PartitionAlloc dispatch can be replaced with another dispatch with
   # some more safety checks at runtime or not.  When true, the allocator shim
   # provides an extended API to swap PartitionAlloc.
-  # TODO(https://crbug.com/351974425): Enable this when `use_partition_alloc_as_malloc` is true.
   enable_allocator_shim_partition_alloc_dispatch_with_advanced_checks_support =
-      false
+      use_partition_alloc_as_malloc
+}
+
+declare_args() {
+  # This is a flag for binary experiment on iOS. When BRP for iOS is enabled,
+  # we see some un-actionable `DoubleFreeOrCorruptionDetected` crashes.
+  # This flag enables some extra `CHECK`s to get actionable crash reports.
+  # TODO(crbug.com/371135823): Remove upon completion of investigation.
+  enable_ios_corruption_hardening = use_partition_alloc_as_malloc && is_ios &&
+                                    enable_ios_corruption_hardening_default
 }
 
 assert(
@@ -119,18 +191,13 @@ if (use_allocator_shim && is_win) {
   # If libcxx_is_shared=false, libc++ is a static library. All libc++ code
   # will be run inside the client. The above issue will disappear.
   assert(
-      !is_component_build || (!libcxx_is_shared && !is_debug),
+      !is_component_build || (!libcxx_is_shared && !partition_alloc_is_debug),
-      "The allocator shim for the Windows component build needs !libcxx_is_shared && !is_debug.")
+      "The allocator shim for the Windows component build needs !libcxx_is_shared && !partition_alloc_is_debug.")
 }
 
 declare_args() {
   use_freeslot_bitmap = false
 
-  # Puts the regular and BRP pools right next to each other, so that we can
-  # check "belongs to one of the two pools" with a single bitmask operation.
-  # TODO(crbug.com/350104111): Fix ios-simulator failures to remove `!is_ios`.
-  glue_core_pools = use_partition_alloc_as_malloc && !is_ios
-
   # Introduces pointer compression support in PA. These are 4-byte
   # pointers that can point within the core pools (regular and BRP).
   #
@@ -152,6 +219,23 @@ declare_args() {
   # through malloc. Useful for using with tools that intercept malloc, e.g.
   # heaptrack.
   forward_through_malloc = false
+
+  # Enable reentrancy checks at `partition_alloc::internal::Lock`.
+  # TODO(crbug.com/371135823): Remove upon completion of investigation.
+  enable_partition_lock_reentrancy_check = enable_ios_corruption_hardening
+
+  # This will write a fixed cookie pattern at the end of each allocation, and
+  # later verify the pattern remain unchanged to ensure there is no OOB write.
+  # It comes with performance and memory cost, hence enabled only in debug.
+  use_partition_cookie =
+      partition_alloc_is_debug || partition_alloc_dcheck_always_on ||
+      enable_ios_corruption_hardening
+
+  # This will change partition cookie size to 4B or 8B, whichever equivalent to
+  # size of InSlotMetadata. This option is useful for InSlotMetadata corruption
+  # investigation.
+  # TODO(crbug.com/371135823): Remove upon completion of investigation.
+  smaller_partition_cookie = enable_ios_corruption_hardening
 }
 
 declare_args() {
@@ -231,6 +315,12 @@ declare_args() {
       # Platforms where BackupRefPtr hasn't shipped yet:
       !is_castos && !is_ios
 
+  # While keeping BRP support, override a feature flag to make it disabled
+  # state. This will overwrite `enable_backup_ref_ptr_feature_flag`.
+  # TODO(https://crbug.com/372183586): Fix the bug and remove this arg.
+  force_disable_backup_ref_ptr_feature =
+      enable_backup_ref_ptr_support && enable_ios_corruption_hardening
+
   # Build support for Dangling Ptr Detection (DPD) via BackupRefPtr (BRP),
   # making the raw_ptr<T> implementation to RawPtrBackupRefImpl if active.
   enable_dangling_raw_ptr_checks =
@@ -263,7 +353,7 @@ declare_args() {
 declare_args() {
   # Shadow metadata is still under development and only supports Linux
   # for now.
-  enable_shadow_metadata = false
+  enable_shadow_metadata = is_linux && has_64_bit_pointers
 }
 
 declare_args() {
@@ -278,19 +368,28 @@ declare_args() {
 
 stack_scan_supported =
     current_cpu == "x64" || current_cpu == "x86" || current_cpu == "arm" ||
-    current_cpu == "arm64" || current_cpu == "riscv64"
+    current_cpu == "arm64" || current_cpu == "riscv64" || current_cpu == "loong64"
 
 # We want to provide assertions that guard against inconsistent build
 # args, but there is no point in having them fire if we're not building
 # PartitionAlloc at all. If `use_partition_alloc` is false, we jam all
 # related args to `false`.
 #
+# We also disable PA-Everywhere and PA-based features in two types of
+# toolchains:
+# - Toolchains that disable PA-Everywhere explicitly.
+# - The rust host build tools toochain, which builds DLLs to dlopen into the
+#   compiler for proc macros. We would want any allocations to use the same
+#   paths as the compiler.
+#
 # Do not clear the following, as they can function outside of PartitionAlloc
 # - has_64_bit_pointers
 # - has_memory_tagging
 if (!use_partition_alloc ||
     (defined(toolchain_allows_use_partition_alloc_as_malloc) &&
-     !toolchain_allows_use_partition_alloc_as_malloc)) {
+     !toolchain_allows_use_partition_alloc_as_malloc) ||
+    (defined(toolchain_for_rust_host_build_tools) &&
+     toolchain_for_rust_host_build_tools)) {
   use_partition_alloc_as_malloc = false
   glue_core_pools = false
   enable_backup_ref_ptr_support = false

src/base/allocator/partition_allocator/src/partition_alloc/BUILD.gn

@@ -29,16 +29,14 @@ record_alloc_info = false
 # GWP-ASan is tied to BRP's enablement.
 enable_gwp_asan_support = enable_backup_ref_ptr_support
 
-# Pools are a logical concept when address space is 32-bit.
-glue_core_pools = glue_core_pools && has_64_bit_pointers
-
 # Pointer compression requires 64-bit pointers.
 enable_pointer_compression =
     enable_pointer_compression_support && has_64_bit_pointers
 
 # Duplicates the setup Chromium uses to define `DCHECK_IS_ON()`, but avails it
 # as a buildflag.
-dchecks_are_on = is_debug || dcheck_always_on
+partition_alloc_dchecks_are_on =
+    partition_alloc_is_debug || partition_alloc_dcheck_always_on
 
 # Building PartitionAlloc for Windows component build.
 # Currently use build_with_chromium not to affect any third_party code,
@@ -125,12 +123,34 @@ source_set("buildflag_macro") {
   public_configs = [ ":public_includes" ]
 }
 
+# When developers are repeatedly growing a buffer with `realloc`, they are
+# expected to request a new size that is larger than the current size by
+# some growth factor. This growth factor allows to amortize the cost of
+# memcpy. Unfortunately, some nVidia drivers have a bug where they repeatedly
+# increase the buffer by 4144 byte only.
+#
+# In particular, most Skia Linux bots are using the affected nVidia driver. So
+# this flag is used as a workaround for Skia standalone, not in production.
+#
+# External link:
+#   https://forums.developer.nvidia.com/t/550-54-14-very-bad-performance-due-to-bunch-of-reallocations-during-glcore-initialization/287027
+#
+# Internal discussion at @chrome-memory-safety:
+#   https://groups.google.com/a/google.com/d/msgid/chrome-memory-safety/CAAzos5HrexY2njz2YzWrffTq1xEfkx15GVpSvHUyQED6wBSXvA%40mail.gmail.com?utm_medium=email&utm_source=footer
+declare_args() {
+  partition_alloc_realloc_growth_factor_mitigation = false
+}
+
 pa_buildflag_header("buildflags") {
   header = "buildflags.h"
   flags = [
     "ASSERT_CPP_20=$assert_cpp20",
     "BACKUP_REF_PTR_EXTRA_OOB_CHECKS=$backup_ref_ptr_extra_oob_checks",
     "BACKUP_REF_PTR_POISON_OOB_PTR=$backup_ref_ptr_poison_oob_ptr",
+    "CAN_UNWIND_WITH_FRAME_POINTERS=$can_unwind_with_frame_pointers",
+    "DCHECKS_ARE_ON=$partition_alloc_dchecks_are_on",
+    "DCHECK_IS_CONFIGURABLE=$dcheck_is_configurable",
+    "ENABLE_ALLOCATOR_SHIM_PARTITION_ALLOC_DISPATCH_WITH_ADVANCED_CHECKS_SUPPORT=$enable_allocator_shim_partition_alloc_dispatch_with_advanced_checks_support",
     "ENABLE_BACKUP_REF_PTR_FEATURE_FLAG=$enable_backup_ref_ptr_feature_flag",
     "ENABLE_BACKUP_REF_PTR_INSTANCE_TRACER=$enable_backup_ref_ptr_instance_tracer",
     "ENABLE_BACKUP_REF_PTR_SLOW_CHECKS=$enable_backup_ref_ptr_slow_checks",
@@ -138,26 +158,30 @@ pa_buildflag_header("buildflags") {
     "ENABLE_DANGLING_RAW_PTR_CHECKS=$enable_dangling_raw_ptr_checks",
     "ENABLE_DANGLING_RAW_PTR_FEATURE_FLAG=$enable_dangling_raw_ptr_feature_flag",
     "ENABLE_GWP_ASAN_SUPPORT=$enable_gwp_asan_support",
+    "ENABLE_PARTITION_LOCK_REENTRANCY_CHECK=$enable_partition_lock_reentrancy_check",
     "ENABLE_PKEYS=$enable_pkeys",
     "ENABLE_POINTER_ARITHMETIC_TRAIT_CHECK=$enable_pointer_arithmetic_trait_check",
     "ENABLE_POINTER_COMPRESSION=$enable_pointer_compression",
     "ENABLE_POINTER_SUBTRACTION_CHECK=$enable_pointer_subtraction_check",
     "ENABLE_SHADOW_METADATA_FOR_64_BITS_POINTERS=$enable_shadow_metadata",
     "ENABLE_THREAD_ISOLATION=$enable_pkeys",
+    "EXPENSIVE_DCHECKS_ARE_ON=$enable_expensive_dchecks",
+    "FORCE_DISABLE_BACKUP_REF_PTR_FEATURE=$force_disable_backup_ref_ptr_feature",
     "FORCE_ENABLE_RAW_PTR_EXCLUSION=$force_enable_raw_ptr_exclusion",
     "FORWARD_THROUGH_MALLOC=$forward_through_malloc",
-    "GLUE_CORE_POOLS=$glue_core_pools",
     "HAS_64_BIT_POINTERS=$has_64_bit_pointers",
     "HAS_MEMORY_TAGGING=$has_memory_tagging",
     "IS_ANDROID=$is_android",
     "IS_CASTOS=$is_castos",
     "IS_CAST_ANDROID=$is_cast_android",
     "IS_CHROMEOS=$is_chromeos",
-    "IS_DEBUG=$is_debug",
+    "IS_DEBUG=$partition_alloc_is_debug",
     "RAW_PTR_ZERO_ON_CONSTRUCT=$raw_ptr_zero_on_construct",
     "RAW_PTR_ZERO_ON_DESTRUCT=$raw_ptr_zero_on_destruct",
     "RAW_PTR_ZERO_ON_MOVE=$raw_ptr_zero_on_move",
+    "REALLOC_GROWTH_FACTOR_MITIGATION=$partition_alloc_realloc_growth_factor_mitigation",
     "RECORD_ALLOC_INFO=$record_alloc_info",
+    "SMALLER_PARTITION_COOKIE=$smaller_partition_cookie",
     "STACK_SCAN_SUPPORTED=$stack_scan_supported",
     "USE_ALLOCATOR_SHIM=$use_allocator_shim",
     "USE_ASAN_BACKUP_REF_PTR=$use_asan_backup_ref_ptr",
@@ -167,14 +191,10 @@ pa_buildflag_header("buildflags") {
     "USE_LARGE_EMPTY_SLOT_SPAN_RING=$use_large_empty_slot_span_ring",
     "USE_PARTITION_ALLOC=$use_partition_alloc",
     "USE_PARTITION_ALLOC_AS_MALLOC=$use_partition_alloc_as_malloc",
+    "USE_PARTITION_COOKIE=$use_partition_cookie",
     "USE_RAW_PTR_ASAN_UNOWNED_IMPL=$use_raw_ptr_asan_unowned_impl",
     "USE_RAW_PTR_BACKUP_REF_IMPL=$use_raw_ptr_backup_ref_impl",
     "USE_RAW_PTR_HOOKABLE_IMPL=$use_raw_ptr_hookable_impl",
-    "ENABLE_ALLOCATOR_SHIM_PARTITION_ALLOC_DISPATCH_WITH_ADVANCED_CHECKS_SUPPORT=$enable_allocator_shim_partition_alloc_dispatch_with_advanced_checks_support",
-    "DCHECKS_ARE_ON=$dchecks_are_on",
-    "EXPENSIVE_DCHECKS_ARE_ON=$enable_expensive_dchecks",
-    "DCHECK_IS_CONFIGURABLE=$dcheck_is_configurable",
-    "CAN_UNWIND_WITH_FRAME_POINTERS=$can_unwind_with_frame_pointers",
   ]
 }
 
@@ -330,7 +350,7 @@ if (is_clang_or_gcc) {
     }
   }
 
-  if (enable_pkeys && is_debug) {
+  if (enable_pkeys && partition_alloc_is_debug) {
     config("no_stack_protector") {
       cflags = [ "-fno-stack-protector" ]
     }
@@ -427,6 +447,7 @@ if (is_clang_or_gcc) {
       "partition_bucket.cc",
       "partition_bucket.h",
       "partition_bucket_lookup.h",
+      "partition_cookie.cc",
       "partition_cookie.h",
       "partition_dcheck_helper.cc",
       "partition_dcheck_helper.h",
@@ -441,6 +462,7 @@ if (is_clang_or_gcc) {
       "partition_page_constants.h",
       "partition_root.cc",
       "partition_root.h",
+      "partition_shared_mutex.h",
       "partition_stats.cc",
       "partition_stats.h",
       "partition_superpage_extent_entry.h",
@@ -499,6 +521,9 @@ if (is_clang_or_gcc) {
     } else if (current_cpu == "riscv64") {
       assert(stack_scan_supported)
       sources += [ "stack/asm/riscv64/push_registers_asm.cc" ]
+    } else if (current_cpu == "loong64") {
+      assert(stack_scan_supported)
+      sources += [ "stack/asm/loong64/push_registers_asm.cc" ]
     } else {
       # To support a trampoline for another arch, please refer to v8/src/heap/base.
       assert(!stack_scan_supported)
@@ -565,7 +590,7 @@ if (is_clang_or_gcc) {
 
     # We want to be able to test pkey mode without access to the default pkey.
     # This is incompatible with stack protectors since the TLS won't be pkey-tagged.
-    if (enable_pkeys && is_debug) {
+    if (enable_pkeys && partition_alloc_is_debug) {
       configs += [ ":no_stack_protector" ]
     }
   }
@@ -598,6 +623,7 @@ if (is_clang_or_gcc) {
       "partition_alloc_base/debug/stack_trace.cc",
       "partition_alloc_base/debug/stack_trace.h",
       "partition_alloc_base/export_template.h",
+      "partition_alloc_base/files/platform_file.h",
       "partition_alloc_base/immediate_crash.h",
       "partition_alloc_base/log_message.cc",
       "partition_alloc_base/log_message.h",
@@ -643,11 +669,13 @@ if (is_clang_or_gcc) {
       "partition_alloc_base/time/time.h",
       "partition_alloc_base/time/time_override.cc",
       "partition_alloc_base/time/time_override.h",
+      "partition_alloc_base/types/same_as_any.h",
       "partition_alloc_base/types/strong_alias.h",
       "partition_alloc_base/win/win_handle_types.h",
       "partition_alloc_base/win/win_handle_types_list.inc",
       "partition_alloc_base/win/windows_types.h",
     ]
+    libs = []
 
     if (is_win) {
       sources += [
@@ -659,6 +687,9 @@ if (is_clang_or_gcc) {
         "partition_alloc_base/threading/platform_thread_win.cc",
         "partition_alloc_base/time/time_win.cc",
       ]
+      libs += [
+        "winmm.lib",  # For timeGetTime.
+      ]
     }
 
     if (is_posix) {
@@ -782,8 +813,6 @@ if (is_clang_or_gcc) {
   }
 
   component("allocator_shim") {
-    visibility = [ ":*" ]
-
     sources = []
     deps = []
     all_dependent_configs = []
@@ -1009,7 +1038,7 @@ if (build_with_chromium) {
       ]
     }
 
-    if (enable_pkeys && is_debug && !is_component_build) {
+    if (enable_pkeys && partition_alloc_is_debug && !is_component_build) {
       # This test requires RELRO, which is not enabled in component builds.
       # Also, require a debug build, since we only disable stack protectors in
       # debug builds in PartitionAlloc (see below why it's needed).

src/base/allocator/partition_allocator/src/partition_alloc/address_space_randomization.h

@@ -292,7 +292,7 @@ AslrMask(uintptr_t bits) {
 
 #endif  // PA_BUILDFLAG(PA_ARCH_CPU_32_BITS)
 
-    // clang-format on
+// clang-format on
 
 }  // namespace internal
 

src/base/allocator/partition_allocator/src/partition_alloc/allocation_guard.cc

@@ -3,6 +3,7 @@
 // found in the LICENSE file.
 
 #include "partition_alloc/allocation_guard.h"
+
 #include "partition_alloc/partition_alloc_base/immediate_crash.h"
 #include "partition_alloc/partition_alloc_config.h"
 

src/base/allocator/partition_allocator/src/partition_alloc/extended_api.cc

@@ -77,7 +77,17 @@ ThreadCacheProcessScopeForTesting::ThreadCacheProcessScopeForTesting(
     // Replace ThreadCache's PartitionRoot.
     ThreadCache::SwapForTesting(root_);
   } else {
-    if (!regular_was_enabled_) {
+    bool regular_was_disabled = !regular_was_enabled_;
+#if PA_BUILDFLAG(IS_WIN)
+    // ThreadCache may be tombstone because of the previous test. In the
+    // case, we have to remove tombstone and re-create ThreadCache for
+    // a new test.
+    if (ThreadCache::IsTombstone(ThreadCache::Get())) {
+      ThreadCache::RemoveTombstoneForTesting();
+      regular_was_disabled = true;
+    }
+#endif
+    if (regular_was_disabled) {
       EnablePartitionAllocThreadCacheForRootIfDisabled(root_);
       ThreadCache::SwapForTesting(root_);
     }
@@ -89,6 +99,7 @@ ThreadCacheProcessScopeForTesting::ThreadCacheProcessScopeForTesting(
 #endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 
   PA_CHECK(ThreadCache::Get());
+  PA_CHECK(!ThreadCache::IsTombstone(ThreadCache::Get()));
 }
 
 ThreadCacheProcessScopeForTesting::~ThreadCacheProcessScopeForTesting() {

src/base/allocator/partition_allocator/src/partition_alloc/in_slot_metadata.h

@@ -46,7 +46,6 @@ PA_ALWAYS_INLINE constexpr size_t AlignUpInSlotMetadataSizeForApple(
 
 #if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
 
-namespace {
 // Utility functions to define a bit field.
 template <typename CountType>
 static constexpr CountType SafeShift(CountType lhs, int rhs) {
@@ -64,7 +63,6 @@ struct BitField {
            ~(SafeShift<CountType>(1, lo) - 1);
   }
 };
-}  // namespace
 
 // Special-purpose atomic bit field class mainly used by RawPtrBackupRefImpl.
 // Formerly known as `PartitionRefCount`, but renamed to support usage that is

src/base/allocator/partition_allocator/src/partition_alloc/internal_allocator.cc

@@ -7,7 +7,7 @@
 namespace partition_alloc::internal {
 PA_COMPONENT_EXPORT(PARTITION_ALLOC)
 PartitionRoot& InternalAllocatorRoot() {
-  static internal::base::NoDestructor<PartitionRoot> allocator([]() {
+  static internal::base::NoDestructor<PartitionRoot> allocator([] {
     // Disable features using the internal root to avoid reentrancy issue.
     PartitionOptions opts;
     opts.thread_cache = PartitionOptions::kDisabled;
@@ -37,8 +37,4 @@ void InternalPartitionAllocated::operator delete(void* ptr, std::align_val_t) {
   InternalAllocatorRoot().Free<FreeFlags::kNoHooks>(ptr);
 }
 
-// A deleter for `std::unique_ptr<T>`.
-void InternalPartitionDeleter::operator()(void* ptr) const {
-  InternalAllocatorRoot().Free<FreeFlags::kNoHooks>(ptr);
-}
 }  // namespace partition_alloc::internal

src/base/allocator/partition_allocator/src/partition_alloc/internal_allocator.h

@@ -48,8 +48,6 @@ T* ConstructAtInternalPartition(Args&&... args) {
 }
 
 // Destroy an object on heap in the internal partition.
-// TODO(crbug.com/40274826) This is an unused function. Start using it in tests
-// and/or in production code.
 template <typename T>
 void DestroyAtInternalPartition(T* ptr) {
   // Destroying an array is not supported.

src/base/allocator/partition_allocator/src/partition_alloc/internal_allocator_forward.h

@@ -67,14 +67,13 @@ template <typename T, typename... Args>
 T* ConstructAtInternalPartition(Args&&... args);
 
 // Destroy an object on heap in the internal partition.
-// TODO(crbug.com/40274826) This is an unused function. Start using it in tests
-// and/or in production code.
 template <typename T>
 void DestroyAtInternalPartition(T* ptr);
 
 // A deleter for `std::unique_ptr<T>`.
-struct PA_COMPONENT_EXPORT(PARTITION_ALLOC) InternalPartitionDeleter final {
+template <typename T>
-  void operator()(void* ptr) const;
+struct InternalPartitionDeleter final {
+  void operator()(T* ptr) const { DestroyAtInternalPartition(ptr); }
 };
 
 }  // namespace partition_alloc::internal

src/base/allocator/partition_allocator/src/partition_alloc/lightweight_quarantine.cc

@@ -9,19 +9,51 @@
 #include "partition_alloc/partition_root.h"
 
 namespace partition_alloc::internal {
-namespace {
 
-// An utility to lock only if a condition is met.
+// Utility classes to lock only if a condition is met.
-class PA_SCOPED_LOCKABLE ConditionalScopedGuard {
+
+template <>
+class PA_SCOPED_LOCKABLE
+    LightweightQuarantineBranch::CompileTimeConditionalScopedGuard<
+        LightweightQuarantineBranch::LockRequired::kNotRequired> {
  public:
-  PA_ALWAYS_INLINE ConditionalScopedGuard(bool condition, Lock& lock)
+  PA_ALWAYS_INLINE explicit CompileTimeConditionalScopedGuard(Lock& lock)
+      PA_EXCLUSIVE_LOCK_FUNCTION(lock) {}
+  // For some reason, defaulting this causes a thread safety annotation failure.
+  PA_ALWAYS_INLINE
+  ~CompileTimeConditionalScopedGuard()  // NOLINT(modernize-use-equals-default)
+      PA_UNLOCK_FUNCTION() {}
+};
+
+template <>
+class PA_SCOPED_LOCKABLE
+    LightweightQuarantineBranch::CompileTimeConditionalScopedGuard<
+        LightweightQuarantineBranch::LockRequired::kRequired> {
+ public:
+  PA_ALWAYS_INLINE explicit CompileTimeConditionalScopedGuard(Lock& lock)
+      PA_EXCLUSIVE_LOCK_FUNCTION(lock)
+      : lock_(lock) {
+    lock_.Acquire();
+  }
+  PA_ALWAYS_INLINE ~CompileTimeConditionalScopedGuard() PA_UNLOCK_FUNCTION() {
+    lock_.Release();
+  }
+
+ private:
+  Lock& lock_;
+};
+
+class PA_SCOPED_LOCKABLE
+    LightweightQuarantineBranch::RuntimeConditionalScopedGuard {
+ public:
+  PA_ALWAYS_INLINE RuntimeConditionalScopedGuard(bool condition, Lock& lock)
       PA_EXCLUSIVE_LOCK_FUNCTION(lock)
       : condition_(condition), lock_(lock) {
     if (condition_) {
       lock_.Acquire();
     }
   }
-  PA_ALWAYS_INLINE ~ConditionalScopedGuard() PA_UNLOCK_FUNCTION() {
+  PA_ALWAYS_INLINE ~RuntimeConditionalScopedGuard() PA_UNLOCK_FUNCTION() {
     if (condition_) {
       lock_.Release();
     }
@@ -32,8 +64,6 @@ class PA_SCOPED_LOCKABLE ConditionalScopedGuard {
   Lock& lock_;
 };
 
-}  // namespace
-
 LightweightQuarantineBranch LightweightQuarantineRoot::CreateBranch(
     const LightweightQuarantineBranchConfig& config) {
   return LightweightQuarantineBranch(*this, config);
@@ -44,7 +74,12 @@ LightweightQuarantineBranch::LightweightQuarantineBranch(
     const LightweightQuarantineBranchConfig& config)
     : root_(root),
       lock_required_(config.lock_required),
-      branch_capacity_in_bytes_(config.branch_capacity_in_bytes) {}
+      branch_capacity_in_bytes_(config.branch_capacity_in_bytes) {
+  if (lock_required_) {
+    to_be_freed_working_memory_ =
+        ConstructAtInternalPartition<ToBeFreedArray>();
+  }
+}
 
 LightweightQuarantineBranch::LightweightQuarantineBranch(
     LightweightQuarantineBranch&& b)
@@ -55,57 +90,23 @@ LightweightQuarantineBranch::LightweightQuarantineBranch(
       branch_capacity_in_bytes_(
           b.branch_capacity_in_bytes_.load(std::memory_order_relaxed)) {
   b.branch_size_in_bytes_ = 0;
+  if (lock_required_) {
+    to_be_freed_working_memory_.store(b.to_be_freed_working_memory_.exchange(
+                                          nullptr, std::memory_order_relaxed),
+                                      std::memory_order_relaxed);
+  }
 }
 
 LightweightQuarantineBranch::~LightweightQuarantineBranch() {
   Purge();
-}
+  if (lock_required_) {
-
+    DestroyAtInternalPartition(to_be_freed_working_memory_.exchange(
-bool LightweightQuarantineBranch::Quarantine(
+        nullptr, std::memory_order_relaxed));
-    void* object,
-    SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
-    uintptr_t slot_start,
-    size_t usable_size) {
-  PA_DCHECK(usable_size == root_.allocator_root_.GetSlotUsableSize(slot_span));
-
-  const size_t capacity_in_bytes =
-      branch_capacity_in_bytes_.load(std::memory_order_relaxed);
-
-  if (capacity_in_bytes < usable_size) [[unlikely]] {
-    // Even if this branch dequarantines all entries held by it, this entry
-    // cannot fit within the capacity.
-    root_.allocator_root_.FreeNoHooksImmediate(object, slot_span, slot_start);
-    root_.quarantine_miss_count_.fetch_add(1u, std::memory_order_relaxed);
-    return false;
   }
-
-  {
-    ConditionalScopedGuard guard(lock_required_, lock_);
-
-    // Dequarantine some entries as required.
-    PurgeInternal(capacity_in_bytes - usable_size);
-
-    // Put the entry onto the list.
-    branch_size_in_bytes_ += usable_size;
-    slots_.push_back({slot_start, usable_size});
-
-    // Swap randomly so that the quarantine list remain shuffled.
-    // This is not uniformly random, but sufficiently random.
-    const size_t random_index = random_.RandUint32() % slots_.size();
-    std::swap(slots_[random_index], slots_.back());
-  }
-
-  // Update stats (not locked).
-  root_.count_.fetch_add(1, std::memory_order_relaxed);
-  root_.size_in_bytes_.fetch_add(usable_size, std::memory_order_relaxed);
-  root_.cumulative_count_.fetch_add(1, std::memory_order_relaxed);
-  root_.cumulative_size_in_bytes_.fetch_add(usable_size,
-                                            std::memory_order_relaxed);
-  return true;
 }
 
 bool LightweightQuarantineBranch::IsQuarantinedForTesting(void* object) {
-  ConditionalScopedGuard guard(lock_required_, lock_);
+  RuntimeConditionalScopedGuard guard(lock_required_, lock_);
   uintptr_t slot_start =
       root_.allocator_root_.ObjectToSlotStartUnchecked(object);
   for (const auto& slot : slots_) {
@@ -121,12 +122,120 @@ void LightweightQuarantineBranch::SetCapacityInBytes(size_t capacity_in_bytes) {
 }
 
 void LightweightQuarantineBranch::Purge() {
-  ConditionalScopedGuard guard(lock_required_, lock_);
+  RuntimeConditionalScopedGuard guard(lock_required_, lock_);
   PurgeInternal(0);
-  PA_DCHECK(slots_.empty());
   slots_.shrink_to_fit();
 }
 
+template <LightweightQuarantineBranch::LockRequired lock_required>
+bool LightweightQuarantineBranch::QuarantineInternal(
+    void* object,
+    SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+    uintptr_t slot_start,
+    size_t usable_size) {
+  PA_DCHECK(lock_required_ ? lock_required == LockRequired::kRequired
+                           : lock_required == LockRequired::kNotRequired);
+  PA_DCHECK(usable_size == root_.allocator_root_.GetSlotUsableSize(slot_span));
+
+  const size_t capacity_in_bytes =
+      branch_capacity_in_bytes_.load(std::memory_order_relaxed);
+  if (capacity_in_bytes < usable_size) [[unlikely]] {
+    // Even if this branch dequarantines all entries held by it, this entry
+    // cannot fit within the capacity.
+    root_.allocator_root_.FreeNoHooksImmediate(object, slot_span, slot_start);
+    root_.quarantine_miss_count_.fetch_add(1u, std::memory_order_relaxed);
+    return false;
+  }
+
+  if constexpr (lock_required == LockRequired::kNotRequired) {
+    // Although there is no need to actually acquire the lock as
+    // LockRequired::kNotRequired is specified,
+    // a CompileTimeConditionalScopedGuard is necessary in order to touch
+    // `slots_` as `slots_` is annotated with `PA_GUARDED_BY(lock_)`.
+    // CompileTimeConditionalScopedGuard's ctor and dtor behave as
+    // PA_EXCLUSIVE_LOCK_FUNCTION and PA_UNLOCK_FUNCTION.
+    CompileTimeConditionalScopedGuard<lock_required> guard(lock_);
+
+    // Dequarantine some entries as required.
+    PurgeInternal(capacity_in_bytes - usable_size);
+
+    // Put the entry onto the list.
+    branch_size_in_bytes_ += usable_size;
+    slots_.push_back({slot_start, usable_size});
+
+    // Swap randomly so that the quarantine list remain shuffled.
+    // This is not uniformly random, but sufficiently random.
+    const size_t random_index = random_.RandUint32() % slots_.size();
+    std::swap(slots_[random_index], slots_.back());
+  } else {
+    std::unique_ptr<ToBeFreedArray, InternalPartitionDeleter<ToBeFreedArray>>
+        to_be_freed;
+    size_t num_of_slots = 0;
+
+    {
+      CompileTimeConditionalScopedGuard<lock_required> guard(lock_);
+
+      // Borrow the reserved working memory from to_be_freed_working_memory_,
+      // and set nullptr to it indicating that it's in use.
+      to_be_freed.reset(to_be_freed_working_memory_.exchange(nullptr));
+      if (!to_be_freed) {
+        // When the reserved working memory has already been in use by another
+        // thread, fall back to allocate another chunk of working memory.
+        to_be_freed.reset(ConstructAtInternalPartition<ToBeFreedArray>());
+      }
+
+      // Dequarantine some entries as required. Save the objects to be
+      // deallocated into `to_be_freed`.
+      PurgeInternalWithDefferedFree(capacity_in_bytes - usable_size,
+                                    *to_be_freed, num_of_slots);
+
+      // Put the entry onto the list.
+      branch_size_in_bytes_ += usable_size;
+      slots_.push_back({slot_start, usable_size});
+
+      // Swap randomly so that the quarantine list remain shuffled.
+      // This is not uniformly random, but sufficiently random.
+      const size_t random_index = random_.RandUint32() % slots_.size();
+      std::swap(slots_[random_index], slots_.back());
+    }
+
+    // Actually deallocate the dequarantined objects.
+    BatchFree(*to_be_freed, num_of_slots);
+
+    // Return the possibly-borrowed working memory to
+    // to_be_freed_working_memory_. It doesn't matter much if it's really
+    // borrowed or locally-allocated. The important facts are 1) to_be_freed is
+    // non-null, and 2) to_be_freed_working_memory_ may likely be null (because
+    // this or another thread has already borrowed it). It's simply good to make
+    // to_be_freed_working_memory_ non-null whenever possible. Maybe yet another
+    // thread would be about to borrow the working memory.
+    to_be_freed.reset(
+        to_be_freed_working_memory_.exchange(to_be_freed.release()));
+  }
+
+  // Update stats (not locked).
+  root_.count_.fetch_add(1, std::memory_order_relaxed);
+  root_.size_in_bytes_.fetch_add(usable_size, std::memory_order_relaxed);
+  root_.cumulative_count_.fetch_add(1, std::memory_order_relaxed);
+  root_.cumulative_size_in_bytes_.fetch_add(usable_size,
+                                            std::memory_order_relaxed);
+  return true;
+}
+
+template bool LightweightQuarantineBranch::QuarantineInternal<
+    LightweightQuarantineBranch::LockRequired::kNotRequired>(
+    void* object,
+    SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+    uintptr_t slot_start,
+    size_t usable_size);
+
+template bool LightweightQuarantineBranch::QuarantineInternal<
+    LightweightQuarantineBranch::LockRequired::kRequired>(
+    void* object,
+    SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+    uintptr_t slot_start,
+    size_t usable_size);
+
 PA_ALWAYS_INLINE void LightweightQuarantineBranch::PurgeInternal(
     size_t target_size_in_bytes) {
   int64_t freed_count = 0;
@@ -163,4 +272,53 @@ PA_ALWAYS_INLINE void LightweightQuarantineBranch::PurgeInternal(
   root_.count_.fetch_sub(freed_count, std::memory_order_relaxed);
 }
 
+PA_ALWAYS_INLINE void
+LightweightQuarantineBranch::PurgeInternalWithDefferedFree(
+    size_t target_size_in_bytes,
+    ToBeFreedArray& to_be_freed,
+    size_t& num_of_slots) {
+  num_of_slots = 0;
+
+  int64_t freed_size_in_bytes = 0;
+
+  // Dequarantine some entries as required.
+  while (target_size_in_bytes < branch_size_in_bytes_) {
+    PA_DCHECK(!slots_.empty());
+
+    // As quarantined entries are shuffled, picking last entry is equivalent to
+    // picking random entry.
+    const QuarantineSlot& to_free = slots_.back();
+    const size_t to_free_size = to_free.usable_size;
+
+    to_be_freed[num_of_slots++] = to_free.slot_start;
+    slots_.pop_back();
+
+    freed_size_in_bytes += to_free_size;
+    branch_size_in_bytes_ -= to_free_size;
+
+    if (num_of_slots >= kMaxFreeTimesPerPurge) {
+      break;
+    }
+  }
+
+  root_.size_in_bytes_.fetch_sub(freed_size_in_bytes,
+                                 std::memory_order_relaxed);
+  root_.count_.fetch_sub(num_of_slots, std::memory_order_relaxed);
+}
+
+PA_ALWAYS_INLINE void LightweightQuarantineBranch::BatchFree(
+    const ToBeFreedArray& to_be_freed,
+    size_t num_of_slots) {
+  for (size_t i = 0; i < num_of_slots; ++i) {
+    const uintptr_t slot_start = to_be_freed[i];
+    PA_DCHECK(slot_start);
+    auto* slot_span =
+        SlotSpanMetadata<MetadataKind::kReadOnly>::FromSlotStart(slot_start);
+    void* object = root_.allocator_root_.SlotStartToObject(slot_start);
+    PA_DCHECK(slot_span ==
+              SlotSpanMetadata<MetadataKind::kReadOnly>::FromObject(object));
+    root_.allocator_root_.FreeNoHooksImmediate(object, slot_span, slot_start);
+  }
+}
+
 }  // namespace partition_alloc::internal

src/base/allocator/partition_allocator/src/partition_alloc/lightweight_quarantine.h

@@ -108,10 +108,35 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) LightweightQuarantineBranch {
   // as much as possible.  If the object is too large, this may return
   // `false`, meaning that quarantine request has failed (and freed
   // immediately). Otherwise, returns `true`.
-  bool Quarantine(void* object,
+  PA_ALWAYS_INLINE bool Quarantine(
-                  SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+      void* object,
-                  uintptr_t slot_start,
+      SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
-                  size_t usable_size);
+      uintptr_t slot_start,
+      size_t usable_size) {
+    return lock_required_ ? QuarantineWithAcquiringLock(object, slot_span,
+                                                        slot_start, usable_size)
+                          : QuarantineWithoutAcquiringLock(
+                                object, slot_span, slot_start, usable_size);
+  }
+  // Despite that LightweightQuarantineBranchConfig::lock_required_ is already
+  // specified, we provide two versions `With/WithoutAcquiringLock` so that we
+  // can avoid the overhead of runtime conditional branches.
+  PA_ALWAYS_INLINE bool QuarantineWithAcquiringLock(
+      void* object,
+      SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+      uintptr_t slot_start,
+      size_t usable_size) {
+    PA_MUSTTAIL return QuarantineInternal<LockRequired::kRequired>(
+        object, slot_span, slot_start, usable_size);
+  }
+  PA_ALWAYS_INLINE bool QuarantineWithoutAcquiringLock(
+      void* object,
+      SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+      uintptr_t slot_start,
+      size_t usable_size) {
+    PA_MUSTTAIL return QuarantineInternal<LockRequired::kNotRequired>(
+        object, slot_span, slot_start, usable_size);
+  }
 
   // Dequarantine all entries **held by this branch**.
   // It is possible that another branch with entries and it remains untouched.
@@ -130,9 +155,27 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) LightweightQuarantineBranch {
   void SetCapacityInBytes(size_t capacity_in_bytes);
 
  private:
+  enum class LockRequired { kNotRequired, kRequired };
+  template <LockRequired lock_required>
+  class PA_SCOPED_LOCKABLE CompileTimeConditionalScopedGuard;
+  class PA_SCOPED_LOCKABLE RuntimeConditionalScopedGuard;
+  // `ToBeFreedArray` is used in `PurgeInternalInTwoPhases1of2` and
+  // `PurgeInternalInTwoPhases2of2`. See the function comment about the purpose.
+  // In order to avoid reentrancy issues, we must not deallocate any object in
+  // `Quarantine`. So, std::vector is not an option. std::array doesn't
+  // deallocate, plus, std::array has perf advantages.
+  static constexpr size_t kMaxFreeTimesPerPurge = 1024;
+  using ToBeFreedArray = std::array<uintptr_t, kMaxFreeTimesPerPurge>;
+
   LightweightQuarantineBranch(Root& root,
                               const LightweightQuarantineBranchConfig& config);
 
+  template <LockRequired lock_required>
+  bool QuarantineInternal(void* object,
+                          SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+                          uintptr_t slot_start,
+                          size_t usable_size);
+
   // Try to dequarantine entries to satisfy below:
   //   root_.size_in_bytes_ <=  target_size_in_bytes
   // It is possible that this branch cannot satisfy the
@@ -140,6 +183,19 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) LightweightQuarantineBranch {
   // constraint, call `Purge()` for each branch in sequence, synchronously.
   PA_ALWAYS_INLINE void PurgeInternal(size_t target_size_in_bytes)
       PA_EXCLUSIVE_LOCKS_REQUIRED(lock_);
+  // In order to reduce thread contention, dequarantines entries in two phases:
+  //   Phase 1) With the lock acquired, saves `slot_start`s of the quarantined
+  //     objects in an array, and shrinks `slots_`. Then, releases the lock so
+  //     that another thread can quarantine an object.
+  //   Phase 2) Without the lock acquired, deallocates objects saved in the
+  //     array in Phase 1. This may take some time, but doesn't block other
+  //     threads.
+  PA_ALWAYS_INLINE void PurgeInternalWithDefferedFree(
+      size_t target_size_in_bytes,
+      ToBeFreedArray& to_be_freed,
+      size_t& num_of_slots) PA_EXCLUSIVE_LOCKS_REQUIRED(lock_);
+  PA_ALWAYS_INLINE void BatchFree(const ToBeFreedArray& to_be_freed,
+                                  size_t num_of_slots);
 
   Root& root_;
 
@@ -161,9 +217,35 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) LightweightQuarantineBranch {
   // Using `std::atomic` here so that other threads can update this value.
   std::atomic_size_t branch_capacity_in_bytes_;
 
+  // This working memory is temporarily needed only while dequarantining
+  // objects in slots_ when lock_required_ is true. However, allocating this
+  // working memory on stack may cause stack overflow [1]. Plus, it's non-
+  // negligible perf penalty to allocate and deallocate this working memory on
+  // heap only while dequarantining. So, we reserve one chunk of working memory
+  // on heap during the entire lifetime of this branch object and try to reuse
+  // this working memory among threads. Only when thread contention occurs, we
+  // allocate and deallocate another chunk of working memory.
+  // [1] https://issues.chromium.org/issues/387508217
+  std::atomic<ToBeFreedArray*> to_be_freed_working_memory_ = nullptr;
+
   friend class LightweightQuarantineRoot;
 };
 
+extern template PA_COMPONENT_EXPORT(
+    PARTITION_ALLOC) bool LightweightQuarantineBranch::
+    QuarantineInternal<LightweightQuarantineBranch::LockRequired::kNotRequired>(
+        void* object,
+        SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+        uintptr_t slot_start,
+        size_t usable_size);
+extern template PA_COMPONENT_EXPORT(
+    PARTITION_ALLOC) bool LightweightQuarantineBranch::
+    QuarantineInternal<LightweightQuarantineBranch::LockRequired::kRequired>(
+        void* object,
+        SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+        uintptr_t slot_start,
+        size_t usable_size);
+
 }  // namespace internal
 
 }  // namespace partition_alloc

src/base/allocator/partition_allocator/src/partition_alloc/oom.cc

@@ -15,6 +15,7 @@
 
 #include <array>
 #include <cstdlib>
+#include <limits>
 #endif  // PA_BUILDFLAG(IS_WIN)
 
 namespace partition_alloc {
@@ -26,7 +27,8 @@ namespace internal {
 // Crash server classifies base::internal::OnNoMemoryInternal as OOM.
 // TODO(crbug.com/40158212): Update to
 // partition_alloc::internal::base::internal::OnNoMemoryInternal
-PA_NOINLINE void OnNoMemoryInternal(size_t size) {
+[[noreturn]] PA_NOINLINE PA_NOT_TAIL_CALLED void OnNoMemoryInternal(
+    size_t size) {
   g_oom_size = size;
   size_t tmp_size = size;
   internal::base::debug::Alias(&tmp_size);

src/base/allocator/partition_allocator/src/partition_alloc/oom.h

@@ -22,8 +22,8 @@ namespace partition_alloc {
 // |size| is the size of the failed allocation, or 0 if not known.
 // Crash reporting classifies such crashes as OOM.
 // Must be allocation-safe.
-PA_COMPONENT_EXPORT(PARTITION_ALLOC)
+[[noreturn]] PA_NOT_TAIL_CALLED PA_COMPONENT_EXPORT(
-void TerminateBecauseOutOfMemory(size_t size);
+    PARTITION_ALLOC) void TerminateBecauseOutOfMemory(size_t size);
 
 // Records the size of the allocation that caused the current OOM crash, for
 // consumption by Breakpad.

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator_constants.h

@@ -26,7 +26,7 @@
 #define PAGE_ALLOCATOR_CONSTANTS_DECLARE_CONSTEXPR __attribute__((const))
 
 #elif (PA_BUILDFLAG(IS_ANDROID) && PA_BUILDFLAG(PA_ARCH_CPU_64_BITS)) || \
-    (PA_BUILDFLAG(IS_LINUX) && PA_BUILDFLAG(PA_ARCH_CPU_ARM64)) || \
+    (PA_BUILDFLAG(IS_LINUX) && PA_BUILDFLAG(PA_ARCH_CPU_ARM64)) ||       \
     (PA_BUILDFLAG(IS_LINUX) && PA_BUILDFLAG(PA_ARCH_CPU_PPC64))
 // This should work for all POSIX (if needed), but currently all other
 // supported OS/architecture combinations use either hard-coded values
@@ -39,6 +39,7 @@
 #define PAGE_ALLOCATOR_CONSTANTS_DECLARE_CONSTEXPR __attribute__((const))
 
 #include <unistd.h>
+
 #include <atomic>
 
 namespace partition_alloc::internal {
@@ -69,9 +70,30 @@ extern PageCharacteristics page_characteristics;
 
 // Ability to name anonymous VMAs is available on some, but not all Linux-based
 // systems.
-#if PA_BUILDFLAG(IS_ANDROID) || PA_BUILDFLAG(IS_LINUX)
+#if PA_BUILDFLAG(IS_ANDROID) || PA_BUILDFLAG(IS_LINUX) || \
+    PA_BUILDFLAG(IS_CHROMEOS)
 #include <sys/prctl.h>
 
+#if (PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)) && \
+    !(defined(PR_SET_VMA) && defined(PR_SET_VMA_ANON_NAME))
+
+// The PR_SET_VMA* symbols are originally from
+// https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/private/bionic_prctl.h
+// and were subsequently added to mainline Linux in Jan 2022, see
+// https://github.com/torvalds/linux/commit/9a10064f5625d5572c3626c1516e0bebc6c9fe9b.
+//
+// Define them to support compiling with older headers.
+#if !defined(PR_SET_VMA)
+#define PR_SET_VMA 0x53564d41
+#endif
+
+#if !defined(PR_SET_VMA_ANON_NAME)
+#define PR_SET_VMA_ANON_NAME 0
+#endif
+
+#endif  // (PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)) &&
+        // !(defined(PR_SET_VMA) && defined(PR_SET_VMA_ANON_NAME))
+
 #if defined(PR_SET_VMA) && defined(PR_SET_VMA_ANON_NAME)
 #define LINUX_NAME_REGION 1
 #endif

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator_internals_fuchsia.h

@@ -28,8 +28,6 @@
 
 namespace partition_alloc::internal {
 
-namespace {
-
 zx::resource GetVmexResource() {
   auto vmex_resource_client =
       component::Connect<fuchsia_kernel::VmexResource>();
@@ -94,8 +92,6 @@ zx_vm_option_t PageAccessibilityToZxVmOptions(
   PA_NOTREACHED();
 }
 
-}  // namespace
-
 // zx_vmar_map() will fail if the VMO cannot be mapped at |vmar_offset|, i.e.
 // |hint| is not advisory.
 constexpr bool kHintIsAdvisory = false;

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator_internals_posix.cc

@@ -7,10 +7,39 @@
 #include "partition_alloc/build_config.h"
 #include "partition_alloc/buildflags.h"
 #include "partition_alloc/page_allocator.h"
+#include "partition_alloc/partition_alloc_base/notreached.h"
+
+#if PA_BUILDFLAG(IS_APPLE)
+#include "partition_alloc/partition_alloc_base/apple/foundation_util.h"
+#if PA_BUILDFLAG(IS_IOS)
+#include "partition_alloc/partition_alloc_base/ios/ios_util.h"
+#elif PA_BUILDFLAG(IS_MAC)
+#include "partition_alloc/partition_alloc_base/mac/mac_util.h"
+#else
+#error "Unknown platform"
+#endif
+#include <Availability.h>
+#include <Security/Security.h>
+#include <mach/mach.h>
+
+#include "partition_alloc/partition_alloc_base/apple/scoped_cftyperef.h"
+#endif
+
+#if PA_BUILDFLAG(IS_MAC)
+
+// SecTaskGetCodeSignStatus is marked as unavailable on macOS, although it’s
+// available on iOS and other Apple operating systems. It is, in fact, present
+// on the system since macOS 10.12.
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wavailability"
+uint32_t SecTaskGetCodeSignStatus(SecTaskRef task) API_AVAILABLE(macos(10.12));
+#pragma clang diagnostic pop
+
+#endif  // PA_BUILDFLAG(IS_MAC)
 
 #if PA_BUILDFLAG(HAS_MEMORY_TAGGING) ||                                        \
     (defined(__ARM_FEATURE_BTI_DEFAULT) && (__ARM_FEATURE_BTI_DEFAULT == 1) && \
-     !defined(__MUSL__))
+     __has_include(<sys/ifunc.h>))
 struct __ifunc_arg_t;
 
 #include "partition_alloc/aarch64_support.h"
@@ -91,4 +120,88 @@ int GetAccessFlags(PageAccessibilityConfiguration accessibility)
 }
 #endif
 
+#if defined(LINUX_NAME_REGION)
+
+void NameRegion(void* start, size_t length, PageTag page_tag) {
+  // Important: All the names should be string literals. As per prctl.h in
+  // //third_party/android_toolchain/ndk the kernel keeps a pointer to the name
+  // instead of copying it.
+  //
+  // Having the name in .rodata ensures that the pointer remains valid as
+  // long as the mapping is alive.
+  const char* name = nullptr;
+  switch (page_tag) {
+    case PageTag::kSimulation:
+      name = "simulation";
+      break;
+    case PageTag::kBlinkGC:
+      name = "blink_gc";
+      break;
+    case PageTag::kPartitionAlloc:
+      name = "partition_alloc";
+      break;
+    case PageTag::kChromium:
+      name = "chromium";
+      break;
+    case PageTag::kV8:
+      name = "v8";
+      break;
+    default:
+      PA_NOTREACHED();
+  }
+
+  // No error checking on purpose, used for debugging only.
+  prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, start, length, name);
+}
+
+#endif  // defined(LINUX_NAME_REGION)
+
+#if PA_BUILDFLAG(IS_MAC)
+// Tests whether the version of macOS supports the MAP_JIT flag and if the
+// current process is signed with the hardened runtime and the allow-jit
+// entitlement, returning whether MAP_JIT should be used to allocate regions
+// that will contain JIT-compiled executable code.
+bool UseMapJit() {
+  // Until determining that the hardened runtime is enabled, early returns will
+  // return true, so that MAP_JIT will be used. This is important on arm64,
+  // which only allows pages to be simultaneously writable and executable when
+  // in a region allocated with MAP_JIT, regardless of code signing options. On
+  // arm64, an attempt to set a non-MAP_JIT page as simultaneously writable and
+  // executable fails with EPERM. Although this is not enforced on x86_64,
+  // MAP_JIT is harmless in that case.
+
+  base::apple::ScopedCFTypeRef<SecTaskRef> task(
+      SecTaskCreateFromSelf(kCFAllocatorDefault));
+  if (!task) {
+    return true;
+  }
+
+  uint32_t flags = SecTaskGetCodeSignStatus(task);
+  if (!(flags & kSecCodeSignatureRuntime)) {
+    // The hardened runtime is not enabled. Note that kSecCodeSignatureRuntime
+    // == CS_RUNTIME.
+    return true;
+  }
+
+  // The hardened runtime is enabled. From this point on, early returns must
+  // return false, indicating that MAP_JIT is not to be used. It’s an error
+  // (EINVAL) to use MAP_JIT with the hardened runtime unless the JIT
+  // entitlement is specified.
+
+  base::apple::ScopedCFTypeRef<CFTypeRef> jit_entitlement(
+      SecTaskCopyValueForEntitlement(
+          task.get(), CFSTR("com.apple.security.cs.allow-jit"), nullptr));
+  if (!jit_entitlement) {
+    return false;
+  }
+
+  return base::apple::CFCast<CFBooleanRef>(jit_entitlement.get()) ==
+         kCFBooleanTrue;
+}
+#elif PA_BUILDFLAG(IS_IOS)
+bool UseMapJit() {
+  return true;
+}
+#endif  // PA_BUILDFLAG(IS_IOS)
+
 }  // namespace partition_alloc::internal

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator_internals_posix.h

@@ -19,29 +19,14 @@
 #include "partition_alloc/oom.h"
 #include "partition_alloc/page_allocator.h"
 #include "partition_alloc/page_allocator_constants.h"
-#include "partition_alloc/partition_alloc_base/notreached.h"
 #include "partition_alloc/partition_alloc_base/posix/eintr_wrapper.h"
 #include "partition_alloc/partition_alloc_check.h"
 #include "partition_alloc/thread_isolation/thread_isolation.h"
 
-#if PA_BUILDFLAG(IS_APPLE)
-#include "partition_alloc/partition_alloc_base/apple/foundation_util.h"
-#if PA_BUILDFLAG(IS_IOS)
-#include "partition_alloc/partition_alloc_base/ios/ios_util.h"
-#elif PA_BUILDFLAG(IS_MAC)
-#include "partition_alloc/partition_alloc_base/mac/mac_util.h"
-#else
-#error "Unknown platform"
-#endif
-#include "partition_alloc/partition_alloc_base/apple/scoped_cftyperef.h"
-
-#include <Availability.h>
-#include <Security/Security.h>
-#include <mach/mach.h>
-#endif
 #if PA_BUILDFLAG(IS_ANDROID) || PA_BUILDFLAG(IS_LINUX)
 #include <sys/prctl.h>
 #endif
+
 #if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
 #include <sys/resource.h>
 #endif
@@ -50,114 +35,19 @@
 #define MAP_ANONYMOUS MAP_ANON
 #endif
 
-#if PA_BUILDFLAG(IS_MAC)
-
-// SecTaskGetCodeSignStatus is marked as unavailable on macOS, although it’s
-// available on iOS and other Apple operating systems. It is, in fact, present
-// on the system since macOS 10.12.
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wavailability"
-uint32_t SecTaskGetCodeSignStatus(SecTaskRef task) API_AVAILABLE(macos(10.12));
-#pragma clang diagnostic pop
-
-#endif  // PA_BUILDFLAG(IS_MAC)
-
 namespace partition_alloc::internal {
 
-namespace {
-
 #if defined(LINUX_NAME_REGION)
-
+void NameRegion(void* start, size_t length, PageTag page_tag);
-void NameRegion(void* start, size_t length, PageTag page_tag) {
-  // Important: All the names should be string literals. As per prctl.h in
-  // //third_party/android_toolchain/ndk the kernel keeps a pointer to the name
-  // instead of copying it.
-  //
-  // Having the name in .rodata ensures that the pointer remains valid as
-  // long as the mapping is alive.
-  const char* name = nullptr;
-  switch (page_tag) {
-    case PageTag::kSimulation:
-      name = "simulation";
-      break;
-    case PageTag::kBlinkGC:
-      name = "blink_gc";
-      break;
-    case PageTag::kPartitionAlloc:
-      name = "partition_alloc";
-      break;
-    case PageTag::kChromium:
-      name = "chromium";
-      break;
-    case PageTag::kV8:
-      name = "v8";
-      break;
-    default:
-      PA_NOTREACHED();
-      break;
-  }
-
-  // No error checking on purpose, testing only.
-  prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, start, length, name);
-}
-
 #endif  // defined(LINUX_NAME_REGION)
 
-#if PA_BUILDFLAG(IS_MAC)
+#if PA_BUILDFLAG(IS_APPLE)
 // Tests whether the version of macOS supports the MAP_JIT flag and if the
 // current process is signed with the hardened runtime and the allow-jit
 // entitlement, returning whether MAP_JIT should be used to allocate regions
 // that will contain JIT-compiled executable code.
-bool UseMapJit() {
+bool UseMapJit();
-  // Until determining that the hardened runtime is enabled, early returns will
-  // return true, so that MAP_JIT will be used. This is important on arm64,
-  // which only allows pages to be simultaneously writable and executable when
-  // in a region allocated with MAP_JIT, regardless of code signing options. On
-  // arm64, an attempt to set a non-MAP_JIT page as simultaneously writable and
-  // executable fails with EPERM. Although this is not enforced on x86_64,
-  // MAP_JIT is harmless in that case.
-
-  base::apple::ScopedCFTypeRef<SecTaskRef> task(
-      SecTaskCreateFromSelf(kCFAllocatorDefault));
-  if (!task) {
-    return true;
-  }
-
-  uint32_t flags = SecTaskGetCodeSignStatus(task);
-  if (!(flags & kSecCodeSignatureRuntime)) {
-    // The hardened runtime is not enabled. Note that kSecCodeSignatureRuntime
-    // == CS_RUNTIME.
-    return true;
-  }
-
-  // The hardened runtime is enabled. From this point on, early returns must
-  // return false, indicating that MAP_JIT is not to be used. It’s an error
-  // (EINVAL) to use MAP_JIT with the hardened runtime unless the JIT
-  // entitlement is specified.
-
-  base::apple::ScopedCFTypeRef<CFTypeRef> jit_entitlement(
-      SecTaskCopyValueForEntitlement(
-          task.get(), CFSTR("com.apple.security.cs.allow-jit"), nullptr));
-  if (!jit_entitlement) {
-    return false;
-  }
-
-  return base::apple::CFCast<CFBooleanRef>(jit_entitlement.get()) ==
-         kCFBooleanTrue;
-}
-#elif PA_BUILDFLAG(IS_IOS)
-bool UseMapJit() {
-// Always enable MAP_JIT in simulator as it is supported unconditionally.
-#if TARGET_IPHONE_SIMULATOR
-  return true;
-#else
-  // TODO(crbug.com/40255826): Fill this out when the API it is
-  // available.
-  return false;
-#endif  // TARGET_IPHONE_SIMULATOR
-}
 #endif  // PA_BUILDFLAG(IS_IOS)
-}  // namespace
 
 // |mmap| uses a nearby address if the hint address is blocked.
 constexpr bool kHintIsAdvisory = true;
@@ -193,6 +83,13 @@ uintptr_t SystemAllocPagesInternal(uintptr_t hint,
           PageAccessibilityConfiguration::kInaccessibleWillJitLater &&
       kUseMapJit) {
     map_flags |= MAP_JIT;
+    // iOS devices do not support toggling the page permissions after a MAP_JIT
+    // call, they must be set initially. iOS has per-thread W^X state that
+    // takes precedence over the mapping's permissions for MAP_JIT regions.
+    // See https://developer.apple.com/forums/thread/672804
+#if PA_BUILDFLAG(IS_IOS)
+    access_flag = PROT_READ | PROT_WRITE | PROT_EXEC;
+#endif
   }
 #endif
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_address_space.cc

@@ -7,6 +7,7 @@
 #include <array>
 #include <cstddef>
 #include <cstdint>
+#include <cstring>
 #include <ostream>
 #include <string>
 
@@ -18,6 +19,7 @@
 #include "partition_alloc/partition_alloc_base/bits.h"
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"
 #include "partition_alloc/partition_alloc_base/debug/alias.h"
+#include "partition_alloc/partition_alloc_base/files/platform_file.h"
 #include "partition_alloc/partition_alloc_check.h"
 #include "partition_alloc/partition_alloc_config.h"
 #include "partition_alloc/partition_alloc_constants.h"
@@ -88,9 +90,12 @@ std::ptrdiff_t PartitionAddressSpace::brp_pool_shadow_offset_ = 0;
 std::ptrdiff_t PartitionAddressSpace::configurable_pool_shadow_offset_ = 0;
 
 // File descriptors for shared mappings.
-int PartitionAddressSpace::regular_pool_fd_ = -1;
+base::PlatformFile PartitionAddressSpace::regular_pool_fd_ =
-int PartitionAddressSpace::brp_pool_fd_ = -1;
+    base::kInvalidPlatformFile;
-int PartitionAddressSpace::configurable_pool_fd_ = -1;
+base::PlatformFile PartitionAddressSpace::brp_pool_fd_ =
+    base::kInvalidPlatformFile;
+base::PlatformFile PartitionAddressSpace::configurable_pool_fd_ =
+    base::kInvalidPlatformFile;
 
 uintptr_t PartitionAddressSpace::pool_shadow_address_ =
     PartitionAddressSpace::kUninitializedPoolBaseAddress;
@@ -101,8 +106,7 @@ uintptr_t PartitionAddressSpace::pool_shadow_address_ =
 #error Dynamic pool size is only supported on iOS.
 #endif
 
-namespace {
+bool PartitionAddressSpace::IsIOSTestProcess() {
-bool IsIOSTestProcess() {
   // On iOS, only applications with the extended virtual addressing entitlement
   // can use a large address space. Since Earl Grey test runner apps cannot get
   // entitlements, they must use a much smaller pool size. Similarly,
@@ -133,24 +137,11 @@ bool IsIOSTestProcess() {
 
   return has_suffix("Runner") || has_suffix("ios_web_view_inttests");
 }
-}  // namespace
-
-PA_ALWAYS_INLINE size_t PartitionAddressSpace::RegularPoolSize() {
-  return IsIOSTestProcess() ? kRegularPoolSizeForIOSTestProcess
-                            : kRegularPoolSize;
-}
-PA_ALWAYS_INLINE size_t PartitionAddressSpace::BRPPoolSize() {
-  return IsIOSTestProcess() ? kBRPPoolSizeForIOSTestProcess : kBRPPoolSize;
-}
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
 
 #if PA_CONFIG(ENABLE_SHADOW_METADATA)
-size_t PartitionAddressSpace::RegularPoolShadowSize() {
+size_t PartitionAddressSpace::CorePoolShadowSize() {
-  return RegularPoolSize();
+  return CorePoolSize();
-}
-
-size_t PartitionAddressSpace::BRPPoolShadowSize() {
-  return BRPPoolSize();
 }
 
 size_t PartitionAddressSpace::ConfigurablePoolShadowSize() {
@@ -163,26 +154,16 @@ void PartitionAddressSpace::Init() {
     return;
   }
 
-  const size_t regular_pool_size = RegularPoolSize();
+  const size_t core_pool_size = CorePoolSize();
-  const size_t brp_pool_size = BRPPoolSize();
 
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
+  size_t glued_pool_sizes = core_pool_size * 2;
-  // Gluing core pools (regular & BRP) makes sense only when both pools are of
-  // the same size. This the only way we can check belonging to either of the
-  // two with a single bitmask operation.
-  PA_CHECK(regular_pool_size == brp_pool_size);
-
-  // TODO(crbug.com/40238514): Support PA_ENABLE_SHADOW_METADATA.
-  int pools_fd = -1;
-
-  size_t glued_pool_sizes = regular_pool_size * 2;
   // Note, BRP pool requires to be preceded by a "forbidden zone", which is
   // conveniently taken care of by the last guard page of the regular pool.
   setup_.regular_pool_base_address_ =
       AllocPages(glued_pool_sizes, glued_pool_sizes,
                  PageAccessibilityConfiguration(
                      PageAccessibilityConfiguration::kInaccessible),
-                 PageTag::kPartitionAlloc, pools_fd);
+                 PageTag::kPartitionAlloc);
 #if PA_BUILDFLAG(IS_ANDROID)
   // On Android, Adreno-GSL library fails to mmap if we snatch address
   // 0x400000000. Find a different address instead.
@@ -191,7 +172,7 @@ void PartitionAddressSpace::Init() {
         AllocPages(glued_pool_sizes, glued_pool_sizes,
                    PageAccessibilityConfiguration(
                        PageAccessibilityConfiguration::kInaccessible),
-                   PageTag::kPartitionAlloc, pools_fd);
+                   PageTag::kPartitionAlloc);
     FreePages(setup_.regular_pool_base_address_, glued_pool_sizes);
     setup_.regular_pool_base_address_ = new_base_address;
   }
@@ -200,81 +181,45 @@ void PartitionAddressSpace::Init() {
     HandlePoolAllocFailure();
   }
   setup_.brp_pool_base_address_ =
-      setup_.regular_pool_base_address_ + regular_pool_size;
+      setup_.regular_pool_base_address_ + core_pool_size;
-#else  // PA_BUILDFLAG(GLUE_CORE_POOLS)
-  setup_.regular_pool_base_address_ =
-      AllocPages(regular_pool_size, regular_pool_size,
-                 PageAccessibilityConfiguration(
-                     PageAccessibilityConfiguration::kInaccessible),
-                 PageTag::kPartitionAlloc);
-  if (!setup_.regular_pool_base_address_) {
-    HandlePoolAllocFailure();
-  }
-
-  // Reserve an extra allocation granularity unit before the BRP pool, but keep
-  // the pool aligned at BRPPoolSize(). A pointer immediately past an allocation
-  // is a valid pointer, and having a "forbidden zone" before the BRP pool
-  // prevents such a pointer from "sneaking into" the pool.
-  const size_t kForbiddenZoneSize = PageAllocationGranularity();
-  uintptr_t base_address = AllocPagesWithAlignOffset(
-      0, brp_pool_size + kForbiddenZoneSize, brp_pool_size,
-      brp_pool_size - kForbiddenZoneSize,
-      PageAccessibilityConfiguration(
-          PageAccessibilityConfiguration::kInaccessible),
-      PageTag::kPartitionAlloc, -1);
-  if (!base_address) {
-    HandlePoolAllocFailure();
-  }
-  setup_.brp_pool_base_address_ = base_address + kForbiddenZoneSize;
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
 
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-  setup_.regular_pool_base_mask_ = ~(regular_pool_size - 1);
+  setup_.core_pool_base_mask_ = ~(core_pool_size - 1);
-  setup_.brp_pool_base_mask_ = ~(brp_pool_size - 1);
+  // The BRP pool is placed at the end of the regular pool, effectively forming
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
+  // one virtual pool of a twice bigger size. Adjust the mask appropriately.
-  // When PA_GLUE_CORE_POOLS is on, the BRP pool is placed at the end of the
+  setup_.glued_pools_base_mask_ = setup_.core_pool_base_mask_ << 1;
-  // regular pool, effectively forming one virtual pool of a twice bigger
-  // size. Adjust the mask appropriately.
-  setup_.core_pools_base_mask_ = setup_.regular_pool_base_mask_ << 1;
-  PA_DCHECK(setup_.core_pools_base_mask_ == (setup_.brp_pool_base_mask_ << 1));
-#endif
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
 
   AddressPoolManager::GetInstance().Add(
-      kRegularPoolHandle, setup_.regular_pool_base_address_, regular_pool_size);
+      kRegularPoolHandle, setup_.regular_pool_base_address_, core_pool_size);
   AddressPoolManager::GetInstance().Add(
-      kBRPPoolHandle, setup_.brp_pool_base_address_, brp_pool_size);
+      kBRPPoolHandle, setup_.brp_pool_base_address_, core_pool_size);
 
   // Sanity check pool alignment.
-  PA_DCHECK(!(setup_.regular_pool_base_address_ & (regular_pool_size - 1)));
+  PA_DCHECK(!(setup_.regular_pool_base_address_ & (core_pool_size - 1)));
-  PA_DCHECK(!(setup_.brp_pool_base_address_ & (brp_pool_size - 1)));
+  PA_DCHECK(!(setup_.brp_pool_base_address_ & (core_pool_size - 1)));
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
   PA_DCHECK(!(setup_.regular_pool_base_address_ & (glued_pool_sizes - 1)));
-#endif
 
   // Sanity check pool belonging.
   PA_DCHECK(!IsInRegularPool(setup_.regular_pool_base_address_ - 1));
   PA_DCHECK(IsInRegularPool(setup_.regular_pool_base_address_));
-  PA_DCHECK(IsInRegularPool(setup_.regular_pool_base_address_ +
-                            regular_pool_size - 1));
   PA_DCHECK(
-      !IsInRegularPool(setup_.regular_pool_base_address_ + regular_pool_size));
+      IsInRegularPool(setup_.regular_pool_base_address_ + core_pool_size - 1));
+  PA_DCHECK(
+      !IsInRegularPool(setup_.regular_pool_base_address_ + core_pool_size));
   PA_DCHECK(!IsInBRPPool(setup_.brp_pool_base_address_ - 1));
   PA_DCHECK(IsInBRPPool(setup_.brp_pool_base_address_));
-  PA_DCHECK(IsInBRPPool(setup_.brp_pool_base_address_ + brp_pool_size - 1));
+  PA_DCHECK(IsInBRPPool(setup_.brp_pool_base_address_ + core_pool_size - 1));
-  PA_DCHECK(!IsInBRPPool(setup_.brp_pool_base_address_ + brp_pool_size));
+  PA_DCHECK(!IsInBRPPool(setup_.brp_pool_base_address_ + core_pool_size));
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
   PA_DCHECK(!IsInCorePools(setup_.regular_pool_base_address_ - 1));
   PA_DCHECK(IsInCorePools(setup_.regular_pool_base_address_));
   PA_DCHECK(
-      IsInCorePools(setup_.regular_pool_base_address_ + regular_pool_size - 1));
+      IsInCorePools(setup_.regular_pool_base_address_ + core_pool_size - 1));
-  PA_DCHECK(
+  PA_DCHECK(IsInCorePools(setup_.regular_pool_base_address_ + core_pool_size));
-      IsInCorePools(setup_.regular_pool_base_address_ + regular_pool_size));
   PA_DCHECK(IsInCorePools(setup_.brp_pool_base_address_ - 1));
   PA_DCHECK(IsInCorePools(setup_.brp_pool_base_address_));
-  PA_DCHECK(IsInCorePools(setup_.brp_pool_base_address_ + brp_pool_size - 1));
+  PA_DCHECK(IsInCorePools(setup_.brp_pool_base_address_ + core_pool_size - 1));
-  PA_DCHECK(!IsInCorePools(setup_.brp_pool_base_address_ + brp_pool_size));
+  PA_DCHECK(!IsInCorePools(setup_.brp_pool_base_address_ + core_pool_size));
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
 
 #if PA_BUILDFLAG(ENABLE_POINTER_COMPRESSION)
   CompressedPointerBaseGlobal::SetBase(setup_.regular_pool_base_address_);
@@ -356,18 +301,9 @@ void PartitionAddressSpace::UninitForTesting() {
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
   UninitThreadIsolatedPoolForTesting();  // IN-TEST
 #endif
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
   // The core pools (regular & BRP) were allocated using a single allocation of
   // double size.
-  FreePages(setup_.regular_pool_base_address_, 2 * RegularPoolSize());
+  FreePages(setup_.regular_pool_base_address_, 2 * CorePoolSize());
-#else   // PA_BUILDFLAG(GLUE_CORE_POOLS)
-  FreePages(setup_.regular_pool_base_address_, RegularPoolSize());
-  // For BRP pool, the allocation region includes a "forbidden zone" before the
-  // pool.
-  const size_t kForbiddenZoneSize = PageAllocationGranularity();
-  FreePages(setup_.brp_pool_base_address_ - kForbiddenZoneSize,
-            BRPPoolSize() + kForbiddenZoneSize);
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
   // Do not free pages for the configurable pool, because its memory is owned
   // by someone else, but deinitialize it nonetheless.
   setup_.regular_pool_base_address_ = kUninitializedPoolBaseAddress;
@@ -421,9 +357,10 @@ void PartitionAddressSpace::UninitThreadIsolatedPoolForTesting() {
 
 namespace {
 
-int CreateAnonymousFileForMapping([[maybe_unused]] const char* name,
+base::PlatformFile CreateAnonymousFileForMapping(
-                                  [[maybe_unused]] size_t size) {
+    [[maybe_unused]] const char* name,
-  int fd = -1;
+    [[maybe_unused]] size_t size) {
+  base::PlatformFile fd = base::kInvalidPlatformFile;
 #if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
   // TODO(crbug.com/40238514): if memfd_secret() is available, try
   // memfd_secret() first.
@@ -444,7 +381,7 @@ void PartitionAddressSpace::InitShadowMetadata(PoolHandleMask mask) {
     // Reserve 1 address space for all pools.
     const size_t shadow_pool_size =
         std::max(ConfigurablePoolShadowSize(),
-                 std::max(RegularPoolShadowSize(), BRPPoolShadowSize()));
+                 std::max(CorePoolShadowSize(), CorePoolShadowSize()));
 
     // Reserve virtual address space for the shadow pool.
     uintptr_t pool_shadow_address =
@@ -461,7 +398,7 @@ void PartitionAddressSpace::InitShadowMetadata(PoolHandleMask mask) {
 
   // Set up a memory file for the given pool, and init |offset|.
   if (ContainsFlags(mask, PoolHandleMask::kConfigurable)) {
-    if (configurable_pool_fd_ == -1) {
+    if (configurable_pool_fd_ == base::kInvalidPlatformFile) {
       PA_DCHECK(pool_shadow_address_);
       PA_DCHECK(configurable_pool_shadow_offset_ == 0);
       configurable_pool_fd_ = CreateAnonymousFileForMapping(
@@ -472,22 +409,22 @@ void PartitionAddressSpace::InitShadowMetadata(PoolHandleMask mask) {
     }
   }
   if (ContainsFlags(mask, PoolHandleMask::kBRP)) {
-    if (brp_pool_fd_ == -1) {
+    if (brp_pool_fd_ == base::kInvalidPlatformFile) {
       PA_DCHECK(pool_shadow_address_);
       PA_DCHECK(brp_pool_shadow_offset_ == 0);
-      brp_pool_fd_ =
+      brp_pool_fd_ = CreateAnonymousFileForMapping("brp_pool_shadow",
-          CreateAnonymousFileForMapping("brp_pool_shadow", BRPPoolShadowSize());
+                                                   CorePoolShadowSize());
       brp_pool_shadow_offset_ =
           pool_shadow_address_ - BRPPoolBase() +
           SystemPageSize() * kSystemPageOffsetOfBRPPoolShadow;
     }
   }
   if (ContainsFlags(mask, PoolHandleMask::kRegular)) {
-    if (regular_pool_fd_ == -1) {
+    if (regular_pool_fd_ == base::kInvalidPlatformFile) {
       PA_DCHECK(pool_shadow_address_);
       PA_DCHECK(regular_pool_shadow_offset_ == 0);
       regular_pool_fd_ = CreateAnonymousFileForMapping("regular_pool_shadow",
-                                                       RegularPoolShadowSize());
+                                                       CorePoolShadowSize());
       regular_pool_shadow_offset_ =
           pool_shadow_address_ - RegularPoolBase() +
           SystemPageSize() * kSystemPageOffsetOfRegularPoolShadow;
@@ -502,7 +439,7 @@ void PartitionAddressSpace::MapMetadata(uintptr_t super_page,
   PA_DCHECK(pool_shadow_address_);
   PA_DCHECK(0u == (super_page & kSuperPageOffsetMask));
   std::ptrdiff_t offset;
-  int pool_fd = -1;
+  base::PlatformFile pool_fd = base::kInvalidPlatformFile;
   uintptr_t base_address;
 
   if (IsInRegularPool(super_page)) {
@@ -561,13 +498,13 @@ void PartitionAddressSpace::UnmapShadowMetadata(uintptr_t super_page,
   switch (pool) {
     case kRegularPoolHandle:
       PA_DCHECK(RegularPoolBase() <= super_page);
-      PA_DCHECK((super_page - RegularPoolBase()) < RegularPoolSize());
+      PA_DCHECK((super_page - RegularPoolBase()) < CorePoolSize());
       PA_DCHECK(IsShadowMetadataEnabled(kRegularPoolHandle));
       offset = regular_pool_shadow_offset_;
       break;
     case kBRPPoolHandle:
       PA_DCHECK(BRPPoolBase() <= super_page);
-      PA_DCHECK((super_page - BRPPoolBase()) < BRPPoolSize());
+      PA_DCHECK((super_page - BRPPoolBase()) < CorePoolSize());
       PA_DCHECK(IsShadowMetadataEnabled(kBRPPoolHandle));
       offset = brp_pool_shadow_offset_;
       break;

src/base/allocator/partition_allocator/src/partition_alloc/partition_address_space.h

@@ -15,6 +15,7 @@
 #include "partition_alloc/partition_alloc_base/bits.h"
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"
 #include "partition_alloc/partition_alloc_base/component_export.h"
+#include "partition_alloc/partition_alloc_base/files/platform_file.h"
 #include "partition_alloc/partition_alloc_base/notreached.h"
 #include "partition_alloc/partition_alloc_check.h"
 #include "partition_alloc/partition_alloc_config.h"
@@ -46,18 +47,12 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   };
 
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-  PA_ALWAYS_INLINE static uintptr_t BRPPoolBaseMask() {
+  PA_ALWAYS_INLINE static uintptr_t CorePoolBaseMask() {
-    return setup_.brp_pool_base_mask_;
+    return setup_.core_pool_base_mask_;
-  }
-  PA_ALWAYS_INLINE static uintptr_t RegularPoolBaseMask() {
-    return setup_.regular_pool_base_mask_;
   }
 #else
-  PA_ALWAYS_INLINE static constexpr uintptr_t BRPPoolBaseMask() {
+  PA_ALWAYS_INLINE static constexpr uintptr_t CorePoolBaseMask() {
-    return kBRPPoolBaseMask;
+    return kCorePoolBaseMask;
-  }
-  PA_ALWAYS_INLINE static constexpr uintptr_t RegularPoolBaseMask() {
-    return kRegularPoolBaseMask;
   }
 #endif
 
@@ -73,13 +68,13 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
     if (IsInBRPPool(address)) {
       pool = kBRPPoolHandle;
       base = setup_.brp_pool_base_address_;
-      base_mask = BRPPoolBaseMask();
+      base_mask = CorePoolBaseMask();
     } else
 #endif  // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
       if (IsInRegularPool(address)) {
         pool = kRegularPoolHandle;
         base = setup_.regular_pool_base_address_;
-        base_mask = RegularPoolBaseMask();
+        base_mask = CorePoolBaseMask();
       } else if (IsInConfigurablePool(address)) {
         PA_DCHECK(IsConfigurablePoolInitialized());
         pool = kConfigurablePoolHandle;
@@ -150,9 +145,9 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   // Returns false for nullptr.
   PA_ALWAYS_INLINE static bool IsInRegularPool(uintptr_t address) {
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-    const uintptr_t regular_pool_base_mask = setup_.regular_pool_base_mask_;
+    const uintptr_t regular_pool_base_mask = setup_.core_pool_base_mask_;
 #else
-    constexpr uintptr_t regular_pool_base_mask = kRegularPoolBaseMask;
+    constexpr uintptr_t regular_pool_base_mask = kCorePoolBaseMask;
 #endif
     return (address & regular_pool_base_mask) ==
            setup_.regular_pool_base_address_;
@@ -165,34 +160,29 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   // Returns false for nullptr.
   PA_ALWAYS_INLINE static bool IsInBRPPool(uintptr_t address) {
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-    const uintptr_t brp_pool_base_mask = setup_.brp_pool_base_mask_;
+    const uintptr_t brp_pool_base_mask = setup_.core_pool_base_mask_;
 #else
-    constexpr uintptr_t brp_pool_base_mask = kBRPPoolBaseMask;
+    constexpr uintptr_t brp_pool_base_mask = kCorePoolBaseMask;
 #endif
     return (address & brp_pool_base_mask) == setup_.brp_pool_base_address_;
   }
 
 #if PA_CONFIG(ENABLE_SHADOW_METADATA)
   PA_ALWAYS_INLINE static uintptr_t BRPPoolBase() {
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
+    return RegularPoolBase() + CorePoolSize();
-    return RegularPoolBase() + RegularPoolSize();
-#else
-    return setup_.brp_pool_base_address_;
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
   }
 #endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
 
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
   // Checks whether the address belongs to either regular or BRP pool.
   // Returns false for nullptr.
   PA_ALWAYS_INLINE static bool IsInCorePools(uintptr_t address) {
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-    const uintptr_t core_pools_base_mask = setup_.core_pools_base_mask_;
+    const uintptr_t core_pools_base_mask = setup_.glued_pools_base_mask_;
 #else
-    // When PA_GLUE_CORE_POOLS is on, the BRP pool is placed at the end of the
+    // The BRP pool is placed at the end of the regular pool, effectively
-    // regular pool, effectively forming one virtual pool of a twice bigger
+    // forming one virtual pool of a twice bigger size. Adjust the mask
-    // size. Adjust the mask appropriately.
+    // appropriately.
-    constexpr uintptr_t core_pools_base_mask = kRegularPoolBaseMask << 1;
+    constexpr uintptr_t core_pools_base_mask = kCorePoolBaseMask << 1;
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
     bool ret =
         (address & core_pools_base_mask) == setup_.regular_pool_base_address_;
@@ -200,15 +190,12 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
     return ret;
   }
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-  PA_ALWAYS_INLINE static size_t CorePoolsSize() {
+  PA_ALWAYS_INLINE static size_t CorePoolsSize() { return CorePoolSize() * 2; }
-    return RegularPoolSize() * 2;
-  }
 #else
   PA_ALWAYS_INLINE static constexpr size_t CorePoolsSize() {
-    return RegularPoolSize() * 2;
+    return CorePoolSize() * 2;
   }
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
 
   PA_ALWAYS_INLINE static uintptr_t OffsetInBRPPool(uintptr_t address) {
     PA_DCHECK(IsInBRPPool(address));
@@ -235,15 +222,15 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
 
 #if PA_CONFIG(ENABLE_SHADOW_METADATA)
   PA_ALWAYS_INLINE static bool IsShadowMetadataEnabledOnRegularPool() {
-    return regular_pool_fd_ != -1;
+    return regular_pool_fd_ != base::kInvalidPlatformFile;
   }
 
   PA_ALWAYS_INLINE static bool IsShadowMetadataEnabledOnBRPPool() {
-    return brp_pool_fd_ != -1;
+    return brp_pool_fd_ != base::kInvalidPlatformFile;
   }
 
   PA_ALWAYS_INLINE static bool IsShadowMetadataEnabledOnConfigurablePool() {
-    return configurable_pool_fd_ != -1;
+    return configurable_pool_fd_ != base::kInvalidPlatformFile;
   }
 
   PA_ALWAYS_INLINE static bool IsShadowMetadataEnabled(pool_handle pool) {
@@ -290,8 +277,7 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   static constexpr size_t kSystemPageOffsetOfBRPPoolShadow = 2u;
   static constexpr size_t kSystemPageOffsetOfConfigurablePoolShadow = 4u;
 
-  static size_t RegularPoolShadowSize();
+  static size_t CorePoolShadowSize();
-  static size_t BRPPoolShadowSize();
   static size_t ConfigurablePoolShadowSize();
 
   PA_ALWAYS_INLINE static std::ptrdiff_t RegularPoolShadowOffset() {
@@ -327,8 +313,7 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   PA_ALWAYS_INLINE static bool IsInPoolShadow(const void* ptr) {
     uintptr_t ptr_as_uintptr = reinterpret_cast<uintptr_t>(ptr);
     return (pool_shadow_address_ <= ptr_as_uintptr &&
-            (ptr_as_uintptr < pool_shadow_address_ + RegularPoolSize() ||
+            (ptr_as_uintptr < pool_shadow_address_ + CorePoolSize() ||
-             ptr_as_uintptr < pool_shadow_address_ + BRPPoolSize() ||
              ptr_as_uintptr < pool_shadow_address_ + kConfigurablePoolMaxSize));
   }
 #endif  // PA_BUILDFLAG(DCHECKS_ARE_ON)
@@ -346,15 +331,15 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
 
  private:
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-  PA_ALWAYS_INLINE static size_t RegularPoolSize();
+  static bool IsIOSTestProcess();
-  PA_ALWAYS_INLINE static size_t BRPPoolSize();
+
+  PA_ALWAYS_INLINE static size_t CorePoolSize() {
+    return IsIOSTestProcess() ? kCorePoolSizeForIOSTestProcess : kCorePoolSize;
+  }
 #else
   // The pool sizes should be as large as maximum whenever possible.
-  PA_ALWAYS_INLINE static constexpr size_t RegularPoolSize() {
+  PA_ALWAYS_INLINE static constexpr size_t CorePoolSize() {
-    return kRegularPoolSize;
+    return kCorePoolSize;
-  }
-  PA_ALWAYS_INLINE static constexpr size_t BRPPoolSize() {
-    return kBRPPoolSize;
   }
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
 
@@ -383,10 +368,8 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   // certain PA allocations must be located inside a given virtual address
   // region. One use case for this Pool is V8 Sandbox, which requires that
   // ArrayBuffers be located inside of it.
-  static constexpr size_t kRegularPoolSize = kPoolMaxSize;
+  static constexpr size_t kCorePoolSize = kPoolMaxSize;
-  static constexpr size_t kBRPPoolSize = kPoolMaxSize;
+  static_assert(base::bits::HasSingleBit(kCorePoolSize));
-  static_assert(base::bits::HasSingleBit(kRegularPoolSize));
-  static_assert(base::bits::HasSingleBit(kBRPPoolSize));
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
   static constexpr size_t kThreadIsolatedPoolSize = kGiB / 4;
   static_assert(base::bits::HasSingleBit(kThreadIsolatedPoolSize));
@@ -406,22 +389,16 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   // We can't afford pool sizes as large as kPoolMaxSize in iOS EarlGrey tests,
   // since the test process cannot use an extended virtual address space (see
   // crbug.com/1250788).
-  static constexpr size_t kRegularPoolSizeForIOSTestProcess = kGiB / 4;
+  static constexpr size_t kCorePoolSizeForIOSTestProcess = kGiB / 4;
-  static constexpr size_t kBRPPoolSizeForIOSTestProcess = kGiB / 4;
+  static_assert(kCorePoolSizeForIOSTestProcess < kCorePoolSize);
-  static_assert(kRegularPoolSizeForIOSTestProcess < kRegularPoolSize);
+  static_assert(base::bits::HasSingleBit(kCorePoolSizeForIOSTestProcess));
-  static_assert(kBRPPoolSizeForIOSTestProcess < kBRPPoolSize);
-  static_assert(base::bits::HasSingleBit(kRegularPoolSizeForIOSTestProcess));
-  static_assert(base::bits::HasSingleBit(kBRPPoolSizeForIOSTestProcess));
 #endif  // PA_BUILDFLAG(IOS_IOS)
 
 #if !PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
   // Masks used to easy determine belonging to a pool.
-  static constexpr uintptr_t kRegularPoolOffsetMask =
+  static constexpr uintptr_t kCorePoolOffsetMask =
-      static_cast<uintptr_t>(kRegularPoolSize) - 1;
+      static_cast<uintptr_t>(kCorePoolSize) - 1;
-  static constexpr uintptr_t kRegularPoolBaseMask = ~kRegularPoolOffsetMask;
+  static constexpr uintptr_t kCorePoolBaseMask = ~kCorePoolOffsetMask;
-  static constexpr uintptr_t kBRPPoolOffsetMask =
-      static_cast<uintptr_t>(kBRPPoolSize) - 1;
-  static constexpr uintptr_t kBRPPoolBaseMask = ~kBRPPoolOffsetMask;
 #endif  // !PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
 
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
@@ -451,11 +428,8 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
         kUninitializedPoolBaseAddress;
 #endif
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-    uintptr_t regular_pool_base_mask_ = 0;
+    uintptr_t core_pool_base_mask_ = 0;
-    uintptr_t brp_pool_base_mask_ = 0;
+    uintptr_t glued_pools_base_mask_ = 0;
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
-    uintptr_t core_pools_base_mask_ = 0;
-#endif
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
     uintptr_t configurable_pool_base_mask_ = 0;
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
@@ -481,10 +455,9 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   static std::ptrdiff_t regular_pool_shadow_offset_;
   static std::ptrdiff_t brp_pool_shadow_offset_;
   static std::ptrdiff_t configurable_pool_shadow_offset_;
-  // TODO(crbug.com/40238514): Use platform file handles instead of |int|.
+  static base::PlatformFile regular_pool_fd_;
-  static int regular_pool_fd_;
+  static base::PlatformFile brp_pool_fd_;
-  static int brp_pool_fd_;
+  static base::PlatformFile configurable_pool_fd_;
-  static int configurable_pool_fd_;
   static uintptr_t pool_shadow_address_;
 #endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
 
@@ -517,19 +490,11 @@ PA_ALWAYS_INLINE bool IsManagedByPartitionAlloc(uintptr_t address) {
   PA_DCHECK(!internal::PartitionAddressSpace::IsInBRPPool(address));
 #endif
 
-  return
+  return internal::PartitionAddressSpace::IsInCorePools(address)
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
-      internal::PartitionAddressSpace::IsInCorePools(address)
-#else
-#if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
-      internal::PartitionAddressSpace::IsInBRPPool(address) ||
-#endif
-      internal::PartitionAddressSpace::IsInRegularPool(address)
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
-      || internal::PartitionAddressSpace::IsInThreadIsolatedPool(address)
+         || internal::PartitionAddressSpace::IsInThreadIsolatedPool(address)
 #endif
-      || internal::PartitionAddressSpace::IsInConfigurablePool(address);
+         || internal::PartitionAddressSpace::IsInConfigurablePool(address);
 }
 
 // Returns false for nullptr.
@@ -542,13 +507,11 @@ PA_ALWAYS_INLINE bool IsManagedByPartitionAllocBRPPool(uintptr_t address) {
   return internal::PartitionAddressSpace::IsInBRPPool(address);
 }
 
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
 // Checks whether the address belongs to either regular or BRP pool.
 // Returns false for nullptr.
 PA_ALWAYS_INLINE bool IsManagedByPartitionAllocCorePools(uintptr_t address) {
   return internal::PartitionAddressSpace::IsInCorePools(address);
 }
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
 
 // Returns false for nullptr.
 PA_ALWAYS_INLINE bool IsManagedByPartitionAllocConfigurablePool(

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc-inl.h

@@ -65,7 +65,7 @@ PA_ALWAYS_INLINE void DebugMemset(void* ptr, int value, size_t size) {
   // faster. Note that for direct-mapped allocations, memory is decomitted at
   // free() time, so freed memory usage cannot happen.
 
-#if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
+#if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION) && PA_BUILDFLAG(ENABLE_PKEYS)
   LiftThreadIsolationScope lift_thread_isolation_restrictions;
 #endif
   size_t size_to_memset = std::min(size, size_t{1} << 19);

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/augmentations/compiler_specific.h

@@ -9,6 +9,18 @@
 
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"
 
+// Indicate whether `operator<=>()` is supported by both language and library.
+// This can be removed once the minimum C++ version is C++20.
+#if __has_include(<version>)
+#include <version>
+#endif
+#if defined(__cpp_lib_three_way_comparison) && \
+    __cpp_lib_three_way_comparison >= 201907L
+#define PA_HAVE_SPACESHIP_OPERATOR 1
+#else
+#define PA_HAVE_SPACESHIP_OPERATOR 0
+#endif
+
 // PA_ATTRIBUTE_RETURNS_NONNULL
 //
 // Tells the compiler that a function never returns a null pointer.

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/check.h

@@ -20,11 +20,12 @@
 // This header defines the CHECK, DCHECK, and DPCHECK macros.
 //
 // CHECK dies with a fatal error if its condition is not true. It is not
-// controlled by NDEBUG, so the check will be executed regardless of compilation
+// controlled by PA_BUILDFLAG(IS_DEBUG), so the check will be executed
-// mode.
+// regardless of compilation mode.
 //
-// DCHECK, the "debug mode" check, is enabled depending on NDEBUG and
+// DCHECK, the "debug mode" check, is enabled depending on
-// DCHECK_ALWAYS_ON, and its severity depends on DCHECK_IS_CONFIGURABLE.
+// PA_BUILDFLAG(IS_DEBUG) and PA_BUILDFLAG(DCHECK_ALWAYS_ON), and its severity
+// depends on PA_BUILDFLAG(DCHECK_IS_CONFIGURABLE).
 //
 // (D)PCHECK is like (D)CHECK, but includes the system error code (c.f.
 // perror(3)).
@@ -141,9 +142,9 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC_BASE) NotImplemented
 
 }  // namespace check_error
 
-#if defined(OFFICIAL_BUILD) && !defined(NDEBUG)
+#if defined(OFFICIAL_BUILD) && PA_BUILDFLAG(IS_DEBUG)
 #error "Debug builds are not expected to be optimized as official builds."
-#endif  // defined(OFFICIAL_BUILD) && !defined(NDEBUG)
+#endif  // defined(OFFICIAL_BUILD) && BUILDFLAG(IS_DEBUG)
 
 #if defined(OFFICIAL_BUILD) && !PA_BUILDFLAG(DCHECKS_ARE_ON)
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/compiler_specific.h

@@ -6,90 +6,168 @@
 #define PARTITION_ALLOC_PARTITION_ALLOC_BASE_COMPILER_SPECIFIC_H_
 
 #include "partition_alloc/build_config.h"
+#include "partition_alloc/buildflags.h"
 
-// A wrapper around `__has_cpp_attribute`.
+// A wrapper around `__has_cpp_attribute()`, which is in C++20 and thus not yet
+// available for all targets PA supports (since PA's minimum C++ version is 17).
+// This works similarly to `PA_HAS_ATTRIBUTE()` below, in that where it's
+// unavailable it will map to `0`.
 #if defined(__has_cpp_attribute)
 #define PA_HAS_CPP_ATTRIBUTE(x) __has_cpp_attribute(x)
 #else
 #define PA_HAS_CPP_ATTRIBUTE(x) 0
 #endif
 
-// A wrapper around `__has_attribute`, similar to PA_HAS_CPP_ATTRIBUTE.
+// A wrapper around `__has_attribute()`, which is similar to the C++20-standard
+// `__has_cpp_attribute()`, but tests for support for `__attribute__(())`s.
+// Compilers that do not support this (e.g. MSVC) are also assumed not to
+// support `__attribute__`, so this is simply mapped to `0` there.
+//
+// See also:
+//   https://clang.llvm.org/docs/LanguageExtensions.html#has-attribute
 #if defined(__has_attribute)
 #define PA_HAS_ATTRIBUTE(x) __has_attribute(x)
 #else
 #define PA_HAS_ATTRIBUTE(x) 0
 #endif
 
-// A wrapper around `__has_builtin`, similar to PA_HAS_CPP_ATTRIBUTE.
+// A wrapper around `__has_builtin`, similar to `PA_HAS_ATTRIBUTE()`.
+//
+// See also:
+//   https://clang.llvm.org/docs/LanguageExtensions.html#has-builtin
 #if defined(__has_builtin)
 #define PA_HAS_BUILTIN(x) __has_builtin(x)
 #else
 #define PA_HAS_BUILTIN(x) 0
 #endif
 
-// Annotate a function indicating it should not be inlined.
+// A wrapper around `__has_feature`, similar to `PA_HAS_ATTRIBUTE()`.
-// Use like:
+//
-//   NOINLINE void DoStuff() { ... }
+// See also:
-#if defined(__clang__) && PA_HAS_ATTRIBUTE(noinline)
+//   https://clang.llvm.org/docs/LanguageExtensions.html#has-feature-and-has-extension
-#define PA_NOINLINE [[clang::noinline]]
+#if defined(__has_feature)
-#elif PA_BUILDFLAG(PA_COMPILER_GCC) && PA_HAS_ATTRIBUTE(noinline)
+#define PA_HAS_FEATURE(FEATURE) __has_feature(FEATURE)
-#define PA_NOINLINE __attribute__((noinline))
+#else
-#elif PA_BUILDFLAG(PA_COMPILER_MSVC)
+#define PA_HAS_FEATURE(FEATURE) 0
-#define PA_NOINLINE __declspec(noinline)
+#endif
+
+// Annotates a function indicating it should not be inlined.
+//
+// Note that this may still fail to preserve function calls in the most trivial
+// cases, due to optimizations like constant folding; see
+// https://stackoverflow.com/questions/54481855/clang-ignoring-attribute-noinline/54482070#54482070.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#noinline
+//
+// Usage:
+// ```
+//   PA_NOINLINE void Func() {
+//     // This body will not be inlined into callers.
+//   }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(gnu::noinline)
+#define PA_NOINLINE [[gnu::noinline]]
+#elif PA_HAS_CPP_ATTRIBUTE(msvc::noinline)
+#define PA_NOINLINE [[msvc::noinline]]
 #else
 #define PA_NOINLINE
 #endif
 
-#if defined(__clang__) && defined(NDEBUG) && PA_HAS_ATTRIBUTE(always_inline)
+// Annotates a function indicating it should always be inlined.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#always-inline-force-inline
+//
+// Usage:
+// ```
+//   PA_ALWAYS_INLINE void Func() {
+//     // This body will be inlined into callers whenever possible.
+//   }
+// ```
+//
+// Since `ALWAYS_INLINE` is performance-oriented but can hamper debugging,
+// ignore it in debug mode.
+#if !PA_BUILDFLAG(IS_DEBUG)
+#if PA_HAS_CPP_ATTRIBUTE(clang::always_inline)
 #define PA_ALWAYS_INLINE [[clang::always_inline]] inline
-#elif PA_BUILDFLAG(PA_COMPILER_GCC) && defined(NDEBUG) && \
+#elif PA_HAS_CPP_ATTRIBUTE(gnu::always_inline)
-    PA_HAS_ATTRIBUTE(always_inline)
+#define PA_ALWAYS_INLINE [[gnu::always_inline]] inline
-#define PA_ALWAYS_INLINE inline __attribute__((__always_inline__))
+#elif defined(PA_COMPILER_MSVC)
-#elif PA_BUILDFLAG(PA_COMPILER_MSVC) && defined(NDEBUG)
 #define PA_ALWAYS_INLINE __forceinline
-#else
+#endif
+#endif  // !PA_BUILDFLAG(IS_DEBUG)
+#if !defined(PA_ALWAYS_INLINE)
 #define PA_ALWAYS_INLINE inline
 #endif
 
-// Annotate a function indicating it should never be tail called. Useful to make
+// Annotates a function indicating it should never be tail called. Useful to
-// sure callers of the annotated function are never omitted from call-stacks.
+// make sure callers of the annotated function are never omitted from call
-// To provide the complementary behavior (prevent the annotated function from
+// stacks. Often useful with `PA_NOINLINE` to make sure the function itself is
-// being omitted) look at NOINLINE. Also note that this doesn't prevent code
+// also not omitted from call stacks. Note: this does not prevent code folding
-// folding of multiple identical caller functions into a single signature. To
+// of multiple identical callers into a single signature; to do that, see
-// prevent code folding, see NO_CODE_FOLDING() in base/debug/alias.h.
+// `PA_NO_CODE_FOLDING()` in partition_alloc_base/debug/alias.h.
-// Use like:
+//
-//   void NOT_TAIL_CALLED FooBar();
+// See also:
-#if defined(__clang__) && PA_HAS_ATTRIBUTE(not_tail_called)
+//   https://clang.llvm.org/docs/AttributeReference.html#not-tail-called
+//
+// Usage:
+// ```
+//   // Calls to this method will not be tail calls.
+//   PA_NOT_TAIL_CALLED void Func();
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::not_tail_called)
 #define PA_NOT_TAIL_CALLED [[clang::not_tail_called]]
 #else
 #define PA_NOT_TAIL_CALLED
 #endif
 
-// Annotate a function indicating it must be tail called.
+// Annotates a return statement indicating the compiler must convert it to a
-// Can be used only on return statements, even for functions returning void.
+// tail call. Can be used only on return statements, even for functions
-// Caller and callee must have the same number of arguments and its types must
+// returning void. Caller and callee must have the same number of arguments and
-// be "similar".
+// the argument types must be "similar". While the compiler may automatically
-#if defined(__clang__) && PA_HAS_ATTRIBUTE(musttail)
+// convert compatible calls to tail calls when optimizing, this annotation
+// requires it to occur if doing so is valid, and will not compile otherwise.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#musttail
+//
+// Usage:
+// ```
+//   int Func1(double);
+//   int Func2(double d) {
+//     PA_MUSTTAIL return Func1(d + 1);  // `Func1()` will be tail-called.
+//   }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::musttail) && !defined(__MIPSEL__)
 #define PA_MUSTTAIL [[clang::musttail]]
 #else
 #define PA_MUSTTAIL
 #endif
 
-// In case the compiler supports it PA_NO_UNIQUE_ADDRESS evaluates to the C++20
+// Annotates a data member indicating it need not have an address distinct from
-// attribute [[no_unique_address]]. This allows annotating data members so that
+// all other non-static data members of the class, and its tail padding may be
-// they need not have an address distinct from all other non-static data members
+// used for other objects' storage. This can have subtle and dangerous effects,
-// of its class.
+// including on containing objects; use with caution.
+//
+// See also:
+//   https://en.cppreference.com/w/cpp/language/attributes/no_unique_address
+//   https://wg21.link/dcl.attr.nouniqueaddr
+// Usage:
+// ```
+//   // In the following struct, `t` might not have a unique address from `i`,
+//   // and `t`'s tail padding (if any) may be reused by subsequent objects.
+//   struct S {
+//     int i;
+//     PA_NO_UNIQUE_ADDRESS T t;
+//   };
+// ```
 //
-// References:
-// * https://en.cppreference.com/w/cpp/language/attributes/no_unique_address
-// * https://wg21.link/dcl.attr.nouniqueaddr
-#if PA_BUILDFLAG(PA_COMPILER_MSVC) && \
-    PA_HAS_CPP_ATTRIBUTE(msvc::no_unique_address)
 // Unfortunately MSVC ignores [[no_unique_address]] (see
 // https://devblogs.microsoft.com/cppblog/msvc-cpp20-and-the-std-cpp20-switch/#msvc-extensions-and-abi),
 // and clang-cl matches it for ABI compatibility reasons. We need to prefer
 // [[msvc::no_unique_address]] when available if we actually want any effect.
+#if PA_HAS_CPP_ATTRIBUTE(msvc::no_unique_address)
 #define PA_NO_UNIQUE_ADDRESS [[msvc::no_unique_address]]
 #elif PA_HAS_CPP_ATTRIBUTE(no_unique_address)
 #define PA_NO_UNIQUE_ADDRESS [[no_unique_address]]
@@ -97,176 +175,305 @@
 #define PA_NO_UNIQUE_ADDRESS
 #endif
 
-// Tells the compiler a function is using a printf-style format string.
+// Annotates a function indicating it takes a `printf()`-style format string.
-// |format_param| is the one-based index of the format string parameter;
+// The compiler will check that the provided arguments match the type specifiers
-// |dots_param| is the one-based index of the "..." parameter.
+// in the format string. Useful to detect mismatched format strings/args.
-// For v*printf functions (which take a va_list), pass 0 for dots_param.
+//
-// (This is undocumented but matches what the system C headers do.)
+// `format_param` is the one-based index of the format string parameter;
-// For member functions, the implicit this parameter counts as index 1.
+// `dots_param` is the one-based index of the "..." parameter.
-#if (PA_BUILDFLAG(PA_COMPILER_GCC) || defined(__clang__)) && \
+// For `v*printf()` functions (which take a `va_list`), `dots_param` should be
-    PA_HAS_ATTRIBUTE(format)
+// 0. For member functions, the implicit `this` parameter is at index 1.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#format
+//   https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-format-function-attribute
+//
+// Usage:
+// ```
+//   PA_PRINTF_FORMAT(1, 2)
+//   void Print(const char* format, ...);
+//   void Func() {
+//     // The following call will not compile; diagnosed as format and argument
+//     // types mismatching.
+//     Print("%s", 1);
+//   }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(gnu::format)
 #define PA_PRINTF_FORMAT(format_param, dots_param) \
-  __attribute__((format(printf, format_param, dots_param)))
+  [[gnu::format(printf, format_param, dots_param)]]
 #else
 #define PA_PRINTF_FORMAT(format_param, dots_param)
 #endif
 
-// Sanitizers annotations.
+// Annotates a function disabling the named sanitizer within its body.
-#if PA_HAS_ATTRIBUTE(no_sanitize)
+//
-#define PA_NO_SANITIZE(what) __attribute__((no_sanitize(what)))
+// See also:
-#endif
+//   https://clang.llvm.org/docs/AttributeReference.html#no-sanitize
-#if !defined(PA_NO_SANITIZE)
+//   https://clang.llvm.org/docs/UsersManual.html#controlling-code-generation
-#define PA_NO_SANITIZE(what)
+//
+// Usage:
+// ```
+//   PA_NO_SANITIZE("cfi-icall") void Func() {
+//     // CFI indirect call checks will not be performed in this body.
+//   }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::no_sanitize)
+#define PA_NO_SANITIZE(sanitizer) [[clang::no_sanitize(sanitizer)]]
+#else
+#define PA_NO_SANITIZE(sanitizer)
 #endif
 
-// MemorySanitizer annotations.
+// Annotates a pointer and size directing MSAN to treat that memory region as
+// fully initialized. Useful for e.g. code that deliberately reads uninitialized
+// data, such as a GC scavenging root set pointers from the stack.
+//
+// See also:
+//   https://github.com/google/sanitizers/wiki/MemorySanitizer
+//
+// Usage:
+// ```
+//   T* ptr = ...;
+//   // After the next statement, MSAN will assume `ptr` points to an
+//   // initialized `T`.
+//   PA_MSAN_UNPOISON(ptr, sizeof(T));
+// ```
 #if defined(MEMORY_SANITIZER)
 #include <sanitizer/msan_interface.h>
-
-// Mark a memory region fully initialized.
-// Use this to annotate code that deliberately reads uninitialized data, for
-// example a GC scavenging root set pointers from the stack.
 #define PA_MSAN_UNPOISON(p, size) __msan_unpoison(p, size)
-#else  // MEMORY_SANITIZER
-#define PA_MSAN_UNPOISON(p, size)
-#endif  // MEMORY_SANITIZER
-
-// Compiler feature-detection.
-// clang.llvm.org/docs/LanguageExtensions.html#has-feature-and-has-extension
-#if defined(__has_feature)
-#define PA_HAS_FEATURE(FEATURE) __has_feature(FEATURE)
 #else
-#define PA_HAS_FEATURE(FEATURE) 0
+#define PA_MSAN_UNPOISON(p, size)
 #endif
 
-// The ANALYZER_ASSUME_TRUE(bool arg) macro adds compiler-specific hints
+// Annotates a codepath suppressing static analysis along that path. Useful when
-// to Clang which control what code paths are statically analyzed,
+// code is safe in practice for reasons the analyzer can't detect, e.g. because
-// and is meant to be used in conjunction with assert & assert-like functions.
+// the condition leading to that path guarantees a param is non-null.
-// The expression is passed straight through if analysis isn't enabled.
 //
-// ANALYZER_SKIP_THIS_PATH() suppresses static analysis for the current
+// Usage:
-// codepath and any other branching codepaths that might follow.
+// ```
+//   if (cond) {
+//     PA_ANALYZER_SKIP_THIS_PATH();
+//     // Static analysis will be disabled for the remainder of this block.
+//     delete ptr;
+//   }
+// ```
 #if defined(__clang_analyzer__)
-
 namespace partition_alloc::internal {
-
+inline constexpr bool AnalyzerNoReturn()
-inline constexpr bool AnalyzerNoReturn() __attribute__((analyzer_noreturn)) {
+#if PA_HAS_ATTRIBUTE(analyzer_noreturn)
+    __attribute__((analyzer_noreturn))
+#endif
+{
   return false;
 }
-
-inline constexpr bool AnalyzerAssumeTrue(bool arg) {
-  // PartitionAllocAnalyzerNoReturn() is invoked and analysis is terminated if
-  // |arg| is false.
-  return arg || AnalyzerNoReturn();
-}
-
 }  // namespace partition_alloc::internal
-
-#define PA_ANALYZER_ASSUME_TRUE(arg) \
-  ::partition_alloc::internal::AnalyzerAssumeTrue(!!(arg))
 #define PA_ANALYZER_SKIP_THIS_PATH() \
   static_cast<void>(::partition_alloc::internal::AnalyzerNoReturn())
-
+#else
-#else  // !defined(__clang_analyzer__)
+// The above definition would be safe even outside the analyzer, but defining
-
+// the macro away entirely avoids the need for the optimizer to eliminate it.
-#define PA_ANALYZER_ASSUME_TRUE(arg) (arg)
 #define PA_ANALYZER_SKIP_THIS_PATH()
+#endif
 
-#endif  // defined(__clang_analyzer__)
+// Annotates a condition directing static analysis to assume it is always true.
+// Evaluates to the provided `arg` as a `bool`.
+//
+// Usage:
+// ```
+//   // Static analysis will assume the following condition always holds.
+//   if (PA_ANALYZER_ASSUME_TRUE(cond)) ...
+// ```
+#if defined(__clang_analyzer__)
+namespace partition_alloc::internal {
+inline constexpr bool AnalyzerAssumeTrue(bool arg) {
+  return arg || AnalyzerNoReturn();
+}
+}  // namespace partition_alloc::internal
+#define PA_ANALYZER_ASSUME_TRUE(arg) \
+  ::partition_alloc::internal::AnalyzerAssumeTrue(!!(arg))
+#else
+// Again, the above definition is safe, this is just simpler for the optimizer.
+#define PA_ANALYZER_ASSUME_TRUE(arg) (arg)
+#endif
 
-// Use nomerge attribute to disable optimization of merging multiple same calls.
+// Annotates a function, function pointer, or statement to disallow
-#if defined(__clang__) && PA_HAS_ATTRIBUTE(nomerge)
+// optimizations that merge calls. Useful to ensure the source locations of such
+// calls are not obscured.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#nomerge
+//
+// Usage:
+// ```
+//   PA_NOMERGE void Func();  // No direct calls to `Func()` will be merged.
+//
+//   using Ptr = decltype(&Func);
+//   PA_NOMERGE Ptr ptr = &Func;  // No calls through `ptr` will be merged.
+//
+//   PA_NOMERGE if (cond) {
+//     // No calls in this block will be merged.
+//   }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::nomerge)
 #define PA_NOMERGE [[clang::nomerge]]
 #else
 #define PA_NOMERGE
 #endif
 
-// Marks a type as being eligible for the "trivial" ABI despite having a
+// Annotates a type as being suitable for passing in registers despite having a
-// non-trivial destructor or copy/move constructor. Such types can be relocated
+// non-trivial copy or move constructor or destructor. This requires the type
-// after construction by simply copying their memory, which makes them eligible
+// not be concerned about its address remaining constant, be safely usable after
-// to be passed in registers. The canonical example is std::unique_ptr.
+// copying its memory, and have a destructor that may be safely omitted on
+// moved-from instances; an example is `std::unique_ptr`. Unnecessary if the
+// copy/move constructor(s) and destructor are unconditionally trivial; likely
+// ineffective if the type is too large to be passed in one or two registers
+// with the target ABI. However, annotating a type this way will also cause
+// `IS_TRIVIALLY_RELOCATABLE()` to return true for that type, and so may be
+// desirable even for large types, if they are placed in containers that
+// optimize based on that check.
 //
-// Use with caution; this has some subtle effects on constructor/destructor
+// NOTE: Use with caution; this has subtle effects on constructor/destructor
-// ordering and will be very incorrect if the type relies on its address
+// ordering. When used with types passed or returned by value, values may be
-// remaining constant. When used as a function argument (by value), the value
+// constructed in the source stack frame, passed in a register, and then used
-// may be constructed in the caller's stack frame, passed in a register, and
+// and destroyed in the target stack frame.
-// then used and destructed in the callee's stack frame. A similar thing can
-// occur when values are returned.
-//
-// TRIVIAL_ABI is not needed for types which have a trivial destructor and
-// copy/move constructors, such as base::TimeTicks and other POD.
-//
-// It is also not likely to be effective on types too large to be passed in one
-// or two registers on typical target ABIs.
 //
 // See also:
 //   https://clang.llvm.org/docs/AttributeReference.html#trivial-abi
 //   https://libcxx.llvm.org/docs/DesignDocs/UniquePtrTrivialAbi.html
-#if defined(__clang__) && PA_HAS_ATTRIBUTE(trivial_abi)
+//
+// Usage:
+// ```
+//   // Instances of type `S` will be eligible to be passed in registers despite
+//   // `S`'s nontrivial destructor.
+//   struct PA_TRIVIAL_ABI S { ~S(); }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::trivial_abi)
 #define PA_TRIVIAL_ABI [[clang::trivial_abi]]
 #else
 #define PA_TRIVIAL_ABI
 #endif
 
-// Requires constant initialization. See constinit in C++20. Allows to rely on a
+// Makes C++20's `constinit` functionality available even pre-C++20, by falling
-// variable being initialized before execution, and not requiring a global
+// back to a custom attribute.
-// constructor.
+// TODO(crbug.com/365046216): Use `constinit` directly when C++20 is available
-#if PA_HAS_ATTRIBUTE(require_constant_initialization)
+// and all usage sites have been reordered to be compatible with doing so.
-#define PA_CONSTINIT __attribute__((require_constant_initialization))
+//
-#endif
+// See also:
-#if !defined(PA_CONSTINIT)
+//   https://clang.llvm.org/docs/AttributeReference.html#require-constant-initialization-constinit-c-20
+//
+// Usage:
+// ```
+// struct S {
+//   constexpr S() = default;
+//   S(int) {}
+// };
+//
+// // Compiles (constant initialization via `constexpr` default constructor).
+// PA_CONSTINIT S s0;
+//
+// // Will not compile; diagnosed as usage of non-constexpr constructor in a
+// // constant expression.
+// PA_CONSTINIT S s1(1);
+//
+// // Compiles (non-constant initialization via non-`constexpr` constructor).
+// S s2(2);
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::require_constant_initialization)
+#define PA_CONSTINIT [[clang::require_constant_initialization]]
+#else
 #define PA_CONSTINIT
 #endif
 
-#if defined(__clang__)
+// Annotates a type as holding a pointer into an owner object (an appropriate
+// STL or `[[gsl::Owner]]`-annotated type). If an instance of the pointer type
+// is constructed from an instance of the owner type, and the owner instance is
+// destroyed, the pointer instance is considered to be dangling. Useful to
+// diagnose some cases of lifetime errors.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#pointer
+//
+// Usage:
+// ```
+//  struct [[gsl::Owner]] T {};
+//  struct PA_GSL_POINTER S {
+//    S(const T&);
+//  };
+//  S Func() {
+//    // The following return will not compile; diagnosed as returning address
+//    // of local temporary.
+//    return S(T());
+//  }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(gsl::Pointer)
 #define PA_GSL_POINTER [[gsl::Pointer]]
 #else
 #define PA_GSL_POINTER
 #endif
 
-// Constexpr destructors were introduced in C++20. PartitionAlloc's minimum
+// Annotates a destructor marking it `constexpr` only if the language supports
-// supported C++ version is C++17.
+// it (C++20 and onward).
+//
+// Usage:
+// ```
+//  struct S {
+//    PA_CONSTEXPR_DTOR ~S() {}  // N.B.: Compiles even pre-C++20
+//  };
+//  // The following declaration will only compile in C++20; diagnosed as an
+//  // invalid constexpr variable of non-literal type otherwise.
+//  constexpr S s;
+// ```
 #if defined(__cpp_constexpr) && __cpp_constexpr >= 201907L
 #define PA_CONSTEXPR_DTOR constexpr
 #else
 #define PA_CONSTEXPR_DTOR
 #endif
 
-// PA_LIFETIME_BOUND indicates that a resource owned by a function parameter or
+// Annotates a pointer or reference parameter or return value for a member
-// implicit object parameter is retained by the return value of the annotated
+// function as having lifetime intertwined with the instance on which the
-// function (or, for a parameter of a constructor, in the value of the
+// function is called. For parameters, the function is assumed to store the
-// constructed object). This attribute causes warnings to be produced if a
+// value into the called-on object, so if the referred-to object is later
-// temporary object does not live long enough.
+// destroyed, the called-on object is also considered to be dangling. For return
+// values, the value is assumed to point into the called-on object, so if that
+// object is destroyed, the returned value is also considered to be dangling.
+// Useful to diagnose some cases of lifetime errors.
 //
-// When applied to a reference parameter, the referenced object is assumed to be
+// See also:
-// retained by the return value of the function. When applied to a non-reference
+//   https://clang.llvm.org/docs/AttributeReference.html#lifetimebound
-// parameter (for example, a pointer or a class type), all temporaries
-// referenced by the parameter are assumed to be retained by the return value of
-// the function.
 //
-// See also the upstream documentation:
+// Usage:
-// https://clang.llvm.org/docs/AttributeReference.html#lifetimebound
+// ```
-//
+//   struct S {
-// This attribute is based on `ABSL_ATTRIBUTE_LIFETIME_BOUND`, but:
+//      S(int* p PA_LIFETIME_BOUND);
-// * A separate definition is provided to avoid PartitionAlloc => Abseil
+//      int* Get() PA_LIFETIME_BOUND;
-//   dependency
+//   };
-// * The definition is tweaked to avoid `__attribute__(lifetime))` because it
+//   S Func1() {
-//   can't be applied in the same places as `[[clang::lifetimebound]]`.  In
+//     int i = 0;
-//   particular `operator T*&() && __attribute__(lifetime))` fails to compile on
+//     // The following return will not compile; diagnosed as returning address
-//   `clang` with the following error: 'lifetimebound' attribute only applies to
+//     // of a stack object.
-//   parameters and implicit object parameters
+//     return S(&i);
+//   }
+//   int* Func2(int* p) {
+//     // The following return will not compile; diagnosed as returning address
+//     // of a local temporary.
+//     return S(p).Get();
+//   }
+// ```
 #if PA_HAS_CPP_ATTRIBUTE(clang::lifetimebound)
 #define PA_LIFETIME_BOUND [[clang::lifetimebound]]
 #else
 #define PA_LIFETIME_BOUND
 #endif
 
-// Clang instrumentation may allocate, leading to reentrancy in the allocator,
+// Annotates a function disabling PGO profiling. This may be necessary to avoid
-// and crashes when generating a PGO profile. This attribute disables profiling
+// runtime crashes due to re-entrancy when allocator functions are instrumented
-// for a function.
+// for PGO profiling and the instrumentation attempts to allocate.
 //
-// See
+// See also:
-// https://clang.llvm.org/docs/AttributeReference.html#no-profile-instrument-function
+//   https://clang.llvm.org/docs/AttributeReference.html#no-profile-instrument-function
+//
+// Usage:
+// ```
+// ```
 #if PA_HAS_CPP_ATTRIBUTE(gnu::no_profile_instrument_function)
 #define PA_NOPROFILE [[gnu::no_profile_instrument_function]]
 #else

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/cpu.cc

@@ -97,7 +97,7 @@ uint64_t xgetbv(uint32_t xcr) {
 
 void CPU::Initialize() {
 #if PA_BUILDFLAG(PA_ARCH_CPU_X86_FAMILY)
-  int cpu_info[4] = {-1};
+  int cpu_info[4] = {-1, 0, 0, 0};
 
   // __cpuid with an InfoType argument of 0 returns the number of
   // valid Ids in CPUInfo[0] and the CPU identification string in
@@ -112,7 +112,7 @@ void CPU::Initialize() {
 
   // Interpret CPU feature information.
   if (num_ids > 0) {
-    int cpu_info7[4] = {0};
+    int cpu_info7[4] = {};
     __cpuid(cpu_info, 1);
     if (num_ids >= 7) {
       __cpuid(cpu_info7, 7);

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/debug/alias.h

@@ -35,7 +35,7 @@ namespace partition_alloc::internal::base::debug {
 //   strncpy(name_copy, p->name, sizeof(name_copy)-1);
 //   name_copy[sizeof(name_copy)-1] = '\0';;
 //   base::debug::alias(name_copy);
-//   CHECK(false);
+//   NOTREACHED();
 //
 // Case #2: Prevent a tail call into a function. This is useful to make sure the
 // function containing the call to base::debug::Alias() will be present in the

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/files/platform_file.h

@@ -0,0 +1,39 @@
+// Copyright 2017 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef PARTITION_ALLOC_PARTITION_ALLOC_BASE_FILES_PLATFORM_FILE_H_
+#define PARTITION_ALLOC_PARTITION_ALLOC_BASE_FILES_PLATFORM_FILE_H_
+
+#include "partition_alloc/build_config.h"
+
+#if PA_BUILDFLAG(IS_WIN)
+#include "partition_alloc/partition_alloc_base/win/windows_types.h"
+#endif
+
+// This file defines platform-independent types for dealing with
+// platform-dependent files. If possible, use the higher-level base::File class
+// rather than these primitives.
+
+namespace partition_alloc::internal::base {
+
+#if PA_BUILDFLAG(IS_WIN)
+
+using PlatformFile = HANDLE;
+
+// It would be nice to make this constexpr but INVALID_HANDLE_VALUE is a
+// ((void*)(-1)) which Clang rejects since reinterpret_cast is technically
+// disallowed in constexpr. Visual Studio accepts this, however.
+const PlatformFile kInvalidPlatformFile = INVALID_HANDLE_VALUE;
+
+#elif PA_BUILDFLAG(IS_POSIX) || PA_BUILDFLAG(IS_FUCHSIA)
+
+using PlatformFile = int;
+
+inline constexpr PlatformFile kInvalidPlatformFile = -1;
+
+#endif
+
+}  // namespace partition_alloc::internal::base
+
+#endif  // PARTITION_ALLOC_PARTITION_ALLOC_BASE_FILES_PLATFORM_FILE_H_

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/numerics/safe_conversions_impl.h

@@ -9,6 +9,8 @@
 #include <limits>
 #include <type_traits>
 
+#include "partition_alloc/buildflags.h"
+
 namespace partition_alloc::internal::base::internal {
 
 // The std library doesn't provide a binary max_exponent for integers, however
@@ -83,13 +85,13 @@ constexpr typename std::make_unsigned<T>::type SafeUnsignedAbs(T value) {
 // TODO(jschuh): Debug builds don't reliably propagate constants, so we restrict
 // some accelerated runtime paths to release builds until this can be forced
 // with consteval support in C++20 or C++23.
-#if defined(NDEBUG)
+#if PA_BUILDFLAG(IS_DEBUG)
-constexpr bool kEnableAsmCode = true;
+inline constexpr bool kEnableAsmCode = false;
 #else
-constexpr bool kEnableAsmCode = false;
+inline constexpr bool kEnableAsmCode = true;
 #endif
 
-// Forces a crash, like a CHECK(false). Used for numeric boundary errors.
+// Forces a crash, like a NOTREACHED(). Used for numeric boundary errors.
 // Also used in a constexpr template to trigger a compilation failure on
 // an error condition.
 struct CheckOnFailure {

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/posix/eintr_wrapper.h

@@ -18,6 +18,7 @@
 #define PARTITION_ALLOC_PARTITION_ALLOC_BASE_POSIX_EINTR_WRAPPER_H_
 
 #include "partition_alloc/build_config.h"
+#include "partition_alloc/buildflags.h"
 
 #if PA_BUILDFLAG(IS_POSIX)
 #include <cerrno>
@@ -31,7 +32,7 @@ template <typename Fn>
 inline auto WrapEINTR(Fn fn) {
   return [fn](auto&&... args) {
     int out = -1;
-#if defined(NDEBUG)
+#if !PA_BUILDFLAG(IS_DEBUG)
     while (true)
 #else
     for (int retry_count = 0; retry_count < 100; ++retry_count)

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/strings/cstring_builder.h

@@ -7,13 +7,8 @@
 
 #include <cstddef>
 
-#include "partition_alloc/build_config.h"
 #include "partition_alloc/partition_alloc_base/component_export.h"
 
-#if !PA_BUILDFLAG(IS_WIN)
-#include <unistd.h>
-#endif
-
 namespace partition_alloc::internal::base::strings {
 
 // Similar to std::ostringstream, but creates a C string, i.e. nul-terminated

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/strings/safe_sprintf.cc

@@ -10,8 +10,9 @@
 #include <limits>
 
 #include "partition_alloc/build_config.h"
+#include "partition_alloc/buildflags.h"
 
-#if !defined(NDEBUG)
+#if PA_BUILDFLAG(IS_DEBUG)
 // In debug builds, we use RAW_CHECK() to print useful error messages, if
 // SafeSPrintf() is called with broken arguments.
 // As our contract promises that SafeSPrintf() can be called from any
@@ -41,7 +42,7 @@
     if (x) {           \
     }                  \
   } while (0)
-#endif
+#endif  // PA_BUILDFLAG(IS_DEBUG)
 
 namespace partition_alloc::internal::base::strings {
 
@@ -74,7 +75,7 @@ const char kUpCaseHexDigits[] = "0123456789ABCDEF";
 const char kDownCaseHexDigits[] = "0123456789abcdef";
 }  // namespace
 
-#if defined(NDEBUG)
+#if !PA_BUILDFLAG(IS_DEBUG)
 // We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(),
 // but C++ doesn't allow us to do that for constants. Instead, we have to
 // use careful casting and shifting. We later use a static_assert to
@@ -82,7 +83,7 @@ const char kDownCaseHexDigits[] = "0123456789abcdef";
 namespace {
 const size_t kSSizeMax = kSSizeMaxConst;
 }
-#else   // defined(NDEBUG)
+#else   // !PA_BUILDFLAG(IS_DEBUG)
 // For efficiency, we really need kSSizeMax to be a constant. But for unit
 // tests, it should be adjustable. This allows us to verify edge cases without
 // having to fill the entire available address space. As a compromise, we make
@@ -101,7 +102,7 @@ size_t GetSafeSPrintfSSizeMaxForTest() {
   return kSSizeMax;
 }
 }  // namespace internal
-#endif  // defined(NDEBUG)
+#endif  // !PA_BUILDFLAG(IS_DEBUG)
 
 namespace {
 class Buffer {
@@ -111,10 +112,7 @@ class Buffer {
   // to ensure that the buffer is at least one byte in size, so that it fits
   // the trailing NUL that will be added by the destructor. The buffer also
   // must be smaller or equal to kSSizeMax in size.
-  Buffer(char* buffer, size_t size)
+  Buffer(char* buffer, size_t size) : buffer_(buffer), size_(size - 1) {
-      : buffer_(buffer),
-        size_(size - 1),  // Account for trailing NUL byte
-        count_(0) {
 // MSVS2013's standard library doesn't mark max() as constexpr yet. cl.exe
 // supports static_cast but doesn't really implement constexpr yet so it doesn't
 // complain, but clang does.
@@ -276,7 +274,7 @@ class Buffer {
   // Number of bytes that would have been emitted to the buffer, if the buffer
   // was sufficiently big. This number always excludes the trailing NUL byte
   // and it is guaranteed to never grow bigger than kSSizeMax-1.
-  size_t count_;
+  size_t count_ = 0;
 };
 
 bool Buffer::IToASCII(bool sign,

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/threading/platform_thread_posix.cc

@@ -20,6 +20,7 @@
 
 #if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
 #include <sys/syscall.h>
+
 #include <atomic>
 #endif
 
@@ -27,6 +28,10 @@
 #include <zircon/process.h>
 #endif
 
+#if defined(__MUSL__)
+#include "partition_alloc/shim/allocator_shim.h"
+#endif
+
 namespace partition_alloc::internal::base {
 
 #if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
@@ -58,7 +63,22 @@ thread_local bool g_is_main_thread = true;
 class InitAtFork {
  public:
   InitAtFork() {
+#if defined(__MUSL__)
+    allocator_shim::AllocatorDispatch d =
+        *allocator_shim::GetAllocatorDispatchChainHeadForTesting();
+    d.alloc_function = +[](size_t size, void*) -> void* {
+      // The size of the scratch fits struct atfork_funcs in Musl pthread_atfork.c.
+      static char scratch[5 * sizeof(void*)];
+      return size != sizeof(scratch) ? nullptr : scratch;
+    };
+    allocator_shim::InsertAllocatorDispatch(&d);
+#endif
+
     pthread_atfork(nullptr, nullptr, internal::InvalidateTidCache);
+
+#if defined(__MUSL__)
+    allocator_shim::RemoveAllocatorDispatchForTesting(&d);
+#endif
   }
 };
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/threading/platform_thread_win_for_testing.cc

@@ -132,7 +132,6 @@ bool CreateThreadInternal(size_t stack_size,
       case ERROR_COMMITMENT_LIMIT:
       case ERROR_COMMITMENT_MINIMUM:
         TerminateBecauseOutOfMemory(stack_size);
-        break;
 
       default:
         break;

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/time/time.cc

@@ -248,7 +248,7 @@ TimeTicks TimeTicks::Now() {
 
 // static
 TimeTicks TimeTicks::UnixEpoch() {
-  static const TimeTicks epoch([]() {
+  static const TimeTicks epoch([] {
     return subtle::TimeTicksNowIgnoringOverride() -
            (subtle::TimeNowIgnoringOverride() - Time::UnixEpoch());
   }());

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/time/time_apple.mm

@@ -31,7 +31,7 @@ namespace {
 
 // Returns a pointer to the initialized Mach timebase info struct.
 mach_timebase_info_data_t* MachTimebaseInfo() {
-  static mach_timebase_info_data_t timebase_info = []() {
+  static mach_timebase_info_data_t timebase_info = [] {
     mach_timebase_info_data_t info;
     kern_return_t kr = mach_timebase_info(&info);
     PA_BASE_DCHECK(kr == KERN_SUCCESS) << "mach_timebase_info";

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/time/time_win.cc

@@ -7,8 +7,9 @@
 // A good article:  http://www.ddj.com/windows/184416651
 // A good mozilla bug:  http://bugzilla.mozilla.org/show_bug.cgi?id=363258
 //
-// The default windows timer, GetSystemTimeAsFileTime is not very precise.
+// The default windows timer, GetSystemTimePreciseAsFileTime is quite precise.
-// It is only good to ~15.5ms.
+// However it is not always fast on some hardware and is slower than the
+// performance counters.
 //
 // QueryPerformanceCounter is the logical choice for a high-precision timer.
 // However, it is known to be buggy on some hardware.  Specifically, it can
@@ -77,7 +78,7 @@ FILETIME MicrosecondsToFileTime(int64_t us) {
 
 int64_t CurrentWallclockMicroseconds() {
   FILETIME ft;
-  ::GetSystemTimeAsFileTime(&ft);
+  ::GetSystemTimePreciseAsFileTime(&ft);
   return FileTimeToMicroseconds(ft);
 }
 
@@ -113,8 +114,8 @@ Time TimeNowIgnoringOverride() {
   }
 
   // We implement time using the high-resolution timers so that we can get
-  // timeouts which are smaller than 10-15ms.  If we just used
+  // timeouts which likely are smaller than those if we just used
-  // CurrentWallclockMicroseconds(), we'd have the less-granular timer.
+  // CurrentWallclockMicroseconds().
   //
   // To make this work, we initialize the clock (g_initial_time) and the
   // counter (initial_ctr).  To compute the initial time, we can check

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/types/same_as_any.h

@@ -0,0 +1,19 @@
+// Copyright 2024 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef PARTITION_ALLOC_PARTITION_ALLOC_BASE_TYPES_SAME_AS_ANY_H_
+#define PARTITION_ALLOC_PARTITION_ALLOC_BASE_TYPES_SAME_AS_ANY_H_
+
+#include <type_traits>
+
+namespace partition_alloc::internal::base {
+
+// True when `T` is any of the subsequent types.
+// TODO(crbug.com/344963951): Switch to a concept when C++20 is allowed.
+template <typename T, typename... Ts>
+inline constexpr bool kSameAsAny = (std::is_same_v<T, Ts> || ...);
+
+}  // namespace partition_alloc::internal::base
+
+#endif  // PARTITION_ALLOC_PARTITION_ALLOC_BASE_TYPES_SAME_AS_ANY_H_

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/win/windows_types.h

@@ -10,6 +10,7 @@
 
 // Needed for function prototypes.
 #include <specstrings.h>
+
 #include <cstdint>
 
 #ifdef __cplusplus
@@ -41,6 +42,11 @@ typedef DWORD ULONG;
 typedef unsigned short WORD;
 typedef WORD UWORD;
 typedef WORD ATOM;
+#if defined(_WIN64)
+typedef int64_t PA_LONG_PTR, *PA_PLONG_PTR;
+#else
+typedef int32_t PA_LONG_PTR, *PA_PLONG_PTR;
+#endif
 
 // Forward declare some Windows struct/typedef sets.
 
@@ -53,6 +59,16 @@ struct PA_CHROME_SRWLOCK {
   PVOID Ptr;
 };
 
+// Define some commonly used Windows constants. Note that the layout of these
+// macros - including internal spacing - must be 100% consistent with windows.h.
+
+// clang-format off
+
+#ifndef INVALID_HANDLE_VALUE
+// Work around there being two slightly different definitions in the SDK.
+#define INVALID_HANDLE_VALUE ((HANDLE)(PA_LONG_PTR)-1)
+#endif
+
 // The trailing white-spaces after this macro are required, for compatibility
 // with the definition in winnt.h.
 // clang-format off

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_check.h

@@ -61,11 +61,11 @@
 
 // Expensive dchecks that run within *Scan. These checks are only enabled in
 // debug builds with dchecks enabled.
-#if !defined(NDEBUG)
+#if PA_BUILDFLAG(IS_DEBUG)
 #define PA_SCAN_DCHECK_IS_ON() PA_BUILDFLAG(DCHECKS_ARE_ON)
 #else
 #define PA_SCAN_DCHECK_IS_ON() 0
-#endif
+#endif  // PA_BUILDFLAG(IS_DEBUG)
 
 #if PA_SCAN_DCHECK_IS_ON()
 #define PA_SCAN_DCHECK(expr) PA_DCHECK(expr)

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_config.h

@@ -95,7 +95,9 @@ static_assert(sizeof(void*) == 8);
 #endif
 
 // Specifies whether allocation extras need to be added.
-#if PA_BUILDFLAG(DCHECKS_ARE_ON) || PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
+#if PA_BUILDFLAG(DCHECKS_ARE_ON) ||                \
+    PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) || \
+    PA_BUILDFLAG(USE_PARTITION_COOKIE)
 #define PA_CONFIG_EXTRAS_REQUIRED() 1
 #else
 #define PA_CONFIG_EXTRAS_REQUIRED() 0

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_constants.h

@@ -63,9 +63,7 @@ enum class FreeFlags {
   kNoHooks = 1 << 1,  // Internal.
   // Quarantine for a while to ensure no UaF from on-stack pointers.
   kSchedulerLoopQuarantine = 1 << 2,
-  // Zap the object region on `Free()`.
+  kMaxValue = kSchedulerLoopQuarantine,
-  kZap = 1 << 3,
-  kMaxValue = kZap,
 };
 PA_DEFINE_OPERATORS_FOR_FLAGS(FreeFlags);
 }  // namespace internal
@@ -467,7 +465,7 @@ constexpr size_t kBitsPerSizeT = sizeof(void*) * CHAR_BIT;
 // the place used by a previous one will lead the previous SlotSpan to be
 // decommitted immediately, provided that it is still empty.
 //
-// Setting this value higher means giving more time for reuse to happen, at the
+// Increasing the ring size means giving more time for reuse to happen, at the
 // cost of possibly increasing peak committed memory usage (and increasing the
 // size of PartitionRoot a bit, since the ring buffer is there). Note that the
 // ring buffer doesn't necessarily contain an empty SlotSpan, as SlotSpans are
@@ -478,24 +476,28 @@ constexpr size_t kBitsPerSizeT = sizeof(void*) * CHAR_BIT;
 // PurgeFlags::kDecommitEmptySlotSpans flag will eagerly decommit all entries
 // in the ring buffer, so with periodic purge enabled, this typically happens
 // every few seconds.
+//
+// The constants below define the empty ring size:
+// - In foreground mode (see `PartitionRoot::AdjustForForeground`).
+constexpr size_t kForegroundEmptySlotSpanRingSize =
 #if PA_BUILDFLAG(USE_LARGE_EMPTY_SLOT_SPAN_RING)
-// USE_LARGE_EMPTY_SLOT_SPAN_RING results in two size. kMaxEmptyCacheIndexBits,
+    1 << 10;
-// which is used when the renderer is in the foreground, and
-// kMinEmptyCacheIndexBits which is used when the renderer is in the background.
-constexpr size_t kMaxEmptyCacheIndexBits = 10;
-constexpr size_t kMinEmptyCacheIndexBits = 7;
 #else
-constexpr size_t kMaxEmptyCacheIndexBits = 7;
+    1 << 7;
-constexpr size_t kMinEmptyCacheIndexBits = 7;
 #endif
-static_assert(kMinEmptyCacheIndexBits <= kMaxEmptyCacheIndexBits,
+// - In background mode or large empty slot span ring mode (see
-              "min size must be <= max size");
+//   `PartitionRoot::AdjustForBackground` and
-// kMaxFreeableSpans is the buffer size, but is never used as an index value,
+//   `PartitionRoot::EnableLargeEmptySlotSpanRing`).
-// hence <= is appropriate.
+constexpr size_t kBackgroundEmptySlotSpanRingSize = 1 << 7;
-constexpr size_t kMaxFreeableSpans = 1 << kMaxEmptyCacheIndexBits;
+// - By default.
-constexpr size_t kMinFreeableSpans = 1 << kMinEmptyCacheIndexBits;
 constexpr size_t kDefaultEmptySlotSpanRingSize = 16;
 
+// This is the maximum ring size supported across all modes:
+constexpr size_t kMaxEmptySlotSpanRingSize = kForegroundEmptySlotSpanRingSize;
+static_assert(kMaxEmptySlotSpanRingSize >= kForegroundEmptySlotSpanRingSize);
+static_assert(kMaxEmptySlotSpanRingSize >= kBackgroundEmptySlotSpanRingSize);
+static_assert(kMaxEmptySlotSpanRingSize >= kDefaultEmptySlotSpanRingSize);
+
 // If the total size in bytes of allocated but not committed pages exceeds this
 // value (probably it is a "out of virtual address space" crash), a special
 // crash stack trace is generated at

src/base/allocator/partition_allocator/src/partition_alloc/partition_bucket.cc

@@ -223,6 +223,18 @@ SlotSpanMetadata<MetadataKind::kReadOnly>* PartitionDirectMap(
   PartitionPageMetadata<MetadataKind::kReadOnly>* page_metadata = nullptr;
 
   {
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+    // Because of the performance reason, PartitionRoot's lock is unlocked
+    // here. However this causes multi-thread issue when running
+    // EnableShadowMetadata(). If some thread is running PartitionDirectMap()
+    // and unlock PartitionRoot lock and also another thread is running
+    // EnableShadowMetadata(), the metadata page's permission will be modified
+    // by both threads and chrome will crash. c.f. crbug.com/378809882
+    // Be careful. This should not block PartitionDirectMap() in another thread.
+    internal::SharedLock shared_lock(
+        PartitionRoot::g_shadow_metadata_init_mutex_);
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
     // Getting memory for direct-mapped allocations doesn't interact with the
     // rest of the allocator, but takes a long time, as it involves several
     // system calls. Although no mmap() (or equivalent) calls are made on
@@ -672,7 +684,7 @@ PartitionBucket::AllocNewSlotSpan(PartitionRoot* root,
   for (auto* page = gap_start_page->ToWritable(root);
        page < gap_end_page->ToWritable(root); ++page) {
     PA_DCHECK(!page->is_valid);
-    page->has_valid_span_after_this = 1;
+    page->has_valid_span_after_this = true;
   }
   root->next_partition_page =
       adjusted_next_partition_page + slot_span_reservation_size;
@@ -696,7 +708,7 @@ PartitionBucket::AllocNewSlotSpan(PartitionRoot* root,
     PA_DEBUG_DATA_ON_STACK("spancmt", slot_span_committed_size);
 
     root->RecommitSystemPagesForData(
-        slot_span_start, slot_span_committed_size,
+        slot_span_start, SlotSpanCommittedSize(root),
         PageAccessibilityDisposition::kRequireUpdate,
         slot_size <= kMaxMemoryTaggingSize);
   }
@@ -1578,4 +1590,63 @@ void PartitionBucket::InitializeSlotSpanForGwpAsan(
   InitializeSlotSpan(slot_span, root);
 }
 
+size_t PartitionBucket::SlotSpanCommittedSize(PartitionRoot* root) const {
+  // With lazy commit, we certainly don't want to commit more than
+  // necessary. This is not reached, but keep the CHECK() as documentation.
+  PA_CHECK(!kUseLazyCommit);
+
+  // Memory is reserved in units of PartitionPage, but a given slot span may be
+  // smaller than the reserved area. For instance (assuming 4k pages), for a
+  // bucket where the slot span size is 40kiB, we reserve 4 PartitionPage = 16 *
+  // 4 = 48kiB, but only ever commit 40kiB out of it.
+  //
+  // This means that the address space then looks like, assuming that the
+  // PartitionPage next to it is committed:
+  //   [SlotSpan range, 40kiB]                       rw-p
+  //   [Unused area in the last PartitionPage, 8kiB] ---p
+  //   [Next PartitionPages, size unknown ]          rw-p
+  //
+  // So we have a "hole" of inaccessible memory, and 3 memory regions. If
+  // instead we commit the full PartitionPages, we get (due to the kernel
+  // merging neighboring regions with uniform permissions):
+  //
+  //   [SlotSpan range, 40kiB + Unused area, 8kiB + next PartitionPages] rw-p
+  //
+  // So 1 memory region rather then 3. This matters, because on Linux kernels,
+  // there is a maximum number of VMAs per process, with the default limit a bit
+  // less than 2^16, and Chromium sometimes hits the limit (see
+  // /proc/sys/vm/max_map_count for the current limit), largely because of
+  // PartitionAlloc contributing thousands of regions. Locally, on a Linux
+  // system, this reduces the number of PartitionAlloc regions by up to ~4x.
+  //
+  // Why is it safe?
+  // The extra memory is not used by anything, so committing it doesn't make a
+  // difference. It makes it accessible though.
+  //
+  // How much does it cost?
+  // Almost nothing. On Linux, "committing" memory merely changes its
+  // permissions, it doesn't cost any memory until the pages are touched, which
+  // they are not. However, mprotect()-ed areas that are writable count towards
+  // the RLIMIT_DATA resource limit, which is used by the sandbox. So, while
+  // this change costs 0 physical memory (and actually saves some, by reducing
+  // the size of the VMA red-black tree in the kernel), it might increase
+  // slightly the cases where we bump into the sandbox memory limit.
+  //
+  // Is it safe to do while running?
+  // Since this is decided through root settings, the value changes at runtime,
+  // so we may decommit memory that was never committed. This is safe onLinux,
+  // since decommitting is just changing permissions back to PROT_NONE, which
+  // the tail end would already have.
+  //
+  // Can we do better?
+  // For simplicity, we do not "fix" the regions that were committed before the
+  // settings are changed (after feature list initialization). This means that
+  // we end up with more regions that we could. The intent is to run a field
+  // experiment, then change the default value, at which point we get the full
+  // impact, so this is only temporary.
+  return root->settings.fewer_memory_regions
+             ? (get_pages_per_slot_span() << PartitionPageShift())
+             : get_bytes_per_span();
+}
+
 }  // namespace partition_alloc::internal

src/base/allocator/partition_allocator/src/partition_alloc/partition_bucket.h

@@ -1,7 +1,6 @@
 // Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-
 #ifndef PARTITION_ALLOC_PARTITION_BUCKET_H_
 #define PARTITION_ALLOC_PARTITION_BUCKET_H_
 
@@ -171,6 +170,8 @@ struct PartitionBucket {
       SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
       PartitionRoot* root);
 
+  size_t SlotSpanCommittedSize(PartitionRoot* root) const;
+
  private:
   // Sets `this->can_store_raw_size`.
   void InitCanStoreRawSize(bool use_small_single_slot_spans);

src/base/allocator/partition_allocator/src/partition_alloc/partition_cookie.cc

@@ -0,0 +1,28 @@
+// Copyright 2024 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "partition_alloc/partition_cookie.h"
+
+#include <cstdint>
+#include <type_traits>
+
+#include "partition_alloc/partition_alloc_check.h"
+
+#if PA_BUILDFLAG(USE_PARTITION_COOKIE)
+namespace partition_alloc::internal {
+[[noreturn]] PA_NOINLINE PA_NOT_TAIL_CALLED void CookieCorruptionDetected(
+    unsigned char* cookie_ptr,
+    size_t slot_usable_size) {
+  using CookieValue = std::conditional_t<kCookieSize == 4, uint32_t, uint64_t>;
+  static_assert(sizeof(CookieValue) <= kCookieSize);
+  CookieValue cookie =
+      *static_cast<CookieValue*>(static_cast<void*>(cookie_ptr));
+  PA_DEBUG_DATA_ON_STACK("slotsize", slot_usable_size);
+  PA_DEBUG_DATA_ON_STACK("cookie", cookie);
+
+  PA_NO_CODE_FOLDING();
+  PA_IMMEDIATE_CRASH();
+}
+}  // namespace partition_alloc::internal
+#endif  // PA_BUILDFLAG(USE_PARTITION_COOKIE)

src/base/allocator/partition_allocator/src/partition_alloc/partition_cookie.h

@@ -9,22 +9,44 @@
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"
 #include "partition_alloc/partition_alloc_check.h"
 
+#if PA_BUILDFLAG(SMALLER_PARTITION_COOKIE)
+#include "partition_alloc/in_slot_metadata.h"
+#endif  // PA_BUILDFLAG(SMALLER_PARTITION_COOKIE)
+
 namespace partition_alloc::internal {
 
+#if PA_BUILDFLAG(SMALLER_PARTITION_COOKIE)
+#if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
+static constexpr size_t kCookieSize =
+    AlignUpInSlotMetadataSizeForApple(sizeof(InSlotMetadata));
+static_assert(kCookieSize == kInSlotMetadataSizeAdjustment);
+#else
+// Size of `InSlotMetadata` is unknown: using 4 bytes as an estimate.
+static constexpr size_t kCookieSize = AlignUpInSlotMetadataSizeForApple(4);
+static_assert(kCookieSize <= 16);
+#endif  //  PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
+#else
 static constexpr size_t kCookieSize = 16;
+#endif  // PA_BUILDFLAG(SMALLER_PARTITION_COOKIE)
 
-// Cookie is enabled for debug builds.
+#if PA_BUILDFLAG(USE_PARTITION_COOKIE)
-#if PA_BUILDFLAG(DCHECKS_ARE_ON)
 
-inline constexpr unsigned char kCookieValue[kCookieSize] = {
+inline constexpr unsigned char kCookieValue[] = {
     0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xD0, 0x0D,
     0x13, 0x37, 0xF0, 0x05, 0xBA, 0x11, 0xAB, 0x1E};
 
 constexpr size_t kPartitionCookieSizeAdjustment = kCookieSize;
 
-PA_ALWAYS_INLINE void PartitionCookieCheckValue(unsigned char* cookie_ptr) {
+[[noreturn]] PA_NOINLINE PA_NOT_TAIL_CALLED PA_COMPONENT_EXPORT(
+    PARTITION_ALLOC) void CookieCorruptionDetected(unsigned char* cookie_ptr,
+                                                   size_t slot_usable_size);
+
+PA_ALWAYS_INLINE void PartitionCookieCheckValue(unsigned char* cookie_ptr,
+                                                size_t slot_usable_size) {
   for (size_t i = 0; i < kCookieSize; ++i, ++cookie_ptr) {
-    PA_DCHECK(*cookie_ptr == kCookieValue[i]);
+    if (*cookie_ptr != kCookieValue[i]) {
+      CookieCorruptionDetected(cookie_ptr, slot_usable_size);
+    }
   }
 }
 
@@ -38,11 +60,12 @@ PA_ALWAYS_INLINE void PartitionCookieWriteValue(unsigned char* cookie_ptr) {
 
 constexpr size_t kPartitionCookieSizeAdjustment = 0;
 
-PA_ALWAYS_INLINE void PartitionCookieCheckValue(unsigned char* address) {}
+PA_ALWAYS_INLINE void PartitionCookieCheckValue(unsigned char* address,
+                                                size_t slot_usable_size) {}
 
 PA_ALWAYS_INLINE void PartitionCookieWriteValue(unsigned char* cookie_ptr) {}
 
-#endif  // PA_BUILDFLAG(DCHECKS_ARE_ON)
+#endif  // PA_BUILDFLAG(USE_PARTITION_COOKIE)
 
 }  // namespace partition_alloc::internal
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_freelist_entry.h

@@ -107,7 +107,7 @@ struct PartitionFreelistDispatcher {
 #else
   static const PartitionFreelistDispatcher* Create(
       PartitionFreelistEncoding encoding) {
-    static PA_CONSTINIT PartitionFreelistDispatcher dispatcher =
+    PA_CONSTINIT static PartitionFreelistDispatcher dispatcher =
         PartitionFreelistDispatcher();
     return &dispatcher;
   }

src/base/allocator/partition_allocator/src/partition_alloc/partition_lock.h

@@ -24,7 +24,8 @@ class PA_LOCKABLE Lock {
  public:
   inline constexpr Lock();
   void Acquire() PA_EXCLUSIVE_LOCK_FUNCTION() {
-#if PA_BUILDFLAG(DCHECKS_ARE_ON)
+#if PA_BUILDFLAG(DCHECKS_ARE_ON) || \
+    PA_BUILDFLAG(ENABLE_PARTITION_LOCK_REENTRANCY_CHECK)
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
     LiftThreadIsolationScope lift_thread_isolation_restrictions;
 #endif
@@ -54,55 +55,69 @@ class PA_LOCKABLE Lock {
           [[unlikely]] {
         // Trying to acquire lock while it's held by this thread: reentrancy
         // issue.
-        PA_IMMEDIATE_CRASH();
+        ReentrancyIssueDetected();
       }
       lock_.Acquire();
     }
     owning_thread_ref_.store(current_thread, std::memory_order_release);
 #else
     lock_.Acquire();
-#endif
+#endif  // PA_BUILDFLAG(DCHECKS_ARE_ON) ||
+        // PA_BUILDFLAG(ENABLE_PARTITION_LOCK_REENTRANCY_CHECK)
   }
 
   void Release() PA_UNLOCK_FUNCTION() {
-#if PA_BUILDFLAG(DCHECKS_ARE_ON)
+#if PA_BUILDFLAG(DCHECKS_ARE_ON) || \
+    PA_BUILDFLAG(ENABLE_PARTITION_LOCK_REENTRANCY_CHECK)
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
     LiftThreadIsolationScope lift_thread_isolation_restrictions;
 #endif
     owning_thread_ref_.store(base::PlatformThreadRef(),
                              std::memory_order_release);
-#endif
+#endif  // PA_BUILDFLAG(DCHECKS_ARE_ON) ||
+        // PA_BUILDFLAG(ENABLE_PARTITION_LOCK_REENTRANCY_CHECK)
     lock_.Release();
   }
   void AssertAcquired() const PA_ASSERT_EXCLUSIVE_LOCK() {
     lock_.AssertAcquired();
-#if PA_BUILDFLAG(DCHECKS_ARE_ON)
+#if PA_BUILDFLAG(DCHECKS_ARE_ON) || \
+    PA_BUILDFLAG(ENABLE_PARTITION_LOCK_REENTRANCY_CHECK)
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
     LiftThreadIsolationScope lift_thread_isolation_restrictions;
 #endif
     PA_DCHECK(owning_thread_ref_.load(std ::memory_order_acquire) ==
               base::PlatformThread::CurrentRef());
-#endif
+#endif  // PA_BUILDFLAG(DCHECKS_ARE_ON) ||
+        // PA_BUILDFLAG(ENABLE_PARTITION_LOCK_REENTRANCY_CHECK)
   }
 
   void Reinit() PA_UNLOCK_FUNCTION() {
     lock_.AssertAcquired();
-#if PA_BUILDFLAG(DCHECKS_ARE_ON)
+#if PA_BUILDFLAG(DCHECKS_ARE_ON) || \
+    PA_BUILDFLAG(ENABLE_PARTITION_LOCK_REENTRANCY_CHECK)
     owning_thread_ref_.store(base::PlatformThreadRef(),
                              std::memory_order_release);
-#endif
+#endif  // PA_BUILDFLAG(DCHECKS_ARE_ON) ||
+        // PA_BUILDFLAG(ENABLE_PARTITION_LOCK_REENTRANCY_CHECK)
     lock_.Reinit();
   }
 
  private:
+  [[noreturn]] PA_NOINLINE PA_NOT_TAIL_CALLED void ReentrancyIssueDetected() {
+    PA_NO_CODE_FOLDING();
+    PA_IMMEDIATE_CRASH();
+  }
+
   SpinningMutex lock_;
 
-#if PA_BUILDFLAG(DCHECKS_ARE_ON)
+#if PA_BUILDFLAG(DCHECKS_ARE_ON) || \
+    PA_BUILDFLAG(ENABLE_PARTITION_LOCK_REENTRANCY_CHECK)
   // Should in theory be protected by |lock_|, but we need to read it to detect
   // recursive lock acquisition (and thus, the allocator becoming reentrant).
   std::atomic<base::PlatformThreadRef> owning_thread_ref_ =
       base::PlatformThreadRef();
-#endif
+#endif  // PA_BUILDFLAG(DCHECKS_ARE_ON) ||
+        // PA_BUILDFLAG(ENABLE_PARTITION_LOCK_REENTRANCY_CHECK)
 };
 
 class PA_SCOPED_LOCKABLE ScopedGuard {

src/base/allocator/partition_allocator/src/partition_alloc/partition_page.cc

@@ -15,6 +15,7 @@
 #include "partition_alloc/partition_address_space.h"
 #include "partition_alloc/partition_alloc_base/bits.h"
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"
+#include "partition_alloc/partition_alloc_base/numerics/safe_conversions.h"
 #include "partition_alloc/partition_alloc_check.h"
 #include "partition_alloc/partition_alloc_constants.h"
 #include "partition_alloc/partition_alloc_forward.h"
@@ -133,6 +134,8 @@ SlotSpanMetadata<MetadataKind::kWritable>::RegisterEmpty() {
   if (current_index == root->global_empty_slot_span_ring_size) {
     current_index = 0;
   }
+  PA_DCHECK(current_index <
+            base::checked_cast<int16_t>(internal::kMaxEmptySlotSpanRingSize));
   root->global_empty_slot_span_ring_index = current_index;
 
   // Avoid wasting too much memory on empty slot spans. Note that we only divide
@@ -245,7 +248,7 @@ void SlotSpanMetadata<MetadataKind::kWritable>::Decommit(PartitionRoot* root) {
   size_t dirty_size =
       base::bits::AlignUp(GetProvisionedSize(), SystemPageSize());
   size_t size_to_decommit =
-      kUseLazyCommit ? dirty_size : bucket->get_bytes_per_span();
+      kUseLazyCommit ? dirty_size : bucket->SlotSpanCommittedSize(root);
 
   PA_DCHECK(root->empty_slot_spans_dirty_bytes >= dirty_size);
   root->empty_slot_spans_dirty_bytes -= dirty_size;
@@ -276,7 +279,7 @@ void SlotSpanMetadata<MetadataKind::kWritable>::DecommitIfPossible(
     PartitionRoot* root) {
   PartitionRootLock(root).AssertAcquired();
   PA_DCHECK(in_empty_cache_);
-  PA_DCHECK(empty_cache_index_ < kMaxFreeableSpans);
+  PA_DCHECK(empty_cache_index_ < kMaxEmptySlotSpanRingSize);
   PA_DCHECK(ToReadOnly(root) ==
             root->global_empty_slot_span_ring[empty_cache_index_]);
   in_empty_cache_ = 0;
@@ -408,6 +411,17 @@ void UnmapNow(uintptr_t reservation_start,
     *offset_ptr++ = kOffsetTagNotAllocated;
   }
 
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+  // UnmapShadowMetadata must be done before unreserving memory, because
+  // Unreserved memory may be allocated by PartitionDirectMap() in another
+  // thread. In the case, MapShadowMetadata() and UnmapShadowMetadata()
+  // will be executed for the same system pages in wrong order. It causes
+  // memory access error.
+  if (internal::PartitionAddressSpace::IsShadowMetadataEnabled(pool)) {
+    PartitionAddressSpace::UnmapShadowMetadata(reservation_start, pool);
+  }
+#endif
+
 #if !PA_BUILDFLAG(HAS_64_BIT_POINTERS)
   AddressPoolManager::GetInstance().MarkUnused(pool, reservation_start,
                                                reservation_size);
@@ -416,12 +430,6 @@ void UnmapNow(uintptr_t reservation_start,
   // After resetting the table entries, unreserve and decommit the memory.
   AddressPoolManager::GetInstance().UnreserveAndDecommit(
       pool, reservation_start, reservation_size);
-
-#if PA_CONFIG(ENABLE_SHADOW_METADATA)
-  if (internal::PartitionAddressSpace::IsShadowMetadataEnabled(pool)) {
-    PartitionAddressSpace::UnmapShadowMetadata(reservation_start, pool);
-  }
-#endif
 }
 
 }  // namespace

src/base/allocator/partition_allocator/src/partition_alloc/partition_page.h

@@ -102,8 +102,11 @@ struct SlotSpanMetadataBase {
   // If |in_empty_cache_|==1, |empty_cache_index| is undefined and mustn't be
   // used.
   MaybeConstT<kind, uint16_t> in_empty_cache_ : 1 = 0u;
+  // Index of the page in the empty cache. This is in the range
+  // [0, `kMaxEmptySlotSpanRingSize - 1`] so it fits in
+  // `BitWidth(kMaxEmptySlotSpanRingSize - 1)`.
   MaybeConstT<kind, uint16_t> empty_cache_index_
-      : kMaxEmptyCacheIndexBits = 0u;  // < kMaxFreeableSpans.
+      : internal::base::bits::BitWidth(kMaxEmptySlotSpanRingSize - 1) = 0u;
   // Can use only 48 bits (6B) in this bitfield, as this structure is embedded
   // in PartitionPage which has 2B worth of fields and must fit in 32B.
 
@@ -170,8 +173,7 @@ struct SlotSpanMetadata<MetadataKind::kReadOnly>
       : SlotSpanMetadataBase<MetadataKind::kReadOnly>(b) {}
 #endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
   // pa_tcache_inspect needs the copy constructor.
-  SlotSpanMetadata<MetadataKind::kReadOnly>(
+  SlotSpanMetadata(const SlotSpanMetadata<MetadataKind::kReadOnly>&) = default;
-      const SlotSpanMetadata<MetadataKind::kReadOnly>&) = default;
 
   // Public API
   // Pointer/address manipulation functions. These must be static as the input
@@ -936,8 +938,7 @@ PA_ALWAYS_INLINE void SlotSpanMetadata<MetadataKind::kWritable>::Reset() {
 // Iterates over all slot spans in a super-page. |Callback| must return true if
 // early return is needed.
 template <typename Callback>
-void IterateSlotSpans(uintptr_t super_page,
+void IterateSlotSpans(uintptr_t super_page, Callback callback) {
-                      Callback callback) {
 #if PA_BUILDFLAG(DCHECKS_ARE_ON)
   PA_DCHECK(!(super_page % kSuperPageAlignment));
   auto* extent_entry = PartitionSuperPageToExtent(super_page);

src/base/allocator/partition_allocator/src/partition_alloc/partition_page_constants.h

@@ -17,7 +17,7 @@ namespace partition_alloc::internal {
 // PartitionPageSize() is 4 times the OS page size.
 static constexpr size_t kMaxSlotsPerSlotSpan = 4 * (1 << 14) / kSmallestBucket;
 #elif defined(PARTITION_ALLOCATOR_CONSTANTS_POSIX_NONCONST_PAGE_SIZE) && \
-    PA_BUILDFLAG(IS_LINUX) && \
+    PA_BUILDFLAG(IS_LINUX) &&                                            \
     (PA_BUILDFLAG(PA_ARCH_CPU_ARM64) || PA_BUILDFLAG(PA_ARCH_CPU_PPC64))
 // System page size can be 4, 16, or 64 kiB on Linux on AArch64.
 // System page size can be 4 or 64 kiB on Linux on ppc64.

src/base/allocator/partition_allocator/src/partition_alloc/partition_root.cc

@@ -46,6 +46,13 @@
 
 #if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
 #include <pthread.h>
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+#include <sys/mman.h>
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+#endif  // PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
+
+#if defined(__MUSL__)
+#include "partition_alloc/shim/allocator_shim.h"
 #endif
 
 namespace partition_alloc::internal {
@@ -102,6 +109,10 @@ PtrPosWithinAlloc IsPtrWithinSameAlloc(uintptr_t orig_address,
 
 namespace partition_alloc {
 
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+internal::SharedMutex PartitionRoot::g_shadow_metadata_init_mutex_;
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
 #if PA_CONFIG(USE_PARTITION_ROOT_ENUMERATOR)
 
 namespace {
@@ -290,12 +301,7 @@ void PartitionAllocMallocInitOnce() {
     return;
   }
 
-#if defined(__MUSL__)
+#if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
-  // Musl calls malloc() in pthread_atfork(), resulting in a deadlock.
-  static_cast<void>(BeforeForkInParent);
-  static_cast<void>(AfterForkInParent);
-  static_cast<void>(AfterForkInChild);
-#elif PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
   // When fork() is called, only the current thread continues to execute in the
   // child process. If the lock is held, but *not* by this thread when fork() is
   // called, we have a deadlock.
@@ -317,9 +323,25 @@ void PartitionAllocMallocInitOnce() {
   // However, no perfect solution really exists to make threads + fork()
   // cooperate, but deadlocks are real (and fork() is used in DEATH_TEST()s),
   // and other malloc() implementations use the same techniques.
+
+#if defined(__MUSL__)
+    allocator_shim::AllocatorDispatch d =
+        *allocator_shim::GetAllocatorDispatchChainHeadForTesting();
+    d.alloc_function = +[](size_t size, void*) -> void* {
+      // The size of the scratch fits struct atfork_funcs in Musl pthread_atfork.c.
+      static char scratch[5 * sizeof(void*)];
+      return size != sizeof(scratch) ? nullptr : scratch;
+    };
+    allocator_shim::InsertAllocatorDispatch(&d);
+#endif
+
   int err =
       pthread_atfork(BeforeForkInParent, AfterForkInParent, AfterForkInChild);
   PA_CHECK(err == 0);
+
+#if defined(__MUSL__)
+    allocator_shim::RemoveAllocatorDispatchForTesting(&d);
+#endif
 #endif  // PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
 }
 
@@ -1139,11 +1161,6 @@ void PartitionRoot::Init(PartitionOptions opts) {
     ReserveBackupRefPtrGuardRegionIfNeeded();
 #endif
 
-#if PA_BUILDFLAG(DCHECKS_ARE_ON)
-    settings.use_cookie = true;
-#else
-    static_assert(!Settings::use_cookie);
-#endif  // PA_BUILDFLAG(DCHECKS_ARE_ON)
 #if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
     settings.brp_enabled_ = opts.backup_ref_ptr == PartitionOptions::kEnabled;
 #else   // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
@@ -1155,6 +1172,10 @@ void PartitionRoot::Init(PartitionOptions opts) {
     PA_DCHECK(!settings.use_configurable_pool || IsConfigurablePoolAvailable());
     settings.zapping_by_free_flags =
         opts.zapping_by_free_flags == PartitionOptions::kEnabled;
+    settings.eventually_zero_freed_memory =
+        opts.eventually_zero_freed_memory == PartitionOptions::kEnabled;
+    settings.fewer_memory_regions =
+        opts.fewer_memory_regions == PartitionOptions::kEnabled;
 
     settings.scheduler_loop_quarantine =
         opts.scheduler_loop_quarantine == PartitionOptions::kEnabled;
@@ -1211,7 +1232,7 @@ void PartitionRoot::Init(PartitionOptions opts) {
 #if PA_CONFIG(EXTRAS_REQUIRED)
     settings.extras_size = 0;
 
-    if (settings.use_cookie) {
+    if (Settings::use_cookie) {
       settings.extras_size += internal::kPartitionCookieSizeAdjustment;
     }
 
@@ -1219,6 +1240,7 @@ void PartitionRoot::Init(PartitionOptions opts) {
     if (brp_enabled()) {
       settings.in_slot_metadata_size = internal::kInSlotMetadataSizeAdjustment;
       settings.extras_size += internal::kInSlotMetadataSizeAdjustment;
+      settings.extras_size += opts.backup_ref_ptr_extra_extras_size;
 #if PA_CONFIG(MAYBE_ENABLE_MAC11_MALLOC_SIZE_HACK)
       EnableMac11MallocSizeHackIfNeeded();
 #endif
@@ -1352,6 +1374,9 @@ void PartitionRoot::EnableThreadCacheIfSupported() {
       thread_caches_being_constructed_.fetch_add(1, std::memory_order_acquire);
   PA_CHECK(before == 0);
   ThreadCache::Init(this);
+  // Create thread cache for this thread so that we can start using it right
+  // after.
+  ThreadCache::Create(this);
   thread_caches_being_constructed_.fetch_sub(1, std::memory_order_release);
   settings.with_thread_cache = true;
 #endif  // PA_CONFIG(THREAD_CACHE_SUPPORTED)
@@ -1477,7 +1502,7 @@ bool PartitionRoot::TryReallocInPlaceForDirectMap(
   }
 
   // Write a new trailing cookie.
-  if (settings.use_cookie) {
+  if (Settings::use_cookie) {
     auto* object = static_cast<unsigned char*>(SlotStartToObject(slot_start));
     internal::PartitionCookieWriteValue(object + GetSlotUsableSize(slot_span));
   }
@@ -1526,7 +1551,7 @@ bool PartitionRoot::TryReallocInPlaceForNormalBuckets(
         // PA_BUILDFLAG(DCHECKS_ARE_ON)
     // Write a new trailing cookie only when it is possible to keep track
     // raw size (otherwise we wouldn't know where to look for it later).
-    if (settings.use_cookie) {
+    if (Settings::use_cookie) {
       internal::PartitionCookieWriteValue(static_cast<unsigned char*>(object) +
                                           GetSlotUsableSize(slot_span));
     }
@@ -1645,9 +1670,9 @@ void PartitionRoot::ShrinkEmptySlotSpansRing(size_t limit) {
     index += 1;
     // Walk through the entirety of possible slots, even though the last ones
     // are unused, if global_empty_slot_span_ring_size is smaller than
-    // kMaxFreeableSpans. It's simpler, and does not cost anything, since all
+    // kMaxEmptySlotSpanRingSize. It's simpler, and does not cost anything,
-    // the pointers are going to be nullptr.
+    // since all the pointers are going to be nullptr.
-    if (index == internal::kMaxFreeableSpans) {
+    if (index == internal::kMaxEmptySlotSpanRingSize) {
       index = 0;
     }
 
@@ -1962,6 +1987,17 @@ PA_NOINLINE void PartitionRoot::QuarantineForBrp(
 // static
 #if PA_CONFIG(ENABLE_SHADOW_METADATA)
 void PartitionRoot::EnableShadowMetadata(internal::PoolHandleMask mask) {
+#if PA_BUILDFLAG(IS_LINUX)
+  // TODO(crbug.com/40238514): implement ModuleCache() or something to
+  // load required shared libraries in advance.
+  // Since memfd_create() causes dlsym(), it is not possible to invoke
+  // memfd_create() while PartitionRoot-s are locked.
+  // So invoke memfd_create() here and invoke dysym() in advance.
+  // This is required to enable ShadowMetadata on utility processes.
+  { close(memfd_create("module_cache", MFD_CLOEXEC)); }
+#endif
+  internal::UniqueLock unique_lock(g_shadow_metadata_init_mutex_);
+
   internal::ScopedGuard guard(g_root_enumerator_lock);
   // Must lock all PartitionRoot-s and ThreadCache.
   internal::PartitionRootEnumerator::Instance().Enumerate(
@@ -2011,7 +2047,7 @@ static_assert(offsetof(PartitionRoot, sentinel_bucket) ==
               "sentinel_bucket must be just after the regular buckets.");
 
 static_assert(
-    offsetof(PartitionRoot, lock_) >= 64,
+    offsetof(PartitionRoot, lock_) >= internal::kPartitionCachelineSize,
     "The lock should not be on the same cacheline as the read-mostly flags");
 #if defined(__clang__)
 #pragma clang diagnostic pop

src/base/allocator/partition_allocator/src/partition_alloc/partition_root.h

@@ -71,6 +71,7 @@
 #include "partition_alloc/partition_lock.h"
 #include "partition_alloc/partition_oom.h"
 #include "partition_alloc/partition_page.h"
+#include "partition_alloc/partition_shared_mutex.h"
 #include "partition_alloc/reservation_offset_table.h"
 #include "partition_alloc/tagging.h"
 #include "partition_alloc/thread_cache.h"
@@ -165,14 +166,23 @@ struct PartitionOptions {
   static constexpr auto kEnabled = EnableToggle::kEnabled;
 
   EnableToggle thread_cache = kDisabled;
-  AllowToggle star_scan_quarantine = kDisallowed;
   EnableToggle backup_ref_ptr = kDisabled;
   AllowToggle use_configurable_pool = kDisallowed;
 
+  // TODO(https://crbug.com/371135823): Remove after the investigation.
+  size_t backup_ref_ptr_extra_extras_size = 0;
+
   EnableToggle scheduler_loop_quarantine = kDisabled;
   size_t scheduler_loop_quarantine_branch_capacity_in_bytes = 0;
 
   EnableToggle zapping_by_free_flags = kDisabled;
+  // As the name implies, this is not a security measure, as there is no
+  // guarantee that memorys has been zeroed out when handed back to the
+  // application, or when free() returns. This is intended to improve the
+  // compression ratio of freed memory inside partially allocated pages (due to
+  // fragmentation).
+  EnableToggle eventually_zero_freed_memory = kDisabled;
+  EnableToggle fewer_memory_regions = kDisabled;
 
   struct {
     EnableToggle enabled = kDisabled;
@@ -238,11 +248,11 @@ struct alignas(64) PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionRoot {
 
     bool with_thread_cache = false;
 
-#if PA_BUILDFLAG(DCHECKS_ARE_ON)
+#if PA_BUILDFLAG(USE_PARTITION_COOKIE)
-    bool use_cookie = false;
+    static constexpr bool use_cookie = true;
 #else
     static constexpr bool use_cookie = false;
-#endif  // PA_BUILDFLAG(DCHECKS_ARE_ON)
+#endif  // PA_BUILDFLAG(USE_PARTITION_COOKIE)
 #if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
     bool brp_enabled_ = false;
 #if PA_CONFIG(MAYBE_ENABLE_MAC11_MALLOC_SIZE_HACK)
@@ -252,8 +262,14 @@ struct alignas(64) PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionRoot {
     size_t in_slot_metadata_size = 0;
 #endif  // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
     bool use_configurable_pool = false;
+    // Despite its name, `FreeFlags` for zapping is deleted and does not exist.
+    // This value is used for SchedulerLoopQuarantine.
+    // TODO(https://crbug.com/351974425): group this setting and quarantine
+    // setting in one place.
     bool zapping_by_free_flags = false;
+    bool eventually_zero_freed_memory = false;
     bool scheduler_loop_quarantine = false;
+    bool fewer_memory_regions = false;
 #if PA_BUILDFLAG(HAS_MEMORY_TAGGING)
     bool memory_tagging_enabled_ = false;
     bool use_random_memory_tagging_ = false;
@@ -348,8 +364,8 @@ struct alignas(64) PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionRoot {
   ReadOnlySuperPageExtentEntry* first_extent = nullptr;
   ReadOnlyDirectMapExtent* direct_map_list
       PA_GUARDED_BY(internal::PartitionRootLock(this)) = nullptr;
-  ReadOnlySlotSpanMetadata*
+  ReadOnlySlotSpanMetadata* global_empty_slot_span_ring
-      global_empty_slot_span_ring[internal::kMaxFreeableSpans] PA_GUARDED_BY(
+      [internal::kMaxEmptySlotSpanRingSize] PA_GUARDED_BY(
           internal::PartitionRootLock(this)) = {};
   int16_t global_empty_slot_span_ring_index
       PA_GUARDED_BY(internal::PartitionRootLock(this)) = 0;
@@ -380,6 +396,12 @@ struct alignas(64) PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionRoot {
   internal::base::TimeTicks (*now_maybe_overridden_for_testing)() =
       internal::base::TimeTicks::Now;
 
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+  // Locks not to run EnableShadowMetadata() and PartitionDirectMap()
+  // at the same time.
+  static internal::SharedMutex g_shadow_metadata_init_mutex_;
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
   PartitionRoot();
   explicit PartitionRoot(PartitionOptions opts);
 
@@ -609,7 +631,8 @@ struct alignas(64) PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionRoot {
   void EnableLargeEmptySlotSpanRing() {
     ::partition_alloc::internal::ScopedGuard locker{
         internal::PartitionRootLock(this)};
-    global_empty_slot_span_ring_size = internal::kMinFreeableSpans;
+    global_empty_slot_span_ring_size =
+        internal::kBackgroundEmptySlotSpanRingSize;
   }
 
   void DumpStats(const char* partition_name,
@@ -751,6 +774,13 @@ struct alignas(64) PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionRoot {
         internal::DirectMapAllocationGranularity());
   }
 
+  PA_ALWAYS_INLINE bool IsDirectMapped(
+      partition_alloc::internal::SlotSpanMetadata<
+          partition_alloc::internal::MetadataKind::kReadOnly>* slot_span)
+      const {
+    return IsDirectMappedBucket(slot_span->bucket);
+  }
+
   PA_ALWAYS_INLINE size_t AdjustSize0IfNeeded(size_t size) const {
     // There are known cases where allowing size 0 would lead to problems:
     // 1. If extras are present only before allocation (e.g. in-slot metadata),
@@ -823,18 +853,20 @@ struct alignas(64) PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionRoot {
     max_empty_slot_spans_dirty_bytes_shift = 2;
     ::partition_alloc::internal::ScopedGuard guard{
         internal::PartitionRootLock(this)};
-    global_empty_slot_span_ring_size = internal::kMaxFreeableSpans;
+    global_empty_slot_span_ring_size =
+        internal::kForegroundEmptySlotSpanRingSize;
   }
 
   void AdjustForBackground() {
     max_empty_slot_spans_dirty_bytes_shift = 3;
-    // ShrinkEmptySlotSpansRing() will iterate through kMaxFreeableSpans, so
+    // ShrinkEmptySlotSpansRing() will iterate through
-    // no need to for this to free any empty pages now.
+    // kMaxEmptySlotSpanRingSize, so no need to free empty pages now.
     ::partition_alloc::internal::ScopedGuard guard{
         internal::PartitionRootLock(this)};
-    global_empty_slot_span_ring_size = internal::kMinFreeableSpans;
+    global_empty_slot_span_ring_size =
+        internal::kBackgroundEmptySlotSpanRingSize;
     if (global_empty_slot_span_ring_index >=
-        static_cast<int16_t>(internal::kMinFreeableSpans)) {
+        static_cast<int16_t>(internal::kBackgroundEmptySlotSpanRingSize)) {
       global_empty_slot_span_ring_index = 0;
     }
   }
@@ -867,6 +899,14 @@ struct alignas(64) PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionRoot {
     return GetSchedulerLoopQuarantineBranch();
   }
 
+  void SetSchedulerLoopQuarantineThreadLocalBranchCapacity(
+      size_t capacity_in_bytes) {
+    ThreadCache* thread_cache = this->GetOrCreateThreadCache();
+    PA_CHECK(ThreadCache::IsValid(thread_cache));
+    thread_cache->GetSchedulerLoopQuarantineBranch().SetCapacityInBytes(
+        capacity_in_bytes);
+  }
+
   const internal::PartitionFreelistDispatcher* get_freelist_dispatcher() {
 #if PA_BUILDFLAG(USE_FREELIST_DISPATCHER)
     if (settings.use_pool_offset_freelists) {
@@ -913,8 +953,8 @@ struct alignas(64) PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionRoot {
   //
   // See crbug.com/1150772 for an instance of Clusterfuzz / UBSAN detecting
   // this.
-  PA_ALWAYS_INLINE PA_NO_SANITIZE("undefined") const Bucket& bucket_at(
+  PA_NO_SANITIZE("undefined")
-      size_t i) const {
+  PA_ALWAYS_INLINE const Bucket& bucket_at(size_t i) const {
     PA_DCHECK(i <= internal::kNumBuckets);
     return buckets[i];
   }
@@ -1482,17 +1522,20 @@ PA_ALWAYS_INLINE void PartitionRoot::FreeInline(void* object) {
   // cacheline ping-pong.
   PA_PREFETCH(slot_span);
 
-  if constexpr (ContainsFlags(flags, FreeFlags::kZap)) {
-    if (settings.zapping_by_free_flags) {
-      internal::SecureMemset(object, internal::kFreedByte,
-                             GetSlotUsableSize(slot_span));
-    }
-  }
   // TODO(crbug.com/40287058): Collecting objects for
   // `kSchedulerLoopQuarantineBranch` here means it "delays" other checks (BRP
   // refcount, cookie, etc.)
   // For better debuggability, we should do these checks before quarantining.
   if constexpr (ContainsFlags(flags, FreeFlags::kSchedulerLoopQuarantine)) {
+    // No need to zap direct mapped allocations, as they are unmapped right
+    // away. This also ensures that we don't needlessly memset() very large
+    // allocations.
+    if (settings.zapping_by_free_flags &&
+        !IsDirectMappedBucket(slot_span->bucket)) {
+      internal::SecureMemset(object, internal::kFreedByte,
+                             GetSlotUsableSize(slot_span));
+    }
+
     if (settings.scheduler_loop_quarantine) {
 #if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
       // TODO(keishi): Add `[[likely]]` when brp is fully enabled as
@@ -1545,11 +1588,12 @@ PA_ALWAYS_INLINE void PartitionRoot::FreeNoHooksImmediate(
   // For more context, see the other "Layout inside the slot" comment inside
   // AllocInternalNoHooks().
 
-  if (settings.use_cookie) {
+  if (Settings::use_cookie) {
     // Verify the cookie after the allocated region.
     // If this assert fires, you probably corrupted memory.
-    internal::PartitionCookieCheckValue(static_cast<unsigned char*>(object) +
+    const size_t usable_size = GetSlotUsableSize(slot_span);
-                                        GetSlotUsableSize(slot_span));
+    internal::PartitionCookieCheckValue(
+        static_cast<unsigned char*>(object) + usable_size, usable_size);
   }
 
 #if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
@@ -1562,11 +1606,14 @@ PA_ALWAYS_INLINE void PartitionRoot::FreeNoHooksImmediate(
     // complete before we clear kMemoryHeldByAllocatorBit in
     // ReleaseFromAllocator(), otherwise another thread may allocate and start
     // using the slot in the middle of zapping.
+    bool was_zapped = false;
     if (!ref_count->IsAliveWithNoKnownRefs()) [[unlikely]] {
+      was_zapped = true;
       QuarantineForBrp(slot_span, object);
     }
 
     if (!(ref_count->ReleaseFromAllocator())) [[unlikely]] {
+      PA_CHECK(was_zapped);
       total_size_of_brp_quarantined_bytes.fetch_add(
           slot_span->GetSlotSizeForBookkeeping(), std::memory_order_relaxed);
       total_count_of_brp_quarantined_slots.fetch_add(1,
@@ -1630,6 +1677,7 @@ PA_ALWAYS_INLINE void PartitionRoot::RawFree(uintptr_t slot_start) {
 PA_ALWAYS_INLINE void PartitionRoot::RawFree(
     uintptr_t slot_start,
     ReadOnlySlotSpanMetadata* slot_span) {
+  void* ptr = internal::SlotStartAddr2Ptr(slot_start);
   // At this point we are about to acquire the lock, so we try to minimize the
   // risk of blocking inside the locked section.
   //
@@ -1654,8 +1702,7 @@ PA_ALWAYS_INLINE void PartitionRoot::RawFree(
   // RawFreeLocked()). This is intentional, as the thread cache is purged often,
   // and the memory has a consequence the memory has already been touched
   // recently (to link the thread cache freelist).
-  *static_cast<volatile uintptr_t*>(internal::SlotStartAddr2Ptr(slot_start)) =
+  *static_cast<volatile uintptr_t*>(ptr) = 0;
-      0;
   // Note: even though we write to slot_start + sizeof(void*) as well, due to
   // alignment constraints, the two locations are always going to be in the same
   // OS page. No need to write to the second one as well.
@@ -1664,6 +1711,21 @@ PA_ALWAYS_INLINE void PartitionRoot::RawFree(
 #if !(PA_CONFIG(IS_NONCLANG_MSVC))
   __asm__ __volatile__("" : : "r"(slot_start) : "memory");
 #endif
+  // This is done for memory usage (by improving the compression ratio of heap
+  // pages), not for security, so we care more about being affordable than
+  // prompt. This is done after the thread cache, so most deallocation do not
+  // end up here. Nevertheless, we do not need to memset() direct-mapped
+  // allocations, as they are released right away. And single-slot slot spans
+  // are also excluded, because they can be entirely decommitted once leaving
+  // the global ring.
+  //
+  // This is done before acquiring the lock, to prevent page faults causing
+  // issues there.
+  if (settings.eventually_zero_freed_memory &&
+      !IsDirectMappedBucket(slot_span->bucket) &&
+      slot_span->bucket->get_slots_per_span() > 1) {
+    internal::SecureMemset(ptr, 0, GetSlotUsableSize(slot_span));
+  }
 
   ::partition_alloc::internal::ScopedGuard guard{
       internal::PartitionRootLock(this)};
@@ -2239,7 +2301,7 @@ PA_ALWAYS_INLINE void* PartitionRoot::AllocInternalNoHooks(
   void* object = SlotStartToObject(slot_start);
 
   // Add the cookie after the allocation.
-  if (settings.use_cookie) {
+  if (Settings::use_cookie) {
     internal::PartitionCookieWriteValue(static_cast<unsigned char*>(object) +
                                         usable_size);
   }
@@ -2416,7 +2478,7 @@ void* PartitionRoot::ReallocInline(void* ptr,
   constexpr bool no_hooks = ContainsFlags(alloc_flags, AllocFlags::kNoHooks);
   const bool hooks_enabled = PartitionAllocHooks::AreHooksEnabled();
   bool overridden = false;
-  size_t old_usable_size;
+  size_t old_usable_size = 0;
   if (!no_hooks && hooks_enabled) [[unlikely]] {
     overridden = PartitionAllocHooks::ReallocOverrideHookIfEnabled(
         &old_usable_size, ptr);
@@ -2459,6 +2521,21 @@ void* PartitionRoot::ReallocInline(void* ptr,
     }
   }
 
+#if PA_BUILDFLAG(REALLOC_GROWTH_FACTOR_MITIGATION)
+  // Some nVidia drivers have a performance bug where they repeatedly realloc a
+  // buffer with a small 4144 byte increment instead of using a growth factor to
+  // amortize the cost of a memcpy. To work around this, we apply a growth
+  // factor to the new size to avoid this issue. This workaround is only
+  // intended to be used for Skia bots, and is not intended to be a general
+  // solution.
+  if (new_size > old_usable_size && new_size > 12 << 20) {
+    // 1.5x growth factor.
+    // Note that in case of integer overflow, the std::max ensures that the
+    // new_size is at least as large as the old_usable_size.
+    new_size = std::max(new_size, old_usable_size * 3 / 2);
+  }
+#endif
+
   // This realloc cannot be resized in-place. Sadness.
   void* ret = AllocInternal<alloc_flags>(
       new_size, internal::PartitionPageSize(), type_name);
@@ -2529,7 +2606,7 @@ PartitionRoot::GetSchedulerLoopQuarantineBranch() {
   if (ThreadCache::IsValid(thread_cache)) [[likely]] {
     return thread_cache->GetSchedulerLoopQuarantineBranch();
   } else {
-    return *scheduler_loop_quarantine->get();
+    return **scheduler_loop_quarantine;
   }
 }
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_shared_mutex.h

@@ -0,0 +1,82 @@
+// Copyright 2024 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef PARTITION_ALLOC_PARTITION_SHARED_MUTEX_H_
+#define PARTITION_ALLOC_PARTITION_SHARED_MUTEX_H_
+
+#include "partition_alloc/partition_alloc_base/thread_annotations.h"
+#include "partition_alloc/partition_lock.h"
+
+namespace partition_alloc::internal {
+
+// A partial implementation of `std::shared_mutex` for PartitionAllocator.
+// Since `std::shared_mutex` allocates memory, we cannot use it inside
+// PartitionAllocator. The difference between `std::shared_mutex` and this
+// SharedMutex, this SharedMutex doesn't support try_lock() and
+// try_lock_shared(), because no code uses the methods.
+class PA_LOCKABLE SharedMutex {
+ public:
+  inline constexpr SharedMutex() = default;
+
+  void lock() PA_EXCLUSIVE_LOCK_FUNCTION() { writer_lock_.Acquire(); }
+
+  void unlock() PA_UNLOCK_FUNCTION() { writer_lock_.Release(); }
+
+  void lock_shared() PA_SHARED_LOCK_FUNCTION() {
+    ScopedGuard lock(reader_lock_);
+    ++counter_;
+    if (counter_ == 1u) {
+      writer_lock_.Acquire();
+    }
+  }
+
+  void unlock_shared() PA_UNLOCK_FUNCTION() {
+    ScopedGuard lock(reader_lock_);
+    --counter_;
+    if (counter_ == 0u) {
+      writer_lock_.Release();
+    }
+  }
+
+ private:
+  Lock reader_lock_;
+  Lock writer_lock_;
+  size_t counter_ PA_GUARDED_BY(reader_lock_) = 0;
+};
+
+static_assert(std::is_trivially_destructible_v<SharedMutex>,
+              "SharedMutex must be trivally destructible.");
+
+// A partial implementation of `std::unique_lock` for PartitionAllocator.
+// Locking a UniqueLock locks the associated shared mutex in exclusive mode.
+class PA_SCOPED_LOCKABLE UniqueLock {
+ public:
+  explicit UniqueLock(SharedMutex& mutex) PA_EXCLUSIVE_LOCK_FUNCTION(mutex)
+      : mutex_(mutex) {
+    mutex_.lock();
+  }
+  ~UniqueLock() PA_UNLOCK_FUNCTION() { mutex_.unlock(); }
+
+ private:
+  SharedMutex& mutex_;
+};
+
+// A partial implementation of `std::shared_lock` for PartitionAllocator.
+// Locking a SharedLock locks the associated shared mutex in shared mode.
+// (like std::shared_lock).
+class PA_SCOPED_LOCKABLE SharedLock {
+ public:
+  explicit SharedLock(SharedMutex& mutex) PA_SHARED_LOCK_FUNCTION(mutex)
+      : mutex_(mutex) {
+    mutex_.lock_shared();
+  }
+  ~SharedLock() PA_UNLOCK_FUNCTION() { mutex_.unlock_shared(); }
+
+ private:
+  SharedMutex& mutex_;
+};
+
+}  // namespace partition_alloc::internal
+
+#endif  // PARTITION_ALLOC_PARTITION_SHARED_MUTEX_H_

src/base/allocator/partition_allocator/src/partition_alloc/partition_tls.h

@@ -32,7 +32,6 @@ using PartitionTlsKey = pthread_key_t;
 // which is not the case in macOS 12. See libsyscall/os/tsd.h in XNU
 // (_os_tsd_get_direct() is used by pthread_getspecific() internally).
 #if PA_BUILDFLAG(IS_MAC) && PA_BUILDFLAG(PA_ARCH_CPU_X86_64)
-namespace {
 
 PA_ALWAYS_INLINE void* FastTlsGet(PartitionTlsKey index) {
   // On macOS, pthread_getspecific() is in libSystem, so a call to it has to go
@@ -61,7 +60,6 @@ PA_ALWAYS_INLINE void* FastTlsGet(PartitionTlsKey index) {
   return reinterpret_cast<void*>(result);
 }
 
-}  // namespace
 #endif  // PA_BUILDFLAG(IS_MAC) && PA_BUILDFLAG(PA_ARCH_CPU_X86_64)
 
 PA_ALWAYS_INLINE bool PartitionTlsCreate(PartitionTlsKey* key,

src/base/allocator/partition_allocator/src/partition_alloc/pointers/raw_ptr.h

@@ -10,19 +10,27 @@
 #include <cstddef>
 #include <cstdint>
 #include <functional>
+#include <iterator>
+#include <memory>
 #include <type_traits>
 #include <utility>
 
 #include "partition_alloc/build_config.h"
 #include "partition_alloc/buildflags.h"
 #include "partition_alloc/flags.h"
+#include "partition_alloc/partition_alloc_base/augmentations/compiler_specific.h"
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"
 #include "partition_alloc/partition_alloc_base/component_export.h"
 #include "partition_alloc/partition_alloc_base/cxx20_is_constant_evaluated.h"
+#include "partition_alloc/partition_alloc_base/types/same_as_any.h"
 #include "partition_alloc/partition_alloc_config.h"
 #include "partition_alloc/partition_alloc_forward.h"
 #include "partition_alloc/pointers/instance_tracer.h"
 
+#if PA_HAVE_SPACESHIP_OPERATOR
+#include <compare>
+#endif
+
 #if PA_BUILDFLAG(IS_WIN)
 #include "partition_alloc/partition_alloc_base/win/win_handle_types.h"
 #endif
@@ -64,7 +72,7 @@ class TextureLayerImpl;
 namespace base::internal {
 class DelayTimerBase;
 class JobTaskSource;
-}
+}  // namespace base::internal
 namespace base::test {
 struct RawPtrCountingImplForTest;
 }
@@ -170,84 +178,29 @@ namespace raw_ptr_traits {
 // that raw_ptr is not used with unsupported types. As an example, see how
 // base::internal::Unretained(Ref)Wrapper uses IsSupportedType to decide whether
 // it should use `raw_ptr<T>` or `T*`.
-template <typename T, typename SFINAE = void>
-struct IsSupportedType {
-  static constexpr bool value = true;
-};
-
-// raw_ptr<T> is not compatible with function pointer types. Also, they don't
-// even need the raw_ptr protection, because they don't point on heap.
 template <typename T>
-struct IsSupportedType<T, std::enable_if_t<std::is_function_v<T>>> {
+struct IsSupportedType {
-  static constexpr bool value = false;
+  static constexpr bool value =
-};
+      // raw_ptr<T> is not compatible with function pointer types. Also, they
-
+      // don't even need the raw_ptr protection, because they don't point on
-// This section excludes some types from raw_ptr<T> to avoid them from being
+      // heap.
-// used inside base::Unretained in performance sensitive places.
+      !std::is_function_v<T> &&
-// The ones below were identified from sampling profiler data. See
-// crbug.com/1287151 for more info.
-template <>
-struct IsSupportedType<cc::Scheduler> {
-  static constexpr bool value = false;
-};
-template <>
-struct IsSupportedType<base::internal::DelayTimerBase> {
-  static constexpr bool value = false;
-};
-template <>
-struct IsSupportedType<content::responsiveness::Calculator> {
-  static constexpr bool value = false;
-};
-// The ones below were identified from speedometer3. See crbug.com/335556942 for
-// more info.
-template <>
-struct IsSupportedType<v8::JobTask> {
-  static constexpr bool value = false;
-};
-template <>
-struct IsSupportedType<blink::scheduler::MainThreadTaskQueue> {
-  static constexpr bool value = false;
-};
-template <>
-struct IsSupportedType<base::sequence_manager::internal::TaskQueueImpl> {
-  static constexpr bool value = false;
-};
-template <>
-struct IsSupportedType<base::internal::JobTaskSource> {
-  static constexpr bool value = false;
-};
-template <>
-struct IsSupportedType<mojo::Connector> {
-  static constexpr bool value = false;
-};
-template <>
-struct IsSupportedType<blink::scheduler::NonMainThreadTaskQueue> {
-  static constexpr bool value = false;
-};
-// The ones below were identified from MotionMark. See crbug.com/335556942 for
-// more info.
-template <>
-struct IsSupportedType<cc::ImageDecodeCache> {
-  static constexpr bool value = false;
-};
-template <>
-struct IsSupportedType<cc::TextureLayerImpl> {
-  static constexpr bool value = false;
-};
 
 #if __OBJC__
-// raw_ptr<T> is not compatible with pointers to Objective-C classes for a
+      // raw_ptr<T> is not compatible with pointers to Objective-C classes for a
-// multitude of reasons. They may fail to compile in many cases, and wouldn't
+      // multitude of reasons. They may fail to compile in many cases, and
-// work well with tagged pointers. Anyway, Objective-C objects have their own
+      // wouldn't work well with tagged pointers. Anyway, Objective-C objects
-// way of tracking lifespan, hence don't need the raw_ptr protection as much.
+      // have their own way of tracking lifespan, hence don't need the raw_ptr
-//
+      // protection as much.
-// Such pointers are detected by checking if they're convertible to |id| type.
+      //
-template <typename T>
+      // Such pointers are detected by checking if they're convertible to |id|
-struct IsSupportedType<T, std::enable_if_t<std::is_convertible_v<T*, id>>> {
+      // type.
-  static constexpr bool value = false;
+      !std::is_convertible_v<T*, id> &&
-};
 #endif  // __OBJC__
 
+      // Specific disallowed types.
+      !partition_alloc::internal::base::kSameAsAny<
+          T,
 #if PA_BUILDFLAG(IS_WIN)
 // raw_ptr<HWND__> is unsafe at runtime - if the handle happens to also
 // represent a valid pointer into a PartitionAlloc-managed region then it can
@@ -263,14 +216,30 @@ struct IsSupportedType<T, std::enable_if_t<std::is_convertible_v<T*, id>>> {
 // upside of this approach is that it will safely handle base::Bind closing over
 // HANDLE.  The downside of this approach is that base::Bind closing over a
 // void* pointer will not get UaF protection.
-#define PA_WINDOWS_HANDLE_TYPE(name)       \
+#define PA_WINDOWS_HANDLE_TYPE(name) name##__,
-  template <>                              \
-  struct IsSupportedType<name##__, void> { \
-    static constexpr bool value = false;   \
-  };
 #include "partition_alloc/partition_alloc_base/win/win_handle_types_list.inc"
 #undef PA_WINDOWS_HANDLE_TYPE
 #endif
+          // Performance-sensitive types identified via sampling profiler data;
+          // see crbug.com/1287151
+          base::internal::DelayTimerBase,
+          cc::Scheduler,
+          content::responsiveness::Calculator,
+
+          // Performance-sensitive types identified via speedometer3; see
+          // crbug.com/335556942
+          base::internal::JobTaskSource,
+          base::sequence_manager::internal::TaskQueueImpl,
+          blink::scheduler::MainThreadTaskQueue,
+          blink::scheduler::NonMainThreadTaskQueue,
+          mojo::Connector,
+          v8::JobTask,
+
+          // Performance-sensitive types identified via MotionMark; see
+          // crbug.com/335556942
+          cc::ImageDecodeCache,
+          cc::TextureLayerImpl>;
+};
 
 #if PA_BUILDFLAG(USE_RAW_PTR_BACKUP_REF_IMPL)
 template <RawPtrTraits Traits>
@@ -881,18 +850,27 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
   // perform safety checks with a higher runtime cost, so to avoid this, provide
   // explicit comparison operators for all combinations of parameters.
 
-  // Comparisons between `raw_ptr`s. This unusual declaration and separate
+  // Comparisons between `raw_ptr`s. Typically, these would be defined inline as
-  // definition below is because `GetForComparison()` is a private method. The
+  // comparisons between `raw_ptr` and `raw_ptr<U>`. Unfortunately, the friend
-  // more conventional approach of defining a comparison operator between
+  // declaration grants access to `raw_ptr::GetForComparison()`, but not
-  // `raw_ptr` and `raw_ptr<U>` in the friend declaration itself does not work,
+  // `raw_ptr<U>::GetForComparison()`, since that's an unrelated type; both
-  // because a comparison operator defined inline would not be allowed to call
+  // instantiations must declare the same signature as a friend for it to access
-  // `raw_ptr<U>`'s private `GetForComparison()` method.
+  // both private methods. Switching to `raw_ptr<U>, raw_ptr<V>` achieves this,
+  // but then if the implementation is inline, the compile will generate it for
+  // both instantiations, and not know which (identical) instance to resolve to,
+  // causing a compile error. Thus the definitions must also be out-of-lined
+  // below, so they are only instantiated once.
   template <typename U, typename V, RawPtrTraits R1, RawPtrTraits R2>
   friend constexpr bool operator==(const raw_ptr<U, R1>& lhs,
                                    const raw_ptr<V, R2>& rhs);
   template <typename U, typename V, RawPtrTraits R1, RawPtrTraits R2>
   friend constexpr bool operator!=(const raw_ptr<U, R1>& lhs,
                                    const raw_ptr<V, R2>& rhs);
+#if PA_HAVE_SPACESHIP_OPERATOR
+  template <typename U, typename V, RawPtrTraits R1, RawPtrTraits R2>
+  friend constexpr auto operator<=>(const raw_ptr<U, R1>& lhs,
+                                    const raw_ptr<V, R2>& rhs);
+#else
   template <typename U, typename V, RawPtrTraits R1, RawPtrTraits R2>
   friend constexpr bool operator<(const raw_ptr<U, R1>& lhs,
                                   const raw_ptr<V, R2>& rhs);
@@ -905,9 +883,11 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
   template <typename U, typename V, RawPtrTraits R1, RawPtrTraits R2>
   friend constexpr bool operator>=(const raw_ptr<U, R1>& lhs,
                                    const raw_ptr<V, R2>& rhs);
+#endif
 
   // Comparisons with U*. These operators also handle the case where the RHS is
-  // T*.
+  // T*. Because these only call `raw_ptr::GetForComparison()`, they can be
+  // written inline in the typical way.
   template <typename U>
   PA_ALWAYS_INLINE friend constexpr bool operator==(const raw_ptr& lhs,
                                                     U* rhs) {
@@ -928,6 +908,18 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
                                                     const raw_ptr& rhs) {
     return rhs != lhs;  // Reverse order to call the operator above.
   }
+#if PA_HAVE_SPACESHIP_OPERATOR
+  template <typename U>
+  PA_ALWAYS_INLINE friend constexpr auto operator<=>(const raw_ptr& lhs,
+                                                     U* rhs) {
+    return lhs.GetForComparison() <=> rhs;
+  }
+  template <typename U>
+  PA_ALWAYS_INLINE friend constexpr auto operator<=>(U* lhs,
+                                                     const raw_ptr& rhs) {
+    return lhs <=> rhs.GetForComparison();
+  }
+#else
   template <typename U>
   PA_ALWAYS_INLINE friend constexpr bool operator<(const raw_ptr& lhs, U* rhs) {
     return lhs.GetForComparison() < rhs;
@@ -964,6 +956,7 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ptr {
                                                     const raw_ptr& rhs) {
     return lhs >= rhs.GetForComparison();
   }
+#endif
 
   // Comparisons with `std::nullptr_t`.
   PA_ALWAYS_INLINE friend constexpr bool operator==(const raw_ptr& lhs,
@@ -1040,6 +1033,13 @@ PA_ALWAYS_INLINE constexpr bool operator!=(const raw_ptr<U, Traits1>& lhs,
   return !(lhs == rhs);
 }
 
+#if PA_HAVE_SPACESHIP_OPERATOR
+template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
+PA_ALWAYS_INLINE constexpr auto operator<=>(const raw_ptr<U, Traits1>& lhs,
+                                            const raw_ptr<V, Traits2>& rhs) {
+  return lhs.GetForComparison() <=> rhs.GetForComparison();
+}
+#else
 template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
 PA_ALWAYS_INLINE constexpr bool operator<(const raw_ptr<U, Traits1>& lhs,
                                           const raw_ptr<V, Traits2>& rhs) {
@@ -1063,53 +1063,35 @@ PA_ALWAYS_INLINE constexpr bool operator>=(const raw_ptr<U, Traits1>& lhs,
                                            const raw_ptr<V, Traits2>& rhs) {
   return lhs.GetForComparison() >= rhs.GetForComparison();
 }
+#endif
 
 template <typename T>
-struct IsRawPtr : std::false_type {};
+inline constexpr bool IsRawPtr = false;
-
 template <typename T, RawPtrTraits Traits>
-struct IsRawPtr<raw_ptr<T, Traits>> : std::true_type {};
+inline constexpr bool IsRawPtr<raw_ptr<T, Traits>> = true;
 
 template <typename T>
-inline constexpr bool IsRawPtrV = IsRawPtr<T>::value;
+inline constexpr bool IsRawPtrMayDangle = false;
-
-template <typename T>
-inline constexpr bool IsRawPtrMayDangleV = false;
-
 template <typename T, RawPtrTraits Traits>
-inline constexpr bool IsRawPtrMayDangleV<raw_ptr<T, Traits>> =
+inline constexpr bool IsRawPtrMayDangle<raw_ptr<T, Traits>> =
     partition_alloc::internal::ContainsFlags(Traits, RawPtrTraits::kMayDangle);
 
-// Template helpers for working with T* or raw_ptr<T>.
 template <typename T>
-struct IsRawPointerHelper : std::false_type {};
+inline constexpr bool IsPointerOrRawPtr = std::is_pointer_v<T>;
-
-template <typename T>
-struct IsRawPointerHelper<T*> : std::true_type {};
-
 template <typename T, RawPtrTraits Traits>
-struct IsRawPointerHelper<raw_ptr<T, Traits>> : std::true_type {};
+inline constexpr bool IsPointerOrRawPtr<raw_ptr<T, Traits>> = true;
 
+// Like `std::remove_pointer_t<>`, but also converts `raw_ptr<T>` => `T`.
 template <typename T>
-inline constexpr bool IsRawPointer = IsRawPointerHelper<T>::value;
+struct RemovePointer {
-
+  using type = std::remove_pointer_t<T>;
-template <typename T>
-struct RemoveRawPointer {
-  using type = T;
 };
-
-template <typename T>
-struct RemoveRawPointer<T*> {
-  using type = T;
-};
-
 template <typename T, RawPtrTraits Traits>
-struct RemoveRawPointer<raw_ptr<T, Traits>> {
+struct RemovePointer<raw_ptr<T, Traits>> {
   using type = T;
 };
-
 template <typename T>
-using RemoveRawPointerT = typename RemoveRawPointer<T>::type;
+using RemovePointerT = typename RemovePointer<T>::type;
 
 }  // namespace base
 
@@ -1273,6 +1255,34 @@ struct pointer_traits<::raw_ptr<T, Traits>> {
   }
 };
 
+#if PA_BUILDFLAG(ASSERT_CPP_20)
+// Mark `raw_ptr<T>` and `T*` as having a common reference type (the type to
+// which both can be converted or bound) of `T*`. This makes them satisfy
+// `std::equality_comparable`, which allows usage like:
+// ```
+//   std::vector<raw_ptr<T>> v;
+//   T* e;
+//   auto it = std::ranges::find(v, e);
+// ```
+// Without this, the `find()` call above would fail to compile with a cryptic
+// error about being unable to invoke `std::ranges::equal_to()`.
+template <typename T,
+          base::RawPtrTraits Traits,
+          template <typename> typename TQ,
+          template <typename> typename UQ>
+struct basic_common_reference<raw_ptr<T, Traits>, T*, TQ, UQ> {
+  using type = T*;
+};
+
+template <typename T,
+          base::RawPtrTraits Traits,
+          template <typename> typename TQ,
+          template <typename> typename UQ>
+struct basic_common_reference<T*, raw_ptr<T, Traits>, TQ, UQ> {
+  using type = T*;
+};
+#endif  // PA_BUILDFLAG(ASSERT_CPP_20)
+
 }  // namespace std
 
 #endif  // PARTITION_ALLOC_POINTERS_RAW_PTR_H_

src/base/allocator/partition_allocator/src/partition_alloc/pointers/raw_ptr_asan_unowned_impl.cc

@@ -5,6 +5,7 @@
 #include "partition_alloc/pointers/raw_ptr_asan_unowned_impl.h"
 
 #include <sanitizer/asan_interface.h>
+
 #include <cstdint>
 
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"

src/base/allocator/partition_allocator/src/partition_alloc/pointers/raw_ref.h

@@ -17,23 +17,19 @@
 #include "partition_alloc/partition_alloc_config.h"
 #include "partition_alloc/pointers/raw_ptr.h"
 
+#if PA_HAVE_SPACESHIP_OPERATOR
+#include <compare>
+#endif
+
 namespace base {
 
 template <class T, RawPtrTraits Traits>
 class raw_ref;
 
-namespace internal {
-
 template <class T>
-struct is_raw_ref : std::false_type {};
+inline constexpr bool IsRawRef = false;
-
 template <class T, RawPtrTraits Traits>
-struct is_raw_ref<::base::raw_ref<T, Traits>> : std::true_type {};
+inline constexpr bool IsRawRef<::base::raw_ref<T, Traits>> = true;
-
-template <class T>
-constexpr inline bool is_raw_ref_v = is_raw_ref<T>::value;
-
-}  // namespace internal
 
 // A smart pointer for a pointer which can not be null, and which provides
 // Use-after-Free protection in the same ways as raw_ptr. This class acts like a
@@ -224,86 +220,122 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ref {
     swap(lhs.inner_, rhs.inner_);
   }
 
+  // See comments in raw_ptr.h for why these are declared with both arguments
+  // templated and defined out of line. Here the private access is to `inner_`
+  // rather than a method, but the issue is the same.
   template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-  friend bool operator==(const raw_ref<U, Traits1>& lhs,
+  friend constexpr bool operator==(const raw_ref<U, Traits1>& lhs,
-                         const raw_ref<V, Traits2>& rhs);
+                                   const raw_ref<V, Traits2>& rhs);
   template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-  friend bool operator!=(const raw_ref<U, Traits1>& lhs,
+  friend constexpr bool operator!=(const raw_ref<U, Traits1>& lhs,
-                         const raw_ref<V, Traits2>& rhs);
+                                   const raw_ref<V, Traits2>& rhs);
+#if PA_HAVE_SPACESHIP_OPERATOR
   template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-  friend bool operator<(const raw_ref<U, Traits1>& lhs,
+  friend constexpr auto operator<=>(const raw_ref<U, Traits1>& lhs,
-                        const raw_ref<V, Traits2>& rhs);
+                                    const raw_ref<V, Traits2>& rhs);
+#else
   template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-  friend bool operator>(const raw_ref<U, Traits1>& lhs,
+  friend constexpr bool operator<(const raw_ref<U, Traits1>& lhs,
-                        const raw_ref<V, Traits2>& rhs);
+                                  const raw_ref<V, Traits2>& rhs);
   template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-  friend bool operator<=(const raw_ref<U, Traits1>& lhs,
+  friend constexpr bool operator>(const raw_ref<U, Traits1>& lhs,
-                         const raw_ref<V, Traits2>& rhs);
+                                  const raw_ref<V, Traits2>& rhs);
   template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-  friend bool operator>=(const raw_ref<U, Traits1>& lhs,
+  friend constexpr bool operator<=(const raw_ref<U, Traits1>& lhs,
-                         const raw_ref<V, Traits2>& rhs);
+                                   const raw_ref<V, Traits2>& rhs);
+  template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
+  friend constexpr bool operator>=(const raw_ref<U, Traits1>& lhs,
+                                   const raw_ref<V, Traits2>& rhs);
+#endif
 
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator==(const raw_ref& lhs, const U& rhs) {
+  PA_ALWAYS_INLINE friend constexpr bool operator==(const raw_ref& lhs,
+                                                    const U& rhs) {
     PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
     return lhs.inner_ == &rhs;
   }
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator!=(const raw_ref& lhs, const U& rhs) {
+  PA_ALWAYS_INLINE friend constexpr bool operator!=(const raw_ref& lhs,
+                                                    const U& rhs) {
     PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
     return lhs.inner_ != &rhs;
   }
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator<(const raw_ref& lhs, const U& rhs) {
+  PA_ALWAYS_INLINE friend constexpr bool operator==(const U& lhs,
-    PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
+                                                    const raw_ref& rhs) {
-    return lhs.inner_ < &rhs;
-  }
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator>(const raw_ref& lhs, const U& rhs) {
-    PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
-    return lhs.inner_ > &rhs;
-  }
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator<=(const raw_ref& lhs, const U& rhs) {
-    PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
-    return lhs.inner_ <= &rhs;
-  }
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator>=(const raw_ref& lhs, const U& rhs) {
-    PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
-    return lhs.inner_ >= &rhs;
-  }
-
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator==(const U& lhs, const raw_ref& rhs) {
     PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
     return &lhs == rhs.inner_;
   }
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator!=(const U& lhs, const raw_ref& rhs) {
+  PA_ALWAYS_INLINE friend constexpr bool operator!=(const U& lhs,
+                                                    const raw_ref& rhs) {
     PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
     return &lhs != rhs.inner_;
   }
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
+
-  PA_ALWAYS_INLINE friend bool operator<(const U& lhs, const raw_ref& rhs) {
+#if PA_HAVE_SPACESHIP_OPERATOR
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
+  PA_ALWAYS_INLINE friend constexpr auto operator<=>(const raw_ref& lhs,
+                                                     const U& rhs) {
+    PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
+    return lhs.inner_ <=> &rhs;
+  }
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
+  PA_ALWAYS_INLINE friend constexpr auto operator<=>(const U& lhs,
+                                                     const raw_ref& rhs) {
+    PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
+    return &lhs <=> rhs.inner_;
+  }
+#else
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
+  PA_ALWAYS_INLINE friend constexpr bool operator<(const raw_ref& lhs,
+                                                   const U& rhs) {
+    PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
+    return lhs.inner_ < &rhs;
+  }
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
+  PA_ALWAYS_INLINE friend constexpr bool operator>(const raw_ref& lhs,
+                                                   const U& rhs) {
+    PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
+    return lhs.inner_ > &rhs;
+  }
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
+  PA_ALWAYS_INLINE friend constexpr bool operator<=(const raw_ref& lhs,
+                                                    const U& rhs) {
+    PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
+    return lhs.inner_ <= &rhs;
+  }
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
+  PA_ALWAYS_INLINE friend constexpr bool operator>=(const raw_ref& lhs,
+                                                    const U& rhs) {
+    PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
+    return lhs.inner_ >= &rhs;
+  }
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
+  PA_ALWAYS_INLINE friend constexpr bool operator<(const U& lhs,
+                                                   const raw_ref& rhs) {
     PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
     return &lhs < rhs.inner_;
   }
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator>(const U& lhs, const raw_ref& rhs) {
+  PA_ALWAYS_INLINE friend constexpr bool operator>(const U& lhs,
+                                                   const raw_ref& rhs) {
     PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
     return &lhs > rhs.inner_;
   }
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator<=(const U& lhs, const raw_ref& rhs) {
+  PA_ALWAYS_INLINE friend constexpr bool operator<=(const U& lhs,
+                                                    const raw_ref& rhs) {
     PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
     return &lhs <= rhs.inner_;
   }
-  template <class U, class = std::enable_if_t<!internal::is_raw_ref_v<U>, void>>
+  template <class U, class = std::enable_if_t<!IsRawRef<U>, void>>
-  PA_ALWAYS_INLINE friend bool operator>=(const U& lhs, const raw_ref& rhs) {
+  PA_ALWAYS_INLINE friend constexpr bool operator>=(const U& lhs,
+                                                    const raw_ref& rhs) {
     PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
     return &lhs >= rhs.inner_;
   }
+#endif
 
  private:
   template <class U, RawPtrTraits R>
@@ -313,47 +345,57 @@ class PA_TRIVIAL_ABI PA_GSL_POINTER raw_ref {
 };
 
 template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-PA_ALWAYS_INLINE bool operator==(const raw_ref<U, Traits1>& lhs,
+PA_ALWAYS_INLINE constexpr bool operator==(const raw_ref<U, Traits1>& lhs,
-                                 const raw_ref<V, Traits2>& rhs) {
+                                           const raw_ref<V, Traits2>& rhs) {
   PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
   PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
   return lhs.inner_ == rhs.inner_;
 }
 template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-PA_ALWAYS_INLINE bool operator!=(const raw_ref<U, Traits1>& lhs,
+PA_ALWAYS_INLINE constexpr bool operator!=(const raw_ref<U, Traits1>& lhs,
-                                 const raw_ref<V, Traits2>& rhs) {
+                                           const raw_ref<V, Traits2>& rhs) {
   PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
   PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
   return lhs.inner_ != rhs.inner_;
 }
+#if PA_HAVE_SPACESHIP_OPERATOR
 template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-PA_ALWAYS_INLINE bool operator<(const raw_ref<U, Traits1>& lhs,
+PA_ALWAYS_INLINE constexpr auto operator<=>(const raw_ref<U, Traits1>& lhs,
-                                const raw_ref<V, Traits2>& rhs) {
+                                            const raw_ref<V, Traits2>& rhs) {
+  PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
+  PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
+  return lhs.inner_ <=> rhs.inner_;
+}
+#else
+template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
+PA_ALWAYS_INLINE constexpr bool operator<(const raw_ref<U, Traits1>& lhs,
+                                          const raw_ref<V, Traits2>& rhs) {
   PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
   PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
   return lhs.inner_ < rhs.inner_;
 }
 template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-PA_ALWAYS_INLINE bool operator>(const raw_ref<U, Traits1>& lhs,
+PA_ALWAYS_INLINE constexpr bool operator>(const raw_ref<U, Traits1>& lhs,
-                                const raw_ref<V, Traits2>& rhs) {
+                                          const raw_ref<V, Traits2>& rhs) {
   PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
   PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
   return lhs.inner_ > rhs.inner_;
 }
 template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-PA_ALWAYS_INLINE bool operator<=(const raw_ref<U, Traits1>& lhs,
+PA_ALWAYS_INLINE constexpr bool operator<=(const raw_ref<U, Traits1>& lhs,
-                                 const raw_ref<V, Traits2>& rhs) {
+                                           const raw_ref<V, Traits2>& rhs) {
   PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
   PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
   return lhs.inner_ <= rhs.inner_;
 }
 template <typename U, typename V, RawPtrTraits Traits1, RawPtrTraits Traits2>
-PA_ALWAYS_INLINE bool operator>=(const raw_ref<U, Traits1>& lhs,
+PA_ALWAYS_INLINE constexpr bool operator>=(const raw_ref<U, Traits1>& lhs,
-                                 const raw_ref<V, Traits2>& rhs) {
+                                           const raw_ref<V, Traits2>& rhs) {
   PA_RAW_PTR_CHECK(lhs.inner_);  // Catch use-after-move.
   PA_RAW_PTR_CHECK(rhs.inner_);  // Catch use-after-move.
   return lhs.inner_ >= rhs.inner_;
 }
+#endif
 
 // CTAD deduction guide.
 template <class T>
@@ -361,26 +403,15 @@ raw_ref(T&) -> raw_ref<T>;
 template <class T>
 raw_ref(const T&) -> raw_ref<const T>;
 
-// Template helpers for working with raw_ref<T>.
+// Converts `raw_ref<T>` => `T`; leaves l/rvalue refs alone.
-template <typename T>
-struct IsRawRef : std::false_type {};
-
-template <typename T, RawPtrTraits Traits>
-struct IsRawRef<raw_ref<T, Traits>> : std::true_type {};
-
-template <typename T>
-inline constexpr bool IsRawRefV = IsRawRef<T>::value;
-
 template <typename T>
 struct RemoveRawRef {
   using type = T;
 };
-
 template <typename T, RawPtrTraits Traits>
 struct RemoveRawRef<raw_ref<T, Traits>> {
   using type = T;
 };
-
 template <typename T>
 using RemoveRawRefT = typename RemoveRawRef<T>::type;
 

src/base/allocator/partition_allocator/src/partition_alloc/pool_offset_freelist.h

@@ -23,9 +23,7 @@
 
 namespace partition_alloc::internal {
 
-namespace {
 using PoolInfo = PartitionAddressSpace::PoolInfo;
-}
 
 class PoolOffsetFreelistEntry;
 

src/base/allocator/partition_allocator/src/partition_alloc/random.cc

@@ -27,7 +27,7 @@ class RandomGenerator {
   }
 
  private:
-  ::partition_alloc::internal::Lock lock_ = {};
+  ::partition_alloc::internal::Lock lock_;
   bool initialized_ PA_GUARDED_BY(lock_) = false;
   union {
     internal::base::InsecureRandomGenerator instance_ PA_GUARDED_BY(lock_);

src/base/allocator/partition_allocator/src/partition_alloc/reservation_offset_table.h

@@ -8,7 +8,6 @@
 #include <cstddef>
 #include <cstdint>
 #include <limits>
-#include <tuple>
 
 #include "partition_alloc/address_pool_manager.h"
 #include "partition_alloc/build_config.h"

src/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim.cc

@@ -31,7 +31,6 @@
 // noexcept needs to be routed to
 // allocator_shim::internal::PartitionMallocUnchecked through the shim layer.
 #include "partition_alloc/shim/allocator_shim_override_cpp_symbols.h"
-
 #include "partition_alloc/shim/allocator_shim_override_libc_symbols.h"
 
 // Some glibc versions (until commit 6c444ad6e953dbdf9c7be065308a0a777)

src/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim.h

@@ -148,10 +148,11 @@ using SchedulerLoopQuarantine = partition_alloc::internal::base::
 using ZappingByFreeFlags =
     partition_alloc::internal::base::StrongAlias<class ZappingByFreeFlagsTag,
                                                  bool>;
-
+using EventuallyZeroFreedMemory = partition_alloc::internal::base::
-using UsePoolOffsetFreelists = partition_alloc::internal::base::
+    StrongAlias<class EventuallyZeroFreedMemoryTag, bool>;
-    StrongAlias<class UsePoolOffsetFreelistsTag, bool>;
+using FewerMemoryRegions =
-
+    partition_alloc::internal::base::StrongAlias<class FewerMemoryRegionsTag,
+                                                 bool>;
 using UseSmallSingleSlotSpans = partition_alloc::internal::base::
     StrongAlias<class UseSmallSingleSlotSpansTag, bool>;
 
@@ -161,13 +162,15 @@ using UseSmallSingleSlotSpans = partition_alloc::internal::base::
 PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
 void ConfigurePartitions(
     EnableBrp enable_brp,
+    size_t brp_extra_extras_size,
     EnableMemoryTagging enable_memory_tagging,
     partition_alloc::TagViolationReportingMode memory_tagging_reporting_mode,
     BucketDistribution distribution,
     SchedulerLoopQuarantine scheduler_loop_quarantine,
     size_t scheduler_loop_quarantine_branch_capacity_in_bytes,
     ZappingByFreeFlags zapping_by_free_flags,
-    UsePoolOffsetFreelists use_pool_offset_freelists,
+    EventuallyZeroFreedMemory eventually_zero_freed_memory,
+    FewerMemoryRegions fewer_memory_regions,
     UseSmallSingleSlotSpans use_small_single_slot_spans);
 
 PA_COMPONENT_EXPORT(ALLOCATOR_SHIM) uint32_t GetMainPartitionRootExtrasSize();

src/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim_default_dispatch_to_glibc.cc

@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include <dlfcn.h>
+#include <malloc.h>
+
 #include <limits>
 
 #include "partition_alloc/oom.h"
@@ -9,9 +12,6 @@
 #include "partition_alloc/partition_alloc_base/numerics/checked_math.h"
 #include "partition_alloc/shim/allocator_shim.h"
 
-#include <dlfcn.h>
-#include <malloc.h>
-
 // This translation unit defines a default dispatch for the allocator shim which
 // routes allocations to libc functions.
 // The code here is strongly inspired from tcmalloc's libc_override_glibc.h.

src/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc.cc

@@ -17,6 +17,7 @@
 #include "partition_alloc/partition_alloc.h"
 #include "partition_alloc/partition_alloc_base/bits.h"
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"
+#include "partition_alloc/partition_alloc_base/export_template.h"
 #include "partition_alloc/partition_alloc_base/no_destructor.h"
 #include "partition_alloc/partition_alloc_base/numerics/checked_math.h"
 #include "partition_alloc/partition_alloc_base/numerics/safe_conversions.h"
@@ -25,6 +26,7 @@
 #include "partition_alloc/partition_root.h"
 #include "partition_alloc/partition_stats.h"
 #include "partition_alloc/shim/allocator_dispatch.h"
+#include "partition_alloc/shim/allocator_shim.h"
 #include "partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc_internal.h"
 #include "partition_alloc/shim/allocator_shim_internals.h"
 
@@ -100,7 +102,7 @@ class LeakySingleton {
     __cpp_lib_atomic_value_initialization < 201911L
   alignas(T) uint8_t instance_buffer_[sizeof(T)];
 #else
-  alignas(T) uint8_t instance_buffer_[sizeof(T)] = {0};
+  alignas(T) uint8_t instance_buffer_[sizeof(T)] = {};
 #endif
   std::atomic<bool> initialization_lock_;
 };
@@ -147,7 +149,6 @@ class MainPartitionConstructor {
     // the decision to turn the thread cache on until then.
     // Also tests, such as the ThreadCache tests create a thread cache.
     opts.thread_cache = partition_alloc::PartitionOptions::kDisabled;
-    opts.star_scan_quarantine = partition_alloc::PartitionOptions::kAllowed;
     opts.backup_ref_ptr = partition_alloc::PartitionOptions::kDisabled;
     auto* new_root = new (buffer) partition_alloc::PartitionRoot(opts);
 
@@ -199,44 +200,67 @@ void* AllocateAlignedMemory(size_t alignment, size_t size) {
 
 namespace allocator_shim::internal {
 
-void* PartitionMalloc(size_t size, void* context) {
+// static
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+void* PartitionAllocFunctionsInternal<base_alloc_flags,
+                                      base_free_flags>::Malloc(size_t size,
+                                                               void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
-  return Allocator()->AllocInline<partition_alloc::AllocFlags::kNoHooks>(size);
+  return Allocator()->AllocInline<base_alloc_flags>(size);
 }
 
-void* PartitionMallocUnchecked(size_t size, void* context) {
+// static
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+void* PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    MallocUnchecked(size_t size, void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
   return Allocator()
-      ->AllocInline<partition_alloc::AllocFlags::kReturnNull |
+      ->AllocInline<base_alloc_flags |
-                    partition_alloc::AllocFlags::kNoHooks>(size);
+                    partition_alloc::AllocFlags::kReturnNull>(size);
 }
 
-void* PartitionCalloc(size_t n, size_t size, void* context) {
+// static
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+void* PartitionAllocFunctionsInternal<base_alloc_flags,
+                                      base_free_flags>::Calloc(size_t n,
+                                                               size_t size,
+                                                               void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
   const size_t total =
       partition_alloc::internal::base::CheckMul(n, size).ValueOrDie();
   return Allocator()
-      ->AllocInline<partition_alloc::AllocFlags::kZeroFill |
+      ->AllocInline<base_alloc_flags | partition_alloc::AllocFlags::kZeroFill>(
-                    partition_alloc::AllocFlags::kNoHooks>(total);
+          total);
 }
 
-void* PartitionMemalign(size_t alignment, size_t size, void* context) {
+// static
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+void* PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    Memalign(size_t alignment, size_t size, void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
-  return AllocateAlignedMemory<partition_alloc::AllocFlags::kNoHooks>(alignment,
+  return AllocateAlignedMemory<base_alloc_flags>(alignment, size);
-                                                                      size);
 }
 
-void* PartitionAlignedAlloc(size_t size, size_t alignment, void* context) {
+// static
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+void* PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    AlignedAlloc(size_t size, size_t alignment, void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
-  return AllocateAlignedMemory<partition_alloc::AllocFlags::kNoHooks>(alignment,
+  return AllocateAlignedMemory<base_alloc_flags>(alignment, size);
-                                                                      size);
 }
 
-void* PartitionAlignedAllocUnchecked(size_t size,
+// static
-                                     size_t alignment,
+template <partition_alloc::AllocFlags base_alloc_flags,
-                                     void* context) {
+          partition_alloc::FreeFlags base_free_flags>
+void* PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    AlignedAllocUnchecked(size_t size, size_t alignment, void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
-  return AllocateAlignedMemory<partition_alloc::AllocFlags::kNoHooks |
+  return AllocateAlignedMemory<base_alloc_flags |
                                partition_alloc::AllocFlags::kReturnNull>(
       alignment, size);
 }
@@ -247,20 +271,23 @@ void* PartitionAlignedAllocUnchecked(size_t size,
 // This realloc always free the original memory block and allocates a new memory
 // block.
 // TODO(tasak): Implement PartitionRoot::AlignedRealloc and use it.
-void* PartitionAlignedRealloc(void* address,
+// static
-                              size_t size,
+template <partition_alloc::AllocFlags base_alloc_flags,
-                              size_t alignment,
+          partition_alloc::FreeFlags base_free_flags>
-                              void* context) {
+void* PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    AlignedRealloc(void* address,
+                   size_t size,
+                   size_t alignment,
+                   void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
   void* new_ptr = nullptr;
   if (size > 0) {
-    new_ptr = AllocateAlignedMemory<partition_alloc::AllocFlags::kNoHooks>(
+    new_ptr = AllocateAlignedMemory<base_alloc_flags>(alignment, size);
-        alignment, size);
   } else {
     // size == 0 and address != null means just "free(address)".
     if (address) {
-      partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<
+      partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<base_free_flags>(
-          partition_alloc::FreeFlags::kNoHooks>(address);
+          address);
     }
   }
   // The original memory block (specified by address) is unchanged if ENOMEM.
@@ -274,27 +301,31 @@ void* PartitionAlignedRealloc(void* address,
     size_t copy_size = usage > size ? size : usage;
     memcpy(new_ptr, address, copy_size);
 
-    partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<
+    partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<base_free_flags>(
-        partition_alloc::FreeFlags::kNoHooks>(address);
+        address);
   }
   return new_ptr;
 }
 
-void* PartitionAlignedReallocUnchecked(void* address,
+// static
-                                       size_t size,
+template <partition_alloc::AllocFlags base_alloc_flags,
-                                       size_t alignment,
+          partition_alloc::FreeFlags base_free_flags>
-                                       void* context) {
+void* PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    AlignedReallocUnchecked(void* address,
+                            size_t size,
+                            size_t alignment,
+                            void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
   void* new_ptr = nullptr;
   if (size > 0) {
-    new_ptr = AllocateAlignedMemory<partition_alloc::AllocFlags::kNoHooks |
+    new_ptr = AllocateAlignedMemory<base_alloc_flags |
                                     partition_alloc::AllocFlags::kReturnNull>(
         alignment, size);
   } else {
     // size == 0 and address != null means just "free(address)".
     if (address) {
-      partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<
+      partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<base_free_flags>(
-          partition_alloc::FreeFlags::kNoHooks>(address);
+          address);
     }
   }
   // The original memory block (specified by address) is unchanged if ENOMEM.
@@ -308,17 +339,19 @@ void* PartitionAlignedReallocUnchecked(void* address,
     size_t copy_size = usage > size ? size : usage;
     memcpy(new_ptr, address, copy_size);
 
-    partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<
+    partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<base_free_flags>(
-        partition_alloc::FreeFlags::kNoHooks>(address);
+        address);
   }
   return new_ptr;
 }
 
-template <partition_alloc::AllocFlags alloc_flags,
+// static
-          partition_alloc::FreeFlags free_flags>
+template <partition_alloc::AllocFlags base_alloc_flags,
-PA_ALWAYS_INLINE void* PartitionReallocInternal(void* address,
+          partition_alloc::FreeFlags base_free_flags>
-                                                size_t size,
+void* PartitionAllocFunctionsInternal<base_alloc_flags,
-                                                void* context) {
+                                      base_free_flags>::Realloc(void* address,
+                                                                size_t size,
+                                                                void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
 #if PA_BUILDFLAG(IS_APPLE)
   if (!partition_alloc::IsManagedByPartitionAlloc(
@@ -331,26 +364,15 @@ PA_ALWAYS_INLINE void* PartitionReallocInternal(void* address,
   }
 #endif  // PA_BUILDFLAG(IS_APPLE)
 
-  return Allocator()->Realloc<alloc_flags, free_flags>(address, size, "");
+  return Allocator()->Realloc<base_alloc_flags, base_free_flags>(address, size,
+                                                                 "");
 }
 
-void* PartitionRealloc(void* address, size_t size, void* context) {
+// static
-  return PartitionReallocInternal<partition_alloc::AllocFlags::kNoHooks,
+template <partition_alloc::AllocFlags base_alloc_flags,
-                                  partition_alloc::FreeFlags::kNone>(
+          partition_alloc::FreeFlags base_free_flags>
-      address, size, context);
+void* PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
-}
+    ReallocUnchecked(void* address, size_t size, void* context) {
-
-void* PartitionReallocWithAdvancedChecks(void* address,
-                                         size_t size,
-                                         void* context) {
-  return PartitionReallocInternal<
-      partition_alloc::AllocFlags::kNoHooks,
-      partition_alloc::FreeFlags::kNoHooks |
-          partition_alloc::FreeFlags::kSchedulerLoopQuarantine |
-          partition_alloc::FreeFlags::kZap>(address, size, context);
-}
-
-void* PartitionReallocUnchecked(void* address, size_t size, void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
 #if PA_BUILDFLAG(IS_APPLE)
   if (!partition_alloc::IsManagedByPartitionAlloc(
@@ -364,8 +386,8 @@ void* PartitionReallocUnchecked(void* address, size_t size, void* context) {
 #endif  // PA_BUILDFLAG(IS_APPLE)
 
   return Allocator()
-      ->Realloc<partition_alloc::AllocFlags::kNoHooks |
+      ->Realloc<base_alloc_flags | partition_alloc::AllocFlags::kReturnNull>(
-                partition_alloc::AllocFlags::kReturnNull>(address, size, "");
+          address, size, "");
 }
 
 #if PA_BUILDFLAG(IS_CAST_ANDROID)
@@ -374,8 +396,13 @@ void __real_free(void*);
 }       // extern "C"
 #endif  // PA_BUILDFLAG(IS_CAST_ANDROID)
 
-template <partition_alloc::FreeFlags flags>
+// static
-PA_ALWAYS_INLINE void PartitionFreeInternal(void* object, void* context) {
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+PA_ALWAYS_INLINE void
+PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::Free(
+    void* object,
+    void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
 #if PA_BUILDFLAG(IS_APPLE)
   // TODO(bartekn): Add MTE unmasking here (and below).
@@ -404,17 +431,8 @@ PA_ALWAYS_INLINE void PartitionFreeInternal(void* object, void* context) {
   }
 #endif  // PA_BUILDFLAG(IS_CAST_ANDROID)
 
-  partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<flags>(object);
+  partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<base_free_flags>(
-}
+      object);
-
-void PartitionFree(void* object, void* context) {
-  PartitionFreeInternal<partition_alloc::FreeFlags::kNoHooks>(object, context);
-}
-
-void PartitionFreeWithAdvancedChecks(void* object, void* context) {
-  PartitionFreeInternal<partition_alloc::FreeFlags::kNoHooks |
-                        partition_alloc::FreeFlags::kSchedulerLoopQuarantine |
-                        partition_alloc::FreeFlags::kZap>(object, context);
 }
 
 #if PA_BUILDFLAG(IS_APPLE)
@@ -424,16 +442,24 @@ void PartitionFreeWithAdvancedChecks(void* object, void* context) {
 //
 // So we don't need to re-check that the pointer is owned in Free(), and we
 // can use the size.
-void PartitionFreeDefiniteSize(void* address, size_t size, void* context) {
+// static
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+void PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    FreeDefiniteSize(void* address, size_t size, void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
   // TODO(lizeb): Optimize PartitionAlloc to use the size information. This is
   // still useful though, as we avoid double-checking that the address is owned.
-  partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<
+  partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<base_free_flags>(
-      partition_alloc::FreeFlags::kNoHooks>(address);
+      address);
 }
 #endif  // PA_BUILDFLAG(IS_APPLE)
 
-size_t PartitionGetSizeEstimate(void* address, void* context) {
+// static
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+size_t PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    GetSizeEstimate(void* address, void* context) {
   // This is used to implement malloc_usable_size(3). Per its man page, "if ptr
   // is NULL, 0 is returned".
   if (!address) {
@@ -464,43 +490,64 @@ size_t PartitionGetSizeEstimate(void* address, void* context) {
 }
 
 #if PA_BUILDFLAG(IS_APPLE)
-size_t PartitionGoodSize(size_t size, void* context) {
+// static
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+size_t
+PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::GoodSize(
+    size_t size,
+    void* context) {
   return Allocator()->AllocationCapacityFromRequestedSize(size);
 }
 
-bool PartitionClaimedAddress(void* address, void* context) {
+// static
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+bool PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    ClaimedAddress(void* address, void* context) {
   return partition_alloc::IsManagedByPartitionAlloc(
       reinterpret_cast<uintptr_t>(address));
 }
 #endif  // PA_BUILDFLAG(IS_APPLE)
 
-unsigned PartitionBatchMalloc(size_t size,
+// static
-                              void** results,
+template <partition_alloc::AllocFlags base_alloc_flags,
-                              unsigned num_requested,
+          partition_alloc::FreeFlags base_free_flags>
-                              void* context) {
+unsigned
+PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::BatchMalloc(
+    size_t size,
+    void** results,
+    unsigned num_requested,
+    void* context) {
   // No real batching: we could only acquire the lock once for instance, keep it
   // simple for now.
   for (unsigned i = 0; i < num_requested; i++) {
     // No need to check the results, we crash if it fails.
-    results[i] = PartitionMalloc(size, nullptr);
+    results[i] = Malloc(size, nullptr);
   }
 
   // Either all succeeded, or we crashed.
   return num_requested;
 }
 
-void PartitionBatchFree(void** to_be_freed,
+// static
-                        unsigned num_to_be_freed,
+template <partition_alloc::AllocFlags base_alloc_flags,
-                        void* context) {
+          partition_alloc::FreeFlags base_free_flags>
+void PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    BatchFree(void** to_be_freed, unsigned num_to_be_freed, void* context) {
   // No real batching: we could only acquire the lock once for instance, keep it
   // simple for now.
   for (unsigned i = 0; i < num_to_be_freed; i++) {
-    PartitionFree(to_be_freed[i], nullptr);
+    Free(to_be_freed[i], nullptr);
   }
 }
 
 #if PA_BUILDFLAG(IS_APPLE)
-void PartitionTryFreeDefault(void* address, void* context) {
+// static
+template <partition_alloc::AllocFlags base_alloc_flags,
+          partition_alloc::FreeFlags base_free_flags>
+void PartitionAllocFunctionsInternal<base_alloc_flags, base_free_flags>::
+    TryFreeDefault(void* address, void* context) {
   partition_alloc::ScopedDisallowAllocations guard{};
 
   if (!partition_alloc::IsManagedByPartitionAlloc(
@@ -510,11 +557,22 @@ void PartitionTryFreeDefault(void* address, void* context) {
     return allocator_shim::TryFreeDefaultFallbackToFindZoneAndFree(address);
   }
 
-  partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<
+  partition_alloc::PartitionRoot::FreeInlineInUnknownRoot<base_free_flags>(
-      partition_alloc::FreeFlags::kNoHooks>(address);
+      address);
 }
 #endif  // PA_BUILDFLAG(IS_APPLE)
 
+// Explicitly instantiate `PartitionAllocFunctions`.
+template class PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+    PartitionAllocFunctionsInternal<partition_alloc::AllocFlags::kNoHooks,
+                                    partition_alloc::FreeFlags::kNoHooks>;
+// Explicitly instantiate `PartitionAllocWithAdvancedChecksFunctions`.
+template class PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+    PartitionAllocFunctionsInternal<
+        partition_alloc::AllocFlags::kNoHooks,
+        partition_alloc::FreeFlags::kNoHooks |
+            partition_alloc::FreeFlags::kSchedulerLoopQuarantine>;
+
 // static
 bool PartitionAllocMalloc::AllocatorConfigurationFinalized() {
   return ::AllocatorConfigurationFinalized();
@@ -553,13 +611,15 @@ void EnablePartitionAllocMemoryReclaimer() {
 
 void ConfigurePartitions(
     EnableBrp enable_brp,
+    size_t brp_extra_extras_size,
     EnableMemoryTagging enable_memory_tagging,
     partition_alloc::TagViolationReportingMode memory_tagging_reporting_mode,
     BucketDistribution distribution,
     SchedulerLoopQuarantine scheduler_loop_quarantine,
     size_t scheduler_loop_quarantine_branch_capacity_in_bytes,
     ZappingByFreeFlags zapping_by_free_flags,
-    UsePoolOffsetFreelists use_pool_offset_freelists,
+    EventuallyZeroFreedMemory eventually_zero_freed_memory,
+    FewerMemoryRegions fewer_memory_regions,
     UseSmallSingleSlotSpans use_small_single_slot_spans) {
   // Calling Get() is actually important, even if the return value isn't
   // used, because it has a side effect of initializing the variable, if it
@@ -574,20 +634,27 @@ void ConfigurePartitions(
   // shouldn't bite us here. Mentioning just in case we move this code earlier.
   static partition_alloc::internal::base::NoDestructor<
       partition_alloc::PartitionAllocator>
-      new_main_allocator([&]() {
+      new_main_allocator([&] {
         partition_alloc::PartitionOptions opts;
         // The caller of ConfigurePartitions() will decide whether this or
         // another partition will have the thread cache enabled, by calling
         // EnableThreadCacheIfSupported().
         opts.thread_cache = partition_alloc::PartitionOptions::kDisabled;
-        opts.star_scan_quarantine = partition_alloc::PartitionOptions::kAllowed;
         opts.backup_ref_ptr =
             enable_brp ? partition_alloc::PartitionOptions::kEnabled
                        : partition_alloc::PartitionOptions::kDisabled;
+        opts.backup_ref_ptr_extra_extras_size = brp_extra_extras_size;
         opts.zapping_by_free_flags =
             zapping_by_free_flags
                 ? partition_alloc::PartitionOptions::kEnabled
                 : partition_alloc::PartitionOptions::kDisabled;
+        opts.eventually_zero_freed_memory =
+            eventually_zero_freed_memory
+                ? partition_alloc::PartitionOptions::kEnabled
+                : partition_alloc::PartitionOptions::kDisabled;
+        opts.fewer_memory_regions =
+            fewer_memory_regions ? partition_alloc::PartitionOptions::kEnabled
+                                 : partition_alloc::PartitionOptions::kDisabled;
         opts.scheduler_loop_quarantine =
             scheduler_loop_quarantine
                 ? partition_alloc::PartitionOptions::kEnabled
@@ -600,9 +667,7 @@ void ConfigurePartitions(
                            : partition_alloc::PartitionOptions::kDisabled,
             .reporting_mode = memory_tagging_reporting_mode};
         opts.use_pool_offset_freelists =
-            use_pool_offset_freelists
+            partition_alloc::PartitionOptions::kEnabled;
-                ? partition_alloc::PartitionOptions::kEnabled
-                : partition_alloc::PartitionOptions::kDisabled;
         opts.use_small_single_slot_spans =
             use_small_single_slot_spans
                 ? partition_alloc::PartitionOptions::kEnabled
@@ -675,7 +740,7 @@ SHIM_ALWAYS_EXPORT int mallopt(int cmd, int value) __THROW {
 
 #endif  // !PA_BUILDFLAG(IS_APPLE) && !PA_BUILDFLAG(IS_ANDROID)
 
-#if defined(__MUSL__) 
+#if defined(__MUSL__)
 // Musl does not support struct mallinfo.
 #elif PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
 SHIM_ALWAYS_EXPORT struct mallinfo mallinfo(void) __THROW {

src/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc.h

@@ -10,6 +10,7 @@
 #if PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
 #include "partition_alloc/partition_alloc.h"
 #include "partition_alloc/partition_alloc_base/component_export.h"
+#include "partition_alloc/shim/allocator_dispatch.h"
 #include "partition_alloc/shim/allocator_shim.h"
 
 namespace allocator_shim {
@@ -27,87 +28,126 @@ class PA_COMPONENT_EXPORT(ALLOCATOR_SHIM) PartitionAllocMalloc {
   static partition_alloc::PartitionRoot* OriginalAllocator();
 };
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+template <partition_alloc::AllocFlags base_alloc_flags,
-void* PartitionMalloc(size_t size, void* context);
+          partition_alloc::FreeFlags base_free_flags>
+class PartitionAllocFunctionsInternal {
+ public:
+  static void* Malloc(size_t size, void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void* MallocUnchecked(size_t size, void* context);
-void* PartitionMallocUnchecked(size_t size, void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void* Calloc(size_t n, size_t size, void* context);
-void* PartitionCalloc(size_t n, size_t size, void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void* Memalign(size_t alignment, size_t size, void* context);
-void* PartitionMemalign(size_t alignment, size_t size, void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void* AlignedAlloc(size_t size, size_t alignment, void* context);
-void* PartitionAlignedAlloc(size_t size, size_t alignment, void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void* AlignedAllocUnchecked(size_t size,
-void* PartitionAlignedAllocUnchecked(size_t size,
                                      size_t alignment,
                                      void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void* AlignedRealloc(void* address,
-void* PartitionAlignedRealloc(void* address,
                               size_t size,
                               size_t alignment,
                               void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void* AlignedReallocUnchecked(void* address,
-void* PartitionAlignedReallocUnchecked(void* address,
                                        size_t size,
                                        size_t alignment,
                                        void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void* Realloc(void* address, size_t size, void* context);
-void* PartitionRealloc(void* address, size_t size, void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void* ReallocUnchecked(void* address, size_t size, void* context);
-void* PartitionReallocWithAdvancedChecks(void* address,
-                                         size_t size,
-                                         void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void Free(void* object, void* context);
-void* PartitionReallocUnchecked(void* address, size_t size, void* context);
-
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
-void PartitionFree(void* object, void* context);
-
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
-void PartitionFreeWithAdvancedChecks(void* object, void* context);
 
 #if PA_BUILDFLAG(IS_APPLE)
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void FreeDefiniteSize(void* address, size_t size, void* context);
-void PartitionFreeDefiniteSize(void* address, size_t size, void* context);
 #endif  // PA_BUILDFLAG(IS_APPLE)
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static size_t GetSizeEstimate(void* address, void* context);
-size_t PartitionGetSizeEstimate(void* address, void* context);
 
 #if PA_BUILDFLAG(IS_APPLE)
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static size_t GoodSize(size_t size, void* context);
-size_t PartitionGoodSize(size_t size, void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static bool ClaimedAddress(void* address, void* context);
-bool PartitionClaimedAddress(void* address, void* context);
 #endif  // PA_BUILDFLAG(IS_APPLE)
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static unsigned BatchMalloc(size_t size,
-unsigned PartitionBatchMalloc(size_t size,
                               void** results,
                               unsigned num_requested,
                               void* context);
 
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void BatchFree(void** to_be_freed,
-void PartitionBatchFree(void** to_be_freed,
                         unsigned num_to_be_freed,
                         void* context);
 
 #if PA_BUILDFLAG(IS_APPLE)
-PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+  static void TryFreeDefault(void* address, void* context);
-void PartitionTryFreeDefault(void* address, void* context);
 #endif  // PA_BUILDFLAG(IS_APPLE)
 
+  static constexpr AllocatorDispatch MakeDispatch() {
+    return {
+        &Malloc,            // alloc_function
+        &MallocUnchecked,   // alloc_unchecked_function
+        &Calloc,            // alloc_zero_initialized_function
+        &Memalign,          // alloc_aligned_function
+        &Realloc,           // realloc_function
+        &ReallocUnchecked,  // realloc_unchecked_function
+        &Free,              // free_function
+        &GetSizeEstimate,   // get_size_estimate_function
+#if PA_BUILDFLAG(IS_APPLE)
+        &GoodSize,        // good_size
+        &ClaimedAddress,  // claimed_address
+#else
+        nullptr,  // good_size
+        nullptr,  // claimed_address
+#endif
+        &BatchMalloc,  // batch_malloc_function
+        &BatchFree,    // batch_free_function
+#if PA_BUILDFLAG(IS_APPLE)
+        // On Apple OSes, free_definite_size() is always called from free(),
+        // since get_size_estimate() is used to determine whether an allocation
+        // belongs to the current zone. It makes sense to optimize for it.
+        &FreeDefiniteSize,
+        // On Apple OSes, try_free_default() is sometimes called as an
+        // optimization of free().
+        &TryFreeDefault,
+#else
+        nullptr,  // free_definite_size_function
+        nullptr,  // try_free_default_function
+#endif
+        &AlignedAlloc,             // aligned_malloc_function
+        &AlignedAllocUnchecked,    // aligned_malloc_unchecked_function
+        &AlignedRealloc,           // aligned_realloc_function
+        &AlignedReallocUnchecked,  // aligned_realloc_unchecked_function
+        &Free,                     // aligned_free_function
+        nullptr,                   // next
+    };
+  }
+};
+
+using PartitionAllocFunctions =
+    PartitionAllocFunctionsInternal<partition_alloc::AllocFlags::kNoHooks,
+                                    partition_alloc::FreeFlags::kNoHooks>;
+using PartitionAllocWithAdvancedChecksFunctions =
+    PartitionAllocFunctionsInternal<
+        partition_alloc::AllocFlags::kNoHooks,
+        partition_alloc::FreeFlags::kNoHooks |
+            partition_alloc::FreeFlags::kSchedulerLoopQuarantine>;
+
+// `PartitionAllocFunctions` in instantiated in cc file.
+extern template class PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+    PartitionAllocFunctionsInternal<partition_alloc::AllocFlags::kNoHooks,
+                                    partition_alloc::FreeFlags::kNoHooks>;
+// `PartitionAllocWithAdvancedChecksFunctions` in instantiated in cc file.
+extern template class PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+    PartitionAllocFunctionsInternal<
+        partition_alloc::AllocFlags::kNoHooks,
+        partition_alloc::FreeFlags::kNoHooks |
+            partition_alloc::FreeFlags::kSchedulerLoopQuarantine>;
+
 }  // namespace internal
 
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
@@ -122,6 +162,7 @@ void PartitionTryFreeDefault(void* address, void* context);
 // this function. They should call ConfigurePartitions() directly.
 PA_ALWAYS_INLINE void ConfigurePartitionsForTesting() {
   auto enable_brp = allocator_shim::EnableBrp(true);
+  size_t brp_extra_extras_size = 0;
 
   // Embedders's tests might benefit from MTE checks. However, this is costly
   // and shouldn't be used in benchmarks.
@@ -138,14 +179,16 @@ PA_ALWAYS_INLINE void ConfigurePartitionsForTesting() {
   auto scheduler_loop_quarantine = SchedulerLoopQuarantine(false);
   size_t scheduler_loop_quarantine_capacity_in_bytes = 0;
   auto zapping_by_free_flags = ZappingByFreeFlags(false);
-  auto use_pool_offset_freelists = UsePoolOffsetFreelists(true);
+  auto eventually_zero_freed_memory = EventuallyZeroFreedMemory(false);
+  auto fewer_memory_regions = FewerMemoryRegions(false);
   auto use_small_single_slot_spans = UseSmallSingleSlotSpans(true);
 
-  ConfigurePartitions(
+  ConfigurePartitions(enable_brp, brp_extra_extras_size, enable_memory_tagging,
-      enable_brp, enable_memory_tagging, memory_tagging_reporting_mode,
+                      memory_tagging_reporting_mode, distribution,
-      distribution, scheduler_loop_quarantine,
+                      scheduler_loop_quarantine,
-      scheduler_loop_quarantine_capacity_in_bytes, zapping_by_free_flags,
+                      scheduler_loop_quarantine_capacity_in_bytes,
-      use_pool_offset_freelists, use_small_single_slot_spans);
+                      zapping_by_free_flags, eventually_zero_freed_memory,
+                      fewer_memory_regions, use_small_single_slot_spans);
 }
 #endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 

src/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc_internal.h

@@ -16,51 +16,8 @@ namespace allocator_shim::internal {
 // PartitionMalloc, PartitionMallocUnchecked, ... are DLL-exported when
 // is_component_build=true and is_win=true. In the case, the other component
 // needs to import the symbols from allocator_shim.dll...so, not constexpr.
-inline constexpr AllocatorDispatch kPartitionAllocDispatch = {
+inline constexpr AllocatorDispatch kPartitionAllocDispatch =
-    &allocator_shim::internal::PartitionMalloc,  // alloc_function
+    allocator_shim::internal::PartitionAllocFunctions::MakeDispatch();
-    &allocator_shim::internal::
-        PartitionMallocUnchecked,  // alloc_unchecked_function
-    &allocator_shim::internal::
-        PartitionCalloc,  // alloc_zero_initialized_function
-    &allocator_shim::internal::PartitionMemalign,  // alloc_aligned_function
-    &allocator_shim::internal::PartitionRealloc,   // realloc_function
-    &allocator_shim::internal::
-        PartitionReallocUnchecked,             // realloc_unchecked_function
-    &allocator_shim::internal::PartitionFree,  // free_function
-    &allocator_shim::internal::
-        PartitionGetSizeEstimate,  // get_size_estimate_function
-#if PA_BUILDFLAG(IS_APPLE)
-    &allocator_shim::internal::PartitionGoodSize,        // good_size
-    &allocator_shim::internal::PartitionClaimedAddress,  // claimed_address
-#else
-    nullptr,  // good_size
-    nullptr,  // claimed_address
-#endif
-    &allocator_shim::internal::PartitionBatchMalloc,  // batch_malloc_function
-    &allocator_shim::internal::PartitionBatchFree,    // batch_free_function
-#if PA_BUILDFLAG(IS_APPLE)
-    // On Apple OSes, free_definite_size() is always called from free(), since
-    // get_size_estimate() is used to determine whether an allocation belongs to
-    // the current zone. It makes sense to optimize for it.
-    &allocator_shim::internal::PartitionFreeDefiniteSize,
-    // On Apple OSes, try_free_default() is sometimes called as an optimization
-    // of free().
-    &allocator_shim::internal::PartitionTryFreeDefault,
-#else
-    nullptr,  // free_definite_size_function
-    nullptr,  // try_free_default_function
-#endif
-    &allocator_shim::internal::
-        PartitionAlignedAlloc,  // aligned_malloc_function
-    &allocator_shim::internal::
-        PartitionAlignedAllocUnchecked,  // aligned_malloc_unchecked_function
-    &allocator_shim::internal::
-        PartitionAlignedRealloc,  // aligned_realloc_function
-    &allocator_shim::internal::
-        PartitionAlignedReallocUnchecked,  // aligned_realloc_unchecked_function
-    &allocator_shim::internal::PartitionFree,  // aligned_free_function
-    nullptr,                                   // next
-};
 
 }  // namespace allocator_shim::internal
 

src/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc_with_advanced_checks.cc

@@ -20,34 +20,152 @@ std::atomic<const AllocatorDispatch*> g_delegate_dispatch =
 PA_ALWAYS_INLINE const AllocatorDispatch* GetDelegate() {
   return g_delegate_dispatch.load(std::memory_order_relaxed);
 }
+
+void* DelegatedAllocFn(size_t size, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->alloc_function(size, context);
+}
+
+void* DelegatedAllocUncheckedFn(size_t size, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->alloc_unchecked_function(size, context);
+}
+
+void* DelegatedAllocZeroInitializedFn(size_t n, size_t size, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->alloc_zero_initialized_function(n, size,
+                                                               context);
+}
+
+void* DelegatedAllocAlignedFn(size_t alignment, size_t size, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->alloc_aligned_function(alignment, size, context);
+}
+
+void* DelegatedReallocFn(void* address, size_t size, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->realloc_function(address, size, context);
+}
+
+void* DelegatedReallocUncheckedFn(void* address, size_t size, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->realloc_unchecked_function(address, size,
+                                                          context);
+}
+
+void DelegatedFreeFn(void* address, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->free_function(address, context);
+}
+
+size_t DelegatedGetSizeEstimateFn(void* address, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->get_size_estimate_function(address, context);
+}
+
+size_t DelegatedGoodSizeFn(size_t size, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->good_size_function(size, context);
+}
+
+bool DelegatedClaimedAddressFn(void* address, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->claimed_address_function(address, context);
+}
+
+unsigned DelegatedBatchMallocFn(size_t size,
+                                void** results,
+                                unsigned num_requested,
+                                void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->batch_malloc_function(size, results,
+                                                     num_requested, context);
+}
+
+void DelegatedBatchFreeFn(void** to_be_freed,
+                          unsigned num_to_be_freed,
+                          void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->batch_free_function(to_be_freed, num_to_be_freed,
+                                                   context);
+}
+
+void DelegatedFreeDefiniteSizeFn(void* address, size_t size, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->free_definite_size_function(address, size,
+                                                           context);
+}
+
+void DelegatedTryFreeDefaultFn(void* address, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->try_free_default_function(address, context);
+}
+
+void* DelegatedAlignedMallocFn(size_t size, size_t alignment, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->aligned_malloc_function(size, alignment,
+                                                       context);
+}
+
+void* DelegatedAlignedMallocUncheckedFn(size_t size,
+                                        size_t alignment,
+                                        void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->aligned_malloc_unchecked_function(
+      size, alignment, context);
+}
+
+void* DelegatedAlignedReallocFn(void* address,
+                                size_t size,
+                                size_t alignment,
+                                void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->aligned_realloc_function(address, size,
+                                                        alignment, context);
+}
+
+void* DelegatedAlignedReallocUncheckedFn(void* address,
+                                         size_t size,
+                                         size_t alignment,
+                                         void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->aligned_realloc_unchecked_function(
+      address, size, alignment, context);
+}
+
+void DelegatedAlignedFreeFn(void* address, void* context) {
+  const AllocatorDispatch* delegate = GetDelegate();
+  PA_MUSTTAIL return delegate->aligned_free_function(address, context);
+}
 }  // namespace
 
-void InstallDispatchToPartitionAllocWithAdvancedChecks(
+void InstallCustomDispatch(AllocatorDispatch* dispatch) {
-    AllocatorDispatch* dispatch) {
   PA_DCHECK(dispatch);
 
   // Must have followings:
+  PA_DCHECK(dispatch->alloc_function != nullptr);
+  PA_DCHECK(dispatch->alloc_unchecked_function != nullptr);
+  PA_DCHECK(dispatch->alloc_zero_initialized_function != nullptr);
+  PA_DCHECK(dispatch->alloc_aligned_function != nullptr);
   PA_DCHECK(dispatch->realloc_function != nullptr);
+  PA_DCHECK(dispatch->realloc_unchecked_function != nullptr);
   PA_DCHECK(dispatch->free_function != nullptr);
-
+  PA_DCHECK(dispatch->get_size_estimate_function != nullptr);
-  // Must not have followings:
+#if PA_BUILDFLAG(IS_APPLE)
-  PA_DCHECK(dispatch->alloc_function == nullptr);
+  PA_DCHECK(dispatch->good_size_function != nullptr);
-  PA_DCHECK(dispatch->alloc_unchecked_function == nullptr);
+  PA_DCHECK(dispatch->claimed_address_function != nullptr);
-  PA_DCHECK(dispatch->alloc_zero_initialized_function == nullptr);
+#endif  // PA_BUILDFLAG(IS_APPLE)
-  PA_DCHECK(dispatch->alloc_aligned_function == nullptr);
+  PA_DCHECK(dispatch->batch_malloc_function != nullptr);
-  PA_DCHECK(dispatch->realloc_unchecked_function == nullptr);
+  PA_DCHECK(dispatch->batch_free_function != nullptr);
-  PA_DCHECK(dispatch->get_size_estimate_function == nullptr);
+#if PA_BUILDFLAG(IS_APPLE)
-  PA_DCHECK(dispatch->good_size_function == nullptr);
+  PA_DCHECK(dispatch->free_definite_size_function != nullptr);
-  PA_DCHECK(dispatch->claimed_address_function == nullptr);
+  PA_DCHECK(dispatch->try_free_default_function != nullptr);
-  PA_DCHECK(dispatch->batch_malloc_function == nullptr);
+#endif  // PA_BUILDFLAG(IS_APPLE)
-  PA_DCHECK(dispatch->batch_free_function == nullptr);
+  PA_DCHECK(dispatch->aligned_malloc_function != nullptr);
-  PA_DCHECK(dispatch->free_definite_size_function == nullptr);
+  PA_DCHECK(dispatch->aligned_malloc_unchecked_function != nullptr);
-  PA_DCHECK(dispatch->try_free_default_function == nullptr);
+  PA_DCHECK(dispatch->aligned_realloc_function != nullptr);
-  PA_DCHECK(dispatch->aligned_malloc_function == nullptr);
+  PA_DCHECK(dispatch->aligned_realloc_unchecked_function != nullptr);
-  PA_DCHECK(dispatch->aligned_malloc_unchecked_function == nullptr);
+  PA_DCHECK(dispatch->aligned_free_function != nullptr);
-  PA_DCHECK(dispatch->aligned_realloc_function == nullptr);
-  PA_DCHECK(dispatch->aligned_realloc_unchecked_function == nullptr);
-  PA_DCHECK(dispatch->aligned_free_function == nullptr);
 
   dispatch->next = &internal::kPartitionAllocDispatch;
 
@@ -65,30 +183,46 @@ void InstallDispatchToPartitionAllocWithAdvancedChecks(
 #endif  // PA_BUILDFLAG(DCHECKS_ARE_ON)
 }
 
-void UninstallDispatchToPartitionAllocWithAdvancedChecks() {
+void InstallCustomDispatchForTesting(AllocatorDispatch* dispatch) {
+  InstallCustomDispatch(dispatch);
+}
+
+void InstallCustomDispatchForPartitionAllocWithAdvancedChecks() {
+  PA_CONSTINIT static AllocatorDispatch dispatch = []() constexpr {
+    auto dispatch =
+        internal::PartitionAllocWithAdvancedChecksFunctions::MakeDispatch();
+    dispatch.next = &internal::kPartitionAllocDispatch;
+    return dispatch;
+  }();
+  InstallCustomDispatch(&dispatch);
+}
+
+void UninstallCustomDispatch() {
   g_delegate_dispatch.store(&internal::kPartitionAllocDispatch,
                             std::memory_order_relaxed);
 }
 
-namespace internal {
+const AllocatorDispatch AllocatorDispatch::default_dispatch = {
-
+    .alloc_function = &DelegatedAllocFn,
-void FreeWithAdvancedChecks(void* address, void* context) {
+    .alloc_unchecked_function = &DelegatedAllocUncheckedFn,
-  const AllocatorDispatch* delegate = GetDelegate();
+    .alloc_zero_initialized_function = &DelegatedAllocZeroInitializedFn,
-  PA_MUSTTAIL return delegate->free_function(address, context);
+    .alloc_aligned_function = &DelegatedAllocAlignedFn,
-}
+    .realloc_function = &DelegatedReallocFn,
-
+    .realloc_unchecked_function = &DelegatedReallocUncheckedFn,
-void* ReallocWithAdvancedChecks(void* address, size_t size, void* context) {
+    .free_function = &DelegatedFreeFn,
-  const AllocatorDispatch* delegate = GetDelegate();
+    .get_size_estimate_function = &DelegatedGetSizeEstimateFn,
-  PA_MUSTTAIL return delegate->realloc_function(address, size, context);
+    .good_size_function = &DelegatedGoodSizeFn,
-}
+    .claimed_address_function = &DelegatedClaimedAddressFn,
-
+    .batch_malloc_function = &DelegatedBatchMallocFn,
-}  // namespace internal
+    .batch_free_function = &DelegatedBatchFreeFn,
-
+    .free_definite_size_function = &DelegatedFreeDefiniteSizeFn,
-const AllocatorDispatch AllocatorDispatch::default_dispatch = []() constexpr {
+    .try_free_default_function = &DelegatedTryFreeDefaultFn,
-  AllocatorDispatch dispatch = internal::kPartitionAllocDispatch;
+    .aligned_malloc_function = &DelegatedAlignedMallocFn,
-  dispatch.realloc_function = &internal::ReallocWithAdvancedChecks;
+    .aligned_malloc_unchecked_function = &DelegatedAlignedMallocUncheckedFn,
-  dispatch.free_function = &internal::FreeWithAdvancedChecks;
+    .aligned_realloc_function = &DelegatedAlignedReallocFn,
-  return dispatch;
+    .aligned_realloc_unchecked_function = &DelegatedAlignedReallocUncheckedFn,
-}();
+    .aligned_free_function = &DelegatedAlignedFreeFn,
+    .next = nullptr,
+};
 
 }  // namespace allocator_shim

src/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc_with_advanced_checks.h

@@ -32,11 +32,13 @@
 namespace allocator_shim {
 
 PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
-void InstallDispatchToPartitionAllocWithAdvancedChecks(
+void InstallCustomDispatchForPartitionAllocWithAdvancedChecks();
-    AllocatorDispatch* dispatch);
 
 PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
-void UninstallDispatchToPartitionAllocWithAdvancedChecks();
+void InstallCustomDispatchForTesting(AllocatorDispatch* dispatch);
+
+PA_COMPONENT_EXPORT(ALLOCATOR_SHIM)
+void UninstallCustomDispatch();
 
 }  // namespace allocator_shim