[PA] Propose "ExternalMetadata" synthetic finch trials if enabled

If `enable_move_metadata_outside_gigacage_trial`(gn var) is true,
propose synthetic finch trials: 10% enabled and 10% disabled(control).

Design Doc:
https://docs.google.com/document/d/1Mn-qRAWuDhS_gRL_OG2TYL-EW5D8yljaCyM40S0ocVc/edit?tab=t.0

Bug: crbug.com/435341877

Change-Id: Ib0987efc576d4ba797bed119e18dd595e4d807f7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6795727
Reviewed-by: Yuki Shiino <[email protected]>
Commit-Queue: Takashi Sakamoto <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1495230}
NOKEYCHECK=True
GitOrigin-RevId: a322032394786af17da7fac775932f9050440707

Author: tasak

partition_alloc.gni

@@ -343,6 +343,16 @@ declare_args() {
   move_metadata_outside_gigacage = false && has_64_bit_pointers && !is_ios
 }
 
+declare_args() {
+  enable_move_metadata_outside_gigacage_trial =
+      false && move_metadata_outside_gigacage
+}
+
+assert(!enable_move_metadata_outside_gigacage_trial ||
+           move_metadata_outside_gigacage,
+       "Can't enable PartitionAllocExternalMetadata synthetic trial " +
+           "without move_metadata_outside_gigacage=true.")
+
 declare_args() {
   # Use full MTE protection available by changing the feature flag default
   # values. So sync mode on all processes. Also disables permissive MTE.

src/partition_alloc/BUILD.gn

@@ -156,6 +156,7 @@ pa_buildflag_header("buildflags") {
     "ENABLE_POINTER_COMPRESSION=$enable_pointer_compression",
     "ENABLE_POINTER_SUBTRACTION_CHECK=$enable_pointer_subtraction_check",
     "MOVE_METADATA_OUT_OF_GIGACAGE_FOR_64_BITS_POINTERS=$move_metadata_outside_gigacage",
+    "ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL=$enable_move_metadata_outside_gigacage_trial",
     "ENABLE_THREAD_ISOLATION=$enable_pkeys",
     "EXPENSIVE_DCHECKS_ARE_ON=$enable_expensive_dchecks",
     "FORCE_DISABLE_BACKUP_REF_PTR_FEATURE=$force_disable_backup_ref_ptr_feature",
@@ -400,6 +401,8 @@ if (is_clang_or_gcc) {
       "address_space_stats.h",
       "allocation_guard.cc",
       "allocation_guard.h",
+      "allocator_config.cc",
+      "allocator_config.h",
       "bucket_lookup.h",
       "compressed_pointer.cc",
       "compressed_pointer.h",

src/partition_alloc/allocator_config.cc

@@ -0,0 +1,60 @@
+// Copyright 2025 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "partition_alloc/allocator_config.h"
+
+#include <limits>
+
+#include "partition_alloc/random.h"
+
+namespace partition_alloc {
+
+#if PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) && \
+    PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
+namespace {
+
+enum ExternalMetadataTrialGroupPercentage {
+  kEnabled = 10,   // 10%
+  kDisabled = 10,  // 10%
+};
+
+ExternalMetadataTrialGroup s_externalMetadataJoinedGroup =
+    ExternalMetadataTrialGroup::kUndefined;
+
+void SetExternalMetadataTrialGroup(ExternalMetadataTrialGroup group) {
+  s_externalMetadataJoinedGroup = group;
+}
+
+}  // namespace
+
+namespace internal {
+
+ExternalMetadataTrialGroup SelectExternalMetadataTrialGroup() {
+  uint32_t random = internal::RandomValue() /
+                    static_cast<double>(std::numeric_limits<uint32_t>::max()) *
+                    100.0;
+
+  ExternalMetadataTrialGroup group;
+  if (random < ExternalMetadataTrialGroupPercentage::kEnabled) {
+    group = ExternalMetadataTrialGroup::kEnabled;
+  } else if (random < ExternalMetadataTrialGroupPercentage::kEnabled +
+                          ExternalMetadataTrialGroupPercentage::kDisabled) {
+    group = ExternalMetadataTrialGroup::kDisabled;
+  } else {
+    group = ExternalMetadataTrialGroup::kDefault;
+  }
+  SetExternalMetadataTrialGroup(group);
+  return group;
+}
+
+}  // namespace internal
+
+ExternalMetadataTrialGroup GetExternalMetadataTrialGroup() {
+  return s_externalMetadataJoinedGroup;
+}
+
+#endif  // PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) &&
+        // PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
+
+}  // namespace partition_alloc

src/partition_alloc/allocator_config.h

@@ -0,0 +1,47 @@
+// Copyright 2025 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef PARTITION_ALLOC_ALLOCATOR_CONFIG_H_
+#define PARTITION_ALLOC_ALLOCATOR_CONFIG_H_
+
+#include "partition_alloc/buildflags.h"
+#include "partition_alloc/partition_alloc_base/compiler_specific.h"
+#include "partition_alloc/partition_alloc_base/component_export.h"
+#include "partition_alloc/partition_alloc_config.h"
+
+namespace partition_alloc {
+
+// partition_alloc_support.cc will see the configuration and invoke
+// RegisterSyntheticTrialGroup().
+#if PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) && \
+    PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
+
+inline constexpr const char kExternalMetadataTrialName[] =
+    "PartitionAllocExternalMetadata";
+inline constexpr const char kExternalMetadataTrialGroup_Enabled[] = "Enabled";
+inline constexpr const char kExternalMetadataTrialGroup_Disabled[] = "Disabled";
+
+// For synthetic field trial: PartitionAllocExternalMetadata
+enum ExternalMetadataTrialGroup {
+  kUndefined = 0,
+  kDefault,
+  kDisabled,
+  kEnabled,
+};
+
+PA_COMPONENT_EXPORT(PARTITION_ALLOC)
+ExternalMetadataTrialGroup GetExternalMetadataTrialGroup();
+
+namespace internal {
+
+ExternalMetadataTrialGroup SelectExternalMetadataTrialGroup();
+
+}  // namespace internal
+
+#endif  // PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) &&
+        // PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
+
+}  // namespace partition_alloc
+
+#endif  // PARTITION_ALLOC_ALLOCATOR_CONFIG_H_

src/partition_alloc/hardening_unittest.cc

@@ -6,6 +6,7 @@
 #include <string>
 #include <vector>
 
+#include "partition_alloc/allocator_config.h"
 #include "partition_alloc/build_config.h"
 #include "partition_alloc/partition_alloc_config.h"
 #include "partition_alloc/partition_alloc_for_testing.h"
@@ -81,17 +82,29 @@ TEST(HardeningTest, MetadataPointerCrashing) {
   uintptr_t slot_start = root.ObjectToSlotStart(data);
   auto* metadata = SlotSpanMetadata::FromSlotStart(slot_start, &root);
 
-#if PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE)
-  // Crashes, because `metadata` points outside of giga cage.
-  // `GetPoolInfo()` will hit NOTREACHED().
+#if PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) && \
+    !PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
   EXPECT_DEATH(FreelistEntry::EmplaceAndInitForTest(slot_start, metadata, true),
                "");
-#else
-  FreelistEntry::EmplaceAndInitForTest(slot_start, metadata, true);
+#endif
 
-  // Crashes, because |metadata| points inside the metadata area.
-  EXPECT_DEATH(root.Alloc(kAllocSize), "");
+#if PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) && \
+    PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
+  if (ExternalMetadataTrialGroup::kEnabled == GetExternalMetadataTrialGroup()) {
+    EXPECT_DEATH(
+        FreelistEntry::EmplaceAndInitForTest(slot_start, metadata, true), "");
+  } else
 #endif
+#if !PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) || \
+    PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
+  {
+    FreelistEntry::EmplaceAndInitForTest(slot_start, metadata, true);
+
+    // Crashes, because |metadata| points inside the metadata area.
+    EXPECT_DEATH(root.Alloc(kAllocSize), "");
+  }
+#endif  // !PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) ||
+        // PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
 }
 #endif  // PA_USE_DEATH_TESTS() && PA_CONFIG(HAS_FREELIST_SHADOW_ENTRY)
 
@@ -169,15 +182,28 @@ TEST(HardeningTest, PoolOffsetMetadataPointerCrashing) {
   uintptr_t slot_start = root.ObjectToSlotStart(data);
   auto* metadata = SlotSpanMetadata::FromSlotStart(slot_start, &root);
 
-#if PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE)
+#if PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) && \
+    !PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
   EXPECT_DEATH(FreelistEntry::EmplaceAndInitForTest(slot_start, metadata, true),
                "");
-#else
-  FreelistEntry::EmplaceAndInitForTest(slot_start, metadata, true);
-
-  // Crashes, because |metadata| points inside the metadata area.
-  EXPECT_DEATH(root.Alloc(kAllocSize), "");
 #endif
+#if PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) && \
+    PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
+  if (ExternalMetadataTrialGroup::kEnabled == GetExternalMetadataTrialGroup()) {
+    EXPECT_DEATH(
+        FreelistEntry::EmplaceAndInitForTest(slot_start, metadata, true), "");
+  } else
+#endif
+#if !PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) || \
+    PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
+  {
+    FreelistEntry::EmplaceAndInitForTest(slot_start, metadata, true);
+
+    // Crashes, because |metadata| points inside the metadata area.
+    EXPECT_DEATH(root.Alloc(kAllocSize), "");
+  }
+#endif  // !PA_CONFIG(MOVE_METADATA_OUT_OF_GIGACAGE) ||
+        // PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
 }
 #endif  // PA_USE_DEATH_TESTS() && PA_CONFIG(HAS_FREELIST_SHADOW_ENTRY)
 

src/partition_alloc/partition_address_space.cc

@@ -12,6 +12,7 @@
 #include <string>
 
 #include "partition_alloc/address_pool_manager.h"
+#include "partition_alloc/allocator_config.h"
 #include "partition_alloc/build_config.h"
 #include "partition_alloc/buildflags.h"
 #include "partition_alloc/compressed_pointer.h"
@@ -400,6 +401,19 @@ void PartitionAddressSpace::InitMetadataRegionAndOffsets() {
     return;
   }
 
+#if PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
+  if (ExternalMetadataTrialGroup::kUndefined ==
+      GetExternalMetadataTrialGroup()) {
+    if (SelectExternalMetadataTrialGroup() !=
+        ExternalMetadataTrialGroup::kEnabled) {
+      for (size_t i = 0; i < kMaxPoolHandle; ++i) {
+        offsets_to_metadata_[i] = SystemPageSize();
+      }
+      return;
+    }
+  }
+#endif  // PA_BUILDFLAG(ENABLE_MOVE_METADATA_OUT_OF_GIGACAGE_TRIAL)
+
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
   metadata_region_size_ = std::max(kConfigurablePoolMaxSize, CorePoolSize());
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)