Skip to content

[libc++] Properly implement array cookies in the ARM ABI #160182

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
+126 −8
Open

[libc++] Properly implement array cookies in the ARM ABI #160182

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
a7c7ceb
[libc++] Properly implement array cookies in the ARM ABI
ldionne Sep 22, 2025
11c3519
Review comments
ldionne Oct 8, 2025
68627d8
Fix C++03
ldionne Oct 8, 2025
2317797
Review comments
ldionne Oct 8, 2025
57c6da5
Merge branch 'main' into review/fix-array-cookie-on-arm
ldionne Oct 8, 2025
a4ae527
Fix __maybe_unused__
ldionne Oct 8, 2025
22c9a78
Fix aliasing violation in Itanium and new ARM implementation
ldionne Oct 8, 2025
563aef6
Review comments
ldionne Oct 9, 2025
69e8b8f
More fixes
ldionne Oct 9, 2025
d0026cc
Comment fix
ldionne Oct 9, 2025
588aace
addressof
ldionne Oct 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions libcxx/include/__configuration/abi.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,20 @@
#elif _LIBCPP_ABI_FORCE_MICROSOFT
# define _LIBCPP_ABI_MICROSOFT
#else
// Windows uses the Microsoft ABI
# if defined(_WIN32) && defined(_MSC_VER)
# define _LIBCPP_ABI_MICROSOFT

// 32-bit ARM uses the Itanium ABI with a few differences (array cookies, etc),
// and so does 64-bit ARM on Apple platforms.
# elif defined(__arm__) || (defined(__APPLE__) && defined(__aarch64__))
# define _LIBCPP_ABI_ITANIUM_WITH_ARM_DIFFERENCES

// Non-Apple 64-bit ARM uses the vanilla Itanium ABI
# elif defined(__aarch64__)
# define _LIBCPP_ABI_ITANIUM
Comment on lines +42 to +44
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason we define this separately?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So we can have a comment and call it out explicitly, because it's subtle otherwise.


// We assume that other architectures also use the vanilla Itanium ABI too
# else
# define _LIBCPP_ABI_ITANIUM
# endif
Expand Down
89 changes: 81 additions & 8 deletions libcxx/include/__memory/array_cookie.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
#include <__config>
#include <__configuration/abi.h>
#include <__cstddef/size_t.h>
#include <__memory/addressof.h>
#include <__type_traits/integral_constant.h>
#include <__type_traits/is_trivially_destructible.h>
#include <__type_traits/negation.h>
Expand All @@ -26,28 +27,100 @@ _LIBCPP_BEGIN_NAMESPACE_STD
// Trait representing whether a type requires an array cookie at the start of its allocation when
// allocated as `new T[n]` and deallocated as `delete[] array`.
//
// Under the Itanium C++ ABI [1], we know that an array cookie is available unless `T` is trivially
// destructible and the call to `operator delete[]` is not a sized operator delete. Under ABIs other
// than the Itanium ABI, we assume there are no array cookies.
// Under the Itanium C++ ABI [1] and the ARM ABI which derives from it, we know that an array cookie is available
// unless `T` is trivially destructible and the call to `operator delete[]` is not a sized operator delete. Under
// other ABIs, we assume there are no array cookies.
//
// [1]: https://itanium-cxx-abi.github.io/cxx-abi/abi.html#array-cookies
#ifdef _LIBCPP_ABI_ITANIUM
#if defined(_LIBCPP_ABI_ITANIUM) || defined(_LIBCPP_ABI_ITANIUM_WITH_ARM_DIFFERENCES)
// TODO: Use a builtin instead
// TODO: We should factor in the choice of the usual deallocation function in this determination.
// TODO: We should factor in the choice of the usual deallocation function in this determination:
// a cookie may be available in more cases but we ignore those for now.
template <class _Tp>
struct __has_array_cookie : _Not<is_trivially_destructible<_Tp> > {};
#else
template <class _Tp>
struct __has_array_cookie : false_type {};
#endif

template <class _Tp, bool _HasPadding = (_LIBCPP_PREFERRED_ALIGNOF(_Tp) > sizeof(size_t))>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure _LIBCPP_PREFERRED_ALIGNOF is correct here? The Itanium ABI only talks about alignof. If so, we're definitely missing tests.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes:

llvm-project/clang/lib/CodeGen/ItaniumCXXABI.cpp

Line 2513 in 36bce68

CGM.getContext().getPreferredTypeAlignInChars(elementType));

I suspect that's because the Itanium C++ ABI document predates the point where Clang changed alignof to be the ABI alignment instead of the preferred alignment (which happened several years ago IIRC).

Looks like long long on x86-64 when compiling with -m32 is a type where these two alignments differ. However, wrapping that into a struct makes the ABI and preferred alignments the same again. So I'm not sure how to actually test that, suggestions welcome. https://godbolt.org/z/hP44Ed79E

struct [[__gnu__::__aligned__(_LIBCPP_PREFERRED_ALIGNOF(_Tp))]] __itanium_array_cookie {
size_t __element_count;
};

template <class _Tp>
struct [[__gnu__::__aligned__(_LIBCPP_PREFERRED_ALIGNOF(_Tp))]] __itanium_array_cookie<_Tp, /* _HasPadding */ true> {
char __padding[_LIBCPP_PREFERRED_ALIGNOF(_Tp) - sizeof(size_t)];
size_t __element_count;
};
Comment on lines +52 to +55
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAICT if we just ignore the template argument we don't need the __padding here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand what you mean, can you explain?

I like that we're being explicit about the layout of the cookie (padding + payload). This is subtle code -- it should be as explicit as possible. Cleverness or terseness of the code here is the wrong thing to optimize for.


template <class _Tp>
struct [[__gnu__::__aligned__(_LIBCPP_ALIGNOF(_Tp))]] __arm_array_cookie {
size_t __element_size;
size_t __element_count;
};

// Return the element count in the array cookie located before the given pointer.
//
// In the Itanium ABI [1]
// ----------------------
// The element count is stored immediately before the first element of the array. If the preferred alignment
// of array elements (which is different from the ABI alignment) is more than that of size_t, additional
// padding bytes exist at the beginning of the array cookie. Assuming array elements of size and alignment 16
// bytes, that gives us the following layout:
//
// |ooooooooxxxxxxxxaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccdddddddddddddddd|
// ^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
// | ^^^^^^^^ |
// | | array elements
// padding |
// element count
//
// In practice, it is sufficient to read the bytes immediately before the first array element.
//
//
// In the Itanium ABI with ARM differences [2]
// -------------------------------------------
// The array cookie is stored at the very start of the allocation and it has the following form:
//
// struct array_cookie {
// std::size_t element_size; // element_size != 0
// std::size_t element_count;
// };
//
// Assuming elements of size and alignment 32 bytes, this gives us the following layout:
//
// |xxxxxxxxXXXXXXXXooooooooooooooooaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb|
// ^^^^^^^^ ^^^^^^^^^^^^^^^^
// | ^^^^^^^^ | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
// element size | padding |
// element count array elements
//
// We calculate the starting address of the allocation by taking into account the ABI alignment (not
// the preferred alignment) of the type.
//
// [1]: https://itanium-cxx-abi.github.io/cxx-abi/abi.html#array-cookies
// [2]: https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms#Handle-C++-differences
template <class _Tp>
// Avoid failures when -fsanitize-address-poison-custom-array-cookie is enabled
_LIBCPP_HIDE_FROM_ABI _LIBCPP_NO_SANITIZE("address") size_t __get_array_cookie(_Tp const* __ptr) {
_LIBCPP_HIDE_FROM_ABI _LIBCPP_NO_SANITIZE("address") size_t __get_array_cookie([[__maybe_unused__]] _Tp const* __ptr) {
static_assert(
__has_array_cookie<_Tp>::value, "Trying to access the array cookie of a type that is not guaranteed to have one");
size_t const* __cookie = reinterpret_cast<size_t const*>(__ptr) - 1; // TODO: Use a builtin instead
return *__cookie;

#if defined(_LIBCPP_ABI_ITANIUM)
using _ArrayCookie = __itanium_array_cookie<_Tp>;
#elif defined(_LIBCPP_ABI_ITANIUM_WITH_ARM_DIFFERENCES)
using _ArrayCookie = __arm_array_cookie<_Tp>;
#else
static_assert(false, "The array cookie layout is unknown on this ABI");
#endif

char const* __allocation_start = reinterpret_cast<char const*>(__ptr) - sizeof(_ArrayCookie);
_ArrayCookie __cookie;
// This is necessary to avoid violating strict aliasing. It's valid because _ArrayCookie is an
// implicit lifetime type.
__builtin_memcpy(std::addressof(__cookie), __allocation_start, sizeof(_ArrayCookie));
return __cookie.__element_count;
}

_LIBCPP_END_NAMESPACE_STD
Expand Down
33 changes: 33 additions & 0 deletions ...ities/smartptr/unique.ptr/unique.ptr.class/unique.ptr.observers/assert.subscript.pass.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,15 +58,18 @@ void test() {
{
{
std::unique_ptr<WithCookie[]> ptr(new WithCookie[5]);
assert(&ptr[1] == ptr.get() + 1); // ensure no assertion
TEST_LIBCPP_ASSERT_FAILURE(ptr[6], "unique_ptr<T[]>::operator[](index): index out of range");
}
{
std::unique_ptr<WithCookie[]> ptr = std::make_unique<WithCookie[]>(5);
assert(&ptr[1] == ptr.get() + 1); // ensure no assertion
TEST_LIBCPP_ASSERT_FAILURE(ptr[6], "unique_ptr<T[]>::operator[](index): index out of range");
}
#if TEST_STD_VER >= 20
{
std::unique_ptr<WithCookie[]> ptr = std::make_unique_for_overwrite<WithCookie[]>(5);
assert(&ptr[1] == ptr.get() + 1); // ensure no assertion
TEST_LIBCPP_ASSERT_FAILURE(ptr[6] = WithCookie(), "unique_ptr<T[]>::operator[](index): index out of range");
}
#endif
Expand All @@ -82,11 +85,13 @@ void test() {
{
{
std::unique_ptr<NoCookie[]> ptr = std::make_unique<NoCookie[]>(5);
assert(&ptr[1] == ptr.get() + 1); // ensure no assertion
TEST_LIBCPP_ASSERT_FAILURE(ptr[6], "unique_ptr<T[]>::operator[](index): index out of range");
}
# if TEST_STD_VER >= 20
{
std::unique_ptr<NoCookie[]> ptr = std::make_unique_for_overwrite<NoCookie[]>(5);
assert(&ptr[1] == ptr.get() + 1); // ensure no assertion
TEST_LIBCPP_ASSERT_FAILURE(ptr[6] = NoCookie(), "unique_ptr<T[]>::operator[](index): index out of range");
}
# endif
Expand All @@ -101,6 +106,7 @@ void test() {
{
std::unique_ptr<T[]> ptr = std::make_unique<T[]>(5);
std::unique_ptr<T[]> other(std::move(ptr));
assert(&other[1] == other.get() + 1); // ensure no assertion
TEST_LIBCPP_ASSERT_FAILURE(other[6], "unique_ptr<T[]>::operator[](index): index out of range");
}

Expand All @@ -109,13 +115,15 @@ void test() {
std::unique_ptr<T[]> ptr = std::make_unique<T[]>(5);
std::unique_ptr<T[]> other;
other = std::move(ptr);
assert(&other[1] == other.get() + 1); // ensure no assertion
TEST_LIBCPP_ASSERT_FAILURE(other[6], "unique_ptr<T[]>::operator[](index): index out of range");
}

// Bounds carried through converting move-constructor
{
std::unique_ptr<T[]> ptr = std::make_unique<T[]>(5);
std::unique_ptr<T[], MyDeleter> other(std::move(ptr));
assert(&other[1] == other.get() + 1); // ensure no assertion
TEST_LIBCPP_ASSERT_FAILURE(other[6], "unique_ptr<T[]>::operator[](index): index out of range");
}

Expand All @@ -124,6 +132,7 @@ void test() {
std::unique_ptr<T[]> ptr = std::make_unique<T[]>(5);
std::unique_ptr<T[], MyDeleter> other;
other = std::move(ptr);
assert(&other[1] == other.get() + 1); // ensure no assertion
TEST_LIBCPP_ASSERT_FAILURE(other[6], "unique_ptr<T[]>::operator[](index): index out of range");
}
});
Expand All @@ -144,6 +153,20 @@ struct WithCookie {
char padding[Size];
};

template <std::size_t Size>
struct alignas(128) OveralignedNoCookie {
char padding[Size];
};

template <std::size_t Size>
struct alignas(128) OveralignedWithCookie {
OveralignedWithCookie() = default;
OveralignedWithCookie(OveralignedWithCookie const&) {}
OveralignedWithCookie& operator=(OveralignedWithCookie const&) { return *this; }
~OveralignedWithCookie() {}
char padding[Size];
};

int main(int, char**) {
test<WithCookie<1>, NoCookie<1>>();
test<WithCookie<2>, NoCookie<2>>();
Expand All @@ -153,6 +176,16 @@ int main(int, char**) {
test<WithCookie<16>, NoCookie<16>>();
test<WithCookie<32>, NoCookie<32>>();
test<WithCookie<256>, NoCookie<256>>();

test<OveralignedWithCookie<1>, OveralignedNoCookie<1>>();
test<OveralignedWithCookie<2>, OveralignedNoCookie<2>>();
test<OveralignedWithCookie<3>, OveralignedNoCookie<3>>();
test<OveralignedWithCookie<4>, OveralignedNoCookie<4>>();
test<OveralignedWithCookie<8>, OveralignedNoCookie<8>>();
test<OveralignedWithCookie<16>, OveralignedNoCookie<16>>();
test<OveralignedWithCookie<32>, OveralignedNoCookie<32>>();
test<OveralignedWithCookie<256>, OveralignedNoCookie<256>>();

test<std::string, int>();

return 0;
Expand Down
Loading