1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
|
## Unreleased
Released YYYY-MM-DD.
### Added
* TODO (or remove section if none)
### Changed
* TODO (or remove section if none)
### Deprecated
* TODO (or remove section if none)
### Removed
* TODO (or remove section if none)
### Fixed
* TODO (or remove section if none)
### Security
* TODO (or remove section if none)
--------------------------------------------------------------------------------
## 3.4.0
Released 2020-06-01.
### Added
* Added the `bumpalo::boxed::Box<T>` type. It is an owned pointer referencing a
bump-allocated value, and it runs `T`'s `Drop` implementation on the
referenced value when dropped. This type can be used by enabling the `"boxed"`
cargo feature flag.
--------------------------------------------------------------------------------
## 3.3.0
Released 2020-05-13.
### Added
* Added fallible allocation methods to `Bump`: `try_new`, `try_with_capacity`,
and `try_alloc_layout`.
* Added `Bump::chunk_capacity`
* Added `bumpalo::collections::Vec::try_reserve[_exact]`
--------------------------------------------------------------------------------
## 3.2.1
Released 2020-03-24.
### Security
* When `realloc`ing, if we allocate new space, we need to copy the old
allocation's bytes into the new space. There are `old_size` number of bytes in
the old allocation, but we were accidentally copying `new_size` number of
bytes, which could lead to copying bytes into the realloc'd space from past
the chunk that we're bump allocating out of, from unknown memory.
If an attacker can cause `realloc`s, and can read the `realoc`ed data back,
this could allow them to read things from other regions of memory that they
shouldn't be able to. For example, if some crypto keys happened to live in
memory right after a chunk we were bump allocating out of, this could allow
the attacker to read the crypto keys.
Beyond just fixing the bug and adding a regression test, I've also taken two
additional steps:
1. While we were already running the testsuite under `valgrind` in CI, because
`valgrind` exits with the same code that the program did, if there are
invalid reads/writes that happen not to trigger a segfault, the program can
still exit OK and we will be none the wiser. I've enabled the
`--error-exitcode=1` flag for `valgrind` in CI so that tests eagerly fail
in these scenarios.
2. I've written a quickcheck test to exercise `realloc`. Without the bug fix
in this patch, this quickcheck immediately triggers invalid reads when run
under `valgrind`. We didn't previously have quickchecks that exercised
`realloc` beacuse `realloc` isn't publicly exposed directly, and instead
can only be indirectly called. This new quickcheck test exercises `realloc`
via `bumpalo::collections::Vec::resize` and
`bumpalo::collections::Vec::shrink_to_fit` calls.
This bug was introduced in version 3.0.0.
See [#69](https://github.com/fitzgen/bumpalo/issues/69) for details.
--------------------------------------------------------------------------------
## 3.2.0
Released 2020-02-07.
### Added
* Added the `bumpalo::collections::Vec::into_bump_slice_mut` method to turn a
`bumpalo::collections::Vec<'bump, T>` into a `&'bump mut [T]`.
--------------------------------------------------------------------------------
## 3.1.2
Released 2020-01-07.
### Fixed
* The `bumpalo::collections::format!` macro did not used to accept a trailing
comma like `format!(in bump; "{}", 1,)`, but it does now.
--------------------------------------------------------------------------------
## 3.1.1
Released 2020-01-03.
### Fixed
* The `bumpalo::collections::vec!` macro did not used to accept a trailing
comma like `vec![in bump; 1, 2,]`, but it does now.
--------------------------------------------------------------------------------
## 3.1.0
Released 2019-12-27.
### Added
* Added the `Bump::allocated_bytes` diagnostic method for counting the total
number of bytes a `Bump` has allocated.
--------------------------------------------------------------------------------
# 3.0.0
Released 2019-12-20.
## Added
* Added `Bump::alloc_str` for copying string slices into a `Bump`.
* Added `Bump::alloc_slice_copy` and `Bump::alloc_slice_clone` for copying or
cloning slices into a `Bump`.
* Added `Bump::alloc_slice_fill_iter` for allocating a slice in the `Bump` from
an iterator.
* Added `Bump::alloc_slice_fill_copy` and `Bump::alloc_slice_fill_clone` for
creating slices of length `n` that are filled with copies or clones of an
inital element.
* Added `Bump::alloc_slice_fill_default` for creating slices of length `n` with
the element type's default instance.
* Added `Bump::alloc_slice_fill_with` for creating slices of length `n` whose
elements are initialized with a function or closure.
* Added `Bump::iter_allocated_chunks` as a replacement for the old
`Bump::each_allocated_chunk`. The `iter_allocated_chunks` version returns an
iterator, which is more idiomatic than its old, callback-taking counterpart.
Additionally, `iter_allocated_chunks` exposes the chunks as `MaybeUninit`s
instead of slices, which makes it usable in more situations without triggering
undefined behavior. See also the note about bump direction in the "changed"
section; if you're iterating chunks, you're likely affected by that change!
* Added `Bump::with_capacity` so that you can pre-allocate a chunk with the
requested space.
### Changed
* **BREAKING:** The direction we allocate within a chunk has changed. It used to
be "upwards", from low addresses within a chunk towards high addresses. It is
now "downwards", from high addresses towards lower addresses.
Additionally, the order in which we iterate over allocated chunks has changed!
We used to iterate over chunks from oldest chunk to youngest chunk, and now we
do the opposite: the youngest chunks are iterated over first, and the oldest
chunks are iterated over last.
If you were using `Bump::each_allocated_chunk` to iterate over data that you
had previously allocated, and *you want to iterate in order of
oldest-to-youngest allocation*, you need to reverse the chunks iterator and
also reverse the order in which you loop through the data within a chunk!
For example, if you had this code:
```rust
unsafe {
bump.each_allocated_chunk(|chunk| {
for byte in chunk {
// Touch each byte in oldest-to-youngest allocation order...
}
});
}
```
It should become this code:
```rust
let mut chunks: Vec<_> = bump.iter_allocated_chunks().collect();
chunks.reverse();
for chunk in chunks {
for byte in chunk.iter().rev() {
let byte = unsafe { byte.assume_init() };
// Touch each byte in oldest-to-youngest allocation order...
}
}
```
The good news is that this change yielded a *speed up in allocation throughput
of 3-19%!*
See https://github.com/fitzgen/bumpalo/pull/37 and
https://fitzgeraldnick.com/2019/11/01/always-bump-downwards.html for details.
* **BREAKING:** The `collections` cargo feature is no longer on by default. You
must explicitly turn it on if you intend to use the `bumpalo::collections`
module.
* `Bump::reset` will now retain only the last allocated chunk (the biggest),
rather than only the first allocated chunk (the smallest). This should enable
`Bump` to better adapt to workload sizes and quickly reach a steady state
where new chunks are not requested from the global allocator.
### Removed
* The `Bump::each_allocated_chunk` method is removed in favor of
`Bump::iter_allocated_chunks`. Note that its safety requirements for reading
from the allocated chunks are slightly different from the old
`each_allocated_chunk`: only up to 16-byte alignment is supported now. If you
allocate anything with greater alignment than that into the bump arena, there
might be uninitilized padding inserted in the chunks, and therefore it is no
longer safe to read them via `MaybeUninit::assume_init`. See also the note
about bump direction in the "changed" section; if you're iterating chunks,
you're likely affected by that change!
* The `std` cargo feature has been removed, since this crate is now always
no-std.
## Fixed
* Fixed a bug involving potential integer overflows with large requested
allocation sizes.
--------------------------------------------------------------------------------
# 2.6.0
Released 2019-08-19.
* Implement `Send` for `Bump`.
--------------------------------------------------------------------------------
# 2.5.0
Released 2019-07-01.
* Add `alloc_slice_copy` and `alloc_slice_clone` methods that allocate space for
slices and either copy (with bound `T: Copy`) or clone (with bound `T: Clone`)
the provided slice's data into the newly allocated space.
--------------------------------------------------------------------------------
# 2.4.3
Released 2019-05-20.
* Fixed a bug where chunks were always deallocated with the default chunk
layout, not the layout that the chunk was actually allocated with (i.e. if we
started growing largers chunks with larger layouts, we would deallocate those
chunks with an incorrect layout).
--------------------------------------------------------------------------------
# 2.4.2
Released 2019-05-17.
* Added an implementation `Default` for `Bump`.
* Made it so that if bump allocation within a chunk overflows, we still try to
allocate a new chunk to bump out of for the requested allocation. This can
avoid some OOMs in scenarios where the chunk we are currently allocating out
of is very near the high end of the address space, and there is still
available address space lower down for new chunks.
--------------------------------------------------------------------------------
# 2.4.1
Released 2019-04-19.
* Added readme metadata to Cargo.toml so it shows up on crates.io
--------------------------------------------------------------------------------
# 2.4.0
Released 2019-04-19.
* Added support for `realloc`ing in-place when the pointer being `realloc`ed is
the last allocation made from the bump arena. This should speed up various
`String`, `Vec`, and `format!` operations in many cases.
--------------------------------------------------------------------------------
# 2.3.0
Released 2019-03-26.
* Add the `alloc_with` method, that (usually) avoids stack-allocating the
allocated value and then moving it into the bump arena. This avoids potential
stack overflows in release mode when allocating very large objects, and also
some `memcpy` calls. This is similar to the `copyless` crate. Read [the
`alloc_with` doc comments][alloc-with-doc-comments] and [the original issue
proposing this API][issue-proposing-alloc-with] for more.
[alloc-with-doc-comments]: https://github.com/fitzgen/bumpalo/blob/9f47aee8a6839ba65c073b9ad5372aacbbd02352/src/lib.rs#L436-L475
[issue-proposing-alloc-with]: https://github.com/fitzgen/bumpalo/issues/10
--------------------------------------------------------------------------------
# 2.2.2
Released 2019-03-18.
* Fix a regression from 2.2.1 where chunks were not always aligned to the chunk
footer's alignment.
--------------------------------------------------------------------------------
# 2.2.1
Released 2019-03-18.
* Fix a regression in 2.2.0 where newly allocated bump chunks could fail to have
capacity for a large requested bump allocation in some corner cases.
--------------------------------------------------------------------------------
# 2.2.0
Released 2019-03-15.
* Chunks in an arena now start out small, and double in size as more chunks are
requested.
--------------------------------------------------------------------------------
# 2.1.0
Released 2019-02-12.
* Added the `into_bump_slice` method on `bumpalo::collections::Vec<T>`.
--------------------------------------------------------------------------------
# 2.0.0
Released 2019-02-11.
* Removed the `BumpAllocSafe` trait.
* Correctly detect overflows from large allocations and panic.
--------------------------------------------------------------------------------
# 1.2.0
Released 2019-01-15.
* Fixed an overly-aggressive `debug_assert!` that had false positives.
* Ported to Rust 2018 edition.
--------------------------------------------------------------------------------
# 1.1.0
Released 2018-11-28.
* Added the `collections` module, which contains ports of `std`'s collection
types that are compatible with backing their storage in `Bump` arenas.
* Lifted the limits on size and alignment of allocations.
--------------------------------------------------------------------------------
# 1.0.2
--------------------------------------------------------------------------------
# 1.0.1
--------------------------------------------------------------------------------
# 1.0.0
|
