@iii-i Any chance you have the time for commenting on the feasibility for porting the DFLTCC code to using this allocator and removing most of the custom allocation code? Any obvious problems that need to be caught early?

I have looked at the code, and I think it is doable, but I don't really know that part of the code at all, and it'd probably require trial-and-error to implement this I think. If you want to contribute a patch, that'd be awesome too. Worst case (I really want to avoid doing that though) is doing a point release without s390x DFLTCC support while it gets brought up to speed.

Hi, I think there are no huge compatibility problems for DFLTCC in this PR. I currently have a draft commit that adapts the code and survives the regtest: https://github.com/iii-i/zlib-ng/releases/tag/single-malloc-dfltcc-20240430.

Hi, I think there are no huge compatibility problems for DFLTCC in this PR. I currently have a draft commit that adapts the code and survives the regtest: iii-i/zlib-ng@single-malloc-dfltcc-20240430 (release).

That is great. Maybe you should do a PR for that based on top of this.
When looking through it, I notice it looks like a pretty substantial cleanup 👍.
I only noticed one thing I'd prefer changed; in deflate.h, move arch_deflate_state arch; ~10 lines up, to right below deflate_allocs *alloc_bufs;. That group has a natural 16-byte alignment, it should not have any negative effect whether it is there or not, and it avoids having it dangling at the end after the padding bytes 😄.
There might also be a potential for getting rid of dfltcc_common.c, as ZCOPY_WINDOW is only used from inflate.

Will do. Unfortunately I found some issues which I don't fully understand yet; but now I have at least a couple bite-sized commits that make sense on their own, which I will post as separate PRs (here is the first one: #1717).

Interesting removal of ZCOPY_DEFLATE_STATE and the one for inflate also. Is it no longer necessary? I wonder what kind of optimization DFLTCC was doing.

Configure script changes LGTM.

Interesting removal of ZCOPY_DEFLATE_STATE and the one for inflate also. Is it no longer necessary? I wonder what kind of optimization DFLTCC was doing.

I was initially uncertain whether to keep those around or not, since I was unsure what DFLTCC needed to do. But when @iii-i posted his initial patch that also removed those, I figured I might as well do so in this patch where it fits with the other changes in the same areas, and then the s390x changes will be more self-contained and easier to review as well.

Rebased

ZCOPY_DEFLATE_STATE is not an optimization - DFLTCC needs to maintain state of its own, it is allocated alongside deflate/inflate state, and needs to be copied on deflateCopy() / inflateCopy(). In order to make things as unintrusive as possible, in my zlib patch I chose not to modify the structs, but rather to introduce hooks and do pointer arithmetics there. This rewrite is an opportunity to simplify things (#1718) at the cost of making DFLTCC support a little bit more intrusive, which is hopefully okay.

P.S. I wonder in which order this and #1718 should go in? I'd prefer to land #1718 first, since it's more local and as far as I'm concerned is ready.

Fix for arch/s390/dfltcc_detail.h:222:12: error: call to undeclared function 'ZALLOC': #1728
Fix for CI: #1726, #1725

So, putting on some exploit mitigation goggles, I do worry about this one a tiny bit:

While doing alloc(), we now store pointer to corresponding free(), avoiding crashes with applications that incorrectly set alloc/free pointers after running init function.

Doesn't this mean we effectively are giving a user controlled pointer for every allocation? Granted we were already doing that at library initialization time, I'm just wondering if giving this to something possibly controllable by the user, not just the developer, becomes a bit dangerous. I get that this makes us resilient to a pretty brutal crash from mono but...it just seems like it might be easy to craft a gzip or png file that could readily exploit this. Yes, I realize that we are the allocators here and not the user, I'm just wondering if a well crafted input file could lie about remaining lengths such that we end up writing a malicious location behind a buffer. This is now several pointers that are vulnerable, rather than just one in the init structure that is outside of the purview of the user. Am I wrong or overly paranoid here?

@KungFuJesus I'm not sure this PR really changes that.

The free pointer is set during init() both now and before, but now we copy it to somewhere where the application using zlib can't easily change it after init() (at least without accessing the structs and buffers that have no exported interfaces to make sense of them).

Doesn't this mean we effectively are giving a user controlled pointer for every allocation? Granted we were already doing that at library initialization time, I'm just wondering if giving this to something possibly controllable by the user, not just the developer, becomes a bit dangerous.

How does this become controllable by the user? The developer of the application using zlib needs to set this through the z_stream struct during init(). Who is the user here?

This is now several pointers that are vulnerable, rather than just one in the init structure that is outside of the purview of the user.

I am not sure what you mean by the init structure is outside the purview of the user. The "init structure" or z_stream is passed to zlib for every function call from the application, and contains the pointer both to free, malloc and to the internal state struct. (And the internal state struct also contains a pointer back to z_stream).

We also have other function pointers in structs in various places.
I'm not sure what makes this pointer to free any worse than those.

I fear we'd have to do a lot more invasive changes if we wanted to harden all our pointers from attacks. Possibly we could use mproctect() / VirtualProtect(), but that'd mean moving all function pointers to a separate page-sized+aligned buffer. Also it'd interfere with things like changing deflate levels.

Sorry I realize some of this was poorly articulated. Looking at the code now, I see it's set in the strm struct, not per allocation as I had anticipated based on that summary. We're no worse off for that. Had it been a pointer at the beginning of the allocation it might have been another story (though, I think the inflate code always writes forward in the buffer, never backward).

So as it stands now (after this PR), if the user tries to switch out the zalloc/zfree functions after init (the situation that is causing the grief, of course), we ignore the values and use the matching free that it should be?

So as it stands now (after this PR), if the user tries to switch out the zalloc/zfree functions after init (the situation that is causing the grief, of course), we ignore the values and use the matching free that it should be?

Yes, assuming of course that the application doesn't set a mismatching free in the first place, but that would be a very clear bug in the application.

@iii-i I am getting ready to merge this, did you get anywhere with updating the DFLTCC support?

I'm currently rebasing my DFLTCC change and I believe I found a bug with my fuzzer (see #1731 for a reproducer): inflateCopy() reuses the old window pointer. I propose the following fixup to this PR:

--- a/inflate.c
+++ b/inflate.c
@@ -1405,7 +1405,6 @@ int32_t Z_EXPORT PREFIX(inflateCopy)(PREFIX3(stream) *dest, PREFIX3(stream) *sou
     if (alloc_bufs == NULL)
         return Z_MEM_ERROR;
     copy = alloc_bufs->state;
-    copy->window = alloc_bufs->window;
 
     /* copy state */
     memcpy(copy, state, sizeof(struct inflate_state));
@@ -1416,6 +1415,7 @@ int32_t Z_EXPORT PREFIX(inflateCopy)(PREFIX3(stream) *dest, PREFIX3(stream) *sou
     }
     copy->next = copy->codes + (state->next - state->codes);
     copy->alloc_bufs = alloc_bufs;
+    copy->window = alloc_bufs->window;
 
     /* window */
     memcpy(copy->window, state->window, INFLATE_ADJUST_WINDOW_SIZE((size_t)state->wsize));

Edit: the current version is here: https://github.com/iii-i/zlib-ng/releases/tag/single-malloc-dfltcc-20240521. It's based on this PR + fixup + cleanup from @phprus + the reproducer. I think it would be better if you could just squash the DFLTCC commit into this PR, since otherwise bisect will be broken on s390x in the future.

@iii-i Merged in your changes, and squashed one of my commits into the others to try to make things always be in a working state for each commit. Please have a look in case I made any merging errors.