Moar hardening
author    oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 20 Feb 2013 00:13:26 +0000 (00:13 +0000)
committer oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 20 Feb 2013 00:13:26 +0000 (00:13 +0000)
commit    6cb8394a951b0178f62cf23bf51c371c3a840e36
tree      5d584710dde88f0c8194daf129aeefa88f8c741e
parent    3f9b226dd904faaac3fa734f98313bc343519124
Moar hardening
https://bugs.webkit.org/show_bug.cgi?id=110275

Reviewed by Anders Carlsson.

We now poison objects when they get freed, and verify that
any object that is being freed is not poisoned.  If the
object looks like it's poisoned we validate the freelist,
and ensure the object is not already present.  If it is
we crash.

On allocation, we ensure that the object being allocated
is poisoned, then clear the poisoning fields.

* wtf/FastMalloc.cpp:
(WTF::internalEntropyValue):
(WTF):
(WTF::freedObjectStartPoison):
(WTF::freedObjectEndPoison):
(TCMalloc_ThreadCache_FreeList):
(WTF::TCMalloc_ThreadCache_FreeList::Validate):
(WTF::TCMalloc_Central_FreeList::Populate):
(WTF::TCMalloc_ThreadCache::Allocate):
(WTF::TCMalloc_ThreadCache::Deallocate):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@143400 268f45cc-cd09-0410-ab3c-d52691b4dbfc
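The free-and-allocate checks the commit message describes, as an added example that is not WebKit's FastMalloc code: a toy pool allocator in C with a singly linked free list threaded through the first word of each block, poison words written at the start and end of a freed block, a double-free check that walks the free list only when the block being freed already looks poisoned, and an allocation-time check that the block leaving the list is still poisoned before its poison fields are cleared. The block size, the poison constants, the entropy seed, the error codes and every function name here are assumptions; the real allocator crashes where this example returns an error code so the behaviour can be checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy pool: BLOCK_COUNT blocks of BLOCK_WORDS machine words each.
 * Sizes are illustrative assumptions, not FastMalloc's size classes. */
#define BLOCK_COUNT 8
#define BLOCK_WORDS 4

static uintptr_t pool[BLOCK_COUNT][BLOCK_WORDS];
static uintptr_t *free_head;   /* free list linked through word 0 of each block */
static uintptr_t entropy;      /* per-run secret mixed into the poison values */

enum { OK = 0, ERR_DOUBLE_FREE = 1, ERR_CORRUPT_FREELIST = 2, ERR_OUT_OF_MEMORY = 3 };

/* Poison values depend on a per-run secret so a fixed pattern written by the
 * application cannot, by accident or on purpose, look like a freed block. */
static uintptr_t start_poison(void) { return (uintptr_t)0xBADBEEF1u ^ entropy; }
static uintptr_t end_poison(void)   { return (uintptr_t)0xF00DFACEu ^ entropy; }

/* A block "looks freed" when both poison words are intact. */
static int looks_poisoned(const uintptr_t *block) {
    return block[1] == start_poison() && block[BLOCK_WORDS - 1] == end_poison();
}

/* Walk the free list (bounded, in case it has been corrupted into a cycle)
 * and report whether block is already on it. */
static int freelist_contains(const uintptr_t *block) {
    int steps = 0;
    for (uintptr_t *p = free_head; p && steps < BLOCK_COUNT; p = (uintptr_t *)p[0], steps++)
        if (p == block) return 1;
    return 0;
}

static void push_free(uintptr_t *b) {
    b[0] = (uintptr_t)free_head;
    b[1] = start_poison();
    b[BLOCK_WORDS - 1] = end_poison();
    free_head = b;
}

void pool_init(uintptr_t seed) {
    entropy = seed;
    free_head = NULL;
    for (int i = BLOCK_COUNT - 1; i >= 0; i--) {
        memset(pool[i], 0, sizeof pool[i]);
        push_free(pool[i]);
    }
}

/* Free: if the block already carries the poison marks, validate the free list
 * and refuse the block when it is already present (a double free). */
int pool_free(void *ptr) {
    uintptr_t *b = ptr;
    if (looks_poisoned(b) && freelist_contains(b))
        return ERR_DOUBLE_FREE;
    push_free(b);
    return OK;
}

/* Allocate: a block coming off the free list must still be poisoned; if it is
 * not, something wrote into freed memory or the list was tampered with. */
int pool_alloc(void **out) {
    uintptr_t *b = free_head;
    if (!b) return ERR_OUT_OF_MEMORY;
    if (!looks_poisoned(b)) return ERR_CORRUPT_FREELIST;
    free_head = (uintptr_t *)b[0];
    b[0] = 0; b[1] = 0; b[BLOCK_WORDS - 1] = 0;   /* clear the poison fields */
    *out = b;
    return OK;
}

/* Exercise both checks; returns 1 when every scenario is caught as expected. */
int self_check(void) {
    void *a = NULL, *b = NULL;
    pool_init((uintptr_t)0x5EEDu);                 /* constructed seed */
    if (pool_alloc(&a) != OK || pool_alloc(&b) != OK || a == b) return 0;
    if (pool_free(a) != OK) return 0;
    if (pool_free(a) != ERR_DOUBLE_FREE) return 0;   /* second free is caught */
    if (pool_free(b) != OK) return 0;
    ((uintptr_t *)b)[1] = 0;                       /* simulated write into freed memory */
    if (pool_alloc(&a) != ERR_CORRUPT_FREELIST) return 0;
    return 1;
}

int main(void) {
    printf("self_check: %s\n", self_check() ? "all scenarios detected" : "FAILED");
    return 0;
}
```

The free-list walk only runs when the block already looks poisoned, which keeps the common path at two word compares; the bound on the walk is the example's own addition, so a list that has been corrupted into a cycle terminates with a verdict instead of hanging.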
Source/WTF/ChangeLog
Source/WTF/wtf/FastMalloc.cpp