Further harden FastMalloc
author: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Fri, 21 Dec 2012 22:22:24 +0000 (22:22 +0000)
committer: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Fri, 21 Dec 2012 22:22:24 +0000 (22:22 +0000)
commit: cc6409b3831c050fa587ca2011e272b22940605f
tree: 6739ade7d020b515c68f58747166aec7876609a6
parent: b54626015a091ea523e3511ca8090882ac361e5b
Further harden FastMalloc
https://bugs.webkit.org/show_bug.cgi?id=105656

Reviewed by Gavin Barraclough.

This increases the degree to which we harden the FastMalloc
linked lists.  We now also mask the previous and next pointers
in the doubly linked list implementation.  I've also made
the masking itself somewhat more complex without a measurable
cost.  We still use ASLR to provide some general entropy, but
we blind the pointers against each node's 'this' pointer.

* wtf/FastMalloc.cpp:
(WTF::ClassIndex):
(WTF::SLL_Next):
(WTF::SLL_SetNext):
(WTF::Span::next):
(WTF::Span::prev):
(WTF::Span::setNext):
(WTF::Span::setPrev):
(Span):
  As Span now has to do masking on the next and previous pointers,
  I've updated the code to use accessors instead.
(WTF::DLL_Init):
(WTF::DLL_Remove):
(WTF::DLL_IsEmpty):
(WTF::DLL_Length):
(WTF::DLL_Prepend):
(WTF::TCMalloc_Central_FreeList::enumerateFreeObjects):
(WTF::TCMalloc_PageHeap::scavenge):
(WTF::TCMalloc_PageHeap::New):
(WTF::TCMalloc_PageHeap::AllocLarge):
(WTF::TCMalloc_PageHeap::ReturnedBytes):
(WTF::TCMalloc_PageHeap::Check):
(WTF::TCMalloc_PageHeap::CheckList):
(WTF::TCMalloc_PageHeap::ReleaseFreeList):
(WTF::TCMalloc_Central_FreeList::FetchFromSpans):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@138398 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WTF/ChangeLog
Source/WTF/wtf/FastMalloc.cpp
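The pointer-masking scheme the ChangeLog describes, as an added C example that is not WebKit's own FastMalloc code: Span links are stored blinded against a process-wide secret and the storing node's own address, and every list operation goes through accessors. The mask function, the constant standing in for ASLR entropy, and all function names here are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Secret folded into every mask. FastMalloc draws it from ASLR; this constant is constructed. */
static const uintptr_t kEntropy = (uintptr_t)0x5a3c9e17d2b4f681ULL;

typedef struct Span { uintptr_t maskedNext, maskedPrev; } Span;   /* links are stored blinded */

/* Blind a word against the storing node plus the secret; XOR is its own inverse. Hypothetical mix. */
static uintptr_t blind(const Span *owner, uintptr_t v) {
    uintptr_t key = kEntropy ^ (uintptr_t)owner;
    key ^= key >> 17;                  /* let high-order entropy reach the low bits */
    return v ^ key;
}
/* Accessors: every list operation goes through these, as the ChangeLog describes. */
static Span *spanNext(const Span *s) { return (Span *)blind(s, s->maskedNext); }
static Span *spanPrev(const Span *s) { return (Span *)blind(s, s->maskedPrev); }
static void spanSetNext(Span *s, Span *n) { s->maskedNext = blind(s, (uintptr_t)n); }
static void spanSetPrev(Span *s, Span *p) { s->maskedPrev = blind(s, (uintptr_t)p); }
/* Circular doubly linked list with a sentinel, in the shape of DLL_*. */
static void dllInit(Span *list) { spanSetNext(list, list); spanSetPrev(list, list); }
static void dllPrepend(Span *list, Span *s) {
    Span *first = spanNext(list);
    spanSetNext(s, first);  spanSetPrev(s, list);
    spanSetPrev(first, s);  spanSetNext(list, s);
}
static void dllRemove(Span *s) {
    Span *p = spanPrev(s), *n = spanNext(s);
    spanSetNext(p, n);  spanSetPrev(n, p);
    spanSetNext(s, NULL);  spanSetPrev(s, NULL);
}
static size_t dllLength(const Span *list) {
    size_t n = 0;
    for (const Span *s = spanNext(list); s != list; s = spanNext(s)) n++;
    return n;
}
/* Normal use: prepend two spans, remove one, verify the links still resolve. */
static int listOpsOk(void) {
    Span list, a, b;
    dllInit(&list);
    dllPrepend(&list, &a);  dllPrepend(&list, &b);
    if (dllLength(&list) != 2 || spanNext(&list) != &b) return 0;
    dllRemove(&b);
    return dllLength(&list) == 1 && spanPrev(&a) == &list;
}
/* Why it hardens: the stored word is node-specific, and a raw write does not round-trip. */
static int maskingHolds(void) {
    Span a, b, c;
    spanSetNext(&a, &c);  spanSetNext(&b, &c);
    if (a.maskedNext == b.maskedNext) return 0;   /* same target, different mask per node */
    a.maskedNext = (uintptr_t)&c;                 /* a raw store that bypasses spanSetNext */
    return spanNext(&a) != &c;                    /* does not unmask to the intended target */
}
```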