Changeset 143424 in webkit
- Timestamp:
- Feb 19, 2013 6:46:28 PM (11 years ago)
- Location:
- trunk/Source/WTF
- Files:
-
- 2 edited
-
ChangeLog (modified) (1 diff)
-
wtf/FastMalloc.cpp (modified) (5 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WTF/ChangeLog
r143400 r143424 1 2013-02-19 Sheriff Bot <webkit.review.bot@gmail.com> 2 3 Unreviewed, rolling out r143400. 4 http://trac.webkit.org/changeset/143400 5 https://bugs.webkit.org/show_bug.cgi?id=110290 6 7 breaks everything (instacrash launching Safari) (Requested by 8 thorton on #webkit). 9 10 * wtf/FastMalloc.cpp: 11 (WTF::internalEntropyValue): 12 (WTF): 13 (WTF::TCMalloc_Central_FreeList::Populate): 14 (WTF::TCMalloc_ThreadCache::Allocate): 15 (WTF::TCMalloc_ThreadCache::Deallocate): 16 1 17 2013-02-19 Oliver Hunt <oliver@apple.com> 2 18 -
trunk/Source/WTF/wtf/FastMalloc.cpp
r143400 r143424 545 545 }; 546 546 547 static ALWAYS_INLINE uintptr_t internalEntropyValue() 548 { 547 static ALWAYS_INLINE uintptr_t internalEntropyValue() { 549 548 static uintptr_t value = EntropySource<sizeof(uintptr_t)>::value(); 550 549 ASSERT(value); … … 556 555 #define XOR_MASK_PTR_WITH_KEY(ptr, key, entropy) (reinterpret_cast<typeof(ptr)>(reinterpret_cast<uintptr_t>(ptr)^(ROTATE_VALUE(reinterpret_cast<uintptr_t>(key), MaskKeyShift)^entropy))) 557 556 558 559 static ALWAYS_INLINE uint32_t freedObjectStartPoison() 560 { 561 static uint32_t value = EntropySource<sizeof(uint32_t)>::value(); 562 ASSERT(value); 563 return value; 564 } 565 566 static ALWAYS_INLINE uint32_t freedObjectEndPoison() 567 { 568 static uint32_t value = EntropySource<sizeof(uint32_t)>::value(); 569 ASSERT(value); 570 return value; 571 } 572 573 #define PTR_TO_UINT32(ptr) static_cast<uint32_t>(reinterpret_cast<uintptr_t>(ptr)) 574 #define END_POISON_INDEX(allocationSize) (((allocationSize) - sizeof(uint32_t)) / sizeof(uint32_t)) 575 #define POISON_ALLOCATION(allocation, allocationSize) do { \ 576 reinterpret_cast<uint32_t*>(allocation)[0] = 1; \ 577 reinterpret_cast<uint32_t*>(allocation)[1] = 1; \ 578 if (allocationSize < 4 * sizeof(uint32_t)) \ 579 break; \ 580 reinterpret_cast<uint32_t*>(allocation)[2] = 1; \ 581 reinterpret_cast<uint32_t*>(allocation)[END_POISON_INDEX(allocationSize)] = 1; \ 582 } while (false); 583 584 #define POISON_DEALLOCATION_EXPLICIT(allocation, allocationSize, startPoison, endPoison) do { \ 585 if (allocationSize < 4 * sizeof(uint32_t)) \ 586 break; \ 587 reinterpret_cast<uint32_t*>(allocation)[2] = (startPoison) ^ PTR_TO_UINT32(allocation); \ 588 reinterpret_cast<uint32_t*>(allocation)[END_POISON_INDEX(allocationSize)] = (endPoison) ^ PTR_TO_UINT32(allocation); \ 589 } while (false) 590 591 #define POISON_DEALLOCATION(allocation, allocationSize) \ 592 POISON_DEALLOCATION_EXPLICIT(allocation, allocationSize, freedObjectStartPoison(), freedObjectEndPoison()) 593 594 #define MAY_BE_POISONED(allocation, allocationSize) (((allocationSize) >= 4 * sizeof(uint32_t)) && ( \ 595 (reinterpret_cast<uint32_t*>(allocation)[2] == (freedObjectStartPoison() ^ PTR_TO_UINT32(allocation))) || \ 596 (reinterpret_cast<uint32_t*>(allocation)[END_POISON_INDEX(allocationSize)] == (freedObjectEndPoison() ^ PTR_TO_UINT32(allocation))) \ 597 )) 598 599 #define IS_DEFINITELY_POISONED(allocation, allocationSize) (((allocationSize) < 4 * sizeof(uint32_t)) || ( \ 600 (reinterpret_cast<uint32_t*>(allocation)[2] == (freedObjectStartPoison() ^ PTR_TO_UINT32(allocation))) && \ 601 (reinterpret_cast<uint32_t*>(allocation)[END_POISON_INDEX(allocationSize)] == (freedObjectEndPoison() ^ PTR_TO_UINT32(allocation))) \ 602 )) 603 604 #else 605 606 #define POISON_ALLOCATION(allocation, allocationSize) 607 #define POISON_DEALLOCATION(allocation, allocationSize) 608 #define POISON_DEALLOCATION_EXPLICIT(allocation, allocationSize, startPoison, endPoison) 609 #define MAY_BE_POISONED(allocation, allocationSize) (false) 610 #define IS_DEFINITELY_POISONED(allocation, allocationSize) (true) 557 #else 611 558 #define XOR_MASK_PTR_WITH_KEY(ptr, key, entropy) (((void)entropy), ((void)key), ptr) 612 613 559 #define HARDENING_ENTROPY 0 614 615 #endif 560 #endif 561 616 562 617 563 //------------------------------------------------------------------- … … 2585 2531 } 2586 2532 2587 // Runs through the linked list to ensure that2588 // we can do that, and ensures that 'missing'2589 // is not present2590 NEVER_INLINE void Validate(HardenedSLL missing) {2591 HardenedSLL node = list_;2592 while (node) {2593 RELEASE_ASSERT(node != missing);2594 node = SLL_Next(node, entropy_);2595 }2596 }2597 2598 2533 #ifdef WTF_CHANGES 2599 2534 template <class Finder, class Reader> … … 3107 3042 char* ptr = start + (npages << kPageShift) - ((npages << kPageShift) % size); 3108 3043 int num = 0; 3109 #if ENABLE(TCMALLOC_HARDENING)3110 uint32_t startPoison = freedObjectStartPoison();3111 uint32_t endPoison = freedObjectEndPoison();3112 #endif3113 3114 3044 while (ptr > start) { 3115 3045 ptr -= size; 3116 3046 HardenedSLL node = HardenedSLL::create(ptr); 3117 POISON_DEALLOCATION_EXPLICIT(ptr, size, startPoison, endPoison);3118 3047 SLL_SetNext(node, head, entropy_); 3119 3048 head = node; … … 3187 3116 } 3188 3117 size_ -= allocationSize; 3189 void* result = list->Pop(); 3190 if (!result) 3191 return 0; 3192 RELEASE_ASSERT(IS_DEFINITELY_POISONED(result, allocationSize)); 3193 POISON_ALLOCATION(result, allocationSize); 3194 return result; 3118 return list->Pop(); 3195 3119 } 3196 3120 3197 3121 inline void TCMalloc_ThreadCache::Deallocate(HardenedSLL ptr, size_t cl) { 3198 size_t allocationSize = ByteSizeForClass(cl); 3199 size_ += allocationSize; 3122 size_ += ByteSizeForClass(cl); 3200 3123 FreeList* list = &list_[cl]; 3201 if (MAY_BE_POISONED(ptr.value(), allocationSize))3202 list->Validate(ptr);3203 3204 POISON_DEALLOCATION(ptr.value(), allocationSize);3205 3124 list->Push(ptr); 3206 3125 // If enough data is free, put back into central cache
Note: See TracChangeset
for help on using the changeset viewer.
