Changeset 239245 in webkit
- Timestamp:
- Dec 14, 2018 7:05:59 PM (5 years ago)
- Location:
- trunk/Source/bmalloc
- Files:
-
- 2 edited
trunk/Source/bmalloc/ChangeLog
r239185 r239245 1 2018-12-14 Keith Miller <keith_miller@apple.com> 2 3 Gigacage runway should immediately follow the primitive cage 4 https://bugs.webkit.org/show_bug.cgi?id=192733 5 6 Reviewed by Saam Barati. 7 8 This patch makes sure that the Gigacage runway is always 9 immediately after the primitive cage. Since writing outside the 10 primitive gigacage is likely to be more dangerous than the JSValue 11 cage. The ordering of the cages is still random however. 12 13 * bmalloc/Gigacage.cpp: 14 (Gigacage::ensureGigacage): 15 1 16 2018-12-13 Mark Lam <mark.lam@apple.com> 2 17 -
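--- a/trunk/Source/bmalloc/bmalloc/Gigacage.cpp
+++ b/trunk/Source/bmalloc/bmalloc/Gigacage.cpp
@@ -100,4 +100,16 @@
 };
 
+#if GIGACAGE_ENABLED
+size_t runwaySize(Kind kind)
+{
+    switch (kind) {
+    case Kind::Primitive:
+        return static_cast<size_t>(GIGACAGE_RUNWAY);
+    case Kind::JSValue:
+        return static_cast<size_t>(0);
+    }
+}
+#endif
+
 } // anonymous namespace
 
@@ -141,8 +153,8 @@
     for (Kind kind : shuffledKinds) {
         totalSize = bump(kind, alignTo(kind, totalSize));
+        totalSize += runwaySize(kind);
         maxAlignment = std::max(maxAlignment, alignment(kind));
     }
-    totalSize += GIGACAGE_RUNWAY;
 
     // FIXME: Randomize where this goes.
     // https://bugs.webkit.org/show_bug.cgi?id=175245
@@ -156,12 +168,4 @@
     }
 
-    if (GIGACAGE_RUNWAY > 0) {
-        char* runway = reinterpret_cast<char*>(base) + totalSize - GIGACAGE_RUNWAY;
-        // Make OOB accesses into the runway crash.
-        vmRevokePermissions(runway, GIGACAGE_RUNWAY);
-    }
-
-    vmDeallocatePhysicalPages(base, totalSize);
-
     size_t nextCage = 0;
     for (Kind kind : shuffledKinds) {
@@ -169,6 +173,13 @@
         basePtr(kind) = reinterpret_cast<char*>(base) + nextCage;
         nextCage = bump(kind, nextCage);
-    }
-
+        if (runwaySize(kind) > 0) {
+            char* runway = reinterpret_cast<char*>(base) + nextCage;
+            // Make OOB accesses into the runway crash.
+            vmRevokePermissions(runway, runwaySize(kind));
+            nextCage += runwaySize(kind);
+        }
+    }
+
+    vmDeallocatePhysicalPages(base, totalSize);
     protectGigacageBasePtrs();
     g_wasEnabled = true;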
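Review bot: The new `runwaySize` (new lines 103-111) has no return path after the `switch`, so if `kind` is ever neither `Kind::Primitive` nor `Kind::JSValue` — a future enumerator, or a corrupted value — control falls off the end of a non-void function, which is undefined behaviour and would feed an arbitrary byte count into the layout and `vmRevokePermissions`. Rather than a `default:` label (which would silence `-Wswitch` for newly added enumerators), add an unreachable guard after the closing brace of the switch, e.g. `BCRASH(); return 0;`, matching how bmalloc already treats impossible states. In the second loop (new lines 175-179) `runwaySize(kind)` is evaluated three times; a single `const size_t runwayBytes = runwaySize(kind);` before the `if` reads more clearly and makes it obvious the same value sizes both the revoked region and the bump. `ensureGigacage` begins and ends outside this section, so the surrounding alignment of `nextCage` is not visible here.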