Add a guard page in front of metadata allocations.

third_party/tcmalloc/chromium/src/page_heap_allocator.h

 // Copyright (c) 2008, Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 20 matching lines @@
 // Author: Sanjay Ghemawat <opensource@google.com>
 
 #ifndef TCMALLOC_PAGE_HEAP_ALLOCATOR_H_
 #define TCMALLOC_PAGE_HEAP_ALLOCATOR_H_
 
 #include <stddef.h>                     // for NULL, size_t
 
 #include "common.h"            // for MetaDataAlloc
 #include "free_list.h"          // for FL_Push/FL_Pop
 #include "internal_logging.h"  // for ASSERT, CRASH
+#include "system-alloc.h"      // for TCMalloc_SystemAddGuard
 
 namespace tcmalloc {
 
 // Simple allocator for objects of a specified type.  External locking
 // is required before accessing one of these objects.
 template <class T>
 class PageHeapAllocator {
  public:
   // We use an explicit Init function because these variables are statically
   // allocated and their constructors might not have run by the time some
@@ skipping 16 matching lines @@
     } else {
       if (free_avail_ < sizeof(T)) {
         // Need more room. We assume that MetaDataAlloc returns
         // suitably aligned memory.
         free_area_ = reinterpret_cast<char*>(MetaDataAlloc(kAllocIncrement));
         if (free_area_ == NULL) {
           CRASH("FATAL ERROR: Out of memory trying to allocate internal "
                 "tcmalloc data (%d bytes, object-size %d)\n",
                 kAllocIncrement, static_cast<int>(sizeof(T)));
         }
-        free_avail_ = kAllocIncrement;
+
+        // This guard page protects the metadata from being corrupted by a
+        // buffer overrun. We currently have no mechanism for freeing it, since
+        // we never release the metadata buffer. If that changes we'll need to
+        // add something like TCMalloc_SystemRemoveGuard.
+        size_t guard_size = TCMalloc_SystemAddGuard(free_area_, kAllocIncrement);
+        free_area_ += guard_size;
+        free_avail_ = kAllocIncrement - guard_size;
       }
       result = free_area_;

[jar (doing other things), 2011/11/24 01:08:07]

This code assumes that when we get back memory, that free-avail_ is larger than
sizeof(T).  I think you cut it too close when you agreed to guard when the page
size matched the kAllocIncrement.

You probably want ot CRASH if you're still < sizeof(T)

[jschuh, 2011/11/28 18:33:36]

Yes I do.

       free_area_ += sizeof(T);
       free_avail_ -= sizeof(T);
     }
     inuse_++;
     return reinterpret_cast<T*>(result);
   }
 
   void Delete(T* p) {
     FL_Push(&free_list_, p);
     inuse_--;
@@ skipping 12 matching lines @@
   // Free list of already carved objects
   void* free_list_;
 
   // Number of allocated but unfreed objects
   int inuse_;
 };
 
 }  // namespace tcmalloc
 
 #endif  // TCMALLOC_PAGE_HEAP_ALLOCATOR_H_