Mask freelist entries in tcmalloc

third_party/tcmalloc/chromium/src/free_list.cc

Index: third_party/tcmalloc/chromium/src/free_list.cc
===================================================================
--- third_party/tcmalloc/chromium/src/free_list.cc	(revision 157450)
+++ third_party/tcmalloc/chromium/src/free_list.cc	(working copy)
@@ -59,8 +59,10 @@
 // head to NULL.
 
 
+#include <limits>
 #include <stddef.h>
 #include "free_list.h"
+#include "system-alloc.h"
 
 #if defined(TCMALLOC_USE_DOUBLYLINKED_FREELIST)
 
@@ -78,15 +80,27 @@
   Log(kCrash, __FILE__, __LINE__, "Circular loop in list detected: ", next);
 }
 
+inline void* MaskPtr(void* p) {
+  // Maximize ASLR entropy and guarantee the result is an invalid address.
+  const uintptr_t q = ~(reinterpret_cast<intptr_t>(TCMalloc_SystemAlloc) >> 13);
+  // Do not mask NULL pointers, otherwise we could leak address state.
+  const uintptr_t mask = static_cast<intptr_t>(!p) - 1;

[jar (doing other things), 2012/09/20 17:13:57]

Why play these fancy math games? Why not:

if (!p)
  return p;

[jschuh, 2012/09/20 17:26:14]

Because I thought you'd be displeased with me for adding a branch. But I'm happy
to assume the compiler will do the cleverness instead.

[jar (doing other things), 2012/09/20 17:33:30]

I would never be displeased with you ;-).

IF you want to play compiler optimizer, you could hope that we don't hit the end
of the lists that often, and optimized for the "fast" case of XOR:

if (p)
  return ... ^ p;
return p;

I think the compiler optimizes for the if-true case... but I suspect this will
not break us (or be any where near measurable, compared with the forward-back
pointer stuff we've already landed).

+  return reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(p) ^ (mask & q));
+}
+
+inline void* UnmaskPtr(void* p) {
+  return MaskPtr(p);
+}
+
 // Returns value of the |previous| pointer w/out running a sanity
 // check.
 inline void *FL_Previous_No_Check(void *t) {
-  return reinterpret_cast<void**>(t)[1];
+  return UnmaskPtr(reinterpret_cast<void**>(t)[1]);
 }
 
 // Returns value of the |next| pointer w/out running a sanity check.
 inline void *FL_Next_No_Check(void *t) {
-  return reinterpret_cast<void**>(t)[0];
+  return UnmaskPtr(reinterpret_cast<void**>(t)[0]);
 }
 
 void *FL_Previous(void *t) {
@@ -99,12 +113,12 @@
 
 inline void FL_SetPrevious(void *t, void *n) {
   EnsureNonLoop(t, n);
-  reinterpret_cast<void**>(t)[1] = n;
+  reinterpret_cast<void**>(t)[1] = MaskPtr(n);
 }
 
 inline void FL_SetNext(void *t, void *n) {
   EnsureNonLoop(t, n);
-  reinterpret_cast<void**>(t)[0] = n;
+  reinterpret_cast<void**>(t)[0] = MaskPtr(n);
 }
 
 } // namespace