Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(19)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/WebCore/rendering/RenderArena.cpp

Issue 12334103: Merge 143811 (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/1364/
Patch Set: Created 7 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2003 Apple Computer, Inc. 2 * Copyright (C) 2003 Apple Computer, Inc.
3 * Copyright (C) Research In Motion Limited 2010. All rights reserved. 3 * Copyright (C) Research In Motion Limited 2010. All rights reserved.
4 * 4 *
5 * Portions are Copyright (C) 1998 Netscape Communications Corporation. 5 * Portions are Copyright (C) 1998 Netscape Communications Corporation.
6 * 6 *
7 * This library is free software; you can redistribute it and/or 7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public 8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either 9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version. 10 * version 2.1 of the License, or (at your option) any later version.
(...skipping 18 matching lines...) Expand all
29 * version of this file under the LGPL, indicate your decision by 29 * version of this file under the LGPL, indicate your decision by
30 * deletingthe provisions above and replace them with the notice and 30 * deletingthe provisions above and replace them with the notice and
31 * other provisions required by the MPL or the GPL, as the case may be. 31 * other provisions required by the MPL or the GPL, as the case may be.
32 * If you do not delete the provisions above, a recipient may use your 32 * If you do not delete the provisions above, a recipient may use your
33 * version of this file under any of the LGPL, the MPL or the GPL. 33 * version of this file under any of the LGPL, the MPL or the GPL.
34 */ 34 */
35 35
36 #include "config.h" 36 #include "config.h"
37 #include "RenderArena.h" 37 #include "RenderArena.h"
38 38
39 #include <limits>
39 #include <stdlib.h> 40 #include <stdlib.h>
40 #include <string.h> 41 #include <string.h>
41 #include <wtf/Assertions.h> 42 #include <wtf/Assertions.h>
43 #include <wtf/CryptographicallyRandomNumber.h>
42 44
43 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) 45 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
44 46
45 #ifdef NDEBUG 47 #ifdef NDEBUG
46 static void* MaskPtr(void* p, uintptr_t mask) 48 static void* MaskPtr(void* p, uintptr_t mask)
47 { 49 {
48 return reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(p) ^ mask); 50 return reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(p) ^ mask);
49 } 51 }
50 #endif 52 #endif
51 53
(...skipping 30 matching lines...) Expand all
82 memset(m_recyclers, 0, sizeof(m_recyclers)); 84 memset(m_recyclers, 0, sizeof(m_recyclers));
83 85
84 // Mask freelist pointers to detect corruption and stop freelist spraying. 86 // Mask freelist pointers to detect corruption and stop freelist spraying.
85 // We use an arbitray function and rely on ASLR to randomize it. 87 // We use an arbitray function and rely on ASLR to randomize it.
86 // The first value in RenderObject (or any class) is a vtable pointer, which 88 // The first value in RenderObject (or any class) is a vtable pointer, which
87 // always overlaps with the next pointer. This change guarantees that the 89 // always overlaps with the next pointer. This change guarantees that the
88 // masked vtable/next pointer will never point to valid memory. So, we 90 // masked vtable/next pointer will never point to valid memory. So, we
89 // should immediately crash on the first invalid vtable access for a stale 91 // should immediately crash on the first invalid vtable access for a stale
90 // RenderObject pointer. 92 // RenderObject pointer.
91 // See http://download.crowdstrike.com/papers/hes-exploiting-a-coalmine.pdf. 93 // See http://download.crowdstrike.com/papers/hes-exploiting-a-coalmine.pdf.
92 94 WTF::cryptographicallyRandomValues(&m_mask, sizeof(m_mask));
93 // The bottom bits are predictable because the binary is loaded on a 95 m_mask |= (static_cast<uintptr_t>(3) << (std::numeric_limits<uintptr_t>::dig its - 2)) | 1;
94 // boundary. This just shifts most of those predictable bits out.
95 m_mask = ~(reinterpret_cast<uintptr_t>(WTF::fastMalloc) >> 13);
96 } 96 }
97 97
98 RenderArena::~RenderArena() 98 RenderArena::~RenderArena()
99 { 99 {
100 FinishArenaPool(&m_pool); 100 FinishArenaPool(&m_pool);
101 } 101 }
102 102
103 void* RenderArena::allocate(size_t size) 103 void* RenderArena::allocate(size_t size)
104 { 104 {
105 ASSERT(size <= gMaxRecycledSize - 32); 105 ASSERT(size <= gMaxRecycledSize - 32);
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after
161 size = ROUNDUP(size, sizeof(void*)); 161 size = ROUNDUP(size, sizeof(void*));
162 162
163 const size_t index = size >> kRecyclerShift; 163 const size_t index = size >> kRecyclerShift;
164 void* currentTop = m_recyclers[index]; 164 void* currentTop = m_recyclers[index];
165 m_recyclers[index] = ptr; 165 m_recyclers[index] = ptr;
166 *((void**)ptr) = MaskPtr(currentTop, m_mask); 166 *((void**)ptr) = MaskPtr(currentTop, m_mask);
167 #endif 167 #endif
168 } 168 }
169 169
170 } // namespace WebCore 170 } // namespace WebCore
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698