Use the Oilpan heap canary only on 64-bit.

third_party/WebKit/Source/platform/heap/HeapPage.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 156 matching lines @@
     nonLargeObjectPageSizeMax >= blinkPageSize,
     "max size supported by HeapObjectHeader must at least be blinkPageSize");
 
 class PLATFORM_EXPORT HeapObjectHeader {
   DISALLOW_NEW_EXCEPT_PLACEMENT_NEW();
 
  public:
   // If |gcInfoIndex| is 0, this header is interpreted as a free list header.
   NO_SANITIZE_ADDRESS
   HeapObjectHeader(size_t size, size_t gcInfoIndex) {
-    m_magic = getMagic();
     // sizeof(HeapObjectHeader) must be equal to or smaller than
     // |allocationGranularity|, because |HeapObjectHeader| is used as a header
     // for a freed entry. Given that the smallest entry size is
     // |allocationGranurarity|, |HeapObjectHeader| must fit into the size.
     static_assert(
         sizeof(HeapObjectHeader) <= allocationGranularity,
         "size of HeapObjectHeader must be smaller than allocationGranularity");
+#if CPU(64BIT)
     static_assert(sizeof(HeapObjectHeader) == 8,
                   "sizeof(HeapObjectHeader) must be 8 bytes");
+    m_magic = getMagic();
+#endif
 
     ASSERT(gcInfoIndex < GCInfoTable::maxIndex);
     ASSERT(size < nonLargeObjectPageSizeMax);
     ASSERT(!(size & allocationMask));
     m_encoded = static_cast<uint32_t>(
         (gcInfoIndex << headerGCInfoIndexShift) | size |
         (gcInfoIndex == gcInfoIndexForFreeListHeader ? headerFreedBitMask : 0));
   }
 
   NO_SANITIZE_ADDRESS
@@ skipping 25 matching lines @@
 
   Address payload();
   size_t payloadSize();
   Address payloadEnd();
 
   // TODO(633030): Make |checkHeader| and |zapMagic| private. This class should
   // manage its integrity on its own, without requiring outside callers to
   // explicitly check.
   bool checkHeader() const;
 
+#if DCHECK_IS_ON() && CPU(64BIT)
   // Zap |m_magic| with a new magic number that means there was once an object
   // allocated here, but it was freed because nobody marked it during GC.
   void zapMagic();
+#endif
 
   void finalize(Address, size_t);
   static HeapObjectHeader* fromPayload(const void*);
 
   static const uint32_t zappedMagic = 0xDEAD4321;
 
  private:
+#if CPU(64BIT)
   // Returns a random value.
   //
   // The implementation gets its randomness from the locations of 2 independent
   // sources of address space layout randomization: a function in a Chrome
   // executable image, and a function in an external DLL/so. This implementation
   // should be fast and small, and should have the benefit of requiring
   // attackers to discover and use 2 independent weak infoleak bugs, or 1
   // arbitrary infoleak bug (used twice).
   uint32_t getMagic() const;
+  uint32_t m_magic;
+#endif
 
-  uint32_t m_magic;
   uint32_t m_encoded;
 };
 
 class FreeListEntry final : public HeapObjectHeader {
  public:
   NO_SANITIZE_ADDRESS
   explicit FreeListEntry(size_t size)
       : HeapObjectHeader(size, gcInfoIndexForFreeListHeader), m_next(nullptr) {
-#if DCHECK_IS_ON()
+#if DCHECK_IS_ON() && CPU(64BIT)
     ASSERT(size >= sizeof(HeapObjectHeader));
     zapMagic();
 #endif
   }
 
   Address getAddress() { return reinterpret_cast<Address>(this); }
 
   NO_SANITIZE_ADDRESS
   void unlink(FreeListEntry** prevNext) {
     *prevNext = m_next;
@@ skipping 554 matching lines @@
 NO_SANITIZE_ADDRESS inline size_t HeapObjectHeader::size() const {
   size_t result = m_encoded & headerSizeMask;
   // Large objects should not refer to header->size(). The actual size of a
   // large object is stored in |LargeObjectPage::m_payloadSize|.
   ASSERT(result != largeObjectSizeInHeader);
   ASSERT(!pageFromObject(this)->isLargeObjectPage());
   return result;
 }
 
 NO_SANITIZE_ADDRESS inline bool HeapObjectHeader::checkHeader() const {
+#if CPU(64BIT)
   return m_magic == getMagic();
+#else
+  return true;
+#endif
 }
 
 inline Address HeapObjectHeader::payload() {
   return reinterpret_cast<Address>(this) + sizeof(HeapObjectHeader);
 }
 
 inline Address HeapObjectHeader::payloadEnd() {
   return reinterpret_cast<Address>(this) + size();
 }
 
 NO_SANITIZE_ADDRESS inline size_t HeapObjectHeader::payloadSize() {
   size_t size = m_encoded & headerSizeMask;
   if (UNLIKELY(size == largeObjectSizeInHeader)) {
     ASSERT(pageFromObject(this)->isLargeObjectPage());
     return static_cast<LargeObjectPage*>(pageFromObject(this))->payloadSize();
   }
   ASSERT(!pageFromObject(this)->isLargeObjectPage());
   return size - sizeof(HeapObjectHeader);
 }
 
 inline HeapObjectHeader* HeapObjectHeader::fromPayload(const void* payload) {
   Address addr = reinterpret_cast<Address>(const_cast<void*>(payload));
   HeapObjectHeader* header =
       reinterpret_cast<HeapObjectHeader*>(addr - sizeof(HeapObjectHeader));
   ASSERT(header->checkHeader());
   return header;
 }
 
+#if CPU(64BIT)
 inline uint32_t HeapObjectHeader::getMagic() const {
   const uintptr_t random1 =
       ~(reinterpret_cast<uintptr_t>(
             base::trace_event::MemoryAllocatorDump::kNameSize) >>
         16);
 
 #if OS(WIN)
   const uintptr_t random2 = ~(reinterpret_cast<uintptr_t>(::ReadFile) << 16);
 #elif OS(POSIX)
   const uintptr_t random2 = ~(reinterpret_cast<uintptr_t>(::read) << 16);
 #else
 #error OS not supported
 #endif
 
 #if CPU(64BIT)
   static_assert(sizeof(uintptr_t) == sizeof(uint64_t),
                 "uintptr_t is not uint64_t");
   const uint32_t random = static_cast<uint32_t>(
       (random1 & 0x0FFFFULL) | ((random2 >> 32) & 0x0FFFF0000ULL));
 #elif CPU(32BIT)
+  // Although we don't use heap metadata canaries on 32-bit due to memory
+  // pressure, keep this code around just in case we do, someday.
   static_assert(sizeof(uintptr_t) == sizeof(uint32_t),
                 "uintptr_t is not uint32_t");
   const uint32_t random = (random1 & 0x0FFFFUL) | (random2 & 0xFFFF0000UL);
 #else
 #error architecture not supported
 #endif
 
   return random;
 }
+#endif
 
 NO_SANITIZE_ADDRESS inline bool HeapObjectHeader::isWrapperHeaderMarked()
     const {
   ASSERT(checkHeader());
   return m_encoded & headerWrapperMarkBitMask;
 }
 
 NO_SANITIZE_ADDRESS inline void HeapObjectHeader::markWrapperHeader() {
   ASSERT(checkHeader());
   ASSERT(!isWrapperHeaderMarked());
@@ skipping 41 matching lines @@
   return outOfLineAllocate(allocationSize, gcInfoIndex);
 }
 
 inline NormalPageArena* NormalPage::arenaForNormalPage() const {
   return static_cast<NormalPageArena*>(arena());
 }
 
 }  // namespace blink
 
 #endif  // HeapPage_h