Oilpan: Improve address space randomization for the Oilpan heap.

Source/wtf/PageAllocator.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 13 matching lines @@
  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "config.h"
 #include "wtf/PageAllocator.h"
 
+#include "wtf/AddressSpaceRandomization.h"
 #include "wtf/Assertions.h"
-#include "wtf/ProcessID.h"
-#include "wtf/SpinLock.h"
 
 #include <limits.h>
 
 #if OS(POSIX)
 
 #include <sys/mman.h>
 
 #ifndef MADV_FREE
 #define MADV_FREE MADV_DONTNEED
 #endif
@@ skipping 48 matching lines @@
     }
     size_t postLen = (basePtr + baseLen) - (trimPtr + trimLen);
     if (postLen) {
         int ret = munmap(trimPtr + trimLen, postLen);
         RELEASE_ASSERT(!ret);
     }
     return true;
 #endif
 }
 
-// This is the same PRNG as used by tcmalloc for mapping address randomness;
-// see http://burtleburtle.net/bob/rand/smallprng.html
-struct ranctx {
-    int lock;
-    bool initialized;
-    uint32_t a;
-    uint32_t b;
-    uint32_t c;
-    uint32_t d;
-};
-
-#define rot(x, k) (((x) << (k)) | ((x) >> (32 - (k))))
-
-uint32_t ranvalInternal(ranctx* x)
-{
-    uint32_t e = x->a - rot(x->b, 27);
-    x->a = x->b ^ rot(x->c, 17);
-    x->b = x->c + x->d;
-    x->c = x->d + e;
-    x->d = e + x->a;
-    return x->d;
-}
-
-#undef rot
-
-uint32_t ranval(ranctx* x)
-{
-    spinLockLock(&x->lock);
-    if (UNLIKELY(!x->initialized)) {
-        x->initialized = true;
-        char c;
-        uint32_t seed = static_cast<uint32_t>(reinterpret_cast<uintptr_t>(&c));
-        seed ^= static_cast<uint32_t>(getCurrentProcessID());
-        x->a = 0xf1ea5eed;
-        x->b = x->c = x->d = seed;
-        for (int i = 0; i < 20; ++i) {
-            (void) ranvalInternal(x);
-        }
-    }
-    uint32_t ret = ranvalInternal(x);
-    spinLockUnlock(&x->lock);
-    return ret;
-}
-
-static struct ranctx s_ranctx;
-
-// This internal function calculates a random preferred mapping address.
-// It is used when the client of allocPages() passes null as the address.
-// In calculating an address, we balance good ASLR against not fragmenting the
-// address space too badly.
-static void* getRandomPageBase()
-{
-    uintptr_t random;
-    random = static_cast<uintptr_t>(ranval(&s_ranctx));
-#if CPU(X86_64)
-    random <<= 32UL;
-    random |= static_cast<uintptr_t>(ranval(&s_ranctx));
-    // This address mask gives a low liklihood of address space collisions.
-    // We handle the situation gracefully if there is a collision.
-#if OS(WIN)
-    // 64-bit Windows has a bizarrely small 8TB user address space.
-    // Allocates in the 1-5TB region.
-    random &= 0x3ffffffffffUL;
-    random += 0x10000000000UL;
-#else
-    // Linux and OS X support the full 47-bit user space of x64 processors.
-    random &= 0x3fffffffffffUL;
-#endif
-#elif CPU(ARM64)
-    // ARM64 on Linux has 39-bit user space.
-    random &= 0x3fffffffffUL;
-    random += 0x1000000000UL;
-#else // !CPU(X86_64) && !CPU(ARM64)
-    // This is a good range on Windows, Linux and Mac.
-    // Allocates in the 0.5-1.5GB region.
-    random &= 0x3fffffff;
-    random += 0x20000000;
-#endif // CPU(X86_64)
-    random &= kPageAllocationGranularityBaseMask;
-    return reinterpret_cast<void*>(random);
-}
-
 void* allocPages(void* addr, size_t len, size_t align)
 {
     ASSERT(len >= kPageAllocationGranularity);
     ASSERT(!(len & kPageAllocationGranularityOffsetMask));
     ASSERT(align >= kPageAllocationGranularity);
     ASSERT(!(align & kPageAllocationGranularityOffsetMask));
     ASSERT(!(reinterpret_cast<uintptr_t>(addr) & kPageAllocationGranularityOffsetMask));
     size_t alignOffsetMask = align - 1;
     size_t alignBaseMask = ~alignOffsetMask;
     ASSERT(!(reinterpret_cast<uintptr_t>(addr) & alignOffsetMask));
@@ skipping 102 matching lines @@
     ASSERT(!(len & kSystemPageOffsetMask));
 #if OS(POSIX)
     (void) addr;
 #else
     setSystemPagesAccessible(addr, len);
 #endif
 }
 
 } // namespace WTF