Bug 195476

Summary: Randomize the LocalAllocator free list.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: ASSIGNED ---    
Severity: Normal CC: fpizlo, keith_miller, msaboff, rmorisset, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch.
none
proposed patch. none

Description Mark Lam 2019-03-08 12:42:45 PST 
<rdar://problem/48722162>
Comment 1 Mark Lam 2019-03-08 12:48:22 PST 
Created attachment 364052 [details]
proposed patch.
Comment 2 Mark Lam 2019-03-08 12:55:07 PST 
Comment on attachment 364052 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=364052&action=review

> Source/JavaScriptCore/heap/MarkedBlockInlines.h:308
>      // This produces a free list that is ordered in reverse through the block.
>      // This is fine, since the allocation code makes no assumptions about the
>      // order of the free list.

I should also fix this comment.
Comment 3 Mark Lam 2019-03-08 13:28:18 PST 
Created attachment 364054 [details]
proposed patch.
Comment 4 Filip Pizlo 2019-03-08 13:29:10 PST 
Since this does not randomize bump pointer, I'm not sure there is much protection here.
Comment 5 Mark Lam 2019-03-08 14:34:35 PST 
Comment on attachment 364054 [details]
proposed patch.

Taking this out of review while I do some A/B testing.