Attachment 359341 Details for Bug 193523 – Patch

[patch] Patch

bug-193523-20190116183801.patch (text/plain), 17.92 KB, created by Keith Miller on 2019-01-16 18:38:06 PST

(hide)

Description:

Filename:

MIME Type:

Creator: Keith Miller

Created: 2019-01-16 18:38:06 PST

Size: 17.92 KB

patch

obsolete

>Subversion Revision: 240100
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 347fa49aa02a81b56932835e99c3d950d849432b..d275613b18499f38c42d7af1fb9f1e2b549665b2 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,15 @@
>+2019-01-16  Keith Miller  <keith_miller@apple.com>
>+
>+        Gigacages should start allocations from a slide
>+        https://bugs.webkit.org/show_bug.cgi?id=193523
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        This patch changes some macros into constants since macros are the
>+        devil.
>+
>+        * llint/LowLevelInterpreter64.asm:
>+
> 2019-01-16  Mark Lam  <mark.lam@apple.com>
> 
>         Refactor new bytecode structs so that the fields are prefixed with "m_".
>diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog
>index 121e6bfeea9fb9d01bb1fd785ebb2cbcdec10c72..16236aad4af8c8bdb39c48de68d5c6add2fac528 100644
>--- a/Source/WTF/ChangeLog
>+++ b/Source/WTF/ChangeLog
>@@ -1,3 +1,16 @@
>+2019-01-16  Keith Miller  <keith_miller@apple.com>
>+
>+        Gigacages should start allocations from a slide
>+        https://bugs.webkit.org/show_bug.cgi?id=193523
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        This patch changes some macros into constants since macros are the
>+        devil.
>+
>+        * wtf/Gigacage.cpp:
>+        * wtf/Gigacage.h:
>+
> 2019-01-16  Keith Miller  <keith_miller@apple.com>
> 
>         bmalloc should use JSC VM tag for gigacage
>diff --git a/Source/bmalloc/ChangeLog b/Source/bmalloc/ChangeLog
>index b30d125432c9ff0e36cc383dd78aadb167420dbe..f33c1307e01f3abbfc0db49ab9a2ee555ba8cc73 100644
>--- a/Source/bmalloc/ChangeLog
>+++ b/Source/bmalloc/ChangeLog
>@@ -1,3 +1,30 @@
>+2019-01-16  Keith Miller  <keith_miller@apple.com>
>+
>+        Gigacages should start allocations from a slide
>+        https://bugs.webkit.org/show_bug.cgi?id=193523
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        This patch makes is so that Gigacage Heaps slide the start of the
>+        cage by some random amount. We still ensure that there is always
>+        at least 4/2GB, on MacOS/iOS respectively, of VA space available
>+        for allocation.
>+
>+        Also, this patch changes some macros into constants since macros
>+        are the devil.
>+
>+        * bmalloc/Gigacage.cpp:
>+        (Gigacage::bmalloc::protectGigacageBasePtrs):
>+        (Gigacage::bmalloc::unprotectGigacageBasePtrs):
>+        (Gigacage::bmalloc::runwaySize):
>+        * bmalloc/Gigacage.h:
>+        (Gigacage::gigacageSizeToMask):
>+        (Gigacage::size):
>+        (Gigacage::mask):
>+        * bmalloc/Heap.cpp:
>+        (bmalloc::Heap::Heap):
>+        * bmalloc/Sizes.h:
>+
> 2019-01-16  Keith Miller  <keith_miller@apple.com>
> 
>         bmalloc should use JSC VM tag for gigacage
>diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>index 810592c5feed673b92f5390bf9f8a8808be0487a..d1491f96666afc577a93730431fcaa1ae87acdd8 100644
>--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>@@ -1315,7 +1315,7 @@ llintOpWithMetadata(op_get_by_id, OpGetById, macro (size, get, dispatch, metadat
>     arrayProfile(OpGetById::Metadata::m_modeMetadata.arrayLengthMode.arrayProfile, t0, t2, t5)
>     btiz t0, IsArray, .opGetByIdSlow
>     btiz t0, IndexingShapeMask, .opGetByIdSlow
>-    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr JSVALUE_GIGACAGE_MASK, JSObject::m_butterfly[t3], t0, t1)
>+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t3], t0, t1)
>     loadi -sizeof IndexingHeader + IndexingHeader::u.lengths.publicLength[t0], t0
>     bilt t0, 0, .opGetByIdSlow
>     orq tagTypeNumber, t0
>@@ -1438,7 +1438,7 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad
>     loadConstantOrVariableInt32(size, t3, t1, .opGetByValSlow)
>     sxi2q t1, t1
> 
>-    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr JSVALUE_GIGACAGE_MASK, JSObject::m_butterfly[t0], t3, tagTypeNumber)
>+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t0], t3, tagTypeNumber)
>     move TagTypeNumber, tagTypeNumber
> 
>     andi IndexingShapeMask, t2
>@@ -1504,7 +1504,7 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad
>     bia t2, Int8ArrayType - FirstTypedArrayType, .opGetByValUint8ArrayOrUint8ClampedArray
> 
>     # We have Int8ArrayType.
>-    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
>+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
>     loadbs [t3, t1], t0
>     finishIntGetByVal(t0, t1)
> 
>@@ -1512,13 +1512,13 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad
>     bia t2, Uint8ArrayType - FirstTypedArrayType, .opGetByValUint8ClampedArray
> 
>     # We have Uint8ArrayType.
>-    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
>+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
>     loadb [t3, t1], t0
>     finishIntGetByVal(t0, t1)
> 
> .opGetByValUint8ClampedArray:
>     # We have Uint8ClampedArrayType.
>-    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
>+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
>     loadb [t3, t1], t0
>     finishIntGetByVal(t0, t1)
> 
>@@ -1527,13 +1527,13 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad
>     bia t2, Int16ArrayType - FirstTypedArrayType, .opGetByValUint16Array
> 
>     # We have Int16ArrayType.
>-    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
>+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
>     loadhs [t3, t1, 2], t0
>     finishIntGetByVal(t0, t1)
> 
> .opGetByValUint16Array:
>     # We have Uint16ArrayType.
>-    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
>+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
>     loadh [t3, t1, 2], t0
>     finishIntGetByVal(t0, t1)
> 
>@@ -1545,13 +1545,13 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad
>     bia t2, Int32ArrayType - FirstTypedArrayType, .opGetByValUint32Array
> 
>     # We have Int32ArrayType.
>-    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
>+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
>     loadi [t3, t1, 4], t0
>     finishIntGetByVal(t0, t1)
> 
> .opGetByValUint32Array:
>     # We have Uint32ArrayType.
>-    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
>+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
>     # This is the hardest part because of large unsigned values.
>     loadi [t3, t1, 4], t0
>     bilt t0, 0, .opGetByValSlow # This case is still awkward to implement in LLInt.
>@@ -1563,7 +1563,7 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad
>     bieq t2, Float32ArrayType - FirstTypedArrayType, .opGetByValSlow
> 
>     # We have Float64ArrayType.
>-    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
>+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
>     loadd [t3, t1, 8], ft0
>     bdnequn ft0, ft0, .opGetByValSlow
>     finishDoubleGetByVal(ft0, t0, t1)
>@@ -1599,7 +1599,7 @@ macro putByValOp(name, op)
>         get(m_property, t0)
>         loadConstantOrVariableInt32(size, t0, t3, .opPutByValSlow)
>         sxi2q t3, t3
>-        loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr JSVALUE_GIGACAGE_MASK, JSObject::m_butterfly[t1], t0, tagTypeNumber)
>+        loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t1], t0, tagTypeNumber)
>         move TagTypeNumber, tagTypeNumber
>         btinz t2, CopyOnWrite, .opPutByValSlow
>         andi IndexingShapeMask, t2
>diff --git a/Source/WTF/wtf/Gigacage.cpp b/Source/WTF/wtf/Gigacage.cpp
>index ad93fa42859d6a1379c46871a75b4646af183d71..f79a844355c2feef9f34c3575a2b0bb4c6d8e239 100644
>--- a/Source/WTF/wtf/Gigacage.cpp
>+++ b/Source/WTF/wtf/Gigacage.cpp
>@@ -32,7 +32,7 @@
> 
> #if defined(USE_SYSTEM_MALLOC) && USE_SYSTEM_MALLOC
> 
>-alignas(void*) char g_gigacageBasePtrs[GIGACAGE_BASE_PTRS_SIZE];
>+alignas(void*) char g_gigacageBasePtrs[gigacageBasePtrsSize];
> 
> namespace Gigacage {
> 
>diff --git a/Source/WTF/wtf/Gigacage.h b/Source/WTF/wtf/Gigacage.h
>index 1b048313a362821b1f887fa5b7e3d3e002938b69..25675114035b93bb6a7c5e4618395cc900b8149b 100644
>--- a/Source/WTF/wtf/Gigacage.h
>+++ b/Source/WTF/wtf/Gigacage.h
>@@ -29,16 +29,15 @@
> 
> #if defined(USE_SYSTEM_MALLOC) && USE_SYSTEM_MALLOC
> #define GIGACAGE_ENABLED 0
>-#define PRIMITIVE_GIGACAGE_MASK 0
>-#define JSVALUE_GIGACAGE_MASK 0
>-#define GIGACAGE_BASE_PTRS_SIZE 8192
>-
>-extern "C" {
>-alignas(void*) extern WTF_EXPORT_PRIVATE char g_gigacageBasePtrs[GIGACAGE_BASE_PTRS_SIZE];
>-}
> 
> namespace Gigacage {
> 
>+const size_t primitiveGigacageMask = gigacageSizeToMask(primitiveGigacageSize);
>+const size_t jsValueGigacageMask = gigacageSizeToMask(jsValueGigacageSize);
>+const size_t gigacageBasePtrsSize = 8 * 1024;
>+
>+extern "C" alignas(void*) extern WTF_EXPORT_PRIVATE char g_gigacageBasePtrs[gigacageBasePtrsSize];
>+
> struct BasePtrs {
>     uintptr_t reservedForFlags;
>     void* primitive;
>diff --git a/Source/bmalloc/bmalloc/Gigacage.cpp b/Source/bmalloc/bmalloc/Gigacage.cpp
>index a88623d69ee370ee9ddee3457159128f03f0cb3a..b595263728008e754b31bb9922c7cdf4f71b9dd9 100644
>--- a/Source/bmalloc/bmalloc/Gigacage.cpp
>+++ b/Source/bmalloc/bmalloc/Gigacage.cpp
>@@ -35,23 +35,23 @@
> #include <cstdio>
> #include <mutex>
> 
>+namespace Gigacage {
>+
> // This is exactly 32GB because inside JSC, indexed accesses for arrays, typed arrays, etc,
> // use unsigned 32-bit ints as indices. The items those indices access are 8 bytes or less
> // in size. 2^32 * 8 = 32GB. This means if an access on a caged type happens to go out of
> // bounds, the access is guaranteed to land somewhere else in the cage or inside the runway.
> // If this were less than 32GB, those OOB accesses could reach outside of the cage.
>-#define GIGACAGE_RUNWAY (32llu * 1024 * 1024 * 1024)
>+const size_t gigacageRunway = 32llu * 1024 * 1024 * 1024;
> 
> // Note: g_gigacageBasePtrs[0] is reserved for storing the wasEnabled flag.
> // The first gigacageBasePtr will start at g_gigacageBasePtrs[sizeof(void*)].
> // This is done so that the wasEnabled flag will also be protected along with the
> // gigacageBasePtrs.
>-alignas(GIGACAGE_BASE_PTRS_SIZE) char g_gigacageBasePtrs[GIGACAGE_BASE_PTRS_SIZE];
>+alignas(gigacageBasePtrsSize) char g_gigacageBasePtrs[gigacageBasePtrsSize];
> 
> using namespace bmalloc;
> 
>-namespace Gigacage {
>-
> namespace {
> 
> bool s_isDisablingPrimitiveGigacageDisabled;
>@@ -61,12 +61,12 @@ void protectGigacageBasePtrs()
>     uintptr_t basePtrs = reinterpret_cast<uintptr_t>(g_gigacageBasePtrs);
>     // We might only get page size alignment, but that's also the minimum we need.
>     RELEASE_BASSERT(!(basePtrs & (vmPageSize() - 1)));
>-    mprotect(g_gigacageBasePtrs, GIGACAGE_BASE_PTRS_SIZE, PROT_READ);
>+    mprotect(g_gigacageBasePtrs, gigacageBasePtrsSize, PROT_READ);
> }
> 
> void unprotectGigacageBasePtrs()
> {
>-    mprotect(g_gigacageBasePtrs, GIGACAGE_BASE_PTRS_SIZE, PROT_READ | PROT_WRITE);
>+    mprotect(g_gigacageBasePtrs, gigacageBasePtrsSize, PROT_READ | PROT_WRITE);
> }
> 
> class UnprotectGigacageBasePtrsScope {
>@@ -108,7 +108,7 @@ size_t runwaySize(Kind kind)
>     case Kind::ReservedForFlagsAndNotABasePtr:
>         RELEASE_BASSERT_NOT_REACHED();
>     case Kind::Primitive:
>-        return static_cast<size_t>(GIGACAGE_RUNWAY);
>+        return static_cast<size_t>(gigacageRunway);
>     case Kind::JSValue:
>         return static_cast<size_t>(0);
>     }
>diff --git a/Source/bmalloc/bmalloc/Gigacage.h b/Source/bmalloc/bmalloc/Gigacage.h
>index eab80fd2d3e24228cb9ffcdd83479d1ebdcb1d38..0ae6c05dc4f7d9ec97c498beb5b4ff0cb6256d59 100644
>--- a/Source/bmalloc/bmalloc/Gigacage.h
>+++ b/Source/bmalloc/bmalloc/Gigacage.h
>@@ -30,16 +30,25 @@
> #include "BExport.h"
> #include "BInline.h"
> #include "BPlatform.h"
>+#include "Sizes.h"
> #include <cstddef>
> #include <inttypes.h>
> 
>+
>+
>+namespace Gigacage {
>+
> #if BCPU(ARM64)
>-#define PRIMITIVE_GIGACAGE_SIZE 0x80000000llu
>-#define JSVALUE_GIGACAGE_SIZE 0x40000000llu
>+const size_t primitiveGigacageSize = 0x80000000;
>+const size_t jsValueGigacageSize = 0x40000000;
>+const size_t gigacageBasePtrsSize = 16 * Sizes::kB;
>+const size_t minimumCageSizeAfterSlide = 2 * Sizes::GB;
> #define GIGACAGE_ALLOCATION_CAN_FAIL 1
> #else
>-#define PRIMITIVE_GIGACAGE_SIZE 0x800000000llu
>-#define JSVALUE_GIGACAGE_SIZE 0x400000000llu
>+const size_t primitiveGigacageSize = 0x800000000;
>+const size_t jsValueGigacageSize = 0x400000000;
>+const size_t gigacageBasePtrsSize = 4 * bmalloc::Sizes::kB;
>+const size_t minimumCageSizeAfterSlide = 4 * bmalloc::Sizes::GB;
> #define GIGACAGE_ALLOCATION_CAN_FAIL 0
> #endif
> 
>@@ -50,30 +59,22 @@
> #define GIGACAGE_ALLOCATION_CAN_FAIL 1
> #endif
> 
>-static_assert(bmalloc::isPowerOfTwo(PRIMITIVE_GIGACAGE_SIZE), "");
>-static_assert(bmalloc::isPowerOfTwo(JSVALUE_GIGACAGE_SIZE), "");
>+static_assert(bmalloc::isPowerOfTwo(primitiveGigacageSize), "");
>+static_assert(bmalloc::isPowerOfTwo(jsValueGigacageSize), "");
> 
>-#define GIGACAGE_SIZE_TO_MASK(size) ((size) - 1)
>+constexpr size_t gigacageSizeToMask(size_t size) { return size - 1; }
> 
>-#define PRIMITIVE_GIGACAGE_MASK GIGACAGE_SIZE_TO_MASK(PRIMITIVE_GIGACAGE_SIZE)
>-#define JSVALUE_GIGACAGE_MASK GIGACAGE_SIZE_TO_MASK(JSVALUE_GIGACAGE_SIZE)
>+const size_t primitiveGigacageMask = gigacageSizeToMask(primitiveGigacageSize);
>+const size_t jsValueGigacageMask = gigacageSizeToMask(jsValueGigacageSize);
> 
> #if ((BOS(DARWIN) || BOS(LINUX)) && \
>-    (BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS)))))
>+(BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS)))))
> #define GIGACAGE_ENABLED 1
> #else
> #define GIGACAGE_ENABLED 0
> #endif
> 
>-#if BCPU(ARM64)
>-#define GIGACAGE_BASE_PTRS_SIZE 16384
>-#else
>-#define GIGACAGE_BASE_PTRS_SIZE 4096
>-#endif
>-
>-extern "C" alignas(GIGACAGE_BASE_PTRS_SIZE) BEXPORT char g_gigacageBasePtrs[GIGACAGE_BASE_PTRS_SIZE];
>-
>-namespace Gigacage {
>+extern "C" alignas(gigacageBasePtrsSize) BEXPORT char g_gigacageBasePtrs[gigacageBasePtrsSize];
> 
> BINLINE bool wasEnabled() { return g_gigacageBasePtrs[0]; }
> BINLINE void setWasEnabled() { g_gigacageBasePtrs[0] = true; }
>@@ -158,9 +159,9 @@ BINLINE size_t size(Kind kind)
>     case ReservedForFlagsAndNotABasePtr:
>         RELEASE_BASSERT_NOT_REACHED();
>     case Primitive:
>-        return static_cast<size_t>(PRIMITIVE_GIGACAGE_SIZE);
>+        return static_cast<size_t>(primitiveGigacageSize);
>     case JSValue:
>-        return static_cast<size_t>(JSVALUE_GIGACAGE_SIZE);
>+        return static_cast<size_t>(jsValueGigacageSize);
>     }
>     BCRASH();
>     return 0;
>@@ -173,7 +174,7 @@ BINLINE size_t alignment(Kind kind)
> 
> BINLINE size_t mask(Kind kind)
> {
>-    return GIGACAGE_SIZE_TO_MASK(size(kind));
>+    return gigacageSizeToMask(size(kind));
> }
> 
> template<typename Func>
>diff --git a/Source/bmalloc/bmalloc/Heap.cpp b/Source/bmalloc/bmalloc/Heap.cpp
>index 53b3e369193f1f5499a3acea47bc571792b30a0e..7015af6b5e1ee9a7010f05768df71eb431829ccc 100644
>--- a/Source/bmalloc/bmalloc/Heap.cpp
>+++ b/Source/bmalloc/bmalloc/Heap.cpp
>@@ -29,6 +29,7 @@
> #include "BulkDecommit.h"
> #include "BumpAllocator.h"
> #include "Chunk.h"
>+#include "CryptoRandom.h"
> #include "Environment.h"
> #include "Gigacage.h"
> #include "DebugHeap.h"
>@@ -61,7 +62,13 @@ Heap::Heap(HeapKind kind, std::lock_guard<Mutex>&)
> #if GIGACAGE_ENABLED
>         if (usingGigacage()) {
>             RELEASE_BASSERT(gigacageBasePtr());
>-            m_largeFree.add(LargeRange(gigacageBasePtr(), gigacageSize(), 0, 0));
>+            RELEASE_BASSERT(gigacageSize() / vmPageSize() <= std::numeric_limits<uint64_t>::max());
>+            uint64_t random;
>+            cryptoRandom(reinterpret_cast<unsigned char*>(&random), sizeof(random));
>+            ptrdiff_t offset = ((random * vmPageSize()) % (gigacageSize() - Gigacage::minimumCageSizeAfterSlide));
>+            RELEASE_BASSERT(!(offset % vmPageSize()) && !(offset % vmPageSizePhysical()));
>+            void* base = reinterpret_cast<unsigned char*>(gigacageBasePtr()) + offset;
>+            m_largeFree.add(LargeRange(base, gigacageSize() - offset, 0, 0));
>         }
> #endif
>     }
>diff --git a/Source/bmalloc/bmalloc/Sizes.h b/Source/bmalloc/bmalloc/Sizes.h
>index f75f7e8fcc7f67dbd503c789c8fc8540b50c14c9..5a4ff84a73c538b77dd59d330fe6747e71807bba 100644
>--- a/Source/bmalloc/bmalloc/Sizes.h
>+++ b/Source/bmalloc/bmalloc/Sizes.h
>@@ -42,6 +42,7 @@ namespace bmalloc {
> namespace Sizes {
>     static const size_t kB = 1024;
>     static const size_t MB = kB * kB;
>+    static const size_t GB = kB * kB * kB;
> 
>     static const size_t alignment = 8;
>     static const size_t alignmentMask = alignment - 1ul;

Actions: View | Formatted Diff | Diff

Attachments on bug 193523: 359341 | 359396 | 359409 | 359410 | 359425 | 359430 | 359501 | 359532