Check if all FreelistEntry pointers in the linked list are valid

Check if all FreelistEntry pointers in the linked list are valid.
By making sure the FreelistEntry and the next one are on the same super page.

Bug: 1137799
Change-Id: Ic37f4fb80a0a14251247fa39912f9d4cc8f90901
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2500652
Commit-Queue: Keishi Hattori <keishi@chromium.org>
Reviewed-by: Bartek Nowierski <bartekn@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#822058}

base/allocator/partition_allocator/partition_bucket.cc

@@ -96,7 +96,7 @@ PartitionDirectMap(PartitionRoot<thread_safe>* root, int flags, size_t raw_size)
       reinterpret_cast<PartitionFreelistEntry*>(slot));
 
   auto* next_entry = reinterpret_cast<PartitionFreelistEntry*>(slot);
-  next_entry->next = PartitionFreelistEntry::Encode(nullptr);
+  next_entry->SetNext(nullptr);
 
   PA_DCHECK(!metadata->bucket.active_slot_spans_head);
   PA_DCHECK(!metadata->bucket.empty_slot_spans_head);
@@ -476,10 +476,10 @@ ALWAYS_INLINE char* PartitionBucket<thread_safe>::AllocAndFillFreelist(
       freelist_pointer += size;
       auto* next_entry =
           reinterpret_cast<PartitionFreelistEntry*>(freelist_pointer);
-      entry->next = PartitionFreelistEntry::Encode(next_entry);
+      entry->SetNext(next_entry);
       entry = next_entry;
     }
-    entry->next = PartitionFreelistEntry::Encode(nullptr);
+    entry->SetNext(nullptr);
   } else {
     slot_span->SetFreelistHead(nullptr);
   }

base/allocator/partition_allocator/partition_freelist_entry.h

@@ -28,6 +28,13 @@ struct PartitionFreelistEntry {
     return reinterpret_cast<EncodedPartitionFreelistEntry*>(Transform(ptr));
   }
 
+  ALWAYS_INLINE void SetNext(PartitionFreelistEntry* ptr) {
+    PA_DCHECK(!ptr ||
+              (reinterpret_cast<uintptr_t>(this) & kSuperPageBaseMask) ==
+                  (reinterpret_cast<uintptr_t>(ptr) & kSuperPageBaseMask));
+    next = Encode(ptr);
+  }
+
  private:
   friend struct EncodedPartitionFreelistEntry;
   static ALWAYS_INLINE void* Transform(void* ptr) {

base/allocator/partition_allocator/partition_page.h

@@ -419,7 +419,7 @@ ALWAYS_INLINE DeferredUnmap SlotSpanMetadata<thread_safe>::Free(void* ptr) {
   PA_DCHECK(!freelist_head ||
             ptr != EncodedPartitionFreelistEntry::Decode(freelist_head->next));
   auto* entry = static_cast<internal::PartitionFreelistEntry*>(ptr);
-  entry->next = internal::PartitionFreelistEntry::Encode(freelist_head);
+  entry->SetNext(freelist_head);
   SetFreelistHead(entry);
   --num_allocated_slots;
   if (UNLIKELY(num_allocated_slots <= 0)) {

base/allocator/partition_allocator/partition_root.cc

@@ -129,7 +129,7 @@ static size_t PartitionPurgeSlotSpan(
           head = entry;
           back = entry;
         } else {
-          back->next = internal::PartitionFreelistEntry::Encode(entry);
+          back->SetNext(entry);
           back = entry;
         }
         num_new_entries++;
@@ -140,7 +140,7 @@ static size_t PartitionPurgeSlotSpan(
 
       slot_span->SetFreelistHead(head);
       if (back)
-        back->next = internal::PartitionFreelistEntry::Encode(nullptr);
+        back->SetNext(nullptr);
 
       PA_DCHECK(num_new_entries == num_slots - slot_span->num_allocated_slots);
       // Discard the memory.

base/allocator/partition_allocator/thread_cache.h

@@ -246,7 +246,7 @@ ALWAYS_INLINE bool ThreadCache::MaybePutInCache(void* address,
   PA_DCHECK(bucket.count != 0 || bucket.freelist_head == nullptr);
 
   auto* entry = reinterpret_cast<PartitionFreelistEntry*>(address);
-  entry->next = PartitionFreelistEntry::Encode(bucket.freelist_head);
+  entry->next = internal::PartitionFreelistEntry::Encode(bucket.freelist_head);
   bucket.freelist_head = entry;
   bucket.count++;