[PartitionAlloc] Poison memory regions when freeing.

A last-ditch sanity check in case of memory corruption. Bug: 680657 Change-Id: I79934eceb4fcb6ce64422cee5004f057d40a6cab Reviewed-on: https://chromium-review.googlesource.com/1134523Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#580297}

[PartitionAlloc] Poison memory regions when freeing.
A last-ditch sanity check in case of memory corruption. Bug: 680657 Change-Id: I79934eceb4fcb6ce64422cee5004f057d40a6cab Reviewed-on: https://chromium-review.googlesource.com/1134523Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#580297}
d5d8bc3a · Chris Palmer · Commit Bot · a89b53f6 · d5d8bc3a
Commit d5d8bc3a authored Aug 02, 2018 by Chris Palmer Committed by Commit Bot Aug 02, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 21 deletions

base/allocator/partition_allocator/partition_alloc.h base/allocator/partition_allocator/partition_alloc.h +28 -21

No files found.
--- a/base/allocator/partition_allocator/partition_alloc.h
+++ b/base/allocator/partition_allocator/partition_alloc.h
@@ -281,17 +281,44 @@ ALWAYS_INLINE void* PartitionRoot::Alloc(size_t size, const char* type_name) {
 #endif  // defined(MEMORY_TOOL_REPLACES_ALLOCATOR)
 }
+ALWAYS_INLINE bool PartitionAllocSupportsGetSize() {
+#if defined(MEMORY_TOOL_REPLACES_ALLOCATOR)
+  return false;
+#else
+  return true;
+#endif
+}
+ALWAYS_INLINE size_t PartitionAllocGetSize(void* ptr) {
+  // No need to lock here. Only |ptr| being freed by another thread could
+  // cause trouble, and the caller is responsible for that not happening.
+  DCHECK(PartitionAllocSupportsGetSize());
+  ptr = internal::PartitionCookieFreePointerAdjust(ptr);
+  internal::PartitionPage* page = internal::PartitionPage::FromPointer(ptr);
+  // TODO(palmer): See if we can afford to make this a CHECK.
+  DCHECK(internal::PartitionRootBase::IsValidPage(page));
+  size_t size = page->bucket->slot_size;
+  return internal::PartitionCookieSizeAdjustSubtract(size);
+}
 ALWAYS_INLINE void PartitionFree(void* ptr) {
 #if defined(MEMORY_TOOL_REPLACES_ALLOCATOR)
  free(ptr);
 #else
+  void* original_ptr = ptr;
  // TODO(palmer): Check ptr alignment before continuing. Shall we do the check
  // inside PartitionCookieFreePointerAdjust?
-  PartitionAllocHooks::FreeHookIfEnabled(ptr);
+  PartitionAllocHooks::FreeHookIfEnabled(original_ptr);
  ptr = internal::PartitionCookieFreePointerAdjust(ptr);
  internal::PartitionPage* page = internal::PartitionPage::FromPointer(ptr);
  // TODO(palmer): See if we can afford to make this a CHECK.
  DCHECK(internal::PartitionRootBase::IsValidPage(page));
+  // This is somewhat redundant with |PartitionPage::Free|.
+  // TODO(crbug.com/680657): Doing this here might? make it OK to not do it
+  // there.
+  memset(original_ptr, 0xCD, PartitionAllocGetSize(original_ptr));
  page->Free(ptr);
 #endif
 }
@@ -386,26 +413,6 @@ ALWAYS_INLINE size_t PartitionRootGeneric::ActualSize(size_t size) {
 #endif
 }
-ALWAYS_INLINE bool PartitionAllocSupportsGetSize() {
-#if defined(MEMORY_TOOL_REPLACES_ALLOCATOR)
-  return false;
-#else
-  return true;
-#endif
-}
-ALWAYS_INLINE size_t PartitionAllocGetSize(void* ptr) {
-  // No need to lock here. Only |ptr| being freed by another thread could
-  // cause trouble, and the caller is responsible for that not happening.
-  DCHECK(PartitionAllocSupportsGetSize());
-  ptr = internal::PartitionCookieFreePointerAdjust(ptr);
-  internal::PartitionPage* page = internal::PartitionPage::FromPointer(ptr);
-  // TODO(palmer): See if we can afford to make this a CHECK.
-  DCHECK(internal::PartitionRootBase::IsValidPage(page));
-  size_t size = page->bucket->slot_size;
-  return internal::PartitionCookieSizeAdjustSubtract(size);
-}
 template <size_t N>
 class SizeSpecificPartitionAllocator {
 public: