RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-14 05:05:00 +00:00
Code Issues Activity Actions
serenity/Userland/Libraries/LibJS/Heap/CellAllocator.cpp
Andreas Kling b6d4eea7ac LibJS: Never give back virtual memory once it belongs to a cell type 
Instead of returning HeapBlock memory to the kernel (or a non-type
specific shared cache), we now keep a BlockAllocator per CellAllocator
and implement "deallocation" by basically informing the kernel that we
don't need the physical memory right now.

This is done with MADV_FREE or MADV_DONTNEED if available, but for other
platforms (including SerenityOS) we munmap and then re-mmap the memory
to achieve the same effect. It's definitely clunky, so I've added a
FIXME about implementing the madvise options on SerenityOS too.

The important outcome of this change is that GC types that use a
type-specific allocator become immune to use-after-free type confusion
attacks, since their virtual addresses will only ever be re-used for
the same exact type again and again.

Fixes #22274
2023-12-31 15:35:56 +01:00

52 lines
1.3 KiB
C++
Raw Blame History

/*
* Copyright (c) 2020-2023, Andreas Kling <kling@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <AK/Badge.h>
#include <LibJS/Heap/BlockAllocator.h>
#include <LibJS/Heap/CellAllocator.h>
#include <LibJS/Heap/Heap.h>
#include <LibJS/Heap/HeapBlock.h>
namespace JS {
CellAllocator::CellAllocator(size_t cell_size)
: m_cell_size(cell_size)
{
}
Cell* CellAllocator::allocate_cell(Heap& heap)
{
if (!m_list_node.is_in_list())
heap.register_cell_allocator({}, *this);
if (m_usable_blocks.is_empty()) {
auto block = HeapBlock::create_with_cell_size(heap, *this, m_cell_size);
m_usable_blocks.append(*block.leak_ptr());
}
auto& block = *m_usable_blocks.last();
auto* cell = block.allocate();
VERIFY(cell);
if (block.is_full())
m_full_blocks.append(*m_usable_blocks.last());
return cell;
}
void CellAllocator::block_did_become_empty(Badge<Heap>, HeapBlock& block)
{
block.m_list_node.remove();
// NOTE: HeapBlocks are managed by the BlockAllocator, so we don't want to `delete` the block here.
block.~HeapBlock();
m_block_allocator.deallocate_block(&block);
}
void CellAllocator::block_did_become_usable(Badge<Heap>, HeapBlock& block)
{
VERIFY(!block.is_full());
m_usable_blocks.append(block);
}
}
Reference in a new issue View git blame Copy permalink