[vm] Don't leave code pages unprotected when a free-list element's header straddles a page boundary.

sjindel-google · commit-bot@chromium.org · commit b359ac0a1e5b · 2019-10-23T14:46:53.000Z
The old code breaks in this situation. ^ indicates page boundary: | <allocated code> | <header> | <remainder> | <other code> | | ^ ^ ^ | It would have unprotected the start of <other code> without re-protecting it after updating the header. Fixes #38528 Change-Id: I989becc3ade434fac6ec0eba5b7f8130178f6f68 Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/122643 Commit-Queue: Samir Jindel <sjindel@google.com> Reviewed-by: Martin Kustermann <kustermann@google.com>
diff --git a/runtime/vm/heap/freelist.cc b/runtime/vm/heap/freelist.cc
@@ -323,14 +323,24 @@ void FreeList::SplitElementAfterAndEnqueue(FreeListElement* element,
   intptr_t remainder_index = IndexForSize(remainder_size);
   EnqueueElement(element, remainder_index);
 
-  // Postcondition: when allocating in a protected page, the remainder
-  // element is no longer writable unless it is in the same page as the
-  // allocated element.  (The allocated element is still writable, and the
-  // remainder element will be protected when the allocated one is).
-  if (is_protected &&
-      !VirtualMemory::InSamePage(remainder_address - 1, remainder_address)) {
-    VirtualMemory::Protect(reinterpret_cast<void*>(remainder_address),
-                           remainder_size, VirtualMemory::kReadExecute);
+  // Postcondition: when allocating in a protected page, the fraction of the
+  // remainder element which does not share a page with the allocated element is
+  // no longer writable. This means that if the remainder's header is not fully
+  // contained in the last page of the allocation, we need to re-protect the
+  // page it ends on.
+  if (is_protected) {
+    const uword remainder_header_size =
+        FreeListElement::HeaderSizeFor(remainder_size);
+    if (!VirtualMemory::InSamePage(
+            remainder_address - 1,
+            remainder_address + remainder_header_size - 1)) {
+      VirtualMemory::Protect(
+          reinterpret_cast<void*>(
+              Utils::RoundUp(remainder_address, VirtualMemory::PageSize())),
+          remainder_address + remainder_header_size -
+              Utils::RoundUp(remainder_address, VirtualMemory::PageSize()),
+          VirtualMemory::kReadExecute);
+    }
   }
 }
 
