LibJS: Never give back virtual memory once it belongs to a cell type

Instead of returning HeapBlock memory to the kernel (or a non-type specific shared cache), we now keep a BlockAllocator per CellAllocator and implement "deallocation" by basically informing the kernel that we don't need the physical memory right now. This is done with MADV_FREE or MADV_DONTNEED if available, but for other platforms (including SerenityOS) we munmap and then re-mmap the memory to achieve the same effect. It's definitely clunky, so I've added a FIXME about implementing the madvise options on SerenityOS too. The important outcome of this change is that GC types that use a type-specific allocator become immune to use-after-free type confusion attacks, since their virtual addresses will only ever be re-used for the same exact type again and again. Fixes #22274
Author: https://github.com/awesomekling Commit: b6d4eea7ac Pull-request: https://github.com/SerenityOS/serenity/pull/22515 Issue: https://github.com/SerenityOS/serenity/issues/22274 Reviewed-by: https://github.com/ADKaster
2025-06-10 18:10:56 +09:00 · 2023-12-31 11:36:18 +01:00 · 2023-12-31 11:36:18 +01:00 · b6d4eea7ac · 2024-07-17 01:11:48 +09:00
commit b6d4eea7ac
parent bcb1e548f1
10 changed files with 47 additions and 36 deletions
--- a/Userland/Services/WebContent/main.cpp
+++ b/Userland/Services/WebContent/main.cpp
@ -27,7 +27,7 @@
 ErrorOr<int> serenity_main(Main::Arguments)
 {
    Core::EventLoop event_loop;
-    TRY(Core::System::pledge("stdio recvfd sendfd accept unix rpath thread proc"));
+    TRY(Core::System::pledge("stdio recvfd sendfd accept unix rpath thread proc map_fixed"));

    // This must be first; we can't check if /tmp/webdriver exists once we've unveiled other paths.
    auto webdriver_socket_path = ByteString::formatted("{}/webdriver", TRY(Core::StandardPaths::runtime_directory()));