author: mark@chromium.org <mark@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-08-22 23:27:13 +0000
committer: mark@chromium.org <mark@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-08-22 23:27:13 +0000
commit: 40417dd678669799edc089eebf4227c87bb77fc0 (patch)
tree: 4ac40e954a0a4b5ba8aa83e9662bf452e6f752dc
parent: 6d780fd50a98e2f2bd5da87e2d18d6dc46f3d98a (diff)

Allocate mach_override "reentry islands" in high memory using vm_allocate,
rather than putting them in the heap using malloc. Ownership of page
protection bits in the heap is dubious.

BUG=93736
TEST=Watch the canary crashes tomorrow
Review URL: http://codereview.chromium.org/7710011

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97770 0039d316-1c4b-4281-b951-d872f2087c98

-rw-r--r-- third_party/mach_override/README.chromium  8
-rw-r--r-- third_party/mach_override/mach_override.c  2
2 files changed, 8 insertions, 2 deletions

diff --git a/third_party/mach_override/README.chromium b/third_party/mach_override/README.chromium
index 0e7e394..96b0cf7 100644
--- a/third_party/mach_override/README.chromium
+++ b/third_party/mach_override/README.chromium
@@ -19,4 +19,10 @@ implementations at run time.
Local Modifications:
-None. All local changes have been upstreamed.
+reentryIsland is allocated in high memory with vm_allocate rather than the
+heap with malloc by changing the allocation policy to kAllocateHigh. It
+appears probable that putting the reentry island in the heap causes its page
+to lose execute permission at some point under some circumstances, which
+results in a crash on Lion. This modification is temoprary to simply test
+out the theory. If proven, the code will be improved somewhat.
+http://crbug.com/93736.
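
Review bot: In the added README paragraph, "temoprary" should be "temporary", and the text calls the modification temporary without saying what result ends the experiment. Suggest stating next to the http://crbug.com/93736 reference what outcome on Lion counts as the theory being proven or disproven, so the change is either improved or backed out rather than left in place. This paragraph replaces "None. All local changes have been upstreamed.", so it is now the only record in this file that the copy diverges from upstream.
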
diff --git a/third_party/mach_override/mach_override.c b/third_party/mach_override/mach_override.c
index 8a4cf95..4768a57 100644
--- a/third_party/mach_override/mach_override.c
+++ b/third_party/mach_override/mach_override.c
@@ -267,7 +267,7 @@ mach_override_ptr(
// Optionally allocate & return the reentry island.
BranchIsland *reentryIsland = NULL;
if( !err && originalFunctionReentryIsland ) {
- err = allocateBranchIsland( &reentryIsland, kAllocateNormal, NULL);
+ err = allocateBranchIsland( &reentryIsland, kAllocateHigh, NULL);
if( !err )
*originalFunctionReentryIsland = reentryIsland;
}
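
Review bot: The changed allocateBranchIsland call for reentryIsland carries no comment explaining why it passes kAllocateHigh, so the reason for the local divergence lives only in README.chromium. A one-line comment at the call citing http://crbug.com/93736 would keep a later upstream merge from silently restoring kAllocateNormal. The hunk also does not show how reentryIsland is released on the error path; it is worth confirming that an island obtained under kAllocateHigh is freed by the deallocator that matches its allocator and not by the heap one.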