Google has recently analyzed the use of MiraclePTR (raw_ptr) to protect against vulnerabilities caused by accessing freed memory areas. MiraclePTR adds additional checks and performs emergency completion of work when accessing released memory areas. Starting in May 2022 (Chrome 102), MiraclePTR support was enabled by default on Windows and Android platforms, and in June 2023 on ChromeOS, Linux, and MacOS platforms. However, MiraclePTR protection is not applied to the Renderer process responsible for rendering.
After analyzing vulnerability reports, emergency completion of work, safety incidents, and Fuzzing testing results, Google found that MiraclePTR has been effective in addressing 57% of USE-AFTER-FREE vulnerabilities. This was achieved by applying MiraclePTR to class fields and callback parameters.
It is also worth noting that 5 out of the 6 critical vulnerabilities discovered in the stable branch of Chrome over the past year were identified through the study of emergency completion reports related to the use of MiraclePtr.
However, the use of MiraclePTR does come at a cost. It increases memory consumption due to the need to store an additional 4 bytes for link counters. The main browser process experiences a 5.5-8% increase in memory consumption in desktop assemblies and a 2% increase in the Android version. On average, memory consumption for all processes increases by 1-3%. Additionally, the use of MiraclePTR may lead to some regressions not directly affecting key metrics such as loading and drawing time. Some identified regressions include a 1.5% delay in the first input on Chrome OS, a 1.5% slowdown in opening the Android platform, and a higher likelihood of input delay due to competition in the main thread, increasing the probability by 10% in the 99th percentile.