--- libmalloc/libmalloc-474.0.13/src/vm.c
+++ libmalloc/libmalloc-521.100.59/src/vm.c
@@ -23,9 +23,11 @@
#include "internal.h"
+#if !MALLOC_TARGET_EXCLAVES
static volatile uintptr_t entropic_address = 0;
static volatile uintptr_t entropic_base = 0;
static volatile uintptr_t entropic_limit = 0;
+#endif // !MALLOC_TARGET_EXCLAVES
MALLOC_NOEXPORT
uint64_t malloc_entropy[2] = {0, 0};
@@ -44,7 +46,9 @@
mvm_aslr_init(void)
{
// Prepare ASLR
-#if defined(__i386__) || defined(__x86_64__) || defined(__arm64__) || TARGET_OS_DRIVERKIT || (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
+#if MALLOC_TARGET_EXCLAVES
+ arc4random_buf(malloc_entropy, sizeof(malloc_entropy));
+#elif defined(__i386__) || defined(__x86_64__) || defined(__arm64__) || TARGET_OS_DRIVERKIT || (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
#if defined(__i386__)
uintptr_t stackbase = 0x8fe00000;
int entropic_bits = 3;
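Review bot: The new exclaves branch fills malloc_entropy from arc4random_buf with no comment on why the stack-address-derived scheme the other targets use (entropic_address/entropic_base/entropic_limit, compiled out for exclaves in the earlier hunk) does not apply, or on whether arc4random_buf is guaranteed to be seeded this early in process start-up on that target; neither is visible from the hunk, so the second is a question rather than a finding. A one-line comment above the call such as `// Exclaves: no stack-address entropy source; take both words from the system RNG directly` would let a reader verify the intent without chasing the other branches. mvm_aslr_init's body continues past the hunk, so the remaining per-architecture cases are not reviewed here.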
@@ -107,8 +111,73 @@
}
void *
-mvm_allocate_pages(size_t size, unsigned char align, uint32_t debug_flags,
- int vm_page_label) {
+mvm_allocate_plat(uintptr_t addr, size_t size, uint8_t align, int flags, int debug_flags, int vm_page_label, plat_map_t *map_out)
+{
+ if (addr && (flags & VM_FLAGS_ANYWHERE)) {
+ // Pass MALLOC_ABORT_ON_ERROR to make this call abort
+ malloc_zone_error(MALLOC_ABORT_ON_ERROR | debug_flags, false,
+ "Unsupported anywhere allocation at address 0x%lx of size 0x%lx with flags %d\n",
+ (unsigned long) addr, (unsigned long) size, flags);
+ }
+#if MALLOC_TARGET_EXCLAVES
+ // This call can have different behavior depending on `flags` and `map_out`:
+ // 1. If the input handle is invalid and MALLOC_NO_POPULATE is not present,
+ // the handle is initialized and memory is both reserved and populated
+ // 2. If the input handle is invalid and MALLOC_NO_POPULATE is present,
+ // the handle is initialized and memory is only reserved
+ // 3. If the input handle is valid and MALLOC_NO_POPULATE is not present,
+ // memory is populated
+ const _liblibc_map_type_t type = LIBLIBC_MAP_TYPE_PRIVATE |
+ ((flags & VM_FLAGS_ANYWHERE) ? LIBLIBC_MAP_TYPE_NONE : LIBLIBC_MAP_TYPE_FIXED) |
+ ((debug_flags & MALLOC_NO_POPULATE) ? LIBLIBC_MAP_TYPE_NOCOMMIT : LIBLIBC_MAP_TYPE_NONE) |
+ ((debug_flags & DISABLE_ASLR) ? LIBLIBC_MAP_TYPE_NORAND : LIBLIBC_MAP_TYPE_NONE);
+ const _liblibc_map_perm_t perm = LIBLIBC_MAP_PERM_READ | LIBLIBC_MAP_PERM_WRITE;
+ void * __unsafe_indexable map = mmap_plat(map_out, addr, size, perm,
+ type, align, (unsigned)vm_page_label);
+ if (!map) {
+ malloc_zone_error(debug_flags, false,
+ "Failed to allocate memory at address 0x%lx of size 0x%lx with flags %d\n", addr, size, flags);
+ }
+ return __unsafe_forge_bidi_indexable(void *, map, size);
+#else
+ (void)map_out;
+ if (debug_flags & MALLOC_NO_POPULATE) {
+ // Pass MALLOC_ABORT_ON_ERROR to make this call abort
+ malloc_zone_error(MALLOC_ABORT_ON_ERROR | debug_flags, false,
+ "Unsupported unpopulated allocation at address 0x%lx of size 0x%lx with flags %d\n",
+ (unsigned long) addr, (unsigned long) size, flags);
+ }
+ mach_vm_address_t vm_addr = addr;
+ mach_vm_offset_t allocation_mask = ((mach_vm_offset_t)1 << align) - 1;
+ kern_return_t kr = mach_vm_map(mach_task_self(), &vm_addr,
+ (mach_vm_size_t)size, allocation_mask,
+ flags | VM_MAKE_TAG(vm_page_label), MEMORY_OBJECT_NULL, 0, FALSE,
+ VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
+ if (kr) {
+ malloc_zone_error(debug_flags, false,
+ "Failed to allocate memory at address 0x%lx of size 0x%lx with flags %d\n",
+ (unsigned long) addr, (unsigned long) size, flags);
+ return NULL;
+ }
+ return __unsafe_forge_bidi_indexable(void *, vm_addr, size);
+#endif // MALLOC_TARGET_EXCLAVES
+}
+
+void *
+mvm_allocate_pages(size_t size, uint8_t align, uint32_t debug_flags,
+ int vm_page_label)
+{
+ return mvm_allocate_pages_plat(size, align, debug_flags, vm_page_label, NULL);
+}
+
+void *
+mvm_allocate_pages_plat(size_t size, uint8_t align, uint32_t debug_flags,
+ int vm_page_label, plat_map_t *map_out)
+{
+#if MALLOC_TARGET_EXCLAVES
+ return mvm_allocate_plat(0, size, align, VM_FLAGS_ANYWHERE, debug_flags, vm_page_label, map_out);
+#else
+ (void)map_out;
boolean_t add_prelude_guard_page = debug_flags & MALLOC_ADD_PRELUDE_GUARD_PAGE;
boolean_t add_postlude_guard_page = debug_flags & MALLOC_ADD_POSTLUDE_GUARD_PAGE;
boolean_t purgeable = debug_flags & MALLOC_PURGEABLE;
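Review bot: On exclaves, mvm_allocate_pages_plat forwards debug_flags straight into mvm_allocate_plat, whose exclaves branch only looks at MALLOC_NO_POPULATE and DISABLE_ASLR, so an allocation requested with MALLOC_ADD_PRELUDE_GUARD_PAGE, MALLOC_ADD_POSTLUDE_GUARD_PAGE or MALLOC_PURGEABLE silently succeeds with no guard pages, while the matching mvm_deallocate_pages_plat (next hunk) aborts on exactly those flags. That asymmetry means a caller relying on guard pages gets unguarded memory until free time, when it crashes instead; the allocation side should reject the same set up front, e.g. in the exclaves branch of mvm_allocate_pages_plat: `if (debug_flags & (MALLOC_ADD_GUARD_PAGE_FLAGS | MALLOC_PURGEABLE)) {` / `malloc_zone_error(MALLOC_ABORT_ON_ERROR | debug_flags, true, "Unsupported allocation debug flags %u\n", debug_flags);` / `}`. As a smaller point, the exclaves failure message in mvm_allocate_plat prints addr and size with %lx without the (unsigned long) casts the Mach branch uses three lines later. The non-exclaves body of mvm_allocate_pages_plat runs past the end of this hunk.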
@@ -224,19 +293,54 @@
} else if (add_prelude_guard_page) {
addr += large_vm_page_quanta_size;
}
- mvm_protect((void *)addr, size, PROT_NONE, debug_flags);
+ mvm_protect_plat((void *)addr, size, PROT_NONE, debug_flags, map_out);
}
return (void *)addr;
+#endif // MALLOC_TARGET_EXCLAVES
}
void
-mvm_deallocate_pages(void *addr, size_t size, unsigned debug_flags)
-{
+mvm_deallocate_plat(void * __sized_by(size) addr, size_t size, int debug_flags, plat_map_t *map)
+{
+#if MALLOC_TARGET_EXCLAVES
+ if (!munmap_plat(map, addr, size)) {
+ malloc_zone_error(debug_flags, false,
+ "Failed to deallocate at address %p of size 0x%lx\n", addr, size);
+ }
+#else
+ (void)map;
+ kern_return_t kr = mach_vm_deallocate(mach_task_self(),
+ (mach_vm_address_t)addr, (mach_vm_size_t)size);
+ if (kr) {
+ malloc_zone_error(debug_flags, false,
+ "Failed to deallocate at address %p of size 0x%lx\n", addr, size);
+ }
+#endif // MALLOC_TARGET_EXCLAVES
+}
+
+void
+mvm_deallocate_pages(void * __sized_by(size) addr, size_t size,
+ unsigned debug_flags)
+{
+ mvm_deallocate_pages_plat(addr, size, debug_flags, NULL);
+}
+
+void
+mvm_deallocate_pages_plat(void * __sized_by(size) addr, size_t size,
+ unsigned debug_flags, plat_map_t *map)
+{
+#if MALLOC_TARGET_EXCLAVES
+ if (debug_flags & (MALLOC_ADD_GUARD_PAGE_FLAGS | MALLOC_PURGEABLE)) {
+ malloc_zone_error(MALLOC_ABORT_ON_ERROR | debug_flags, true,
+ "Unsupported deallocation debug flags %u\n", debug_flags);
+ }
+ mvm_deallocate_plat(addr, size, debug_flags, map);
+#else
+ (void)map;
boolean_t added_prelude_guard_page = debug_flags & MALLOC_ADD_PRELUDE_GUARD_PAGE;
boolean_t added_postlude_guard_page = debug_flags & MALLOC_ADD_POSTLUDE_GUARD_PAGE;
mach_vm_address_t vm_addr = (mach_vm_address_t)addr;
mach_vm_size_t allocation_size = size;
- kern_return_t kr;
if (added_prelude_guard_page) {
vm_addr -= large_vm_page_quanta_size;
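Review bot: mvm_deallocate_plat declares debug_flags as `int` while its only callers, mvm_deallocate_pages_plat and mvm_deallocate_pages, take `unsigned`, and mvm_allocate_plat likewise takes `int` where mvm_allocate_pages takes `uint32_t`; the flag words are bit-masks, so the signed type is misleading and the implicit conversion at each call will trip -Wsign-conversion. Keeping the `_plat` signatures at `unsigned debug_flags` would match the rest of the file and the `%u` used to print them. The Mach branch of mvm_deallocate_pages_plat continues past the end of this hunk.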
@@ -245,15 +349,37 @@
if (added_postlude_guard_page) {
allocation_size += large_vm_page_quanta_size;
}
- kr = mach_vm_deallocate(mach_task_self(), vm_addr, allocation_size);
- if (kr) {
- malloc_zone_error(debug_flags, false, "Can't deallocate_pages region at %p\n", addr);
- }
+ mvm_deallocate_plat(__unsafe_forge_bidi_indexable(void *, vm_addr,
+ allocation_size), (size_t)allocation_size, debug_flags, NULL);
+#endif // MALLOC_TARGET_EXCLAVES
}
void
-mvm_protect(void *address, size_t size, unsigned protection, unsigned debug_flags)
-{
+mvm_protect(void * __sized_by(size) address, size_t size, unsigned protection,
+ unsigned debug_flags)
+{
+ mvm_protect_plat(address, size, protection, debug_flags, NULL);
+}
+
+void
+mvm_protect_plat(void * __sized_by(size) address, size_t size, unsigned protection,
+ unsigned debug_flags, plat_map_t *map)
+{
+#if MALLOC_TARGET_EXCLAVES
+ const _liblibc_map_perm_t perm =
+ ((protection & PROT_READ) ? LIBLIBC_MAP_PERM_READ : LIBLIBC_MAP_PERM_NONE) |
+ ((protection & PROT_WRITE) ? LIBLIBC_MAP_PERM_WRITE : LIBLIBC_MAP_PERM_NONE) |
+ ((protection & PROT_EXEC) ? LIBLIBC_MAP_PERM_EXECUTE : LIBLIBC_MAP_PERM_NONE);
+ if (debug_flags & (MALLOC_ADD_GUARD_PAGE_FLAGS | MALLOC_PURGEABLE)) {
+ malloc_zone_error(MALLOC_ABORT_ON_ERROR | debug_flags, true,
+ "Unsupported deallocation debug flags %u\n", debug_flags);
+ }
+ if (!mprotect_plat(map, address, size, perm)) {
+ malloc_zone_error(MALLOC_ABORT_ON_ERROR | debug_flags, true,
+ "Unsupported deallocation address %p or size %lu\n", address, size);
+ }
+#else
+ (void)map;
kern_return_t err;
if ((debug_flags & MALLOC_ADD_PRELUDE_GUARD_PAGE) && !(debug_flags & MALLOC_DONT_PROTECT_PRELUDE)) {
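Review bot: Both abort messages in the exclaves branch of mvm_protect_plat talk about deallocation, although the function is changing protections: `"Unsupported deallocation debug flags %u\n"` and `"Unsupported deallocation address %p or size %lu\n"` look copied from mvm_deallocate_pages_plat and will send whoever reads the crash log to the wrong function. Suggest `"Unsupported protect debug flags %u\n"` and `"Failed to protect address %p of size %lu with protection %u\n"` (adding `protection` to the argument list), and `%zu` for the size_t. Aborting when mprotect_plat fails is the right call, since a guard page left readable or writable would silently defeat the check it exists for. The Mach branch of this function continues past the end of the hunk.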
@@ -270,16 +396,52 @@
(void *)((uintptr_t)address + size));
}
}
+#endif // MALLOC_TARGET_EXCLAVES
+}
+
+int
+mvm_madvise(void * __sized_by(sz) addr, size_t sz, int advice, unsigned debug_flags)
+{
+ return mvm_madvise_plat(addr, sz, advice, debug_flags, NULL);
+}
+
+int
+mvm_madvise_plat(void * __sized_by(sz) addr, size_t sz, int advice, unsigned debug_flags, plat_map_t *map)
+{
+#if MALLOC_TARGET_EXCLAVES
+ if (!(advice == MADV_FREE || advice == MADV_FREE_REUSABLE) ||
+ (debug_flags & (MALLOC_ADD_GUARD_PAGE_FLAGS | MALLOC_PURGEABLE))) {
+ malloc_zone_error(MALLOC_ABORT_ON_ERROR | debug_flags, true,
+ "Unsupported allocation advice %d or debug flags %u\n", advice, debug_flags);
+ }
+
+ if (!madvise_plat(map, addr, sz, LIBLIBC_MAP_HINT_UNUSED)) {
+ return 1;
+ }
+#else
+ (void)map;
+ if (madvise(addr, sz, advice) == -1) {
+ return 1;
+ }
+#endif // MALLOC_TARGET_EXCLAVES
+ return 0;
}
int
mvm_madvise_free(void *rack, void *r, uintptr_t pgLo, uintptr_t pgHi, uintptr_t *last, boolean_t scribble)
{
+ return mvm_madvise_free_plat(rack, r, pgLo, pgHi, last, scribble, NULL);
+}
+
+int
+mvm_madvise_free_plat(void *rack, void *r, uintptr_t pgLo, uintptr_t pgHi, uintptr_t *last, boolean_t scribble, plat_map_t *map)
+{
if (pgHi > pgLo) {
size_t len = pgHi - pgLo;
+ void *ptr = __unsafe_forge_bidi_indexable(void *, pgLo, len);
if (scribble && malloc_zero_policy != MALLOC_ZERO_ON_FREE) {
- memset((void *)pgLo, SCRUBBLE_BYTE, len); // Scribble on MADV_FREEd memory
+ memset(ptr, SCRUBBLE_BYTE, len); // Scribble on MADV_FREEd memory
}
#if MALLOC_TARGET_IOS
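Review bot: mvm_madvise and mvm_madvise_plat return 1 on failure rather than the -1/errno convention of madvise(2) they wrap, and neither carries a comment saying so; the previous call site in mvm_madvise_free compared against -1, so a future caller ported the same way would never see the failure. Add above mvm_madvise: `// Returns 0 on success and 1 on failure (not -1/errno like madvise(2)). On exclaves only MADV_FREE and MADV_FREE_REUSABLE are accepted, both mapped to LIBLIBC_MAP_HINT_UNUSED; anything else aborts.` The exclaves branch also returns 1 from a failed madvise_plat with no diagnostic, unlike the DEBUG_MADVISE logging on the Mach side; that may be deliberate but is worth a line. mvm_madvise_free_plat's body continues into the next hunk.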
@@ -292,18 +454,24 @@
}
#endif // MALLOC_TARGET_IOS
+#if MALLOC_TARGET_EXCLAVES
+ if (mvm_madvise_plat(ptr, len, CONFIG_MADVISE_STYLE, 0, map)) {
+ return 1;
+ }
+#else
MAGMALLOC_MADVFREEREGION(rack, r, (void *)pgLo, (int)len); // DTrace USDT Probe
- if (-1 == madvise((void *)pgLo, len, CONFIG_MADVISE_STYLE)) {
+ if (mvm_madvise(ptr, len, CONFIG_MADVISE_STYLE, 0)) {
/* -1 return: VM map entry change makes this unfit for reuse. Something evil lurks. */
#if DEBUG_MADVISE
malloc_zone_error(NULL, false,
"madvise_free_range madvise(..., MADV_FREE_REUSABLE) failed for %p, length=%d\n",
(void *)pgLo, len);
-#endif
+#endif // DEBUG_MADVISE
return 1;
} else {
MALLOC_TRACE(TRACE_madvise, (uintptr_t)r, (uintptr_t)pgLo, len, CONFIG_MADVISE_STYLE);
}
+#endif // MALLOC_TARGET_EXCLAVES
}
return 0;
}
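Review bot: The retained comment `/* -1 return: VM map entry change makes this unfit for reuse. Something evil lurks. */` is now stale, since the condition above it calls mvm_madvise, which returns 1 on failure (previous hunk), not -1; suggest `/* nonzero return: VM map entry change makes this unfit for reuse. Something evil lurks. */`. The DEBUG_MADVISE message on the same path names MADV_FREE_REUSABLE while the advice actually passed is CONFIG_MADVISE_STYLE, and prints the size_t `len` with `%d`; both are pre-existing but now sit next to fresh code and could be fixed in passing. On exclaves the MAGMALLOC_MADVFREEREGION probe and MALLOC_TRACE are skipped entirely, which is presumably because those facilities do not exist there, but a one-line comment would save the next reader from checking.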
@@ -347,7 +515,8 @@
ptr -= large_vm_page_quanta_size;
}
_malloc_lock_lock(&reclaim_buffer_lock);
- id = mach_vm_reclaim_mark_free(&reclaim_buffer, ptr, size, &should_update_kernel_accounting);
+ id = mach_vm_reclaim_mark_free(&reclaim_buffer, ptr, size,
+ MACH_VM_RECLAIM_DEALLOCATE, &should_update_kernel_accounting);
_malloc_lock_unlock(&reclaim_buffer_lock);
if (should_update_kernel_accounting) {
mach_vm_reclaim_update_kernel_accounting(&reclaim_buffer);