Oilpan: In ASan, poison all unmarked objects before start sweeping

Source/platform/heap/Heap.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 366 matching lines @@
     BasePage* next() const { return m_next; }
 
     // virtual methods are slow. So performance-sensitive methods
     // should be defined as non-virtual methods on NormalPage and LargeObjectPage.
     // The following methods are not performance-sensitive.
     virtual size_t objectPayloadSizeForTesting() = 0;
     virtual bool isEmpty() = 0;
     virtual void removeFromHeap() = 0;
     virtual void sweep() = 0;
     virtual void markUnmarkedObjectsDead() = 0;
+#if defined(ADDRESS_SANITIZER)
+    virtual void poisonUnmarkedObjects() = 0;
+#endif
     // Check if the given address points to an object in this
     // heap page. If so, find the start of that object and mark it
     // using the given Visitor. Otherwise do nothing. The pointer must
     // be within the same aligned blinkPageSize as the this-pointer.
     //
     // This is used during conservative stack scanning to
     // conservatively mark all objects that could be referenced from
     // the stack.
     virtual void checkAndMarkPointer(Visitor*, Address) = 0;
     virtual void markOrphaned();
@@ skipping 64 matching lines @@
     bool containedInObjectPayload(Address address)
     {
         return payload() <= address && address < payloadEnd();
     }
 
     virtual size_t objectPayloadSizeForTesting() override;
     virtual bool isEmpty() override;
     virtual void removeFromHeap() override;
     virtual void sweep() override;
     virtual void markUnmarkedObjectsDead() override;
+#if defined(ADDRESS_SANITIZER)
+    virtual void poisonUnmarkedObjects() override;
+#endif
     virtual void checkAndMarkPointer(Visitor*, Address) override;
     virtual void markOrphaned() override;
 #if ENABLE(GC_PROFILING)
     const GCInfo* findGCInfo(Address) override;
     void snapshot(TracedValue*, ThreadState::SnapshotInfo*) override;
     void incrementMarkedObjectsAge() override;
     void countMarkedObjects(ClassAgeCountsMap&) override;
     void countObjectsToSweep(ClassAgeCountsMap&) override;
 #endif
 #if ENABLE(ASSERT) || ENABLE(GC_PROFILING)
     // Returns true for the whole blinkPageSize page that the page is on, even
     // for the header, and the unmapped guard page at the start. That ensures
     // the result can be used to populate the negative page cache.
     virtual bool contains(Address) override;
 #endif
     virtual size_t size() override { return blinkPageSize; }
     static size_t pageHeaderSize()
     {
         // Compute the amount of padding we have to add to a header to make
         // the size of the header plus the padding a multiple of 8 bytes.
         size_t paddingSize = (sizeof(NormalPage) + allocationGranularity - (sizeof(HeapObjectHeader) % allocationGranularity)) % allocationGranularity;
         return sizeof(NormalPage) + paddingSize;
     }
 
 
     NormalPageHeap* heapForNormalPage();
     void clearObjectStartBitMap();
 
-#if defined(ADDRESS_SANITIZER)
-    void poisonUnmarkedObjects();
-#endif
-
 private:
     HeapObjectHeader* findHeaderFromAddress(Address);
     void populateObjectStartBitMap();
     bool isObjectStartBitMapComputed() { return m_objectStartBitMapComputed; }
 
     bool m_objectStartBitMapComputed;
     uint8_t m_objectStartBitMap[reservedForObjectBitMap];
 };
 
 // Large allocations are allocated as separate objects and linked in a list.
@@ skipping 11 matching lines @@
     bool containedInObjectPayload(Address address)
     {
         return payload() <= address && address < payloadEnd();
     }
 
     virtual size_t objectPayloadSizeForTesting() override;
     virtual bool isEmpty() override;
     virtual void removeFromHeap() override;
     virtual void sweep() override;
     virtual void markUnmarkedObjectsDead() override;
+#if defined(ADDRESS_SANITIZER)
+    virtual void poisonUnmarkedObjects() override;
+#endif
     virtual void checkAndMarkPointer(Visitor*, Address) override;
     virtual void markOrphaned() override;
 
 #if ENABLE(GC_PROFILING)
     const GCInfo* findGCInfo(Address) override;
     void snapshot(TracedValue*, ThreadState::SnapshotInfo*) override;
     void incrementMarkedObjectsAge() override;
     void countMarkedObjects(ClassAgeCountsMap&) override;
     void countObjectsToSweep(ClassAgeCountsMap&) override;
 #endif
@@ skipping 190 matching lines @@
 #endif
 
     virtual void clearFreeLists() { }
     void makeConsistentForSweeping();
 #if ENABLE(ASSERT)
     virtual bool isConsistentForSweeping() = 0;
 #endif
     size_t objectPayloadSizeForTesting();
     void prepareHeapForTermination();
     void prepareForSweep();
+#if defined(ADDRESS_SANITIZER)
+    void poisonUnmarkedObjects();
+#endif
     Address lazySweep(size_t, size_t gcInfoIndex);
     void sweepUnsweptPage();
     // Returns true if we have swept all pages within the deadline.
     // Returns false otherwise.
     bool lazySweepWithDeadline(double deadlineSeconds);
     void completeSweep();
 
     ThreadState* threadState() { return m_threadState; }
     int heapIndex() const { return m_index; }
 
@@ skipping 1290 matching lines @@
     Value* table = reinterpret_cast<Value*>(pointer);
     for (unsigned i = 0; i < length; ++i) {
         if (!Table::isEmptyOrDeletedBucket(table[i]))
             table[i].~Value();
     }
 }
 
 } // namespace blink
 
 #endif // Heap_h