Oilpan: Validate pointers stored in Persistent

Source/platform/heap/Handle.h

 /*
  * Copyright (C) 2014 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 206 matching lines @@
 // We have to construct and destruct Persistent in the same thread.
 template<typename T>
 class Persistent : public PersistentBase<ThreadLocalPersistents<ThreadingTrait<T>::Affinity>, Persistent<T>> {
 public:
     Persistent() : m_raw(nullptr) { }
 
     Persistent(std::nullptr_t) : m_raw(nullptr) { }
 
     Persistent(T* raw) : m_raw(raw)
     {
-        ASSERT(!m_raw || ThreadStateFor<ThreadingTrait<T>::Affinity>::state()->findPageFromAddress(m_raw));
+        checkPointer();
         recordBacktrace();
     }
 
     explicit Persistent(T& raw) : m_raw(&raw)
     {
-        ASSERT(!m_raw || ThreadStateFor<ThreadingTrait<T>::Affinity>::state()->findPageFromAddress(m_raw));
+        checkPointer();
         recordBacktrace();
     }
 
-    Persistent(const Persistent& other) : m_raw(other) { recordBacktrace(); }
+    Persistent(const Persistent& other) : m_raw(other)
+    {
+        checkPointer();
+        recordBacktrace();
+    }
 
     template<typename U>
-    Persistent(const Persistent<U>& other) : m_raw(other) { recordBacktrace(); }
+    Persistent(const Persistent<U>& other) : m_raw(other)
+    {
+        checkPointer();
+        recordBacktrace();
+    }
 
     template<typename U>
-    Persistent(const Member<U>& other) : m_raw(other) { recordBacktrace(); }
+    Persistent(const Member<U>& other) : m_raw(other)
+    {
+        checkPointer();
+        recordBacktrace();
+    }
 
     template<typename U>
-    Persistent(const RawPtr<U>& other) : m_raw(other.get()) { recordBacktrace(); }
-
-    template<typename U>
-    Persistent& operator=(U* other)
+    Persistent(const RawPtr<U>& other) : m_raw(other.get())
     {
-        m_raw = other;
+        checkPointer();
         recordBacktrace();
-        return *this;
-    }
-
-    Persistent& operator=(std::nullptr_t)
-    {
-        m_raw = nullptr;
-        return *this;
     }
 
     void clear() { m_raw = nullptr; }
 
     virtual ~Persistent()
     {
         m_raw = nullptr;
     }
 
     template<typename VisitorDispatcher>
@@ skipping 16 matching lines @@
 
     T& operator*() const { return *m_raw; }
 
     bool operator!() const { return !m_raw; }
 
     operator T*() const { return m_raw; }
     operator RawPtr<T>() const { return m_raw; }
 
     T* operator->() const { return *this; }
 
+    template<typename U>
+    Persistent& operator=(U* other)
+    {
+        m_raw = other;
+        checkPointer();
+        recordBacktrace();
+        return *this;
+    }
+
+    Persistent& operator=(std::nullptr_t)
+    {
+        m_raw = nullptr;
+        return *this;
+    }
+
     Persistent& operator=(const Persistent& other)
     {
         m_raw = other;
+        checkPointer();
         recordBacktrace();
         return *this;
     }
 
     template<typename U>
     Persistent& operator=(const Persistent<U>& other)
     {
         m_raw = other;
+        checkPointer();
         recordBacktrace();
         return *this;
     }
 
     template<typename U>
     Persistent& operator=(const Member<U>& other)
     {
         m_raw = other;
+        checkPointer();
         recordBacktrace();
         return *this;
     }
 
     template<typename U>
     Persistent& operator=(const RawPtr<U>& other)
     {
         m_raw = other;
+        checkPointer();
         recordBacktrace();
         return *this;
     }
 
     T* get() const { return m_raw; }
 
 private:
+    void checkPointer()
+    {
+#if ENABLE(ASSERT)
+        if (!m_raw)
+            return;
+
+        // Heap::isHeapObjectAlive(m_raw) checks that m_raw is a traceable
+        // object. In other words, it checks that the pointer is either of:
+        //
+        //   (a) a pointer to the head of an on-heap object.
+        //   (b) a pointer to the head of an on-heap mixin object.
+        //
+        // Otherwise, Heap::isHeapObjectAlive will crash when it calls
+        // header->checkHeader().
+        Heap::isHeapObjectAlive(m_raw);
+#endif
+    }
+
 #if ENABLE(GC_PROFILING)
     void recordBacktrace()
     {
         if (m_raw)
             m_tracingName = Heap::createBacktraceString();
     }
 
     String m_tracingName;
 #else
     inline void recordBacktrace() const { }
@@ skipping 340 matching lines @@
         // as a valid pointer.
         if (reinterpret_cast<intptr_t>(m_raw) % allocationGranularity)
             return;
 
         // TODO(haraken): What we really want to check here is that the pointer
         // is a traceable object. In other words, the pointer is either of:
         //
         //   (a) a pointer to the head of an on-heap object.
         //   (b) a pointer to the head of an on-heap mixin object.
         //
-        // We can check it by calling visitor->isHeapObjectAlive(m_raw),
+        // We can check it by calling Heap::isHeapObjectAlive(m_raw),
         // but we cannot call it here because it requres to include T.h.
         // So we currently implement only the check for (a).
         if (!IsGarbageCollectedMixin<T>::value)
             HeapObjectHeader::fromPayload(m_raw)->checkHeader();
 #endif
     }
 
     T* m_raw;
 
     template<bool x, WTF::WeakHandlingFlag y, WTF::ShouldWeakPointersBeMarkedStrongly z, typename U, typename V> friend struct CollectionBackingTraceTrait;
@@ skipping 479 matching lines @@
 struct ParamStorageTraits<RawPtr<T>> : public PointerParamStorageTraits<T*, blink::IsGarbageCollectedType<T>::value> {
     static_assert(sizeof(T), "T must be fully defined");
 };
 
 template<typename T>
 PassRefPtr<T> adoptRef(blink::RefCountedGarbageCollected<T>*) = delete;
 
 } // namespace WTF
 
 #endif