Oilpan: Validate pointers stored in Member

Source/platform/heap/Handle.h

 /*
  * Copyright (C) 2014 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 548 matching lines @@
     Member() : m_raw(nullptr)
     {
     }
 
     Member(std::nullptr_t) : m_raw(nullptr)
     {
     }
 
     Member(T* raw) : m_raw(raw)
     {
-        // HashTable can store a special value to Member<> to represent
-        // a deleted entry. The special value is not aligned to the allocation
-        // granularity. The following ASSERT is checking that m_raw is either of:
-        //   - nullptr
-        //   - a special value to represent a deleted entry of a HashTable
-        //   - a valid pointer to the heap
-        ASSERT(!m_raw || reinterpret_cast<intptr_t>(m_raw) % allocationGranularity || Heap::findPageFromAddress(m_raw));
+        checkPointer();
     }
 
     explicit Member(T& raw) : m_raw(&raw)
     {
-        // See the comment above.
-        ASSERT(!m_raw || reinterpret_cast<intptr_t>(m_raw) % allocationGranularity || Heap::findPageFromAddress(m_raw));
+        checkPointer();
     }
 
     template<typename U>
     Member(const RawPtr<U>& other) : m_raw(other.get())
     {
+        checkPointer();
     }
 
     Member(WTF::HashTableDeletedValueType) : m_raw(reinterpret_cast<T*>(-1))
     {
     }
 
     bool isHashTableDeletedValue() const { return m_raw == reinterpret_cast<T*>(-1); }
 
     template<typename U>
-    Member(const Persistent<U>& other) : m_raw(other) { }
+    Member(const Persistent<U>& other) : m_raw(other)
+    {
+        checkPointer();
+    }
 
-    Member(const Member& other) : m_raw(other) { }
+    Member(const Member& other) : m_raw(other)
+    {
+        checkPointer();
+    }
 
     template<typename U>
-    Member(const Member<U>& other) : m_raw(other) { }
+    Member(const Member<U>& other) : m_raw(other)
+    {
+        checkPointer();
+    }
 
     T* release()
     {
         T* result = m_raw;
         m_raw = nullptr;
         return result;
     }
 
     bool operator!() const { return !m_raw; }
 
     operator T*() const { return m_raw; }
 
     T* operator->() const { return m_raw; }
     T& operator*() const { return *m_raw; }
     template<typename U>
     operator RawPtr<U>() const { return m_raw; }
 
     template<typename U>
     Member& operator=(const Persistent<U>& other)
     {
         m_raw = other;
+        checkPointer();
         return *this;
     }
 
     template<typename U>
     Member& operator=(const Member<U>& other)
     {
         m_raw = other;
+        checkPointer();
         return *this;
     }
 
     template<typename U>
     Member& operator=(U* other)
     {
         m_raw = other;
+        checkPointer();
         return *this;
     }
 
     template<typename U>
     Member& operator=(RawPtr<U> other)
     {
         m_raw = other;
+        checkPointer();
         return *this;
     }
 
     Member& operator=(std::nullptr_t)
     {
         m_raw = nullptr;
         return *this;
     }
 
-    void swap(Member<T>& other) { std::swap(m_raw, other.m_raw); }
+    void swap(Member<T>& other)
+    {
+        std::swap(m_raw, other.m_raw);
+        checkPointer();
+    }
 
     T* get() const { return m_raw; }
 
     void clear() { m_raw = nullptr; }
 
 
 protected:
+    void checkPointer()
+    {
+        if (!m_raw)
+            return;
+        // HashTable can store a special value (which is not aligned to the
+        // allocation granularity) to Member<> to represent a deleted entry.
+        // Thus we treat a pointer that is not aligned to the granularity
+        // as a valid pointer.
+        if (reinterpret_cast<intptr_t>(m_raw) % allocationGranularity)
+            return;
+
+        // TODO(haraken): What we really want to check here is that the pointer

[haraken, 2015/05/26 13:27:53]

I welcome any idea to fix this TODO.

+        // is a traceable object. In other words, the pointer is either of:
+        //
+        //   (a) a pointer to the head of an on-heap object.
+        //   (b) a pointer to the head of an on-heap mixin object.
+        //
+        // We can check it by calling visitor->isHeapObjectAlive(m_raw),
+        // but we cannot call it here because it requres to include T.h.
+        // So we currently implement only the check for (a).
+        if (!IsGarbageCollectedMixin<T>::value)
+            HeapObjectHeader::fromPayload(m_raw)->checkHeader();
+    }
+
     T* m_raw;
 
     template<bool x, WTF::WeakHandlingFlag y, WTF::ShouldWeakPointersBeMarkedStrongly z, typename U, typename V> friend struct CollectionBackingTraceTrait;
     friend class Visitor;
+
 };
 
 // WeakMember is similar to Member in that it is used to point to other oilpan
 // heap allocated objects.
 // However instead of creating a strong pointer to the object, the WeakMember creates
 // a weak pointer, which does not keep the pointee alive. Hence if all pointers to
 // to a heap allocated object are weak the object will be garbage collected. At the
 // time of GC the weak pointers will automatically be set to null.
 template<typename T>
 class WeakMember : public Member<T> {
 public:
     WeakMember() : Member<T>() { }
 
     WeakMember(std::nullptr_t) : Member<T>(nullptr) { }
 
     WeakMember(T* raw) : Member<T>(raw) { }
 
     WeakMember(WTF::HashTableDeletedValueType x) : Member<T>(x) { }
 
     template<typename U>
     WeakMember(const Persistent<U>& other) : Member<T>(other) { }
 
     template<typename U>
     WeakMember(const Member<U>& other) : Member<T>(other) { }
 
     template<typename U>
     WeakMember& operator=(const Persistent<U>& other)
     {
         this->m_raw = other;
+        this->checkPointer();
         return *this;
     }
 
     template<typename U>
     WeakMember& operator=(const Member<U>& other)
     {
         this->m_raw = other;
+        this->checkPointer();
         return *this;
     }
 
     template<typename U>
     WeakMember& operator=(U* other)
     {
         this->m_raw = other;
+        this->checkPointer();
         return *this;
     }
 
     template<typename U>
     WeakMember& operator=(const RawPtr<U>& other)
     {
         this->m_raw = other;
+        this->checkPointer();
         return *this;
     }
 
     WeakMember& operator=(std::nullptr_t)
     {
         this->m_raw = nullptr;
         return *this;
     }
 
 private:
@@ skipping 413 matching lines @@
 struct ParamStorageTraits<RawPtr<T>> : public PointerParamStorageTraits<T*, blink::IsGarbageCollectedType<T>::value> {
     static_assert(sizeof(T), "T must be fully defined");
 };
 
 template<typename T>
 PassRefPtr<T> adoptRef(blink::RefCountedGarbageCollected<T>*) = delete;
 
 } // namespace WTF
 
 #endif