Oilpan: eagerly finalize WebGLRenderingContext objects.

Source/core/html/canvas/WebGLContextGroup.cpp

Index: Source/core/html/canvas/WebGLContextGroup.cpp
diff --git a/Source/core/html/canvas/WebGLContextGroup.cpp b/Source/core/html/canvas/WebGLContextGroup.cpp
index f2a9386cde2cf937014af4afbfb21b887122fd24..8a1c5bc2dd79fa847adcad7b2b4dbf49df796b24 100644
--- a/Source/core/html/canvas/WebGLContextGroup.cpp
+++ b/Source/core/html/canvas/WebGLContextGroup.cpp
@@ -28,6 +28,7 @@
 #include "core/html/canvas/WebGLContextGroup.h"
 
 #include "core/html/canvas/WebGLSharedObject.h"
+#include "platform/heap/Handle.h"
 
 namespace blink {
 
@@ -53,6 +54,58 @@ WebGraphicsContext3D* WebGLContextGroup::getAWebGraphicsContext3D()
     return (*it)->webContext();
 }
 
+#if ENABLE(OILPAN) && defined(ADDRESS_SANITIZER)
+WebGLContextGroup::UnpoisonScope::UnpoisonScope(WebGLContextGroup* context)
+    : m_context(context)
+    , m_object(nullptr)
+{
+    m_context->poisonContext(false);
+}
+
+WebGLContextGroup::UnpoisonScope::UnpoisonScope(WebGLContextGroup* context, WebGLSharedObject* object)
+    : m_context(context)
+    , m_object(object)
+{
+    m_context->poisonObject(m_object, false);
+}
+
+WebGLContextGroup::UnpoisonScope::~UnpoisonScope()
+{
+    if (!m_object) {
+        m_context->poisonContext(true);
+    } else {
+        ASSERT(m_object);
+        m_context->poisonObject(m_object, true);
+    }
+}
+
+void WebGLContextGroup::poisonContext(bool poisonIt)
+{
+    HashSet<WebGLRenderingContextBase*>::iterator it = m_contexts.begin();

[haraken, 2015/05/26 11:23:10]

I'd prefer explicitly pass in the WebGLRenderingContextBase to be
poisoned/unpoisoned instead of looking up the first WebGLRenderingContextBase
from the m_contexts.

+    WebGLRenderingContextBase* context = *it;
+    if (!Heap::willObjectBeLazilySwept(context))

[haraken, 2015/05/26 11:23:10]

Can we replace this with Heap::isHeapObjectAlive()?

poisonContext must not be called for WebGLRenderingContextBases that have been
already finalized, because they should have been already removed from
m_contexts. Thus poisonContext can be called for either of:

(a) a live WebGLRenderingContextBase
(b) a dead WebGLRenderingContextBase that is not yet finalized

For (a), Heap::willObjectBeLazilySwept returns false. For (b),
Heap::willObjectBeLazilySwept returns true. I think you can get the same result
by calling Heap::isHeapObjectAlive(). Given that Heap::willObjectBeLazilySwept
is a super hacky API, I'd prefer using Heap::isHeapObjectAlive().

[sof, 2015/05/26 11:29:47]

I'm not sure what you refer to..what is Heap::isHeapObjectAlive() ?

[haraken, 2015/05/26 11:36:08]

Oh, you're right. isHeapObjectAlive() is available via Visitor... Then it makes
sense to use Heap::willObjectBeLazilySwept().

+        return;
+
+    unsigned char* objectStart = reinterpret_cast<unsigned char*>(context);
+    if (poisonIt)
+        ASAN_POISON_MEMORY_REGION(objectStart, sizeof(WebGLRenderingContextBase));
+    else
+        ASAN_UNPOISON_MEMORY_REGION(objectStart, sizeof(WebGLRenderingContextBase));
+}
+
+void WebGLContextGroup::poisonObject(WebGLSharedObject* object, bool poisonIt)
+{
+    if (!Heap::willObjectBeLazilySwept(object))

[haraken, 2015/05/26 11:23:10]

Ditto. I'd prefer using Heap::isHeapObjectAlive().

+        return;
+
+    unsigned char* objectStart = reinterpret_cast<unsigned char*>(object);
+    if (poisonIt)
+        ASAN_POISON_MEMORY_REGION(objectStart, sizeof(WebGLSharedObject));
+    else
+        ASAN_UNPOISON_MEMORY_REGION(objectStart, sizeof(WebGLSharedObject));
+}
+#endif
+
 void WebGLContextGroup::addContext(WebGLRenderingContextBase* context)
 {
     m_contexts.add(context);
@@ -81,6 +134,9 @@ void WebGLContextGroup::detachAndRemoveAllObjects()
 {
     while (!m_groupObjects.isEmpty()) {
         HashSet<WebGLSharedObject*>::iterator it = m_groupObjects.begin();
+#if ENABLE(OILPAN) && defined(ADDRESS_SANITIZER)
+        UnpoisonScope scope(this, *it);
+#endif
         (*it)->detachContextGroup();
     }
 }