Chromium Code Reviews Chromium Code Reviews
Issue 1154733002:
Oilpan: Unpoison orphaned large objects before zapping (Closed)
Base URL: svn://svn.chromium.org/blink/trunk| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2013 Google Inc. All rights reserved. | 2 * Copyright (C) 2013 Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
| 6 * met: | 6 * met: |
| 7 * | 7 * |
| 8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
| (...skipping 526 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 537 | 537 |
| 538 Heap::increaseAllocatedSpace(page->size()); | 538 Heap::increaseAllocatedSpace(page->size()); |
| 539 addToFreeList(page->payload(), page->payloadSize()); | 539 addToFreeList(page->payload(), page->payloadSize()); |
| 540 } | 540 } |
| 541 | 541 |
| 542 void NormalPageHeap::freePage(NormalPage* page) | 542 void NormalPageHeap::freePage(NormalPage* page) |
| 543 { | 543 { |
| 544 Heap::decreaseAllocatedSpace(page->size()); | 544 Heap::decreaseAllocatedSpace(page->size()); |
| 545 | 545 |
| 546 if (page->terminating()) { | 546 if (page->terminating()) { |
| 547 ASSERT(ThreadState::current()->isTerminating()); | |
| 547 // The thread is shutting down and this page is being removed as a part | 548 // The thread is shutting down and this page is being removed as a part |
| 548 // of the thread local GC. In that case the object could be traced in | 549 // of the thread local GC. In that case the object could be traced in |
| 549 // the next global GC if there is a dangling pointer from a live thread | 550 // the next global GC if there is a dangling pointer from a live thread |
| 550 // heap to this dead thread heap. To guard against this, we put the | 551 // heap to this dead thread heap. To guard against this, we put the |
| 551 // page into the orphaned page pool and zap the page memory. This | 552 // page into the orphaned page pool and zap the page memory. This |
| 552 // ensures that tracing the dangling pointer in the next global GC just | 553 // ensures that tracing the dangling pointer in the next global GC just |
| 553 // crashes instead of causing use-after-frees. After the next global | 554 // crashes instead of causing use-after-frees. After the next global |
| 554 // GC, the orphaned pages are removed. | 555 // GC, the orphaned pages are removed. |
| 555 Heap::orphanedPagePool()->addOrphanedPage(heapIndex(), page); | 556 Heap::orphanedPagePool()->addOrphanedPage(heapIndex(), page); |
| 557 ASSERT(!page->terminating()); | |
| 556 } else { | 558 } else { |
| 559 ASSERT(!ThreadState::current()->isTerminating()); | |
| 557 PageMemory* memory = page->storage(); | 560 PageMemory* memory = page->storage(); |
| 558 page->~NormalPage(); | 561 page->~NormalPage(); |
| 559 Heap::freePagePool()->addFreePage(heapIndex(), memory); | 562 Heap::freePagePool()->addFreePage(heapIndex(), memory); |
| 560 } | 563 } |
| 561 } | 564 } |
| 562 | 565 |
| 563 bool NormalPageHeap::coalesce() | 566 bool NormalPageHeap::coalesce() |
| 564 { | 567 { |
| 565 // Don't coalesce heaps if there are not enough promptly freed entries | 568 // Don't coalesce heaps if there are not enough promptly freed entries |
| 566 // to be coalesced. | 569 // to be coalesced. |
| (...skipping 352 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 919 ASSERT(ThreadState::current()->isTerminating()); | 922 ASSERT(ThreadState::current()->isTerminating()); |
| 920 // The thread is shutting down and this page is being removed as a part | 923 // The thread is shutting down and this page is being removed as a part |
| 921 // of the thread local GC. In that case the object could be traced in | 924 // of the thread local GC. In that case the object could be traced in |
| 922 // the next global GC if there is a dangling pointer from a live thread | 925 // the next global GC if there is a dangling pointer from a live thread |
| 923 // heap to this dead thread heap. To guard against this, we put the | 926 // heap to this dead thread heap. To guard against this, we put the |
| 924 // page into the orphaned page pool and zap the page memory. This | 927 // page into the orphaned page pool and zap the page memory. This |
| 925 // ensures that tracing the dangling pointer in the next global GC just | 928 // ensures that tracing the dangling pointer in the next global GC just |
| 926 // crashes instead of causing use-after-frees. After the next global | 929 // crashes instead of causing use-after-frees. After the next global |
| 927 // GC, the orphaned pages are removed. | 930 // GC, the orphaned pages are removed. |
| 928 Heap::orphanedPagePool()->addOrphanedPage(heapIndex(), object); | 931 Heap::orphanedPagePool()->addOrphanedPage(heapIndex(), object); |
| 932 ASSERT(!object->terminating()); | |
| 929 } else { | 933 } else { |
| 930 ASSERT(!ThreadState::current()->isTerminating()); | 934 ASSERT(!ThreadState::current()->isTerminating()); |
| 931 PageMemory* memory = object->storage(); | 935 PageMemory* memory = object->storage(); |
| 932 object->~LargeObjectPage(); | 936 object->~LargeObjectPage(); |
| 933 delete memory; | 937 delete memory; |
| 934 } | 938 } |
| 935 } | 939 } |
| 936 | 940 |
| 937 Address LargeObjectHeap::lazySweepPages(size_t allocationSize, size_t gcInfoInde x) | 941 Address LargeObjectHeap::lazySweepPages(size_t allocationSize, size_t gcInfoInde x) |
| 938 { | 942 { |
| (...skipping 541 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1480 #if ENABLE(GC_PROFILING) | 1484 #if ENABLE(GC_PROFILING) |
| 1481 visitor->setHostInfo(&address, "stack"); | 1485 visitor->setHostInfo(&address, "stack"); |
| 1482 #endif | 1486 #endif |
| 1483 markPointer(visitor, heapObjectHeader()); | 1487 markPointer(visitor, heapObjectHeader()); |
| 1484 } | 1488 } |
| 1485 | 1489 |
| 1486 void LargeObjectPage::markOrphaned() | 1490 void LargeObjectPage::markOrphaned() |
| 1487 { | 1491 { |
| 1488 // Zap the payload with a recognizable value to detect any incorrect | 1492 // Zap the payload with a recognizable value to detect any incorrect |
| 1489 // cross thread pointer usage. | 1493 // cross thread pointer usage. |
| 1494 #if defined(ADDRESS_SANITIZER) | |
| 1495 // This needs to zap poisoned memory as well. | |
| 1496 // Force unpoison memory before memset. | |
| 1497 ASAN_UNPOISON_MEMORY_REGION(payload(), payloadSize()); | |
|
sof
2015/05/22 05:42:07
If you pass (payload,size) as args to BasePage::ma
| |
| 1498 #endif | |
| 1490 memset(payload(), orphanedZapValue, payloadSize()); | 1499 memset(payload(), orphanedZapValue, payloadSize()); |
| 1491 BasePage::markOrphaned(); | 1500 BasePage::markOrphaned(); |
|
sof
2015/05/22 05:42:07
Why isn't it re-poisoned afterwards?
| |
| 1492 } | 1501 } |
| 1493 | 1502 |
| 1494 #if ENABLE(GC_PROFILING) | 1503 #if ENABLE(GC_PROFILING) |
| 1495 const GCInfo* LargeObjectPage::findGCInfo(Address address) | 1504 const GCInfo* LargeObjectPage::findGCInfo(Address address) |
| 1496 { | 1505 { |
| 1497 if (!containedInObjectPayload(address)) | 1506 if (!containedInObjectPayload(address)) |
| 1498 return nullptr; | 1507 return nullptr; |
| 1499 HeapObjectHeader* header = heapObjectHeader(); | 1508 HeapObjectHeader* header = heapObjectHeader(); |
| 1500 return Heap::gcInfo(header->gcInfoIndex()); | 1509 return Heap::gcInfo(header->gcInfoIndex()); |
| 1501 } | 1510 } |
| (...skipping 733 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2235 size_t Heap::s_allocatedObjectSize = 0; | 2244 size_t Heap::s_allocatedObjectSize = 0; |
| 2236 size_t Heap::s_allocatedSpace = 0; | 2245 size_t Heap::s_allocatedSpace = 0; |
| 2237 size_t Heap::s_markedObjectSize = 0; | 2246 size_t Heap::s_markedObjectSize = 0; |
| 2238 // We don't want to use 0 KB for the initial value because it may end up | 2247 // We don't want to use 0 KB for the initial value because it may end up |
| 2239 // triggering the first GC of some thread too prematurely. | 2248 // triggering the first GC of some thread too prematurely. |
| 2240 size_t Heap::s_estimatedLiveObjectSize = 512 * 1024; | 2249 size_t Heap::s_estimatedLiveObjectSize = 512 * 1024; |
| 2241 size_t Heap::s_externalObjectSizeAtLastGC = 0; | 2250 size_t Heap::s_externalObjectSizeAtLastGC = 0; |
| 2242 double Heap::s_estimatedMarkingTimePerByte = 0.0; | 2251 double Heap::s_estimatedMarkingTimePerByte = 0.0; |
| 2243 | 2252 |
| 2244 } // namespace blink | 2253 } // namespace blink |
| OLD | NEW |
