Oilpan: Unpoison orphaned large objects before zapping

Source/platform/heap/Heap.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 526 matching lines @@
 
     Heap::increaseAllocatedSpace(page->size());
     addToFreeList(page->payload(), page->payloadSize());
 }
 
 void NormalPageHeap::freePage(NormalPage* page)
 {
     Heap::decreaseAllocatedSpace(page->size());
 
     if (page->terminating()) {
+        ASSERT(ThreadState::current()->isTerminating());
         // The thread is shutting down and this page is being removed as a part
         // of the thread local GC.  In that case the object could be traced in
         // the next global GC if there is a dangling pointer from a live thread
         // heap to this dead thread heap.  To guard against this, we put the
         // page into the orphaned page pool and zap the page memory.  This
         // ensures that tracing the dangling pointer in the next global GC just
         // crashes instead of causing use-after-frees.  After the next global
         // GC, the orphaned pages are removed.
         Heap::orphanedPagePool()->addOrphanedPage(heapIndex(), page);
+        ASSERT(!page->terminating());
     } else {
+        ASSERT(!ThreadState::current()->isTerminating());
         PageMemory* memory = page->storage();
         page->~NormalPage();
         Heap::freePagePool()->addFreePage(heapIndex(), memory);
     }
 }
 
 bool NormalPageHeap::coalesce()
 {
     // Don't coalesce heaps if there are not enough promptly freed entries
     // to be coalesced.
@@ skipping 352 matching lines @@
         ASSERT(ThreadState::current()->isTerminating());
         // The thread is shutting down and this page is being removed as a part
         // of the thread local GC.  In that case the object could be traced in
         // the next global GC if there is a dangling pointer from a live thread
         // heap to this dead thread heap.  To guard against this, we put the
         // page into the orphaned page pool and zap the page memory.  This
         // ensures that tracing the dangling pointer in the next global GC just
         // crashes instead of causing use-after-frees.  After the next global
         // GC, the orphaned pages are removed.
         Heap::orphanedPagePool()->addOrphanedPage(heapIndex(), object);
+        ASSERT(!object->terminating());
     } else {
         ASSERT(!ThreadState::current()->isTerminating());
         PageMemory* memory = object->storage();
         object->~LargeObjectPage();
         delete memory;
     }
 }
 
 Address LargeObjectHeap::lazySweepPages(size_t allocationSize, size_t gcInfoIndex)
 {
@@ skipping 366 matching lines @@
     ASSERT(contains(address));
     HeapObjectHeader* header = findHeaderFromAddress(address);
     if (!header || header->isDead())
         return;
 #if ENABLE(GC_PROFILING)
     visitor->setHostInfo(&address, "stack");
 #endif
     markPointer(visitor, header);
 }
 
+static void zapOrphanedPage(void* payload, size_t payloadSize)
+{
+#if defined(ADDRESS_SANITIZER)
+    // Unpoison memory before memset.
+    ASAN_UNPOISON_MEMORY_REGION(payload(), payloadSize());
+#endif
+    // Zap the payload with a recognizable value to detect any incorrect
+    // cross thread pointer usage.
+    memset(payload, orphanedZapValue, payloadSize);
+#if defined(ADDRESS_SANITIZER)
+    // Poison the memory again.
+    ASAN_UNPOISON_MEMORY_REGION(payload(), payloadSize());
+#endif
+}
+
 void NormalPage::markOrphaned()
 {
-    // Zap the payload with a recognizable value to detect any incorrect
-    // cross thread pointer usage.
-#if defined(ADDRESS_SANITIZER)
-    // This needs to zap poisoned memory as well.
-    // Force unpoison memory before memset.
-    ASAN_UNPOISON_MEMORY_REGION(payload(), payloadSize());
-#endif
-    memset(payload(), orphanedZapValue, payloadSize());
+    zapOrphanedPage(payload(), payloadSize());
     BasePage::markOrphaned();
 }
 
 #if ENABLE(GC_PROFILING)
 const GCInfo* NormalPage::findGCInfo(Address address)
 {
     if (address < payload())
         return nullptr;
 
     HeapObjectHeader* header = findHeaderFromAddress(address);
@@ skipping 143 matching lines @@
     if (!containedInObjectPayload(address) || heapObjectHeader()->isDead())
         return;
 #if ENABLE(GC_PROFILING)
     visitor->setHostInfo(&address, "stack");
 #endif
     markPointer(visitor, heapObjectHeader());
 }
 
 void LargeObjectPage::markOrphaned()
 {
-    // Zap the payload with a recognizable value to detect any incorrect
-    // cross thread pointer usage.
-    memset(payload(), orphanedZapValue, payloadSize());
+    zapOrphanedPage(payload(), payloadSize());
     BasePage::markOrphaned();
 }
 
 #if ENABLE(GC_PROFILING)
 const GCInfo* LargeObjectPage::findGCInfo(Address address)
 {
     if (!containedInObjectPayload(address))
         return nullptr;
     HeapObjectHeader* header = heapObjectHeader();
     return Heap::gcInfo(header->gcInfoIndex());
@@ skipping 734 matching lines @@
 size_t Heap::s_allocatedObjectSize = 0;
 size_t Heap::s_allocatedSpace = 0;
 size_t Heap::s_markedObjectSize = 0;
 // We don't want to use 0 KB for the initial value because it may end up
 // triggering the first GC of some thread too prematurely.
 size_t Heap::s_estimatedLiveObjectSize = 512 * 1024;
 size_t Heap::s_externalObjectSizeAtLastGC = 0;
 double Heap::s_estimatedMarkingTimePerByte = 0.0;
 
 } // namespace blink