Source/platform/heap/Heap.cpp - Issue 1154733002: Oilpan: Unpoison orphaned large objects before zapping

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: Source/platform/heap/Heap.cpp

Issue 1154733002: Oilpan: Unpoison orphaned large objects before zapping (Closed) Base URL: svn://svn.chromium.org/blink/trunk

Patch Set: Created 5 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: Source/platform/heap/Heap.cpp

diff --git a/Source/platform/heap/Heap.cpp b/Source/platform/heap/Heap.cpp

index 3fef547f1660fe8dc9a2fddf735d751d6e8f191d..2230a2dbd9867866b9eeb302dfd7c2845d9c6abb 100644

--- a/Source/platform/heap/Heap.cpp

+++ b/Source/platform/heap/Heap.cpp

@@ -544,6 +544,7 @@ void NormalPageHeap::freePage(NormalPage* page)

Heap::decreaseAllocatedSpace(page->size());

if (page->terminating()) {

+ ASSERT(ThreadState::current()->isTerminating());

// The thread is shutting down and this page is being removed as a part

// of the thread local GC. In that case the object could be traced in

// the next global GC if there is a dangling pointer from a live thread

@@ -553,7 +554,9 @@ void NormalPageHeap::freePage(NormalPage* page)

// crashes instead of causing use-after-frees. After the next global

// GC, the orphaned pages are removed.

Heap::orphanedPagePool()->addOrphanedPage(heapIndex(), page);

+ ASSERT(!page->terminating());

} else {

+ ASSERT(!ThreadState::current()->isTerminating());

PageMemory* memory = page->storage();

page->~NormalPage();

Heap::freePagePool()->addFreePage(heapIndex(), memory);

@@ -926,6 +929,7 @@ void LargeObjectHeap::freeLargeObjectPage(LargeObjectPage* object)

// crashes instead of causing use-after-frees. After the next global

// GC, the orphaned pages are removed.

Heap::orphanedPagePool()->addOrphanedPage(heapIndex(), object);

+ ASSERT(!object->terminating());

} else {

ASSERT(!ThreadState::current()->isTerminating());

PageMemory* memory = object->storage();

@@ -1487,6 +1491,11 @@ void LargeObjectPage::markOrphaned()

{

// Zap the payload with a recognizable value to detect any incorrect

// cross thread pointer usage.

+#if defined(ADDRESS_SANITIZER)

+ // This needs to zap poisoned memory as well.

+ // Force unpoison memory before memset.

+ ASAN_UNPOISON_MEMORY_REGION(payload(), payloadSize());

sof 2015/05/22 05:42:07 If you pass (payload,size) as args to BasePage::ma

+#endif

memset(payload(), orphanedZapValue, payloadSize());

BasePage::markOrphaned();

sof 2015/05/22 05:42:07 Why isn't it re-poisoned afterwards?

}

« no previous file with comments | « no previous file | no next file » | no next file with comments »