Oilpan: introduce eager finalization.

Source/platform/heap/Heap.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 316 matching lines @@
     m_firstUnsweptPage = m_firstPage;
     m_firstPage = nullptr;
 }
 
 #if defined(ADDRESS_SANITIZER)
 void BaseHeap::poisonUnmarkedObjects()
 {
     // This method is called just before starting sweeping.
     // Thus all dead objects are in the list of m_firstUnsweptPage.
     for (BasePage* page = m_firstUnsweptPage; page; page = page->next()) {
-        page->poisonUnmarkedObjects();
+        page->poisonObjects(BasePage::UnmarkedOnly, BasePage::SetPoison);
+    }
+}
+
+void BaseHeap::poisonHeap(bool setPoison)

[haraken, 2015/05/28 12:30:04]

poisonHeap => poisonEagerHeap

I'd use SetPoison/ClearPoison instead of bool.

[sof, 2015/05/29 21:25:07]

Moved enums around to make that possible.

Keeping it as poisonHeap(), for reasons mentioned below.

+{
+    ASSERT(heapIndex() == EagerSweepHeapIndex);
+    // This method is called just before starting sweeping
+    // of eager heaps. Hence, all objects will be in
+    // m_firstUnsweptPage before start.
+    if (setPoison) {
+        for (BasePage* page = m_firstUnsweptPage; page; page = page->next()) {

[haraken, 2015/05/28 12:30:04]

Add ASSERT(!m_firstPage).

[sof, 2015/05/29 21:25:07]

Done.

+            page->poisonObjects(BasePage::UnmarkedOrMarked, BasePage::SetPoison);

[haraken, 2015/05/28 12:30:04]

Why do we need to poison marked objects? I'm ok with this, but I'm wondering why
we need it because we're not poisoning marked objects for other heaps.

[sof, 2015/05/29 21:25:07]

You're not allowed to touch other eagerly finalized objects. By poisoning the
live objects also, we catch not only accesses to other eagerly finalized objects
that happen to have been finalized already, but all.

This wouldn't work for lazy sweeping, as the mutator gains access to the live
objects earlier, but I believe we can do something similar for 'normal' complete
sweeps of the other heaps also. That's why I would prefer to keep this named
poisonHeap().

(This follows up the suggestion made in
https://codereview.chromium.org/1159583002/#msg14 )

+        }
+        return;
+    }
+    for (BasePage* page = m_firstPage; page; page = page->next()) {
+        page->poisonObjects(BasePage::UnmarkedOnly, BasePage::ClearPoison);

[haraken, 2015/05/28 12:30:04]

Who unpoisons the marked objects that have been poisoned at line 349?

[sof, 2015/05/29 21:25:07]

This very loop when poisonHeap() is called on the eager heap afterwards to clear
the poisoning. The live objects have all been unmarked at this stage.

     }
 }
 #endif
 
 Address BaseHeap::lazySweep(size_t allocationSize, size_t gcInfoIndex)
 {
     // If there are no pages to be swept, return immediately.
     if (!m_firstUnsweptPage)
         return nullptr;
 
@@ skipping 414 matching lines @@
 {
     ASSERT(allocationSize > remainingAllocationSize());
     ASSERT(allocationSize >= allocationGranularity);
 
 #if ENABLE(GC_PROFILING)
     threadState()->snapshotFreeListIfNecessary();
 #endif
 
     // 1. If this allocation is big enough, allocate a large object.
     if (allocationSize >= largeObjectSizeThreshold) {
+        // TODO(sof): support eagerly finalized large objects, if ever needed.
+        ASSERT(heapIndex() != EagerSweepHeapIndex);
         LargeObjectHeap* largeObjectHeap = static_cast<LargeObjectHeap*>(threadState()->heap(LargeObjectHeapIndex));
         Address largeObject = largeObjectHeap->allocateLargeObjectPage(allocationSize, gcInfoIndex);
         ASAN_MARK_LARGE_VECTOR_CONTAINER(this, largeObject);
         return largeObject;
     }
 
     // 2. Check if we should trigger a GC.
     updateRemainingAllocationSize();
     threadState()->scheduleGCIfNeeded();
 
@@ skipping 350 matching lines @@
             // touches any other on-heap object that die at the same GC cycle.
             ASAN_UNPOISON_MEMORY_REGION(payload, payloadSize);
             header->finalize(payload, payloadSize);
             // This memory will be added to the freelist. Maintain the invariant
             // that memory on the freelist is zero filled.
             FILL_ZERO_IF_PRODUCTION(headerAddress, size);
             ASAN_POISON_MEMORY_REGION(payload, payloadSize);
             headerAddress += size;
             continue;
         }
-
         if (startOfGap != headerAddress)
             heapForNormalPage()->addToFreeList(startOfGap, headerAddress - startOfGap);
         header->unmark();
         headerAddress += header->size();
         markedObjectSize += header->size();
         startOfGap = headerAddress;
     }
     if (startOfGap != payloadEnd())
         heapForNormalPage()->addToFreeList(startOfGap, payloadEnd() - startOfGap);
 
@@ skipping 20 matching lines @@
         } else {
             header->markDead();
         }
         headerAddress += header->size();
     }
     if (markedObjectSize)
         Heap::increaseMarkedObjectSize(markedObjectSize);
 }
 
 #if defined(ADDRESS_SANITIZER)
-void NormalPage::poisonUnmarkedObjects()
+void NormalPage::poisonObjects(ObjectsToPoison objectsToPoison, Poisoning poisoning)
 {
     for (Address headerAddress = payload(); headerAddress < payloadEnd();) {
         HeapObjectHeader* header = reinterpret_cast<HeapObjectHeader*>(headerAddress);
         ASSERT(header->size() < blinkPagePayloadSize());
         // Check if a free list entry first since we cannot call
         // isMarked on a free list entry.
         if (header->isFree()) {
             headerAddress += header->size();
             continue;
         }
         header->checkHeader();
-        if (!header->isMarked()) {
-            ASAN_POISON_MEMORY_REGION(header->payload(), header->payloadSize());
+        if (objectsToPoison == UnmarkedOrMarked || !header->isMarked()) {
+            if (poisoning == SetPoison)
+                ASAN_POISON_MEMORY_REGION(header->payload(), header->payloadSize());
+            else
+                ASAN_UNPOISON_MEMORY_REGION(header->payload(), header->payloadSize());
         }
         headerAddress += header->size();
     }
 }
 #endif
 
 void NormalPage::populateObjectStartBitMap()
 {
     memset(&m_objectStartBitMap, 0, objectStartBitMapSize);
     Address start = payload();
@@ skipping 255 matching lines @@
     HeapObjectHeader* header = heapObjectHeader();
     if (header->isMarked()) {
         header->unmark();
         Heap::increaseMarkedObjectSize(size());
     } else {
         header->markDead();
     }
 }
 
 #if defined(ADDRESS_SANITIZER)
-void LargeObjectPage::poisonUnmarkedObjects()
+void LargeObjectPage::poisonObjects(ObjectsToPoison objectsToPoison, Poisoning poisoning)
 {
     HeapObjectHeader* header = heapObjectHeader();
-    if (!header->isMarked())
-        ASAN_POISON_MEMORY_REGION(header->payload(), header->payloadSize());
+    if (objectsToPoison == UnmarkedOrMarked || !header->isMarked()) {
+        if (poisoning == BasePage::SetPoison)
+            ASAN_POISON_MEMORY_REGION(header->payload(), header->payloadSize());
+        else
+            ASAN_UNPOISON_MEMORY_REGION(header->payload(), header->payloadSize());
+    }
 }
 #endif
 
 void LargeObjectPage::checkAndMarkPointer(Visitor* visitor, Address address)
 {
     ASSERT(contains(address));
     if (!containedInObjectPayload(address) || heapObjectHeader()->isDead())
         return;
 #if ENABLE(GC_PROFILING)
     visitor->setHostInfo(&address, "stack");
@@ skipping 736 matching lines @@
 size_t Heap::s_allocatedObjectSize = 0;
 size_t Heap::s_allocatedSpace = 0;
 size_t Heap::s_markedObjectSize = 0;
 // We don't want to use 0 KB for the initial value because it may end up
 // triggering the first GC of some thread too prematurely.
 size_t Heap::s_estimatedLiveObjectSize = 512 * 1024;
 size_t Heap::s_externalObjectSizeAtLastGC = 0;
 double Heap::s_estimatedMarkingTimePerByte = 0.0;
 
 } // namespace blink