Oilpan: Defer reusing freed memory for one GC cycle

Source/platform/heap/Heap.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 188 matching lines @@
 void HeapObjectHeader::zapMagic()
 {
     checkHeader();
     m_magic = zappedMagic;
 }
 #endif
 
 void HeapObjectHeader::finalize(Address object, size_t objectSize)
 {
     const GCInfo* gcInfo = Heap::gcInfo(gcInfoIndex());
-    if (gcInfo->hasFinalizer()) {
+    if (gcInfo->hasFinalizer())
         gcInfo->m_finalize(object);
-    }
 
     ASAN_RETIRE_CONTAINER_ANNOTATION(object, objectSize);
-
-#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
-    // In Debug builds, memory is zapped when it's freed, and the zapped memory
-    // is zeroed out when the memory is reused.  Memory is also zapped when
-    // using Leak Sanitizer because the heap is used as a root region for LSan
-    // and therefore pointers in unreachable memory could hide leaks.
-    for (size_t i = 0; i < objectSize; ++i)
-        object[i] = finalizedZapValue;
-
-    // Zap the primary vTable entry (secondary vTable entries are not zapped).
-    if (gcInfo->hasVTable()) {
-        *(reinterpret_cast<uintptr_t*>(object)) = zappedVTable;
-    }
-#endif
-    // In Release builds, the entire object is zeroed out when it is added to
-    // the free list.  This happens right after sweeping the page and before the
-    // thread commences execution.
 }
 
 BaseHeap::BaseHeap(ThreadState* state, int index)
     : m_firstPage(nullptr)
     , m_firstUnsweptPage(nullptr)
     , m_threadState(state)
     , m_index(index)
 {
 }
 
@@ skipping 334 matching lines @@
         json.pushInteger(bucketStats[i].entryCount);
     json.endArray();
 
     json.beginArray("perBucketFreeSize");
     for (size_t i = 0; i < blinkPageSizeLog2; ++i)
         json.pushInteger(bucketStats[i].freeSize);
     json.endArray();
 }
 #endif
 
+NO_SANITIZE_ADDRESS
 void NormalPageHeap::allocatePage()
 {
     threadState()->shouldFlushHeapDoesNotContainCache();
     PageMemory* pageMemory = Heap::freePagePool()->takeFreePage(heapIndex());
     // We continue allocating page memory until we succeed in committing one.
     while (!pageMemory) {
         // Allocate a memory region for blinkPagesPerRegion pages that
         // will each have the following layout.
         //
         //    [ guard os page | ... payload ... | guard os page ]
@@ skipping 15 matching lines @@
             } else {
                 Heap::freePagePool()->addFreePage(heapIndex(), memory);
             }
             offset += blinkPageSize;
         }
     }
     NormalPage* page = new (pageMemory->writableStart()) NormalPage(pageMemory, this);
     page->link(&m_firstPage);
 
     Heap::increaseAllocatedSpace(page->size());
+#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
+    // Allow the following addToFreeList() to add the newly allocated memory
+    // to the free list.
+    Address address = page->payload();
+    for (size_t i = 0; i < page->payloadSize(); i++)
+        address[i] = reuseAllowedZapValue;
+#endif
     addToFreeList(page->payload(), page->payloadSize());
 }
 
 void NormalPageHeap::freePage(NormalPage* page)
 {
     Heap::decreaseAllocatedSpace(page->size());
 
     if (page->terminating()) {
         // The thread is shutting down and this page is being removed as a part
         // of the thread local GC.  In that case the object could be traced in
@@ skipping 418 matching lines @@
         }
     }
     return result;
 }
 
 FreeList::FreeList()
     : m_biggestFreeListIndex(0)
 {
 }
 
+NO_SANITIZE_ADDRESS
 void FreeList::addToFreeList(Address address, size_t size)
 {
     ASSERT(size < blinkPagePayloadSize());
     // The free list entries are only pointer aligned (but when we allocate
     // from them we are 8 byte aligned due to the header size).
     ASSERT(!((reinterpret_cast<uintptr_t>(address) + sizeof(HeapObjectHeader)) & allocationMask));
     ASSERT(!(size & allocationMask));
     ASAN_POISON_MEMORY_REGION(address, size);

[haraken, 2015/06/17 21:11:43]

If we delay this ASAN_POISON_MEMORY_REGION, we need to duplicate the
ASAN_POISON_MEMORY_REGION at every return. So I decided to leave this as is and
use NO_SANITIZE_ADDRESS.

     FreeListEntry* entry;
     if (size < sizeof(*entry)) {
         // Create a dummy header with only a size and freelist bit set.
         ASSERT(size >= sizeof(HeapObjectHeader));
         // Free list encode the size to mark the lost memory as freelist memory.
         new (NotNull, address) HeapObjectHeader(size, gcInfoIndexForFreeListHeader);
         // This memory gets lost. Sweeping can reclaim it.
         return;
     }
     entry = new (NotNull, address) FreeListEntry(size);
-#if defined(ADDRESS_SANITIZER)
-    BasePage* page = pageFromObject(address);
-    ASSERT(!page->isLargeObjectPage());
-    // For ASan we don't add the entry to the free lists until the
-    // asanDeferMemoryReuseCount reaches zero.  However we always add entire
-    // pages to ensure that adding a new page will increase the allocation
-    // space.
-    if (static_cast<NormalPage*>(page)->payloadSize() != size && !entry->shouldAddToFreeList())
+
+#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
+    // The following logic delays reusing free lists for (at least) one GC
+    // cycle or coalescing. This is helpful to detect use-after-free errors
+    // that could be caused by lazy sweeping etc.
+    size_t allowedCount = 0;
+    size_t forbiddenCount = 0;
+    for (size_t i = sizeof(FreeListEntry); i < size; i++) {
+        if (address[i] == reuseAllowedZapValue) {
+            allowedCount++;
+        } else if (address[i] == reuseForbiddenZapValue) {
+            forbiddenCount++;
+        } else {
+            ASSERT_NOT_REACHED();
+        }
+    }
+    size_t entryCount = size - sizeof(FreeListEntry);
+    if (forbiddenCount == entryCount) {
+        // If all values in the memory region are reuseForbiddenZapValue,
+        // we flip them to reuseAllowedZapValue. This allows the next
+        // addToFreeList() to add the memory region to the free list
+        // (unless someone concatenates the memory region with another memory
+        // region that contains reuseForbiddenZapValue.)
+        for (size_t i = sizeof(FreeListEntry); i < size; i++)
+            address[i] = reuseAllowedZapValue;
+        // Don't add the memory region to the free list in this addToFreeList().
         return;
+    }
+    if (allowedCount != entryCount) {
+        // If the memory region mixes reuseForbiddenZapValue and
+        // reuseAllowedZapValue, we (conservatively) flip all the values
+        // to reuseForbiddenZapValue. These values will be changed to
+        // reuseAllowedZapValue in the next addToFreeList().
+        for (size_t i = sizeof(FreeListEntry); i < size; i++)
+            address[i] = reuseForbiddenZapValue;

[haraken, 2015/06/22 11:27:39]

It seems that this line is causing use-after-poison. I'm wondering why this is
detected as use-after-poison whereas I marked addToFreeList as
NO_SANITIZE_ADDRESS.

https://storage.googleapis.com/chromium-layout-test-archives/WebKit_Linux_ASA...

+        // Don't add the memory region to the free list in this addToFreeList().
+        return;
+    }
+    // We reach here only when all the values in the memory region are
+    // reuseAllowedZapValue. In this case, we are allowed to add the memory
+    // region to the free list and reuse it for another object.
 #endif
+
     int index = bucketIndexForSize(size);
     entry->link(&m_freeLists[index]);
     if (index > m_biggestFreeListIndex)
         m_biggestFreeListIndex = index;
 }
 
+#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
+NO_SANITIZE_ADDRESS
+void FreeList::zapFreedMemory(Address address, size_t size)
+{
+    for (size_t i = 0; i < size; i++) {
+        // See the comment in addToFreeList().
+        if (address[i] != reuseAllowedZapValue)
+            address[i] = reuseForbiddenZapValue;
+    }
+}
+#endif
+
 void FreeList::clear()
 {
     m_biggestFreeListIndex = 0;
     for (size_t i = 0; i < blinkPageSizeLog2; ++i)
         m_freeLists[i] = nullptr;
 }
 
 int FreeList::bucketIndexForSize(size_t size)
 {
     ASSERT(size > 0);
@@ skipping 1220 matching lines @@
 size_t Heap::s_allocatedObjectSize = 0;
 size_t Heap::s_allocatedSpace = 0;
 size_t Heap::s_markedObjectSize = 0;
 // We don't want to use 0 KB for the initial value because it may end up
 // triggering the first GC of some thread too prematurely.
 size_t Heap::s_estimatedLiveObjectSize = 512 * 1024;
 size_t Heap::s_externalObjectSizeAtLastGC = 0;
 double Heap::s_estimatedMarkingTimePerByte = 0.0;
 
 } // namespace blink