Oilpan: Defer reusing freed memory for one GC cycle

Source/platform/heap/Heap.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 49 matching lines @@
 // Double precision floats are more efficient when 8 byte aligned, so we 8 byte
 // align all allocations even on 32 bit.
 const size_t allocationGranularity = 8;
 const size_t allocationMask = allocationGranularity - 1;
 const size_t objectStartBitMapSize = (blinkPageSize + ((8 * allocationGranularity) - 1)) / (8 * allocationGranularity);
 const size_t reservedForObjectBitMap = ((objectStartBitMapSize + allocationMask) & ~allocationMask);
 const size_t maxHeapObjectSizeLog2 = 27;
 const size_t maxHeapObjectSize = 1 << maxHeapObjectSizeLog2;
 const size_t largeObjectSizeThreshold = blinkPageSize / 2;
 
-const uint8_t freelistZapValue = 42;
-const uint8_t finalizedZapValue = 24;
+// A zap value used for freed memory that is allowed to be added to the free
+// list in the next addToFreeList().
+const uint8_t reuseAllowedZapValue = 0x2a;
+// A zap value used for freed memory that is forbidden to be added to the free
+// list in the next addToFreeList().
+const uint8_t reuseForbiddenZapValue = 0x2c;
 // The orphaned zap value must be zero in the lowest bits to allow for using
 // the mark bit when tracing.
 const uint8_t orphanedZapValue = 240;
-// A zap value for vtables should be < 4K to ensure it cannot be
-// used for dispatch.
-static const intptr_t zappedVTable = 0xd0d;
 
-#if defined(ADDRESS_SANITIZER)
-const size_t asanMagic = 0xabefeed0;
-const size_t asanDeferMemoryReuseCount = 2;
-const size_t asanDeferMemoryReuseMask = 0x3;
-#endif
-
+// In non-production builds, memory is zapped when it's freed. The zapped
+// memory is zeroed out when the memory is reused in Heap::allocateObject().
+// In production builds, memory is not zapped (for performance). The memory
+// is just zeroed out when it is added to the free list.
 #if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
-#define FILL_ZERO_IF_PRODUCTION(address, size) do { } while (false)
+#define FILL_ZERO_IF_PRODUCTION(address, size) FreeList::zapFreedMemory(address, size)
 #define FILL_ZERO_IF_NOT_PRODUCTION(address, size) memset((address), 0, (size))
 #else
 #define FILL_ZERO_IF_PRODUCTION(address, size) memset((address), 0, (size))
 #define FILL_ZERO_IF_NOT_PRODUCTION(address, size) do { } while (false)
 #endif
 
 class CallbackStack;
 class FreePagePool;
 class NormalPageHeap;
 class OrphanedPagePool;
@@ skipping 146 matching lines @@
 #endif
 };
 
 class FreeListEntry final : public HeapObjectHeader {
 public:
     NO_SANITIZE_ADDRESS
     explicit FreeListEntry(size_t size)
         : HeapObjectHeader(size, gcInfoIndexForFreeListHeader)
         , m_next(nullptr)
     {
-#if ENABLE(ASSERT) && !defined(ADDRESS_SANITIZER)
-        // Zap free area with asterisks, aka 0x2a2a2a2a.
-        // For ASan don't zap since we keep accounting in the freelist entry.
-        for (size_t i = sizeof(*this); i < size; ++i)
-            reinterpret_cast<Address>(this)[i] = freelistZapValue;
+#if ENABLE(ASSERT)
         ASSERT(size >= sizeof(HeapObjectHeader));
         zapMagic();
 #endif
     }
 
     Address address() { return reinterpret_cast<Address>(this); }
 
     NO_SANITIZE_ADDRESS
     void unlink(FreeListEntry** prevNext)
     {
@@ skipping 11 matching lines @@
     NO_SANITIZE_ADDRESS
     FreeListEntry* next() const { return m_next; }
 
     NO_SANITIZE_ADDRESS
     void append(FreeListEntry* next)
     {
         ASSERT(!m_next);
         m_next = next;
     }
 
-#if defined(ADDRESS_SANITIZER)
-    NO_SANITIZE_ADDRESS
-    bool shouldAddToFreeList()
-    {
-        // Init if not already magic.
-        if ((m_asanMagic & ~asanDeferMemoryReuseMask) != asanMagic) {
-            m_asanMagic = asanMagic | asanDeferMemoryReuseCount;
-            return false;
-        }
-        // Decrement if count part of asanMagic > 0.
-        if (m_asanMagic & asanDeferMemoryReuseMask)
-            m_asanMagic--;
-        return !(m_asanMagic & asanDeferMemoryReuseMask);
-    }
-#endif
-
 private:
     FreeListEntry* m_next;
-#if defined(ADDRESS_SANITIZER)
-    unsigned m_asanMagic;
-#endif
 };
 
 // Blink heap pages are set up with a guard page before and after the payload.
 inline size_t blinkPagePayloadSize()
 {
     return blinkPageSize - 2 * WTF::kSystemPageSize;
 }
 
 // Blink heap pages are aligned to the Blink heap page size.
 // Therefore, the start of a Blink page can be obtained by
@@ skipping 334 matching lines @@
     struct PerBucketFreeListStats {
         size_t entryCount;
         size_t freeSize;
 
         PerBucketFreeListStats() : entryCount(0), freeSize(0) { }
     };
 
     void getFreeSizeStats(PerBucketFreeListStats bucketStats[], size_t& totalSize) const;
 #endif
 
+#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
+    static void zapFreedMemory(Address, size_t);
+#endif
+
 private:
     int m_biggestFreeListIndex;
 
     // All FreeListEntries in the nth list have size >= 2^n.
     FreeListEntry* m_freeLists[blinkPageSizeLog2];
 
     friend class NormalPageHeap;
 };
 
 // Each thread has a number of thread heaps (e.g., Generic heaps,
@@ skipping 708 matching lines @@
     size_t copySize = previousHeader->payloadSize();
     if (copySize > size)
         copySize = size;
     memcpy(address, previous, copySize);
     return address;
 }
 
 } // namespace blink
 
 #endif // Heap_h