Build fix: Add NO_SANITIZE_ADDRESS to addToFreeList

Source/platform/heap/Heap.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 1026 matching lines @@
         }
     }
     return result;
 }
 
 FreeList::FreeList()
     : m_biggestFreeListIndex(0)
 {
 }
 
+NO_SANITIZE_ADDRESS
 void FreeList::addToFreeList(Address address, size_t size)
 {
     ASSERT(size < blinkPagePayloadSize());
     // The free list entries are only pointer aligned (but when we allocate
     // from them we are 8 byte aligned due to the header size).
     ASSERT(!((reinterpret_cast<uintptr_t>(address) + sizeof(HeapObjectHeader)) & allocationMask));
     ASSERT(!(size & allocationMask));
     ASAN_POISON_MEMORY_REGION(address, size);

[sof, 2015/06/12 07:01:23]

Can't we delay this instead?

[haraken, 2015/06/12 07:08:25]

We shouldn't delay the poisoning :) It is important that
freed-but-not-yet-added-to-freelists memory is poisoned. This enables ASan to
detect (more) use-after-free errors (than the case we delay the poisoning).

[sof, 2015/06/12 07:11:26]

That doesn't make sense if you immediately afterwards mutate the payload for the
common code path; now all accesses are exempted from checking here (m_freeLists
?)

[haraken, 2015/06/12 07:15:45]

Maybe I'm not sure I get your point.

- Memory in the m_freeLists must be poisoned.
- Memory that is delayed reusing and not yet in the m_freeLists must be
poisoned.
- Memory should be unpoisoned immediately before it is reused.

Isn't the current code doing that?

     FreeListEntry* entry;
     if (size < sizeof(*entry)) {
         // Create a dummy header with only a size and freelist bit set.
         ASSERT(size >= sizeof(HeapObjectHeader));
         // Free list encode the size to mark the lost memory as freelist memory.
         new (NotNull, address) HeapObjectHeader(size, gcInfoIndexForFreeListHeader);
         // This memory gets lost. Sweeping can reclaim it.
         return;
     }
     entry = new (NotNull, address) FreeListEntry(size);
@@ skipping 40 matching lines @@
     // region to the free list and reuse it for another object.
 #endif
 
     int index = bucketIndexForSize(size);
     entry->link(&m_freeLists[index]);
     if (index > m_biggestFreeListIndex)
         m_biggestFreeListIndex = index;
 }
 
 #if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
+NO_SANITIZE_ADDRESS
 void FreeList::zapFreedMemory(Address address, size_t size)
 {
     for (size_t i = 0; i < size; i++) {
         // See the comment in addToFreeList().
         if (address[i] != reuseAllowedZapValue)
             address[i] = reuseForbiddenZapValue;
     }
 }
 #endif
 
@@ skipping 1230 matching lines @@
 size_t Heap::s_allocatedObjectSize = 0;
 size_t Heap::s_allocatedSpace = 0;
 size_t Heap::s_markedObjectSize = 0;
 // We don't want to use 0 KB for the initial value because it may end up
 // triggering the first GC of some thread too prematurely.
 size_t Heap::s_estimatedLiveObjectSize = 512 * 1024;
 size_t Heap::s_externalObjectSizeAtLastGC = 0;
 double Heap::s_estimatedMarkingTimePerByte = 0.0;
 
 } // namespace blink