Revert 197289 "Oilpan: Defer reusing freed memory for one GC cycle"

trunk/Source/platform/heap/Heap.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 188 matching lines @@
 void HeapObjectHeader::zapMagic()
 {
     checkHeader();
     m_magic = zappedMagic;
 }
 #endif
 
 void HeapObjectHeader::finalize(Address object, size_t objectSize)
 {
     const GCInfo* gcInfo = Heap::gcInfo(gcInfoIndex());
-    if (gcInfo->hasFinalizer())
+    if (gcInfo->hasFinalizer()) {
         gcInfo->m_finalize(object);
+    }
 
     ASAN_RETIRE_CONTAINER_ANNOTATION(object, objectSize);
+
+#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
+    // In Debug builds, memory is zapped when it's freed, and the zapped memory
+    // is zeroed out when the memory is reused.  Memory is also zapped when
+    // using Leak Sanitizer because the heap is used as a root region for LSan
+    // and therefore pointers in unreachable memory could hide leaks.
+    for (size_t i = 0; i < objectSize; ++i)
+        object[i] = finalizedZapValue;
+
+    // Zap the primary vTable entry (secondary vTable entries are not zapped).
+    if (gcInfo->hasVTable()) {
+        *(reinterpret_cast<uintptr_t*>(object)) = zappedVTable;
+    }
+#endif
+    // In Release builds, the entire object is zeroed out when it is added to
+    // the free list.  This happens right after sweeping the page and before the
+    // thread commences execution.
 }
 
 BaseHeap::BaseHeap(ThreadState* state, int index)
     : m_firstPage(nullptr)
     , m_firstUnsweptPage(nullptr)
     , m_threadState(state)
     , m_index(index)
 {
 }
 
@@ skipping 334 matching lines @@
         json.pushInteger(bucketStats[i].entryCount);
     json.endArray();
 
     json.beginArray("perBucketFreeSize");
     for (size_t i = 0; i < blinkPageSizeLog2; ++i)
         json.pushInteger(bucketStats[i].freeSize);
     json.endArray();
 }
 #endif
 
-NO_SANITIZE_ADDRESS
 void NormalPageHeap::allocatePage()
 {
     threadState()->shouldFlushHeapDoesNotContainCache();
     PageMemory* pageMemory = Heap::freePagePool()->takeFreePage(heapIndex());
     // We continue allocating page memory until we succeed in committing one.
     while (!pageMemory) {
         // Allocate a memory region for blinkPagesPerRegion pages that
         // will each have the following layout.
         //
         //    [ guard os page | ... payload ... | guard os page ]
@@ skipping 15 matching lines @@
             } else {
                 Heap::freePagePool()->addFreePage(heapIndex(), memory);
             }
             offset += blinkPageSize;
         }
     }
     NormalPage* page = new (pageMemory->writableStart()) NormalPage(pageMemory, this);
     page->link(&m_firstPage);
 
     Heap::increaseAllocatedSpace(page->size());
-#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
-    // Allow the following addToFreeList() to add the newly allocated memory
-    // to the free list.
-    Address address = page->payload();
-    for (size_t i = 0; i < page->payloadSize(); i++)
-        address[i] = reuseAllowedZapValue;
-#endif
     addToFreeList(page->payload(), page->payloadSize());
 }
 
 void NormalPageHeap::freePage(NormalPage* page)
 {
     Heap::decreaseAllocatedSpace(page->size());
 
     if (page->terminating()) {
         // The thread is shutting down and this page is being removed as a part
         // of the thread local GC.  In that case the object could be traced in
@@ skipping 418 matching lines @@
         }
     }
     return result;
 }
 
 FreeList::FreeList()
     : m_biggestFreeListIndex(0)
 {
 }
 
-NO_SANITIZE_ADDRESS
 void FreeList::addToFreeList(Address address, size_t size)
 {
     ASSERT(size < blinkPagePayloadSize());
     // The free list entries are only pointer aligned (but when we allocate
     // from them we are 8 byte aligned due to the header size).
     ASSERT(!((reinterpret_cast<uintptr_t>(address) + sizeof(HeapObjectHeader)) & allocationMask));
     ASSERT(!(size & allocationMask));
     ASAN_POISON_MEMORY_REGION(address, size);
     FreeListEntry* entry;
     if (size < sizeof(*entry)) {
         // Create a dummy header with only a size and freelist bit set.
         ASSERT(size >= sizeof(HeapObjectHeader));
         // Free list encode the size to mark the lost memory as freelist memory.
         new (NotNull, address) HeapObjectHeader(size, gcInfoIndexForFreeListHeader);
         // This memory gets lost. Sweeping can reclaim it.
         return;
     }
     entry = new (NotNull, address) FreeListEntry(size);
-
-#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
-    // The following logic delays reusing free lists for (at least) one GC
-    // cycle or coalescing. This is helpful to detect use-after-free errors
-    // that could be caused by lazy sweeping etc.
-    size_t allowedCount = 0;
-    size_t forbiddenCount = 0;
-    for (size_t i = sizeof(FreeListEntry); i < size; i++) {
-        if (address[i] == reuseAllowedZapValue) {
-            allowedCount++;
-        } else if (address[i] == reuseForbiddenZapValue) {
-            forbiddenCount++;
-        } else {
-            ASSERT_NOT_REACHED();
-        }
-    }
-    size_t entryCount = size - sizeof(FreeListEntry);
-    if (forbiddenCount == entryCount) {
-        // If all values in the memory region are reuseForbiddenZapValue,
-        // we flip them to reuseAllowedZapValue. This allows the next
-        // addToFreeList() to add the memory region to the free list
-        // (unless someone concatenates the memory region with another memory
-        // region that contains reuseForbiddenZapValue.)
-        for (size_t i = sizeof(FreeListEntry); i < size; i++)
-            address[i] = reuseAllowedZapValue;
-        // Don't add the memory region to the free list in this addToFreeList().
+#if defined(ADDRESS_SANITIZER)
+    BasePage* page = pageFromObject(address);
+    ASSERT(!page->isLargeObjectPage());
+    // For ASan we don't add the entry to the free lists until the
+    // asanDeferMemoryReuseCount reaches zero.  However we always add entire
+    // pages to ensure that adding a new page will increase the allocation
+    // space.
+    if (static_cast<NormalPage*>(page)->payloadSize() != size && !entry->shouldAddToFreeList())
         return;
-    }
-    if (allowedCount != entryCount) {
-        // If the memory region mixes reuseForbiddenZapValue and
-        // reuseAllowedZapValue, we (conservatively) flip all the values
-        // to reuseForbiddenZapValue. These values will be changed to
-        // reuseAllowedZapValue in the next addToFreeList().
-        for (size_t i = sizeof(FreeListEntry); i < size; i++)
-            address[i] = reuseForbiddenZapValue;
-        // Don't add the memory region to the free list in this addToFreeList().
-        return;
-    }
-    // We reach here only when all the values in the memory region are
-    // reuseAllowedZapValue. In this case, we are allowed to add the memory
-    // region to the free list and reuse it for another object.
 #endif
-
     int index = bucketIndexForSize(size);
     entry->link(&m_freeLists[index]);
     if (index > m_biggestFreeListIndex)
         m_biggestFreeListIndex = index;
 }
 
-#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
-NO_SANITIZE_ADDRESS
-void FreeList::zapFreedMemory(Address address, size_t size)
-{
-    for (size_t i = 0; i < size; i++) {
-        // See the comment in addToFreeList().
-        if (address[i] != reuseAllowedZapValue)
-            address[i] = reuseForbiddenZapValue;
-    }
-}
-#endif
-
 void FreeList::clear()
 {
     m_biggestFreeListIndex = 0;
     for (size_t i = 0; i < blinkPageSizeLog2; ++i)
         m_freeLists[i] = nullptr;
 }
 
 int FreeList::bucketIndexForSize(size_t size)
 {
     ASSERT(size > 0);
@@ skipping 1220 matching lines @@
 size_t Heap::s_allocatedObjectSize = 0;
 size_t Heap::s_allocatedSpace = 0;
 size_t Heap::s_markedObjectSize = 0;
 // We don't want to use 0 KB for the initial value because it may end up
 // triggering the first GC of some thread too prematurely.
 size_t Heap::s_estimatedLiveObjectSize = 512 * 1024;
 size_t Heap::s_externalObjectSizeAtLastGC = 0;
 double Heap::s_estimatedMarkingTimePerByte = 0.0;
 
 } // namespace blink