Revert 197289 "Oilpan: Defer reusing freed memory for one GC cycle"

trunk/Source/platform/heap/Heap.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 49 matching lines @@
 // Double precision floats are more efficient when 8 byte aligned, so we 8 byte
 // align all allocations even on 32 bit.
 const size_t allocationGranularity = 8;
 const size_t allocationMask = allocationGranularity - 1;
 const size_t objectStartBitMapSize = (blinkPageSize + ((8 * allocationGranularity) - 1)) / (8 * allocationGranularity);
 const size_t reservedForObjectBitMap = ((objectStartBitMapSize + allocationMask) & ~allocationMask);
 const size_t maxHeapObjectSizeLog2 = 27;
 const size_t maxHeapObjectSize = 1 << maxHeapObjectSizeLog2;
 const size_t largeObjectSizeThreshold = blinkPageSize / 2;
 
-// A zap value used for freed memory that is allowed to be added to the free
-// list in the next addToFreeList().
-const uint8_t reuseAllowedZapValue = 0x2a;
-// A zap value used for freed memory that is forbidden to be added to the free
-// list in the next addToFreeList().
-const uint8_t reuseForbiddenZapValue = 0x2c;
+const uint8_t freelistZapValue = 42;
+const uint8_t finalizedZapValue = 24;
 // The orphaned zap value must be zero in the lowest bits to allow for using
 // the mark bit when tracing.
 const uint8_t orphanedZapValue = 240;
+// A zap value for vtables should be < 4K to ensure it cannot be
+// used for dispatch.
+static const intptr_t zappedVTable = 0xd0d;
 
-// In non-production builds, memory is zapped when it's freed. The zapped
-// memory is zeroed out when the memory is reused in Heap::allocateObject().
-// In production builds, memory is not zapped (for performance). The memory
-// is just zeroed out when it is added to the free list.
+#if defined(ADDRESS_SANITIZER)
+const size_t asanMagic = 0xabefeed0;
+const size_t asanDeferMemoryReuseCount = 2;
+const size_t asanDeferMemoryReuseMask = 0x3;
+#endif
+
 #if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
-#define FILL_ZERO_IF_PRODUCTION(address, size) FreeList::zapFreedMemory(address, size)
+#define FILL_ZERO_IF_PRODUCTION(address, size) do { } while (false)
 #define FILL_ZERO_IF_NOT_PRODUCTION(address, size) memset((address), 0, (size))
 #else
 #define FILL_ZERO_IF_PRODUCTION(address, size) memset((address), 0, (size))
 #define FILL_ZERO_IF_NOT_PRODUCTION(address, size) do { } while (false)
 #endif
 
 class CallbackStack;
 class FreePagePool;
 class NormalPageHeap;
 class OrphanedPagePool;
@@ skipping 146 matching lines @@
 #endif
 };
 
 class FreeListEntry final : public HeapObjectHeader {
 public:
     NO_SANITIZE_ADDRESS
     explicit FreeListEntry(size_t size)
         : HeapObjectHeader(size, gcInfoIndexForFreeListHeader)
         , m_next(nullptr)
     {
-#if ENABLE(ASSERT)
+#if ENABLE(ASSERT) && !defined(ADDRESS_SANITIZER)
+        // Zap free area with asterisks, aka 0x2a2a2a2a.
+        // For ASan don't zap since we keep accounting in the freelist entry.
+        for (size_t i = sizeof(*this); i < size; ++i)
+            reinterpret_cast<Address>(this)[i] = freelistZapValue;
         ASSERT(size >= sizeof(HeapObjectHeader));
         zapMagic();
 #endif
     }
 
     Address address() { return reinterpret_cast<Address>(this); }
 
     NO_SANITIZE_ADDRESS
     void unlink(FreeListEntry** prevNext)
     {
@@ skipping 11 matching lines @@
     NO_SANITIZE_ADDRESS
     FreeListEntry* next() const { return m_next; }
 
     NO_SANITIZE_ADDRESS
     void append(FreeListEntry* next)
     {
         ASSERT(!m_next);
         m_next = next;
     }
 
+#if defined(ADDRESS_SANITIZER)
+    NO_SANITIZE_ADDRESS
+    bool shouldAddToFreeList()
+    {
+        // Init if not already magic.
+        if ((m_asanMagic & ~asanDeferMemoryReuseMask) != asanMagic) {
+            m_asanMagic = asanMagic | asanDeferMemoryReuseCount;
+            return false;
+        }
+        // Decrement if count part of asanMagic > 0.
+        if (m_asanMagic & asanDeferMemoryReuseMask)
+            m_asanMagic--;
+        return !(m_asanMagic & asanDeferMemoryReuseMask);
+    }
+#endif
+
 private:
     FreeListEntry* m_next;
+#if defined(ADDRESS_SANITIZER)
+    unsigned m_asanMagic;
+#endif
 };
 
 // Blink heap pages are set up with a guard page before and after the payload.
 inline size_t blinkPagePayloadSize()
 {
     return blinkPageSize - 2 * WTF::kSystemPageSize;
 }
 
 // Blink heap pages are aligned to the Blink heap page size.
 // Therefore, the start of a Blink page can be obtained by
@@ skipping 334 matching lines @@
     struct PerBucketFreeListStats {
         size_t entryCount;
         size_t freeSize;
 
         PerBucketFreeListStats() : entryCount(0), freeSize(0) { }
     };
 
     void getFreeSizeStats(PerBucketFreeListStats bucketStats[], size_t& totalSize) const;
 #endif
 
-#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
-    static void zapFreedMemory(Address, size_t);
-#endif
-
 private:
     int m_biggestFreeListIndex;
 
     // All FreeListEntries in the nth list have size >= 2^n.
     FreeListEntry* m_freeLists[blinkPageSizeLog2];
 
     friend class NormalPageHeap;
 };
 
 // Each thread has a number of thread heaps (e.g., Generic heaps,
@@ skipping 708 matching lines @@
     size_t copySize = previousHeader->payloadSize();
     if (copySize > size)
         copySize = size;
     memcpy(address, previous, copySize);
     return address;
 }
 
 } // namespace blink
 
 #endif // Heap_h