[Oilpan] Add use-after-free detector in Member<>

third_party/WebKit/Source/platform/heap/GarbageCollected.h

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef GarbageCollected_h
 #define GarbageCollected_h
 
 #include "platform/heap/ThreadState.h"
 #include "wtf/Allocator.h"
 #include "wtf/Assertions.h"
@@ skipping 109 matching lines @@
 // Note that this is only enabled for Member<B>. For Member<A> which we can
 // compute the object header addr statically, this dynamic dispatch is not used.
 class PLATFORM_EXPORT GarbageCollectedMixin {
     IS_GARBAGE_COLLECTED_TYPE();
 public:
     typedef int IsGarbageCollectedMixinMarker;
     virtual void adjustAndMark(Visitor*) const = 0;
     virtual void trace(Visitor*) { }
     virtual void adjustAndMark(InlinedGlobalMarkingVisitor) const = 0;
     virtual void trace(InlinedGlobalMarkingVisitor);
     virtual bool isHeapObjectAlive() const = 0;

[haraken, 2015/11/11 10:03:16]

In a follow-up, I hope we can remove this. If we have heapObjectHeader(),
isHeapObjectAlive() won't be needed.

[peria, 2015/11/12 14:38:41]

Acknowledged.

+    virtual HeapObjectHeader* heapObjectHeader() const = 0;
 };
 
 #define DEFINE_GARBAGE_COLLECTED_MIXIN_METHODS(VISITOR, TYPE)           \
     public:                                                             \
     void adjustAndMark(VISITOR visitor) const override                  \
     {                                                                   \
         typedef WTF::IsSubclassOfTemplate<typename WTF::RemoveConst<TYPE>::Type, blink::GarbageCollected> IsSubclassOfGarbageCollected; \
         static_assert(IsSubclassOfGarbageCollected::value, "only garbage collected objects can have garbage collected mixins"); \
         if (TraceEagerlyTrait<TYPE>::value) {                           \
             if (visitor->ensureMarked(static_cast<const TYPE*>(this)))  \
@@ skipping 23 matching lines @@
 //    GarbageCollectedMixinConstructorMarker's constructor takes care of
 //    this and the field is declared by way of USING_GARBAGE_COLLECTED_MIXIN().
 
 #define DEFINE_GARBAGE_COLLECTED_MIXIN_CONSTRUCTOR_MARKER(TYPE)         \
     public:                                                             \
     GC_PLUGIN_IGNORE("crbug.com/456823") NO_SANITIZE_UNRELATED_CAST     \
     void* operator new(size_t size)                                     \
 {                                                                       \
         void* object = TYPE::allocateObject(size, IsEagerlyFinalizedType<TYPE>::value); \
         ThreadState* state = ThreadStateFor<ThreadingTrait<TYPE>::Affinity>::state();   \
-        state->enterGCForbiddenScopeIfNeeded(&(reinterpret_cast<TYPE*>(object)->m_mixinConstructorMarker)); \
+        state->startConstructingGCMixin(&(reinterpret_cast<TYPE*>(object)->m_mixinConstructorMarker)); \
         return object;                                                  \
     }                                                                   \
     GarbageCollectedMixinConstructorMarker m_mixinConstructorMarker;    \
     private:
 
 // Mixins that wrap/nest others requires extra handling:
 //
 //  class A : public GarbageCollected<A>, public GarbageCollectedMixin {
 //  USING_GARBAGE_COLLECTED_MIXIN(A);
 //  ...
@@ skipping 13 matching lines @@
 // runs.
 #define USING_GARBAGE_COLLECTED_MIXIN(TYPE)                             \
     DEFINE_GARBAGE_COLLECTED_MIXIN_METHODS(blink::Visitor*, TYPE)       \
     DEFINE_GARBAGE_COLLECTED_MIXIN_METHODS(blink::InlinedGlobalMarkingVisitor, TYPE) \
     DEFINE_GARBAGE_COLLECTED_MIXIN_CONSTRUCTOR_MARKER(TYPE)             \
 public:                                                                 \
     bool isHeapObjectAlive() const override                             \
     {                                                                   \
         return Heap::isHeapObjectAlive(this);                           \
     }                                                                   \
+    HeapObjectHeader* heapObjectHeader() const override                 \
+    {                                                                   \
+        return HeapObjectHeader::fromPayload(this);                     \
+    }                                                                   \
 private:
 
 #if ENABLE(OILPAN)
 #define WILL_BE_USING_GARBAGE_COLLECTED_MIXIN(TYPE) USING_GARBAGE_COLLECTED_MIXIN(TYPE)
 #else
 #define WILL_BE_USING_GARBAGE_COLLECTED_MIXIN(TYPE)
 #endif
 
 // An empty class with a constructor that's arranged invoked when all derived constructors
 // of a mixin instance have completed and it is safe to allow GCs again. See
 // AllocateObjectTrait<> comment for more.
 //
 // USING_GARBAGE_COLLECTED_MIXIN() declares a GarbageCollectedMixinConstructorMarker<> private
 // field. By following Blink convention of using the macro at the top of a class declaration,
 // its constructor will run first.
 class GarbageCollectedMixinConstructorMarker {
 public:
     GarbageCollectedMixinConstructorMarker()
     {
         // FIXME: if prompt conservative GCs are needed, forced GCs that
         // were denied while within this scope, could now be performed.
         // For now, assume the next out-of-line allocation request will
         // happen soon enough and take care of it. Mixin objects aren't
         // overly common.
         ThreadState* state = ThreadState::current();
-        state->leaveGCForbiddenScopeIfNeeded(this);
+        state->finishConstructingGCMixin(this);
     }
 };
 
 // Base class for objects allocated in the Blink garbage-collected heap.
 //
 // Defines a 'new' operator that allocates the memory in the heap.  'delete'
 // should not be called on objects that inherit from GarbageCollected.
 //
 // Instances of GarbageCollected will *NOT* get finalized.  Their destructor
 // will not be called.  Therefore, only classes that have trivial destructors
@@ skipping 143 matching lines @@
     template<typename U, size_t sz = sizeof(U)> static TrueType isSizeofKnown(U*);
     static FalseType isSizeofKnown(...);
     static T& t;
 public:
     static const bool value = sizeof(TrueType) == sizeof(isSizeofKnown(&t));
 };
 
 } // namespace blink
 
 #endif