[Oilpan] Add use-after-free detector in Member<>

third_party/WebKit/Source/platform/heap/Heap.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 29 matching lines @@
 #include "wtf/Assertions.h"
 #include "wtf/Atomics.h"
 #include "wtf/Forward.h"
 
 namespace blink {
 
 template<typename T> class Member;
 template<typename T> class WeakMember;
 template<typename T> class UntracedMember;
 
+// TODO(peria): Refactor following two sets of template.
+
 template<typename T, bool = NeedsAdjustAndMark<T>::value> class ObjectAliveTrait;
 
 template<typename T>
 class ObjectAliveTrait<T, false> {
 public:
     static bool isHeapObjectAlive(T* object)
     {
         static_assert(sizeof(T), "T must be fully defined");
         return HeapObjectHeader::fromPayload(object)->isMarked();
     }
 };
 
 template<typename T>
 class ObjectAliveTrait<T, true> {
 public:
     static bool isHeapObjectAlive(T* object)
     {
         static_assert(sizeof(T), "T must be fully defined");
         return object->isHeapObjectAlive();
     }
 };
 
+template<typename T, bool = IsGarbageCollectedMixin<T>::value> class GarbageCollectedMixinTrait;
+
+template<typename T>
+class GarbageCollectedMixinTrait<T, true> {

[haraken, 2015/11/11 10:03:16]

I'd rename this to HeapObjectHeaderTrait since this is a Trait for getting a
HeapObjectHeader, regardless of whether T is GarbageCollected or
GarbageCollectedMixin.

[peria, 2015/11/12 14:38:41]

Done.

+public:
+    static HeapObjectHeader* heapObjectHeader(T* obj)
+    {

[haraken, 2015/11/11 10:03:16]

Add ASSERT(!ThreadState::current()->isConstructingGCMixin()).

[peria, 2015/11/12 14:38:42]

This method may be called in Member<>::get(), and
it can happen in a constructor of another GCMixin class.

[haraken, 2015/11/16 06:20:30]

Isn't it unsafe? If obj->heapObjectHeader() is called while constructing a mixin
class, the behavior would be undefined.

My point is that HeapObjectHeader::heapObjectHeader() should not be called when
ThreadState::current()->isConstructingGCMixin() is true.

[peria, 2015/11/16 07:04:42]

If an object which is being constructed is an argument of this call,
it is unsafe and must be avoided.
But it doesn't mean to prevent to call this method while
ThreadState::current()->isConstructingGCMixin() is true.
In following code, we should be able to call
HeapObjectHeaderTrait<X>::heapObjectHeader(x) in the constructor of A.


struct X : public GarbageCollectedMixin { ... };
struct Y : public GarbageCollected<Y>, public X { ... };
struct A : public GarbageCollectedMixin {
  A() : x(new Y) {
    ASSERT(HeapObjectHeadertrait<X>::heapObjectHeader(x));
  }
  Member x;
};
struct B : public GarbageCollected<B>, public A { ... };

+        return obj->heapObjectHeader();
+    }
+    static uint32_t gcGeneration(T* obj)
+    {
+        // While constructing GarbageCollectedMixin classes, we skip looking
+        // for gcGeneration, because the object may not be fully allocated.
+        if (ThreadState::current()->isConstructingGCMixin())
+            return 0;
+        return heapObjectHeader(obj)->gcGeneration();
+    }
+};
+
+template<typename T>
+class GarbageCollectedMixinTrait<T, false> {
+public:
+    static HeapObjectHeader* heapObjectHeader(T* obj)
+    {

[haraken, 2015/11/11 10:03:16]

Add ASSERT(!ThreadState::current()->isConstructingGCMixin()).

[peria, 2015/11/12 14:38:42]

ditto.

+        return HeapObjectHeader::fromPayload(obj);
+    }
+    static uint32_t gcGeneration(T* obj)
+    {
+        return heapObjectHeader(obj)->gcGeneration();
+    }
+};
+
 class PLATFORM_EXPORT Heap {
 public:
     static void init();
     static void shutdown();
     static void doShutdown();
 
 #if ENABLE(ASSERT)
     static BasePage* findPageFromAddress(Address);
     static BasePage* findPageFromAddress(const void* pointer) { return findPageFromAddress(reinterpret_cast<Address>(const_cast<void*>(pointer))); }
 #endif
 
     template<typename T>
     static inline bool isHeapObjectAlive(T* object)
     {
         static_assert(sizeof(T), "T must be fully defined");
         // The strongification of collections relies on the fact that once a
         // collection has been strongified, there is no way that it can contain
         // non-live entries, so no entries will be removed. Since you can't set
         // the mark bit on a null pointer, that means that null pointers are
         // always 'alive'.
         if (!object)
             return true;
         return ObjectAliveTrait<T>::isHeapObjectAlive(object);
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const Member<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const WeakMember<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const UntracedMember<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const RawPtr<T>& ptr)
     {
         return isHeapObjectAlive(ptr.get());
     }
 
     // Is the finalizable GC object still alive, but slated for lazy sweeping?
     // If a lazy sweep is in progress, returns true if the object was found
     // to be not reachable during the marking phase, but it has yet to be swept
@@ skipping 133 matching lines @@
     static size_t wrapperCountAtLastGC() { return acquireLoad(&s_wrapperCountAtLastGC); }
     static void increaseCollectedWrapperCount(size_t delta) { atomicAdd(&s_collectedWrapperCount, static_cast<long>(delta)); }
     static size_t collectedWrapperCount() { return acquireLoad(&s_collectedWrapperCount); }
     static size_t partitionAllocSizeAtLastGC() { return acquireLoad(&s_partitionAllocSizeAtLastGC); }
 
     static double estimatedMarkingTime();
     static void reportMemoryUsageHistogram();
     static void reportMemoryUsageForTracing();
 
 #if ENABLE(ASSERT)
-    static uint16_t gcGeneration() { return s_gcGeneration; }
+    static uint32_t gcGeneration() { return s_gcGeneration; }
 #endif
 
 private:
     // A RegionTree is a simple binary search tree of PageMemoryRegions sorted
     // by base addresses.
     class RegionTree {
     public:
         explicit RegionTree(PageMemoryRegion* region) : m_region(region), m_left(nullptr), m_right(nullptr) { }
         ~RegionTree()
         {
@@ skipping 28 matching lines @@
     static size_t s_allocatedObjectSize;
     static size_t s_objectSizeAtLastGC;
     static size_t s_markedObjectSize;
     static size_t s_markedObjectSizeAtLastCompleteSweep;
     static size_t s_wrapperCount;
     static size_t s_wrapperCountAtLastGC;
     static size_t s_collectedWrapperCount;
     static size_t s_partitionAllocSizeAtLastGC;
     static double s_estimatedMarkingTimePerByte;
 #if ENABLE(ASSERT)
-    static uint16_t s_gcGeneration;
+    static uint32_t s_gcGeneration;
 #endif
 
     friend class ThreadState;
 };
 
 template<typename T>
 struct IsEagerlyFinalizedType {
 private:
     typedef char YesType;
     struct NoType {
@@ skipping 180 matching lines @@
 void VisitorHelper<Derived>::handleWeakCell(Visitor* self, void* object)
 {
     T** cell = reinterpret_cast<T**>(object);
     if (*cell && !ObjectAliveTrait<T>::isHeapObjectAlive(*cell))
         *cell = nullptr;
 }
 
 } // namespace blink
 
 #endif // Heap_h