[Oilpan] Add use-after-free detector in Member<>

third_party/WebKit/Source/platform/heap/Heap.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 29 matching lines @@
 #include "wtf/Assertions.h"
 #include "wtf/Atomics.h"
 #include "wtf/Forward.h"
 
 namespace blink {
 
 template<typename T> class Member;
 template<typename T> class WeakMember;
 template<typename T> class UntracedMember;
 
+// TODO(peria): Refactor following two sets of templates.
+
 template<typename T, bool = NeedsAdjustAndMark<T>::value> class ObjectAliveTrait;
 
 template<typename T>
 class ObjectAliveTrait<T, false> {
 public:
     static bool isHeapObjectAlive(T* object)
     {
         static_assert(sizeof(T), "T must be fully defined");
         return HeapObjectHeader::fromPayload(object)->isMarked();
     }
 };
 
 template<typename T>
 class ObjectAliveTrait<T, true> {
 public:
     static bool isHeapObjectAlive(T* object)
     {
+        return object->isHeapObjectAlive();
+    }
+};
+
+template<typename T, bool = IsGarbageCollectedMixin<T>::value> class HeapObjectHeaderTrait;
+
+template<typename T>
+class HeapObjectHeaderTrait<T, true> {
+public:
+    static HeapObjectHeader* heapObjectHeader(T* obj)
+    {
         static_assert(sizeof(T), "T must be fully defined");
-        return object->isHeapObjectAlive();
+        // TODO(peria): This ASSERT() is too restrictive.  The ASSERT forbids
+        // to call heapObjectHeader() for an object while another
+        // (totally independent) mixin object is under construction.
+        ASSERT(!ThreadState::current()->isConstructingGCMixin());
+        return obj->heapObjectHeader();
+    }
+};
+
+template<typename T>
+class HeapObjectHeaderTrait<T, false> {

[peria, 2015/11/17 01:36:49]

Yuta-san,
Is it safe to instantiate HeapObjectHeaderTrait without having a fully-defined
T?

[Yuta Kitamura, 2015/11/17 06:25:12]

If the lines 95-96 are NOT present, I think it's safe, because there's nothing
in
this specific specialization depends on whether T is fully defined or not; in
other
words, this specialization only depends on the existance of T* and
T* -> void* conversion, both of which can be instantiated without T's full
declaration.

With lines 95-96 things get more complex, because this piece of code changes the
behavior
depending on whether T is fully defined *at the point of first instantiation*.

Consider the following example:

    class A;
    bool a1 = IsFullyDefined<A>::value;
    class A { };
    bool a2 = IsFullyDefined<A>::value;

The values of a1 and a2 are *both* false, because IsFullyDefined<A>::value is
instantiated
at the place of its first use, and not again on the later uses.

Therefore, your code with lines 95-96 would effectively cause the
heapObjectHeader
function to return nullptr for some random "T"s and return a valid header for
the other
"T"s. You probably don't want that behavior, nor lines 95-96, I guess.

[peria, 2015/11/17 07:24:57]

Thank you for the clarification and additional explanation in off-line
communication.
As you said, using IsFullyDefined<A>::value has another problem in link phase.
(Linker will choose which instantiation to link.)

As a result, I will add #include to define T and put a static assert to check it
here.

+public:
+    static HeapObjectHeader* heapObjectHeader(T* obj)
+    {
+        ASSERT(!ThreadState::current()->isConstructingGCMixin());
+        if (!IsFullyDefined<T>::value)
+            return nullptr;
+        return HeapObjectHeader::fromPayload(obj);
     }
 };
 
 class PLATFORM_EXPORT Heap {
 public:
     static void init();
     static void shutdown();
     static void doShutdown();
 
 #if ENABLE(ASSERT)
@@ skipping 10 matching lines @@
         // non-live entries, so no entries will be removed. Since you can't set
         // the mark bit on a null pointer, that means that null pointers are
         // always 'alive'.
         if (!object)
             return true;
         return ObjectAliveTrait<T>::isHeapObjectAlive(object);
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const Member<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const WeakMember<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const UntracedMember<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const RawPtr<T>& ptr)
     {
         return isHeapObjectAlive(ptr.get());
     }
 
     // Is the finalizable GC object still alive, but slated for lazy sweeping?
     // If a lazy sweep is in progress, returns true if the object was found
     // to be not reachable during the marking phase, but it has yet to be swept
@@ skipping 132 matching lines @@
     static size_t wrapperCount() { return acquireLoad(&s_wrapperCount); }
     static size_t wrapperCountAtLastGC() { return acquireLoad(&s_wrapperCountAtLastGC); }
     static void increaseCollectedWrapperCount(size_t delta) { atomicAdd(&s_collectedWrapperCount, static_cast<long>(delta)); }
     static size_t collectedWrapperCount() { return acquireLoad(&s_collectedWrapperCount); }
     static size_t partitionAllocSizeAtLastGC() { return acquireLoad(&s_partitionAllocSizeAtLastGC); }
 
     static double estimatedMarkingTime();
     static void reportMemoryUsageHistogram();
     static void reportMemoryUsageForTracing();
 
-#if ENABLE(ASSERT)
-    static uint16_t gcGeneration() { return s_gcGeneration; }
-#endif
+    static uint32_t gcGeneration() { return s_gcGeneration; }
 
 private:
     // A RegionTree is a simple binary search tree of PageMemoryRegions sorted
     // by base addresses.
     class RegionTree {
     public:
         explicit RegionTree(PageMemoryRegion* region) : m_region(region), m_left(nullptr), m_right(nullptr) { }
         ~RegionTree()
         {
             delete m_left;
@@ skipping 26 matching lines @@
     static size_t s_allocatedSpace;
     static size_t s_allocatedObjectSize;
     static size_t s_objectSizeAtLastGC;
     static size_t s_markedObjectSize;
     static size_t s_markedObjectSizeAtLastCompleteSweep;
     static size_t s_wrapperCount;
     static size_t s_wrapperCountAtLastGC;
     static size_t s_collectedWrapperCount;
     static size_t s_partitionAllocSizeAtLastGC;
     static double s_estimatedMarkingTimePerByte;
-#if ENABLE(ASSERT)
-    static uint16_t s_gcGeneration;
-#endif
+    static uint32_t s_gcGeneration;
 
     friend class ThreadState;
 };
 
 template<typename T>
 struct IsEagerlyFinalizedType {
 private:
     typedef char YesType;
     struct NoType {
         char padding[8];
@@ skipping 124 matching lines @@
 #define EAGERLY_FINALIZE_WILL_BE_REMOVED() EAGERLY_FINALIZE()
 #else
 #define EAGERLY_FINALIZE_WILL_BE_REMOVED()
 #endif
 
 inline Address Heap::allocateOnHeapIndex(ThreadState* state, size_t size, int heapIndex, size_t gcInfoIndex)
 {
     ASSERT(state->isAllocationAllowed());
     ASSERT(heapIndex != BlinkGC::LargeObjectHeapIndex);
     NormalPageHeap* heap = static_cast<NormalPageHeap*>(state->heap(heapIndex));
-    return heap->allocateObject(allocationSizeFromSize(size), gcInfoIndex);
+    return heap->allocateObject(allocationSizeFromSize(size), gcInfoIndex, gcGeneration());
 }
 
 template<typename T>
 Address Heap::allocate(size_t size, bool eagerlySweep)
 {
     ThreadState* state = ThreadStateFor<ThreadingTrait<T>::Affinity>::state();
     return Heap::allocateOnHeapIndex(state, size, eagerlySweep ? BlinkGC::EagerSweepHeapIndex : Heap::heapIndexForObjectSize(size), GCInfoTrait<T>::index());
 }
 
 template<typename T>
@@ skipping 34 matching lines @@
 void VisitorHelper<Derived>::handleWeakCell(Visitor* self, void* object)
 {
     T** cell = reinterpret_cast<T**>(object);
     if (*cell && !ObjectAliveTrait<T>::isHeapObjectAlive(*cell))
         *cell = nullptr;
 }
 
 } // namespace blink
 
 #endif // Heap_h