[Oilpan] Add use-after-free detector in Member<>

third_party/WebKit/Source/platform/heap/Heap.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 29 matching lines @@
 #include "wtf/Assertions.h"
 #include "wtf/Atomics.h"
 #include "wtf/Forward.h"
 
 namespace blink {
 
 template<typename T> class Member;
 template<typename T> class WeakMember;
 template<typename T> class UntracedMember;
 
+// TODO(peria): Refactor following two sets of templates.
+
 template<typename T, bool = NeedsAdjustAndMark<T>::value> class ObjectAliveTrait;
 
 template<typename T>
 class ObjectAliveTrait<T, false> {
 public:
     static bool isHeapObjectAlive(T* object)
     {
         static_assert(sizeof(T), "T must be fully defined");
         return HeapObjectHeader::fromPayload(object)->isMarked();
     }
 };
 
 template<typename T>
 class ObjectAliveTrait<T, true> {
 public:
     static bool isHeapObjectAlive(T* object)
     {
-        static_assert(sizeof(T), "T must be fully defined");
         return object->isHeapObjectAlive();
     }
 };
 
+template<typename T, bool = IsGarbageCollectedMixin<T>::value> class HeapObjectHeaderTrait;
+
+template<typename T>
+class HeapObjectHeaderTrait<T, true> {
+public:
+    static HeapObjectHeader* heapObjectHeader(T* obj)
+    {
+        static_assert(IsFullyDefined<T>::value, "T must be fully defined.");
+        // TODO(peria): This ASSERT() is too restrictive.  The ASSERT forbids
+        // to call heapObjectHeader() for an object while another
+        // (totally independent) mixin object is under construction.
+        ASSERT(!ThreadState::current()->isConstructingGCMixin());
+        return obj->heapObjectHeader();
+    }
+};
+
+template<typename T>
+class HeapObjectHeaderTrait<T, false> {
+public:
+    static HeapObjectHeader* heapObjectHeader(T* obj)
+    {
+        static_assert(IsFullyDefined<T>::value, "T must be fully defined.");
+        ASSERT(!ThreadState::current()->isConstructingGCMixin());
+        return HeapObjectHeader::fromPayload(obj);
+    }
+};
+
 class PLATFORM_EXPORT Heap {
 public:
     static void init();
     static void shutdown();
     static void doShutdown();
 
 #if ENABLE(ASSERT)
     static BasePage* findPageFromAddress(Address);
     static BasePage* findPageFromAddress(const void* pointer) { return findPageFromAddress(reinterpret_cast<Address>(const_cast<void*>(pointer))); }
 #endif
 
     template<typename T>
     static inline bool isHeapObjectAlive(T* object)
     {
         static_assert(sizeof(T), "T must be fully defined");
         // The strongification of collections relies on the fact that once a
         // collection has been strongified, there is no way that it can contain
         // non-live entries, so no entries will be removed. Since you can't set
         // the mark bit on a null pointer, that means that null pointers are
         // always 'alive'.
         if (!object)
             return true;
         return ObjectAliveTrait<T>::isHeapObjectAlive(object);
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const Member<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const WeakMember<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const UntracedMember<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const RawPtr<T>& ptr)
     {
         return isHeapObjectAlive(ptr.get());
     }
 
     // Is the finalizable GC object still alive, but slated for lazy sweeping?
     // If a lazy sweep is in progress, returns true if the object was found
     // to be not reachable during the marking phase, but it has yet to be swept
@@ skipping 132 matching lines @@
     static size_t wrapperCount() { return acquireLoad(&s_wrapperCount); }
     static size_t wrapperCountAtLastGC() { return acquireLoad(&s_wrapperCountAtLastGC); }
     static void increaseCollectedWrapperCount(size_t delta) { atomicAdd(&s_collectedWrapperCount, static_cast<long>(delta)); }
     static size_t collectedWrapperCount() { return acquireLoad(&s_collectedWrapperCount); }
     static size_t partitionAllocSizeAtLastGC() { return acquireLoad(&s_partitionAllocSizeAtLastGC); }
 
     static double estimatedMarkingTime();
     static void reportMemoryUsageHistogram();
     static void reportMemoryUsageForTracing();
 
-#if ENABLE(ASSERT)
-    static uint16_t gcGeneration() { return s_gcGeneration; }
-#endif
+    static uint32_t gcGeneration() { return s_gcGeneration; }

[haraken, 2015/11/20 01:59:06]

Can we add:

  ASSERT(s_gcGeneration != gcGenerationUnchecked);
  ASSERT(s_gcGeneration != gcGenerationForFreeListEntry);

?

[peria, 2015/11/20 02:27:00]

Done.

 
 private:
     // A RegionTree is a simple binary search tree of PageMemoryRegions sorted
     // by base addresses.
     class RegionTree {
     public:
         explicit RegionTree(PageMemoryRegion* region) : m_region(region), m_left(nullptr), m_right(nullptr) { }
         ~RegionTree()
         {
             delete m_left;
@@ skipping 26 matching lines @@
     static size_t s_allocatedSpace;
     static size_t s_allocatedObjectSize;
     static size_t s_objectSizeAtLastGC;
     static size_t s_markedObjectSize;
     static size_t s_markedObjectSizeAtLastCompleteSweep;
     static size_t s_wrapperCount;
     static size_t s_wrapperCountAtLastGC;
     static size_t s_collectedWrapperCount;
     static size_t s_partitionAllocSizeAtLastGC;
     static double s_estimatedMarkingTimePerByte;
-#if ENABLE(ASSERT)
-    static uint16_t s_gcGeneration;
-#endif
+    static uint32_t s_gcGeneration;
 
     friend class ThreadState;
 };
 
 template<typename T>
 struct IsEagerlyFinalizedType {
 private:
     typedef char YesType;
     struct NoType {
         char padding[8];
@@ skipping 124 matching lines @@
 #define EAGERLY_FINALIZE_WILL_BE_REMOVED() EAGERLY_FINALIZE()
 #else
 #define EAGERLY_FINALIZE_WILL_BE_REMOVED()
 #endif
 
 inline Address Heap::allocateOnHeapIndex(ThreadState* state, size_t size, int heapIndex, size_t gcInfoIndex)
 {
     ASSERT(state->isAllocationAllowed());
     ASSERT(heapIndex != BlinkGC::LargeObjectHeapIndex);
     NormalPageHeap* heap = static_cast<NormalPageHeap*>(state->heap(heapIndex));
-    return heap->allocateObject(allocationSizeFromSize(size), gcInfoIndex);
+    return heap->allocateObject(allocationSizeFromSize(size), gcInfoIndex, gcGeneration());
 }
 
 template<typename T>
 Address Heap::allocate(size_t size, bool eagerlySweep)
 {
     ThreadState* state = ThreadStateFor<ThreadingTrait<T>::Affinity>::state();
     return Heap::allocateOnHeapIndex(state, size, eagerlySweep ? BlinkGC::EagerSweepHeapIndex : Heap::heapIndexForObjectSize(size), GCInfoTrait<T>::index());
 }
 
 template<typename T>
@@ skipping 34 matching lines @@
 void VisitorHelper<Derived>::handleWeakCell(Visitor* self, void* object)
 {
     T** cell = reinterpret_cast<T**>(object);
     if (*cell && !ObjectAliveTrait<T>::isHeapObjectAlive(*cell))
         *cell = nullptr;
 }
 
 } // namespace blink
 
 #endif // Heap_h