[Oilpan] Add use-after-free detector in Member<>

third_party/WebKit/Source/platform/heap/Heap.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 78 matching lines @@
         // non-live entries, so no entries will be removed. Since you can't set
         // the mark bit on a null pointer, that means that null pointers are
         // always 'alive'.
         if (!object)
             return true;
         return ObjectAliveTrait<T>::isHeapObjectAlive(object);
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const Member<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const WeakMember<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const UntracedMember<T>& member)
     {
-        return isHeapObjectAlive(member.get());
+        return isHeapObjectAlive(member.unsafeGet());
     }
     template<typename T>
     static inline bool isHeapObjectAlive(const RawPtr<T>& ptr)
     {
         return isHeapObjectAlive(ptr.get());
     }
 
     // Is the finalizable GC object still alive, but slated for lazy sweeping?
     // If a lazy sweep is in progress, returns true if the object was found
     // to be not reachable during the marking phase, but it has yet to be swept
@@ skipping 132 matching lines @@
     static size_t wrapperCount() { return acquireLoad(&s_wrapperCount); }
     static size_t wrapperCountAtLastGC() { return acquireLoad(&s_wrapperCountAtLastGC); }
     static void increaseCollectedWrapperCount(size_t delta) { atomicAdd(&s_collectedWrapperCount, static_cast<long>(delta)); }
     static size_t collectedWrapperCount() { return acquireLoad(&s_collectedWrapperCount); }
     static size_t partitionAllocSizeAtLastGC() { return acquireLoad(&s_partitionAllocSizeAtLastGC); }
 
     static double estimatedMarkingTime();
     static void reportMemoryUsageHistogram();
     static void reportMemoryUsageForTracing();
 
-#if ENABLE(ASSERT)
-    static uint16_t gcGeneration() { return s_gcGeneration; }
-#endif
+    static uint32_t gcGeneration()
+    {
+        ASSERT(s_gcGeneration != gcGenerationUnchecked);
+        ASSERT(s_gcGeneration != gcGenerationForFreeListEntry);
+        return s_gcGeneration;
+    }
 
 private:
     // A RegionTree is a simple binary search tree of PageMemoryRegions sorted
     // by base addresses.
     class RegionTree {
     public:
         explicit RegionTree(PageMemoryRegion* region) : m_region(region), m_left(nullptr), m_right(nullptr) { }
         ~RegionTree()
         {
             delete m_left;
@@ skipping 26 matching lines @@
     static size_t s_allocatedSpace;
     static size_t s_allocatedObjectSize;
     static size_t s_objectSizeAtLastGC;
     static size_t s_markedObjectSize;
     static size_t s_markedObjectSizeAtLastCompleteSweep;
     static size_t s_wrapperCount;
     static size_t s_wrapperCountAtLastGC;
     static size_t s_collectedWrapperCount;
     static size_t s_partitionAllocSizeAtLastGC;
     static double s_estimatedMarkingTimePerByte;
-#if ENABLE(ASSERT)
-    static uint16_t s_gcGeneration;
-#endif
+    static uint32_t s_gcGeneration;
 
     friend class ThreadState;
 };
 
 template<typename T>
 struct IsEagerlyFinalizedType {
 private:
     typedef char YesType;
     struct NoType {
         char padding[8];
@@ skipping 124 matching lines @@
 #define EAGERLY_FINALIZE_WILL_BE_REMOVED() EAGERLY_FINALIZE()
 #else
 #define EAGERLY_FINALIZE_WILL_BE_REMOVED()
 #endif
 
 inline Address Heap::allocateOnHeapIndex(ThreadState* state, size_t size, int heapIndex, size_t gcInfoIndex)
 {
     ASSERT(state->isAllocationAllowed());
     ASSERT(heapIndex != BlinkGC::LargeObjectHeapIndex);
     NormalPageHeap* heap = static_cast<NormalPageHeap*>(state->heap(heapIndex));
-    return heap->allocateObject(allocationSizeFromSize(size), gcInfoIndex);
+    return heap->allocateObject(allocationSizeFromSize(size), gcInfoIndex, gcGeneration());
 }
 
 template<typename T>
 Address Heap::allocate(size_t size, bool eagerlySweep)
 {
     ThreadState* state = ThreadStateFor<ThreadingTrait<T>::Affinity>::state();
     return Heap::allocateOnHeapIndex(state, size, eagerlySweep ? BlinkGC::EagerSweepHeapIndex : Heap::heapIndexForObjectSize(size), GCInfoTrait<T>::index());
 }
 
 template<typename T>
@@ skipping 34 matching lines @@
 void VisitorHelper<Derived>::handleWeakCell(Visitor* self, void* object)
 {
     T** cell = reinterpret_cast<T**>(object);
     if (*cell && !ObjectAliveTrait<T>::isHeapObjectAlive(*cell))
         *cell = nullptr;
 }
 
 } // namespace blink
 
 #endif // Heap_h