[Oilpan] Add use-after-free detector in Member<>

third_party/WebKit/Source/platform/heap/HeapPage.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 70 matching lines @@
         static_cast<LargeObjectPage*>(largePage)->setIsVectorBackingPage(); \
     }
 #else
 #define ENABLE_ASAN_CONTAINER_ANNOTATIONS 0
 #define ASAN_RETIRE_CONTAINER_ANNOTATION(payload, payloadSize)
 #define ASAN_MARK_LARGE_VECTOR_CONTAINER(heap, largeObject)
 #endif
 
 namespace blink {
 
-#if ENABLE(ASSERT)
-NO_SANITIZE_ADDRESS
-void HeapObjectHeader::zapMagic()
-{
-    ASSERT(checkHeader());
-    m_magic = zappedMagic;
-}
-#endif
-
 void HeapObjectHeader::finalize(Address object, size_t objectSize)
 {
     const GCInfo* gcInfo = Heap::gcInfo(gcInfoIndex());
     if (gcInfo->hasFinalizer())
         gcInfo->m_finalize(object);
 
     ASAN_RETIRE_CONTAINER_ANNOTATION(object, objectSize);
 }
 
 BaseHeap::BaseHeap(ThreadState* state, int index)
@@ skipping 506 matching lines @@
     if (isObjectAllocatedAtAllocationPoint(header)) {
         m_currentAllocationPoint -= shrinkSize;
         setRemainingAllocationSize(m_remainingAllocationSize + shrinkSize);
         SET_MEMORY_INACCESSIBLE(m_currentAllocationPoint, shrinkSize);
         header->setSize(allocationSize);
         return true;
     }
     ASSERT(shrinkSize >= sizeof(HeapObjectHeader));
     ASSERT(header->gcInfoIndex() > 0);
     Address shrinkAddress = header->payloadEnd() - shrinkSize;
-    HeapObjectHeader* freedHeader = new (NotNull, shrinkAddress) HeapObjectHeader(shrinkSize, header->gcInfoIndex());
+    HeapObjectHeader* freedHeader = new (NotNull, shrinkAddress) HeapObjectHeader(shrinkSize, header->gcInfoIndex(), gcGenerationForFreeListEntry);
     freedHeader->markPromptlyFreed();
     ASSERT(pageFromObject(reinterpret_cast<Address>(header)) == findPageFromAddress(reinterpret_cast<Address>(header)));
     m_promptlyFreedSize += shrinkSize;
     header->setSize(allocationSize);
     SET_MEMORY_INACCESSIBLE(shrinkAddress + sizeof(HeapObjectHeader), shrinkSize - sizeof(HeapObjectHeader));
     return false;
 }
 
 Address NormalPageHeap::lazySweepPages(size_t allocationSize, size_t gcInfoIndex)
 {
@@ skipping 133 matching lines @@
             // as it is considered too costly.
             if (!entry || entry->size() < allocationSize)
                 break;
         }
         if (entry) {
             entry->unlink(&m_freeList.m_freeLists[index]);
             setAllocationPoint(entry->address(), entry->size());
             ASSERT(hasCurrentAllocationArea());
             ASSERT(remainingAllocationSize() >= allocationSize);
             m_freeList.m_biggestFreeListIndex = index;
-            return allocateObject(allocationSize, gcInfoIndex);
+            return allocateObject(allocationSize, gcInfoIndex, Heap::gcGeneration());
         }
     }
     m_freeList.m_biggestFreeListIndex = index;
     return nullptr;
 }
 
 LargeObjectHeap::LargeObjectHeap(ThreadState* state, int index)
     : BaseHeap(state, index)
 {
 }
@@ skipping 32 matching lines @@
     threadState()->shouldFlushHeapDoesNotContainCache();
     PageMemory* pageMemory = PageMemory::allocate(largeObjectSize);
     Address largeObjectAddress = pageMemory->writableStart();
     Address headerAddress = largeObjectAddress + LargeObjectPage::pageHeaderSize();
 #if ENABLE(ASSERT)
     // Verify that the allocated PageMemory is expectedly zeroed.
     for (size_t i = 0; i < largeObjectSize; ++i)
         ASSERT(!largeObjectAddress[i]);
 #endif
     ASSERT(gcInfoIndex > 0);
-    HeapObjectHeader* header = new (NotNull, headerAddress) HeapObjectHeader(largeObjectSizeInHeader, gcInfoIndex);
+    HeapObjectHeader* header = new (NotNull, headerAddress) HeapObjectHeader(largeObjectSizeInHeader, gcInfoIndex, Heap::gcGeneration());
     Address result = headerAddress + sizeof(*header);
     ASSERT(!(reinterpret_cast<uintptr_t>(result) & allocationMask));
     LargeObjectPage* largeObject = new (largeObjectAddress) LargeObjectPage(pageMemory, this, allocationSize);
     ASSERT(header->checkHeader());
 
     // Poison the object header and allocationGranularity bytes after the object
     ASAN_POISON_MEMORY_REGION(header, sizeof(*header));
     ASAN_POISON_MEMORY_REGION(largeObject->address() + largeObject->size(), allocationGranularity);
 
     largeObject->link(&m_firstPage);
@@ skipping 73 matching lines @@
     // The free list entries are only pointer aligned (but when we allocate
     // from them we are 8 byte aligned due to the header size).
     ASSERT(!((reinterpret_cast<uintptr_t>(address) + sizeof(HeapObjectHeader)) & allocationMask));
     ASSERT(!(size & allocationMask));
     ASAN_UNPOISON_MEMORY_REGION(address, size);
     FreeListEntry* entry;
     if (size < sizeof(*entry)) {
         // Create a dummy header with only a size and freelist bit set.
         ASSERT(size >= sizeof(HeapObjectHeader));
         // Free list encode the size to mark the lost memory as freelist memory.
-        new (NotNull, address) HeapObjectHeader(size, gcInfoIndexForFreeListHeader);
+        new (NotNull, address) HeapObjectHeader(size, gcInfoIndexForFreeListHeader, gcGenerationForFreeListEntry);
 
         ASAN_POISON_MEMORY_REGION(address, size);
         // This memory gets lost. Sweeping can reclaim it.
         return;
     }
     entry = new (NotNull, address) FreeListEntry(size);
 
 #if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
     // The following logic delays reusing free lists for (at least) one GC
     // cycle or coalescing. This is helpful to detect use-after-free errors
@@ skipping 371 matching lines @@
     objectStartNumber = (mapIndex * 8) + 7 - leadingZeroes;
     objectOffset = objectStartNumber * allocationGranularity;
     Address objectAddress = objectOffset + payload();
     HeapObjectHeader* header = reinterpret_cast<HeapObjectHeader*>(objectAddress);
     if (header->isFree())
         return nullptr;
     ASSERT(header->checkHeader());
     return header;
 }
 
+HeapObjectHeader* NormalPage::findHeaderFromObject(const void* obj)

[haraken, 2015/11/25 02:38:54]

I'm afraid that this method would be super heavy.

How much does the cycle time of layout tests increase when you enable the
use-after-free detection?

+{
+    ASSERT(payload() <= obj && obj <= payloadEnd());
+
+    Address start = payload();
+    for (Address headerAddress = start; headerAddress < payloadEnd();) {
+        HeapObjectHeader* header = reinterpret_cast<HeapObjectHeader*>(headerAddress);
+        Address nextHeaderAddress = headerAddress + header->size();
+        if (header <= obj && obj < nextHeaderAddress)
+            return header;
+        headerAddress = nextHeaderAddress;
+        ASSERT(headerAddress <= payloadEnd());
+    }
+
+    ASSERT_NOT_REACHED();
+    return nullptr;
+}
+
 #if ENABLE(ASSERT)
 static bool isUninitializedMemory(void* objectPointer, size_t objectSize)
 {
     // Scan through the object's fields and check that they are all zero.
     Address* objectFields = reinterpret_cast<Address*>(objectPointer);
     for (size_t i = 0; i < objectSize / sizeof(Address); ++i) {
         if (objectFields[i] != 0)
             return false;
     }
     return true;
@@ skipping 255 matching lines @@
 
     m_hasEntries = true;
     size_t index = hash(address);
     ASSERT(!(index & 1));
     Address cachePage = roundToBlinkPageStart(address);
     m_entries[index + 1] = m_entries[index];
     m_entries[index] = cachePage;
 }
 
 } // namespace blink