[Oilpan] Add use-after-free detector in Member<>

third_party/WebKit/Source/platform/heap/HeapPage.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 98 matching lines @@
 #define CHECK_MEMORY_INACCESSIBLE(address, size) \
     ASAN_UNPOISON_MEMORY_REGION(address, size); \
     FreeList::checkFreedMemoryIsZapped(address, size); \
     ASAN_POISON_MEMORY_REGION(address, size)
 #else
 #define SET_MEMORY_INACCESSIBLE(address, size) memset((address), 0, (size))
 #define SET_MEMORY_ACCESSIBLE(address, size) do { } while (false)
 #define CHECK_MEMORY_INACCESSIBLE(address, size) do { } while (false)
 #endif
 
-#if !ENABLE(ASSERT) && CPU(64BIT)
-#define USE_4BYTE_HEADER_PADDING 1
-#else
-#define USE_4BYTE_HEADER_PADDING 0
-#endif
-
 class CallbackStack;
 class FreePagePool;
 class NormalPageHeap;
 class OrphanedPagePool;
 class PageMemory;
 class PageMemoryRegion;
 class WebProcessMemoryDump;
 
-// HeapObjectHeader is 4 byte (32 bit) that has the following layout:
+// HeapObjectHeader has two 4 byte (32 bit) members, and one of them has
+// the following bit field layout:
 //
-// | gcInfoIndex (14 bit) | DOM mark bit (1 bit) | size (14 bit) | dead bit (1 bit) | freed bit (1 bit) | mark bit (1 bit) |
+// | gcInfoIndex (14 bit) | DOM mark bit (1 bit) | size (14 bit) | dead bit (1 bit) | freed bit (1 bit) | mark bit (1 bit)
 //
 // - For non-large objects, 14 bit is enough for |size| because the blink
 //   page size is 2^17 byte and each object is guaranteed to be aligned with
 //   2^3 byte.
 // - For large objects, |size| is 0. The actual size of a large object is
 //   stored in LargeObjectPage::m_payloadSize.
 // - 1 bit used to mark DOM trees for V8.
 // - 14 bit is enough for gcInfoIndex because there are less than 2^14 types
 //   in Blink.
 const size_t headerDOMMarkBitMask = 1u << 17;
 const size_t headerGCInfoIndexShift = 18;
 const size_t headerGCInfoIndexMask = (static_cast<size_t>((1 << 14) - 1)) << headerGCInfoIndexShift;
 const size_t headerSizeMask = (static_cast<size_t>((1 << 14) - 1)) << 3;
 const size_t headerMarkBitMask = 1;
 const size_t headerFreedBitMask = 2;
 // The dead bit is used for objects that have gone through a GC marking, but did
 // not get swept before a new GC started. In that case we set the dead bit on
 // objects that were not marked in the previous GC to ensure we are not tracing
 // them via a conservatively found pointer. Tracing dead objects could lead to
 // tracing of already finalized objects in another thread's heap which is a
 // use-after-free situation.
 const size_t headerDeadBitMask = 4;
 // On free-list entries we reuse the dead bit to distinguish a normal free-list
 // entry from one that has been promptly freed.
 const size_t headerPromptlyFreedBitMask = headerFreedBitMask | headerDeadBitMask;
 const size_t largeObjectSizeInHeader = 0;
 const size_t gcInfoIndexForFreeListHeader = 0;
 const size_t nonLargeObjectPageSizeMax = 1 << 17;
 
+const uint32_t gcGenerationUnchecked = 0;
+const uint32_t gcGenerationForFreeListEntry = 1;
+const uint32_t gcGenerationStart = 2;
+
 static_assert(nonLargeObjectPageSizeMax >= blinkPageSize, "max size supported by HeapObjectHeader must at least be blinkPageSize");
 
 class PLATFORM_EXPORT HeapObjectHeader {
 public:
     // If gcInfoIndex is 0, this header is interpreted as a free list header.
     NO_SANITIZE_ADDRESS
-    HeapObjectHeader(size_t size, size_t gcInfoIndex)
+    HeapObjectHeader(size_t size, size_t gcInfoIndex, uint32_t generation)
+        : m_gcGeneration(generation)
     {
-#if ENABLE(ASSERT)
-        m_magic = magic;
-#endif
         // sizeof(HeapObjectHeader) must be equal to or smaller than
         // allocationGranurarity, because HeapObjectHeader is used as a header
         // for an freed entry.  Given that the smallest entry size is
         // allocationGranurarity, HeapObjectHeader must fit into the size.
         static_assert(sizeof(HeapObjectHeader) <= allocationGranularity, "size of HeapObjectHeader must be smaller than allocationGranularity");
 #if CPU(64BIT)
         static_assert(sizeof(HeapObjectHeader) == 8, "size of HeapObjectHeader must be 8 byte aligned");
 #endif
 
         ASSERT(gcInfoIndex < GCInfoTable::maxIndex);
@@ skipping 23 matching lines @@
     void unmark();
     void markDead();
     bool isDead() const;
 
     Address payload();
     size_t payloadSize();
     Address payloadEnd();
 
 #if ENABLE(ASSERT)
     bool checkHeader() const;
-    // Zap magic number with a new magic number that means there was once an
-    // object allocated here, but it was freed because nobody marked it during
-    // GC.
-    void zapMagic();
 #endif
+    NO_SANITIZE_ADDRESS
+    uint32_t gcGeneration() const { return m_gcGeneration; }
 
     void finalize(Address, size_t);
     static HeapObjectHeader* fromPayload(const void*);
 
-    static const uint16_t magic = 0xfff1;
-    static const uint16_t zappedMagic = 0x4321;
-
 private:
     uint32_t m_encoded;
-#if ENABLE(ASSERT)
-    uint16_t m_magic;
-#endif
-
-    // In 64 bit architectures, we intentionally add 4 byte padding immediately
-    // after the HeapHeaderObject. This is because:
-    //
-    // | HeapHeaderObject (4 byte) | padding (4 byte) | object payload (8 * n byte) |
-    // ^8 byte aligned                                ^8 byte aligned
-    //
-    // is better than:
-    //
-    // | HeapHeaderObject (4 byte) | object payload (8 * n byte) | padding (4 byte) |
-    // ^4 byte aligned             ^8 byte aligned               ^4 byte aligned
-    //
-    // since the former layout aligns both header and payload to 8 byte.
-#if USE_4BYTE_HEADER_PADDING
-public:
-    uint32_t m_padding;
-#endif
+    // m_gcGeneration keeps track of the number of GC cycles where the object gets
+    // allocated. gcGenerationForFreeListentry indicates that the object has
+    // already been freed.
+    uint32_t m_gcGeneration;
 };
 
 class FreeListEntry final : public HeapObjectHeader {
 public:
     NO_SANITIZE_ADDRESS
     explicit FreeListEntry(size_t size)
-        : HeapObjectHeader(size, gcInfoIndexForFreeListHeader)
+        : HeapObjectHeader(size, gcInfoIndexForFreeListHeader, gcGenerationForFreeListEntry)
         , m_next(nullptr)
     {
 #if ENABLE(ASSERT)
         ASSERT(size >= sizeof(HeapObjectHeader));
-        zapMagic();
 #endif
     }
 
     Address address() { return reinterpret_cast<Address>(this); }
 
     NO_SANITIZE_ADDRESS
     void unlink(FreeListEntry** prevNext)
     {
         *prevNext = m_next;
         m_next = nullptr;
@@ skipping 201 matching lines @@
         // Compute the amount of padding we have to add to a header to make
         // the size of the header plus the padding a multiple of 8 bytes.
         size_t paddingSize = (sizeof(NormalPage) + allocationGranularity - (sizeof(HeapObjectHeader) % allocationGranularity)) % allocationGranularity;
         return sizeof(NormalPage) + paddingSize;
     }
 
 
     NormalPageHeap* heapForNormalPage();
     void clearObjectStartBitMap();
 
+    HeapObjectHeader* findHeaderFromObject(const void*);
+
 private:
     HeapObjectHeader* findHeaderFromAddress(Address);
     void populateObjectStartBitMap();
     bool isObjectStartBitMapComputed() { return m_objectStartBitMapComputed; }
 
     bool m_objectStartBitMapComputed;
     uint8_t m_objectStartBitMap[reservedForObjectBitMap];
 };
 
 // Large allocations are allocated as separate objects and linked in a list.
@@ skipping 204 matching lines @@
         ASSERT(findPageFromAddress(address + size - 1));
         m_freeList.addToFreeList(address, size);
     }
     void clearFreeLists() override;
 #if ENABLE(ASSERT)
     bool isConsistentForGC() override;
     bool pagesToBeSweptContains(Address);
 #endif
     void takeFreelistSnapshot(const String& dumpBaseName) override;
 
-    Address allocateObject(size_t allocationSize, size_t gcInfoIndex);
+    Address allocateObject(size_t allocationSize, size_t gcInfoIndex, uint32_t generation);
 
     void freePage(NormalPage*);
 
     bool coalesce();
     void promptlyFreeObject(HeapObjectHeader*);
     bool expandObject(HeapObjectHeader*, size_t);
     bool shrinkObject(HeapObjectHeader*, size_t);
     void decreasePromptlyFreedSize(size_t size) { m_promptlyFreedSize -= size; }
 
     bool isObjectAllocatedAtAllocationPoint(HeapObjectHeader* header)
@@ skipping 59 matching lines @@
     // LargeObjectPage::m_payloadSize.
     ASSERT(result != largeObjectSizeInHeader);
     ASSERT(!pageFromObject(this)->isLargeObjectPage());
     return result;
 }
 
 #if ENABLE(ASSERT)
 NO_SANITIZE_ADDRESS inline
 bool HeapObjectHeader::checkHeader() const
 {
-    return !pageFromObject(this)->orphaned() && m_magic == magic;
+    ASSERT(isFree() == (m_gcGeneration == gcGenerationForFreeListEntry));
+    ASSERT(m_gcGeneration != gcGenerationUnchecked);
+    return !pageFromObject(this)->orphaned();
 }
 #endif
 
 inline Address HeapObjectHeader::payload()
 {
     return reinterpret_cast<Address>(this) + sizeof(HeapObjectHeader);
 }
 
 inline Address HeapObjectHeader::payloadEnd()
 {
@@ skipping 51 matching lines @@
 }
 
 NO_SANITIZE_ADDRESS inline
 void HeapObjectHeader::markDead()
 {
     ASSERT(checkHeader());
     ASSERT(!isMarked());
     m_encoded |= headerDeadBitMask;
 }
 
-inline Address NormalPageHeap::allocateObject(size_t allocationSize, size_t gcInfoIndex)
+inline Address NormalPageHeap::allocateObject(size_t allocationSize, size_t gcInfoIndex, uint32_t gcGeneration)
 {
     if (LIKELY(allocationSize <= m_remainingAllocationSize)) {
         Address headerAddress = m_currentAllocationPoint;
         m_currentAllocationPoint += allocationSize;
         m_remainingAllocationSize -= allocationSize;
         ASSERT(gcInfoIndex > 0);
-        new (NotNull, headerAddress) HeapObjectHeader(allocationSize, gcInfoIndex);
+        new (NotNull, headerAddress) HeapObjectHeader(allocationSize, gcInfoIndex, gcGeneration);
         Address result = headerAddress + sizeof(HeapObjectHeader);
         ASSERT(!(reinterpret_cast<uintptr_t>(result) & allocationMask));
 
         SET_MEMORY_ACCESSIBLE(result, allocationSize - sizeof(HeapObjectHeader));
         ASSERT(findPageFromAddress(headerAddress + allocationSize - 1));
         return result;
     }
     return outOfLineAllocate(allocationSize, gcInfoIndex);
 }
 
 } // namespace blink
 
 #endif // HeapPage_h