[Oilpan] Add use-after-free detector in Member<>

third_party/WebKit/Source/platform/heap/HeapPage.cpp

Index: third_party/WebKit/Source/platform/heap/HeapPage.cpp
diff --git a/third_party/WebKit/Source/platform/heap/HeapPage.cpp b/third_party/WebKit/Source/platform/heap/HeapPage.cpp
index 10b30f8de75112e2dafff32746ad59ed959836b9..278d1fdc4c31484c4ba3be42f2d730432e266392 100644
--- a/third_party/WebKit/Source/platform/heap/HeapPage.cpp
+++ b/third_party/WebKit/Source/platform/heap/HeapPage.cpp
@@ -88,15 +88,6 @@
 
 namespace blink {
 
-#if ENABLE(ASSERT)
-NO_SANITIZE_ADDRESS
-void HeapObjectHeader::zapMagic()
-{
-    ASSERT(checkHeader());
-    m_magic = zappedMagic;
-}
-#endif
-
 void HeapObjectHeader::finalize(Address object, size_t objectSize)
 {
     const GCInfo* gcInfo = Heap::gcInfo(gcInfoIndex());
@@ -623,7 +614,7 @@ bool NormalPageHeap::shrinkObject(HeapObjectHeader* header, size_t newSize)
     ASSERT(shrinkSize >= sizeof(HeapObjectHeader));
     ASSERT(header->gcInfoIndex() > 0);
     Address shrinkAddress = header->payloadEnd() - shrinkSize;
-    HeapObjectHeader* freedHeader = new (NotNull, shrinkAddress) HeapObjectHeader(shrinkSize, header->gcInfoIndex());
+    HeapObjectHeader* freedHeader = new (NotNull, shrinkAddress) HeapObjectHeader(shrinkSize, header->gcInfoIndex(), 0);
     freedHeader->markPromptlyFreed();
     ASSERT(pageFromObject(reinterpret_cast<Address>(header)) == findPageFromAddress(reinterpret_cast<Address>(header)));
     m_promptlyFreedSize += shrinkSize;
@@ -777,7 +768,7 @@ Address NormalPageHeap::allocateFromFreeList(size_t allocationSize, size_t gcInf
             ASSERT(hasCurrentAllocationArea());
             ASSERT(remainingAllocationSize() >= allocationSize);
             m_freeList.m_biggestFreeListIndex = index;
-            return allocateObject(allocationSize, gcInfoIndex);
+            return allocateObject(allocationSize, gcInfoIndex, Heap::gcGeneration());
         }
     }
     m_freeList.m_biggestFreeListIndex = index;
@@ -830,7 +821,7 @@ Address LargeObjectHeap::doAllocateLargeObjectPage(size_t allocationSize, size_t
         ASSERT(!largeObjectAddress[i]);
 #endif
     ASSERT(gcInfoIndex > 0);
-    HeapObjectHeader* header = new (NotNull, headerAddress) HeapObjectHeader(largeObjectSizeInHeader, gcInfoIndex);
+    HeapObjectHeader* header = new (NotNull, headerAddress) HeapObjectHeader(largeObjectSizeInHeader, gcInfoIndex, Heap::gcGeneration());
     Address result = headerAddress + sizeof(*header);
     ASSERT(!(reinterpret_cast<uintptr_t>(result) & allocationMask));
     LargeObjectPage* largeObject = new (largeObjectAddress) LargeObjectPage(pageMemory, this, allocationSize);
@@ -924,7 +915,7 @@ void FreeList::addToFreeList(Address address, size_t size)
         // Create a dummy header with only a size and freelist bit set.
         ASSERT(size >= sizeof(HeapObjectHeader));
         // Free list encode the size to mark the lost memory as freelist memory.
-        new (NotNull, address) HeapObjectHeader(size, gcInfoIndexForFreeListHeader);
+        new (NotNull, address) HeapObjectHeader(size, gcInfoIndexForFreeListHeader, 0);

[haraken, 2015/11/16 02:47:50]

Can you define:

  unsigned gcGenerationForFreeListEntry = 0;

and use it instead of hard-coding 0 in many places?

[peria, 2015/11/16 05:33:26]

Done.

 
         ASAN_POISON_MEMORY_REGION(address, size);
         // This memory gets lost. Sweeping can reclaim it.