third_party/WebKit/Source/platform/heap/HeapPage.cpp - Issue 1411603007: [Oilpan] Add use-after-free detector in Member<>

Unified Diff: third_party/WebKit/Source/platform/heap/HeapPage.cpp

Issue 1411603007: [Oilpan] Add use-after-free detector in Member<> Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Introduce gcGenerationUnchecked Created 5 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« third_party/WebKit/Source/platform/heap/Heap.h ('K') | « third_party/WebKit/Source/platform/heap/HeapPage.h ('k') | third_party/WebKit/Source/platform/heap/ThreadState.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/platform/heap/HeapPage.cpp

diff --git a/third_party/WebKit/Source/platform/heap/HeapPage.cpp b/third_party/WebKit/Source/platform/heap/HeapPage.cpp

index 10b30f8de75112e2dafff32746ad59ed959836b9..027df742f5e08beba04fd77d37851913bf484e89 100644

--- a/third_party/WebKit/Source/platform/heap/HeapPage.cpp

+++ b/third_party/WebKit/Source/platform/heap/HeapPage.cpp

@@ -88,15 +88,6 @@

namespace blink {

-#if ENABLE(ASSERT)

-NO_SANITIZE_ADDRESS

-void HeapObjectHeader::zapMagic()

- ASSERT(checkHeader());

- m_magic = zappedMagic;

-#endif

void HeapObjectHeader::finalize(Address object, size_t objectSize)

{

const GCInfo* gcInfo = Heap::gcInfo(gcInfoIndex());

@@ -623,7 +614,7 @@ bool NormalPageHeap::shrinkObject(HeapObjectHeader* header, size_t newSize)

ASSERT(shrinkSize >= sizeof(HeapObjectHeader));

ASSERT(header->gcInfoIndex() > 0);

Address shrinkAddress = header->payloadEnd() - shrinkSize;

- HeapObjectHeader* freedHeader = new (NotNull, shrinkAddress) HeapObjectHeader(shrinkSize, header->gcInfoIndex());

+ HeapObjectHeader* freedHeader = new (NotNull, shrinkAddress) HeapObjectHeader(shrinkSize, header->gcInfoIndex(), gcGenerationForFreeListEntry);

freedHeader->markPromptlyFreed();

ASSERT(pageFromObject(reinterpret_cast<Address>(header)) == findPageFromAddress(reinterpret_cast<Address>(header)));

m_promptlyFreedSize += shrinkSize;

@@ -777,7 +768,7 @@ Address NormalPageHeap::allocateFromFreeList(size_t allocationSize, size_t gcInf

ASSERT(hasCurrentAllocationArea());

ASSERT(remainingAllocationSize() >= allocationSize);

m_freeList.m_biggestFreeListIndex = index;

- return allocateObject(allocationSize, gcInfoIndex);

+ return allocateObject(allocationSize, gcInfoIndex, Heap::gcGeneration());

}

m_freeList.m_biggestFreeListIndex = index;

@@ -830,7 +821,7 @@ Address LargeObjectHeap::doAllocateLargeObjectPage(size_t allocationSize, size_t

ASSERT(!largeObjectAddress[i]);

#endif

ASSERT(gcInfoIndex > 0);

- HeapObjectHeader* header = new (NotNull, headerAddress) HeapObjectHeader(largeObjectSizeInHeader, gcInfoIndex);

+ HeapObjectHeader* header = new (NotNull, headerAddress) HeapObjectHeader(largeObjectSizeInHeader, gcInfoIndex, Heap::gcGeneration());

Address result = headerAddress + sizeof(*header);

ASSERT(!(reinterpret_cast<uintptr_t>(result) & allocationMask));

LargeObjectPage* largeObject = new (largeObjectAddress) LargeObjectPage(pageMemory, this, allocationSize);

@@ -924,7 +915,7 @@ void FreeList::addToFreeList(Address address, size_t size)

// Create a dummy header with only a size and freelist bit set.

ASSERT(size >= sizeof(HeapObjectHeader));

// Free list encode the size to mark the lost memory as freelist memory.

- new (NotNull, address) HeapObjectHeader(size, gcInfoIndexForFreeListHeader);

+ new (NotNull, address) HeapObjectHeader(size, gcInfoIndexForFreeListHeader, gcGenerationForFreeListEntry);

ASAN_POISON_MEMORY_REGION(address, size);

// This memory gets lost. Sweeping can reclaim it.