[Oilpan] Add HeapObjectHeader::gcGeneration() and related methods

third_party/WebKit/Source/platform/heap/HeapPage.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 154 matching lines @@
 static_assert(nonLargeObjectPageSizeMax >= blinkPageSize, "max size supported by HeapObjectHeader must at least be blinkPageSize");
 
 class PLATFORM_EXPORT HeapObjectHeader {
 public:
     // If gcInfoIndex is 0, this header is interpreted as a free list header.
     NO_SANITIZE_ADDRESS
     HeapObjectHeader(size_t size, size_t gcInfoIndex)
     {
 #if ENABLE(ASSERT)
         m_magic = magic;
+        putGcGeneration();
 #endif
         // sizeof(HeapObjectHeader) must be equal to or smaller than
         // allocationGranurarity, because HeapObjectHeader is used as a header
         // for an freed entry.  Given that the smallest entry size is
         // allocationGranurarity, HeapObjectHeader must fit into the size.
         static_assert(sizeof(HeapObjectHeader) <= allocationGranularity, "size of HeapObjectHeader must be smaller than allocationGranularity");
 #if CPU(64BIT)
         static_assert(sizeof(HeapObjectHeader) == 8, "size of HeapObjectHeader must be 8 byte aligned");
 #endif
 
@@ skipping 24 matching lines @@
     Address payload();
     size_t payloadSize();
     Address payloadEnd();
 
 #if ENABLE(ASSERT)
     bool checkHeader() const;
     // Zap magic number with a new magic number that means there was once an
     // object allocated here, but it was freed because nobody marked it during
     // GC.
     void zapMagic();
+
+    void putGcGeneration();

[sof, 2015/11/10 16:09:24]

What does this give you beyond what magic values already provide?

[peria, 2015/11/10 16:45:01]

They do same works to check an object is alive or not.
In addition, gcGeneration is expected to check a pointer handle (Member<>)
points a new different object on the same address.

For example,
```
UntracedMember<A> a(new A);
Heap::collectGarbage();  // GC collects 'a'
UntracedMember<A> b(new A);
a->foo();
```
In this code, it is expected that `a->foo()` crashes with use-after-free.
However, if 'b' is allocated on the same address with 'a', it goes successfully
as if there are no issue in it.
We expect that we can detect such use-after-free with gcGeneration,
which was impossible with zapMagic.

+    void clearGcGeneration();
+    uint16_t gcGeneration() const { return m_gcGeneration; }
 #endif
 
     void finalize(Address, size_t);
     static HeapObjectHeader* fromPayload(const void*);
 
     static const uint16_t magic = 0xfff1;
     static const uint16_t zappedMagic = 0x4321;
 
 private:
     uint32_t m_encoded;
 #if ENABLE(ASSERT)
     uint16_t m_magic;
+    uint16_t m_gcGeneration;
 #endif
 
     // In 64 bit architectures, we intentionally add 4 byte padding immediately
     // after the HeapHeaderObject. This is because:
     //
     // | HeapHeaderObject (4 byte) | padding (4 byte) | object payload (8 * n byte) |
     // ^8 byte aligned                                ^8 byte aligned
     //
     // is better than:
     //
@@ skipping 10 matching lines @@
 class FreeListEntry final : public HeapObjectHeader {
 public:
     NO_SANITIZE_ADDRESS
     explicit FreeListEntry(size_t size)
         : HeapObjectHeader(size, gcInfoIndexForFreeListHeader)
         , m_next(nullptr)
     {
 #if ENABLE(ASSERT)
         ASSERT(size >= sizeof(HeapObjectHeader));
         zapMagic();
+        clearGcGeneration();
 #endif
     }
 
     Address address() { return reinterpret_cast<Address>(this); }
 
     NO_SANITIZE_ADDRESS
     void unlink(FreeListEntry** prevNext)
     {
         *prevNext = m_next;
         m_next = nullptr;
@@ skipping 598 matching lines @@
         SET_MEMORY_ACCESSIBLE(result, allocationSize - sizeof(HeapObjectHeader));
         ASSERT(findPageFromAddress(headerAddress + allocationSize - 1));
         return result;
     }
     return outOfLineAllocate(allocationSize, gcInfoIndex);
 }
 
 } // namespace blink
 
 #endif // HeapPage_h