Oilpan: Discard unused system pages when sweeping NormalPageHeaps

third_party/WebKit/Source/platform/heap/HeapPage.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 81 matching lines @@
 void HeapObjectHeader::zapMagic()
 {
     ASSERT(checkHeader());
     m_magic = zappedMagic;
 }
 #endif
 
 void HeapObjectHeader::finalize(Address object, size_t objectSize)
 {
     const GCInfo* gcInfo = Heap::gcInfo(gcInfoIndex());
-    if (gcInfo->hasFinalizer())
+    if (!gcInfo) {
+        fprintf(stderr, "gcInfoIndex = %ld\n", gcInfoIndex());
+        RELEASE_ASSERT(0);
+    }
+    fprintf(stderr, "header=%p gcInfo=%p index=%ld\n", this, gcInfo, gcInfoIndex());
+    if (gcInfo->hasFinalizer()) {

[haraken, 2016/02/08 08:34:56]

I crash here with the following log:

header=0x307fed8420b0 gcInfo=0x40bda50 index=279
not hasFinalizer
header=0x307fed8420d8 gcInfo=0x40bda50 index=279
not hasFinalizer
header=0x307fed842100 gcInfo=0x40bda50 index=279
not hasFinalizer
header=0x307fed842128 gcInfo=0x40bda50 index=279
not hasFinalizer
header=0x307fed842150 gcInfo=0x40bda50 index=279
not hasFinalizer
header=0x307fed842188 gcInfo=0x40bda50 index=279
not hasFinalizer
trying to discard 0x307fed841d80 - 0x307fed846b98
discarded 307fed842000 - 307fed846000 size=16384
trying to discard 0x307fed846be8 - 0x307fed846d38
trying to discard 0x307fed846d88 - 0x307fed846fb0
header=0x307fed847000 gcInfo=0x3333333333333333 index=0

This means that the header at 0x307fed847000 has been already cleared out.
However, the previous discarding was conducted for [307fed842000, 307fed846000),
which doesn't contain 0x307fed847000. It's strange that 0x307fed847000 is
cleared out...

+        fprintf(stderr, "hasFinalizer\n");
         gcInfo->m_finalize(object);
+    } else {
+        fprintf(stderr, "not hasFinalizer\n");
+    }
 
     ASAN_RETIRE_CONTAINER_ANNOTATION(object, objectSize);
 }
 
 BaseHeap::BaseHeap(ThreadState* state, int index)
     : m_firstPage(nullptr)
     , m_firstUnsweptPage(nullptr)
     , m_threadState(state)
     , m_index(index)
 {
@@ skipping 983 matching lines @@
 {
     HeapObjectHeader* header = reinterpret_cast<HeapObjectHeader*>(payload());
     return header->isFree() && header->size() == payloadSize();
 }
 
 void NormalPage::removeFromHeap()
 {
     heapForNormalPage()->freePage(this);
 }
 
+#if !ENABLE(ASSERT) && !defined(LEAK_SANITIZER) && !defined(ADDRESS_SANITIZER)
+static void discardPages(Address begin, Address end)
+{
+    uintptr_t beginAddress = WTF::roundUpToSystemPage(reinterpret_cast<uintptr_t>(begin));
+    uintptr_t endAddress = WTF::roundDownToSystemPage(reinterpret_cast<uintptr_t>(end));
+    fprintf(stderr, "trying to discard %p - %p\n", begin, end);
+    if (beginAddress < endAddress) {
+        WTF::discardSystemPages(reinterpret_cast<void*>(beginAddress), endAddress - beginAddress);
+        fprintf(stderr, "discarded %lx - %lx size=%ld\n", beginAddress, endAddress, endAddress - beginAddress);
+    }
+}
+#endif
+
 void NormalPage::sweep()
 {
     size_t markedObjectSize = 0;
     Address startOfGap = payload();
     for (Address headerAddress = startOfGap; headerAddress < payloadEnd(); ) {
         HeapObjectHeader* header = reinterpret_cast<HeapObjectHeader*>(headerAddress);
-        ASSERT(header->size() > 0);
-        ASSERT(header->size() < blinkPagePayloadSize());
+        size_t size = header->size();
+        ASSERT(size > 0);
+        ASSERT(size < blinkPagePayloadSize());
 
         if (header->isPromptlyFreed())
-            heapForNormalPage()->decreasePromptlyFreedSize(header->size());
+            heapForNormalPage()->decreasePromptlyFreedSize(size);
         if (header->isFree()) {
-            size_t size = header->size();
             // Zero the memory in the free list header to maintain the
             // invariant that memory on the free list is zero filled.
             // The rest of the memory is already on the free list and is
             // therefore already zero filled.
             SET_MEMORY_INACCESSIBLE(headerAddress, size < sizeof(FreeListEntry) ? size : sizeof(FreeListEntry));
             CHECK_MEMORY_INACCESSIBLE(headerAddress, size);
             headerAddress += size;
             continue;
         }
         ASSERT(header->checkHeader());
 
         if (!header->isMarked()) {
-            size_t size = header->size();
             // This is a fast version of header->payloadSize().
             size_t payloadSize = size - sizeof(HeapObjectHeader);
             Address payload = header->payload();
             // For ASan, unpoison the object before calling the finalizer. The
             // finalized object will be zero-filled and poison'ed afterwards.
             // Given all other unmarked objects are poisoned, ASan will detect
             // an error if the finalizer touches any other on-heap object that
             // die at the same GC cycle.
             ASAN_UNPOISON_MEMORY_REGION(payload, payloadSize);
             header->finalize(payload, payloadSize);
             // This memory will be added to the freelist. Maintain the invariant
             // that memory on the freelist is zero filled.
             SET_MEMORY_INACCESSIBLE(headerAddress, size);
             headerAddress += size;
             continue;
         }
-        if (startOfGap != headerAddress)
+        if (startOfGap != headerAddress) {
             heapForNormalPage()->addToFreeList(startOfGap, headerAddress - startOfGap);
+#if !ENABLE(ASSERT) && !defined(LEAK_SANITIZER) && !defined(ADDRESS_SANITIZER)
+            discardPages(startOfGap, headerAddress);
+#endif
+        }
         header->unmark();
-        headerAddress += header->size();
-        markedObjectSize += header->size();
+        headerAddress += size;
+        markedObjectSize += size;
         startOfGap = headerAddress;
     }
-    if (startOfGap != payloadEnd())
+    if (startOfGap != payloadEnd()) {
         heapForNormalPage()->addToFreeList(startOfGap, payloadEnd() - startOfGap);
+#if !ENABLE(ASSERT) && !defined(LEAK_SANITIZER) && !defined(ADDRESS_SANITIZER)
+        discardPages(startOfGap, payloadEnd());
+#endif
+    }
 
     if (markedObjectSize)
         Heap::increaseMarkedObjectSize(markedObjectSize);
 }
 
 void NormalPage::makeConsistentForGC()
 {
     size_t markedObjectSize = 0;
     for (Address headerAddress = payload(); headerAddress < payloadEnd();) {
         HeapObjectHeader* header = reinterpret_cast<HeapObjectHeader*>(headerAddress);
@@ skipping 406 matching lines @@
 
     m_hasEntries = true;
     size_t index = hash(address);
     ASSERT(!(index & 1));
     Address cachePage = roundToBlinkPageStart(address);
     m_entries[index + 1] = m_entries[index];
     m_entries[index] = cachePage;
 }
 
 } // namespace blink