Remove orphaned pages from Oilpan

third_party/WebKit/Source/platform/heap/HeapPage.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 98 matching lines @@
     : m_firstPage(nullptr),
       m_firstUnsweptPage(nullptr),
       m_threadState(state),
       m_index(index) {}
 
 BaseArena::~BaseArena() {
   ASSERT(!m_firstPage);
   ASSERT(!m_firstUnsweptPage);
 }
 
-void BaseArena::cleanupPages() {
+void BaseArena::removeAllPages() {
   clearFreeLists();
 
   ASSERT(!m_firstUnsweptPage);
-  // Add the BaseArena's pages to the orphanedPagePool.
-  for (BasePage* page = m_firstPage; page; page = page->next()) {
-    getThreadState()->heap().heapStats().decreaseAllocatedSpace(page->size());
-    getThreadState()->heap().getOrphanedPagePool()->addOrphanedPage(
-        arenaIndex(), page);
+  while (m_firstPage) {
+    BasePage* page = m_firstPage;
+    page->unlink(&m_firstPage);
+    page->removeFromHeap();
   }
-  m_firstPage = nullptr;
 }
 
 void BaseArena::takeSnapshot(const String& dumpBaseName,
                              ThreadState::GCSnapshotInfo& info) {
   // |dumpBaseName| at this point is "blink_gc/thread_X/heaps/HeapName"
   base::trace_event::MemoryAllocatorDump* allocatorDump =
       BlinkGCMemoryDumpProvider::instance()
           ->createMemoryAllocatorDumpForCurrentGC(dumpBaseName);
   size_t pageCount = 0;
   BasePage::HeapSnapshotInfo heapInfo;
@@ skipping 510 matching lines @@
   for (size_t i = 0; i < page->payloadSize(); i++)
     address[i] = reuseAllowedZapValue;
   ASAN_POISON_MEMORY_REGION(page->payload(), page->payloadSize());
 #endif
   addToFreeList(page->payload(), page->payloadSize());
 }
 
 void NormalPageArena::freePage(NormalPage* page) {
   getThreadState()->heap().heapStats().decreaseAllocatedSpace(page->size());
 
-  if (page->terminating()) {
-    // The thread is shutting down and this page is being removed as a part
-    // of the thread local GC.  In that case the object could be traced in
-    // the next global GC if there is a dangling pointer from a live thread
-    // heap to this dead thread heap.  To guard against this, we put the
-    // page into the orphaned page pool and zap the page memory.  This
-    // ensures that tracing the dangling pointer in the next global GC just
-    // crashes instead of causing use-after-frees.  After the next global
-    // GC, the orphaned pages are removed.
-    getThreadState()->heap().getOrphanedPagePool()->addOrphanedPage(
-        arenaIndex(), page);
-  } else {
-    PageMemory* memory = page->storage();
-    page->~NormalPage();
-    getThreadState()->heap().getFreePagePool()->addFreePage(arenaIndex(),
-                                                            memory);
-  }
+  PageMemory* memory = page->storage();
+  page->~NormalPage();
+  getThreadState()->heap().getFreePagePool()->addFreePage(arenaIndex(), memory);
 }
 
 bool NormalPageArena::coalesce() {
   // Don't coalesce arenas if there are not enough promptly freed entries
   // to be coalesced.
   //
   // FIXME: This threshold is determined just to optimize blink_perf
   // benchmarks. Coalescing is very sensitive to the threashold and
   // we need further investigations on the coalescing scheme.
   if (m_promptlyFreedSize < 1024 * 1024)
@@ skipping 361 matching lines @@
                                        object->payloadSize());
   getThreadState()->heap().heapStats().decreaseAllocatedSpace(object->size());
 
   // Unpoison the object header and allocationGranularity bytes after the
   // object before freeing.
   ASAN_UNPOISON_MEMORY_REGION(object->heapObjectHeader(),
                               sizeof(HeapObjectHeader));
   ASAN_UNPOISON_MEMORY_REGION(object->getAddress() + object->size(),
                               allocationGranularity);
 
-  if (object->terminating()) {
-    ASSERT(ThreadState::current()->isTerminating());
-    // The thread is shutting down and this page is being removed as a part
-    // of the thread local GC.  In that case the object could be traced in
-    // the next global GC if there is a dangling pointer from a live thread
-    // heap to this dead thread heap.  To guard against this, we put the
-    // page into the orphaned page pool and zap the page memory.  This
-    // ensures that tracing the dangling pointer in the next global GC just
-    // crashes instead of causing use-after-frees.  After the next global
-    // GC, the orphaned pages are removed.
-    getThreadState()->heap().getOrphanedPagePool()->addOrphanedPage(
-        arenaIndex(), object);
-  } else {
-    ASSERT(!ThreadState::current()->isTerminating());
-    PageMemory* memory = object->storage();
-    object->~LargeObjectPage();
-    delete memory;
-  }
+  PageMemory* memory = object->storage();
+  object->~LargeObjectPage();
+  delete memory;
 }
 
 Address LargeObjectArena::lazySweepPages(size_t allocationSize,
                                          size_t gcInfoIndex) {
   Address result = nullptr;
   size_t sweptSize = 0;
   while (m_firstUnsweptPage) {
     BasePage* page = m_firstUnsweptPage;
     if (page->isEmpty()) {
       sweptSize += static_cast<LargeObjectPage*>(page)->payloadSize() +
@@ skipping 185 matching lines @@
 
 BasePage::BasePage(PageMemory* storage, BaseArena* arena)
     : m_storage(storage),
       m_arena(arena),
       m_next(nullptr),
       m_terminating(false),
       m_swept(true) {
   ASSERT(isPageHeaderAddress(reinterpret_cast<Address>(this)));
 }
 
-void BasePage::markOrphaned() {
-  m_arena = nullptr;
-  m_terminating = false;
-  // Since we zap the page payload for orphaned pages we need to mark it as
-  // unused so a conservative pointer won't interpret the object headers.
-  storage()->markUnused();
-}
-
 NormalPage::NormalPage(PageMemory* storage, BaseArena* arena)
     : BasePage(storage, arena), m_objectStartBitMapComputed(false) {
   ASSERT(isPageHeaderAddress(reinterpret_cast<Address>(this)));
 }
 
 size_t NormalPage::objectPayloadSizeForTesting() {
   size_t objectPayloadSize = 0;
   Address headerAddress = payload();
   markAsSwept();
   ASSERT(headerAddress != payloadEnd());
@@ skipping 371 matching lines @@
                                      MarkedPointerCallbackForTesting callback) {
   DCHECK(contains(address));
   HeapObjectHeader* header = findHeaderFromAddress(address);
   if (!header)
     return;
   if (!callback(header))
     markPointer(visitor, header);
 }
 #endif
 
-void NormalPage::markOrphaned() {
-// Zap the payload with a recognizable value to detect any incorrect
-// cross thread pointer usage.
-#if defined(ADDRESS_SANITIZER)
-  // This needs to zap poisoned memory as well.
-  // Force unpoison memory before memset.
-  ASAN_UNPOISON_MEMORY_REGION(payload(), payloadSize());
-#endif
-  OrphanedPagePool::asanDisabledMemset(
-      payload(), OrphanedPagePool::orphanedZapValue, payloadSize());
-  BasePage::markOrphaned();
-}
-
 void NormalPage::takeSnapshot(base::trace_event::MemoryAllocatorDump* pageDump,
                               ThreadState::GCSnapshotInfo& info,
                               HeapSnapshotInfo& heapInfo) {
   HeapObjectHeader* header = nullptr;
   size_t liveCount = 0;
   size_t deadCount = 0;
   size_t freeCount = 0;
   size_t liveSize = 0;
   size_t deadSize = 0;
   size_t freeSize = 0;
@@ skipping 98 matching lines @@
     Address address,
     MarkedPointerCallbackForTesting callback) {
   DCHECK(contains(address));
   if (!containedInObjectPayload(address))
     return;
   if (!callback(heapObjectHeader()))
     markPointer(visitor, heapObjectHeader());
 }
 #endif
 
-void LargeObjectPage::markOrphaned() {
-  // Zap the payload with a recognizable value to detect any incorrect
-  // cross thread pointer usage.
-  OrphanedPagePool::asanDisabledMemset(
-      payload(), OrphanedPagePool::orphanedZapValue, payloadSize());
-  BasePage::markOrphaned();
-}
-
 void LargeObjectPage::takeSnapshot(
     base::trace_event::MemoryAllocatorDump* pageDump,
     ThreadState::GCSnapshotInfo& info,
     HeapSnapshotInfo&) {
   size_t liveSize = 0;
   size_t deadSize = 0;
   size_t liveCount = 0;
   size_t deadCount = 0;
   HeapObjectHeader* header = heapObjectHeader();
   size_t gcInfoIndex = header->gcInfoIndex();
@@ skipping 57 matching lines @@
 
   m_hasEntries = true;
   size_t index = hash(address);
   ASSERT(!(index & 1));
   Address cachePage = roundToBlinkPageStart(address);
   m_entries[index + 1] = m_entries[index];
   m_entries[index] = cachePage;
 }
 
 }  // namespace blink