Don't zero out memory added to a free list if ASan is enabled

Source/platform/heap/Heap.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 447 matching lines @@
     return header;
 }
 
 void HeapObjectHeader::finalize(const GCInfo* gcInfo, Address object, size_t objectSize)
 {
     ASSERT(gcInfo);
     if (gcInfo->hasFinalizer()) {
         gcInfo->m_finalize(object);
     }
 
-#if !defined(NDEBUG) || defined(LEAK_SANITIZER)
+#if !defined(NDEBUG) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
     // In Debug builds, memory is zapped when it's freed, and the zapped memory is
     // zeroed out when the memory is reused. Memory is also zapped when using Leak
     // Sanitizer because the heap is used as a root region for LSan and therefore
     // pointers in unreachable memory could hide leaks.
     for (size_t i = 0; i < objectSize; i++)
         object[i] = finalizedZapValue;
 
     // Zap the primary vTable entry (secondary vTable entries are not zapped).
     *(reinterpret_cast<uintptr_t*>(object)) = zappedVTable;
 #endif
@@ skipping 176 matching lines @@
 template<typename Header>
 void ThreadHeap<Header>::addToFreeList(Address address, size_t size)
 {
     ASSERT(heapPageFromAddress(address));
     ASSERT(heapPageFromAddress(address + size - 1));
     ASSERT(size < blinkPagePayloadSize());
     // The free list entries are only pointer aligned (but when we allocate
     // from them we are 8 byte aligned due to the header size).
     ASSERT(!((reinterpret_cast<uintptr_t>(address) + sizeof(Header)) & allocationMask));
     ASSERT(!(size & allocationMask));
-#if defined(NDEBUG) && !defined(LEAK_SANITIZER)
+#if defined(NDEBUG) && !defined(LEAK_SANITIZER) && !defined(ADDRESS_SANITIZER)
     memset(address, 0, size);
 #endif
     ASAN_POISON_MEMORY_REGION(address, size);
     FreeListEntry* entry;
     if (size < sizeof(*entry)) {
         // Create a dummy header with only a size and freelist bit set.
         ASSERT(size >= sizeof(BasicObjectHeader));
         // Free list encode the size to mark the lost memory as freelist memory.
         new (NotNull, address) BasicObjectHeader(BasicObjectHeader::freeListEncodedSize(size));
         // This memory gets lost. Sweeping can reclaim it.
         return;
     }
     entry = new (NotNull, address) FreeListEntry(size);
 #if defined(ADDRESS_SANITIZER)
-    // For ASAN we don't add the entry to the free lists until the asanDeferMemoryReuseCount
+    // For ASan we don't add the entry to the free lists until the asanDeferMemoryReuseCount
     // reaches zero. However we always add entire pages to ensure that adding a new page will
     // increase the allocation space.
     if (HeapPage<Header>::payloadSize() != size && !entry->shouldAddToFreeList())
         return;
 #endif
     int index = bucketIndexForSize(size);
     entry->link(&m_freeLists[index]);
     if (index > m_biggestFreeListIndex)
         m_biggestFreeListIndex = index;
 }
 
 template<typename Header>
 Address ThreadHeap<Header>::allocateLargeObject(size_t size, const GCInfo* gcInfo)
 {
     // Caller already added space for object header and rounded up to allocation alignment
     ASSERT(!(size & allocationMask));
 
     size_t allocationSize = sizeof(LargeHeapObject<Header>) + size;
 
     // Ensure that there is enough space for alignment. If the header
     // is not a multiple of 8 bytes we will allocate an extra
     // headerPadding<Header> bytes to ensure it 8 byte aligned.
     allocationSize += headerPadding<Header>();
 
-    // If ASAN is supported we add allocationGranularity bytes to the allocated space and
+    // If ASan is supported we add allocationGranularity bytes to the allocated space and
     // poison that to detect overflows
 #if defined(ADDRESS_SANITIZER)
     allocationSize += allocationGranularity;
 #endif
     if (threadState()->shouldGC())
         threadState()->setGCRequested();
     Heap::flushHeapDoesNotContainCache();
     PageMemory* pageMemory = PageMemory::allocate(allocationSize);
     Address largeObjectAddress = pageMemory->writableStart();
     Address headerAddress = largeObjectAddress + sizeof(LargeHeapObject<Header>) + headerPadding<Header>();
@@ skipping 133 matching lines @@
 // turned on by default because it also triggers for cases that are safe.
 // Examples of such safe cases are context life cycle observers and timers
 // embedded in garbage collected objects.
 #define STRICT_ASAN_FINALIZATION_CHECKING 0
 
 template<typename Header>
 void ThreadHeap<Header>::sweep()
 {
     ASSERT(isConsistentForGC());
 #if defined(ADDRESS_SANITIZER) && STRICT_ASAN_FINALIZATION_CHECKING
-    // When using ASAN do a pre-sweep where all unmarked objects are poisoned before
+    // When using ASan do a pre-sweep where all unmarked objects are poisoned before
     // calling their finalizer methods. This can catch the cases where one objects
     // finalizer tries to modify another object as part of finalization.
     for (HeapPage<Header>* page = m_firstPage; page; page = page->next())
         page->poisonUnmarkedObjects();
 #endif
     HeapPage<Header>* page = m_firstPage;
     HeapPage<Header>** previous = &m_firstPage;
     bool pagesRemoved = false;
     while (page) {
         if (page->isEmpty()) {
@@ skipping 197 matching lines @@
         ASSERT(basicHeader->size() < blinkPagePayloadSize());
 
         if (basicHeader->isFree()) {
             headerAddress += basicHeader->size();
             continue;
         }
         // At this point we know this is a valid object of type Header
         Header* header = static_cast<Header*>(basicHeader);
 
         if (!header->isMarked()) {
-            // For ASAN we unpoison the specific object when calling the finalizer and
+            // For ASan we unpoison the specific object when calling the finalizer and
             // poison it again when done to allow the object's own finalizer to operate
             // on the object, but not have other finalizers be allowed to access it.
             ASAN_UNPOISON_MEMORY_REGION(header->payload(), header->payloadSize());
             finalize(header);
             ASAN_POISON_MEMORY_REGION(header->payload(), header->payloadSize());
             headerAddress += header->size();
             continue;
         }
 
         if (startOfGap != headerAddress)
@@ skipping 897 matching lines @@
 template class ThreadHeap<HeapObjectHeader>;
 
 Visitor* Heap::s_markingVisitor;
 CallbackStack* Heap::s_markingStack;
 CallbackStack* Heap::s_weakCallbackStack;
 CallbackStack* Heap::s_ephemeronStack;
 HeapDoesNotContainCache* Heap::s_heapDoesNotContainCache;
 bool Heap::s_shutdownCalled = false;
 bool Heap::s_lastGCWasConservative = false;
 }