Revert "Revert "[oilpan]: Make thread shutdown more robust.""

Source/platform/heap/Heap.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 51 matching lines @@
 // Double precision floats are more efficient when 8 byte aligned, so we 8 byte
 // align all allocations even on 32 bit.
 const size_t allocationGranularity = 8;
 const size_t allocationMask = allocationGranularity - 1;
 const size_t objectStartBitMapSize = (blinkPageSize + ((8 * allocationGranularity) - 1)) / (8 * allocationGranularity);
 const size_t reservedForObjectBitMap = ((objectStartBitMapSize + allocationMask) & ~allocationMask);
 const size_t maxHeapObjectSize = 1 << 27;
 
 const size_t markBitMask = 1;
 const size_t freeListMask = 2;
-const size_t debugBitMask = 4;
+// The dead bit is used for objects that have gone through a GC marking, but did
+// not get swept before a new GC started. In that case we set the dead bit on
+// objects that were not marked in the previous GC to ensure we are not tracing
+// them via a conservatively found pointer. Tracing dead objects could lead to
+// tracing of already finalized objects in another thread's heap which is a
+// use-after-free situation.
+const size_t deadBitMask = 4;
 const size_t sizeMask = ~7;
 const uint8_t freelistZapValue = 42;
 const uint8_t finalizedZapValue = 24;
+// The orphaned zap value must be zero in the lowest bits to allow for using
+// the mark bit when tracing.
+const uint8_t orphanedZapValue = 240;
+
+enum CallbackInvocationMode {
+    GlobalMarking,
+    ThreadLocalMarking,
+    WeaknessProcessing,
+};
 
 class HeapStats;
 class PageMemory;
 template<ThreadAffinity affinity> class ThreadLocalPersistents;
 template<typename T, typename RootsAccessor = ThreadLocalPersistents<ThreadingTrait<T>::Affinity > > class Persistent;
 template<typename T> class CrossThreadPersistent;
 
 PLATFORM_EXPORT size_t osPageSize();
 
 // Blink heap pages are set up with a guard page before and after the
@@ skipping 34 matching lines @@
 
 // Sanity check for a page header address: the address of the page
 // header should be OS page size away from being Blink page size
 // aligned.
 inline bool isPageHeaderAddress(Address address)
 {
     return !((reinterpret_cast<uintptr_t>(address) & blinkPageOffsetMask) - osPageSize());
 }
 #endif
 
-// Mask an address down to the enclosing oilpan heap page base address.
+// Mask an address down to the enclosing oilpan heap base page.
 // All oilpan heap pages are aligned at blinkPageBase plus an OS page size.
 // FIXME: Remove PLATFORM_EXPORT once we get a proper public interface to our typed heaps.
 // This is only exported to enable tests in HeapTest.cpp.
-PLATFORM_EXPORT inline Address pageHeaderAddress(Address address)
+PLATFORM_EXPORT inline BaseHeapPage* pageHeaderFromObject(const void* object)
 {
-    return blinkPageAddress(address) + osPageSize();
+    Address address = reinterpret_cast<Address>(const_cast<void*>(object));
+    return reinterpret_cast<BaseHeapPage*>(blinkPageAddress(address) + osPageSize());
 }
 
-// Common header for heap pages.
-class BaseHeapPage {
-public:
-    BaseHeapPage(PageMemory* storage, const GCInfo* gcInfo, ThreadState* state)
-        : m_storage(storage)
-        , m_gcInfo(gcInfo)
-        , m_threadState(state)
-        , m_padding(0)
-    {
-        ASSERT(isPageHeaderAddress(reinterpret_cast<Address>(this)));
-    }
-
-    // Check if the given address points to an object in this
-    // heap page. If so, find the start of that object and mark it
-    // using the given Visitor. Otherwise do nothing. The pointer must
-    // be within the same aligned blinkPageSize as the this-pointer.
-    //
-    // This is used during conservative stack scanning to
-    // conservatively mark all objects that could be referenced from
-    // the stack.
-    virtual void checkAndMarkPointer(Visitor*, Address) = 0;
-
-#if ENABLE(GC_TRACING)
-    virtual const GCInfo* findGCInfo(Address) = 0;
+NO_SANITIZE_ADDRESS
+inline void asanMemset(Address base, uint8_t zapValue, size_t size)
+{
+#if defined(ADDRESS_SANITIZER)
+        // Don't use memset when running with ASan since this needs to zap

[Mads Ager (chromium), 2014/07/16 05:19:29]

I think we should move the comment to before the method. We should make it very
clear that this method should only be used if you need to memset poisoned
memory. Normally you should just use memset.

[wibling-chromium, 2014/07/16 08:45:33]

Done.

+        // poisoned memory as well and the NO_SANITIZE_ADDRESS annotation
+        // only works for code in this method and not for calls to memset.
+        for (Address current = base; current < base + size; ++current) {
+            *current = zapValue;
+        }
+#else
+        memset(base, zapValue, size);
 #endif
-
-    Address address() { return reinterpret_cast<Address>(this); }
-    PageMemory* storage() const { return m_storage; }
-    ThreadState* threadState() const { return m_threadState; }
-    const GCInfo* gcInfo() { return m_gcInfo; }
-    virtual bool isLargeObject() { return false; }
-
-private:
-    // Accessor to silence unused warnings for the m_padding field.
-    intptr_t padding() const { return m_padding; }
-
-    PageMemory* m_storage;
-    const GCInfo* m_gcInfo;
-    ThreadState* m_threadState;
-    // Pointer sized integer to ensure proper alignment of the
-    // HeapPage header. This can be used as a bit field if we need
-    // to associate more information with pages.
-    intptr_t m_padding;
-};
+}
 
 // Large allocations are allocated as separate objects and linked in a
 // list.
 //
 // In order to use the same memory allocation routines for everything
 // allocated in the heap, large objects are considered heap pages
 // containing only one object.
 //
 // The layout of a large heap object is as follows:
 //
@@ skipping 32 matching lines @@
     // The LargeHeapObject pseudo-page contains one actual object. Determine
     // whether the pointer is within that object.
     bool objectContains(Address object)
     {
         return (payload() <= object) && (object < address() + size());
     }
 
     // Returns true for any address that is on one of the pages that this
     // large object uses. That ensures that we can use a negative result to
     // populate the negative page cache.
-    bool contains(Address object)
+    virtual bool contains(Address object) OVERRIDE
     {
         return roundToBlinkPageStart(address()) <= object && object < roundToBlinkPageEnd(address() + size());
     }
 
     LargeHeapObject<Header>* next()
     {
         return m_next;
     }
 
     size_t size()
     {
         return heapObjectHeader()->size() + sizeof(LargeHeapObject<Header>) + headerPadding<Header>();
     }
 
     Address payload() { return heapObjectHeader()->payload(); }
     size_t payloadSize() { return heapObjectHeader()->payloadSize(); }
 
     Header* heapObjectHeader()
     {
         Address headerAddress = address() + sizeof(LargeHeapObject<Header>) + headerPadding<Header>();
         return reinterpret_cast<Header*>(headerAddress);
     }
 
     bool isMarked();
     void unmark();
     void getStats(HeapStats&);
     void mark(Visitor*);
     void finalize();
+    void setDeadMark();
+    virtual void markOrphaned()
+    {
+        // Zap the payload with a recognizable value to detect any incorrect
+        // cross thread pointer usage.
+        memset(payload(), orphanedZapValue, payloadSize());
+        BaseHeapPage::markOrphaned();
+    }
 
 private:
     friend class ThreadHeap<Header>;
 
     LargeHeapObject<Header>* m_next;
 };
 
 // The BasicObjectHeader is the minimal object header. It is used when
 // encountering heap space of size allocationGranularity to mark it as
 // as freelist entry.
@@ skipping 48 matching lines @@
 
     inline void mark();
     inline void unmark();
 
     inline const GCInfo* gcInfo() { return 0; }
 
     inline Address payload();
     inline size_t payloadSize();
     inline Address payloadEnd();
 
-    inline void setDebugMark();
-    inline void clearDebugMark();
-    inline bool hasDebugMark() const;
+    inline void setDeadMark();
+    inline void clearDeadMark();
+    inline bool hasDeadMark() const;
 
     // Zap magic number with a new magic number that means there was once an
     // object allocated here, but it was freed because nobody marked it during
     // GC.
     void zapMagic();
 
     static void finalize(const GCInfo*, Address, size_t);
     static HeapObjectHeader* fromPayload(const void*);
 
     static const intptr_t magic = 0xc0de247;
@@ skipping 116 matching lines @@
     HeapPage(PageMemory*, ThreadHeap<Header>*, const GCInfo*);
 
     void link(HeapPage**);
     static void unlink(HeapPage*, HeapPage**);
 
     bool isEmpty();
 
     // Returns true for the whole blinkPageSize page that the page is on, even
     // for the header, and the unmapped guard page at the start. That ensures
     // the result can be used to populate the negative page cache.
-    bool contains(Address addr)
+    virtual bool contains(Address addr) OVERRIDE
     {
         Address blinkPageStart = roundToBlinkPageStart(address());
         ASSERT(blinkPageStart == address() - osPageSize()); // Page is at aligned address plus guard page size.
         return blinkPageStart <= addr && addr < blinkPageStart + blinkPageSize;
     }
 
     HeapPage* next() { return m_next; }
 
     Address payload()
     {
         return address() + sizeof(*this) + headerPadding<Header>();
     }
 
     static size_t payloadSize()
     {
         return (blinkPagePayloadSize() - sizeof(HeapPage) - headerPadding<Header>()) & ~allocationMask;
     }
 
     Address end() { return payload() + payloadSize(); }
 
     void getStats(HeapStats&);
-    void clearMarks();
+    void clearLiveAndMarkDead();
     void sweep();
     void clearObjectStartBitMap();
     void finalize(Header*);
     virtual void checkAndMarkPointer(Visitor*, Address) OVERRIDE;
 #if ENABLE(GC_TRACING)
     const GCInfo* findGCInfo(Address) OVERRIDE;
 #endif
     ThreadHeap<Header>* heap() { return m_heap; }
 #if defined(ADDRESS_SANITIZER)
     void poisonUnmarkedObjects();
 #endif
+    virtual void markOrphaned()
+    {
+        // Zap the payload with a recognizable value to detect any incorrect
+        // cross thread pointer usage.
+        asanMemset(payload(), orphanedZapValue, payloadSize());
+        BaseHeapPage::markOrphaned();
+    }
 
 protected:
     Header* findHeaderFromAddress(Address);
     void populateObjectStartBitMap();
     bool isObjectStartBitMapComputed() { return m_objectStartBitMapComputed; }
     TraceCallback traceCallback(Header*);
     bool hasVTable(Header*);
 
     HeapPage<Header>* m_next;
     ThreadHeap<Header>* m_heap;
@@ skipping 155 matching lines @@
     using GarbageCollectedFinalized<T>::operator delete;
 
 protected:
     ~ThreadSafeRefCountedGarbageCollected() { }
 
 private:
     OwnPtr<CrossThreadPersistent<T> > m_keepAlive;
     mutable Mutex m_mutex;
 };
 
+template<typename DataType>
+class PagePool {
+protected:
+    PagePool();
+
+    class PoolEntry {
+    public:
+        PoolEntry(DataType* data, PoolEntry* next)
+            : data(data)
+            , next(next)
+        { }
+
+        DataType* data;
+        PoolEntry* next;
+    };
+
+    PoolEntry* m_pool[NumberOfHeaps];
+};
+
+// Once pages have been used for one type of thread heap they will never be
+// reused for another type of thread heap. Instead of unmapping, we add the
+// pages to a pool of pages to be reused later by a thread heap of the same
+// type. This is done as a security feature to avoid type confusion. The
+// heaps are type segregated by having separate thread heaps for different
+// types of objects. Holding on to pages ensures that the same virtual address
+// space cannot be used for objects of another type than the type contained
+// in this page to begin with.
+class FreePagePool : public PagePool<PageMemory> {
+public:
+    ~FreePagePool();
+    void addFreePage(int, PageMemory*);
+    PageMemory* takeFreePage(int);
+
+private:
+    Mutex m_mutex[NumberOfHeaps];
+};
+
+class OrphanedPagePool : public PagePool<BaseHeapPage> {
+public:
+    ~OrphanedPagePool();
+    void addOrphanedPage(int, BaseHeapPage*);
+    void decommitOrphanedPages();
+#ifndef NDEBUG
+    bool contains(void*);
+#endif
+};
+
 // The CallbackStack contains all the visitor callbacks used to trace and mark
 // objects. A specific CallbackStack instance contains at most bufferSize elements.
 // If more space is needed a new CallbackStack instance is created and chained
 // together with the former instance. I.e. a logical CallbackStack can be made of
 // multiple chained CallbackStack object instances.
 // There are two logical callback stacks. One containing all the marking callbacks and
 // one containing the weak pointer callbacks.
 class CallbackStack {
 public:
     CallbackStack(CallbackStack** first)
@@ skipping 30 matching lines @@
 
     static void init(CallbackStack** first);
     static void shutdown(CallbackStack** first);
     static void clear(CallbackStack** first)
     {
         if (!(*first)->isEmpty()) {
             shutdown(first);
             init(first);
         }
     }
-    bool popAndInvokeCallback(CallbackStack** first, Visitor*);
+    template<CallbackInvocationMode Mode> bool popAndInvokeCallback(CallbackStack** first, Visitor*);
     static void invokeCallbacks(CallbackStack** first, Visitor*);
 
     Item* allocateEntry(CallbackStack** first)
     {
         if (m_current < m_limit)
             return m_current++;
         return (new CallbackStack(first))->allocateEntry(first);
     }
 
 #ifndef NDEBUG
     bool hasCallbackForObject(const void*);
 #endif
 
 private:
     void invokeOldestCallbacks(Visitor*);
 
     static const size_t bufferSize = 8000;
     Item m_buffer[bufferSize];
     Item* m_limit;
     Item* m_current;
     CallbackStack* m_next;
 };
 
 // Non-template super class used to pass a heap around to other classes.
 class BaseHeap {
 public:
     virtual ~BaseHeap() { }
+    virtual void cleanupPages() = 0;
 
     // Find the page in this thread heap containing the given
     // address. Returns 0 if the address is not contained in any
     // page in this thread heap.
     virtual BaseHeapPage* heapPageFromAddress(Address) = 0;
 
 #if ENABLE(GC_TRACING)
     virtual const GCInfo* findGCInfoOfLargeHeapObject(Address) = 0;
 #endif
 
     // Sweep this part of the Blink heap. This finalizes dead objects
     // and builds freelists for all the unused memory.
     virtual void sweep() = 0;
 
-    // Forcefully finalize all objects in this part of the Blink heap
-    // (potentially with the exception of one object). This is used
-    // during thread termination to make sure that all objects for the
-    // dying thread are finalized.
-    virtual void assertEmpty() = 0;
-
     virtual void clearFreeLists() = 0;
-    virtual void clearMarks() = 0;
+    virtual void clearLiveAndMarkDead() = 0;
 #ifndef NDEBUG
     virtual void getScannedStats(HeapStats&) = 0;
 #endif
 
     virtual void makeConsistentForGC() = 0;
     virtual bool isConsistentForGC() = 0;
 
+    virtual void prepareHeapForTermination() = 0;
+
     // Returns a bucket number for inserting a FreeListEntry of a
     // given size. All FreeListEntries in the given bucket, n, have
     // size >= 2^n.
     static int bucketIndexForSize(size_t);
 };
 
 // Thread heaps represent a part of the per-thread Blink heap.
 //
 // Each Blink thread has a number of thread heaps: one general heap
 // that contains any type of object and a number of heaps specialized
 // for specific object types (such as Node).
 //
 // Each thread heap contains the functionality to allocate new objects
 // (potentially adding new pages to the heap), to find and mark
 // objects during conservative stack scanning and to sweep the set of
 // pages after a GC.
 template<typename Header>
 class ThreadHeap : public BaseHeap {
 public:
-    ThreadHeap(ThreadState*);
+    ThreadHeap(ThreadState*, int);
     virtual ~ThreadHeap();
+    virtual void cleanupPages();
 
     virtual BaseHeapPage* heapPageFromAddress(Address);
 #if ENABLE(GC_TRACING)
     virtual const GCInfo* findGCInfoOfLargeHeapObject(Address);
 #endif
     virtual void sweep();
-    virtual void assertEmpty();
     virtual void clearFreeLists();
-    virtual void clearMarks();
+    virtual void clearLiveAndMarkDead();
 #ifndef NDEBUG
     virtual void getScannedStats(HeapStats&);
 #endif
 
     virtual void makeConsistentForGC();
     virtual bool isConsistentForGC();
 
     ThreadState* threadState() { return m_threadState; }
     HeapStats& stats() { return m_threadState->stats(); }
     void flushHeapContainsCache()
     {
         m_threadState->heapContainsCache()->flush();
     }
 
     inline Address allocate(size_t, const GCInfo*);
     void addToFreeList(Address, size_t);
-    void addPageMemoryToPool(PageMemory*);
-    void addPageToPool(HeapPage<Header>*);
     inline static size_t roundedAllocationSize(size_t size)
     {
         return allocationSizeFromSize(size) - sizeof(Header);
     }
 
+    void prepareHeapForTermination();
+    void removePageFromHeap(HeapPage<Header>*);
+
 private:
-    // Once pages have been used for one thread heap they will never
-    // be reused for another thread heap. Instead of unmapping, we add
-    // the pages to a pool of pages to be reused later by this thread
-    // heap. This is done as a security feature to avoid type
-    // confusion. The heap is type segregated by having separate
-    // thread heaps for various types of objects. Holding on to pages
-    // ensures that the same virtual address space cannot be used for
-    // objects of another type than the type contained in this thread
-    // heap.
-    class PagePoolEntry {
-    public:
-        PagePoolEntry(PageMemory* storage, PagePoolEntry* next)
-            : m_storage(storage)
-            , m_next(next)
-        { }
-
-        PageMemory* storage() { return m_storage; }
-        PagePoolEntry* next() { return m_next; }
-
-    private:
-        PageMemory* m_storage;
-        PagePoolEntry* m_next;
-    };
-
+    void addPageToHeap(const GCInfo*);
     PLATFORM_EXPORT Address outOfLineAllocate(size_t, const GCInfo*);
     static size_t allocationSizeFromSize(size_t);
-    void addPageToHeap(const GCInfo*);
     PLATFORM_EXPORT Address allocateLargeObject(size_t, const GCInfo*);
     Address currentAllocationPoint() const { return m_currentAllocationPoint; }
     size_t remainingAllocationSize() const { return m_remainingAllocationSize; }
     bool ownsNonEmptyAllocationArea() const { return currentAllocationPoint() && remainingAllocationSize(); }
     void setAllocationPoint(Address point, size_t size)
     {
         ASSERT(!point || heapPageFromAddress(point));
         ASSERT(size <= HeapPage<Header>::payloadSize());
         m_currentAllocationPoint = point;
         m_remainingAllocationSize = size;
     }
     void ensureCurrentAllocation(size_t, const GCInfo*);
     bool allocateFromFreeList(size_t);
 
     void freeLargeObject(LargeHeapObject<Header>*, LargeHeapObject<Header>**);
-
     void allocatePage(const GCInfo*);
-    PageMemory* takePageFromPool();
-    void clearPagePool();
-    void deletePages();
 
     Address m_currentAllocationPoint;
     size_t m_remainingAllocationSize;
 
     HeapPage<Header>* m_firstPage;
     LargeHeapObject<Header>* m_firstLargeHeapObject;
 
     int m_biggestFreeListIndex;
     ThreadState* m_threadState;
 
     // All FreeListEntries in the nth list have size >= 2^n.
     FreeListEntry* m_freeLists[blinkPageSizeLog2];
 
-    // List of pages that have been previously allocated, but are now
-    // unused.
-    PagePoolEntry* m_pagePool;
+    // Index into the page pools. This is used to ensure that the pages of the
+    // same type go into the correct page pool and thus avoid type confusion.
+    int m_index;
 };
 
 class PLATFORM_EXPORT Heap {
 public:
     static void init();
     static void shutdown();
     static void doShutdown();
 
     static BaseHeapPage* contains(Address);
     static BaseHeapPage* contains(void* pointer) { return contains(reinterpret_cast<Address>(pointer)); }
     static BaseHeapPage* contains(const void* pointer) { return contains(const_cast<void*>(pointer)); }
+#ifndef NDEBUG
+    static bool containedInHeapOrOrphanedPage(void*);
+#endif
 
     // Push a trace callback on the marking stack.
     static void pushTraceCallback(void* containerObject, TraceCallback);
 
     // Add a weak pointer callback to the weak callback work list. General
     // object pointer callbacks are added to a thread local weak callback work
     // list and the callback is called on the thread that owns the object, with
     // the closure pointer as an argument. Most of the time, the closure and
     // the containerObject can be the same thing, but the containerObject is
     // constrained to be on the heap, since the heap is used to identify the
     // correct thread.
     static void pushWeakObjectPointerCallback(void* closure, void* containerObject, WeakPointerCallback);
 
     // Similar to the more general pushWeakObjectPointerCallback, but cell
     // pointer callbacks are added to a static callback work list and the weak
     // callback is performed on the thread performing garbage collection. This
     // is OK because cells are just cleared and no deallocation can happen.
     static void pushWeakCellPointerCallback(void** cell, WeakPointerCallback);
 
     // Pop the top of the marking stack and call the callback with the visitor
     // and the object. Returns false when there is nothing more to do.
-    static bool popAndInvokeTraceCallback(Visitor*);
+    template<CallbackInvocationMode Mode> static bool popAndInvokeTraceCallback(Visitor*);
 
     // Remove an item from the weak callback work list and call the callback
     // with the visitor and the closure pointer. Returns false when there is
     // nothing more to do.
     static bool popAndInvokeWeakPointerCallback(Visitor*);
 
     // Register an ephemeron table for fixed-point iteration.
     static void registerWeakTable(void* containerObject, EphemeronCallback, EphemeronCallback);
 #ifndef NDEBUG
     static bool weakTableRegistered(const void*);
 #endif
 
     template<typename T> static Address allocate(size_t);
     template<typename T> static Address reallocate(void* previous, size_t);
 
     static void collectGarbage(ThreadState::StackState);
+    static void collectGarbageForTerminatingThread(ThreadState*);
     static void collectAllGarbage();
+    template<CallbackInvocationMode Mode> static void traceRootsAndPerformGlobalWeakProcessing();
     static void setForcePreciseGCForTesting();
 
     static void prepareForGC();
 
     // Conservatively checks whether an address is a pointer in any of the thread
     // heaps. If so marks the object pointed to as live.
     static Address checkAndMarkPointer(Visitor*, Address);
 
 #if ENABLE(GC_TRACING)
     // Dump the path to specified object on the next GC. This method is to be invoked from GDB.
@@ skipping 17 matching lines @@
     static bool isConsistentForGC();
     static void makeConsistentForGC();
 
     static void flushHeapDoesNotContainCache();
     static bool heapDoesNotContainCacheIsEmpty() { return s_heapDoesNotContainCache->isEmpty(); }
 
     // Return true if the last GC found a pointer into a heap page
     // during conservative scanning.
     static bool lastGCWasConservative() { return s_lastGCWasConservative; }
 
+    static FreePagePool* freePagePool() { return s_freePagePool; }
+    static OrphanedPagePool* orphanedPagePool() { return s_orphanedPagePool; }
+
 private:
     static Visitor* s_markingVisitor;
 
     static CallbackStack* s_markingStack;
     static CallbackStack* s_weakCallbackStack;
     static CallbackStack* s_ephemeronStack;
     static HeapDoesNotContainCache* s_heapDoesNotContainCache;
     static bool s_shutdownCalled;
     static bool s_lastGCWasConservative;
+    static FreePagePool* s_freePagePool;
+    static OrphanedPagePool* s_orphanedPagePool;
     friend class ThreadState;
 };
 
 // The NoAllocationScope class is used in debug mode to catch unwanted
 // allocations. E.g. allocations during GC.
 template<ThreadAffinity Affinity>
 class NoAllocationScope {
 public:
     NoAllocationScope() : m_active(true) { enter(); }
 
@@ skipping 286 matching lines @@
 #define GC_PLUGIN_IGNORE(bug)                           \
     __attribute__((annotate("blink_gc_plugin_ignore")))
 #else
 #define STACK_ALLOCATED() DISALLOW_ALLOCATION()
 #define GC_PLUGIN_IGNORE(bug)
 #endif
 
 NO_SANITIZE_ADDRESS
 void HeapObjectHeader::checkHeader() const
 {
-    ASSERT(m_magic == magic);
+#ifndef NDEBUG
+    BaseHeapPage* page = pageHeaderFromObject(this);
+    ASSERT(page->orphaned() || m_magic == magic);
+#endif
 }
 
 Address HeapObjectHeader::payload()
 {
     return reinterpret_cast<Address>(this) + objectHeaderSize;
 }
 
 size_t HeapObjectHeader::payloadSize()
 {
     return size() - objectHeaderSize;
@@ skipping 1030 matching lines @@
 };
 
 template<typename T>
 struct IfWeakMember<WeakMember<T> > {
     static bool isDead(Visitor* visitor, const WeakMember<T>& t) { return !visitor->isAlive(t.get()); }
 };
 
 }
 
 #endif // Heap_h