Oilpan: improve handling of ASan contiguous container annotations.

Source/platform/heap/Heap.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 22 matching lines @@
 
 #include "platform/ScriptForbiddenScope.h"
 #include "platform/Task.h"
 #include "platform/TraceEvent.h"
 #include "platform/heap/CallbackStack.h"
 #include "platform/heap/MarkingVisitorImpl.h"
 #include "platform/heap/ThreadState.h"
 #include "public/platform/Platform.h"
 #include "wtf/AddressSpaceRandomization.h"
 #include "wtf/Assertions.h"
+#include "wtf/ContainerAnnotations.h"
 #include "wtf/LeakAnnotations.h"
 #include "wtf/PassOwnPtr.h"
 #if ENABLE(GC_PROFILING)
 #include "platform/TracedValue.h"
 #include "wtf/HashMap.h"
 #include "wtf/HashSet.h"
 #include "wtf/text/StringBuilder.h"
 #include "wtf/text/StringHash.h"
 #include <stdio.h>
 #include <utility>
 #endif
 
 #if OS(POSIX)
 #include <sys/mman.h>
 #include <unistd.h>
 #elif OS(WIN)
 #include <windows.h>
 #endif
 
+#ifdef ANNOTATE_CONTIGUOUS_CONTAINER
+#define ENABLE_ASAN_CONTAINER_ANNOTATIONS 1
+// Remove the contiguous container annotation, as non-inlined vector backings
+// aren't finalized.
+#define ASAN_RETIRE_CONTAINER_ANNOTATION(heapIndex, payload, payloadSize) \

[haraken, 2015/02/20 20:57:56]

You might remove the heapIndex parameter from ASAN_RETIRE_CONTAINER_ANNOTATION.
Then I think you can move ASAN_RETIRE_CONTAINER_ANNOTATION(payload, payloadSize)
into finalize().

The macro can do something like:

BasePage* page = pageFromObject(payload);
if (page->heapIndex() == VectorHeapIndex || (page->heapIndex() ==
LargeObjectHeapIndex &&
static_cast<LargeObjectPage>(page)->isVectorBackingPage())) {
    ANNOTATE_DELETE_BUFFER();
}

[sof, 2015/02/21 08:52:34]

Done.

+    if (heapIndex == VectorHeapIndex) \
+        ANNOTATE_DELETE_BUFFER(payload, payloadSize, 0)
+#else
+#define ASAN_RETIRE_CONTAINER_ANNOTATION(heapIndex, payload, payloadSize)
+#endif
+
 namespace blink {
 
 #if ENABLE(GC_PROFILING)
 static String classOf(const void* object)
 {
     if (const GCInfo* gcInfo = Heap::findGCInfo(reinterpret_cast<Address>(const_cast<void*>(object))))
         return gcInfo->m_className;
     return "unknown";
 }
 #endif
@@ skipping 810 matching lines @@
     header->checkHeader();
     Address address = reinterpret_cast<Address>(header);
     Address payload = header->payload();
     size_t size = header->size();
     size_t payloadSize = header->payloadSize();
     ASSERT(size > 0);
     ASSERT(pageFromObject(address) == findPageFromAddress(address));
 
     {
         ThreadState::SweepForbiddenScope forbiddenScope(threadState());
+        ASAN_RETIRE_CONTAINER_ANNOTATION(heapIndex(), payload, payloadSize);
         header->finalize(payload, payloadSize);
         if (address + size == m_currentAllocationPoint) {
             m_currentAllocationPoint = address;
             if (m_lastRemainingAllocationSize == m_remainingAllocationSize) {
                 Heap::decreaseAllocatedObjectSize(size);
                 m_lastRemainingAllocationSize += size;
             }
             m_remainingAllocationSize += size;
             FILL_ZERO_IF_PRODUCTION(address, size);
             ASAN_POISON_MEMORY_REGION(address, size);
@@ skipping 110 matching lines @@
 Address NormalPageHeap::outOfLineAllocate(size_t allocationSize, size_t gcInfoIndex)
 {
     ASSERT(allocationSize > remainingAllocationSize());
     ASSERT(allocationSize >= allocationGranularity);
 
 #if ENABLE(GC_PROFILING)
     threadState()->snapshotFreeListIfNecessary();
 #endif
 
     // 1. If this allocation is big enough, allocate a large object.
-    if (allocationSize >= largeObjectSizeThreshold)
-        return static_cast<LargeObjectHeap*>(threadState()->heap(LargeObjectHeapIndex))->allocateLargeObjectPage(allocationSize, gcInfoIndex);
+    if (allocationSize >= largeObjectSizeThreshold) {
+        Address largeObject = static_cast<LargeObjectHeap*>(threadState()->heap(LargeObjectHeapIndex))->allocateLargeObjectPage(allocationSize, gcInfoIndex);
+#if ENABLE(ASAN_CONTAINER_ANNOTATIONS)
+        if (heapIndex() == VectorHeapIndex) {

[haraken, 2015/02/20 20:57:56]

Can we move this logic to doAllocateLargeObject, which actually does a
LargeObject allocation?

[sof, 2015/02/20 21:06:43]

Don't see how without passing in the heapIndex as an argument, which seems a bit
artificial?

[haraken, 2015/02/20 21:11:09]

You can get heapIndex from payload. payload => page => heapIndex.

(Given that this is only for ASAN code and thus not performance-sensitive, I'd
prefer encapsulating the complexity into the macro.)

[sof, 2015/02/20 21:45:17]

I don't get it; payload of what? LargeObjectHeap has a generic&unrelated heap
index; this has to be the heap index of the origining NormalPageHeap.

[haraken, 2015/02/21 06:56:35]

As commented above, I think you can get a right heapIndex by:

BasePage* page = pageFromObject(payload);
if (page->heapIndex() == VectorHeapIndex || (page->heapIndex() ==
LargeObjectHeapIndex &&
static_cast<LargeObjectPage>(page)->isVectorBackingPage())) {
    ANNOTATE_DELETE_BUFFER();
}

[sof, 2015/02/21 08:52:34]

Addressed in the tidiest manner I could think of.

+            BasePage* largePage = pageFromObject(largeObject);
+            ASSERT(largePage->isLargeObjectPage());
+            static_cast<LargeObjectPage*>(largePage)->setIsVectorBackingPage();
+        }
+#endif
+        return largeObject;
+    }
 
     // 2. Check if we should trigger a GC.
     updateRemainingAllocationSize();
     threadState()->scheduleGCIfNeeded();
 
     // 3. Try to allocate from a free list.
     Address result = allocateFromFreeList(allocationSize, gcInfoIndex);
     if (result)
         return result;
 
@@ skipping 115 matching lines @@
 
     largeObject->link(&m_firstPage);
 
     Heap::increaseAllocatedSpace(largeObject->size());
     Heap::increaseAllocatedObjectSize(largeObject->size());
     return result;
 }
 
 void LargeObjectHeap::freeLargeObjectPage(LargeObjectPage* object)
 {
+#if ENABLE(ASAN_CONTAINER_ANNOTATIONS)
+    if (object->isVectorBackingPage())
+        ASAN_RETIRE_CONTAINER_ANNOTATION(VectorHeapIndex, object->payload(), object->payloadSize());
+#endif
     object->heapObjectHeader()->finalize(object->payload(), object->payloadSize());
     Heap::decreaseAllocatedSpace(object->size());
 
     // Unpoison the object header and allocationGranularity bytes after the
     // object before freeing.
     ASAN_UNPOISON_MEMORY_REGION(object->heapObjectHeader(), sizeof(HeapObjectHeader));
     ASAN_UNPOISON_MEMORY_REGION(object->address() + object->size(), allocationGranularity);
 
     if (object->terminating()) {
         ASSERT(ThreadState::current()->isTerminating());
@@ skipping 339 matching lines @@
         if (!header->isMarked()) {
             size_t size = header->size();
             // This is a fast version of header->payloadSize().
             size_t payloadSize = size - sizeof(HeapObjectHeader);
             Address payload = header->payload();
             // For ASan we unpoison the specific object when calling the
             // finalizer and poison it again when done to allow the object's own
             // finalizer to operate on the object, but not have other finalizers
             // be allowed to access it.
             ASAN_UNPOISON_MEMORY_REGION(payload, payloadSize);
+            ASAN_RETIRE_CONTAINER_ANNOTATION(heap()->heapIndex(), payload, payloadSize);
             header->finalize(payload, payloadSize);
             // This memory will be added to the freelist. Maintain the invariant
             // that memory on the freelist is zero filled.
             FILL_ZERO_IF_PRODUCTION(headerAddress, size);
             ASAN_POISON_MEMORY_REGION(payload, payloadSize);
             headerAddress += size;
             continue;
         }
 
         if (startOfGap != headerAddress)
@@ skipping 239 matching lines @@
 #endif
 
 NormalPageHeap* NormalPage::heapForNormalPage()
 {
     return static_cast<NormalPageHeap*>(heap());
 }
 
 LargeObjectPage::LargeObjectPage(PageMemory* storage, BaseHeap* heap, size_t payloadSize)
     : BasePage(storage, heap)
     , m_payloadSize(payloadSize)
+#if ENABLE(ASAN_CONTAINER_ANNOTATIONS)
+    , m_isVectorBackingPage(false)
+#endif
 {
 }
 
 size_t LargeObjectPage::objectPayloadSizeForTesting()
 {
     markAsSwept();
     return payloadSize();
 }
 
 bool LargeObjectPage::isEmpty()
@@ skipping 1037 matching lines @@
 bool Heap::s_shutdownCalled = false;
 bool Heap::s_lastGCWasConservative = false;
 FreePagePool* Heap::s_freePagePool;
 OrphanedPagePool* Heap::s_orphanedPagePool;
 Heap::RegionTree* Heap::s_regionTree = nullptr;
 size_t Heap::s_allocatedObjectSize = 0;
 size_t Heap::s_allocatedSpace = 0;
 size_t Heap::s_markedObjectSize = 0;
 
 } // namespace blink