Prevent GCs when constructing GC mixin objects.

Source/platform/heap/Heap.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 1013 matching lines @@
     static bool s_lastGCWasConservative;
     static FreePagePool* s_freePagePool;
     static OrphanedPagePool* s_orphanedPagePool;
     static RegionTree* s_regionTree;
     static size_t s_allocatedSpace;
     static size_t s_allocatedObjectSize;
     static size_t s_markedObjectSize;
     friend class ThreadState;
 };
 
+template<typename T>
+struct HeapIndexTrait {
+    static int index() { return NormalPageHeapIndex; };
+};
+
+// FIXME: The forward declaration is layering violation.
+#define DEFINE_TYPED_HEAP_TRAIT(Type)                   \
+    class Type;                                         \
+    template <> struct HeapIndexTrait<class Type> {     \
+        static int index() { return Type##HeapIndex; }; \
+    };
+FOR_EACH_TYPED_HEAP(DEFINE_TYPED_HEAP_TRAIT)
+#undef DEFINE_TYPED_HEAP_TRAIT
+
+template<typename T, typename Enabled = void>
+class AllocateObjectTrait {
+public:
+    static inline Address allocate(size_t size)
+    {
+        return Heap::allocateOnHeapIndex<T>(size, HeapIndexTrait<T>::index(), GCInfoTrait<T>::index());
+    }
+
+    static inline void constructor()
+    {
+    }
+};
+
+template<typename T>
+class AllocateObjectTrait<T, typename WTF::EnableIf<blink::IsGarbageCollectedMixin<T>::value>::Type> {
+public:
+    // An object which implements GarbageCollectedMixin is marked
+    // and traced during GC by first adjusting object references to
+    // it to refer to the leftmost base for the object (which would
+    // be a GarbageCollected-derived class.) The prefixed object header
+    // can be located after that adjustment and its trace() vtbl slot
+    // will be used to fully trace the object, if not already marked.
+    //
+    // A C++ object's vptr will be initialized to its leftmost base's
+    // vtabke after the constructors of all its subclasses have run,

[haraken, 2015/02/23 08:24:23]

vtable

[sof, 2015/02/23 10:29:02]

Done.

+    // so if a subclass constructor tries to access any of the vtbl
+    // entries of its leftmost base prematurely, it'll find an as-yet
+    // incorrect vptr and fail. Which is exactly what a garbage collector
+    // will try to do if it tries to access the leftmost base while one
+    // of the subclass constructors of a GC mixin object triggers a GC.
+    // It is consequently not safe to allow any GCs while these objects
+    // are under (sub constructor) construction.
+    //
+    // To achieve that, the construction of mixins are handled in a
+    // special manner:
+    //
+    //  - The initial allocation of the mixin object will enter a no GC scope.
+    //  - The constructor for the leftmost base, which is when the mixin
+    //    object is in a state ready for a GC, leaves that GC scope.
+    //  - no-GC scope entering/leaving must support nesting.
+    //
+    static inline Address allocate(size_t size)
+    {
+        Address object = Heap::allocateOnHeapIndex<T>(size, HeapIndexTrait<T>::index(), GCInfoTrait<T>::index());
+        ThreadState::current()->enterNoGCAllowedScope();

[haraken, 2015/02/23 08:24:22]

Are compilers smart enough to remove the two ThreadState::current() lookups (one
in Heap::allocateOnHeapIndex and the other here)?

[sof, 2015/02/23 10:29:02]

Reasonable to assume so, but we might as well manually CSE to remove the
possibility that it won't be. Now done.

I left in a templated version of allocateOnHeapIndex<T>; please check if you
find that agreeable.

+        return object;
+    }
+
+    static inline void constructor()
+    {
+        ThreadState::current()->leaveNoGCAllowedScope();
+    }
+};
+
 // Base class for objects allocated in the Blink garbage-collected heap.
 //
 // Defines a 'new' operator that allocates the memory in the heap.  'delete'
 // should not be called on objects that inherit from GarbageCollected.
 //
 // Instances of GarbageCollected will *NOT* get finalized.  Their destructor
 // will not be called.  Therefore, only classes that have trivial destructors
 // with no semantic meaning (including all their subclasses) should inherit from
 // GarbageCollected.  If there are non-trival destructors in a given class or
 // any of its subclasses, GarbageCollectedFinalized should be used which
@@ skipping 28 matching lines @@
     }
 
     void operator delete(void* p)
     {
         ASSERT_NOT_REACHED();
     }
 
 protected:
     GarbageCollected()
     {
+        AllocateObjectTrait<T>::constructor();
     }
 };
 
 // Base class for objects allocated in the Blink garbage-collected heap.
 //
 // Defines a 'new' operator that allocates the memory in the heap.  'delete'
 // should not be called on objects that inherit from GarbageCollected.
 //
 // Instances of GarbageCollectedFinalized will have their destructor called when
 // the garbage collector determines that the object is no longer reachable.
@@ skipping 277 matching lines @@
     }
     return outOfLineAllocate(allocationSize, gcInfoIndex);
 }
 
 Address NormalPageHeap::allocate(size_t size, size_t gcInfoIndex)
 {
     return allocateObject(allocationSizeFromSize(size), gcInfoIndex);
 }
 
 template<typename T>
-struct HeapIndexTrait {
-    static int index() { return NormalPageHeapIndex; };
-};
-
-// FIXME: The forward declaration is layering violation.
-#define DEFINE_TYPED_HEAP_TRAIT(Type)                   \
-    class Type;                                         \
-    template <> struct HeapIndexTrait<class Type> {     \
-        static int index() { return Type##HeapIndex; }; \
-    };
-FOR_EACH_TYPED_HEAP(DEFINE_TYPED_HEAP_TRAIT)
-#undef DEFINE_TYPED_HEAP_TRAIT
-
-template<typename T>
 Address Heap::allocateOnHeapIndex(size_t size, int heapIndex, size_t gcInfoIndex)
 {
     ThreadState* state = ThreadStateFor<ThreadingTrait<T>::Affinity>::state();
     ASSERT(state->isAllocationAllowed());
     return static_cast<NormalPageHeap*>(state->heap(heapIndex))->allocate(size, gcInfoIndex);
 }
 
 template<typename T>
 Address Heap::allocate(size_t size)
 {
-    return allocateOnHeapIndex<T>(size, HeapIndexTrait<T>::index(), GCInfoTrait<T>::index());
+    return AllocateObjectTrait<T>::allocate(size);
 }
 
 template<typename T>
 Address Heap::reallocate(void* previous, size_t size)
 {
     if (!size) {
         // If the new size is 0 this is equivalent to either free(previous) or
         // malloc(0).  In both cases we do nothing and return nullptr.
         return nullptr;
     }
@@ skipping 1027 matching lines @@
 template<typename T, size_t inlineCapacity>
 struct GCInfoTrait<HeapVector<T, inlineCapacity>> : public GCInfoTrait<Vector<T, inlineCapacity, HeapAllocator>> { };
 template<typename T, size_t inlineCapacity>
 struct GCInfoTrait<HeapDeque<T, inlineCapacity>> : public GCInfoTrait<Deque<T, inlineCapacity, HeapAllocator>> { };
 template<typename T, typename U, typename V>
 struct GCInfoTrait<HeapHashCountedSet<T, U, V>> : public GCInfoTrait<HashCountedSet<T, U, V, HeapAllocator>> { };
 
 } // namespace blink
 
 #endif // Heap_h