Oilpan: disable conservative GCs during initial GC mixin construction.

Source/platform/heap/Visitor.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 879 matching lines @@
                 TraceTrait<TYPE>::trace(visitor, const_cast<TYPE*>(this));                                                              \
             return;                                                                                                                     \
         }                                                                                                                               \
         visitor->mark(static_cast<const TYPE*>(this), &blink::TraceTrait<TYPE>::trace);                                                 \
     }                                                                                                                                   \
     virtual bool isHeapObjectAlive(VISITOR visitor) const override                                                                      \
     {                                                                                                                                   \
         return visitor->isAlive(this);                                                                                                  \
     }                                                                                                                                   \
 private:
+
+// A C++ object's vptr will be initialized to its leftmost base's
+// vtable after the constructors of all its subclasses have run,
+// so if a subclass constructor tries to access any of the vtbl
+// entries of its leftmost base prematurely, it'll find an as-yet
+// incorrect vptr and fail. Which is exactly what a garbage collector
+// will try to do if it tries to access the leftmost base while one
+// of the subclass constructors of a GC mixin object triggers a GC.
+// It is consequently not safe to allow any GCs while these objects
+// are under (sub constructor) construction.
+//
+// To achieve that, the construction of mixins are handled in a
+// special manner:
+//
+//  - The initial allocation of the mixin object will enter a no GC scope.
+//    This is done by overriding 'operator new' for mixin instances.
+//  - When the constructor for the mixin is invoked, after all the
+//    derived constructors have run, it will invoke the constructor
+//    for a field whose only purpose is to leave the GC scope.
+//    GarbageCollectedMixinConstructorMarker's constructor takes care of
+//    this and the field is declared by way of USING_GARBAGE_COLLECTED_MIXIN().
+
+// Trait template to resolve the effective base GC class to use when allocating
+// objects at some type T. Requires specialization for Node and CSSValue
+// derived types to have these be allocated on appropriate heaps.
+template<typename T, typename Enabled = void>
+class EffectiveGCBaseTrait {
+public:
+    using Type = T;
+};
+
+// FIXME: move these forward declarations and the
+// EffectiveGCBaseTrait<> specializations out of
+// here and into the header files for the respective types.
+class Node;
+class CSSValue;
+
+template<typename T>
+class EffectiveGCBaseTrait<T, typename WTF::EnableIf<WTF::IsSubclass<T, blink::Node>::value>::Type> {
+public:
+    using Type = Node;
+};
+
+template<typename T>
+class EffectiveGCBaseTrait<T, typename WTF::EnableIf<WTF::IsSubclass<T, blink::CSSValue>::value>::Type> {
+public:
+    using Type = CSSValue;
+};
+
+#define DEFINE_GARBAGE_COLLECTED_MIXIN_CONSTRUCTOR_MARKER(TYPE)                         \
+public:                                                                                 \
+    GC_PLUGIN_IGNORE("crbug.com/456823")                                                \
+    void* operator new(size_t size)                                                     \
+    {                                                                                   \
+        void* object = Heap::allocate<typename EffectiveGCBaseTrait<TYPE>::Type>(size); \
+        ThreadState* state = ThreadStateFor<ThreadingTrait<TYPE>::Affinity>::state();   \
+        state->enterGCForbiddenScope();                                                 \
+        return object;                                                                  \
+    }                                                                                   \
+private:                                                                                \
+    const GarbageCollectedMixinConstructorMarker<TYPE> m_mixinConstructorMarker;
+
 #if ENABLE(INLINED_TRACE)
 #define USING_GARBAGE_COLLECTED_MIXIN(TYPE)                       \
     DEFINE_GARBAGE_COLLECTED_MIXIN_METHODS(blink::Visitor*, TYPE) \
-    DEFINE_GARBAGE_COLLECTED_MIXIN_METHODS(blink::InlinedGlobalMarkingVisitor, TYPE)
+    DEFINE_GARBAGE_COLLECTED_MIXIN_METHODS(blink::InlinedGlobalMarkingVisitor, TYPE) \
+    DEFINE_GARBAGE_COLLECTED_MIXIN_CONSTRUCTOR_MARKER(TYPE)
 #else
-#define USING_GARBAGE_COLLECTED_MIXIN(TYPE) \
-    DEFINE_GARBAGE_COLLECTED_MIXIN_METHODS(blink::Visitor*, TYPE)
+#define USING_GARBAGE_COLLECTED_MIXIN(TYPE)                       \
+    DEFINE_GARBAGE_COLLECTED_MIXIN_METHODS(blink::Visitor*, TYPE) \
+    DEFINE_GARBAGE_COLLECTED_MIXIN_CONSTRUCTOR_MARKER(TYPE)
 #endif
 
 #if ENABLE(OILPAN)
 #define WILL_BE_USING_GARBAGE_COLLECTED_MIXIN(TYPE) USING_GARBAGE_COLLECTED_MIXIN(TYPE)
 #else
 #define WILL_BE_USING_GARBAGE_COLLECTED_MIXIN(TYPE)
 #endif
 
 // Template to determine if a class is a GarbageCollectedMixin by checking if it
 // has IsGarbageCollectedMixinMarker
 template<typename T>
 struct IsGarbageCollectedMixin {
 private:
     typedef char YesType;
     struct NoType {
         char padding[8];
     };
 
     template <typename U> static YesType checkMarker(typename U::IsGarbageCollectedMixinMarker*);
     template <typename U> static NoType checkMarker(...);
 
 public:
     static const bool value = sizeof(checkMarker<T>(nullptr)) == sizeof(YesType);
 };
 
+// An empty class with a constructor that's arranged invoked when all derived constructors
+// of a mixin instance have completed and it is safe to allow GCs again. See
+// AllocateObjectTrait<> comment for more.
+//
+// USING_GARBAGE_COLLECTED_MIXIN() declares a GarbageCollectedMixinConstructorMarker<> private
+// field. By following Blink convention of using the macro at the top of a class declaration,
+// its constructor will run first.
+template<typename T>
+class GarbageCollectedMixinConstructorMarker {
+public:
+    GarbageCollectedMixinConstructorMarker()
+    {
+        // FIXME: if prompt conservative GCs are needed, forced GCs that
+        // were denied while within this scope, could now be performed.
+        // For now, assume the next out-of-line allocation request will
+        // happen soon enough and take care of it. Mixin objects aren't
+        // overly common.
+        ThreadState* state = ThreadStateFor<ThreadingTrait<T>::Affinity>::state();
+        state->leaveGCForbiddenScope();
+    }
+};
+
 #if ENABLE(GC_PROFILING)
 template<typename T>
 struct TypenameStringTrait {
     static const String& get()
     {
         DEFINE_STATIC_LOCAL(String, typenameString, (WTF::extractTypeNameFromFunctionName(WTF::extractNameFunction<T>())));
         return typenameString;
     }
 };
 #endif
@@ skipping 63 matching lines @@
 struct GCInfoTrait {
     static size_t index()
     {
         return GCInfoAtBase<typename GetGarbageCollectedBase<T>::type>::index();
     }
 };
 
 } // namespace blink
 
 #endif // Visitor_h