1. Enable large object pointer offset check in release build.

third_party/tcmalloc/chromium/src/tcmalloc.cc

 // Copyright (c) 2005, Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 160 matching lines @@
 using tcmalloc::kCrashWithStats;
 using tcmalloc::Log;
 using tcmalloc::PageHeap;
 using tcmalloc::PageHeapAllocator;
 using tcmalloc::SizeMap;
 using tcmalloc::Span;
 using tcmalloc::StackTrace;
 using tcmalloc::Static;
 using tcmalloc::ThreadCache;
 
-// ---- Double free debug declarations
+// ---- Functions doing validation with an extra mark.
 static size_t ExcludeSpaceForMark(size_t size);
 static void AddRoomForMark(size_t* size);
 static void ExcludeMarkFromSize(size_t* new_size);
 static void MarkAllocatedRegion(void* ptr);
 static void ValidateAllocatedRegion(void* ptr, size_t cl);
-// ---- End Double free debug declarations
+// ---- End validation functions.
 
 DECLARE_int64(tcmalloc_sample_parameter);
 DECLARE_double(tcmalloc_release_rate);
 
 // For windows, the printf we use to report large allocs is
 // potentially dangerous: it could cause a malloc that would cause an
 // infinite loop.  So by default we set the threshold to a huge number
 // on windows, so this bad situation will never trigger.  You can
 // always set TCMALLOC_LARGE_ALLOC_REPORT_THRESHOLD manually if you
 // want this functionality.
@@ skipping 745 matching lines @@
 // Helpers for the exported routines below
 //-------------------------------------------------------------------
 
 static inline bool CheckCachedSizeClass(void *ptr) {
   PageID p = reinterpret_cast<uintptr_t>(ptr) >> kPageShift;
   size_t cached_value = Static::pageheap()->GetSizeClassIfCached(p);
   return cached_value == 0 ||
       cached_value == Static::pageheap()->GetDescriptor(p)->sizeclass;
 }
 
-static inline void* CheckedMallocResult(void *result) {
+static inline void* CheckMallocResult(void *result) {
   ASSERT(result == NULL || CheckCachedSizeClass(result));
   MarkAllocatedRegion(result);
   return result;
 }
 
 static inline void* SpanToMallocResult(Span *span) {
   Static::pageheap()->CacheSizeClass(span->start, 0);
   return
-      CheckedMallocResult(reinterpret_cast<void*>(span->start << kPageShift));
+      CheckMallocResult(reinterpret_cast<void*>(span->start << kPageShift));
 }
 
 static void* DoSampledAllocation(size_t size) {
   // Grab the stack trace outside the heap lock
   StackTrace tmp;
   tmp.depth = GetStackTrace(tmp.stack, tcmalloc::kMaxStackDepth, 1);
   tmp.size = size;
 
   SpinLockHolder h(Static::pageheap_lock());
   // Allocate span
@@ skipping 116 matching lines @@
     // these tallies.  I don't think this is performance critical, but we really
     // should measure it.
     heap->AddToByteAllocatedTotal(size);  // Chromium profiling.
 
     if ((FLAGS_tcmalloc_sample_parameter > 0) && heap->SampleAllocation(size)) {
       ret = DoSampledAllocation(size);
       MarkAllocatedRegion(ret);
     } else {
       // The common case, and also the simplest.  This just pops the
       // size-appropriate freelist, after replenishing it if it's empty.
-      ret = CheckedMallocResult(heap->Allocate(size, cl));
+      ret = CheckMallocResult(heap->Allocate(size, cl));
     }
   } else {
     ret = do_malloc_pages(heap, size);
     MarkAllocatedRegion(ret);
   }
   if (ret == NULL) errno = ENOMEM;
   return ret;
 }
 
 inline void* do_calloc(size_t n, size_t elem_size) {
@@ skipping 39 matching lines @@
       // tcmalloc.  The latter can happen if tcmalloc is linked in via
       // a dynamic library, but is not listed last on the link line.
       // In that case, libraries after it on the link line will
       // allocate with libc malloc, but free with tcmalloc's free.
       (*invalid_free_fn)(ptr);  // Decide how to handle the bad free request
       return;
     }
     cl = span->sizeclass;
     Static::pageheap()->CacheSizeClass(p, cl);
   }
+  if (cl == 0) {
+    // Check to see if the object is in use.
+    CHECK_CONDITION_PRINT(span->location == Span::IN_USE,
+                          "Object was not in-use");
 
+    CHECK_CONDITION_PRINT(
+        span->start << kPageShift == reinterpret_cast<uintptr_t>(ptr),
+        "Pointer is not pointing to the start of a span");
+  }
   ValidateAllocatedRegion(ptr, cl);
 
   if (cl != 0) {
     ASSERT(!Static::pageheap()->GetDescriptor(p)->sample);
     ThreadCache* heap = GetCacheIfPresent();
     if (heap != NULL) {
       heap->Deallocate(ptr, cl);
     } else {
       // Delete directly into central cache
       tcmalloc::FL_Init(ptr);
@@ skipping 99 matching lines @@
 // For use by exported routines below that want specific alignments
 //
 // Note: this code can be slow for alignments > 16, and can
 // significantly fragment memory.  The expectation is that
 // memalign/posix_memalign/valloc/pvalloc will not be invoked very
 // often.  This requirement simplifies our implementation and allows
 // us to tune for expected allocation patterns.
 void* do_memalign(size_t align, size_t size) {
   ASSERT((align & (align - 1)) == 0);
   ASSERT(align > 0);
-  // Marked in CheckMallocResult(), which is also inside SpanToMallocResult(). 
+  // Marked in CheckMallocResult(), which is also inside SpanToMallocResult().
   AddRoomForMark(&size);
   if (size + align < size) return NULL;         // Overflow
 
   // Fall back to malloc if we would already align this memory access properly.
   if (align <= AlignmentForSize(size)) {
     void* p = do_malloc(size);
     ASSERT((reinterpret_cast<uintptr_t>(p) % align) == 0);
     return p;
   }
 
@@ skipping 10 matching lines @@
     // we miss in the size class array, but that is deemed acceptable
     // since memalign() should be used rarely.
     int cl = Static::sizemap()->SizeClass(size);
     while (cl < kNumClasses &&
            ((Static::sizemap()->class_to_size(cl) & (align - 1)) != 0)) {
       cl++;
     }
     if (cl < kNumClasses) {
       ThreadCache* heap = ThreadCache::GetCache();
       size = Static::sizemap()->class_to_size(cl);
-      return CheckedMallocResult(heap->Allocate(size, cl));
+      return CheckMallocResult(heap->Allocate(size, cl));
     }
   }
 
   // We will allocate directly from the page heap
   SpinLockHolder h(Static::pageheap_lock());
 
   if (align <= kPageSize) {
     // Any page-level allocation will be fine
     // TODO: We could put the rest of this page in the appropriate
     // TODO: cache but it does not seem worth it.
@@ skipping 370 matching lines @@
   return do_mallinfo();
 }
 #endif
 
 extern "C" PERFTOOLS_DLL_DECL size_t tc_malloc_size(void* ptr) __THROW {
   return MallocExtension::instance()->GetAllocatedSize(ptr);
 }
 
 #endif  // TCMALLOC_USING_DEBUGALLOCATION
 
-// ---Double free() debugging implementation -----------------------------------
+// --- Validation implementation with an extra mark ----------------------------
 // We will put a mark at the extreme end of each allocation block.  We make
 // sure that we always allocate enough "extra memory" that we can fit in the
 // mark, and still provide the requested usable region.  If ever that mark is
 // not as expected, then we know that the user is corrupting memory beyond their
 // request size, or that they have called free a second time without having
 // the memory allocated (again).  This allows us to spot most double free()s,
 // but some can "slip by" or confuse our logic if the caller reallocates memory
 // (for a second use) before performing an evil double-free of a first
 // allocation
 
@@ skipping 22 matching lines @@
 
 static size_t ExcludeSpaceForMark(size_t size) { return size; }
 static void AddRoomForMark(size_t* size) {}
 static void ExcludeMarkFromSize(size_t* new_size) {}
 static void MarkAllocatedRegion(void* ptr) {}
 static void ValidateAllocatedRegion(void* ptr, size_t cl) {}
 
 #else  // TCMALLOC_VALIDATION
 
 static void DieFromDoubleFree() {
-  char* p = NULL;
-  p++;
-  *p += 1;  // Segv.
-}
-
-static size_t DieFromBadFreePointer(const void* unused) {
-  char* p = NULL;
-  p += 2;
-  *p += 2;  // Segv.
-  return 0;
+  Log(kCrash, __FILE__, __LINE__, "Attempt to double free");
 }
 
 static void DieFromMemoryCorruption() {
-  char* p = NULL;
-  p += 3;
-  *p += 3;  // Segv.
+  Log(kCrash, __FILE__, __LINE__, "Memory corrupted");
 }
 
 // We can either do byte marking, or whole word marking based on the following
 // define.  char is as small as we can get, and word marking probably provides
 // more than enough bits that we won't miss a corruption. Any sized integral
 // type can be used, but we just define two examples.
 
 //  #define TCMALLOC_SMALL_VALIDATION
 #if defined (TCMALLOC_SMALL_VALIDATION)
 
 typedef char MarkType;  // char saves memory... int is more complete.
 static const MarkType kAllocationMarkMask = static_cast<MarkType>(0x36);
 
-#else 
+#else
 
 typedef int MarkType;  // char saves memory... int is more complete.
 static const MarkType kAllocationMarkMask = static_cast<MarkType>(0xE1AB9536);
 
 #endif
 
 // TODO(jar): See if use of reference rather than pointer gets better inlining,
 // or if macro is needed.  My fear is that taking address map preclude register
 // allocation :-(.
 inline static void AddRoomForMark(size_t* size) {
   *size += sizeof(kAllocationMarkMask);
 }
 
 inline static void ExcludeMarkFromSize(size_t* new_size) {
   *new_size -= sizeof(kAllocationMarkMask);
 }
 
 inline static size_t ExcludeSpaceForMark(size_t size) {
   return size - sizeof(kAllocationMarkMask);  // Lie about size when asked.
 }
 
 inline static MarkType* GetMarkLocation(void* ptr) {
-  size_t class_size = GetSizeWithCallback(ptr, DieFromBadFreePointer);
-  ASSERT(class_size % sizeof(kAllocationMarkMask) == 0);
-  size_t last_index = (class_size / sizeof(kAllocationMarkMask)) - 1;
+  size_t size = GetSizeWithCallback(ptr, &InvalidGetAllocatedSize);
+  ASSERT(size % sizeof(kAllocationMarkMask) == 0);
+  size_t last_index = (size / sizeof(kAllocationMarkMask)) - 1;
   return static_cast<MarkType*>(ptr) + last_index;
 }
 
 // We hash in the mark location plus the pointer so that we effectively mix in
 // the size of the block.  This means that if a span is used for different sizes
 // that the mark will be different. It would be good to hash in the size (which
 // we effectively get by using both mark location and pointer), but even better
 // would be to also include the class, as it concisely contains the entropy
 // found in the size (when we don't have large allocation), and there is less
 // risk of losing those bits to truncation. It would probably be good to combine
@@ skipping 50 matching lines @@
   *mark = ~allocated_mark;  //  Distinctively not allocated.
 }
 
 static void MarkAllocatedRegion(void* ptr) {
   if (ptr == NULL) return;
   MarkType* mark = GetMarkLocation(ptr);
   *mark = GetMarkValue(ptr, mark);
 }
 
 #endif  // TCMALLOC_VALIDATION