Oilpan: HeapObjectHeader::checkHeader should not allow access on orphaned pages

Source/platform/heap/Heap.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 587 matching lines @@
             }
             if (header->isFree()) {
                 // Zero the memory in the free list header to maintain the
                 // invariant that memory on the free list is zero filled.
                 // The rest of the memory is already on the free list and is
                 // therefore already zero filled.
                 FILL_ZERO_IF_PRODUCTION(headerAddress, size < sizeof(FreeListEntry) ? size : sizeof(FreeListEntry));
                 headerAddress += size;
                 continue;
             }
+            header->checkHeader();
             if (startOfGap != headerAddress)
                 addToFreeList(startOfGap, headerAddress - startOfGap);
 
             headerAddress += size;
             startOfGap = headerAddress;
         }
 
         if (startOfGap != page->payloadEnd())
             addToFreeList(startOfGap, page->payloadEnd() - startOfGap);
     }
@@ skipping 33 matching lines @@
     }
 
     m_promptlyFreedSize += size;
 }
 
 bool NormalPageHeap::expandObject(HeapObjectHeader* header, size_t newSize)
 {
     // It's possible that Vector requests a smaller expanded size because
     // Vector::shrinkCapacity can set a capacity smaller than the actual payload
     // size.
+    header->checkHeader();
     if (header->payloadSize() >= newSize)
         return true;
     size_t allocationSize = Heap::allocationSizeFromSize(newSize);
     ASSERT(allocationSize > header->size());
     size_t expandSize = allocationSize - header->size();
     if (header->payloadEnd() == m_currentAllocationPoint && expandSize <= m_remainingAllocationSize) {
         m_currentAllocationPoint += expandSize;
         m_remainingAllocationSize -= expandSize;
 
         // Unpoison the memory used for the object (payload).
         ASAN_UNPOISON_MEMORY_REGION(header->payloadEnd(), expandSize);
         FILL_ZERO_IF_NOT_PRODUCTION(header->payloadEnd(), expandSize);
         header->setSize(allocationSize);
         ASSERT(findPageFromAddress(header->payloadEnd() - 1));
         return true;
     }
     return false;
 }
 
 bool NormalPageHeap::shrinkObject(HeapObjectHeader* header, size_t newSize)
 {
+    header->checkHeader();
     ASSERT(header->payloadSize() > newSize);
     size_t allocationSize = Heap::allocationSizeFromSize(newSize);
     ASSERT(header->size() > allocationSize);
     size_t shrinkSize = header->size() - allocationSize;
     if (header->payloadEnd() == m_currentAllocationPoint) {
         m_currentAllocationPoint -= shrinkSize;
         m_remainingAllocationSize += shrinkSize;
         FILL_ZERO_IF_PRODUCTION(m_currentAllocationPoint, shrinkSize);
         ASAN_POISON_MEMORY_REGION(m_currentAllocationPoint, shrinkSize);
         header->setSize(allocationSize);
@@ skipping 581 matching lines @@
     for (size_t i = 0; i < objectSize / sizeof(Address); ++i) {
         if (objectFields[i] != 0)
             return false;
     }
     return true;
 }
 #endif
 
 static void markPointer(Visitor* visitor, HeapObjectHeader* header)
 {
+    header->checkHeader();
     const GCInfo* gcInfo = Heap::gcInfo(header->gcInfoIndex());
     if (gcInfo->hasVTable() && !vTableInitialized(header->payload())) {
         // We hit this branch when a GC strikes before GarbageCollected<>'s
         // constructor runs.
         //
         // class A : public GarbageCollected<A> { virtual void f() = 0; };
         // class B : public A {
         //   B() : A(foo()) { };
         // };
         //
@@ skipping 51 matching lines @@
 {
     HeapObjectHeader* header = nullptr;
     for (Address addr = payload(); addr < payloadEnd(); addr += header->size()) {
         header = reinterpret_cast<HeapObjectHeader*>(addr);
         if (json)
             json->pushInteger(header->encodedSize());
         if (header->isFree()) {
             info->freeSize += header->size();
             continue;
         }
+        header->checkHeader();
 
         size_t tag = info->getClassTag(Heap::gcInfo(header->gcInfoIndex()));
         size_t age = header->age();
         if (json)
             json->pushInteger(tag);
         if (header->isMarked()) {
             info->liveCount[tag] += 1;
             info->liveSize[tag] += header->size();
             // Count objects that are live when promoted to the final generation.
             if (age == maxHeapObjectAge - 1)
@@ skipping 862 matching lines @@
 size_t Heap::s_allocatedObjectSize = 0;
 size_t Heap::s_allocatedSpace = 0;
 size_t Heap::s_markedObjectSize = 0;
 // We don't want to use 0 KB for the initial value because it may end up
 // triggering the first GC of some thread too prematurely.
 size_t Heap::s_estimatedLiveObjectSize = 512 * 1024;
 size_t Heap::s_externalObjectSizeAtLastGC = 0;
 double Heap::s_estimatedMarkingTimePerByte = 0.0;
 
 } // namespace blink