Add basic heap corruption detection ConcurrentCopying::Copy
Detect objects that have a null class. This also detects objects that
are not in the from-space allocated area since this area is zero
initialized.
Test: test-art-host
Bug: 37683299
Bug: 12687968
Bug: 37187694
(cherry picked from commit 350cf8a406486a4fa96549114b3b21b975a5c8f8)
Change-Id: I3ce282d3d3e523ca3952f85573fb03c1597b6bfc
diff --git a/runtime/gc/collector/concurrent_copying.cc b/runtime/gc/collector/concurrent_copying.cc
index 9c3ce0b..b3780e6 100644
--- a/runtime/gc/collector/concurrent_copying.cc
+++ b/runtime/gc/collector/concurrent_copying.cc
@@ -2218,8 +2218,16 @@
return reinterpret_cast<mirror::Object*>(addr);
}
-mirror::Object* ConcurrentCopying::Copy(mirror::Object* from_ref) {
+mirror::Object* ConcurrentCopying::Copy(mirror::Object* from_ref,
+ mirror::Object* holder,
+ MemberOffset offset) {
DCHECK(region_space_->IsInFromSpace(from_ref));
+ // If the class pointer is null, the object is invalid. This could occur for a dangling pointer
+ // from a previous GC that is either inside or outside the allocated region.
+ mirror::Class* klass = from_ref->GetClass<kVerifyNone, kWithoutReadBarrier>();
+ if (UNLIKELY(klass == nullptr)) {
+ heap_->GetVerification()->LogHeapCorruption(holder, offset, from_ref, /* fatal */ true);
+ }
// There must not be a read barrier to avoid nested RB that might violate the to-space invariant.
// Note that from_ref is a from space ref so the SizeOf() call will access the from-space meta
// objects, but it's ok and necessary.
@@ -2274,7 +2282,7 @@
DCHECK(to_ref != nullptr);
// Copy the object excluding the lock word since that is handled in the loop.
- to_ref->SetClass(from_ref->GetClass<kVerifyNone, kWithoutReadBarrier>());
+ to_ref->SetClass(klass);
const size_t kObjectHeaderSize = sizeof(mirror::Object);
DCHECK_GE(obj_size, kObjectHeaderSize);
static_assert(kObjectHeaderSize == sizeof(mirror::HeapReference<mirror::Class>) +
@@ -2482,7 +2490,7 @@
if (is_los && !IsAligned<kPageSize>(ref)) {
// Ref is a large object that is not aligned, it must be heap corruption. Dump data before
// AtomicSetReadBarrierState since it will fault if the address is not valid.
- heap_->GetVerification()->LogHeapCorruption(ref, offset, holder, /* fatal */ true);
+ heap_->GetVerification()->LogHeapCorruption(holder, offset, ref, /* fatal */ true);
}
// Not marked or on the allocation stack. Try to mark it.
// This may or may not succeed, which is ok.