Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / art / ef496d9a08bdc9cd86a2ada2196d88ebdcab01bd^! / . / runtime / gc / collector / concurrent_copying.cc
commitef496d9a08bdc9cd86a2ada2196d88ebdcab01bd[log] [tgz]
authorMathieu Chartier <mathieuc@google.com>Fri Apr 28 18:58:59 2017 -0700
committerMathieu Chartier <mathieuc@google.com>Mon May 01 15:22:32 2017 -0700
tree7bcfa18999a6edf72656210bf7a8b9370b7d996a
parent18df7714111bdd3c5737f1ef2fa587d9957f8a2f [diff] [blame]
Add basic heap corruption detection ConcurrentCopying::Copy

Detect objects that have a null class. This also detects objects that
are not in the from-space allocated area since this area is zero
initialized.

Test: test-art-host

Bug: 37683299
Bug: 12687968
Bug: 37187694

(cherry picked from commit 350cf8a406486a4fa96549114b3b21b975a5c8f8)

Change-Id: I3ce282d3d3e523ca3952f85573fb03c1597b6bfc

diff --git a/runtime/gc/collector/concurrent_copying.cc b/runtime/gc/collector/concurrent_copying.cc
index 9c3ce0b..b3780e6 100644
--- a/runtime/gc/collector/concurrent_copying.cc
+++ b/runtime/gc/collector/concurrent_copying.cc

@@ -2218,8 +2218,16 @@
   return reinterpret_cast<mirror::Object*>(addr);
 }
 
-mirror::Object* ConcurrentCopying::Copy(mirror::Object* from_ref) {
+mirror::Object* ConcurrentCopying::Copy(mirror::Object* from_ref,
+                                        mirror::Object* holder,
+                                        MemberOffset offset) {
   DCHECK(region_space_->IsInFromSpace(from_ref));
+  // If the class pointer is null, the object is invalid. This could occur for a dangling pointer
+  // from a previous GC that is either inside or outside the allocated region.
+  mirror::Class* klass = from_ref->GetClass<kVerifyNone, kWithoutReadBarrier>();
+  if (UNLIKELY(klass == nullptr)) {
+    heap_->GetVerification()->LogHeapCorruption(holder, offset, from_ref, /* fatal */ true);
+  }
   // There must not be a read barrier to avoid nested RB that might violate the to-space invariant.
   // Note that from_ref is a from space ref so the SizeOf() call will access the from-space meta
   // objects, but it's ok and necessary.
@@ -2274,7 +2282,7 @@
   DCHECK(to_ref != nullptr);
 
   // Copy the object excluding the lock word since that is handled in the loop.
-  to_ref->SetClass(from_ref->GetClass<kVerifyNone, kWithoutReadBarrier>());
+  to_ref->SetClass(klass);
   const size_t kObjectHeaderSize = sizeof(mirror::Object);
   DCHECK_GE(obj_size, kObjectHeaderSize);
   static_assert(kObjectHeaderSize == sizeof(mirror::HeapReference<mirror::Class>) +
@@ -2482,7 +2490,7 @@
       if (is_los && !IsAligned<kPageSize>(ref)) {
         // Ref is a large object that is not aligned, it must be heap corruption. Dump data before
         // AtomicSetReadBarrierState since it will fault if the address is not valid.
-        heap_->GetVerification()->LogHeapCorruption(ref, offset, holder, /* fatal */ true);
+        heap_->GetVerification()->LogHeapCorruption(holder, offset, ref, /* fatal */ true);
       }
       // Not marked or on the allocation stack. Try to mark it.
       // This may or may not succeed, which is ok.