I noticed that blink_gc heap dumps from Android feature garbled types. See attached screenshot taken from this trace: https://drive.google.com/file/d/0B_Hmi138MnbJSkpyTVd6ckRNSTg/view?usp=sharing
When I dug deeper I found that all of those types are instances of "blink::CSSValue" and "blink::Node".
The problem is that the code that submits those types declares a 'const char typeName[]' array on the stack:

    const char typeName[] = "blink::CSSValue";
    return ThreadHeap::allocateOnArenaIndex(
        state, size,
        isEager ? BlinkGC::EagerSweepArenaIndex : BlinkGC::CSSValueArenaIndex,
        GCInfoTrait<CSSValue>::index(), typeName);

This creates a 'const char typeName[16]' array on the stack and initializes it with the "blink::CSSValue" chars. The code then submits that pointer to allocateOnArenaIndex(), where it's interned by BlinkGCMemoryDumpProvider.
By the time we're reading that interned pointer (in OnMemoryDump) the original content of typeName is long gone, and we end up reading random bytes from the stack.
The fix is simple: either make that array static, or declare it as 'const char*' pointer.
Attachment (deleted): blink_gc-types.png (66.2 KB)
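To make the lifetime problem in the report concrete, here is an added, self-contained C++ model of it; it is not Chromium or Blink code. RawPointerInterner, CopyingInterner, kCssValueIndex and the Register*/Dump* functions are hypothetical stand-ins for BlinkGCMemoryDumpProvider's interning, allocateOnArenaIndex() and OnMemoryDump(). It shows the buggy caller (automatic array), the reporter's fix (static array), and a defensive interner that copies the bytes so a stack pointer can no longer dangle.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Constructed stand-in for a GCInfo index; the real Blink values are not used.
constexpr int kCssValueIndex = 7;

// Hypothetical model of how the report describes BlinkGCMemoryDumpProvider
// interning type names: it keeps the raw pointer it was handed.
class RawPointerInterner {
 public:
  void Intern(int gcInfoIndex, const char* typeName) {
    names_[gcInfoIndex] = typeName;
  }
  // Returns the interned pointer; only valid if the caller kept the bytes alive.
  const char* Lookup(int gcInfoIndex) const {
    auto it = names_.find(gcInfoIndex);
    return it == names_.end() ? "<unknown>" : it->second;
  }

 private:
  std::map<int, const char*> names_;
};

// Hardened interner: copies the bytes at intern time, so the dump provider
// no longer depends on the caller's storage duration.
class CopyingInterner {
 public:
  void Intern(int gcInfoIndex, const char* typeName) {
    names_[gcInfoIndex] = std::string(typeName);
  }
  std::string Lookup(int gcInfoIndex) const {
    auto it = names_.find(gcInfoIndex);
    return it == names_.end() ? std::string("<unknown>") : it->second;
  }

 private:
  std::map<int, std::string> names_;
};

// The pattern the report describes: a 16-byte automatic array whose address
// is handed to the interner and which dies when this function returns.
template <typename Interner>
void RegisterCssValueBuggy(Interner& interner) {
  const char typeName[] = "blink::CSSValue";  // automatic storage, 16 bytes
  interner.Intern(kCssValueIndex, typeName);
}

// The fix from the report: static storage, so the pointer stays valid for the
// life of the program (a 'const char*' to the string literal works as well).
template <typename Interner>
void RegisterCssValueFixed(Interner& interner) {
  static const char typeName[] = "blink::CSSValue";
  interner.Intern(kCssValueIndex, typeName);
}

// Simulates OnMemoryDump reading the name long after registration returned.
std::string DumpFixedWithRawInterner() {
  RawPointerInterner interner;
  RegisterCssValueFixed(interner);
  return std::string(interner.Lookup(kCssValueIndex));
}

std::string DumpBuggyWithCopyingInterner() {
  CopyingInterner interner;
  RegisterCssValueBuggy(interner);  // caller is still buggy; the copy saves it
  return interner.Lookup(kCssValueIndex);
}

int main() {
  std::printf("fixed caller, raw interner:     %s\n",
              DumpFixedWithRawInterner().c_str());
  std::printf("buggy caller, copying interner: %s\n",
              DumpBuggyWithCopyingInterner().c_str());
  // RegisterCssValueBuggy with RawPointerInterner is deliberately never read
  // back: dereferencing that pointer is undefined behaviour (the garbled type
  // names in the report).
  return 0;
}
```

The combination the report hit, a buggy caller with a raw-pointer interner, is the one this example never dereferences. To catch it in a test build, compile with `-fsanitize=address` and run with `ASAN_OPTIONS=detect_stack_use_after_return=1`; AddressSanitizer then reports the read of the dead stack frame instead of silently returning random bytes.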
Comment 1 by jbroman@chromium.org, Apr 25 2017
Status: Fixed (was: Untriaged)