Bug 1259222 - Add more assertions to hopefully catch bad pointers when collecting the nursery r=sfink

2024-10-09 19:35:51 +00:00 · 2017-10-09 10:22:44 +01:00 · 2017-10-09 10:22:44 +01:00 · 3a810c3d63
commit 3a810c3d63
parent a05866a727
2 changed files with 21 additions and 7 deletions
--- a/js/public/Value.h
+++ b/js/public/Value.h
@ -1428,14 +1428,25 @@ auto
 DispatchTyped(F f, const JS::Value& val, Args&&... args)
  -> decltype(f(static_cast<JSObject*>(nullptr), mozilla::Forward<Args>(args)...))
 {
-    if (val.isString())
-        return f(val.toString(), mozilla::Forward<Args>(args)...);
-    if (val.isObject())
-        return f(&val.toObject(), mozilla::Forward<Args>(args)...);
-    if (val.isSymbol())
-        return f(val.toSymbol(), mozilla::Forward<Args>(args)...);
-    if (MOZ_UNLIKELY(val.isPrivateGCThing()))
+    if (val.isString()) {
+        JSString* str = val.toString();
+        MOZ_ASSERT(gc::IsCellPointerValid(str));
+        return f(str, mozilla::Forward<Args>(args)...);
+    }
+    if (val.isObject()) {
+        JSObject* obj = &val.toObject();
+        MOZ_ASSERT(gc::IsCellPointerValid(obj));
+        return f(obj, mozilla::Forward<Args>(args)...);
+    }
+    if (val.isSymbol()) {
+        JS::Symbol* sym = val.toSymbol();
+        MOZ_ASSERT(gc::IsCellPointerValid(sym));
+        return f(sym, mozilla::Forward<Args>(args)...);
+    }
+    if (MOZ_UNLIKELY(val.isPrivateGCThing())) {
+        MOZ_ASSERT(gc::IsCellPointerValid(val.toGCThing()));
        return DispatchTyped(f, val.toGCCellPtr(), mozilla::Forward<Args>(args)...);
+    }
    MOZ_ASSERT(!val.isGCThing());
    return F::defaultValue(val);
 }
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@ -2716,6 +2716,7 @@ void
 js::gc::StoreBuffer::SlotsEdge::trace(TenuringTracer& mover) const
 {
    NativeObject* obj = object();
+    MOZ_ASSERT(IsCellPointerValid(obj));

    // Beware JSObject::swap exchanging a native object for a non-native one.
    if (!obj->isNative())
@ -2788,6 +2789,7 @@ js::gc::StoreBuffer::traceWholeCells(TenuringTracer& mover)
 {
    for (ArenaCellSet* cells = bufferWholeCell; cells; cells = cells->next) {
        Arena* arena = cells->arena;
+        MOZ_ASSERT(IsCellPointerValid(arena));

        MOZ_ASSERT(arena->bufferedCells() == cells);
        arena->bufferedCells() = &ArenaCellSet::Empty;
@ -2817,6 +2819,7 @@ js::gc::StoreBuffer::CellPtrEdge::trace(TenuringTracer& mover) const
    if (!*edge)
        return;

+    MOZ_ASSERT(IsCellPointerValid(*edge));
    MOZ_ASSERT((*edge)->getTraceKind() == JS::TraceKind::Object);
    mover.traverse(reinterpret_cast<JSObject**>(edge));
 }