Bug 1476845 - Collect poison values from around the engine into jsutil.h r=jonco

Differential Revision: https://phabricator.services.mozilla.com/D33450 --HG-- extra : moz-landing-system : lando
2019-06-14 05:36:37 +00:00 · 2019-06-14 05:36:37 +00:00 · 22ecc62435
--- a/js/src/builtin/Array.cpp
+++ b/js/src/builtin/Array.cpp
@ -4467,7 +4467,8 @@ void js::ArraySpeciesLookup::initialize(JSContext* cx) {
 }

 void js::ArraySpeciesLookup::reset() {
-  AlwaysPoison(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
+  AlwaysPoison(this, JS_RESET_VALUE_PATTERN, sizeof(*this),
+               MemCheckKind::MakeUndefined);
  state_ = State::Uninitialized;
 }

--- a/js/src/builtin/Promise.cpp
+++ b/js/src/builtin/Promise.cpp
@ -5176,7 +5176,8 @@ void js::PromiseLookup::initialize(JSContext* cx) {
 }

 void js::PromiseLookup::reset() {
-  AlwaysPoison(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
+  AlwaysPoison(this, JS_RESET_VALUE_PATTERN, sizeof(*this),
+               MemCheckKind::MakeUndefined);
  state_ = State::Uninitialized;
 }

--- a/js/src/frontend/NameFunctions.cpp
+++ b/js/src/frontend/NameFunctions.cpp
@ -457,7 +457,7 @@ class NameResolver : public ParseNodeVisitor<NameResolver> {
    MOZ_ASSERT(initialParents == nparents_, "nparents imbalance detected");
    MOZ_ASSERT(parents_[initialParents] == pn,
               "pushed child shouldn't change underneath us");
-    AlwaysPoison(&parents_[initialParents], 0xFF,
+    AlwaysPoison(&parents_[initialParents], JS_OOB_PARSE_NODE_PATTERN,
                 sizeof(parents_[initialParents]), MemCheckKind::MakeUndefined);

    return ok;
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@ -131,7 +131,10 @@ static inline bool IsThingPoisoned(T* thing) {
      JS_MOVED_TENURED_PATTERN,     JS_SWEPT_TENURED_PATTERN,
      JS_ALLOCATED_TENURED_PATTERN, JS_FREED_HEAP_PTR_PATTERN,
      JS_FREED_CHUNK_PATTERN,       JS_FREED_ARENA_PATTERN,
-      JS_SWEPT_TI_PATTERN,          JS_SWEPT_CODE_PATTERN};
+      JS_SWEPT_TI_PATTERN,          JS_SWEPT_CODE_PATTERN,
+      JS_RESET_VALUE_PATTERN,       JS_POISONED_JSSCRIPT_DATA_PATTERN,
+      JS_OOB_PARSE_NODE_PATTERN,
+  };
  const int numPoisonBytes = sizeof(poisonBytes) / sizeof(poisonBytes[0]);
  uint32_t* p =
      reinterpret_cast<uint32_t*>(reinterpret_cast<FreeSpan*>(thing) + 1);
--- a/js/src/jsutil.h
+++ b/js/src/jsutil.h
@ -268,6 +268,13 @@ const uint8_t JS_FREED_CHUNK_PATTERN = 0x8B;
 const uint8_t JS_FREED_ARENA_PATTERN = 0x9B;
 const uint8_t JS_SWEPT_TI_PATTERN = 0x6F;
 const uint8_t JS_FRESH_MARK_STACK_PATTERN = 0x9F;
+const uint8_t JS_RESET_VALUE_PATTERN = 0xBB;
+const uint8_t JS_POISONED_JSSCRIPT_DATA_PATTERN = 0xDB;
+const uint8_t JS_OOB_PARSE_NODE_PATTERN = 0xFF;
+
+// Even ones
+const uint8_t JS_NEW_NATIVE_ITERATOR_PATTERN = 0xCC;
+const uint8_t JS_SCOPE_DATA_TRAILING_NAMES_PATTERN = 0xCC;

 /*
 * Ensure JS_SWEPT_CODE_PATTERN is a byte pattern that will crash immediately
--- a/js/src/vm/Iteration.cpp
+++ b/js/src/vm/Iteration.cpp
@ -638,8 +638,8 @@ static PropertyIteratorObject* CreatePropertyIterator(
 NativeIterator::NativeIterator() {
  // Do our best to enforce that nothing in |this| except the two fields set
  // below is ever observed.
-  AlwaysPoison(static_cast<void*>(this), 0xCC, sizeof(*this),
-               MemCheckKind::MakeUndefined);
+  AlwaysPoison(static_cast<void*>(this), JS_NEW_NATIVE_ITERATOR_PATTERN,
+               sizeof(*this), MemCheckKind::MakeUndefined);

  // These are the only two fields in sentinel NativeIterators that are
  // examined, in ObjectRealm::sweepNativeIterators.  Everything else is
--- a/js/src/vm/JSScript.cpp
+++ b/js/src/vm/JSScript.cpp
@ -4107,7 +4107,8 @@ void JSScript::finalize(FreeOp* fop) {

  if (data_) {
    size_t size = computedSizeOfData();
-    AlwaysPoison(data_, 0xdb, size, MemCheckKind::MakeNoAccess);
+    AlwaysPoison(data_, JS_POISONED_JSSCRIPT_DATA_PATTERN, size,
+                 MemCheckKind::MakeNoAccess);
    fop->free_(this, data_, size, MemoryUse::ScriptPrivateData);
  }

--- a/js/src/vm/Scope.h
+++ b/js/src/vm/Scope.h
@ -178,7 +178,8 @@ class TrailingNamesArray {

  explicit TrailingNamesArray(size_t nameCount) {
    if (nameCount) {
-      AlwaysPoison(&data_, 0xCC, sizeof(BindingName) * nameCount,
+      AlwaysPoison(&data_, JS_SCOPE_DATA_TRAILING_NAMES_PATTERN,
+                   sizeof(BindingName) * nameCount,
                   MemCheckKind::MakeUndefined);
    }
  }