From 22ecc62435669df51d02ba8d7292bae794aba93b Mon Sep 17 00:00:00 2001
From: Paul Bone
Date: Fri, 14 Jun 2019 05:36:37 +0000
Subject: [PATCH] Bug 1476845 - Collect poison values from around the engine into jsutil.h r=jonco
Differential Revision: https://phabricator.services.mozilla.com/D33450
--HG--
extra : moz-landing-system : lando
---
 js/src/builtin/Array.cpp | 3 ++-
 js/src/builtin/Promise.cpp | 3 ++-
 js/src/frontend/NameFunctions.cpp | 2 +-
 js/src/gc/Marking.cpp | 5 ++++-
 js/src/jsutil.h | 7 +++++++
 js/src/vm/Iteration.cpp | 4 ++--
 js/src/vm/JSScript.cpp | 3 ++-
 js/src/vm/Scope.h | 3 ++-
 8 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/js/src/builtin/Array.cpp b/js/src/builtin/Array.cpp
index 4976a95c1442..38884068d757 100644
--- a/js/src/builtin/Array.cpp
+++ b/js/src/builtin/Array.cpp
@@ -4467,7 +4467,8 @@ void js::ArraySpeciesLookup::initialize(JSContext* cx) {
 }
 void js::ArraySpeciesLookup::reset() {
- AlwaysPoison(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
+ AlwaysPoison(this, JS_RESET_VALUE_PATTERN, sizeof(*this),
+ MemCheckKind::MakeUndefined);
 state_ = State::Uninitialized;
 }
diff --git a/js/src/builtin/Promise.cpp b/js/src/builtin/Promise.cpp
index 545b39e03c1e..2d8d204bedf6 100644
--- a/js/src/builtin/Promise.cpp
+++ b/js/src/builtin/Promise.cpp
@@ -5176,7 +5176,8 @@ void js::PromiseLookup::initialize(JSContext* cx) {
 }
 void js::PromiseLookup::reset() {
- AlwaysPoison(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
+ AlwaysPoison(this, JS_RESET_VALUE_PATTERN, sizeof(*this),
+ MemCheckKind::MakeUndefined);
 state_ = State::Uninitialized;
 }
diff --git a/js/src/frontend/NameFunctions.cpp b/js/src/frontend/NameFunctions.cpp
index 56ebfd0cfec5..dc57086bff59 100644
--- a/js/src/frontend/NameFunctions.cpp
+++ b/js/src/frontend/NameFunctions.cpp
@@ -457,7 +457,7 @@ class NameResolver : public ParseNodeVisitor {
 MOZ_ASSERT(initialParents == nparents_, "nparents imbalance detected");
 MOZ_ASSERT(parents_[initialParents] == pn, "pushed child shouldn't change underneath us");
- AlwaysPoison(&parents_[initialParents], 0xFF,
+ AlwaysPoison(&parents_[initialParents], JS_OOB_PARSE_NODE_PATTERN,
 sizeof(parents_[initialParents]), MemCheckKind::MakeUndefined);
 return ok;
diff --git a/js/src/gc/Marking.cpp b/js/src/gc/Marking.cpp
index fd93b4bb809c..8783d8f3e399 100644
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@@ -131,7 +131,10 @@ static inline bool IsThingPoisoned(T* thing) {
 JS_MOVED_TENURED_PATTERN, JS_SWEPT_TENURED_PATTERN, JS_ALLOCATED_TENURED_PATTERN, JS_FREED_HEAP_PTR_PATTERN, JS_FREED_CHUNK_PATTERN, JS_FREED_ARENA_PATTERN,
- JS_SWEPT_TI_PATTERN, JS_SWEPT_CODE_PATTERN};
+ JS_SWEPT_TI_PATTERN, JS_SWEPT_CODE_PATTERN,
+ JS_RESET_VALUE_PATTERN, JS_POISONED_JSSCRIPT_DATA_PATTERN,
+ JS_OOB_PARSE_NODE_PATTERN,
+ };
 const int numPoisonBytes = sizeof(poisonBytes) / sizeof(poisonBytes[0]);
 uint32_t* p = reinterpret_cast(reinterpret_cast(thing) + 1);
diff --git a/js/src/jsutil.h b/js/src/jsutil.h
index 2cc490ea1091..5369094bfeda 100644
--- a/js/src/jsutil.h
+++ b/js/src/jsutil.h
@@ -268,6 +268,13 @@ const uint8_t JS_FREED_CHUNK_PATTERN = 0x8B;
 const uint8_t JS_FREED_ARENA_PATTERN = 0x9B;
 const uint8_t JS_SWEPT_TI_PATTERN = 0x6F;
 const uint8_t JS_FRESH_MARK_STACK_PATTERN = 0x9F;
+const uint8_t JS_RESET_VALUE_PATTERN = 0xBB;
+const uint8_t JS_POISONED_JSSCRIPT_DATA_PATTERN = 0xDB;
+const uint8_t JS_OOB_PARSE_NODE_PATTERN = 0xFF;
+
+// Even ones
+const uint8_t JS_NEW_NATIVE_ITERATOR_PATTERN = 0xCC;
+const uint8_t JS_SCOPE_DATA_TRAILING_NAMES_PATTERN = 0xCC;
 /*
 * Ensure JS_SWEPT_CODE_PATTERN is a byte pattern that will crash immediately
diff --git a/js/src/vm/Iteration.cpp b/js/src/vm/Iteration.cpp
index 61d6bd1c00cb..ce423aedbe75 100644
--- a/js/src/vm/Iteration.cpp
+++ b/js/src/vm/Iteration.cpp
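Review bot: The poisonBytes initializer in IsThingPoisoned is now a hand-maintained subset of the patterns declared in jsutil.h, and nothing at the array states the selection rule: the three new odd-valued patterns are added, while the two 0xCC patterns introduced by the same commit and the pre-existing JS_FRESH_MARK_STACK_PATTERN (visible as context in the jsutil.h hunk) are not. If that omission is deliberate, a comment above the initializer would keep the two lists from drifting apart as more sites are converted, e.g. `// Keep in sync with the odd-valued poison patterns in jsutil.h; even-valued patterns are intentionally not matched here.` If it is not deliberate, the mark-stack pattern looks like the candidate most likely to have been missed. IsThingPoisoned begins before this hunk, so how the word at `p` is compared against each byte is not visible here.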
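Review bot: The `// Even ones` comment does not say what distinguishes the even-valued patterns from the odd ones above it, and JS_NEW_NATIVE_ITERATOR_PATTERN and JS_SCOPE_DATA_TRAILING_NAMES_PATTERN both resolve to 0xCC, so a crash dump filled with 0xCC still cannot be attributed to either site, which is the main triage payoff of naming the patterns. As far as the Marking.cpp hunk shows, only the odd patterns are checked by IsThingPoisoned, so a comment that states that rule would help, e.g. `// Even-valued patterns: not recognised by IsThingPoisoned (gc/Marking.cpp), used for memory that is overwritten before it can be observed` (the second half is inferred from the Iteration.cpp and Scope.h call sites and should be confirmed). The three new odd values 0xBB, 0xDB and 0xFF also need to be unique among the existing patterns declared above this hunk; that is worth a comment at the head of the list or a static_assert, since a collision would silently misattribute a poisoned-memory crash.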
@@ -638,8 +638,8 @@ static PropertyIteratorObject* CreatePropertyIterator(
 NativeIterator::NativeIterator() {
 // Do our best to enforce that nothing in |this| except the two fields set
 // below is ever observed.
- AlwaysPoison(static_cast(this), 0xCC, sizeof(*this),
- MemCheckKind::MakeUndefined);
+ AlwaysPoison(static_cast(this), JS_NEW_NATIVE_ITERATOR_PATTERN,
+ sizeof(*this), MemCheckKind::MakeUndefined);
 // These are the only two fields in sentinel NativeIterators that are
 // examined, in ObjectRealm::sweepNativeIterators. Everything else is
diff --git a/js/src/vm/JSScript.cpp b/js/src/vm/JSScript.cpp
index e4ad313fd1c9..465a11327ee4 100644
--- a/js/src/vm/JSScript.cpp
+++ b/js/src/vm/JSScript.cpp
@@ -4107,7 +4107,8 @@ void JSScript::finalize(FreeOp* fop) {
 if (data_) {
 size_t size = computedSizeOfData();
- AlwaysPoison(data_, 0xdb, size, MemCheckKind::MakeNoAccess);
+ AlwaysPoison(data_, JS_POISONED_JSSCRIPT_DATA_PATTERN, size,
+ MemCheckKind::MakeNoAccess);
 fop->free_(this, data_, size, MemoryUse::ScriptPrivateData);
 }
diff --git a/js/src/vm/Scope.h b/js/src/vm/Scope.h
index e02afa1526df..d771a3678e24 100644
--- a/js/src/vm/Scope.h
+++ b/js/src/vm/Scope.h
@@ -178,7 +178,8 @@ class TrailingNamesArray {
 explicit TrailingNamesArray(size_t nameCount) {
 if (nameCount) {
- AlwaysPoison(&data_, 0xCC, sizeof(BindingName) * nameCount,
+ AlwaysPoison(&data_, JS_SCOPE_DATA_TRAILING_NAMES_PATTERN,
+ sizeof(BindingName) * nameCount,
 MemCheckKind::MakeUndefined);
 }
 }