From b84f01d03a2ba70e09882a3422e3e64054892ab2 Mon Sep 17 00:00:00 2001
From: Till Schneidereit
Date: Wed, 25 Jan 2017 14:50:01 +0100
Subject: [PATCH] Bug 1333757 - Add some asserts to slot-setting functions on JSFunction and NativeObject. r=jonco

MozReview-Commit-ID: ItTgatvPsbJ
---
 js/src/jsfun.h           |  4 ++++
 js/src/jsobj.h           | 11 +++++++++++
 js/src/vm/NativeObject.h | 17 ++---------------
 3 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/js/src/jsfun.h b/js/src/jsfun.h
index 76e9726bd027..145b483ccc4a 100644
--- a/js/src/jsfun.h
+++ b/js/src/jsfun.h
@@ -811,6 +811,9 @@ inline void
 JSFunction::initExtendedSlot(size_t which, const js::Value& val)
 {
     MOZ_ASSERT(which < mozilla::ArrayLength(toExtended()->extendedSlots));
+    MOZ_ASSERT_IF(js::IsMarkedBlack(this) && val.isGCThing(),
+                  !JS::GCThingIsMarkedGray(JS::GCCellPtr(val)));
+    MOZ_ASSERT(js::IsObjectValueInCompartment(val, compartment()));
     toExtended()->extendedSlots[which].init(val);
 }
 
@@ -820,6 +823,7 @@ JSFunction::setExtendedSlot(size_t which, const js::Value& val)
     MOZ_ASSERT(which < mozilla::ArrayLength(toExtended()->extendedSlots));
     MOZ_ASSERT_IF(js::IsMarkedBlack(this) && val.isGCThing(),
                   !JS::GCThingIsMarkedGray(JS::GCCellPtr(val)));
+    MOZ_ASSERT(js::IsObjectValueInCompartment(val, compartment()));
     toExtended()->extendedSlots[which] = val;
 }
 
diff --git a/js/src/jsobj.h b/js/src/jsobj.h
index 6404989954b2..7b1c86935591 100644
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@@ -1380,6 +1380,17 @@ SpeciesConstructor(JSContext* cx, HandleObject obj, JSProtoKey ctorKey, MutableH
 extern bool
 GetObjectFromIncumbentGlobal(JSContext* cx, MutableHandleObject obj);
 
+
+#ifdef DEBUG
+inline bool
+IsObjectValueInCompartment(const Value& v, JSCompartment* comp)
+{
+    if (!v.isObject())
+        return true;
+    return v.toObject().compartment() == comp;
+}
+#endif
+
 } /* namespace js */
 
 #endif /* jsobj_h */
diff --git a/js/src/vm/NativeObject.h b/js/src/vm/NativeObject.h
index 5147c2246a72..3eb90aa35050 100644
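Review bot: The compartment check added to initExtendedSlot is a MOZ_ASSERT, so it fires only in debug builds; a release build still accepts an object from another compartment stored straight into the slot, which is the invariant that keeps compartments isolated from one another. That is a reasonable cost trade-off for a per-write check, but neither new assert says what it guards, and the reader has to reconstruct it from the helper names. I would put one comment above the two new lines, `// Debug-only invariants: a black function must not point at a gray GC thing, and extended slots must not hold objects from another compartment (if such references are expected to go through cross-compartment wrappers, say so here).` The same comment applies to the sibling change in setExtendedSlot in the next hunk. initExtendedSlot is complete within this hunk.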
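Review bot: IsObjectValueInCompartment returns true for every non-object value without saying whether strings, symbols and other GC things are exempt on purpose or merely unchecked, and now that asserts in two files route through it the exemption deserves a sentence. I would comment the helper, `// Debug-only helper for slot-write asserts: an object value must belong to |comp|; non-object values (including strings and symbols) are not checked and always pass.`, and add the reason they are exempt if that is deliberate rather than an omission. As a point of style, the helper is now plain `inline` where the copy being removed from NativeObject.h was `static inline`; in a header that is the better choice, since every translation unit then shares one definition instead of getting its own internal-linkage copy.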
--- a/js/src/vm/NativeObject.h
+++ b/js/src/vm/NativeObject.h
@@ -333,11 +333,6 @@ class Shape;
 
 class NewObjectCache;
 
-#ifdef DEBUG
-static inline bool
-IsObjectValueInCompartment(const Value& v, JSCompartment* comp);
-#endif
-
 // Operations which change an object's dense elements can either succeed, fail,
 // or be unable to complete. For native objects, the latter is used when the
 // object's elements must become sparse instead. The enum below is used for
@@ -934,11 +929,13 @@ class NativeObject : public ShapedObject
 
     void setFixedSlot(uint32_t slot, const Value& value) {
         MOZ_ASSERT(slot < numFixedSlots());
+        MOZ_ASSERT(IsObjectValueInCompartment(value, compartment()));
         fixedSlots()[slot].set(this, HeapSlot::Slot, slot, value);
     }
 
     void initFixedSlot(uint32_t slot, const Value& value) {
         MOZ_ASSERT(slot < numFixedSlots());
+        MOZ_ASSERT(IsObjectValueInCompartment(value, compartment()));
         fixedSlots()[slot].init(this, HeapSlot::Slot, slot, value);
     }
 
@@ -1340,16 +1337,6 @@ NativeObject::privateWriteBarrierPre(void** oldval)
     getClass()->doTrace(shadowZone->barrierTracer(), this);
 }
 
-#ifdef DEBUG
-static inline bool
-IsObjectValueInCompartment(const Value& v, JSCompartment* comp)
-{
-    if (!v.isObject())
-        return true;
-    return v.toObject().compartment() == comp;
-}
-#endif
-
 /*** Standard internal methods *******************************************************************/
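Review bot: The compartment assert lands only in the two fixed-slot writers, and from this hunk I cannot see whether the dynamic-slot and dense-element stores (the slot >= numFixedSlots() path of setSlot/initSlot, setDenseElement and friends) funnel through setFixedSlot/initFixedSlot or write their own HeapSlot directly. If they write directly, the same `MOZ_ASSERT(IsObjectValueInCompartment(value, compartment()));` belongs in each of them too, otherwise a cross-compartment object can still land in a slot unnoticed by the very path the debug check is meant to cover. Both methods are complete within the hunk; the enclosing class NativeObject starts and ends outside it.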