Bug 1333757 - Add some asserts to slot-setting functions on JSFunction and NativeObject. r=jonco

MozReview-Commit-ID: ItTgatvPsbJ
2017-01-25 14:50:01 +01:00 · 2017-01-25 14:50:01 +01:00 · b84f01d03a
--- a/js/src/jsfun.h
+++ b/js/src/jsfun.h
@ -811,6 +811,9 @@ inline void
 JSFunction::initExtendedSlot(size_t which, const js::Value& val)
 {
    MOZ_ASSERT(which < mozilla::ArrayLength(toExtended()->extendedSlots));
+    MOZ_ASSERT_IF(js::IsMarkedBlack(this) && val.isGCThing(),
+                  !JS::GCThingIsMarkedGray(JS::GCCellPtr(val)));
+    MOZ_ASSERT(js::IsObjectValueInCompartment(val, compartment()));
    toExtended()->extendedSlots[which].init(val);
 }

@ -820,6 +823,7 @@ JSFunction::setExtendedSlot(size_t which, const js::Value& val)
    MOZ_ASSERT(which < mozilla::ArrayLength(toExtended()->extendedSlots));
    MOZ_ASSERT_IF(js::IsMarkedBlack(this) && val.isGCThing(),
                  !JS::GCThingIsMarkedGray(JS::GCCellPtr(val)));
+    MOZ_ASSERT(js::IsObjectValueInCompartment(val, compartment()));
    toExtended()->extendedSlots[which] = val;
 }

--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@ -1380,6 +1380,17 @@ SpeciesConstructor(JSContext* cx, HandleObject obj, JSProtoKey ctorKey, MutableH
 extern bool
 GetObjectFromIncumbentGlobal(JSContext* cx, MutableHandleObject obj);

+
+#ifdef DEBUG
+inline bool
+IsObjectValueInCompartment(const Value& v, JSCompartment* comp)
+{
+    if (!v.isObject())
+        return true;
+    return v.toObject().compartment() == comp;
+}
+#endif
+
 }  /* namespace js */

 #endif /* jsobj_h */
--- a/js/src/vm/NativeObject.h
+++ b/js/src/vm/NativeObject.h
@ -333,11 +333,6 @@ class Shape;

 class NewObjectCache;

-#ifdef DEBUG
-static inline bool
-IsObjectValueInCompartment(const Value& v, JSCompartment* comp);
-#endif
-
 // Operations which change an object's dense elements can either succeed, fail,
 // or be unable to complete. For native objects, the latter is used when the
 // object's elements must become sparse instead. The enum below is used for
@ -934,11 +929,13 @@ class NativeObject : public ShapedObject

    void setFixedSlot(uint32_t slot, const Value& value) {
        MOZ_ASSERT(slot < numFixedSlots());
+        MOZ_ASSERT(IsObjectValueInCompartment(value, compartment()));
        fixedSlots()[slot].set(this, HeapSlot::Slot, slot, value);
    }

    void initFixedSlot(uint32_t slot, const Value& value) {
        MOZ_ASSERT(slot < numFixedSlots());
+        MOZ_ASSERT(IsObjectValueInCompartment(value, compartment()));
        fixedSlots()[slot].init(this, HeapSlot::Slot, slot, value);
    }

@ -1340,16 +1337,6 @@ NativeObject::privateWriteBarrierPre(void** oldval)
        getClass()->doTrace(shadowZone->barrierTracer(), this);
 }

-#ifdef DEBUG
-static inline bool
-IsObjectValueInCompartment(const Value& v, JSCompartment* comp)
-{
-    if (!v.isObject())
-        return true;
-    return v.toObject().compartment() == comp;
-}
-#endif
-

 /*** Standard internal methods *******************************************************************/