Bug 1403397 - Add a testing API. r=bz,r=Manishearth

This will allow us to verify the entire detection pipeline in real nightly builds, which will give us confidence that real heap corruption will be detected and reported properly. MozReview-Commit-ID: 43Fp2HT8RYy
2017-09-27 23:20:47 -07:00 · 2017-09-27 23:20:47 -07:00 · bd4be52f46
--- a/dom/base/ChromeUtils.cpp
+++ b/dom/base/ChromeUtils.cpp
@ -326,5 +326,20 @@ ChromeUtils::IsOriginAttributesEqual(const dom::OriginAttributesDictionary& aA,
         aA.mPrivateBrowsingId == aB.mPrivateBrowsingId;
 }

+/* static */ void
+ChromeUtils::CorruptRuleHashAndCrash(GlobalObject& aGlobal,
+                                     unsigned long aIndex)
+{
+  nsCOMPtr<nsPIDOMWindowInner> win = do_QueryInterface(aGlobal.GetAsSupports());
+  NS_ENSURE_TRUE_VOID(win);
+  nsIDocument* doc = win->GetExtantDoc();
+  NS_ENSURE_TRUE_VOID(doc);
+  nsIPresShell* shell = doc->GetShell();
+  NS_ENSURE_TRUE_VOID(shell);
+  NS_ENSURE_TRUE_VOID(shell->StyleSet() && shell->StyleSet()->IsServo());
+  ServoStyleSet* set = shell->StyleSet()->AsServo();
+  set->CorruptRuleHashAndCrash(aIndex);
+}
+
 } // namespace dom
 } // namespace mozilla
--- a/dom/base/ChromeUtils.h
+++ b/dom/base/ChromeUtils.h
@ -145,6 +145,9 @@ public:
                           JS::HandleObject aTarget,
                           JS::MutableHandleObject aRetval,
                           ErrorResult& aRv);
+
+  static void CorruptRuleHashAndCrash(GlobalObject& aGlobal,
+                                      unsigned long aIndex);
 };

 } // namespace dom
--- a/dom/webidl/ChromeUtils.webidl
+++ b/dom/webidl/ChromeUtils.webidl
@ -101,6 +101,12 @@ interface ChromeUtils : ThreadSafeChromeUtils {
   */
  [Throws]
  static object shallowClone(object obj, optional object? target = null);
+
+  /**
+   * Temporary testing method to verify that nightly builds will crash when
+   * the rulehash is corrupted. See bug 1403397.
+   */
+  static void corruptRuleHashAndCrash(unsigned long index);
 };

 /**
--- a/layout/style/ServoBindingList.h
+++ b/layout/style/ServoBindingList.h
@ -673,6 +673,10 @@ SERVO_BINDING_FUNC(Servo_ReleaseArcStringData, void,
 SERVO_BINDING_FUNC(Servo_CloneArcStringData, mozilla::ServoRawOffsetArc<RustString>,
                   const mozilla::ServoRawOffsetArc<RustString>* string);

+SERVO_BINDING_FUNC(Servo_CorruptRuleHashAndCrash, void,
+                   RawServoStyleSetBorrowed set,
+                   size_t index);
+
 // AddRef / Release functions
 #define SERVO_ARC_TYPE(name_, type_)                                \
  SERVO_BINDING_FUNC(Servo_##name_##_AddRef, void, type_##Borrowed) \
--- a/layout/style/ServoStyleSet.cpp
+++ b/layout/style/ServoStyleSet.cpp
@ -1571,6 +1571,13 @@ ServoStyleSet::ReparentStyleContext(ServoStyleContext* aStyleContext,
                             aElement, mRawSet.get()).Consume();
 }

+void
+ServoStyleSet::CorruptRuleHashAndCrash(unsigned long aIndex)
+{
+  Servo_CorruptRuleHashAndCrash(mRawSet.get(), (size_t) aIndex);
+
+}
+
 NS_IMPL_ISUPPORTS(UACacheReporter, nsIMemoryReporter)

 MOZ_DEFINE_MALLOC_SIZE_OF(ServoUACacheMallocSizeOf)
--- a/layout/style/ServoStyleSet.h
+++ b/layout/style/ServoStyleSet.h
@ -481,6 +481,11 @@ public:
                       ServoStyleContext* aNewLayoutParent,
                       Element* aElement);

+  /**
+   * Temporary testing method. See bug 1403397.
+   */
+  void CorruptRuleHashAndCrash(unsigned long aIndex);
+
 private:
  friend class AutoSetInServoTraversal;
  friend class AutoPrepareTraversal;