From c39e62c31228008f22c1dd274aaadc94ce5b3988 Mon Sep 17 00:00:00 2001
From: Jon Coppeard <jcoppeard@mozilla.com>
Date: Mon, 27 Sep 2021 16:41:53 +0000
Subject: [PATCH] Bug 1730534 - Part 4: Assert that there's only one
 JSHolderMap::Iter at any time r=mccr8

This iterator can update the map for removed items so it's not safe to have
more than one live at any one time.

Differential Revision: https://phabricator.services.mozilla.com/D125431
---
 xpcom/base/CycleCollectedJSRuntime.cpp |  3 +++
 xpcom/base/CycleCollectedJSRuntime.h   | 10 ++++++++++
 2 files changed, 13 insertions(+)

diff --git a/xpcom/base/CycleCollectedJSRuntime.cpp b/xpcom/base/CycleCollectedJSRuntime.cpp
index b9716aa28985..df0160df1d4e 100644
--- a/xpcom/base/CycleCollectedJSRuntime.cpp
+++ b/xpcom/base/CycleCollectedJSRuntime.cpp
@@ -500,6 +500,9 @@ void JSHolderMap::EntryVectorIter::Settle() {
 
 inline JSHolderMap::Iter::Iter(JSHolderMap& aMap, WhichHolders aWhich)
     : mHolderMap(aMap), mIter(aMap, aMap.mAnyZoneJSHolders) {
+  MOZ_RELEASE_ASSERT(!mHolderMap.mHasIterator);
+  mHolderMap.mHasIterator = true;
+
   // Populate vector of zones to iterate after the any-zone holders.
   for (auto i = aMap.mPerZoneJSHolders.iter(); !i.done(); i.next()) {
     JS::Zone* zone = i.get().key();
diff --git a/xpcom/base/CycleCollectedJSRuntime.h b/xpcom/base/CycleCollectedJSRuntime.h
index 13720a244f48..ac8dd90f35c5 100644
--- a/xpcom/base/CycleCollectedJSRuntime.h
+++ b/xpcom/base/CycleCollectedJSRuntime.h
@@ -93,6 +93,7 @@ class JSHolderMap {
   class Iter;
 
   JSHolderMap();
+  ~JSHolderMap() { MOZ_RELEASE_ASSERT(!mHasIterator); }
 
   bool Has(void* aHolder) const;
   nsScriptObjectTracer* Get(void* aHolder) const;
@@ -139,6 +140,10 @@ class JSHolderMap {
   // Currently this will only contain wrapper cache wrappers since these are the
   // only holders to pass a zone parameter through to AddJSHolder.
   EntryVectorMap mPerZoneJSHolders;
+
+  // Iterators can mutate the element vectors by removing stale elements. Allow
+  // at most one to exist at a time.
+  bool mHasIterator = false;
 };
 
 // An iterator over an EntryVector that skips over removed entries and removes
@@ -174,6 +179,11 @@ class JSHolderMap::Iter {
  public:
   explicit Iter(JSHolderMap& aMap, WhichHolders aWhich = AllHolders);
 
+  ~Iter() {
+    MOZ_RELEASE_ASSERT(mHolderMap.mHasIterator);
+    mHolderMap.mHasIterator = false;
+  }
+
   bool Done() const { return mIter.Done(); }
   const Entry& Get() const { return mIter.Get(); }
   void Next() {