Bug 1525329 - Add compartment/zone assertions to some JSObject/ShapedObject methods. r=jonco
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 07 Feb 2019 16:40:58 +0000
changeset 458253 a7b62563e1eede6bc5cd0b71dab1eea9e1e40561
parent 458252 264d828518f24be7fb5149ea1ccb66ccd30292bf
child 458254 3c6fcec3f2b21a25ca79f6532e7a1ce7afb1cf96
push id111791
push usercsabou@mozilla.com
push dateFri, 08 Feb 2019 16:20:14 +0000
reviewersjonco
bugs1525329
milestone67.0a1
Bug 1525329 - Add compartment/zone assertions to some JSObject/ShapedObject methods. r=jonco Differential Revision: https://phabricator.services.mozilla.com/D18971
js/src/vm/JSObject-inl.h
js/src/vm/Shape.cpp
js/src/vm/ShapedObject.h
--- a/js/src/vm/JSObject-inl.h
+++ b/js/src/vm/JSObject-inl.h
@@ -155,16 +155,17 @@ js::NativeObject::updateDictionaryListPo
     return makeLazyGroup(cx, obj);
   }
   return obj->group_;
 }
 
 inline void JSObject::setGroup(js::ObjectGroup* group) {
   MOZ_RELEASE_ASSERT(group);
   MOZ_ASSERT(!isSingleton());
+  MOZ_ASSERT(compartment() == group->compartment());
   group_ = group;
 }
 
 /* * */
 
 inline bool JSObject::isQualifiedVarObj() const {
   if (is<js::DebugEnvironmentProxy>()) {
     return as<js::DebugEnvironmentProxy>().environment().isQualifiedVarObj();
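Review bot: The new assertion in `setGroup` evaluates `compartment()` on the object before `group_` is overwritten, so it compares the compartment derived from the old group with that of the incoming `group`; that is the right order for a setter, but nothing in the hunk says so, and a reader may wonder whether the check is meaningful once `group_` changes. A one-line comment stating the invariant would help: `// An object and its group must live in the same compartment; compartment() still reflects the old group here.` The preceding `MOZ_RELEASE_ASSERT(group)` guarantees the dereference of `group` is safe. Note that `MOZ_ASSERT` is debug-only, so a mismatch in release builds is not caught here, which presumably matches the intent of this commit.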
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -1445,16 +1445,18 @@ static void AssertValidArrayIndex(Native
     entry->setPreservingCollision(newShape);
   }
   return newShape;
 }
 
 /* static */ bool JSObject::setFlags(JSContext* cx, HandleObject obj,
                                      BaseShape::Flag flags,
                                      GenerateShape generateShape) {
+  MOZ_ASSERT(cx->compartment() == obj->compartment());
+
   if (obj->hasAllFlags(flags)) {
     return true;
   }
 
   Shape* existingShape = obj->ensureShape(cx);
   if (!existingShape) {
     return false;
   }
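Review bot: The new `cx->compartment() == obj->compartment()` check in `setFlags` is placed before the `hasAllFlags` early return, so it also fires on the no-op path; that looks deliberate but is easy to undo in a later refactor, so a short comment would protect it: `// Checked before the early return on purpose: the caller must be in obj's compartment even when no flag changes.` The rest of `setFlags` continues outside the hunk, so whether later code relies on this precondition cannot be confirmed from here. As with the other assertions in this commit, `MOZ_ASSERT` is debug-only.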
--- a/js/src/vm/ShapedObject.h
+++ b/js/src/vm/ShapedObject.h
@@ -39,19 +39,26 @@ class ShapedObject : public JSObject {
     return reinterpret_cast<GCPtrShape*>(&(this->shapeOrExpando_));
   }
 
  public:
   // Set the shape of an object. This pointer is valid for native objects and
   // some non-native objects. After creating an object, the objects for which
   // the shape pointer is invalid need to overwrite this pointer before a GC
   // can occur.
-  void initShape(Shape* shape) { shapeRef().init(shape); }
-
-  void setShape(Shape* shape) { shapeRef() = shape; }
+  void initShape(Shape* shape) {
+    // Note: JSObject::zone() uses the group and we require it to be
+    // initialized before the shape.
+    MOZ_ASSERT(zone() == shape->zone());
+    shapeRef().init(shape);
+  }
+  void setShape(Shape* shape) {
+    MOZ_ASSERT(zone() == shape->zone());
+    shapeRef() = shape;
+  }
   Shape* shape() const { return shapeRef(); }
 
   void traceShape(JSTracer* trc) { TraceEdge(trc, shapePtr(), "shape"); }
 
   static JSObject* fromShapeFieldPointer(uintptr_t p) {
     return reinterpret_cast<JSObject*>(p - ShapedObject::offsetOfShape());
   }