Bug 1444604 - Part 1: Check for overrunning the LiveSavedFrameCache even in release builds. r=jorendorff, a=RyanVM
author Jim Blandy <jimb@mozilla.com>
Mon, 12 Mar 2018 18:08:57 -0700
changeset 776175 6d530e6cb06d0249ef87b91ad76a471f3a31d716
parent 776174 23754ad53136c686390597f2ed0228db3013ea21
child 776176 2d48365acd9fb569b6d180e06e26bad9a5b78601
push id 104821
push user bmo:rrosario@mozilla.com
push date Mon, 02 Apr 2018 18:45:53 +0000
reviewers jorendorff, RyanVM
bugs 1444604
milestone 60.0
Bug 1444604 - Part 1: Check for overrunning the LiveSavedFrameCache even in release builds. r=jorendorff, a=RyanVM

The LiveSavedFrameCache's invariant that every frame with its hasCachedSavedFrame bit set has an entry in the cache should ensure that LiveSavedFrameCache::find never runs off the bottom of the cache. But we should check for an empty cache even in release builds, so that violations of this invariant don't cause unconstrained memory accesses.

MozReview-Commit-ID: 1b9vx9nvVeY
js/src/vm/SavedStacks.cpp
--- a/js/src/vm/SavedStacks.cpp
+++ b/js/src/vm/SavedStacks.cpp
@@ -135,17 +135,17 @@ LiveSavedFrameCache::find(JSContext* cx,
         // since we're going to push new cache entries for all frames younger
         // than frameIter, we must pop it anyway.
         frames->popBack();
 
         // If the frame's bit was set, the frame should always have an entry in
         // the cache. (If we purged the entire cache because its SavedFrames had
         // been captured for a different compartment, then we would have
         // returned early above.)
-        MOZ_ASSERT(!frames->empty());
+        MOZ_ALWAYS_TRUE(!frames->empty());
     }
 
     // The youngest valid frame may have run some code, so its current pc may
     // not match its cache entry's pc. In this case, just treat it as a miss. No
     // older frame has executed any code; it would have been necessary to pop
     // this frame for that to happen, but this frame's bit is set.
     if (pc != frames->back().pc) {
         frames->popBack();
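Review bot: the replacement `MOZ_ALWAYS_TRUE(!frames->empty());` does not give the release-build check the commit message asks for. In MFBT, MOZ_ALWAYS_TRUE only asserts in DEBUG builds; in release builds it evaluates the expression and discards the result, so an empty cache still falls through to `frames->back().pc` a few lines below, which is exactly the unconstrained read the message wants to rule out. `MOZ_RELEASE_ASSERT(!frames->empty());` is the macro that aborts in release builds as well. Since the rest of this function uses MOZ_ASSERT, it would also help to extend the comment above the check with a sentence saying the check is deliberately kept in release builds, so a later cleanup does not downgrade it back to MOZ_ASSERT.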