Bug 1410276 - Add a canary field to nsStringBuffer r=bz

This version of the patch hopefully causes fewer performance regressions. It might be good to apply this and catch some more assertions.
2017-11-09 15:17:35 +11:00
parent f6977620cf
commit e6f4fe0467
2 changed files with 66 additions and 1 deletions
--- a/xpcom/string/nsSubstring.cpp
+++ b/xpcom/string/nsSubstring.cpp
@@ -20,6 +20,7 @@
 #include "nsString.h"
 #include "nsStringBuffer.h"
 #include "nsDependentString.h"
+#include "nsPrintfCString.h"
 #include "nsMemory.h"
 #include "prprf.h"
 #include "nsStaticAtom.h"
@@ -36,6 +37,19 @@
 #include <unistd.h>
 #endif

+#ifdef STRING_BUFFER_CANARY
+#define CHECK_STRING_BUFFER_CANARY(c)                                     \
+  do {                                                                    \
+    if ((c) != CANARY_OK) {                                               \
+      MOZ_CRASH_UNSAFE_PRINTF("Bad canary value %d", c);                  \
+    }                                                                     \
+  } while(0)
+#else
+#define CHECK_STRING_BUFFER_CANARY(c)                                     \
+  do {                                                                    \
+  } while(0)
+#endif
+
 using mozilla::Atomic;

 // ---------------------------------------------------------------------------
@@ -205,6 +219,8 @@ nsStringBuffer::AddRef()
 void
 nsStringBuffer::Release()
 {
+  CHECK_STRING_BUFFER_CANARY(mCanary);
+
  // Since this may be the last release on this thread, we need
  // release semantics so that prior writes on this thread are visible
  // to the thread that destroys the object when it reads mValue with
@@ -217,6 +233,9 @@ nsStringBuffer::Release()
    // the last release on other threads, that is, to ensure that
    // writes prior to that release are now visible on this thread.
    count = mRefCount.load(std::memory_order_acquire);
+#ifdef STRING_BUFFER_CANARY
+    mCanary = CANARY_POISON;
+#endif

    STRING_STAT_INCREMENT(Free);
    free(this); // we were allocated with |malloc|
@@ -241,6 +260,9 @@ nsStringBuffer::Alloc(size_t aSize)

    hdr->mRefCount = 1;
    hdr->mStorageSize = aSize;
+#ifdef STRING_BUFFER_CANARY
+    hdr->mCanary = CANARY_OK;
+#endif
    NS_LOG_ADDREF(hdr, 1, "nsStringBuffer", sizeof(*hdr));
  }
  return dont_AddRef(hdr);
@@ -251,6 +273,7 @@ nsStringBuffer::Realloc(nsStringBuffer* aHdr, size_t aSize)
 {
  STRING_STAT_INCREMENT(Realloc);

+  CHECK_STRING_BUFFER_CANARY(aHdr->mCanary);
  NS_ASSERTION(aSize != 0, "zero capacity allocation not allowed");
  NS_ASSERTION(sizeof(nsStringBuffer) + aSize <= size_t(uint32_t(-1)) &&
               sizeof(nsStringBuffer) + aSize > aSize,
@@ -349,6 +372,14 @@ nsStringBuffer::SizeOfIncludingThisEvenIfShared(mozilla::MallocSizeOf aMallocSiz
  return aMallocSizeOf(this);
 }

+#ifdef STRING_BUFFER_CANARY
+void
+nsStringBuffer::FromDataCanaryCheckFailed() const
+{
+  MOZ_CRASH_UNSAFE_PRINTF("Bad canary value %d in FromData", mCanary);
+}
+#endif
+
 // ---------------------------------------------------------------------------

 // define nsAString