tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

commit 0d38313cbfba7a0521b91fcca779eca3e228cf75
parent 66c4c04e8c047af3c5bb1aac5f01e957bbc6a33f
Author: Jon Coppeard <jcoppeard@mozilla.com>
Date:   Wed, 15 Oct 2025 16:29:30 +0000

Bug 1994375 - Poison buffer allocations r=sfink

This uses DebugOnlyPoison, the same as GC cells allocated by FreeSpan::allocate.

Differential Revision: https://phabricator.services.mozilla.com/D268666

Diffstat:
M js/src/gc/BufferAllocator.cpp | 4 ++++
M js/src/util/Poison.h          | 1 +
2 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/js/src/gc/BufferAllocator.cpp b/js/src/gc/BufferAllocator.cpp @@ -2131,6 +2131,10 @@ void* BufferAllocator::bumpAlloc(size_t bytes, size_t sizeClass, void* ptr = allocFromRegion(region, bytes, sizeClass); updateFreeListsAfterAlloc(&freeLists.ref(), region, sizeClass); + + DebugOnlyPoison(ptr, JS_ALLOCATED_BUFFER_PATTERN, bytes, + MemCheckKind::MakeUndefined); + return ptr; } diff --git a/js/src/util/Poison.h b/js/src/util/Poison.h @@ -66,6 +66,7 @@ const uint8_t JS_FREED_CHUNK_PATTERN = 0x8B; const uint8_t JS_FREED_ARENA_PATTERN = 0x9B; const uint8_t JS_FRESH_MARK_STACK_PATTERN = 0x9F; const uint8_t JS_FREED_BUFFER_PATTERN = 0xAB; +const uint8_t JS_ALLOCATED_BUFFER_PATTERN = 0xAD; const uint8_t JS_RESET_VALUE_PATTERN = 0xBB; const uint8_t JS_POISONED_JSSCRIPT_DATA_PATTERN = 0xDB; const uint8_t JS_OOB_PARSE_NODE_PATTERN = 0xFF;
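Review bot: in the BufferAllocator.cpp hunk the poison extent is `bytes`, while the block is carved out by `allocFromRegion(region, bytes, sizeClass)` and the free lists are updated per `sizeClass`; if the region hands out size-class-rounded blocks, the tail between `bytes` and the size-class size stays unpoisoned and in a crash dump is indistinguishable from stale JS_FREED_BUFFER_PATTERN or never-touched memory. Either poison the full size-class block or add a comment stating that only the requested bytes are poisoned on purpose. Two smaller points: `ptr` goes straight into `DebugOnlyPoison(ptr, JS_ALLOCATED_BUFFER_PATTERN, bytes, MemCheckKind::MakeUndefined)` with no null check in the visible context, so confirm `allocFromRegion` cannot fail on this path; and since the stated aim is parity with FreeSpan::allocate, any other BufferAllocator allocation paths outside this hunk should get the same call for consistency. `MemCheckKind::MakeUndefined` is the right kind here, as the bytes are freshly allocated and should read as undefined to memory checkers.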
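Review bot: in the Poison.h hunk the new constant would benefit from a short trailing comment saying what it fills (freshly allocated BufferAllocator memory, debug builds only), since the header gives no hint which patterns are debug-only and a reader seeing 0xAD bytes in a dump has to grep for the name. The value itself is well chosen: 0xAD is distinct from every pattern visible in the context (0x8B, 0x9B, 0x9F, 0xAB, 0xBB, 0xDB, 0xFF), keeps the list in ascending order, sits next to JS_FREED_BUFFER_PATTERN (0xAB) so the allocated and freed states of buffer memory are easy to tell apart, and is odd like every other value in the list, so a pointer-sized run of it (0xADAD...) is misaligned and faults rather than dereferencing quietly.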