LibJS: Fix fatal mistake in HeapBlock::cell_from_possible_pointer()

When scanning for potential heap pointers during conservative GC,
we look for any value that is an address somewhere inside a heap cell.

However, we were failing to account for the slack at the end of a
block (which occurs whenever the block storage size isn't an exact
multiple of the cell size). Pointers inside the trailing slack were
misidentified as pointers into "last_cell+1".

Instead of skipping over them, we would treat this garbage data as a
live cell and try to mark it. I believe this is the test-js crash that
has been terrorizing Travis for a while. :^)
Andreas Kling 2020-10-01 20:54:36 +02:00
commit bd5abbc454
Notes: sideshowbarker 2024-07-19 02:06:55 +09:00
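The slack case the message describes, as an added example that is not SerenityOS code: a minimal stand-in for a HeapBlock (assumed names `storage_size`, `storage_begin()`, `slack_bytes()`) with the pre-fix lookup reconstructed from the hunk header's two-line delta beside the fixed one.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

using FlatPtr = uintptr_t;

struct Cell { int payload; };

// Constructed stand-in for a LibJS HeapBlock; not the project's own class.
class HeapBlock {
public:
    // Constructed: 100 bytes is deliberately not a multiple of the cell size,
    // so the block ends with a few bytes of slack that hold no cell.
    static constexpr size_t storage_size = 100;

    explicit HeapBlock(size_t cell_size) : m_cell_size(cell_size) { memset(m_storage, 0, sizeof(m_storage)); }

    size_t cell_count() const { return storage_size / m_cell_size; }
    size_t slack_bytes() const { return storage_size - cell_count() * m_cell_size; }
    FlatPtr storage_begin() const { return reinterpret_cast<FlatPtr>(m_storage); }
    Cell* cell(size_t index) { return reinterpret_cast<Cell*>(&m_storage[index * m_cell_size]); }

    // Assumed pre-fix behaviour: a pointer into the trailing slack yields
    // cell_index == cell_count(), i.e. the bogus "last_cell+1".
    Cell* cell_from_possible_pointer_unchecked(FlatPtr pointer) {
        if (pointer < reinterpret_cast<FlatPtr>(m_storage))
            return nullptr;
        size_t cell_index = (pointer - reinterpret_cast<FlatPtr>(m_storage)) / m_cell_size;
        return cell(cell_index);
    }

    // Post-fix behaviour: indices at or past cell_count() are not cells.
    Cell* cell_from_possible_pointer(FlatPtr pointer) {
        if (pointer < reinterpret_cast<FlatPtr>(m_storage))
            return nullptr;
        size_t cell_index = (pointer - reinterpret_cast<FlatPtr>(m_storage)) / m_cell_size;
        if (cell_index >= cell_count())
            return nullptr;
        return cell(cell_index);
    }

private:
    size_t m_cell_size;
    alignas(16) uint8_t m_storage[storage_size];
};
```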


@ -64,6 +64,8 @@ public:
if (pointer < reinterpret_cast<FlatPtr>(m_storage))
return nullptr;
size_t cell_index = (pointer - reinterpret_cast<FlatPtr>(m_storage)) / m_cell_size;
if (cell_index >= cell_count())
return nullptr;
return cell(cell_index);
}
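Review bot: The added `if (cell_index >= cell_count()) return nullptr;` is the right guard for the trailing-slack case (the header's 6-to-8 line delta shows this is the only change): before it, a pointer into the slack computed `cell_index == cell_count()` and `cell(cell_index)` returned the address one past the last real cell, which the marker then treated as live. It reads like an ordinary bounds check, so a one-line comment saying that slack bytes past the last cell are not cells would help the next reader, and a test-js case with a stack value pointing into the slack of a block whose storage size is not a multiple of the cell size would pin the regression down.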