authorAndreas Kling <kling@serenityos.org>2020-10-01 20:54:36 +0200
committerAndreas Kling <kling@serenityos.org>2020-10-01 21:07:12 +0200
commitbd5abbc454552128ea3c9effce7d44cb58e86d20 (patch)
tree495969a220f3fc244fcb843a4a244dbd93188d53
parent0245e0f03a7f250652978a6c1fa577b5a789567b (diff)
downloadserenity-bd5abbc454552128ea3c9effce7d44cb58e86d20.zip
LibJS: Fix fatal mistake in HeapBlock::cell_from_possible_pointer()
When scanning for potential heap pointers during conservative GC, we look for any value that is an address somewhere inside a heap cell. However, we were failing to account for the slack at the end of a block (which occurs whenever the block storage size isn't an exact multiple of the cell size.) Pointers inside the trailing slack were misidentified as pointers into "last_cell+1". Instead of skipping over them, we would treat this garbage data as a live cell and try to mark it. I believe this is the test-js crash that has been terrorizing Travis for a while. :^)
-rw-r--r--Libraries/LibJS/Heap/HeapBlock.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/Libraries/LibJS/Heap/HeapBlock.h b/Libraries/LibJS/Heap/HeapBlock.h
index 6269ebd45d..3de49c5e28 100644
--- a/Libraries/LibJS/Heap/HeapBlock.h
+++ b/Libraries/LibJS/Heap/HeapBlock.h
@@ -64,6 +64,8 @@ public:
if (pointer < reinterpret_cast<FlatPtr>(m_storage))
return nullptr;
size_t cell_index = (pointer - reinterpret_cast<FlatPtr>(m_storage)) / m_cell_size;
+ if (cell_index >= cell_count())
+ return nullptr;
return cell(cell_index);
}
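Review bot: The added bound check has no comment explaining why an index equal to or beyond cell_count() can arise even though the pointer has already passed the lower-bound test on m_storage, and a later reader of this hot conservative-scan path may be tempted to fold it into the first check or drop it; I would add above the new `if`: `// A pointer into the trailing slack (storage size not a multiple of m_cell_size) or past the block maps to an index >= cell_count(); there is no cell there, so it must not be marked.` The one-past-the-end case (cell_index == cell_count()) is correctly rejected by `>=`, and because the first check guarantees pointer >= m_storage the subtraction cannot wrap, so the index comparison alone suffices as the upper bound. cell_count() is not visible in the hunk; it is presumably derived from the block storage size divided by m_cell_size, which is what makes this check equivalent to "pointer lies inside a whole cell" — worth confirming against its definition. The enclosing cell_from_possible_pointer() starts outside the hunk.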