new way to track actor bad memory access

source/quickjs-internal.h

@@ -98,9 +98,9 @@
 #include <sys/mman.h>
 #include <unistd.h>
 
-#define POISON_HEAP
-/* POISON_HEAP: Use ASan's memory poisoning to detect stale pointer access */
-#ifdef POISON_HEAP
+/* HEAP_CHECK: validate heap pointers at JS_VALUE_GET_* macros */
+// #define HEAP_CHECK
+
 #if defined(__has_feature)
   #if __has_feature(address_sanitizer)
     #define HAVE_ASAN 1
@@ -109,22 +109,6 @@
   #define HAVE_ASAN 1
 #endif
 
-#ifdef HAVE_ASAN
-#include <sanitizer/asan_interface.h>
-#define gc_poison_region(addr, size) __asan_poison_memory_region((addr), (size))
-#define gc_unpoison_region(addr, size) __asan_unpoison_memory_region((addr), (size))
-#else
-/* Fallback: no-op when not building with ASan */
-#define gc_poison_region(addr, size) ((void)0)
-#define gc_unpoison_region(addr, size) ((void)0)
-#endif
-
-static inline size_t poison_page_align(size_t size) {
-  size_t ps = (size_t)sysconf(_SC_PAGESIZE);
-  return (size + ps - 1) & ~(ps - 1);
-}
-#endif /* POISON_HEAP */
-
 #ifdef HAVE_ASAN
 static struct JSContext *__asan_js_ctx;
 #endif
@@ -303,14 +287,27 @@ typedef enum JSErrorEnum {
 
 /* Forward declaration for bytecode freeing */
 
+#define JS_VALUE_GET_BLOB(v) ((JSBlob *)JS_VALUE_GET_PTR (v))
+#define JS_VALUE_GET_CODE(v) (JS_VALUE_GET_PTR (v))
+
+#ifdef HEAP_CHECK
+void heap_check_fail(void *ptr, struct JSContext *ctx);
+#define JS_VALUE_GET_ARRAY(v) ((JSArray *)heap_check_chase(ctx, v))
+#define JS_VALUE_GET_OBJ(v) ((JSRecord *)heap_check_chase(ctx, v))
+#define JS_VALUE_GET_TEXT(v) ((JSText *)heap_check_chase(ctx, v))
+#define JS_VALUE_GET_FUNCTION(v) ((JSFunction *)heap_check_chase(ctx, v))
+#define JS_VALUE_GET_FRAME(v) ((JSFrame *)heap_check_chase(ctx, v))
+#define JS_VALUE_GET_STRING(v) ((JSText *)heap_check_chase(ctx, v))
+#define JS_VALUE_GET_RECORD(v) ((JSRecord *)heap_check_chase(ctx, v))
+#else
 #define JS_VALUE_GET_ARRAY(v) ((JSArray *)chase (v))
 #define JS_VALUE_GET_OBJ(v) ((JSRecord *)chase (v))
 #define JS_VALUE_GET_TEXT(v) ((JSText *)chase (v))
-#define JS_VALUE_GET_BLOB(v) ((JSBlob *)JS_VALUE_GET_PTR (v))
 #define JS_VALUE_GET_FUNCTION(v) ((JSFunction *)chase (v))
 #define JS_VALUE_GET_FRAME(v) ((JSFrame *)chase (v))
-#define JS_VALUE_GET_CODE(v) (JS_VALUE_GET_PTR (v))
 #define JS_VALUE_GET_STRING(v) ((JSText *)chase (v))
+#define JS_VALUE_GET_RECORD(v) ((JSRecord *)chase (v))
+#endif
 
 /* Compatibility: JS_TAG_STRING is an alias for text type checks */
 #define JS_TAG_STRING JS_TAG_STRING_IMM
@@ -1219,6 +1216,17 @@ static inline int is_ct_ptr (JSContext *ctx, void *ptr) {
   return (uint8_t *)ptr >= ctx->ct_base && (uint8_t *)ptr < ctx->ct_end;
 }
 
+#ifdef HEAP_CHECK
+static inline objhdr_t *heap_check_chase(JSContext *ctx, JSValue v) {
+  objhdr_t *oh = chase(v);
+  uint8_t *p = (uint8_t *)oh;
+  if (!((p >= ctx->heap_base && p < ctx->heap_free) ||
+        (p >= ctx->ct_base && p < ctx->ct_end)))
+    heap_check_fail(oh, ctx);
+  return oh;
+}
+#endif
+
 /* Intern a UTF-32 string as a stone text, returning a JSValue string */
 
 /* Create a stoned, interned key from a UTF-8 C string.
@@ -1252,8 +1260,6 @@ typedef struct JSRegExp {
 #define obj_is_stone(rec) objhdr_s ((rec)->mist_hdr)
 #define obj_set_stone(rec) ((rec)->mist_hdr = objhdr_set_s ((rec)->mist_hdr, true))
 
-#define JS_VALUE_GET_RECORD(v) ((JSRecord *)chase (v))
-
 /* Get prototype from object (works for both JSRecord and JSRecord since they
  * share layout) */
 #define JS_OBJ_GET_PROTO(p) (JS_IsNull(((JSRecord *)(p))->proto) ? NULL : (JSRecord *)JS_VALUE_GET_PTR(((JSRecord *)(p))->proto))