From a80557283a28600f58d864c61cdd631b63faf767 Mon Sep 17 00:00:00 2001
From: John Alanbrook
Date: Tue, 3 Feb 2026 02:06:29 -0600
Subject: [PATCH] fix poison heap

---
 source/quickjs.c | 7 ++++---
 source/suite.c   | 9 +++++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/source/quickjs.c b/source/quickjs.c
index 9f3d8106..9f19120d 100644
--- a/source/quickjs.c
+++ b/source/quickjs.c
@@ -82,7 +82,7 @@
  */
 // #define DUMP_BYTECODE (1)
 /* dump GC summary: old/new heap, recovery %, heap growth */
-// #define DUMP_GC
+#define DUMP_GC
 /* dump detailed GC: roots, scanning, object traversal (implies DUMP_GC) */
 // #define DUMP_GC_DETAIL
 #ifdef DUMP_GC_DETAIL
@@ -99,6 +99,7 @@
 /* test the GC by forcing it before each object allocation */
 // #define FORCE_GC_AT_MALLOC
+#define POISON_HEAP
 /* POISON_HEAP: Use ASan's memory poisoning to detect stale pointer access */
 #ifdef POISON_HEAP
 #if defined(__has_feature)
@@ -2504,11 +2505,11 @@ static int ctx_gc (JSContext *ctx) {
       scan += obj_size;
     }
 
-  /* Return old block to buddy allocator */
+  /* Return old block to buddy allocator, then poison to catch stale accesses */
+  buddy_free (&rt->buddy, from_base, old_heap_size);
 #ifdef POISON_HEAP
   gc_poison_region(from_base, old_heap_size);
 #endif
-  buddy_free (&rt->buddy, from_base, old_heap_size);
 
   /* Update context with new block */
   size_t new_used = to_free - to_base;
diff --git a/source/suite.c b/source/suite.c
index f3295bd7..e4770973 100644
--- a/source/suite.c
+++ b/source/suite.c
@@ -500,10 +500,15 @@ TEST(array_mixed_types) {
 }
 
 TEST(array_many_elements_resize) {
-  JSValue arr = JS_NewArray(ctx);
+  JSGCRef arr_ref;
+  JSValue *arr_ptr = JS_AddGCRef(ctx, &arr_ref);
+  *arr_ptr = JS_NewArray(ctx);
+
   for (int i = 0; i < 1000; i++) {
-    JS_ArrayPush(ctx, &arr, JS_NewInt32(ctx, i));
+    JS_ArrayPush(ctx, arr_ptr, JS_NewInt32(ctx, i));
   }
+  JSValue arr = *arr_ptr;
+  JS_DeleteGCRef(ctx, &arr_ref);
   int64_t len;
   JS_GetLength(ctx, arr, &len);
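Review bot: `#define DUMP_GC` is now hard-enabled in the source, so every build of quickjs.c prints the GC summary; the same applies to `#define POISON_HEAP` added in the next hunk (@@ -99,6 +99,7 @@). A commit titled "fix poison heap" reads like a debugging session that left its switches on, and DUMP_GC in particular does not look related to the fix; keeping both as build flags (`-DDUMP_GC`, `-DPOISON_HEAP`) or restoring the `//` would avoid shipping them. If POISON_HEAP is meant to be on by default, a short comment next to it saying so, and stating what the `#if defined(__has_feature)` block below does when ASan is not present (presumably a no-op fallback, worth confirming), would make the intent explicit.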
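Review bot: In the @@ -2504,11 +2505,11 @@ hunk the block is now poisoned after `buddy_free` returns it to the allocator, which presumably is the fix (if buddy_free writes free-list metadata into the block, the old order had it writing into poisoned memory), but it also leaves the region poisoned while the allocator owns it, so the next allocation carved from it will trip ASan unless the buddy allocator unpoisons on reuse; that contract is not visible here and should be confirmed. The ordering invariant deserves a comment on the new buddy_free line, e.g. `/* buddy_free may touch the block, so free before poisoning; the allocator must unpoison on reuse */`. The new comment also says "then poison" unconditionally while the poisoning is under `#ifdef POISON_HEAP`; `/* Return old block to buddy allocator (poisoned under POISON_HEAP to catch stale accesses) */` keeps it accurate in both configurations. ctx_gc begins and ends outside the hunk.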