fix poison heap

source/quickjs.c

@@ -82,7 +82,7 @@
  */
 // #define DUMP_BYTECODE  (1)
 /* dump GC summary: old/new heap, recovery %, heap growth */
-// #define DUMP_GC
+#define DUMP_GC
 /* dump detailed GC: roots, scanning, object traversal (implies DUMP_GC) */
 // #define DUMP_GC_DETAIL
 #ifdef DUMP_GC_DETAIL
@@ -99,6 +99,7 @@
 /* test the GC by forcing it before each object allocation */
 // #define FORCE_GC_AT_MALLOC
 
+#define POISON_HEAP
 /* POISON_HEAP: Use ASan's memory poisoning to detect stale pointer access */
 #ifdef POISON_HEAP
 #if defined(__has_feature)
@@ -2504,11 +2505,11 @@ static int ctx_gc (JSContext *ctx) {
     scan += obj_size;
   }
 
-  /* Return old block to buddy allocator */
+  /* Return old block to buddy allocator, then poison to catch stale accesses */
+  buddy_free (&rt->buddy, from_base, old_heap_size);
 #ifdef POISON_HEAP
   gc_poison_region(from_base, old_heap_size);
 #endif
-  buddy_free (&rt->buddy, from_base, old_heap_size);
 
   /* Update context with new block */
   size_t new_used = to_free - to_base;

source/suite.c

@@ -500,10 +500,15 @@ TEST(array_mixed_types) {
 }
 
 TEST(array_many_elements_resize) {
-  JSValue arr = JS_NewArray(ctx);
+  JSGCRef arr_ref;
+  JSValue *arr_ptr = JS_AddGCRef(ctx, &arr_ref);
+  *arr_ptr = JS_NewArray(ctx);
+
   for (int i = 0; i < 1000; i++) {
-    JS_ArrayPush(ctx, &arr, JS_NewInt32(ctx, i));
+    JS_ArrayPush(ctx, arr_ptr, JS_NewInt32(ctx, i));
   }
+  JSValue arr = *arr_ptr;
+  JS_DeleteGCRef(ctx, &arr_ref);
 
   int64_t len;
   JS_GetLength(ctx, arr, &len);