[Feature] Check whether ctx/tid is valid between object and prop

throw error if obj's ctx or tid is incosistent
[internal:]
issue: f-5941886199
doc: https://xxxxxx
[end_internal]

Author: pandazyp

src/gc/allocator.cc

@@ -2130,10 +2130,6 @@ static int chunk_call_munmap(mstate m, mchunkptr p, size_t size) {
   return res;
 }
 
-#if defined(ANDROID) || defined(__ANDROID__)
-pid_t gettid() { return syscall(SYS_gettid); }
-#endif
-
 static void* mmap_alloc(mstate m, size_t nb) {
   size_t mmsize = mmap_align(nb + SIX_SIZE_T_SIZES + CHUNK_ALIGN_MASK);
   if (m->footprint_limit != 0) {
@@ -2416,7 +2412,7 @@ static void* sys_alloc(mstate m, size_t nb) {
     sprintf(id, "%d", getpid());
     strcat(m->mem_name, id);
     strcat(m->mem_name, "_");
-    sprintf(id, "%d", gettid());
+    sprintf(id, "%d", reinterpret_cast<int>(syscall(SYS_gettid)));
     strcat(m->mem_name, id);
 #endif
   } else {
@@ -2849,7 +2845,8 @@ void* allocate(mstate gm, size_t bytes) {
 }
 
 void gcfree(mstate fm, void* mem) {
-  PRINT("gcfree, addr:%p, mstate:%p, tid:%d\n", mem, fm, gettid());
+  PRINT("gcfree, addr:%p, mstate:%p, tid:%d\n", mem, fm,
+        reinterpret_cast<int>(syscall(SYS_gettid)));
 #ifdef ENABLE_GC_DEBUG_TOOLS
   delete_cur_mems(fm->runtime, mem);
 #endif

src/interpreter/quickjs/include/quickjs-inner.h

@@ -789,10 +789,11 @@ struct LEPUSContext {
 
   PtrHandles *ptr_handles;
   NAPIHandleScope *napi_scope;
+  struct FinalizationRegistryContext *fg_ctx = nullptr;
+  uint64_t binary_version;
   bool gc_enable;
   bool is_lepusng;
-  uint64_t binary_version;
-  struct FinalizationRegistryContext *fg_ctx = nullptr;
+  bool object_ctx_check;
 };
 
 typedef union JSFloat64Union {
@@ -973,6 +974,12 @@ typedef struct LEPUSFunctionBytecode {
   // <Primjs begin>
   struct list_head gc_link;
   uint32_t function_id;  // for lepusNG debugger encode
+#ifdef ENABLE_QUICKJS_DEBUGGER
+  LEPUSContext *ctx;
+#if defined(ANDROID) || defined(__ANDROID__)
+  pid_t tid;
+#endif
+#endif
   // <Primjs end>
   struct {
     /* debug info, move to separate structure to save memory? */
@@ -1346,6 +1353,12 @@ struct LEPUSObject {
     JSRegExp regexp;        /* JS_CLASS_REGEXP: 8/16 bytes */
     LEPUSValue object_data; /* for JS_SetObjectData(): 8/16/16 bytes */
   } u;
+#ifdef ENABLE_QUICKJS_DEBUGGER
+  LEPUSContext *ctx;
+#if defined(ANDROID) || defined(__ANDROID__)
+  pid_t tid;
+#endif
+#endif
   /* byte sizes: 40/48/72 */
 };
 
@@ -3201,4 +3214,12 @@ inline bool js_is_bytecode_function(LEPUSValue obj) {
 bool emit_name_str(JSParseState *s, const uint8_t *start, const uint8_t *end);
 void get_caller_string(JSFunctionDef *s);
 
+void SetObjectCtxCheckStatus(LEPUSContext *ctx, bool enable);
+
+#ifdef ENABLE_QUICKJS_DEBUGGER
+QJS_HIDE pid_t get_tid();
+QJS_HIDE bool CheckObjectCtx(LEPUSContext *ctx, LEPUSValue obj);
+QJS_HIDE LEPUSValue JS_ThrowCtxError(LEPUSContext *ctx);
+#endif
+
 #endif  // SRC_INTERPRETER_QUICKJS_INCLUDE_QUICKJS_INNER_H_

src/interpreter/quickjs/include/quickjs.h

@@ -1603,6 +1603,8 @@ const char *LEPUS_GetStringUtf8(LEPUSContext *, const struct JSString *);
 void LEPUS_SetFuncFileName(LEPUSContext *, LEPUSValue, const char *);
 
 void InitLynxTraceEnv(void *(*)(const char *), void (*)(void *));
+
+void SetObjectCtxCheckStatus(LEPUSContext *ctx, bool enable);
 // <Primjs end>
 
 #undef lepus_unlikely

src/interpreter/quickjs/source/quickjs.cc

@@ -56,6 +56,7 @@ extern "C" {
 #include <cstdlib>
 #if defined(ANDROID) || defined(__ANDROID__)
 #include <errno.h>
+#include <sys/syscall.h>
 #include <unistd.h>
 #endif
 
@@ -4585,6 +4586,12 @@ QJS_HIDE LEPUSValue JS_NewObjectFromShape(LEPUSContext *ctx, JSShape *sh,
   p->first_weak_ref = NULL;
   p->u.opaque = NULL;
   p->shape = sh;
+#ifdef ENABLE_QUICKJS_DEBUGGER
+  p->ctx = ctx;
+#if defined(ANDROID) || defined(__ANDROID__)
+  p->tid = get_tid();
+#endif
+#endif
   p->prop = static_cast<JSProperty *>(
       lepus_malloc(ctx, sizeof(JSProperty) * sh->prop_size));
   if (unlikely(!p->prop)) {
@@ -8838,6 +8845,14 @@ int JS_SetPropertyInternalImpl(LEPUSContext *ctx, LEPUSValueConst this_obj,
     }
   }
   p = LEPUS_VALUE_GET_OBJ(this_obj);
+
+#ifdef ENABLE_QUICKJS_DEBUGGER
+  if (CheckObjectCtx(ctx, val)) {
+    JS_ThrowCtxError(ctx);
+    return -1;
+  }
+#endif
+
 retry:
   prs = find_own_property(&pr, p, prop);
   if (prs) {
@@ -18489,6 +18504,12 @@ QJS_STATIC inline LEPUSValue JS_CallInternalTI(LEPUSContext *caller_ctx,
                                                LEPUSValue this_obj,
                                                LEPUSValue new_target, int argc,
                                                LEPUSValue *argv, int flags) {
+#ifdef ENABLE_QUICKJS_DEBUGGER
+  if (CheckObjectCtx(caller_ctx, func_obj)) {
+    return JS_ThrowCtxError(caller_ctx);
+  }
+#endif
+
 #ifdef ENABLE_PRIMJS_SNAPSHOT
   if (caller_ctx->rt->use_primjs) {
     return entry(this_obj, new_target, func_obj, (address)caller_ctx, argc,
@@ -31525,6 +31546,12 @@ LEPUSValue js_create_function(LEPUSContext *ctx, JSFunctionDef *fd) {
   }
 
   b->stack_size = stack_size;
+#ifdef ENABLE_QUICKJS_DEBUGGER
+  b->ctx = ctx;
+#if defined(ANDROID) || defined(__ANDROID__)
+  b->tid = get_tid();
+#endif
+#endif
 
   if (fd->js_mode & JS_MODE_STRIP) {
     if (!is_gc) {
@@ -56074,3 +56101,46 @@ void InitLynxTraceEnv(void *(*begin)(const char *), void (*end)(void *ptr)) {
   lynx_trace.InitEndPtr(end);
   return;
 }
+
+void SetObjectCtxCheckStatus(LEPUSContext *ctx, bool enable) {
+  ctx->object_ctx_check = enable;
+  return;
+}
+
+#ifdef ENABLE_QUICKJS_DEBUGGER
+pid_t get_tid() {
+#if defined(ANDROID) || defined(__ANDROID__)
+  return syscall(SYS_gettid);
+#else
+  return 0;
+#endif
+}
+
+bool CheckObjectCtx(LEPUSContext *ctx, LEPUSValue obj) {
+  if (ctx->object_ctx_check) {
+    bool inconsistent_ctx =
+        (LEPUS_VALUE_IS_OBJECT(obj) &&
+         (LEPUS_VALUE_GET_OBJ(obj)->ctx) != ctx) ||
+        (LEPUS_VALUE_IS_FUNCTION_BYTECODE(obj) &&
+         static_cast<LEPUSFunctionBytecode *>(LEPUS_VALUE_GET_PTR(obj))->ctx !=
+             ctx);
+    bool inconsistent_tid = false;
+#if defined(ANDROID) || defined(__ANDROID__)
+    pid_t tid = get_tid();
+    inconsistent_tid =
+        (LEPUS_VALUE_IS_OBJECT(obj) &&
+         (LEPUS_VALUE_GET_OBJ(obj)->tid) != tid) ||
+        (LEPUS_VALUE_IS_FUNCTION_BYTECODE(obj) &&
+         static_cast<LEPUSFunctionBytecode *>(LEPUS_VALUE_GET_PTR(obj))->tid !=
+             tid);
+#endif
+    return inconsistent_ctx || inconsistent_tid;
+  }
+  return false;
+}
+
+LEPUSValue JS_ThrowCtxError(LEPUSContext *ctx) {
+  return LEPUS_ThrowTypeError(
+      ctx, "The property's ctx or tid is inconsistent with this object.");
+}
+#endif

src/interpreter/quickjs/source/quickjs_gc.cc

@@ -2691,6 +2691,12 @@ QJS_HIDE LEPUSValue JS_NewObjectFromShape_GC(LEPUSContext *ctx, JSShape *sh,
   p->u.opaque = NULL;
   p->shape = sh;
   p->prop = NULL;
+#ifdef ENABLE_QUICKJS_DEBUGGER
+  p->ctx = ctx;
+#if defined(ANDROID) || defined(__ANDROID__)
+  p->tid = get_tid();
+#endif
+#endif
 
   switch (class_id) {
     case JS_CLASS_OBJECT:
@@ -4784,6 +4790,14 @@ int JS_SetPropertyInternalImpl_GC(LEPUSContext *ctx, LEPUSValueConst this_obj,
     }
   }
   p = LEPUS_VALUE_GET_OBJ(this_obj);
+
+#ifdef ENABLE_QUICKJS_DEBUGGER
+  if (CheckObjectCtx(ctx, val)) {
+    JS_ThrowCtxError(ctx);
+    return -1;
+  }
+#endif
+
 retry:
   prs = find_own_property(&pr, p, prop);
   if (prs) {