[1.7>master] [MERGE #3768 @MSLaguana] Adding error checking to JsCreateWeakReference

Merge pull request #3768 from MSLaguana:jsrtWeakRefObjectsOnly

If a tagged value or a non-RecyclableObject is passed in,
we will now report an error rather than crashing non-deterministically
in a future GC.

Author: MSLaguana

lib/Jsrt/ChakraCommon.h

@@ -223,6 +223,11 @@ typedef unsigned short uint16_t;
         /// </summary>
         JsErrorModuleParsed,
         /// <summary>
+        ///     Argument passed to JsCreateWeakReference is a primitive that is not managed by the GC.
+        ///     No weak reference is required, the value will never be collected.
+        /// </summary>
+        JsNoWeakRefRequired,
+        /// <summary>
         ///     Category of errors that relates to errors occurring within the engine itself.
         /// </summary>
         JsErrorCategoryEngine = 0x20000,

lib/Jsrt/Jsrt.cpp

@@ -4618,6 +4618,11 @@ CHAKRA_API JsCreateWeakReference(
     PARAM_NOT_NULL(weakRef);
     *weakRef = nullptr;
 
+    if (Js::TaggedNumber::Is(value))
+    {
+        return JsNoWeakRefRequired;
+    }
+
     return GlobalAPIWrapper_NoRecord([&]() -> JsErrorCode {
         ThreadContext* threadContext = ThreadContext::GetContextForCurrentThread();
         if (threadContext == nullptr)
@@ -4631,6 +4636,13 @@ CHAKRA_API JsCreateWeakReference(
             return JsErrorInObjectBeforeCollectCallback;
         }
 
+        RecyclerHeapObjectInfo dummyObjectInfo;
+        if (!recycler->FindHeapObject(value, Memory::FindHeapObjectFlags::FindHeapObjectFlags_NoFlags, dummyObjectInfo))
+        {
+            // value is not recyler-allocated
+            return JsErrorInvalidArgument;
+        }
+
         recycler->FindOrCreateWeakReferenceHandle<char>(
             reinterpret_cast<char*>(value),
             reinterpret_cast<Memory::RecyclerWeakReference<char>**>(weakRef));