Bug 1171430 - Don't shift the poison value by non-byte values; r=jonco
authorTerrence Cole <terrence@mozilla.com>
Wed, 10 Jun 2015 08:58:36 -0700
changeset 248077 3e6ee3df29aa7ac0a3db30d5dffcbd31a7da55c8
parent 248076 fb99310b6a1a7b48486a9d4899dfad8756364026
child 248078 2fd6e854642e13862e03894b99cbc66da2afdc2f
push id28888
push userkwierso@gmail.com
push dateThu, 11 Jun 2015 01:29:45 +0000
treeherdermozilla-central@04c057942da4 [default view] [failures only]
reviewersjonco
bugs1171430
milestone41.0a1
Bug 1171430 - Don't shift the poison value by non-byte values; r=jonco
js/src/jsutil.h
--- a/js/src/jsutil.h
+++ b/js/src/jsutil.h
@@ -300,17 +300,17 @@ Poison(void* ptr, uint8_t value, size_t 
     static bool poison = !bool(getenv("JSGC_DISABLE_POISONING"));
     if (poison) {
         // Without a valid Value tag, a poisoned Value may look like a valid
         // floating point number. To ensure that we crash more readily when
         // observing a poised Value, we make the poison an invalid ObjectValue.
         uintptr_t obj;
         memset(&obj, value, sizeof(obj));
 #if defined(JS_PUNBOX64)
-        obj >>= JSVAL_TAG_SHIFT;
+        obj = obj & ((uintptr_t(1) << JSVAL_TAG_SHIFT) - 1);
 #endif
         const jsval_layout layout = OBJECT_TO_JSVAL_IMPL((JSObject*)obj);
 
         size_t value_count = num / sizeof(jsval_layout);
         size_t byte_count = num % sizeof(jsval_layout);
         mozilla::PodSet((jsval_layout*)ptr, layout, value_count);
         if (byte_count) {
             uint8_t* bytes = static_cast<uint8_t*>(ptr);
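Review bot: The new masking line under `JS_PUNBOX64` has no comment explaining why the payload is masked rather than shifted, and the existing comment above it only covers the choice of an invalid ObjectValue. Going by the commit title, the shift amount is not a whole number of bytes, so the old `>>=` smeared the repeated poison byte. I would add something like `// Mask, don't shift: JSVAL_TAG_SHIFT is not byte-aligned, so a shift would scramble the repeated poison byte in the payload.` above the line, and write it as `obj &= (uintptr_t(1) << JSVAL_TAG_SHIFT) - 1;`. It is also worth noting in that comment that the bits at and above JSVAL_TAG_SHIFT of each poisoned Value now hold the object tag rather than `value`, so anyone triaging a crash should look for the poison pattern in the payload bits only. While there, the context comment says "poised Value" where "poisoned Value" is meant. Poison's body continues past the end of this hunk.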