Bug 1430561 - Make sure the empty elements header is followed by an unused Value. r=luke
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 18 Jan 2018 13:20:26 +0100
changeset 399869 4dc616cbbb203e6b36ae21507359e70481a25919
parent 399868 a98f615965d73f6462924188fc2b1f2a620337bb
child 399870 3919edc6531353d70f57214ec2f7ae7376010763
push id33279
push useraciure@mozilla.com
push dateThu, 18 Jan 2018 21:53:37 +0000
reviewersluke
bugs1430561
milestone59.0a1
Bug 1430561 - Make sure the empty elements header is followed by an unused Value. r=luke
js/src/vm/NativeObject.cpp
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -27,23 +27,43 @@ using namespace js;
 using JS::AutoCheckCannotGC;
 using JS::GenericNaN;
 using mozilla::ArrayLength;
 using mozilla::CheckedInt;
 using mozilla::DebugOnly;
 using mozilla::PodCopy;
 using mozilla::RoundUpPow2;
 
-static const ObjectElements emptyElementsHeader(0, 0);
+struct EmptyObjectElements
+{
+    const ObjectElements emptyElementsHeader;
+
+    // Add an extra (unused) Value to make sure an out-of-bounds index when
+    // masked (resulting in index 0) accesses valid memory.
+    const Value val;
+
+  public:
+    constexpr EmptyObjectElements()
+      : emptyElementsHeader(0, 0),
+        val(UndefinedValue())
+    {}
+    explicit constexpr EmptyObjectElements(ObjectElements::SharedMemory shmem)
+      : emptyElementsHeader(0, 0, shmem),
+        val(UndefinedValue())
+    {}
+};
+
+static constexpr EmptyObjectElements emptyElementsHeader;
 
 /* Objects with no elements share one empty set of elements. */
 HeapSlot* const js::emptyObjectElements =
     reinterpret_cast<HeapSlot*>(uintptr_t(&emptyElementsHeader) + sizeof(ObjectElements));
 
-static const ObjectElements emptyElementsHeaderShared(0, 0, ObjectElements::SharedMemory::IsShared);
+static constexpr
+EmptyObjectElements emptyElementsHeaderShared(ObjectElements::SharedMemory::IsShared);
 
 /* Objects with no elements share one empty set of elements. */
 HeapSlot* const js::emptyObjectElementsShared =
     reinterpret_cast<HeapSlot*>(uintptr_t(&emptyElementsHeaderShared) + sizeof(ObjectElements));
 
 
 #ifdef DEBUG