Bug 1234397 - dispatch on the correct value. r=luke
authorLars T Hansen <lhansen@mozilla.com>
Tue, 22 Dec 2015 10:19:38 +0100
changeset 317416 5f330d996ca4e3bd5a8c2c12e5867a406e27af66
parent 317415 20a481bc8b5a9a71e296b01da89b601b316749a3
child 317417 3832a93e1d70552830979376c2e31dea2ddc8c34
push id8692
push userbenj@benj.me
push dateWed, 23 Dec 2015 22:18:33 +0000
reviewersluke
bugs1234397
milestone46.0a1
Bug 1234397 - dispatch on the correct value. r=luke
js/src/vm/SharedArrayObject.cpp
--- a/js/src/vm/SharedArrayObject.cpp
+++ b/js/src/vm/SharedArrayObject.cpp
@@ -165,17 +165,17 @@ SharedArrayRawBuffer::dropReference()
     if (refcount == 0) {
         SharedMem<uint8_t*> p = this->dataPointerShared() - AsmJSPageSize;
 
         MOZ_ASSERT(p.asValue() % AsmJSPageSize == 0);
 
         uint8_t* address = p.unwrap(/*safe - only reference*/);
         uint32_t allocSize = (this->length + 2*AsmJSPageSize - 1) & ~(AsmJSPageSize - 1);
 #if defined(ASMJS_MAY_USE_SIGNAL_HANDLERS_FOR_OOB)
-        if (!IsValidAsmJSHeapLength(allocSize)) {
+        if (!IsValidAsmJSHeapLength(this->length)) {
             UnmapMemory(address, allocSize);
         } else {
             numLive--;
             UnmapMemory(address, SharedArrayMappedSize);
 #       if defined(MOZ_VALGRIND) \
            && defined(VALGRIND_ENABLE_ADDR_ERROR_REPORTING_IN_RANGE)
             // Tell Valgrind/Memcheck to recommence reporting accesses in the
             // previously-inaccessible region.