Bug 1267557 part 2 - Use different jitcode poison values. r=nbp a=ritu
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 28 Apr 2016 13:38:12 +0200
changeset 332710 2fa3f71011ccb7f8171af8295cc7ffbaa556333c
parent 332709 29d746b57ed2690d98d5ac9e85fc745e78350266
child 332711 fa1e3821e0e483b702425ddea96238222bf85a76
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
reviewersnbp, ritu
bugs1267557
milestone48.0a2
Bug 1267557 part 2 - Use different jitcode poison values. r=nbp a=ritu
js/src/jsutil.h
--- a/js/src/jsutil.h
+++ b/js/src/jsutil.h
@@ -312,28 +312,40 @@ PodSet(T* aDst, T aSrc, size_t aNElem)
         *aDst = aSrc;
 }
 
 } /* namespace mozilla */
 
 /*
  * Patterns used by SpiderMonkey to overwrite unused memory. If you are
  * accessing an object with one of these pattern, you probably have a dangling
- * pointer.
+ * pointer. These values should be odd, see the comment in IsThingPoisoned.
  *
  * Note: new patterns should also be added to the array in IsThingPoisoned!
  */
 #define JS_FRESH_NURSERY_PATTERN 0x2F
 #define JS_SWEPT_NURSERY_PATTERN 0x2B
 #define JS_ALLOCATED_NURSERY_PATTERN 0x2D
 #define JS_FRESH_TENURED_PATTERN 0x4F
 #define JS_MOVED_TENURED_PATTERN 0x49
 #define JS_SWEPT_TENURED_PATTERN 0x4B
 #define JS_ALLOCATED_TENURED_PATTERN 0x4D
-#define JS_SWEPT_CODE_PATTERN 0x3B
+
+/*
+ * Ensure JS_SWEPT_CODE_PATTERN is a byte pattern that will crash immediately
+ * when executed, so either an undefined instruction or an instruction that's
+ * illegal in user mode.
+ */
+#if defined(JS_CODEGEN_X86) || defined(JS_CODEGEN_X64) || defined(JS_CODEGEN_NONE)
+# define JS_SWEPT_CODE_PATTERN 0xED // IN instruction, crashes in user mode.
+#elif defined(JS_CODEGEN_ARM) || defined(JS_CODEGEN_ARM64)
+# define JS_SWEPT_CODE_PATTERN 0xA3 // undefined instruction
+#else
+# error "JS_SWEPT_CODE_PATTERN not defined for this platform"
+#endif
 
 static inline void*
 Poison(void* ptr, uint8_t value, size_t num)
 {
     static bool disablePoison = bool(getenv("JSGC_DISABLE_POISONING"));
     if (disablePoison)
         return ptr;