Bug 1518824 - Poison old ObjectGroup properties array during sweeping r=tcampbell
authorJon Coppeard <jcoppeard@mozilla.com>
Thu, 10 Jan 2019 11:00:20 +0000
changeset 510352 3922da7f8c518a0dfe111458859e5dc45e477a62
parent 510351 d2a84a3dcae072a3ea765345c35aaaa92842860b
child 510353 77dfbff3744411eaec7b5d834e3c517dda9c22b6
reviewerstcampbell
bugs1518824
milestone66.0a1
Bug 1518824 - Poison old ObjectGroup properties array during sweeping r=tcampbell
js/src/vm/TypeInference.cpp
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -4578,16 +4578,22 @@ void ObjectGroup::sweep(const AutoSweepO
    */
   unsigned propertyCount = basePropertyCount(sweep);
   if (propertyCount >= 2) {
     unsigned oldCapacity = TypeHashSet::Capacity(propertyCount);
     Property** oldArray = propertySet;
 
     MOZ_RELEASE_ASSERT(uintptr_t(oldArray[-1]) == oldCapacity);
 
+    auto poisonArray = mozilla::MakeScopeExit([oldArray, oldCapacity] {
+      size_t size = sizeof(Property*) * (oldCapacity + 1);
+      JS_POISON(oldArray - 1, JS_SWEPT_TI_PATTERN, size,
+                MemCheckKind::MakeUndefined);
+    });
+
     unsigned oldPropertyCount = propertyCount;
     unsigned oldPropertiesFound = 0;
 
     clearProperties(sweep);
     propertyCount = 0;
     for (unsigned i = 0; i < oldCapacity; i++) {
       Property* prop = oldArray[i];
       if (prop) {
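Review bot: The scope-exit poisoning added at L40-L44 has no comment saying why the old array is overwritten rather than just left for the allocator, nor why the range starts at `oldArray - 1` and spans `oldCapacity + 1` slots; a reader has to connect it to the capacity-slot assert on L38 by themselves. I would put a short comment above the `MakeScopeExit` call: `// On exit, poison the old array plus its capacity slot at index -1 so a stale read` `// of a swept property set is caught instead of silently returning old pointers.` The capture list `[oldArray, oldCapacity]` copies both values, which is correct since the scope guard must not depend on `propertySet` after clearProperties() on L49 presumably replaces it. ObjectGroup::sweep begins before this hunk and the rebuild loop continues past it.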