Bug 1414901 - part 1a - make mozWritePoison respect its documentation; r=Waldo
author Nathan Froyd <froydnj@mozilla.com>
Tue, 06 Mar 2018 11:35:50 -0500
changeset 461802 0d24a10002a9410c461a967ea397b06ebef2f9dc
parent 461798 3363cb492aa149a43e196e127080b8b5bcf60684
child 461803 8c6f13a64b497f968eab5e4d618f70a1299ec90b
push id 1683
push user sfraser@mozilla.com
push date Thu, 26 Apr 2018 16:43:40 +0000
treeherder mozilla-release@5af6cb21869d
reviewers Waldo
bugs 1414901
milestone 60.0a1

The documentation for mozWritePoison says that only an even number of sizeof(uintptr_t) bytes are overwritten; any trailing bytes are not touched. This documentation doesn't correspond to how the function actually works. The function as written will happily overwrite trailing bytes and any bytes not contained in the object, if the passed-in size isn't divisible by sizeof(uintptr_t). Let's fix that.

mfbt/Poison.h
--- a/mfbt/Poison.h
+++ b/mfbt/Poison.h
@@ -34,17 +34,17 @@ inline uintptr_t mozPoisonValue()
  * aPtr MUST be aligned at a sizeof(uintptr_t) boundary.
  * Only an even number of sizeof(uintptr_t) bytes are overwritten, the last
  * few bytes (if any) is not overwritten.
  */
 inline void mozWritePoison(void* aPtr, size_t aSize)
 {
   const uintptr_t POISON = mozPoisonValue();
   char* p = (char*)aPtr;
-  char* limit = p + aSize;
+  char* limit = p + (aSize & ~(sizeof(uintptr_t) - 1));
   MOZ_ASSERT((uintptr_t)aPtr % sizeof(uintptr_t) == 0, "bad alignment");
   MOZ_ASSERT(aSize >= sizeof(uintptr_t), "poisoning this object has no effect");
   for (; p < limit; p += sizeof(uintptr_t)) {
     *((uintptr_t*)p) = POISON;
   }
 }
 
 /**
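
Review bot: the doc comment kept as context above `mozWritePoison` still says "Only an even number of sizeof(uintptr_t) bytes are overwritten", which reads as a parity rule rather than what the new `limit` line implements: `aSize & ~(sizeof(uintptr_t) - 1)` rounds `aSize` down to a whole multiple of `sizeof(uintptr_t)`. Since this change is about making code and documentation agree, consider rewording the comment to say exactly that, and to state that up to `sizeof(uintptr_t) - 1` trailing bytes keep their previous contents, so callers that rely on the poison pattern to surface stale reads know the tail of an oddly sized object is not covered. It is also worth a line in the comment that when `aSize` is smaller than `sizeof(uintptr_t)` the new `limit` equals `p` and the loop writes nothing; in builds where `MOZ_ASSERT` is compiled out that case is now a silent no-op rather than a write past the object.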