Bug 1315856 - Fix dynamic slot base address passed to fillSlotsWithUndefined. r=jonco
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 08 Dec 2016 14:49:38 -1000
changeset 325464 c3d4bcee4905b8d322319d9585e76a148a7b707f
parent 325463 853a0dfc4d5f5d0a4edb51e9b6356b547556ecc5
child 325465 7849f81b44de6f6b1a83545bdd514f0a73f21c5e
push id24
push usermaklebus@msu.edu
push dateTue, 20 Dec 2016 03:11:33 +0000
reviewersjonco
bugs1315856
milestone53.0a1
Bug 1315856 - Fix dynamic slot base address passed to fillSlotsWithUndefined. r=jonco
js/src/jit/MacroAssembler.cpp
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -1188,17 +1188,18 @@ MacroAssembler::initGCSlots(Register obj
         push(obj);
         loadPtr(Address(obj, NativeObject::offsetOfSlots()), obj);
 
         // Fill uninitialized slots if necessary. Otherwise initialize all
         // slots to undefined.
         if (startOfUndefined > nfixed) {
             MOZ_ASSERT(startOfUninitialized != startOfUndefined);
             fillSlotsWithUninitialized(Address(obj, 0), temp, 0, startOfUndefined - nfixed);
-            fillSlotsWithUndefined(Address(obj, 0), temp, startOfUndefined - nfixed, ndynamic);
+            size_t offset = (startOfUndefined - nfixed) * sizeof(Value);
+            fillSlotsWithUndefined(Address(obj, offset), temp, startOfUndefined - nfixed, ndynamic);
         } else {
             fillSlotsWithUndefined(Address(obj, 0), temp, 0, ndynamic);
         }
 
         pop(obj);
     }
 }
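Review bot: The `size_t offset` computed on the added line is narrowed implicitly when it is passed to `Address(obj, offset)`, whose displacement is a signed 32-bit field, and nothing in the hunk bounds it. The value is small in practice, but a `MOZ_ASSERT(offset <= INT32_MAX);` would make that assumption explicit. The call also needs a comment saying why its base differs from the `Address(obj, 0)` calls around it, for example `// |base| must already point at slot |start|; the helper does not add it.` This matters because, as far as can be inferred without seeing the helper, a base/start mismatch here leaves the trailing dynamic slots unwritten, so the GC could later trace stale memory as Values. The patch adds no regression test, and `initGCSlots` begins outside this hunk, so how `ndynamic` relates to `startOfUndefined` cannot be checked here.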