Closed Bug 1430561 Opened 2 years ago Closed 2 years ago

Make sure emptyElementsHeader is followed by an unused Value

Categories

(Core :: JavaScript Engine, defect)


RESOLVED FIXED
mozilla59
Tracking Status
firefox59 --- fixed

People

(Reporter: jandem, Assigned: jandem)

References

(Blocks 1 open bug)

Attachments

(1 file)

Attached patch: Patch
I was thinking about this last week and posting this just so I don't forget about it.

This patch makes sure the emptyElementsHeaders are followed by an UndefinedValue, since index-masked out-of-bounds loads can speculatively load this value.
Attachment #8942641 - Flags: review?(luke)
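
An added illustration of the reasoning in the comment above, not code from the patch or from SpiderMonkey: a simplified C model of an empty elements header followed by one unused Value. The struct layout, all names (`ElementsHeader`, `EmptyElements`, `mask_index`, `speculative_load`), the sentinel constant, and the assumption that index masking clamps an out-of-range index to 0 are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t Value;                        /* stand-in for a boxed JS value */
#define UNDEFINED_VALUE 0x0123456789ABCDEFULL  /* constructed sentinel, not the engine's encoding */

/* Simplified header; elements are stored directly after it. */
typedef struct {
    uint32_t flags, initialized_length, capacity, length;
} ElementsHeader;

/* Shared header for objects with no elements, followed by one unused Value. */
typedef struct {
    ElementsHeader header;
    Value unused;
} EmptyElements;

_Static_assert(offsetof(EmptyElements, unused) == sizeof(ElementsHeader),
               "the unused Value must sit exactly where elements[0] would be");

static const EmptyElements empty_elements = { {0, 0, 0, 0}, UNDEFINED_VALUE };

/* Address an object with no elements uses as its elements pointer. */
const Value *empty_elements_ptr(void) { return &empty_elements.unused; }

/* Branch-free mask (assumed behaviour): index if index < length, otherwise 0. */
uint32_t mask_index(uint32_t index, uint32_t length) {
    uint32_t in_bounds = (uint32_t)0 - (uint32_t)(index < length); /* all ones or zero */
    return index & in_bounds;
}

/* Architectural behaviour: the bounds check decides the result. */
Value load_element(const Value *elements, uint32_t length, uint32_t index) {
    if (index >= length)
        return UNDEFINED_VALUE;
    return elements[mask_index(index, length)];
}

/* Models a mispredicted bounds check: the branch is skipped, but the load
   still uses the masked index, so it reads elements[0] when out of range. */
Value speculative_load(const Value *elements, uint32_t length, uint32_t index) {
    return elements[mask_index(index, length)];
}

int main(void) {
    Value v = speculative_load(empty_elements_ptr(), 0, 123456);
    printf("speculative read past empty header: %#llx\n", (unsigned long long)v);
    return v == UNDEFINED_VALUE ? 0 : 1;
}
```

With a length of 0 every index masks to 0, so the only memory the modelled speculative load can touch is the slot directly after the header; without the padding Value that slot would be whatever data happened to follow the header.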
Comment on attachment 8942641 [details] [diff] [review]
Patch

Review of attachment 8942641 [details] [diff] [review]:
-----------------------------------------------------------------

Hah, yeah, I had this in the back of my head as well.
Attachment #8942641 - Flags: review?(luke) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4dc616cbbb20
Make sure the empty elements header is followed by an unused Value. r=luke
https://hg.mozilla.org/mozilla-central/rev/4dc616cbbb20
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59