Diffstat (limited to 'js/src/vm/ArrayBufferObject.cpp')
-rw-r--r--js/src/vm/ArrayBufferObject.cpp12
1 files changed, 10 insertions, 2 deletions
diff --git a/js/src/vm/ArrayBufferObject.cpp b/js/src/vm/ArrayBufferObject.cpp
index 14039af574..1610a59ae9 100644
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -207,6 +207,7 @@ void* js::MapBufferMemory(wasm::IndexType t, size_t mappedSize,
void* data = nullptr;
if (int err = posix_memalign(&data, gc::SystemPageSize(), mappedSize)) {
MOZ_ASSERT(err == ENOMEM);
+ (void)err;
return nullptr;
}
MOZ_ASSERT(data);
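Review bot: The added `(void)err;` has no comment saying why it exists, so a later cleanup is likely to drop it and reintroduce the unused-variable warning in non-DEBUG builds where MOZ_ASSERT compiles away; I would annotate it, e.g. `(void)err;  // Only read by the assertion above; silence unused-variable in release.` The `MOZ_ASSERT(err == ENOMEM)` on the line above also bakes in the assumption that posix_memalign can only fail with ENOMEM here, whereas it may return EINVAL for an alignment that is not a power of two or a multiple of sizeof(void*); that is presumably guaranteed by gc::SystemPageSize(), but the assertion would read better with that stated, e.g. `// EINVAL is impossible: SystemPageSize() is a power-of-two multiple of sizeof(void*).` Release builds return nullptr for every error either way, which looks like the intended behaviour. The enclosing MapBufferMemory starts before and continues after this hunk.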
@@ -2578,8 +2579,15 @@ size_t ArrayBufferObject::objectMoved(JSObject* obj, JSObject* old) {
auto& dst = obj->as<ArrayBufferType>();
const auto& src = old->as<ArrayBufferType>();
- MOZ_ASSERT(
- !obj->runtimeFromMainThread()->gc.nursery().isInside(src.dataPointer()));
+#ifdef DEBUG
+ // Check the data pointer is not inside the nursery, but take account of the
+ // fact that inline data pointers for zero length buffers can point to the end
+ // of a chunk which can abut the start of the nursery.
+ if (src.byteLength() != 0 || (uintptr_t(src.dataPointer()) & gc::ChunkMask)) {
+ Nursery& nursery = obj->runtimeFromMainThread()->gc.nursery();
+ MOZ_ASSERT(!nursery.isInside(src.dataPointer()));
+ }
+#endif
// Fix up possible inline data pointer.
if (src.hasInlineData()) {