From 9133f15f25054802fb372f68c288a72894b514fa Mon Sep 17 00:00:00 2001
From: Paul Bone
Date: Mon, 30 Jul 2018 14:35:11 +1000
Subject: [PATCH] Bug 1478902 Part 2 - Nursery strings allocation code uses the wrong pointer r=sfink

Some of the allocation code here uses the wrong pointer for the strings nursery position. The bug is benign because the nursery is shared.

--HG--
extra : rebase_source : 27a14aa077d8de6e616d26759aa4e8e0a6bb5bb9
---
 js/src/jit/MacroAssembler.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/js/src/jit/MacroAssembler.cpp b/js/src/jit/MacroAssembler.cpp
index 1965e3dae03b..8762cb9e882f 100644
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -972,7 +972,7 @@ MacroAssembler::nurseryAllocateString(Register result, Register temp, gc::AllocK
 void* nurseryPosAddr = zone->addressOfStringNurseryPosition();
 const void* nurseryEndAddr = zone->addressOfStringNurseryCurrentEnd();
- movePtr(ImmPtr(zone->addressOfNurseryPosition()), temp);
+ movePtr(ImmPtr(nurseryPosAddr), temp);
 loadPtr(Address(temp, 0), result);
 addPtr(Imm32(totalSize), result);
 const ptrdiff_t endOffset =
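Review bot: The corrected `movePtr` now loads from the string-nursery position slot, but nothing at the call site says why `addressOfStringNurseryPosition()` rather than `addressOfNurseryPosition()` is the right slot, and since the commit message says the two nurseries are currently shared, a future mix-up would again compile and run silently. A short comment on the `+` line would pin the intent, e.g. `// Strings bump the string-nursery position slot (nurseryPosAddr), not the object nursery's; the two alias today, so a mix-up is not caught at runtime.` `nurseryEndAddr` is computed in the context lines but consumed past the hunk's end, presumably in the `endOffset` expression, so the same comment could mention that both addresses are baked into the JIT code as immediates. `nurseryAllocateString` starts and ends outside the hunk.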