Bug 1263879 - Check the return value of AtomizeString in str_replace_string_raw. r=h4writer
authorTooru Fujisawa <arai_a@mac.com>
Thu, 14 Apr 2016 16:41:37 +0900
changeset 293270 c70372e8bd86cfb1c568a20448f88ce88f3c98e9
parent 293269 6f330fed23146feb54337db0ea94780be788bfc2
child 293271 c77b965d8c74749ddc17f3c5744c950c64df3a3a
push id18749
push usercbook@mozilla.com
push dateFri, 15 Apr 2016 12:01:19 +0000
reviewersh4writer
bugs1263879
milestone48.0a1
Bug 1263879 - Check the return value of AtomizeString in str_replace_string_raw. r=h4writer
js/src/jit-test/tests/auto-regress/bug1263879.js
js/src/jsstr.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1263879.js
@@ -0,0 +1,21 @@
+if (!('oomTest' in this))
+    quit();
+
+var lines = `
+
+
+
+"".replace([[2], 3])
+`.split('\n');
+var code = "";
+while (true) {
+    var line = lines.shift();
+    if (line == null)
+        break;
+    loadFile();
+    code += line + "\n";
+}
+loadFile(code);
+function loadFile(code) {
+    oomTest(() => eval(code));
+}
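Review bot: The line-accumulating loop at `while (true) { ... loadFile(); code += line + "\n"; }` does no useful work for this test: `loadFile()` is called without an argument, so each iteration runs `oomTest(() => eval(undefined))`, and the only call that exercises `str_replace_string_raw` is the final `loadFile(code)` with the full snippet. If this is a fuzzer-reduced case kept verbatim, a one-line comment saying so would stop the next reader from trying to "fix" it, e.g. `// Reduced fuzzer testcase; the loop shape is incidental, only the final oomTest matters.`; otherwise the whole file collapses to `if (!('oomTest' in this)) quit(); oomTest(() => eval('"".replace([[2], 3])'));`. Either way the test still relies on oomTest surfacing the former null dereference as a crash, which is presumably intended.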
--- a/js/src/jsstr.cpp
+++ b/js/src/jsstr.cpp
@@ -2304,16 +2304,19 @@ JSString*
 js::str_replace_string_raw(JSContext* cx, HandleString string, HandleString pattern,
                            HandleString replacement)
 {
     RootedLinearString repl(cx, replacement->ensureLinear(cx));
     if (!repl)
         return nullptr;
 
     RootedAtom pat(cx, AtomizeString(cx, pattern));
+    if (!pat)
+        return nullptr;
+
     size_t patternLength = pat->length();
     int32_t match;
     uint32_t dollarIndex;
 
     {
         AutoCheckCannotGC nogc;
         dollarIndex = repl->hasLatin1Chars()
                       ? FindDollarIndex(repl->latin1Chars(nogc), repl->length())
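Review bot: The added `if (!pat) return nullptr;` closes the null dereference at `pat->length()`, but the function's failure contract is still undocumented: both `ensureLinear` and `AtomizeString` can now make `str_replace_string_raw` return nullptr, and callers must check for that. A short header comment above the signature would help, e.g. `// Returns nullptr on failure (e.g. OOM in ensureLinear or AtomizeString); the callee is presumably expected to have reported the error on cx — confirm.`, with the "presumably" resolved by checking AtomizeString's contract. It would also be worth confirming that every caller already handles a nullptr return, since before this change the function could only return nullptr from the `repl` check. The body of `str_replace_string_raw` continues past the end of this hunk.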