Bug 987935 - inlineScriptedCall() must check return of TypeSet::clone(). r=nbp
authorSean Stangl <sstangl@mozilla.com>
Tue, 25 Mar 2014 12:39:27 -0700
changeset 175887 2cb79b338122220d139180b8d17272e795aa26df
parent 175886 a7355ddf5b01b14673b7031fa68f78caa27da9c3
child 175888 32f04076b6b59d90f5a6de45d513b275926c2af0
push id41639
push usersean.stangl@gmail.com
push dateFri, 28 Mar 2014 18:02:17 +0000
treeherdermozilla-inbound@2cb79b338122 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnbp
bugs987935
milestone31.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 987935 - inlineScriptedCall() must check return of TypeSet::clone(). r=nbp
js/src/jit/IonBuilder.cpp
js/src/jit/IonBuilder.h
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -3913,18 +3913,20 @@ IonBuilder::inlineScriptedCall(CallInfo 
 
     // Improve type information of |this| when not set.
     if (callInfo.constructing() &&
         !callInfo.thisArg()->resultTypeSet() &&
         calleeScript->types)
     {
         types::StackTypeSet *types = types::TypeScript::ThisTypes(calleeScript);
         if (!types->unknown()) {
-            MTypeBarrier *barrier =
-                MTypeBarrier::New(alloc(), callInfo.thisArg(), types->clone(alloc_->lifoAlloc()));
+            types::TemporaryTypeSet *clonedTypes = types->clone(alloc_->lifoAlloc());
+            if (!clonedTypes)
+                return oom();
+            MTypeBarrier *barrier = MTypeBarrier::New(alloc(), callInfo.thisArg(), clonedTypes);
             current->add(barrier);
             callInfo.setThis(barrier);
         }
     }
 
     // Start inlining.
     LifoAlloc *lifoAlloc = alloc_->lifoAlloc();
     CompileInfo *info = lifoAlloc->new_<CompileInfo>(calleeScript, target,
--- a/js/src/jit/IonBuilder.h
+++ b/js/src/jit/IonBuilder.h
@@ -839,16 +839,21 @@ class IonBuilder : public MIRGenerator
 
     /* Information used for inline-call builders. */
     MResumePoint *callerResumePoint_;
     jsbytecode *callerPC() {
         return callerResumePoint_ ? callerResumePoint_->pc() : nullptr;
     }
     IonBuilder *callerBuilder_;
 
+    bool oom() {
+        abortReason_ = AbortReason_Alloc;
+        return false;
+    }
+
     struct LoopHeader {
         jsbytecode *pc;
         MBasicBlock *header;
 
         LoopHeader(jsbytecode *pc, MBasicBlock *header)
           : pc(pc), header(header)
         {}
     };