Bug 1270278; Handle OOM better in Debugger::onPopCall; r=shu
☠☠ backed out by 1b661134e2ca ☠ ☠
authorTerrence Cole <terrence@mozilla.com>
Fri, 27 May 2016 17:12:08 -0700
changeset 299398 619ef5aac05fa3dadb656fac5352dc712451c109
parent 299397 764ab2ad75e784d0175f6645c1c2fca4816863af
child 299399 577123ff73d3104f3979c123ccfbcc0303a20541
push id77552
push usertcole@mozilla.com
push dateSat, 28 May 2016 00:13:06 +0000
reviewersshu
bugs1270278
milestone49.0a1
Bug 1270278; Handle OOM better in Debugger::onPopCall; r=shu
js/src/jit-test/tests/debug/bug-1270278.js
js/src/vm/ScopeObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug-1270278.js
@@ -0,0 +1,18 @@
+// |jit-test| allow-oom; --fuzzing-safe
+// Adapted from randomly chosen test: js/src/jit-test/tests/modules/bug-1233915.js
+var i = 100;
+g = newGlobal();
+g.parent = this;
+g.eval("(" + function() {
+    Debugger(parent).onExceptionUnwind = function(frame) frame.eval("");
+} + ")()");
+// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/bug1242840.js
+oomTest(function() {
+    if (--i < 0)
+        return;
+    try {
+        for (x of y);
+    } catch (e) {
+        x
+    }
+})
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@@ -2731,18 +2731,20 @@ DebugScopes::onPopCall(AbstractFramePtr 
      */
     if (debugScope) {
         /*
          * Copy all frame values into the snapshot, regardless of
          * aliasing. This unnecessarily includes aliased variables
          * but it simplifies later indexing logic.
          */
         Rooted<GCVector<Value>> vec(cx, GCVector<Value>(cx));
-        if (!frame.copyRawFrameSlots(&vec) || vec.length() == 0)
+        if (!frame.copyRawFrameSlots(&vec) || vec.length() == 0) {
+            cx->recoverFromOutOfMemory();
             return;
+        }
 
         /*
          * Copy in formals that are not aliased via the scope chain
          * but are aliased via the arguments object.
          */
         RootedScript script(cx, frame.script());
         if (script->analyzedArgsUsage() && script->needsArgsObj() && frame.hasArgsObj()) {
             for (unsigned i = 0; i < frame.numFormalArgs(); ++i) {
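Review bot: The new braces put `cx->recoverFromOutOfMemory()` behind both halves of the `||`, so it also runs when `copyRawFrameSlots` succeeded and the frame simply has zero slots, which is not an allocation failure. If the recovery call clears or asserts on whatever exception is pending (its body is not visible here), a frame popped during exception unwinding could lose a legitimate exception or trip a debug assertion. I would split the condition: `if (!frame.copyRawFrameSlots(&vec)) { cx->recoverFromOutOfMemory(); return; }` followed by `if (vec.length() == 0) return;`. onPopCall starts above this hunk and continues past it.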
@@ -2752,17 +2754,17 @@ DebugScopes::onPopCall(AbstractFramePtr 
         }
 
         /*
          * Use a dense array as storage (since proxies do not have trace
          * hooks). This array must not escape into the wild.
          */
         RootedArrayObject snapshot(cx, NewDenseCopiedArray(cx, vec.length(), vec.begin()));
         if (!snapshot) {
-            cx->clearPendingException();
+            cx->recoverFromOutOfMemory();
             return;
         }
 
         debugScope->initSnapshot(*snapshot);
     }
 }
 
 void
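Review bot: The `!snapshot` branch needs a comment, because after `cx->recoverFromOutOfMemory()` it returns without reaching `debugScope->initSnapshot(*snapshot)`. That leaves the debug scope for the popped frame with no snapshot, and the bare `return;` tells the caller nothing. The same holds for the early return in the previous hunk. Something like `// OOM is swallowed on purpose: the scope is left without a snapshot and readers must handle that.` would record the intent. Whether later reads of this scope tolerate a missing snapshot is outside the hunk and worth confirming. The branch also treats every null result from `NewDenseCopiedArray` as out-of-memory, which the comment should state as an assumption.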