Mercurial > integration > mozilla-inbound / changeset / 6c3d92cbde28b6921e2525e91d7199c718b33169
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1254578 - Fix OOM case when rematerializing frames. (r=jandem)
authorShu-yu Guo <shu@rfrn.org>
Tue, 22 Mar 2016 16:19:52 -0700
changeset 289867 6c3d92cbde28b6921e2525e91d7199c718b33169
parent 289866 4ec87322b994b6624ff3338ce3479e2bda40c7bf
child 289868 fd8964d81f842e0bca4c7c3024cb798242119491
push id74023
push usershu@rfrn.org
push dateTue, 22 Mar 2016 23:17:29 +0000
treeherdermozilla-inbound@fd8964d81f84 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem
bugs1254578
milestone48.0a1
first release with
nightly linux32
6202ade0e6d6 / 48.0a1 / 20160324030447 / files
nightly linux64
6202ade0e6d6 / 48.0a1 / 20160324030447 / files
nightly mac
6202ade0e6d6 / 48.0a1 / 20160324030447 / files
nightly win32
6202ade0e6d6 / 48.0a1 / 20160324030447 / files
nightly win64
6202ade0e6d6 / 48.0a1 / 20160324030447 / files
last release without
nightly linux32
3587b25bae30 / 48.0a1 / 20160322030417 / files
nightly linux64
3587b25bae30 / 48.0a1 / 20160322030417 / files
nightly mac
3587b25bae30 / 48.0a1 / 20160322030417 / files
nightly win32
3587b25bae30 / 48.0a1 / 20160322030417 / files
nightly win64
3587b25bae30 / 48.0a1 / 20160322030417 / files
Bug 1254578 - Fix OOM case when rematerializing frames. (r=jandem)
js/src/jit-test/tests/debug/bug1254578.js file | annotate | diff | comparison | revisions
js/src/jit/RematerializedFrame.cpp file | annotate | diff | comparison | revisions 
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug1254578.js
@@ -0,0 +1,23 @@
+// |jit-test| error:ReferenceError; slow
+
+if (!('oomTest' in this))
+  throw (new ReferenceError);
+
+var g = newGlobal();
+g.debuggeeGlobal = this;
+g.eval("(" + function() {
+    dbg = new Debugger(debuggeeGlobal);
+    dbg.onExceptionUnwind = function(frame, exc) {
+        var s = '!';
+        for (var f = frame; f; f = f.older)
+            debuggeeGlobal.log += s;
+    };
+} + ")();");
+var dbg = new Debugger;
+dbg.onNewGlobalObject = function(global) {
+    get.seen = true;
+};
+oomTest(function() {
+    newGlobal({
+    })
+});
--- a/js/src/jit/RematerializedFrame.cpp
+++ b/js/src/jit/RematerializedFrame.cpp
@@ -73,36 +73,38 @@ RematerializedFrame::New(JSContext* cx, 
 }
 
 /* static */ bool
 RematerializedFrame::RematerializeInlineFrames(JSContext* cx, uint8_t* top,
                                                InlineFrameIterator& iter,
                                                MaybeReadFallback& fallback,
                                                Vector<RematerializedFrame*>& frames)
 {
-    if (!frames.resize(iter.frameCount()))
+    Vector<RematerializedFrame*> tempFrames(cx);
+    if (!tempFrames.resize(iter.frameCount()))
         return false;
 
     while (true) {
         size_t frameNo = iter.frameNo();
         RematerializedFrame* frame = RematerializedFrame::New(cx, top, iter, fallback);
         if (!frame)
             return false;
         if (frame->scopeChain()) {
             if (!EnsureHasScopeObjects(cx, frame))
                 return false;
         }
 
-        frames[frameNo] = frame;
+        tempFrames[frameNo] = frame;
 
         if (!iter.more())
             break;
         ++iter;
     }
 
+    frames = Move(tempFrames);
     return true;
 }
 
 /* static */ void
 RematerializedFrame::FreeInVector(Vector<RematerializedFrame*>& frames)
 {
     for (size_t i = 0; i < frames.length(); i++) {
         RematerializedFrame* f = frames[i];
mozilla-inbound
Deployed from b3b23ca3239b at 2021-02-23T19:22:35Z.