Bug 1296249 - Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:357. r=jandem
authorSander Mathijs van Veen <smvv@kompiler.org>
Fri, 07 Oct 2016 10:20:44 -0400
changeset 316976 bb162dfbe7f2ffd78600a3da5a8e9bf261969fd5
parent 316975 847a2c97b414371c1ba7562f7cc35e498e261454
child 316977 3c560d4ed804f2ec17da977f4a4271539fe88c15
push id82576
push userryanvm@gmail.com
push dateFri, 07 Oct 2016 14:49:32 +0000
reviewersjandem
bugs1296249
milestone52.0a1
Bug 1296249 - Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:357. r=jandem
js/src/gc/Nursery.cpp
js/src/gc/Nursery.h
js/src/jit-test/tests/basic/bug1296249.js
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -334,17 +334,17 @@ js::Nursery::allocate(size_t size)
     }
 #endif
 
     MemProfiler::SampleNursery(reinterpret_cast<void*>(thing), size);
     return thing;
 }
 
 void*
-js::Nursery::allocateBuffer(Zone* zone, uint32_t nbytes)
+js::Nursery::allocateBuffer(Zone* zone, size_t nbytes)
 {
     MOZ_ASSERT(nbytes > 0);
 
     if (nbytes <= MaxNurseryBufferSize) {
         void* buffer = allocate(nbytes);
         if (buffer)
             return buffer;
     }
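Review bot: Widening `nbytes` to `size_t` stops this boundary from truncating a caller's byte count, but nothing inside `allocateBuffer(Zone*, size_t)` validates the request itself, and `MOZ_ASSERT(nbytes > 0)` is presumably compiled out in release builds, so the overflow-checked `length * element-size` arithmetic still has to happen in every caller before the call. I would record that contract above the definition: `// nbytes is a byte count in size_t so callers' length * element-size arithmetic is not truncated; callers must overflow-check that arithmetic themselves — this function only decides nursery vs. malloc placement.` The body of allocateBuffer continues past the end of the hunk, so the malloc fallback it falls through to is not visible here.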
@@ -353,29 +353,29 @@ js::Nursery::allocateBuffer(Zone* zone, 
     if (buffer && !mallocedBuffers.putNew(buffer)) {
         js_free(buffer);
         return nullptr;
     }
     return buffer;
 }
 
 void*
-js::Nursery::allocateBuffer(JSObject* obj, uint32_t nbytes)
+js::Nursery::allocateBuffer(JSObject* obj, size_t nbytes)
 {
     MOZ_ASSERT(obj);
     MOZ_ASSERT(nbytes > 0);
 
     if (!IsInsideNursery(obj))
         return obj->zone()->pod_malloc<uint8_t>(nbytes);
     return allocateBuffer(obj->zone(), nbytes);
 }
 
 void*
 js::Nursery::reallocateBuffer(JSObject* obj, void* oldBuffer,
-                              uint32_t oldBytes, uint32_t newBytes)
+                              size_t oldBytes, size_t newBytes)
 {
     if (!IsInsideNursery(obj))
         return obj->zone()->pod_realloc<uint8_t>((uint8_t*)oldBuffer, oldBytes, newBytes);
 
     if (!isInside(oldBuffer)) {
         void* newBuffer = obj->zone()->pod_realloc<uint8_t>((uint8_t*)oldBuffer, oldBytes, newBytes);
         if (newBuffer && oldBuffer != newBuffer)
             MOZ_ALWAYS_TRUE(mallocedBuffers.rekeyAs(oldBuffer, newBuffer, newBuffer));
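Review bot: `reallocateBuffer` receives the same `size_t` widening but, unlike both `allocateBuffer` overloads above it, asserts nothing about `oldBytes` or `newBytes`, so a truncated or zero `newBytes` computed by a caller would reach `pod_realloc` without being caught even in debug builds. If no caller legitimately shrinks a buffer to zero, mirroring the other overloads with `MOZ_ASSERT(newBytes > 0);` at the top of the function keeps the three entry points consistent; if zero is allowed, a one-line comment saying so would be worth adding. Note also that `oldBytes` is handed to `pod_realloc` as the size of the existing buffer, so it must match what was originally requested from `allocateBuffer` — a stale value there is something this function cannot detect. The function body runs past the end of the hunk.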
--- a/js/src/gc/Nursery.h
+++ b/js/src/gc/Nursery.h
@@ -169,27 +169,27 @@ class Nursery
 
     /*
      * Allocate and return a pointer to a new GC object with its |slots|
      * pointer pre-filled. Returns nullptr if the Nursery is full.
      */
     JSObject* allocateObject(JSContext* cx, size_t size, size_t numDynamic, const js::Class* clasp);
 
     /* Allocate a buffer for a given zone, using the nursery if possible. */
-    void* allocateBuffer(JS::Zone* zone, uint32_t nbytes);
+    void* allocateBuffer(JS::Zone* zone, size_t nbytes);
 
     /*
      * Allocate a buffer for a given object, using the nursery if possible and
      * obj is in the nursery.
      */
-    void* allocateBuffer(JSObject* obj, uint32_t nbytes);
+    void* allocateBuffer(JSObject* obj, size_t nbytes);
 
     /* Resize an existing object buffer. */
     void* reallocateBuffer(JSObject* obj, void* oldBuffer,
-                           uint32_t oldBytes, uint32_t newBytes);
+                           size_t oldBytes, size_t newBytes);
 
     /* Free an object buffer. */
     void freeBuffer(void* buffer);
 
     /* The maximum number of bytes allowed to reside in nursery buffers. */
     static const size_t MaxNurseryBufferSize = 1024;
 
     /* Do a minor collection. */
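Review bot: The header comments on the three widened declarations say nothing about the size contract the definitions enforce (a non-zero byte count, asserted in debug builds) or about why the parameter type changed, so a future caller could again compute the byte count in a 32-bit type and pass it through silently. I would extend the comment above `allocateBuffer(JS::Zone* zone, size_t nbytes)` to `/* Allocate a buffer for a given zone, using the nursery if possible. nbytes is a byte count and must be > 0; callers must do overflow-checked size_t arithmetic before calling. */` and add the same caveat to the `JSObject*` overload and to `reallocateBuffer`. The class body continues beyond the hunk.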
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1296249.js
@@ -0,0 +1,9 @@
+if (!('oomTest' in this))
+    quit();
+
+function f(x) {
+    new Int32Array(x);
+}
+
+f(0);
+oomTest(() => f(2147483647));
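Review bot: The new test carries no comment explaining what it guards, so a reader cannot tell why `2147483647` matters or why the call is wrapped in `oomTest`, and if the builtin is missing the file quits without exercising the regression at all. A short header such as `// Bug 1296249: an Int32Array length whose byte size does not fit in 32 bits must not be truncated into the nursery buffer size; run under oomTest so allocation failure paths are covered too.` would make the intent reviewable. Whether `f(2147483647)` is expected to throw or to succeed under OOM simulation is not stated anywhere in the file, so that expectation is presumably implicit in `oomTest` and would be worth spelling out.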