Bug 858097 - Fix StackFrame::epilogue to check |this| is an object to avoid OOM crashes. r=jwalden
authorJan de Mooij <jdemooij@mozilla.com>
Fri, 12 Apr 2013 14:18:44 +0200
changeset 128587 25323c442d1adf6320d69f57310439fcac1425e3
parent 128586 4c0d13ce4c4a208afd1b778543883bb4c9d5db18
child 128588 43acb3f9b06b35aaa23f2d708f180f5c39621ebc
push id24532
push userryanvm@gmail.com
push dateFri, 12 Apr 2013 19:06:49 +0000
reviewersjwalden
bugs858097
milestone23.0a1
Bug 858097 - Fix StackFrame::epilogue to check |this| is an object to avoid OOM crashes. r=jwalden
js/src/jit-test/tests/basic/bug858097.js
js/src/vm/Stack.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug858097.js
@@ -0,0 +1,6 @@
+// |jit-test| allow-oom
+function MyObject( value ) {}
+gcparam("maxBytes", gcparam("gcBytes") + 4*(1));
+gczeal(4);
+function test() {}
+var obj = new test();
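Review bot: The `MyObject` function on the second line is never called and `4*(1)` on the third reduces to `4`, so the test reads as an unreduced fuzzer output rather than a description of what it checks. A one-line comment stating the intent would help a future maintainer keep it meaningful, e.g. `// Constructing under a tight GC budget may fail to allocate |this|; the epilogue must not crash.` whether or not the dead function is dropped. The `allow-oom` directive is what makes the forced-OOM run acceptable, so keep it if the file is trimmed.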
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@@ -402,18 +402,17 @@ StackFrame::epilogue(JSContext *cx)
     if (fun()->isHeavyweight())
         JS_ASSERT_IF(hasCallObj(), scopeChain()->asCall().callee().nonLazyScript() == script);
     else
         AssertDynamicScopeMatchesStaticScope(cx, script, scopeChain());
 
     if (cx->compartment->debugMode())
         DebugScopes::onPopCall(this, cx);
 
-
-    if (isConstructing() && returnValue().isPrimitive())
+    if (isConstructing() && thisValue().isObject() && returnValue().isPrimitive())
         setReturnValue(ObjectValue(constructorThis()));
 }
 
 bool
 StackFrame::jitStrictEvalPrologue(JSContext *cx)
 {
     JS_ASSERT(isStrictEvalFrame());
     CallObject *callobj = CallObject::createForStrictEval(cx, this);
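Review bot: The added `thisValue().isObject()` guard on the constructing/primitive-return line has no comment explaining when a constructing frame can reach the epilogue without an object |this|, so a reader is likely to treat it as redundant and remove it. Per the commit message the case is allocation failure of |this| under OOM, and `constructorThis()` presumably requires an object, so a why-comment above the condition is warranted: `// |this| may not be an object if its allocation failed (OOM); skip the fixup rather than crash in constructorThis().`. It is unclear from the hunk whether the return value is left as a primitive deliberately in that case or whether an error is already propagating; the comment should say which once confirmed. StackFrame::epilogue begins before this hunk.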