author | Jon Coppeard <jcoppeard@mozilla.com> |
Thu, 08 Oct 2015 10:49:49 +0100 | |
changeset 266850 | 2d03295efd5f759e00697ad5cf13617e4cf41f86 |
parent 266849 | af903bae2619af2c0719f5a2734e5f39f0fa6743 |
child 266851 | 1b6a1a82017691789b2e5a30f1c9d74220fe3596 |
push id | 29499 |
push user | kwierso@gmail.com |
push date | Thu, 08 Oct 2015 21:29:10 +0000 |
treeherder | mozilla-central@46da59584acb [default view] [failures only] |
perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
reviewers | jandem |
bugs | 978802 |
milestone | 44.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/js/src/jit-test/tests/baseline/bug847425.js +++ b/js/src/jit-test/tests/baseline/bug847425.js @@ -1,9 +1,9 @@ -// |jit-test| allow-oom +// |jit-test| allow-oom; allow-unhandlable-oom gcparam("maxBytes", gcparam("gcBytes") + 4*1024); var max = 400; function f(b) { if (b) { f(b - 1); } else { g = { apply:function(x,y) { }
new file mode 100644 --- /dev/null +++ b/js/src/jit-test/tests/gc/bug-978802.js @@ -0,0 +1,17 @@ +load(libdir + 'oomTest.js'); + +oomTest(() => { + try { + var max = 400; + function f(b) { + if (b) { + f(b - 1); + } else { + g = {}; + } + g.apply(null, arguments); + } + f(max - 1); + } catch(exc0) {} + f(); +});
--- a/js/src/jsscript.cpp +++ b/js/src/jsscript.cpp @@ -4022,27 +4022,21 @@ JSScript::argumentsOptimizationFailed(JS * implies fp->hasArgsObj", the Ion bail mechanism will create an * arguments object right after restoring the BaselineFrame and before * entering Baseline code (in jit::FinishBailoutToBaseline). */ if (i.isIon()) continue; AbstractFramePtr frame = i.abstractFramePtr(); if (frame.isFunctionFrame() && frame.script() == script) { + /* We crash on OOM since cleaning up here would be complicated. */ + AutoEnterOOMUnsafeRegion oomUnsafe; ArgumentsObject* argsobj = ArgumentsObject::createExpected(cx, frame); - if (!argsobj) { - /* - * We can't leave stack frames with script->needsArgsObj but no - * arguments object. It is, however, safe to leave frames with - * an arguments object but !script->needsArgsObj. - */ - script->needsArgsObj_ = false; - return false; - } - + if (!argsobj) + oomUnsafe.crash("JSScript::argumentsOptimizationFailed"); SetFrameArgumentsObject(cx, frame, script, argsobj); } } return true; } bool