Mercurial > mozilla-central / changeset / 30406bf293ecea80a3e40ce0ec9a95359f3f4e58
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1272908 - Fix OOM in DebugScopes::onPopCall(). (r=shu)
authorEric Faust <efaustbmo@gmail.com>
Mon, 27 Jun 2016 15:21:13 -0700
changeset 302802 30406bf293ecea80a3e40ce0ec9a95359f3f4e58
parent 302801 2ae2d69ebed3b3449f76173ce02bfd06d2513543
child 302803 38cb4f9e6f31cd5a855375b0f7c59f871806384a
push id30376
push usercbook@mozilla.com
push dateTue, 28 Jun 2016 14:09:36 +0000
treeherdermozilla-central@e45890951ce7 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersshu
bugs1272908
milestone50.0a1
first release with
nightly linux32
e45890951ce7 / 50.0a1 / 20160629030209 / files
nightly linux64
e45890951ce7 / 50.0a1 / 20160629030209 / files
nightly mac
e45890951ce7 / 50.0a1 / 20160629030209 / files
nightly win32
e45890951ce7 / 50.0a1 / 20160629030209 / files
nightly win64
e45890951ce7 / 50.0a1 / 20160629030209 / files
last release without
nightly linux32
0e3f8401b804 / 50.0a1 / 20160627030215 / files
nightly linux64
0e3f8401b804 / 50.0a1 / 20160627030215 / files
nightly mac
0e3f8401b804 / 50.0a1 / 20160627030215 / files
nightly win32
0e3f8401b804 / 50.0a1 / 20160627030215 / files
nightly win64
0e3f8401b804 / 50.0a1 / 20160627030215 / files
Bug 1272908 - Fix OOM in DebugScopes::onPopCall(). (r=shu)
js/src/jit-test/tests/debug/bug1272908.js file | annotate | diff | comparison | revisions
js/src/vm/ScopeObject.cpp file | annotate | diff | comparison | revisions 
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug1272908.js
@@ -0,0 +1,19 @@
+// |jit-test| error: out of memory; slow;
+
+// Adapted from randomly chosen test: js/src/jit-test/tests/modules/bug-1233915.js
+g = newGlobal();
+g.parent = this;
+g.eval("(" + function() {
+    Debugger(parent).onExceptionUnwind = function(frame)
+    frame.eval("")
+} + ")()");
+// Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1254123.js
+function ERROR(msg) {
+    throw new Error("boom");
+}
+var dbg = new Debugger;
+dbg.onNewGlobalObject = ERROR;
+oomTest(function() {
+    newGlobal();
+})
+
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@@ -2732,17 +2732,22 @@ DebugScopes::onPopCall(AbstractFramePtr 
      */
     if (debugScope) {
         /*
          * Copy all frame values into the snapshot, regardless of
          * aliasing. This unnecessarily includes aliased variables
          * but it simplifies later indexing logic.
          */
         Rooted<GCVector<Value>> vec(cx, GCVector<Value>(cx));
-        if (!frame.copyRawFrameSlots(&vec) || vec.length() == 0)
+        if (!frame.copyRawFrameSlots(&vec)) {
+            cx->recoverFromOutOfMemory();
+            return;
+        }
+
+        if (vec.length() == 0)
             return;
 
         /*
          * Copy in formals that are not aliased via the scope chain
          * but are aliased via the arguments object.
          */
         RootedScript script(cx, frame.script());
         if (script->analyzedArgsUsage() && script->needsArgsObj() && frame.hasArgsObj()) {
@@ -2753,17 +2758,17 @@ DebugScopes::onPopCall(AbstractFramePtr 
         }
 
         /*
          * Use a dense array as storage (since proxies do not have trace
          * hooks). This array must not escape into the wild.
          */
         RootedArrayObject snapshot(cx, NewDenseCopiedArray(cx, vec.length(), vec.begin()));
         if (!snapshot) {
-            cx->clearPendingException();
+            cx->recoverFromOutOfMemory();
             return;
         }
 
         debugScope->initSnapshot(*snapshot);
     }
 }
 
 void
mozilla-central
Deployed from 1769ae2b5feb at 2022-05-11T14:55:53Z.