Bug 840012 - Handle OOM in CreateThisForFunction (r=hannes)
authorLuke Wagner <luke@mozilla.com>
Wed, 17 Apr 2013 08:50:54 -0700
changeset 129087 64198b55d1ae4b9a4a8e99add95ecec57a97a820
parent 129086 52c19b088828c46d90b93873b7433c2d9bd145a9
child 129088 dd6600519161df8354d71ef6bbd0d041f6a579ad
push id24556
push userryanvm@gmail.com
push dateWed, 17 Apr 2013 20:02:07 +0000
reviewershannes
bugs840012
milestone23.0a1
Bug 840012 - Handle OOM in CreateThisForFunction (r=hannes)
js/src/ion/VMFunctions.cpp
js/src/jit-test/tests/basic/testBug0012.js
js/src/shell/js.cpp
--- a/js/src/ion/VMFunctions.cpp
+++ b/js/src/ion/VMFunctions.cpp
@@ -526,17 +526,20 @@ CreateThis(JSContext *cx, HandleObject c
     rval.set(MagicValue(JS_IS_CONSTRUCTING));
 
     if (callee->isFunction()) {
         JSFunction *fun = callee->toFunction();
         if (fun->isInterpreted()) {
             JSScript *script = fun->getOrCreateScript(cx);
             if (!script || !script->ensureHasTypes(cx))
                 return false;
-            rval.set(ObjectValue(*CreateThisForFunction(cx, callee, false)));
+            JSObject *thisObj = CreateThisForFunction(cx, callee, false);
+            if (!thisObj)
+                return false;
+            rval.set(ObjectValue(*thisObj));
         }
     }
 
     return true;
 }
 
 void
 GetDynamicName(JSContext *cx, JSObject *scopeChain, JSString *str, Value *vp)
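Review bot: The new `if (!thisObj) return false;` in CreateThis carries no comment saying why a bare failure return is sufficient. It presumably relies on CreateThisForFunction having already reported the out-of-memory condition on `cx`, which this hunk does not show. A one-line comment above the check would record that contract, for example `// NULL means OOM, already reported on cx; propagate the failure.` The removed line dereferenced the result unconditionally inside `ObjectValue(*...)`, so the comment also explains to later readers why the temporary exists. CreateThis begins above the hunk, so callers of `rval` on the failure path could not be checked from here.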
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testBug0012.js
@@ -0,0 +1,16 @@
+// |jit-test| error:out of memory
+
+gcPreserveCode();
+evaluate("gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 4*1024);");
+evaluate("\
+function testDontEnum(F) { \
+  function test() {\
+    typeof (new test(\"1\")) != 'function'\
+  }\
+  test();\
+} \
+var list = [];\
+for (i in list)\
+  var F = this[list[i]];\
+actual = testDontEnum(F);\
+");
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@@ -1038,17 +1038,20 @@ Evaluate(JSContext *cx, unsigned argc, j
             if (!smurl)
                 return false;
             jschar *smurl_copy = js_strdup(cx, smurl);
             if (!smurl_copy || !script->scriptSource()->setSourceMap(cx, smurl_copy, script->filename()))
                 return false;
         }
         if (!JS_ExecuteScript(cx, global, script, vp)) {
             if (catchTermination && !JS_IsExceptionPending(cx)) {
-                args.rval().setString(JS_NewStringCopyZ(cx, "terminated"));
+                JSString *str = JS_NewStringCopyZ(cx, "terminated");
+                if (!str)
+                    return false;
+                args.rval().setString(str);
                 return true;
             }
             return false;
         }
     }
 
     return JS_WrapValue(cx, vp);
 }
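Review bot: The `catchTermination` branch still leaves through `return true;` and so skips the `JS_WrapValue(cx, vp)` that the normal exit at the end of Evaluate applies to the result. If the enclosing block, which opens above this hunk, has entered the compartment of `global`, then `str` is allocated in that compartment and handed to the caller unwrapped. Please confirm which compartment is current at this point. If it is not the caller's, route this path through the shared exit so the value is wrapped, or allocate the string only after the block has closed. The added null check itself looks right, since `setString` would otherwise receive a null pointer on allocation failure.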