Bug 1212258 - ARM Assembler::as_b: Add oom check before reading the BufferOffset for debug assertions. r=jolesen
☠☠ backed out by da767cf4ce86 ☠ ☠
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Thu, 08 Oct 2015 18:07:15 +0200
changeset 266960 a4e0f0475b789412d8f575661b88a53c9589807d
parent 266959 f68b62d3af7f66075303094a4eae7424b5bc6248
child 266961 e04c59fd01c4b07898f805938e131afb3d71f7e5
push id29504
push usercbook@mozilla.com
push dateFri, 09 Oct 2015 09:43:23 +0000
treeherdermozilla-central@d01dd42e654b [default view] [failures only]
reviewersjolesen
bugs1212258
milestone44.0a1
Bug 1212258 - ARM Assembler::as_b: Add oom check before reading the BufferOffset for debug assertions. r=jolesen
js/src/jit-test/tests/ion/bug1212258.js
js/src/jit/Label.h
js/src/jit/arm/Assembler-arm.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1212258.js
@@ -0,0 +1,10 @@
+// |jit-test| allow-oom;
+function h(f, inputs) {
+    for (var j = 0; j < 99; ++j) {
+        for (var k = 0; k < 99; ++k) {
+            oomAfterAllocations(10)
+        }
+    }
+}
+m = function(y) {};
+h(m, []);
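Review bot: `oomAfterAllocations(10)` is called unconditionally in the inner loop, so on a shell built without the OOM-simulation testing functions this test would stop with a ReferenceError instead of being skipped. Adding `if (!('oomAfterAllocations' in this)) quit();` as the first statement after the `|jit-test|` directive avoids that. The parameters `f` and `inputs` of `h` are never read, and nothing in the file says what is being exercised. A header comment such as `// Simulated OOM while the ARM assembler emits a branch must not trip debug assertions (bug 1212258).` would make the reduced case maintainable.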
--- a/js/src/jit/Label.h
+++ b/js/src/jit/Label.h
@@ -55,17 +55,17 @@ struct LabelBase
     }
     // Sets the label's latest used position, returning the old use position in
     // the process.
     int32_t use(int32_t offset) {
         MOZ_ASSERT(!bound());
 
         int32_t old = offset_;
         offset_ = offset;
-        MOZ_ASSERT(offset_ == offset);
+        MOZ_ASSERT(offset_ == offset, "bitfield overflow");
 
         return old;
     }
 };
 
 // A label represents a position in an assembly buffer that may or may not have
 // already been generated. Labels can either be "bound" or "unbound", the
 // former meaning that its position is known and the latter that its position
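Review bot: The check `MOZ_ASSERT(offset_ == offset, "bitfield overflow")` exists only in debug builds, so in a release build an offset that does not fit `offset_` is stored truncated and `use()` returns normally. The new message implies `offset_` is a bitfield narrower than `int32_t`; its declaration is outside this hunk, so that is inferred. If nothing upstream bounds the assembly buffer size, a truncated entry in the label's use chain could later be patched as a branch target in generated code. Consider `MOZ_RELEASE_ASSERT(offset_ == offset, "bitfield overflow");`, or a comment on `use()` naming where the offset range is enforced.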
--- a/js/src/jit/arm/Assembler-arm.cpp
+++ b/js/src/jit/arm/Assembler-arm.cpp
@@ -2411,16 +2411,21 @@ Assembler::as_b(Label* l, Condition c)
             return ret;
         }
         ret = as_b(BOffImm(old), c, l);
     } else {
         old = LabelBase::INVALID_OFFSET;
         BOffImm inv;
         ret = as_b(inv, c, l);
     }
+
+    // We might oom while adding more instructions.
+    if (!ret.assigned())
+        return ret;
+
     DebugOnly<int32_t> check = l->use(ret.getOffset());
     MOZ_ASSERT(check == old);
     return ret;
 }
 
 BufferOffset
 Assembler::as_b(BOffImm off, Condition c, BufferOffset inst)
 {
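Review bot: The early return after `if (!ret.assigned())` leaves `l` without the new use recorded, so the label's use chain and the instruction buffer are no longer in step. That is safe only if every caller checks the assembler's OOM state before binding labels or finalizing the code, which this hunk does not show. The comment `// We might oom while adding more instructions.` should state that contract, for example `// On OOM as_b() returns an unassigned BufferOffset: skip l->use(), getOffset() is meaningless and the caller must discard the buffer.` Using `ret.assigned()` as the OOM signal is also indirect; if an unassigned offset can arise for any other reason, the debug check `MOZ_ASSERT(check == old)` is silently skipped for it. The body of `Assembler::as_b(Label*, Condition)` starts above the hunk.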