Bug 831040 - Disallow GCs during error reporting for allocation and string/inflate bad inputs, r=terrence.
authorBrian Hackett <bhackett1024@gmail.com>
Wed, 16 Jan 2013 14:03:59 -0700
changeset 119067 f719315ea4121c192a8c9f5c0f65fc114472e351
parent 119066 3e149de4b63871eb66b4555be097f4c348e19618
child 119068 64eb6292b965b3cd08ae4a982b2ee7648e2b87d0
push id24189
push useremorley@mozilla.com
push dateThu, 17 Jan 2013 10:42:06 +0000
treeherdermozilla-central@712eca11a04e [default view] [failures only]
reviewersterrence
bugs831040
milestone21.0a1
Bug 831040 - Disallow GCs during error reporting for allocation and string/inflate bad inputs, r=terrence.
js/src/jscntxt.cpp
js/src/jsstr.cpp
--- a/js/src/jscntxt.cpp
+++ b/js/src/jscntxt.cpp
@@ -549,18 +549,20 @@ js_ReportOverRecursed(JSContext *maybecx
 #endif
     if (maybecx)
         JS_ReportErrorNumber(maybecx, js_GetErrorMessage, NULL, JSMSG_OVER_RECURSED);
 }
 
 void
 js_ReportAllocationOverflow(JSContext *maybecx)
 {
-    if (maybecx)
+    if (maybecx) {
+        AutoSuppressGC suppressGC(maybecx);
         JS_ReportErrorNumber(maybecx, js_GetErrorMessage, NULL, JSMSG_ALLOC_OVERFLOW);
+    }
 }
 
 /*
  * Given flags and the state of cx, decide whether we should report an
  * error, a warning, or just continue execution normally.  Return
  * true if we should continue normally, without reporting anything;
  * otherwise, adjust *flags as appropriate and return false.
  */
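Review bot: The new `AutoSuppressGC suppressGC(maybecx);` in js_ReportAllocationOverflow carries no comment saying why error reporting must not trigger a GC, and the same applies to the guards added in DeflateStringToBuffer and InflateStringToBuffer in jsstr.cpp. The commit title suggests that callers can reach these reporters while holding GC things that are not rooted, but the code does not state that invariant; a line such as `// Callers may hold unrooted GC pointers here; keep error reporting from triggering a GC.` would record it (wording to be confirmed by the author). The context lines also show js_ReportOverRecursed making the same JS_ReportErrorNumber call on maybecx with no guard. Its body starts outside the hunk, so it is worth confirming that leaving it unguarded is intentional.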
--- a/js/src/jsstr.cpp
+++ b/js/src/jsstr.cpp
@@ -3850,16 +3850,17 @@ bool
 js::DeflateStringToBuffer(JSContext *maybecx, const jschar *src, size_t srclen,
                           char *dst, size_t *dstlenp)
 {
     size_t dstlen = *dstlenp;
     if (srclen > dstlen) {
         for (size_t i = 0; i < dstlen; i++)
             dst[i] = (char) src[i];
         if (maybecx) {
+            AutoSuppressGC suppress(maybecx);
             JS_ReportErrorNumber(maybecx, js_GetErrorMessage, NULL,
                                  JSMSG_BUFFER_TOO_SMALL);
         }
         return JS_FALSE;
     }
     for (size_t i = 0; i < srclen; i++)
         dst[i] = (char) src[i];
     *dstlenp = srclen;
@@ -3871,32 +3872,37 @@ js::InflateStringToBuffer(JSContext *may
                           jschar *dst, size_t *dstlenp)
 {
     if (dst) {
         size_t dstlen = *dstlenp;
         if (srclen > dstlen) {
             for (size_t i = 0; i < dstlen; i++)
                 dst[i] = (unsigned char) src[i];
             if (maybecx) {
+                AutoSuppressGC suppress(maybecx);
                 JS_ReportErrorNumber(maybecx, js_GetErrorMessage, NULL,
                                      JSMSG_BUFFER_TOO_SMALL);
             }
             return JS_FALSE;
         }
         for (size_t i = 0; i < srclen; i++)
             dst[i] = (unsigned char) src[i];
     }
     *dstlenp = srclen;
     return JS_TRUE;
 }
 
 bool
 js::InflateUTF8StringToBuffer(JSContext *cx, const char *src, size_t srclen,
                               jschar *dst, size_t *dstlenp)
 {
+    mozilla::Maybe<AutoSuppressGC> suppress;
+    if (cx)
+        suppress.construct(cx);
+
     size_t dstlen, origDstlen, offset, j, n;
     uint32_t v;
 
     dstlen = dst ? *dstlenp : (size_t) -1;
     origDstlen = dstlen;
     offset = 0;
 
     while (srclen) {
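Review bot: In InflateUTF8StringToBuffer the suppression is constructed at function entry and therefore lasts for the whole decode, whereas DeflateStringToBuffer and InflateStringToBuffer scope it to the branch that calls JS_ReportErrorNumber. The function body continues past the end of this hunk, so the reporting sites are not visible here. If there are several, a comment such as `// Errors can be reported from multiple points below, so suppress GC for the whole function.` would justify the wider scope; if there is only one, narrowing the guard to that branch would match the siblings. The added `if (cx)` also shows that this parameter may be null, while the sibling functions name a nullable context `maybecx`; a rename or a note on the signature would stop callers and later edits from assuming a non-null context.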