Bug 1248420 - Handle JSObject::getGroup OOM in js::ArraySetLength. r=jandem
authorTooru Fujisawa <arai_a@mac.com>
Wed, 17 Feb 2016 01:40:18 +0900
changeset 331325 995ff53a4d50c9986e3475c1b4bc1ea8cc0f7aad
parent 331324 c5631db6889e4a4c1afe3004aac3f22e5736b4a7
child 331326 b85eae6c9a0582aa8bd92ec4adf4fea753ae539c
push id10956
push userjolesen@mozilla.com
push dateTue, 16 Feb 2016 19:12:12 +0000
reviewersjandem
bugs1248420
milestone47.0a1
Bug 1248420 - Handle JSObject::getGroup OOM in js::ArraySetLength. r=jandem
js/src/jsarray.cpp
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -611,19 +611,19 @@ js::ArraySetLength(JSContext* cx, Handle
         // that element must prevent any deletions below it.  Bug 586842 should
         // fix this inefficiency by moving indexed storage to be entirely
         // separate from non-indexed storage.
         // A second reason for this optimization to be invalid is an active
         // for..in iteration over the array. Keys deleted before being reached
         // during the iteration must not be visited, and suppressing them here
         // would be too costly.
         ObjectGroup* arrGroup = arr->getGroup(cx);
-        if (!arr->isIndexed() &&
-            !MOZ_UNLIKELY(!arrGroup || arrGroup->hasAllFlags(OBJECT_FLAG_ITERATED)))
-        {
+        if (MOZ_UNLIKELY(!arrGroup))
+            return false;
+        if (!arr->isIndexed() && !MOZ_UNLIKELY(arrGroup->hasAllFlags(OBJECT_FLAG_ITERATED))) {
             if (!arr->maybeCopyElementsForWrite(cx))
                 return false;
 
             uint32_t oldCapacity = arr->getDenseCapacity();
             uint32_t oldInitializedLength = arr->getDenseInitializedLength();
             MOZ_ASSERT(oldCapacity >= oldInitializedLength);
             if (oldInitializedLength > newLen)
                 arr->setDenseInitializedLength(newLen);
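Review bot: The new early return at the top of the hunk turns a null group into a hard failure even when `arr->isIndexed()` is true and the group would never have been consulted; if arrGroup is not used further down (js::ArraySetLength starts before the hunk and its body continues past it), moving the `arr->getGroup(cx)` call and the null check inside an `if (!arr->isIndexed())` guard keeps the OOM failure path as narrow as it was before. The `return false` also presumably relies on getGroup having already reported the OOM so the caller sees a pending exception; a comment such as `// getGroup reports OOM before returning null; propagate the failure.` would make that contract visible at the call site. On style, `!MOZ_UNLIKELY(arrGroup->hasAllFlags(OBJECT_FLAG_ITERATED))` negates a branch hint; `MOZ_LIKELY(!arrGroup->hasAllFlags(OBJECT_FLAG_ITERATED))` expresses the same condition without the double negation.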