Bug 655742: restrict tracing of array stores, r=dvander, a=dveditz
authorDavid Mandelin <dmandelin@mozilla.com>
Tue, 24 May 2011 12:11:19 -0700
changeset 27411 ed572ce324ba73c7c9b055e0995f2c1185637ea9
parent 27410 8f8185f5888102a4cad7172fd138f36fd4686393
child 27412 7424b1e94070124031d6261b25bb3fc830872bee
push id2725
push userdmandelin@mozilla.com
push dateTue, 24 May 2011 19:11:35 +0000
reviewersdvander, dveditz
bugs655742
milestone1.9.1.20pre
Bug 655742: restrict tracing of array stores, r=dvander, a=dveditz
js/src/jstracer.cpp
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -5988,16 +5988,21 @@ TraceRecorder::incProp(jsint incr, bool 
     uint32 slot;
     LIns* v_ins;
     CHECK_STATUS(prop(obj, obj_ins, slot, v_ins));
 
     if (slot == SPROP_INVALID_SLOT)
         ABORT_TRACE("incProp on invalid slot");
 
     jsval& v = STOBJ_GET_SLOT(obj, slot);
+    // Bug 655742: if the array element is a double, box_jsval can
+    // OOM after we have already overwritten the array object in
+    // the stack.
+    if (JSVAL_IS_DOUBLE(v))
+        return JSRS_STOP;
     CHECK_STATUS(inc(v, v_ins, incr, pre));
 
     box_jsval(v, v_ins);
 
     LIns* dslots_ins = NULL;
     stobj_set_slot(obj_ins, slot, dslots_ins, v_ins);
     return JSRS_CONTINUE;
 }
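Review bot: The new comment in incProp speaks of "the array element" and "the array object", but this function reads a plain object property slot (`STOBJ_GET_SLOT(obj, slot)` on the line above the guard), so the copy-pasted wording from the incElem case misdescribes what is being guarded; I would reword it to `// Bug 655742: if the slot value is a double, box_jsval can OOM after the operand has already been overwritten on the stack; stop recording instead.` The guard also returns `JSRS_STOP` bare, whereas the invalid-slot case a few lines earlier uses `ABORT_TRACE("incProp on invalid slot")`, which presumably records the abort reason in debug output — `ABORT_TRACE("incProp on double slot");` would keep the two bail-outs consistent and make this new abort visible when diagnosing trace coverage. Note that incProp begins before this hunk, so its parameters and the earlier `prop()` lookup are not visible here.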
@@ -6014,16 +6019,21 @@ TraceRecorder::incElem(jsint incr, bool 
     if (!JSVAL_IS_OBJECT(l) || !JSVAL_IS_INT(r) ||
         !guardDenseArray(JSVAL_TO_OBJECT(l), get(&l))) {
         return JSRS_STOP;
     }
 
     CHECK_STATUS(denseArrayElement(l, r, vp, v_ins, addr_ins));
     if (!addr_ins) // if we read a hole, abort
         return JSRS_STOP;
+    // Bug 655742: if the array element is a double, box_jsval can
+    // OOM after we have already overwritten the array object in
+    // the stack.
+    if (JSVAL_IS_DOUBLE(*vp))
+        return JSRS_STOP;
     CHECK_STATUS(inc(*vp, v_ins, incr, pre));
     box_jsval(*vp, v_ins);
     lir->insStorei(v_ins, addr_ins, 0);
     return JSRS_CONTINUE;
 }
 
 static bool
 evalCmp(LOpcode op, double l, double r)
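Review bot: The added guard tests only the element's type at record time (`JSVAL_IS_DOUBLE(*vp)`), yet an int-typed element still flows through `inc()` and then `box_jsval(*vp, v_ins)` on the following lines; if incrementing an int can yield a value that boxing must heap-allocate (e.g. past the int range), the same OOM-after-overwrite window the commit describes appears to remain — worth confirming against box_jsval's int handling, and if it does, the comment should say why ints are safe or the guard should widen to `!JSVAL_IS_INT(*vp)`. As in the hole check just above it, this bail-out is a bare `return JSRS_STOP;`; `ABORT_TRACE("incElem on double element");` would record the reason in debug output like the other aborts in this file. incElem's signature and the lookup of `l`/`r` lie before this hunk, so the operand setup is not visible here.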