Bug 1270278; Handle OOM better in Debugger::onPopCall; r=shu
☠☠ backed out by 1b661134e2ca ☠ ☠
authorTerrence Cole <terrence@mozilla.com>
Fri, 27 May 2016 17:12:08 -0700
changeset 338413 619ef5aac05fa3dadb656fac5352dc712451c109
parent 338412 764ab2ad75e784d0175f6645c1c2fca4816863af
child 338414 577123ff73d3104f3979c123ccfbcc0303a20541
push id6249
push userjlund@mozilla.com
push dateMon, 01 Aug 2016 13:59:36 +0000
treeherdermozilla-beta@bad9d4f5bf7e [default view] [failures only]
reviewersshu
bugs1270278
milestone49.0a1
Bug 1270278; Handle OOM better in Debugger::onPopCall; r=shu
js/src/jit-test/tests/debug/bug-1270278.js
js/src/vm/ScopeObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug-1270278.js
@@ -0,0 +1,18 @@
+// |jit-test| allow-oom; --fuzzing-safe
+// Adapted from randomly chosen test: js/src/jit-test/tests/modules/bug-1233915.js
+var i = 100;
+g = newGlobal();
+g.parent = this;
+g.eval("(" + function() {
+    Debugger(parent).onExceptionUnwind = function(frame) frame.eval("");
+} + ")()");
+// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/bug1242840.js
+oomTest(function() {
+    if (--i < 0)
+        return;
+    try {
+        for (x of y);
+    } catch (e) {
+        x
+    }
+})
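Review bot: `oomTest` is called unconditionally at the end of this new test, so in a shell build that does not define the OOM-testing functions the test fails with a ReferenceError instead of being skipped. A guard as the first statement, `if (!('oomTest' in this)) quit();`, avoids spurious failures on those configurations. A one-line comment stating the expected outcome (no crash or assertion when allocation fails while the `onExceptionUnwind` hook runs `frame.eval("")`) would also help, since the two "Adapted from" comments only name the source tests.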
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@@ -2731,18 +2731,20 @@ DebugScopes::onPopCall(AbstractFramePtr 
      */
     if (debugScope) {
         /*
          * Copy all frame values into the snapshot, regardless of
          * aliasing. This unnecessarily includes aliased variables
          * but it simplifies later indexing logic.
          */
         Rooted<GCVector<Value>> vec(cx, GCVector<Value>(cx));
-        if (!frame.copyRawFrameSlots(&vec) || vec.length() == 0)
+        if (!frame.copyRawFrameSlots(&vec) || vec.length() == 0) {
+            cx->recoverFromOutOfMemory();
             return;
+        }
 
         /*
          * Copy in formals that are not aliased via the scope chain
          * but are aliased via the arguments object.
          */
         RootedScript script(cx, frame.script());
         if (script->analyzedArgsUsage() && script->needsArgsObj() && frame.hasArgsObj()) {
             for (unsigned i = 0; i < frame.numFormalArgs(); ++i) {
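Review bot: The added `cx->recoverFromOutOfMemory()` runs for both halves of the condition, so it is also reached when `copyRawFrameSlots` succeeded and `vec.length() == 0`, which is not an allocation failure. Its definition is not in this diff; if it assumes that any pending exception is an out-of-memory error, the empty-vector path could violate that assumption while an unrelated exception is pending, and the test added in this commit exercises exception unwinding under the Debugger. Splitting the check keeps recovery on the failure path only: `if (!frame.copyRawFrameSlots(&vec)) { cx->recoverFromOutOfMemory(); return; }` followed by `if (vec.length() == 0) return;`. The body of onPopCall starts before this hunk and continues past it.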
@@ -2752,17 +2754,17 @@ DebugScopes::onPopCall(AbstractFramePtr 
         }
 
         /*
          * Use a dense array as storage (since proxies do not have trace
          * hooks). This array must not escape into the wild.
          */
         RootedArrayObject snapshot(cx, NewDenseCopiedArray(cx, vec.length(), vec.begin()));
         if (!snapshot) {
-            cx->clearPendingException();
+            cx->recoverFromOutOfMemory();
             return;
         }
 
         debugScope->initSnapshot(*snapshot);
     }
 }
 
 void
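Review bot: The snapshot-failure branch swallows the error and returns without recording what state that leaves: `debugScope->initSnapshot(*snapshot)` is skipped, so the scope keeps no snapshot of the popped frame. A comment above the call, such as `// onPopCall returns void and cannot propagate OOM; drop the error and leave the scope without a snapshot.`, would document that this is intentional. It is also worth confirming that `NewDenseCopiedArray` can only fail with out-of-memory here, since the replaced `clearPendingException()` cleared any exception and the new call is OOM-specific by name.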