Bug 1305948 - Fix OOM bug in TypedArrayObject::GetTemplateObjectForNative. r=smvv, a=ritu
authorJan de Mooij <jdemooij@mozilla.com>
Fri, 30 Sep 2016 12:06:15 +0200
changeset 355948 a9ba2aa61f5b9f5cbc25ed8431bb41f2d0c47703
parent 355947 3a72e917e75649b350147c1aa6bce5f57a64c3d5
child 355949 edbfbd7da7d0a1efc21393125e445dda533f8715
push id6570
push userraliiev@mozilla.com
push dateMon, 14 Nov 2016 12:26:13 +0000
reviewerssmvv, ritu
bugs1305948
milestone51.0a2
Bug 1305948 - Fix OOM bug in TypedArrayObject::GetTemplateObjectForNative. r=smvv, a=ritu
js/src/jit/BaselineIC.cpp
js/src/vm/TypedArrayObject.cpp
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -5520,18 +5520,20 @@ GetTemplateObjectForNative(JSContext* cx
     }
 
     if (args.length() == 1) {
         size_t len = 0;
 
         if (args[0].isInt32() && args[0].toInt32() >= 0)
             len = args[0].toInt32();
 
-        if (TypedArrayObject::GetTemplateObjectForNative(cx, native, len, res))
-            return !!res;
+        if (!TypedArrayObject::GetTemplateObjectForNative(cx, native, len, res))
+            return false;
+        if (res)
+            return true;
     }
 
     if (native == js::array_slice) {
         if (args.thisv().isObject()) {
             JSObject* obj = &args.thisv().toObject();
             if (!obj->isSingleton()) {
                 if (obj->group()->maybePreliminaryObjects()) {
                     *skipAttach = true;
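Review bot: The two added lines leave the meaning of a false return implicit: the old `return !!res` conflated "no template object for this native" with "allocation failed", and the new split fixes that, but nothing at the call site tells the next reader why a null `res` falls through while a false return propagates. A short comment above the call would stop someone collapsing it back, e.g. `// false means an exception is pending (OOM); a null res only means no template object applies to this native.` The enclosing GetTemplateObjectForNative in BaselineIC.cpp starts before this hunk and continues after it.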
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -1271,22 +1271,22 @@ TypedArrayObject::GetTemplateObjectForNa
 #define CHECK_TYPED_ARRAY_CONSTRUCTOR(T, N) \
     if (native == &TypedArrayObjectTemplate<T>::class_constructor) { \
         size_t nbytes; \
         if (!js::CalculateAllocSize<T>(len, &nbytes)) \
             return true; \
         \
         if (nbytes < TypedArrayObject::SINGLETON_BYTE_LENGTH) { \
             res.set(TypedArrayObjectTemplate<T>::makeTemplateObject(cx, len)); \
-            return true; \
+            return !!res; \
         } \
     }
 JS_FOR_EACH_TYPED_ARRAY(CHECK_TYPED_ARRAY_CONSTRUCTOR)
 #undef CHECK_TYPED_ARRAY_CONSTRUCTOR
-    return false;
+    return true;
 }
 
 /*
  * These next 3 functions are brought to you by the buggy GCC we use to build
  * B2G ICS. Older GCC versions have a bug in which they fail to compile
  * reinterpret_casts of templated functions with the message: "insufficient
  * contextual information to determine type". JS_PSG needs to
  * reinterpret_cast<JSGetterOp>, so this causes problems for us here.
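Review bot: The return contract of TypedArrayObject::GetTemplateObjectForNative changes in this hunk (false previously meant "not a typed-array constructor", now it means makeTemplateObject returned null), yet the definition carries no comment stating it, and the early `return true` after a failing CalculateAllocSize makes the contract easy to misread as "overflow is success". Suggest a header comment on the definition, whose signature sits above this hunk, saying that the function returns false only when a template object could not be allocated, and that on a true return `res` is null whenever no template applies, i.e. `native` is not a typed-array constructor, the byte length overflows the allocation-size check, or nbytes reaches SINGLETON_BYTE_LENGTH. Whether makeTemplateObject reports the OOM itself is not visible here; if it does not, the `return !!res` path would hand the caller a false return with no pending exception, which the BaselineIC.cpp call site in this commit would then propagate as if one were set.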