Bug 1546881 - Fix OOM causing realloc to wrong arena r=sfink
author: Chris Martin <cmartin@mozilla.com>
date: Tue, 30 Apr 2019 15:37:45 +0000
changeset: 530823 b081558961139b81c626b6d37055d4c60204a013
parent: 530822 eabc25a9ff765345ca75887af521696951da6694
child: 530824 dc66462519e1960df71a10d3df05b4db2e84e279
push id: 11265
push user: ffxbld-merge
push date: Mon, 13 May 2019 10:53:39 +0000
treeherder: mozilla-beta@77e0fe8dbdd3
reviewers: sfink
bugs: 1546881, 1052579
milestone: 68.0a1
first release with: nightly linux32, nightly linux64, nightly mac, nightly win32, nightly win64
last release without: nightly linux32, nightly linux64, nightly mac, nightly win32, nightly win64
Bug 1546881 - Fix OOM causing realloc to wrong arena r=sfink

Bug 1052579 introduced a new mozjemalloc arena for JSString char buffers. Unfortunately, my testing missed the case where JSStringBuilder causes an OOM condition, causing the OOM handler to realloc to the default arena, regardless of what arena is actually indicated by the AllocPolicy for the char vector.

The realloc now passes the arena from the AllocPolicy to mozjemalloc.

Differential Revision: https://phabricator.services.mozilla.com/D29092
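As an added illustration of the failure the commit message describes (example code written for this page, not Mozilla's or mozjemalloc's; `ArenaHeap`, `onOutOfMemory`, `growBuffer`, `runScenario` and the arena ids are hypothetical stand-ins): a toy arena-tagged heap in which an OOM-handler retry that drops the arena parameter silently migrates a string buffer into the default arena. The migration is invisible to the caller, which still holds a valid pointer, and only surfaces later as a cross-arena free when the owner releases the block through its own arena.

```cpp
// Added example (not Mozilla code). Models why the last-chance realloc in an
// OOM handler must target the arena the AllocPolicy asked for.
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <map>

namespace toy {

using ArenaId = unsigned;
constexpr ArenaId kDefaultArena = 0;   // what a plain js_realloc-style call uses
constexpr ArenaId kStringArena  = 1;   // dedicated arena for string char buffers

// Minimal arena-tagged heap. Unlike mozjemalloc it does not segregate memory;
// it only records which arena each live block was requested from, so that a
// block ending up in the wrong arena becomes observable.
class ArenaHeap {
 public:
  void* malloc(ArenaId arena, size_t n) {
    if (consumeFailure()) return nullptr;
    void* p = std::malloc(n);
    if (p) live_[p] = arena;
    return p;
  }

  void* realloc(ArenaId arena, void* p, size_t n) {
    if (consumeFailure()) return nullptr;   // simulated OOM; p stays valid
    void* q = std::realloc(p, n);
    if (!q) return nullptr;                  // real OOM; p stays valid
    if (p) live_.erase(p);                   // p is only used as a map key here
    live_[q] = arena;                        // the retried block carries the caller's arena
    return q;
  }

  // Frees must come from the arena the block belongs to; count violations.
  void free(ArenaId arena, void* p) {
    if (!p) return;
    auto it = live_.find(p);
    assert(it != live_.end());
    if (it->second != arena) crossArenaFrees_++;
    live_.erase(it);
    std::free(p);
  }

  void failNextAlloc() { failNext_ = true; }   // force the OOM-handler path once
  unsigned crossArenaFrees() const { return crossArenaFrees_; }

 private:
  bool consumeFailure() { bool f = failNext_; failNext_ = false; return f; }
  std::map<void*, ArenaId> live_;
  bool failNext_ = false;
  unsigned crossArenaFrees_ = 0;
};

// Stand-in for JSRuntime::onOutOfMemory's Realloc arm. `buggy` reproduces the
// pre-patch behaviour, where the retry ignored `arena` and used the default.
void* onOutOfMemory(ArenaHeap& heap, ArenaId arena, void* p, size_t n, bool buggy) {
  return buggy ? heap.realloc(kDefaultArena, p, n)
               : heap.realloc(arena, p, n);
}

// Stand-in for AllocPolicy-driven vector growth: try the arena realloc, then
// fall back to the OOM handler with the same arena.
void* growBuffer(ArenaHeap& heap, ArenaId arena, void* p, size_t n, bool buggy) {
  if (void* q = heap.realloc(arena, p, n)) return q;
  return onOutOfMemory(heap, arena, p, n, buggy);
}

// The scenario from the commit message: a string buffer grows, the first
// realloc fails, the OOM handler retries, the owner later frees through its
// own arena. Returns the number of cross-arena frees observed (0 = correct).
unsigned runScenario(bool buggy) {
  ArenaHeap heap;
  void* buf = heap.malloc(kStringArena, 16);
  assert(buf);
  heap.failNextAlloc();                        // OOM on the grow
  buf = growBuffer(heap, kStringArena, buf, 64, buggy);
  assert(buf);                                 // caller sees success either way
  heap.free(kStringArena, buf);
  return heap.crossArenaFrees();
}

}  // namespace toy

int main() {
  std::printf("pre-patch handler: %u cross-arena free(s)\n", toy::runScenario(true));
  std::printf("patched handler:   %u cross-arena free(s)\n", toy::runScenario(false));
  return 0;
}
```

The point of the `assert(buf)` after the retry is that the buggy path does not fail loudly: the allocation succeeds, the pointer is valid, and only the arena bookkeeping is wrong, which is exactly the kind of defect an OOM-only code path hides from ordinary testing.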
js/src/vm/Runtime.cpp
--- a/js/src/vm/Runtime.cpp
+++ b/js/src/vm/Runtime.cpp
@@ -704,17 +704,17 @@ JS_FRIEND_API void* JSRuntime::onOutOfMe
     switch (allocFunc) {
       case AllocFunction::Malloc:
         p = js_arena_malloc(arena, nbytes);
         break;
       case AllocFunction::Calloc:
         p = js_arena_calloc(arena, nbytes, 1);
         break;
       case AllocFunction::Realloc:
-        p = js_realloc(reallocPtr, nbytes);
+        p = js_arena_realloc(arena, reallocPtr, nbytes);
         break;
       default:
         MOZ_CRASH();
     }
     if (p) {
       return p;
     }
   }
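Review bot: The Realloc arm now routes through `arena` like the Malloc and Calloc arms, but the fix is only as good as the `arena` value each caller hands to onOutOfMemory, and the commit message states this OOM path was missed in testing; it is worth confirming that every AllocPolicy that reaches this switch with `AllocFunction::Realloc` forwards its own arena rather than a default, and adding a regression test that forces an allocation failure while a string buffer grows and checks the retried block still belongs to the string arena. Minor: a one-line comment above the switch saying that `arena` must be the AllocPolicy's arena for all three arms would document the invariant this bug violated, since nothing in the hunk otherwise signals that `js_realloc(reallocPtr, nbytes)` was wrong here.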