Bug 1263879 - Check the return value of AtomizeString in str_replace_string_raw. r=h4writer
authorTooru Fujisawa <arai_a@mac.com>
Thu, 14 Apr 2016 16:41:37 +0900
changeset 331112 c70372e8bd86cfb1c568a20448f88ce88f3c98e9
parent 331111 6f330fed23146feb54337db0ea94780be788bfc2
child 331113 c77b965d8c74749ddc17f3c5744c950c64df3a3a
reviewersh4writer
bugs1263879
milestone48.0a1
Bug 1263879 - Check the return value of AtomizeString in str_replace_string_raw. r=h4writer
js/src/jit-test/tests/auto-regress/bug1263879.js
js/src/jsstr.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1263879.js
@@ -0,0 +1,21 @@
+if (!('oomTest' in this))
+    quit();
+
+var lines = `
+
+
+
+"".replace([[2], 3])
+`.split('\n');
+var code = "";
+while (true) {
+    var line = lines.shift();
+    if (line == null)
+        break;
+    loadFile();
+    code += line + "\n";
+}
+loadFile(code);
+function loadFile(code) {
+    oomTest(() => eval(code));
+}
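Review bot: Inside the `while` loop `loadFile()` is called with no argument, so its `eval(code)` evaluates `undefined` and exercises nothing; only the final `loadFile(code)` after the loop actually reaches the `"".replace([[2], 3])` call under oomTest. If this is reduced fuzzer output kept verbatim that is acceptable, but a reader will assume the loop is meant to test each prefix, in which case the call should be `loadFile(code);`. A one-line header comment would also help, e.g. `// Regression test for bug 1263879: OOM during AtomizeString in str_replace_string_raw must not crash.`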
--- a/js/src/jsstr.cpp
+++ b/js/src/jsstr.cpp
@@ -2304,16 +2304,19 @@ JSString*
 js::str_replace_string_raw(JSContext* cx, HandleString string, HandleString pattern,
                            HandleString replacement)
 {
     RootedLinearString repl(cx, replacement->ensureLinear(cx));
     if (!repl)
         return nullptr;
 
     RootedAtom pat(cx, AtomizeString(cx, pattern));
+    if (!pat)
+        return nullptr;
+
     size_t patternLength = pat->length();
     int32_t match;
     uint32_t dollarIndex;
 
     {
         AutoCheckCannotGC nogc;
         dollarIndex = repl->hasLatin1Chars()
                       ? FindDollarIndex(repl->latin1Chars(nogc), repl->length())
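Review bot: The added `if (!pat) return nullptr;` is the right fix for the unchecked `AtomizeString` result that was dereferenced at `pat->length()`, but nothing in the hunk says why the atomization can fail; a short comment would keep the next reader from "simplifying" it away: `// AtomizeString can fail (the regression test triggers it via oomTest); bail out rather than dereference pat below.` The same early-return shape is already used for `ensureLinear` two lines above, so the style is consistent. Whether other `AtomizeString` callers in jsstr.cpp share the same missing check is not visible here and is worth a grep. `str_replace_string_raw` continues past the end of the hunk, so the later uses of `pat` and `match` were not reviewed.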