Bug 1263857 - Initialize the slots of the match result object before creating properties in generateRegExpMatcherStub. r=h4writer
authorTooru Fujisawa <arai_a@mac.com>
Thu, 14 Apr 2016 16:41:37 +0900
changeset 331113 c77b965d8c74749ddc17f3c5744c950c64df3a3a
parent 331112 c70372e8bd86cfb1c568a20448f88ce88f3c98e9
child 331114 18ba8acba7902115a6f897d7d22b1cc33cb56008
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
reviewersh4writer
bugs1263857
milestone48.0a1
Bug 1263857 - Initialize the slots of the match result object before creating properties in generateRegExpMatcherStub. r=h4writer
js/src/jit-test/tests/auto-regress/bug1263857.js
js/src/jit/CodeGenerator.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1263857.js
@@ -0,0 +1,4 @@
+// |jit-test| allow-oom; allow-unhandlable-oom
+gcparam("maxBytes", gcparam("gcBytes") + 1);
+fullcompartmentchecks(true);
+/x/g[Symbol.replace]("        x".repeat(32768), "");
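Review bot: The regression test has no observable assertion; it passes only if the engine does not crash under `fullcompartmentchecks(true)` while the match-result object is built near the GC limit set on the previous line, and nothing in the file tells a reader that. A one-line comment after the jit-test header, such as `// Regression test: a GC triggered while properties were added to the match result object must not see uninitialized slots.`, would make the intended failure mode explicit. The allow-oom / allow-unhandlable-oom flags presumably exist because the tight maxBytes budget can also fail in other allocation paths; worth stating if that is the case.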
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -1557,16 +1557,21 @@ JitCompartment::generateRegExpMatcherStu
     }
 
     // Construct the result.
     Register object = temp1;
     Label matchResultFallback, matchResultJoin;
     masm.createGCObject(object, temp2, templateObject, gc::DefaultHeap, &matchResultFallback);
     masm.bind(&matchResultJoin);
 
+    // Initialize slots of result object.
+    masm.loadPtr(Address(object, NativeObject::offsetOfSlots()), temp2);
+    masm.storeValue(templateObject->getSlot(0), Address(temp2, 0));
+    masm.storeValue(templateObject->getSlot(1), Address(temp2, sizeof(Value)));
+
     size_t elementsOffset = NativeObject::offsetOfFixedElements();
 
 #ifdef DEBUG
     // Assert the initial value of initializedLength and length to make sure
     // restoration on failure case works.
     {
         Label initLengthOK, lengthOK;
         masm.branch32(Assembler::Equal,
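Review bot: The two storeValue calls added after the loadPtr hard-code a slot layout of exactly two dynamic slots at offsets 0 and sizeof(Value), but nothing in the hunk checks that templateObject has that shape; if the match-result template ever gains a fixed slot or a third slot, the stub silently initializes the wrong storage and leaves a slot holding garbage for the GC to trace, which is the class of bug this commit fixes. A debug assertion next to the loadPtr, e.g. `MOZ_ASSERT(templateObject->numFixedSlots() == 0 && templateObject->numDynamicSlots() == 2);` (accessor names to be confirmed against NativeObject), would pin that assumption at stub-generation time. The new comment should also say why the placement matters, since the ordering is the whole fix: `// Initialize slots of result object before creating properties, so a GC that runs while properties are added never sees uninitialized slot values.` generateRegExpMatcherStub begins and ends outside this hunk, so I could not verify whether the values copied from the template's slots are GC-safe constants; if they can be heap pointers, the stub embeds them and the template must stay alive for the stub's lifetime.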