Bug 1515816 - Fix missing OOM check in ReadableStreamCreateReadResult. r=arai, a=RyanVM
authorJason Orendorff <jorendorff@mozilla.com>
Wed, 16 Jan 2019 00:34:24 +0000
changeset 506750 c789ccba525f0ce9b30faba06177d1ff9fb35042
parent 506749 c4fa46cb691840b0ab6fea2eb8ac5aa00565d7fe
child 506751 2ea881a24d05154d0a048e06045f5b5e5ba08481
push id10533
push userryanvm@gmail.com
push dateWed, 16 Jan 2019 19:14:07 +0000
treeherdermozilla-beta@86f5a024cd49 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersarai, RyanVM
bugs1515816
milestone65.0
Bug 1515816 - Fix missing OOM check in ReadableStreamCreateReadResult. r=arai, a=RyanVM Differential Revision: https://phabricator.services.mozilla.com/D16361
js/src/builtin/Stream.cpp
js/src/jit-test/tests/stream/bug-1515816.js
--- a/js/src/builtin/Stream.cpp
+++ b/js/src/builtin/Stream.cpp
@@ -1525,16 +1525,19 @@ static MOZ_MUST_USE JSObject* ReadableSt
   // Step 1: Let prototype be null.
   // Step 2: If forAuthorCode is true, set prototype to %ObjectPrototype%.
   RootedObject templateObject(
       cx,
       forAuthorCode == ForAuthorCodeBool::Yes
           ? cx->realm()->getOrCreateIterResultTemplateObject(cx)
           : cx->realm()->getOrCreateIterResultWithoutPrototypeTemplateObject(
                 cx));
+  if (!templateObject) {
+    return nullptr;
+  }
 
   // Step 3: Assert: Type(done) is Boolean (implicit).
 
   // Step 4: Let obj be ObjectCreate(prototype).
   NativeObject* obj;
   JS_TRY_VAR_OR_RETURN_NULL(
       cx, obj,
       NativeObject::createWithTemplate(cx, gc::DefaultHeap, templateObject));
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/stream/bug-1515816.js
@@ -0,0 +1,17 @@
+// |jit-test| --no-ion; --no-baseline; skip-if: !('oomAfterAllocations' in this)
+// Don't crash on OOM in ReadableStreamDefaultReader.prototype.read().
+
+for (let n = 1; n < 1000; n++) {
+  let stream = new ReadableStream({
+    start(controller) {
+      controller.enqueue(7);
+    }
+  });
+  let reader = stream.getReader();
+  oomAfterAllocations(n);
+  try {
+    reader.read();
+    n = 1000;
+  } catch {}
+  resetOOMFailure();
+}