Bug 1549853 - Ignore associations of zero bytes of malloc memory with a GC thing r=sfink?
authorJon Coppeard <jcoppeard@mozilla.com>
Wed, 08 May 2019 17:46:02 +0000
changeset 532027 c84376bb87f13282fb87d9a08a45394c685123f2
parent 532026 7214702e12d20f2848fc186f752904310d6b276b
child 532028 f13164b1e651908978336f84e28c8a5150380565
reviewerssfink
bugs1549853
milestone68.0a1
Bug 1549853 - Ignore associations of zero bytes of malloc memory with a GC thing r=sfink? Differential Revision: https://phabricator.services.mozilla.com/D30355
dom/canvas/crashtests/1549853.html
js/src/jsapi.cpp
new file mode 100644
--- /dev/null
+++ b/dom/canvas/crashtests/1549853.html
@@ -0,0 +1,8 @@
+<canvas id='a' height='67108864' width='80'></canvas>
+<script>
+document.addEventListener("DOMContentLoaded", function() {
+  var c=document.getElementById('a')
+  var x=c.getContext('2d', {alpha: true})
+  c.setAttribute('width', 800)
+})
+</script>
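Review bot: The crashtest gives no hint why `height='67108864'` on line 1 and the later `setAttribute('width', 800)` are the trigger, so a future edit to either value could silently stop exercising the bug. A one-line comment at the top of the file would keep it meaningful, e.g. `<!-- Bug 1549853: oversized canvas whose backing buffer is presumably zero-sized or fails to allocate; resizing it must not trip GC memory-accounting assertions. -->`. The exact failure mode is inferred from the jsapi.cpp change in the same commit rather than visible here, so confirm the wording against the bug before landing.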
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -1151,25 +1151,33 @@ JS_PUBLIC_API void JS_string_free(JSCont
 
 JS_PUBLIC_API void JS_freeop(JSFreeOp* fop, void* p) {
   return FreeOp::get(fop)->free_(p);
 }
 
 JS_PUBLIC_API void JS::AddAssociatedMemory(JSObject* obj, size_t nbytes,
                                            JS::MemoryUse use) {
   MOZ_ASSERT(obj);
+  if (!nbytes) {
+    return;
+  }
+
   Zone* zone = obj->zone();
   zone->updateMallocCounter(nbytes);
   zone->addCellMemory(obj, nbytes, use);
   zone->runtimeFromMainThread()->gc.maybeAllocTriggerZoneGC(zone);
 }
 
 JS_PUBLIC_API void JS::RemoveAssociatedMemory(JSObject* obj, size_t nbytes,
                                               JS::MemoryUse use) {
   MOZ_ASSERT(obj);
+  if (!nbytes) {
+    return;
+  }
+
   obj->zoneFromAnyThread()->removeCellMemory(obj, nbytes, use);
 }
 
 #undef JS_AddRoot
 
 JS_PUBLIC_API bool JS_AddExtraGCRootsTracer(JSContext* cx,
                                             JSTraceDataOp traceOp, void* data) {
   return cx->runtime()->gc.addBlackRootsTracer(traceOp, data);
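Review bot: The two new `if (!nbytes) { return; }` guards in JS::AddAssociatedMemory and JS::RemoveAssociatedMemory carry no comment explaining why a zero-byte association is dropped, so a later reader may see them as redundant and remove one side, which would unbalance add/remove accounting. Suggest a comment above the first guard, `// A zero-byte association is a no-op for memory accounting: skip it so no counter, cell-memory record or GC trigger is touched, and keep RemoveAssociatedMemory symmetric.`, with a short `// Mirror the zero-byte skip in AddAssociatedMemory.` above the second. Note also that the add path uses `obj->zone()` while the remove path uses `obj->zoneFromAnyThread()`; that asymmetry predates this change and appears intentional, but a comment stating which threads may call each would help. JS_AddExtraGCRootsTracer at the end of the hunk continues outside it.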