Bug 1263865 - Check the return value of GetSelfHostedFunction in ArraySpeciesCreate. r=efaust
authorTooru Fujisawa <arai_a@mac.com>
Fri, 22 Apr 2016 10:35:50 +0900
changeset 332300 d9c905c8e1d102de622cbcf17f1e8797f7f5fa7b
parent 332299 53b4512a42b434524730ddf84b6f448e0a0d3c80
child 332301 29debcd8e53a49ae130a3b2954f9e0898b655921
Bug 1263865 - Check the return value of GetSelfHostedFunction in ArraySpeciesCreate. r=efaust
js/src/jit-test/tests/auto-regress/bug1263865.js
js/src/jsarray.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1263865.js
@@ -0,0 +1,12 @@
+if (!('oomTest' in this))
+    quit();
+
+loadFile("");
+loadFile("");
+loadFile("Array.prototype.splice.call(1)");
+function loadFile(lfVarx) {
+    parseInt("1");
+    oomTest(function() {
+        eval(lfVarx);
+    });
+}
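Review bot: The new regression test carries no comment saying what it exercises, so a future maintainer seeing only `oomTest` around `Array.prototype.splice.call(1)` has to rediscover the link to the null-check in ArraySpeciesCreate; a header such as `// Bug 1263865: OOM inside GetSelfHostedFunction must not leave ArraySpeciesCreate with a null callee (test passes when oomTest completes without crashing).` would capture that, since the test asserts nothing itself and presumably relies on oomTest's crash-on-failure signal. The duplicated `loadFile("")` calls and the stray `parseInt("1")` look like fuzzer-reduction residue; if they are needed to reach the exact allocation count that triggers the failure, a short note saying so would stop someone from "cleaning" them away and silently losing the coverage.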
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -926,16 +926,18 @@ IsArraySpecies(JSContext* cx, HandleObje
     return IsSelfHostedFunctionWithName(getter, cx->names().ArraySpecies);
 }
 
 static bool
 ArraySpeciesCreate(JSContext* cx, HandleObject origArray, uint32_t length, MutableHandleObject arr)
 {
     RootedId createId(cx, NameToId(cx->names().ArraySpeciesCreate));
     RootedFunction create(cx, JS::GetSelfHostedFunction(cx, "ArraySpeciesCreate", createId, 2));
+    if (!create)
+        return false;
 
     FixedInvokeArgs<2> args(cx);
 
     args[0].setObject(*origArray);
     args[1].set(NumberValue(length));
 
     RootedValue callee(cx, ObjectValue(*create));
     RootedValue rval(cx);
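Review bot: The added `if (!create) return false;` at the top of ArraySpeciesCreate gives no hint why a null result is possible or who reported the error, so a reader may mistake it for a silent failure rather than error propagation; a one-line comment such as `// Can fail under OOM (error already reported); propagate to the caller.` would make the contract explicit. Whether JS::GetSelfHostedFunction always sets a pending exception before returning null is not visible in this hunk and should be confirmed against its definition — if it can return null without reporting, callers would see a false return with nothing pending. The body of ArraySpeciesCreate continues past the end of the hunk, so the subsequent use of `callee`/`rval` was not reviewed here.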