Bug 1498458 - Properly report OOM on failure to allocate ArrayBuffer contents for a fresh ArrayBuffer that can't fit in inline storage. r=nbp
☠☠ backed out by 3ee73bef9537 ☠ ☠
authorJeff Walden <jwalden@mit.edu>
Thu, 11 Oct 2018 20:32:11 -0700
changeset 496835 f7c32e7abf7293b99c6d1941af6e15ebc3119d5c
parent 496834 acd510f0152a9c4624fafa7eceda552be1a6c376
child 496836 22f5c9171d258adadc703aca664bbca476fa441a
push id9984
push userffxbld-merge
push dateMon, 15 Oct 2018 21:07:35 +0000
reviewersnbp
bugs1498458
milestone64.0a1
Bug 1498458 - Properly report OOM on failure to allocate ArrayBuffer contents for a fresh ArrayBuffer that can't fit in inline storage. r=nbp
js/src/jit-test/tests/typedarray/oom-allocating-arraybuffer-contents.js
js/src/vm/ArrayBufferObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/typedarray/oom-allocating-arraybuffer-contents.js
@@ -0,0 +1,8 @@
+// |jit-test| skip-if: !('oomTest' in this)
+
+oomTest(function test() {
+  // The original missing OOM check was after failure to allocate ArrayBuffer
+  // contents, in the ctor call -- the particular operations after that aren't
+  // important.
+  new Uint8ClampedArray(256).toLocaleString('hi');
+});
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -458,18 +458,17 @@ ArrayBufferObject::class_constructor(JSC
     }
     args.rval().setObject(*bufobj);
     return true;
 }
 
 static ArrayBufferObject::BufferContents
 AllocateArrayBufferContents(JSContext* cx, uint32_t nbytes)
 {
-    uint8_t* p = cx->pod_callocCanGC<uint8_t>(nbytes,
-                                                      js::ArrayBufferContentsArena);
+    uint8_t* p = cx->pod_callocCanGC<uint8_t>(nbytes, js::ArrayBufferContentsArena);
     return ArrayBufferObject::BufferContents::create<ArrayBufferObject::PLAIN>(p);
 }
 
 static void
 NoteViewBufferWasDetached(ArrayBufferViewObject* view,
                           ArrayBufferObject::BufferContents newContents,
                           JSContext* cx)
 {
@@ -1245,16 +1244,17 @@ ArrayBufferObject::create(JSContext* cx,
         if (nbytes <= usableSlots * sizeof(Value)) {
             int newSlots = JS_HOWMANY(nbytes, sizeof(Value));
             MOZ_ASSERT(int(nbytes) <= newSlots * int(sizeof(Value)));
             nslots = reservedSlots + newSlots;
             contents = BufferContents::createPlain(nullptr);
         } else {
             contents = AllocateArrayBufferContents(cx, nbytes);
             if (!contents) {
+                ReportOutOfMemory(cx);
                 return nullptr;
             }
             allocated = true;
         }
     }
 
     MOZ_ASSERT(!(class_.flags & JSCLASS_HAS_PRIVATE));
     gc::AllocKind allocKind = gc::GetGCObjectKind(nslots);
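Review bot: The `ReportOutOfMemory(cx)` added after the failed `AllocateArrayBufferContents` call is right only if `pod_callocCanGC` does not already report on exhaustion; the `CanGC` allocator variants hand a failed allocation to the runtime's out-of-memory hook, and if that hook reports after its last-ditch retry, this path now reports twice — worth confirming before landing, since the changeset header shows this revision was later backed out. If a report is needed here, the hunk at L45-64 shows `AllocateArrayBufferContents` is a thin wrapper, so placing the report there would cover every caller instead of only this one: `if (!p) { ReportOutOfMemory(cx); }` before the `BufferContents::create` call. A short comment on the new line would also help a reader who does not know the allocator's contract, e.g. `// pod_callocCanGC does not report; callers must.` once that is verified. `ArrayBufferObject::create` begins before and continues after this hunk.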