Bug 1270278; Handle OOM better in Debugger::onPopCall; r=shu
☠☠ backed out by 1b661134e2ca ☠ ☠
authorTerrence Cole <terrence@mozilla.com>
Fri, 27 May 2016 17:12:08 -0700
changeset 340426 619ef5aac05fa3dadb656fac5352dc712451c109
parent 340425 764ab2ad75e784d0175f6645c1c2fca4816863af
child 340427 577123ff73d3104f3979c123ccfbcc0303a20541
push id1183
push userraliiev@mozilla.com
push dateMon, 05 Sep 2016 20:01:49 +0000
treeherdermozilla-release@3148731bed45 [default view] [failures only]
reviewersshu
bugs1270278
milestone49.0a1
Bug 1270278; Handle OOM better in Debugger::onPopCall; r=shu
js/src/jit-test/tests/debug/bug-1270278.js
js/src/vm/ScopeObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug-1270278.js
@@ -0,0 +1,18 @@
+// |jit-test| allow-oom; --fuzzing-safe
+// Adapted from randomly chosen test: js/src/jit-test/tests/modules/bug-1233915.js
+var i = 100;
+g = newGlobal();
+g.parent = this;
+g.eval("(" + function() {
+    Debugger(parent).onExceptionUnwind = function(frame) frame.eval("");
+} + ")()");
+// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/bug1242840.js
+oomTest(function() {
+    if (--i < 0)
+        return;
+    try {
+        for (x of y);
+    } catch (e) {
+        x
+    }
+})
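Review bot: The test calls `oomTest` unconditionally, but as far as I know that shell function is only defined in builds with OOM simulation, so elsewhere the file would fail with a ReferenceError instead of being skipped. Other jit-tests guard this with `if (!('oomTest' in this)) quit();` near the top. The file also has no assertions, so a header comment such as `// Passes if the shell neither crashes nor asserts when OOM hits while a Debugger-observed frame is popped.` would tell the next reader what a pass means.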
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@@ -2731,18 +2731,20 @@ DebugScopes::onPopCall(AbstractFramePtr 
      */
     if (debugScope) {
         /*
          * Copy all frame values into the snapshot, regardless of
          * aliasing. This unnecessarily includes aliased variables
          * but it simplifies later indexing logic.
          */
         Rooted<GCVector<Value>> vec(cx, GCVector<Value>(cx));
-        if (!frame.copyRawFrameSlots(&vec) || vec.length() == 0)
+        if (!frame.copyRawFrameSlots(&vec) || vec.length() == 0) {
+            cx->recoverFromOutOfMemory();
             return;
+        }
 
         /*
          * Copy in formals that are not aliased via the scope chain
          * but are aliased via the arguments object.
          */
         RootedScript script(cx, frame.script());
         if (script->analyzedArgsUsage() && script->needsArgsObj() && frame.hasArgsObj()) {
             for (unsigned i = 0; i < frame.numFormalArgs(); ++i) {
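Review bot: The added `cx->recoverFromOutOfMemory()` also runs when `copyRawFrameSlots` succeeded and `vec.length() == 0`, which is not an allocation failure. The new jit-test reaches this code through `onExceptionUnwind`, so a pending exception that is not OOM may be present on that branch. If recoverFromOutOfMemory asserts that the pending exception is the OOM one, as I recall but have not confirmed against its definition, the empty-vector path can trip it. Splitting the condition keeps the recovery on the failure path only: `if (!frame.copyRawFrameSlots(&vec)) { cx->recoverFromOutOfMemory(); return; }` followed by `if (vec.length() == 0) return;`. The body of onPopCall starts and ends outside this hunk.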
@@ -2752,17 +2754,17 @@ DebugScopes::onPopCall(AbstractFramePtr 
         }
 
         /*
          * Use a dense array as storage (since proxies do not have trace
          * hooks). This array must not escape into the wild.
          */
         RootedArrayObject snapshot(cx, NewDenseCopiedArray(cx, vec.length(), vec.begin()));
         if (!snapshot) {
-            cx->clearPendingException();
+            cx->recoverFromOutOfMemory();
             return;
         }
 
         debugScope->initSnapshot(*snapshot);
     }
 }
 
 void
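Review bot: The `!snapshot` branch swallows the allocation failure without a comment on why that is acceptable. The bare `return;` shows that onPopCall returns nothing, so the failure cannot be propagated and debugScope is left without a snapshot. A line such as `// OOM cannot be reported from onPopCall; leave debugScope without a snapshot.` above the recover call would record the intent. It is also worth confirming that later reads of the debug scope tolerate a missing snapshot, and that NewDenseCopiedArray cannot fail here for a reason other than OOM. onPopCall begins outside the hunk.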