Bug 948647, part 1 - Make sure exn_finalize is safe when the object's reserved slot was never initialized (due to OOM right after it was allocated). r=Waldo.
authorJason Orendorff <jorendorff@mozilla.com>
Mon, 16 Dec 2013 06:03:15 -0600
changeset 177666 9d152bc73ecefbe7eb6095b0b25dbdcab7e36a98
parent 177665 0e9e2d0e72c3d883f46e1a276e69b29b42f0ba67
child 177667 e8e93efa64af3c4d6f9e0e2f1704c5865b99fb6c
push id462
push userraliiev@mozilla.com
push dateTue, 22 Apr 2014 00:22:30 +0000
reviewersWaldo
bugs948647
milestone29.0a1
Bug 948647, part 1 - Make sure exn_finalize is safe when the object's reserved slot was never initialized (due to OOM right after it was allocated). r=Waldo.
js/src/vm/ErrorObject.h
--- a/js/src/vm/ErrorObject.h
+++ b/js/src/vm/ErrorObject.h
@@ -72,18 +72,20 @@ class ErrorObject : public JSObject
            uint32_t lineNumber, uint32_t columnNumber, ScopedJSFreePtr<JSErrorReport> *report,
            HandleString message);
 
     JSExnType type() const {
         return JSExnType(getReservedSlot(EXNTYPE_SLOT).toInt32());
     }
 
     JSErrorReport * getErrorReport() const {
-        void *priv = getReservedSlot(ERROR_REPORT_SLOT).toPrivate();
-        return static_cast<JSErrorReport*>(priv);
+        const Value &slot = getReservedSlot(ERROR_REPORT_SLOT);
+        if (slot.isUndefined())
+            return nullptr;
+        return static_cast<JSErrorReport*>(slot.toPrivate());
     }
 
     JSString * fileName() const {
         return getReservedSlot(FILENAME_SLOT).toString();
     }
 
     uint32_t lineNumber() const {
         return getReservedSlot(LINENUMBER_SLOT).toInt32();
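Review bot: getErrorReport() can now return nullptr, but nothing on the accessor says so, and any caller that dereferences the result without a check would turn the OOM case into a null dereference. I would add a comment above it such as `// Returns nullptr if ERROR_REPORT_SLOT was never initialized (e.g. OOM right after allocation); callers must null-check.` The neighbouring accessors in this hunk, type(), fileName() and lineNumber(), still call toInt32()/toString() on their reserved slots unconditionally. That is fine if only the finalizer can ever observe a half-initialized ErrorObject, which is presumably the case but is not visible here. If any other path can reach such an object, unwrapping an undefined slot would be a type confusion wherever the Value type assertions are compiled out, so the "only the finalizer sees it" invariant is worth stating in the same comment. The class body starts and ends outside the hunk, so the callers could not be checked from here.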