Bug 1467753 - Don't leak freshly-allocated, copied string chars in CopyStringPure when OOM happens allocating the JSString* that will adopt them. r=anba
authorJeff Walden <jwalden@mit.edu>
Mon, 18 Jun 2018 11:54:44 -0700
changeset 479648 9fcf87cdfb395004c885f581b59dcd1999316c9a
parent 479647 7a56278c7b7849359567d9dca06abc4ddef42c63
child 479649 d8eb78d6b65d8583281f22d84b5bc82a7c05ef98
reviewersanba
bugs1467753
milestone62.0a1
Bug 1467753 - Don't leak freshly-allocated, copied string chars in CopyStringPure when OOM happens allocating the JSString* that will adopt them. r=anba
js/src/vm/Compartment.cpp
--- a/js/src/vm/Compartment.cpp
+++ b/js/src/vm/Compartment.cpp
@@ -126,24 +126,32 @@ CopyStringPure(JSContext* cx, JSString* 
                : NewStringCopyNDontDeflate<CanGC>(cx, chars.twoByteRange().begin().get(), len);
     }
 
     if (str->hasLatin1Chars()) {
         ScopedJSFreePtr<Latin1Char> copiedChars;
         if (!str->asRope().copyLatin1CharsZ(cx, copiedChars))
             return nullptr;
 
-        return NewString<CanGC>(cx, copiedChars.forget(), len);
+        auto* rawCopiedChars = copiedChars.forget();
+        auto* result = NewString<CanGC>(cx, rawCopiedChars, len);
+        if (!result)
+            js_free(rawCopiedChars);
+        return result;
     }
 
     ScopedJSFreePtr<char16_t> copiedChars;
     if (!str->asRope().copyTwoByteCharsZ(cx, copiedChars))
         return nullptr;
 
-    return NewStringDontDeflate<CanGC>(cx, copiedChars.forget(), len);
+    auto* rawCopiedChars = copiedChars.forget();
+    auto* result = NewStringDontDeflate<CanGC>(cx, rawCopiedChars, len);
+    if (!result)
+        js_free(rawCopiedChars);
+    return result;
 }
 
 bool
 Compartment::wrap(JSContext* cx, MutableHandleString strp)
 {
     MOZ_ASSERT(cx->compartment() == this);
 
     /* If the string is already in this compartment, we are done. */
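Review bot: Both fixed sites (the Latin1 branch and the two-byte tail of CopyStringPure) release the buffer by hand after `forget()`, which inverts the RAII the ScopedJSFreePtr was there for: any early return added between `forget()` and the `js_free` later would reintroduce exactly this leak. The same effect is had by keeping ownership in the scoped pointer across the allocation and only releasing on success, `auto* result = NewString<CanGC>(cx, copiedChars.get(), len); if (result) copiedChars.forget(); return result;` (and likewise with NewStringDontDeflate for the two-byte case), so the failure path needs no explicit free at all. This relies on NewString/NewStringDontDeflate not freeing the chars themselves on failure, which the commit already assumes — if they did, the added `js_free` would be a double free. CopyStringPure begins before this hunk and Compartment::wrap continues past it, so the earlier NewStringCopyN branch could not be checked here.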