Bug 1305948 - Fix OOM bug in TypedArrayObject::GetTemplateObjectForNative. r=smvv, a=ritu
authorJan de Mooij <jdemooij@mozilla.com>
Fri, 30 Sep 2016 12:06:15 +0200
changeset 350559 f599f4e3d84fe2f99c7c0995f224152ebdb87a34
parent 350558 2b1c242aecce48db247440f44525c2e89020c352
child 350560 1deb126ed5bb1f9bc4b67867c0ca120c4ce788ae
push id1230
push userjlund@mozilla.com
push dateMon, 31 Oct 2016 18:13:35 +0000
reviewerssmvv, ritu
bugs1305948
milestone50.0
Bug 1305948 - Fix OOM bug in TypedArrayObject::GetTemplateObjectForNative. r=smvv, a=ritu
js/src/jit/BaselineIC.cpp
js/src/vm/TypedArrayObject.cpp
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -5499,18 +5499,20 @@ GetTemplateObjectForNative(JSContext* cx
             if (!res)
                 return false;
             return true;
         }
     }
 
     if (args.length() == 1 && args[0].isInt32() && args[0].toInt32() >= 0) {
         uint32_t len = args[0].toInt32();
-        if (TypedArrayObject::GetTemplateObjectForNative(cx, native, len, res))
-            return !!res;
+        if (!TypedArrayObject::GetTemplateObjectForNative(cx, native, len, res))
+            return false;
+        if (res)
+            return true;
     }
 
     if (native == js::array_slice) {
         if (args.thisv().isObject()) {
             JSObject* obj = &args.thisv().toObject();
             if (!obj->isSingleton()) {
                 if (obj->group()->maybePreliminaryObjects()) {
                     *skipAttach = true;
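Review bot: The new code on the `if (!TypedArrayObject::GetTemplateObjectForNative(...))` lines now relies on a three-way outcome (false = failure such as OOM, true with null `res` = no template, true with non-null `res` = template found) that is not stated anywhere in the hunk, and the earlier branch at the top of the hunk uses a different convention (`if (!res) return false;`), so the two are easy to confuse in later edits. I would add a short comment above the call: `// A false return means an exception (e.g. OOM) is pending; a true return with res == nullptr means this native has no typed array template, so keep looking.` The enclosing GetTemplateObjectForNative in BaselineIC.cpp starts before and continues after this hunk, so I cannot see how the caller distinguishes the two true cases beyond the fall-through to the array_slice check here.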
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -1255,17 +1255,17 @@ TypedArrayObject::GetTemplateObjectForNa
         \
         if (nbytes < TypedArrayObject::SINGLETON_BYTE_LENGTH) { \
             res.set(TypedArrayObjectTemplate<T>::makeTemplateObject(cx, len)); \
             return !!res; \
         } \
     }
 JS_FOR_EACH_TYPED_ARRAY(CHECK_TYPED_ARRAY_CONSTRUCTOR)
 #undef CHECK_TYPED_ARRAY_CONSTRUCTOR
-    return false;
+    return true;
 }
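Review bot: The changed final `return true;` and the unchanged `return !!res;` inside the CHECK_TYPED_ARRAY_CONSTRUCTOR macro together define the function's contract (false only when makeTemplateObject failed, true otherwise with `res` possibly left unset), but nothing in the hunk documents it, and the previous version's `return false;` shows how easily the two meanings get conflated. I would add a comment on the macro line: `// makeTemplateObject returning null means an exception is pending, so propagate failure; reaching the end means no constructor matched, which is not an error.` The function's signature, its `nbytes` computation and any initial reset of `res` are above this hunk, so whether callers must pre-initialize `res` to null is not visible here and should be confirmed in the header comment.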
 
 /*
  * These next 3 functions are brought to you by the buggy GCC we use to build
  * B2G ICS. Older GCC versions have a bug in which they fail to compile
  * reinterpret_casts of templated functions with the message: "insufficient
  * contextual information to determine type". JS_PSG needs to
  * reinterpret_cast<JSGetterOp>, so this causes problems for us here.