Bug 1493627 part 3 - Use AutoEnterOOMUnsafeRegion in js::RemapWrapper. r=jonco
authorJan de Mooij <jdemooij@mozilla.com>
Mon, 22 Oct 2018 15:26:32 +0000
changeset 490881 72ce1b22eee8336b6c1b60221696a1e01cc2dc39
parent 490880 9697472e6ab7298445ae8f169fe7b1ca5b247f11
child 490882 c29048279fcc7ffa7785a17b3afaf7b97e915c72
push id247
push userfmarier@mozilla.com
push dateSat, 27 Oct 2018 01:06:44 +0000
reviewersjonco
bugs1493627
milestone65.0a1
Bug 1493627 part 3 - Use AutoEnterOOMUnsafeRegion in js::RemapWrapper. r=jonco Depends on D9254 Differential Revision: https://phabricator.services.mozilla.com/D9255
js/src/jit-test/tests/basic/bug1493627.js
js/src/proxy/CrossCompartmentWrapper.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1493627.js
@@ -0,0 +1,4 @@
+// |jit-test| skip-if: !('stackTest' in this)
+stackTest(function() {
+    eval(`var g = newGlobal(); recomputeWrappers(this, g);`);
+});
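Review bot: The test has no comment saying what it guards, and the body gives little away: it only calls `recomputeWrappers(this, g)` under `stackTest`. A leading line such as `// Bug 1493627: recomputeWrappers under stackTest must not hit the crash in js::RemapWrapper.` (adjust it if the intent differs) would let a later reader tie a failure back to the wrapper-remapping path. The `eval` wrapping also looks deliberate but is unexplained; if it is needed to reproduce the failure, the same comment should say so.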
--- a/js/src/proxy/CrossCompartmentWrapper.cpp
+++ b/js/src/proxy/CrossCompartmentWrapper.cpp
@@ -642,18 +642,19 @@ js::RemapWrapper(JSContext* cx, JSObject
     // now use nonCCWRealm.
     Realm* wrealm = wobj->nonCCWRealm();
 
     // First, we wrap it in the new compartment. We try to use the existing
     // wrapper, |wobj|, since it's been nuked anyway. The wrap() function has
     // the choice to reuse |wobj| or not.
     RootedObject tobj(cx, newTarget);
     AutoRealmUnchecked ar(cx, wrealm);
+    AutoEnterOOMUnsafeRegion oomUnsafe;
     if (!wcompartment->rewrap(cx, &tobj, wobj)) {
-        MOZ_CRASH();
+        oomUnsafe.crash("js::RemapWrapper");
     }
 
     // If wrap() reused |wobj|, it will have overwritten it and returned with
     // |tobj == wobj|. Otherwise, |tobj| will point to a new wrapper and |wobj|
     // will still be nuked. In the latter case, we replace |wobj| with the
     // contents of the new wrapper in |tobj|.
     if (tobj != wobj) {
         // Now, because we need to maintain object identity, we do a brain
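Review bot: Both failure paths now report the same reason string, `"js::RemapWrapper"`, so a crash report cannot tell a failed `rewrap` here from a failed `putWrapper` in the next hunk. Distinct reasons such as `oomUnsafe.crash("js::RemapWrapper: rewrap");` and `oomUnsafe.crash("js::RemapWrapper: putWrapper");` would make triage direct. The `oomUnsafe` guard is declared at function scope, so it also covers the code between the two hunks (the swap that begins at `if (tobj != wobj)`), which is not visible here. A one-line comment at the declaration could state why failure is fatal at this point (the existing comment says the old wrapper has already been nuked) and so confirm the wide scope is intended. If `rewrap` can fail for reasons other than allocation failure, attributing the crash to OOM may mislead, which is worth confirming; RemapWrapper itself starts before this hunk.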
@@ -665,17 +666,17 @@ js::RemapWrapper(JSContext* cx, JSObject
     // Before swapping, this wrapper came out of wrap(), which enforces the
     // invariant that the wrapper in the map points directly to the key.
     MOZ_ASSERT(Wrapper::wrappedObject(wobj) == newTarget);
 
     // Update the entry in the compartment's wrapper map to point to the old
     // wrapper, which has now been updated (via reuse or swap).
     MOZ_ASSERT(wobj->is<WrapperObject>());
     if (!wcompartment->putWrapper(cx, CrossCompartmentKey(newTarget), ObjectValue(*wobj))) {
-        MOZ_CRASH();
+        oomUnsafe.crash("js::RemapWrapper");
     }
 }
 
 // Remap all cross-compartment wrappers pointing to |oldTarget| to point to
 // |newTarget|. All wrappers are recomputed.
 JS_FRIEND_API(bool)
 js::RemapAllWrappersForObject(JSContext* cx, JSObject* oldTargetArg,
                               JSObject* newTargetArg)