Bug 978802 - Crash in argumentsOptimizationFailed() if we run out of memory r=jandem

2015-10-08 10:49:49 +01:00 · 2015-10-08 10:49:49 +01:00 · 0ae0f8e41a
--- a/js/src/jit-test/tests/baseline/bug847425.js
+++ b/js/src/jit-test/tests/baseline/bug847425.js
@ -1,4 +1,4 @@
-// |jit-test| allow-oom
+// |jit-test| allow-oom; allow-unhandlable-oom
 gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
 var max = 400;
 function f(b) {
--- a/js/src/jit-test/tests/gc/bug-978802.js
+++ b/js/src/jit-test/tests/gc/bug-978802.js
@ -0,0 +1,17 @@
+load(libdir + 'oomTest.js');
+
+oomTest(() => {
+    try {
+        var max = 400;
+        function f(b) {
+            if (b) {
+                f(b - 1);
+            } else {
+                g = {};
+            }
+            g.apply(null, arguments);
+        }
+        f(max - 1);
+    } catch(exc0) {}
+    f();
+});
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@ -4027,17 +4027,11 @@ JSScript::argumentsOptimizationFailed(JSContext* cx, HandleScript script)
            continue;
        AbstractFramePtr frame = i.abstractFramePtr();
        if (frame.isFunctionFrame() && frame.script() == script) {
+            /* We crash on OOM since cleaning up here would be complicated. */
+            AutoEnterOOMUnsafeRegion oomUnsafe;
            ArgumentsObject* argsobj = ArgumentsObject::createExpected(cx, frame);
-            if (!argsobj) {
-                /*
-                 * We can't leave stack frames with script->needsArgsObj but no
-                 * arguments object. It is, however, safe to leave frames with
-                 * an arguments object but !script->needsArgsObj.
-                 */
-                script->needsArgsObj_ = false;
-                return false;
-            }
-
+            if (!argsobj)
+                oomUnsafe.crash("JSScript::argumentsOptimizationFailed");
            SetFrameArgumentsObject(cx, frame, script, argsobj);
        }
    }