Bug 1254578 - Fix OOM case when rematerializing frames. (r=jandem)

2016-03-22 16:19:52 -07:00 · 2016-03-22 16:19:52 -07:00 · 0e6d958a14
--- a/js/src/jit-test/tests/debug/bug1254578.js
+++ b/js/src/jit-test/tests/debug/bug1254578.js
@ -0,0 +1,23 @@
+// |jit-test| error:ReferenceError; slow
+
+if (!('oomTest' in this))
+  throw (new ReferenceError);
+
+var g = newGlobal();
+g.debuggeeGlobal = this;
+g.eval("(" + function() {
+    dbg = new Debugger(debuggeeGlobal);
+    dbg.onExceptionUnwind = function(frame, exc) {
+        var s = '!';
+        for (var f = frame; f; f = f.older)
+            debuggeeGlobal.log += s;
+    };
+} + ")();");
+var dbg = new Debugger;
+dbg.onNewGlobalObject = function(global) {
+    get.seen = true;
+};
+oomTest(function() {
+    newGlobal({
+    })
+});
--- a/js/src/jit/RematerializedFrame.cpp
+++ b/js/src/jit/RematerializedFrame.cpp
@ -78,7 +78,8 @@ RematerializedFrame::RematerializeInlineFrames(JSContext* cx, uint8_t* top,
                                               MaybeReadFallback& fallback,
                                               Vector<RematerializedFrame*>& frames)
 {
-    if (!frames.resize(iter.frameCount()))
+    Vector<RematerializedFrame*> tempFrames(cx);
+    if (!tempFrames.resize(iter.frameCount()))
        return false;

    while (true) {
@ -91,13 +92,14 @@ RematerializedFrame::RematerializeInlineFrames(JSContext* cx, uint8_t* top,
                return false;
        }

-        frames[frameNo] = frame;
+        tempFrames[frameNo] = frame;

        if (!iter.more())
            break;
        ++iter;
    }

+    frames = Move(tempFrames);
    return true;
 }