Bug 1667685 - Fix OOM bug in addInlinedChild. r=iain

Differential Revision: https://phabricator.services.mozilla.com/D91570
2020-09-28 16:49:16 +00:00 · 2020-09-28 16:49:16 +00:00 · 1ea2b43146
--- a/js/src/jit-test/tests/warp/bug1667685.js
+++ b/js/src/jit-test/tests/warp/bug1667685.js
@ -0,0 +1,27 @@
+// |jit-test| skip-if: !('oomTest' in this); --fast-warmup
+
+// Prevent slowness with --ion-eager.
+setJitCompilerOption("ion.warmup.trigger", 100);
+
+function h() {
+    return 1;
+}
+function g() {
+    for (var j = 0; j < 10; j++) {
+        h();
+    }
+    trialInline();
+}
+function f() {
+    for (var i = 0; i < 2; i++) {
+        var fun = Function(g.toString() + "g()");
+        try {
+            fun();
+        } catch {}
+        try {
+            fun();
+        } catch {}
+    }
+
+}
+oomTest(f);
--- a/js/src/jit/JitScript.cpp
+++ b/js/src/jit/JitScript.cpp
@ -272,16 +272,25 @@ void ICScript::trace(JSTracer* trc) {
 bool ICScript::addInlinedChild(JSContext* cx, UniquePtr<ICScript> child,
                               uint32_t pcOffset) {
  MOZ_ASSERT(!hasInlinedChild(pcOffset));
+
  if (!inlinedChildren_) {
    inlinedChildren_ = cx->make_unique<Vector<CallSite>>(cx);
    if (!inlinedChildren_) {
      return false;
    }
  }
-  if (!inlinedChildren_->emplaceBack(child.get(), pcOffset)) {
+
+  // First reserve space in inlinedChildren_ to ensure that if the ICScript is
+  // added to the inlining root, it can also be added to inlinedChildren_.
+  CallSite callsite(child.get(), pcOffset);
+  if (!inlinedChildren_->reserve(inlinedChildren_->length() + 1)) {
    return false;
  }
-  return inliningRoot()->addInlinedScript(std::move(child));
+  if (!inliningRoot()->addInlinedScript(std::move(child))) {
+    return false;
+  }
+  inlinedChildren_->infallibleAppend(callsite);
+  return true;
 }

 ICScript* ICScript::findInlinedChild(uint32_t pcOffset) {