Bug 1188347 - Properly handle OOM during script cloning. r=jandem

--HG-- extra : rebase_source : f867184b557677ad18d831c0afed40907f4c09a4
2015-09-23 13:07:18 +02:00 · 2015-09-23 13:07:18 +02:00 · 3e91adfbc7
--- a/js/src/jit-test/tests/basic/function-cloning-2.js
+++ b/js/src/jit-test/tests/basic/function-cloning-2.js
@ -0,0 +1,7 @@
+var a = [];
+oomAtAllocation(1);
+try {
+	a.forEach();
+} catch (e) {
+}
+a.forEach(()=>1);
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@ -3489,13 +3489,19 @@ js::CloneScriptIntoFunction(JSContext* cx, HandleObject enclosingScope, HandleFu
        return nullptr;

    dst->setFunction(fun);
-    if (fun->isInterpretedLazy())
+    LazyScript* lazy = nullptr;
+    if (fun->isInterpretedLazy()) {
+        lazy = fun->lazyScriptOrNull();
        fun->setUnlazifiedScript(dst);
-    else
+    } else {
        fun->initScript(dst);
+    }

    if (!detail::CopyScript(cx, fun, src, dst)) {
-        fun->setScript(nullptr);
+        if (lazy)
+            fun->initLazyScript(lazy);
+        else
+            fun->setScript(nullptr);
        return nullptr;
    }

--- a/js/src/vm/SelfHosting.cpp
+++ b/js/src/vm/SelfHosting.cpp
@ -1864,16 +1864,21 @@ JSRuntime::cloneSelfHostedFunctionScript(JSContext* cx, HandlePropertyName name,
    // aren't any.
    MOZ_ASSERT(!sourceFun->isGenerator());
    MOZ_ASSERT(sourceFun->nargs() == targetFun->nargs());
-    // The target function might have been relazified after it's flags changed.
-    targetFun->setFlags((targetFun->flags() & ~JSFunction::INTERPRETED_LAZY) |
-                        sourceFun->flags() | JSFunction::EXTENDED);
    MOZ_ASSERT(targetFun->isExtended());
+    MOZ_ASSERT(targetFun->isInterpretedLazy());
+    MOZ_ASSERT(targetFun->isSelfHostedBuiltin());

    RootedScript sourceScript(cx, sourceFun->getOrCreateScript(cx));
    if (!sourceScript)
        return false;
    MOZ_ASSERT(!sourceScript->enclosingStaticScope());
-    return !!CloneScriptIntoFunction(cx, /* enclosingScope = */ nullptr, targetFun, sourceScript);
+    if (!CloneScriptIntoFunction(cx, /* enclosingScope = */ nullptr, targetFun, sourceScript))
+        return false;
+    MOZ_ASSERT(!targetFun->isInterpretedLazy());
+
+    // The target function might have been relazified after its flags changed.
+    targetFun->setFlags(targetFun->flags() | sourceFun->flags());
+    return true;
 }

 bool