From 3e91adfbc7c5c7821d707229c55889d600b2c653 Mon Sep 17 00:00:00 2001
From: Till Schneidereit
Date: Wed, 23 Sep 2015 13:07:18 +0200
Subject: [PATCH] Bug 1188347 - Properly handle OOM during script cloning. r=jandem
--HG--
extra : rebase_source : f867184b557677ad18d831c0afed40907f4c09a4
---
 js/src/jit-test/tests/basic/function-cloning-2.js | 7 +++++++
 js/src/jsscript.cpp | 12 +++++++++---
 js/src/vm/SelfHosting.cpp | 13 +++++++++----
 3 files changed, 25 insertions(+), 7 deletions(-)
 create mode 100644 js/src/jit-test/tests/basic/function-cloning-2.js
diff --git a/js/src/jit-test/tests/basic/function-cloning-2.js b/js/src/jit-test/tests/basic/function-cloning-2.js
new file mode 100644
index 000000000000..1227628966d4
--- /dev/null
+++ b/js/src/jit-test/tests/basic/function-cloning-2.js
@@ -0,0 +1,7 @@
+var a = [];
+oomAtAllocation(1);
+try {
+ a.forEach();
+} catch (e) {
+}
+a.forEach(()=>1);
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
index 15bd6aa1c996..7aa3c68f3590 100644
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -3489,13 +3489,19 @@ js::CloneScriptIntoFunction(JSContext* cx, HandleObject enclosingScope, HandleFu
 return nullptr;
 dst->setFunction(fun);
- if (fun->isInterpretedLazy())
+ LazyScript* lazy = nullptr;
+ if (fun->isInterpretedLazy()) {
+ lazy = fun->lazyScriptOrNull();
 fun->setUnlazifiedScript(dst);
- else
+ } else {
 fun->initScript(dst);
+ }
 if (!detail::CopyScript(cx, fun, src, dst)) {
- fun->setScript(nullptr);
+ if (lazy)
+ fun->initLazyScript(lazy);
+ else
+ fun->setScript(nullptr);
 return nullptr;
 }
diff --git a/js/src/vm/SelfHosting.cpp b/js/src/vm/SelfHosting.cpp
index 5b78de7b7036..53c16da8a4b5 100644
--- a/js/src/vm/SelfHosting.cpp
+++ b/js/src/vm/SelfHosting.cpp
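Review bot: The test has no comment saying what it exercises, and the empty `catch (e) {}` accepts any exception, so a reader cannot tell that the first `a.forEach()` is the call expected to fail under `oomAtAllocation(1)` and the second `a.forEach(()=>1)` the call that must still succeed afterwards. A one-line header such as `// Bug 1188347: an OOM during script cloning must not leave the function unusable for the next call.` would make the intent and the pass condition explicit. Asserting on the caught value is presumably not practical, since the first call can fail for more than one reason, so saying in the same comment that the catch is deliberately permissive is the better fix.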
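Review bot: `lazy` is a raw `LazyScript*` taken before `fun->setUnlazifiedScript(dst)` and read again after `detail::CopyScript(cx, fun, src, dst)`; if CopyScript can allocate and therefore trigger a GC — which the OOM path this bug is about suggests — nothing visible in the hunk keeps the lazy script alive once `fun` no longer refers to it, so `Rooted<LazyScript*> lazy(cx);` looks like the safer declaration (the rooting analysis is the place to confirm this). The restore branch also deserves a why-comment, e.g. `// CopyScript failed: put fun back into the lazy state it had before setUnlazifiedScript instead of leaving it with a null script.` Note that `lazyScriptOrNull()` may, by its name, return null, in which case the `setScript(nullptr)` fallback still applies exactly as before the change. CloneScriptIntoFunction's signature and the `return nullptr` just above the hunk lie outside it.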
@@ -1864,16 +1864,21 @@ JSRuntime::cloneSelfHostedFunctionScript(JSContext* cx, HandlePropertyName name,
 // aren't any.
 MOZ_ASSERT(!sourceFun->isGenerator());
 MOZ_ASSERT(sourceFun->nargs() == targetFun->nargs());
- // The target function might have been relazified after it's flags changed.
- targetFun->setFlags((targetFun->flags() & ~JSFunction::INTERPRETED_LAZY) |
- sourceFun->flags() | JSFunction::EXTENDED);
 MOZ_ASSERT(targetFun->isExtended());
+ MOZ_ASSERT(targetFun->isInterpretedLazy());
+ MOZ_ASSERT(targetFun->isSelfHostedBuiltin());
 RootedScript sourceScript(cx, sourceFun->getOrCreateScript(cx));
 if (!sourceScript)
 return false;
 MOZ_ASSERT(!sourceScript->enclosingStaticScope());
- return !!CloneScriptIntoFunction(cx, /* enclosingScope = */ nullptr, targetFun, sourceScript);
+ if (!CloneScriptIntoFunction(cx, /* enclosingScope = */ nullptr, targetFun, sourceScript))
+ return false;
+ MOZ_ASSERT(!targetFun->isInterpretedLazy());
+
+ // The target function might have been relazified after its flags changed.
+ targetFun->setFlags(targetFun->flags() | sourceFun->flags());
+ return true;
 }
 bool
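Review bot: The comment now sitting above `targetFun->setFlags(targetFun->flags() | sourceFun->flags());` still carries the old motivation ("might have been relazified after its flags changed") and does not say why the merge now happens only after a successful `CloneScriptIntoFunction`, which is the point of the reordering. Rewording it to something like `// Merge the source's flags only after the clone succeeded: on failure the target stays lazy and must keep its original flags.` would match what the code now does. The plain OR also propagates every bit set in `sourceFun->flags()`, which is presumably intended for a self-hosted builtin whose target was just asserted extended and lazy, but a word on that in the same comment would spare the next reader the question. The function's opening lines are outside the hunk.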