Bug 1296249 - Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:357. r=jandem

--HG-- extra : rebase_source : b00aeacf897e3e3d61b2a57387f35b4c608c160a
2016-10-07 10:20:44 -04:00 · 2016-10-07 10:20:44 -04:00 · 93dd2d157d
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@ -339,7 +339,7 @@ js::Nursery::allocate(size_t size)
 }

 void*
-js::Nursery::allocateBuffer(Zone* zone, uint32_t nbytes)
+js::Nursery::allocateBuffer(Zone* zone, size_t nbytes)
 {
    MOZ_ASSERT(nbytes > 0);

@ -358,7 +358,7 @@ js::Nursery::allocateBuffer(Zone* zone, uint32_t nbytes)
 }

 void*
-js::Nursery::allocateBuffer(JSObject* obj, uint32_t nbytes)
+js::Nursery::allocateBuffer(JSObject* obj, size_t nbytes)
 {
    MOZ_ASSERT(obj);
    MOZ_ASSERT(nbytes > 0);
@ -370,7 +370,7 @@ js::Nursery::allocateBuffer(JSObject* obj, uint32_t nbytes)

 void*
 js::Nursery::reallocateBuffer(JSObject* obj, void* oldBuffer,
-                              uint32_t oldBytes, uint32_t newBytes)
+                              size_t oldBytes, size_t newBytes)
 {
    if (!IsInsideNursery(obj))
        return obj->zone()->pod_realloc<uint8_t>((uint8_t*)oldBuffer, oldBytes, newBytes);
--- a/js/src/gc/Nursery.h
+++ b/js/src/gc/Nursery.h
@ -174,17 +174,17 @@ class Nursery
    JSObject* allocateObject(JSContext* cx, size_t size, size_t numDynamic, const js::Class* clasp);

    /* Allocate a buffer for a given zone, using the nursery if possible. */
-    void* allocateBuffer(JS::Zone* zone, uint32_t nbytes);
+    void* allocateBuffer(JS::Zone* zone, size_t nbytes);

    /*
     * Allocate a buffer for a given object, using the nursery if possible and
     * obj is in the nursery.
     */
-    void* allocateBuffer(JSObject* obj, uint32_t nbytes);
+    void* allocateBuffer(JSObject* obj, size_t nbytes);

    /* Resize an existing object buffer. */
    void* reallocateBuffer(JSObject* obj, void* oldBuffer,
-                           uint32_t oldBytes, uint32_t newBytes);
+                           size_t oldBytes, size_t newBytes);

    /* Free an object buffer. */
    void freeBuffer(void* buffer);
--- a/js/src/jit-test/tests/basic/bug1296249.js
+++ b/js/src/jit-test/tests/basic/bug1296249.js
@ -0,0 +1,9 @@
+if (!('oomTest' in this))
+    quit();
+
+function f(x) {
+    new Int32Array(x);
+}
+
+f(0);
+oomTest(() => f(2147483647));