From ae00e39b035b5bb8a71b6e0d83030cdef70bbb86 Mon Sep 17 00:00:00 2001
From: Tim Lunn <tim@feathertop.org>
Date: Thu, 17 Jan 2013 09:26:09 -0800
Subject: [PATCH] Bug 829421 - Free ArgumentsData if JSObject allocation fails.
 r=nbp

---
 js/src/vm/ArgumentsObject.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/js/src/vm/ArgumentsObject.cpp b/js/src/vm/ArgumentsObject.cpp
index 1e199301e992..2abe72974c25 100644
--- a/js/src/vm/ArgumentsObject.cpp
+++ b/js/src/vm/ArgumentsObject.cpp
@@ -161,8 +161,10 @@ ArgumentsObject::create(JSContext *cx, HandleScript script, HandleFunction calle
     ClearAllBitArrayElements(data->deletedBits, numDeletedWords);
 
     RawObject obj = JSObject::create(cx, FINALIZE_KIND, shape, type, NULL);
-    if (!obj)
+    if (!obj) {
+        js_free(data);
         return NULL;
+    }
 
     obj->initFixedSlot(INITIAL_LENGTH_SLOT, Int32Value(numActuals << PACKED_BITS_COUNT));
     obj->initFixedSlot(DATA_SLOT, PrivateValue(data));