Bug 1546881 - Fix OOM causing realloc to wrong arena r=sfink

Bug 1052579 introduced a new mozjemalloc arena for JSString char buffers. Unfortunately, my testing missed the case where JSStringBuilder causes an OOM condition, causing the OOM handler to realloc to the default arena, regardless of what arena is actually indicated by the AllocPolicy for the char vector. The realloc now passes the arena from the AllocPolicy to mozjemalloc. Differential Revision: https://phabricator.services.mozilla.com/D29092 --HG-- extra : moz-landing-system : lando
2019-04-30 15:37:45 +00:00 · 2019-04-30 15:37:45 +00:00 · ae3e160b94
--- a/js/src/vm/Runtime.cpp
+++ b/js/src/vm/Runtime.cpp
@ -709,7 +709,7 @@ JS_FRIEND_API void* JSRuntime::onOutOfMemory(AllocFunction allocFunc,
        p = js_arena_calloc(arena, nbytes, 1);
        break;
      case AllocFunction::Realloc:
-        p = js_realloc(reallocPtr, nbytes);
+        p = js_arena_realloc(arena, reallocPtr, nbytes);
        break;
      default:
        MOZ_CRASH();