From ae3e160b94ec3368c8c38d0f3592ec80aa964ab3 Mon Sep 17 00:00:00 2001
From: Chris Martin
Date: Tue, 30 Apr 2019 15:37:45 +0000
Subject: [PATCH] Bug 1546881 - Fix OOM causing realloc to wrong arena r=sfink
Bug 1052579 introduced a new mozjemalloc arena for JSString char buffers. Unfortunately, my testing missed the case where JSStringBuilder causes an OOM condition, causing the OOM handler to realloc to the default arena, regardless of what arena is actually indicated by the AllocPolicy for the char vector. The realloc now passes the arena from the AllocPolicy to mozjemalloc.
Differential Revision: https://phabricator.services.mozilla.com/D29092
--HG--
extra : moz-landing-system : lando
---
 js/src/vm/Runtime.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/js/src/vm/Runtime.cpp b/js/src/vm/Runtime.cpp
index 8755ed04d16d..cc2a04636e3c 100644
--- a/js/src/vm/Runtime.cpp
+++ b/js/src/vm/Runtime.cpp
@@ -709,7 +709,7 @@ JS_FRIEND_API void* JSRuntime::onOutOfMemory(AllocFunction allocFunc,
 p = js_arena_calloc(arena, nbytes, 1);
 break;
 case AllocFunction::Realloc:
- p = js_realloc(reallocPtr, nbytes);
+ p = js_arena_realloc(arena, reallocPtr, nbytes);
 break;
 default:
 MOZ_CRASH();
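Review bot: The new `js_arena_realloc(arena, reallocPtr, nbytes)` line relies on an unstated precondition that `reallocPtr` was itself allocated from `arena`; nothing in the hunk checks or documents that the caller's AllocPolicy and the original allocation agree, and a realloc that silently moves a buffer between arenas is exactly the class of mismatch this commit is fixing. A short comment above the call would make the contract visible to the next reader, e.g. `// reallocPtr must have been allocated from `arena`; the AllocPolicy supplies both.`, and if the allocator offers a debug-mode check for the owning arena, asserting it here would catch a future regression earlier than the OOM path did this time. The Realloc case now matches the visible Calloc case in passing `arena`, but the Malloc case and the rest of onOutOfMemory lie outside the hunk, so their consistency cannot be confirmed from this view. Since the description notes the original testing missed this path, a regression test that drives the OOM handler through Realloc with a non-default arena would be the natural companion to this one-line fix.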