From afc95d00796f104e1c5c3ba32198a41fb5e61882 Mon Sep 17 00:00:00 2001
From: Paul Bone
Date: Fri, 26 Jul 2019 09:03:30 +0000
Subject: [PATCH] Bug 1568119 - Setup OOM simulation testing for MarkPagesInUseHard r=jonco

There are three cases where this function could OOM:
* Zeal mode - we want to crash if this OOMs
* Growing the Nursery - We've added a new test to exercise this code path
* Disabling the Nursery - Plenty of existing tests seem to cover this with OOM testing.
Differential Revision: https://phabricator.services.mozilla.com/D39457
--HG--
extra : moz-landing-system : lando
---
 js/src/gc/Memory.cpp | 4 ++++
 js/src/gc/Nursery.cpp | 7 +++++--
 js/src/jit-test/tests/gc/bug-1568119.js | 21 +++++++++++++++++++++
 3 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 js/src/jit-test/tests/gc/bug-1568119.js
diff --git a/js/src/gc/Memory.cpp b/js/src/gc/Memory.cpp
index 8338896e7146..c9f1b2d4dfce 100644
--- a/js/src/gc/Memory.cpp
+++ b/js/src/gc/Memory.cpp
@@ -801,6 +801,10 @@ void MarkPagesInUseSoft(void* region, size_t length) { } bool MarkPagesInUseHard(void* region, size_t length) { + if (js::oom::ShouldFailWithOOM()) { + return false; + } + CheckDecommit(region, length); MOZ_MAKE_MEM_UNDEFINED(region, length);
diff --git a/js/src/gc/Nursery.cpp b/js/src/gc/Nursery.cpp
index 7b9c9e8b5793..0f8df37afff9 100644
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -379,8 +379,11 @@ void js::Nursery::enterZealMode() { // which could be attempting to decommit the currently-unused part of this // chunk. decommitTask.join(); - if (!chunk(0).markPagesInUseHard(ChunkSize - ArenaSize)) { - MOZ_CRASH("Out of memory trying to extend chunk for zeal mode"); + { + AutoEnterOOMUnsafeRegion oomUnsafe; + if (!chunk(0).markPagesInUseHard(ChunkSize - ArenaSize)) { + oomUnsafe.crash("Out of memory trying to extend chunk for zeal mode"); + } } // It'd be simpler to poison the whole chunk, but we can't do that
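Review bot: The new early `return false` in MarkPagesInUseHard makes a failed commit reachable under OOM simulation from every caller, yet only the zeal-mode caller is touched by this patch. The nursery grow and disable callers named in the description are outside the diff, so it is worth confirming that each of them checks the result, because carrying on after a failure would leave the nursery writing into pages that were never marked in use. If the declaration in the header does not already carry it, marking the function `MOZ_MUST_USE` would let the compiler flag an ignored result. A one-line comment above the check, for example `// Simulated OOM: fail before touching the region so the caller sees it unchanged.`, would record why the check comes before CheckDecommit. The function body continues past the end of the hunk.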
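Review bot: The bare `{ … }` block added around the markPagesInUseHard call in enterZealMode has no comment saying that it exists to bound the lifetime of `oomUnsafe`, so a later cleanup could flatten it and silently widen the OOM-unsafe region to the rest of the function. I would add a comment on the opening brace such as `// Limit the OOM-unsafe region to this call; failing to extend the chunk is unrecoverable here.` As far as I know AutoEnterOOMUnsafeRegion also suppresses simulated OOM while it is live, which would be what keeps the new ShouldFailWithOOM check from crashing oomTest runs on this path; if that is the intent, the same comment should say so. enterZealMode starts before the hunk and continues after it.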
diff --git a/js/src/jit-test/tests/gc/bug-1568119.js b/js/src/jit-test/tests/gc/bug-1568119.js
new file mode 100644
index 000000000000..946da1081084
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1568119.js
@@ -0,0 +1,21 @@
+// |jit-test| skip-if: !('oomTest' in this)
+
+function allocateSomeStuff() {
+ return {a: "a fish", b: [1, 2, 3]};
+}
+
+oomTest(() => {
+ // Run a minor GC with a small nursery.
+ gcparam('minNurseryBytes', 256 * 1024);
+ gcparam('maxNurseryBytes', 256 * 1024);
+ allocateSomeStuff();
+ gc();
+
+ // Run a minor GC with a larger nursery to get it to attempt to grow and
+ // fail the allocation there.
+ gcparam('maxNurseryBytes', 1024 * 1024);
+ gcparam('minNurseryBytes', 1024 * 1024);
+ allocateSomeStuff();
+ gc();
+});
+
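Review bot: Both block comments inside the oomTest callback say "Run a minor GC", but the calls are `gc()`, which in the shell requests a full collection. Either call `minorgc()` or reword the comments to say the nursery is collected as part of a full GC, so the test describes what it actually exercises. The two blocks also set the limits in opposite order (min then max when shrinking, max then min when growing), presumably so that min never exceeds max between the two gcparam calls. A short comment such as `// Raise max before min so min <= max holds at every step.` would stop someone from reordering them for symmetry.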