Bug 1350464 - Don't try to poison not-yet-allocated structures when an error occurs during parsing. r=arai

--HG--
extra : rebase_source : 05df0ec3dd38e73de0a8b156b0a0b5725622a350

js/src/frontend/TokenStream.cpp

@@ -1938,9 +1938,9 @@ TokenStream::getTokenInternal(TokenKind* ttp, Modifier modifier)
     return true;
 
   error:
-    flags.isDirtyLine = true;
-    tp->pos.end = userbuf.offset();
-    MOZ_MAKE_MEM_UNDEFINED(&tp->type, sizeof(tp->type));
+    // We didn't get a token, so don't set |flags.isDirtyLine|.  And don't
+    // poison any of |*tp|: if we haven't allocated a token, |tp| could be
+    // uninitialized.
     flags.hadError = true;
 #ifdef DEBUG
     // Poisoning userbuf on error establishes an invariant: once an erroneous

js/src/jit-test/tests/parser/oom-tracking-line-starts-in-tokenizer.js

@@ -0,0 +1,143 @@
+// Constraints on this test's appearance:
+//
+//   * |TokenStream::SourceCoords::add| must try to allocate memory.  (This test
+//     ensures this happens by making the function below >=128 lines long so
+//     that |SourceCoords::lineStartOffsets_| must convert to heap storage.  The
+//     precise approach doesn't matter.)
+//   * That allocation attempt must fail (by forced simulated OOM, here).
+//
+// It'd be nice to build up the function programmatically, but it appears that
+// the above only happens if the provided function has a lazy script.  Cursory
+// attempts to relazify |Function("...")| didn't work, so this fuzzer-like
+// version had to be used instead.
+if ("oomTest" in this) {
+  oomTest(function() {
+      try {
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+      } catch(e) {
+          ;
+      }
+  })
+}