From ce88b713d21eaa96bbb15ec0a112408bf7fd1433 Mon Sep 17 00:00:00 2001
From: Benjamin Bouvier
Date: Fri, 13 Jul 2018 16:25:27 +0200
Subject: [PATCH] Bug 1473956: Report OOM when a wasm Global's cell couldn't be allocated; r=jseward

--HG--
extra : rebase_source : 0698793b5808d247bfde67b7883feb2e514c4f46
---
 js/src/wasm/WasmJS.cpp | 8 ++++++--
 js/src/wasm/WasmJS.h | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/js/src/wasm/WasmJS.cpp b/js/src/wasm/WasmJS.cpp
index 5399b733989b..0e5b8cf9f56e 100644
--- a/js/src/wasm/WasmJS.cpp
+++ b/js/src/wasm/WasmJS.cpp
@@ -2175,7 +2175,8 @@ WasmGlobalObject::trace(JSTracer* trc, JSObject* obj)
 WasmGlobalObject::finalize(FreeOp*, JSObject* obj)
 {
 WasmGlobalObject* global = reinterpret_cast(obj);
- js_delete(global->cell());
+ if (!global->isNewborn())
+ js_delete(global->cell());
 }
 
 /* static */ WasmGlobalObject*
@@ -2188,14 +2189,17 @@ WasmGlobalObject::create(JSContext* cx, HandleVal hval, bool isMutable)
 if (!obj)
 return nullptr;
 
+ MOZ_ASSERT(obj->isNewborn());
 MOZ_ASSERT(obj->isTenured(), "assumed by set_global post barriers");
 
 // It's simpler to initialize the cell after the object has been created,
 // to avoid needing to root the cell before the object creation.
 Cell* cell = js_new();
- if (!cell)
+ if (!cell) {
+ ReportOutOfMemory(cx);
 return nullptr;
+ }
 
 const Val& val = hval.get();
 switch (val.type().code()) {
diff --git a/js/src/wasm/WasmJS.h b/js/src/wasm/WasmJS.h
index 50f9afb004d6..0bdb1c94d572 100644
--- a/js/src/wasm/WasmJS.h
+++ b/js/src/wasm/WasmJS.h
@@ -154,6 +154,7 @@ class WasmGlobalObject : public NativeObject
 static bool construct(JSContext*, unsigned, Value*);
 
 static WasmGlobalObject* create(JSContext* cx, wasm::HandleVal value, bool isMutable);
+ bool isNewborn() { return getReservedSlot(CELL_SLOT).isUndefined(); }
 
 wasm::ValType type() const;
 void val(wasm::MutableHandleVal outval) const;
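Review bot: The new guard in WasmGlobalObject::finalize depends on CELL_SLOT staying undefined until create() stores the cell, but nothing at the call site says why a live global might have no cell, so a reader has to go to the header to find isNewborn(). Add a comment above the guard: `// A newborn global never got its cell (create() failed before storing one), so there is nothing to free.`. Keeping the check ahead of cell() matters if cell() reinterprets the slot as a pointer, since an undefined slot would then be misread; I cannot see cell() here, so please confirm.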
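Review bot: After the `js_new()` call in WasmGlobalObject::create the cell is a raw owning pointer until it is stored in the object, and create's body continues past the hunk (the switch on val.type() and whatever stores the cell into CELL_SLOT); any failure return on that stretch would leak the cell, because finalize only frees a cell that reached the slot. If such a return exists, holding the allocation in a `js::UniquePtr<Cell>` and releasing it at the point of the store closes the gap; if the remaining path cannot fail, a one-line comment after the allocation saying the cell is unconditionally stored below would document the invariant. The added ReportOutOfMemory(cx) is the right fix for the original defect, since returning nullptr with no pending exception left callers unable to tell OOM from other failures.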
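Review bot: isNewborn() in WasmJS.h only reads a reserved slot, so it should be a const member to match the `type() const` and `val(...) const` declarations next to it: `bool isNewborn() const { return getReservedSlot(CELL_SLOT).isUndefined(); }`. It also needs a comment stating the invariant finalize now relies on, for instance `// True until create() has stored a Cell in CELL_SLOT; finalize() uses this to avoid freeing a cell that was never allocated.`.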