From d3a8744d8ede2830aa48f33dc056e1a924b11e41 Mon Sep 17 00:00:00 2001
From: Shu-yu Guo
Date: Tue, 5 Jan 2016 18:36:36 -0800
Subject: [PATCH] Bug 1216261 - Fix OOM handling of DebugScopes. (r=jonco)
---
 js/src/jit-test/tests/debug/bug1216261.js | 15 +++++++++++++++
 js/src/vm/ScopeObject.cpp | 17 ++++++++---------
 2 files changed, 23 insertions(+), 9 deletions(-)
 create mode 100644 js/src/jit-test/tests/debug/bug1216261.js
diff --git a/js/src/jit-test/tests/debug/bug1216261.js b/js/src/jit-test/tests/debug/bug1216261.js
new file mode 100644
index 000000000000..71f11fe802c7
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug1216261.js
@@ -0,0 +1,15 @@
+// |jit-test| exitstatus: 3
+
+if (!('oomAfterAllocations' in this))
+ quit(3);
+
+var g = newGlobal();
+var dbg = new Debugger(g);
+dbg.onDebuggerStatement = function(frame) {
+ oomAfterAllocations(5);
+ // OOMs here, and possibly again in the error reporter when trying to
+ // report the OOM, so the shell just exits with code 3.
+ frame.older.eval("escaped = function() { return y }");
+}
+g.eval("function h() { debugger }");
+g.eval("(function () { var y = {p:42}; h(); yield })().next();");
diff --git a/js/src/vm/ScopeObject.cpp b/js/src/vm/ScopeObject.cpp
index fb38c623f36e..0c6c69b85b39
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@@ -2354,7 +2354,7 @@ DebugScopes::DebugScopes(JSContext* cx)
 
 DebugScopes::~DebugScopes()
 {
- MOZ_ASSERT(missingScopes.empty());
+ MOZ_ASSERT_IF(missingScopes.initialized(), missingScopes.empty());
 }
 
 bool
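Review bot: The relaxed assertion in ~DebugScopes is left without a comment saying why an uninitialized missingScopes is now an expected state at destruction, and the reason is not visible in this hunk. It follows from the ensureCompartmentData hunk below, where a DebugScopes whose init() failed is presumably torn down by its owning guard before any table was initialized; `MOZ_ASSERT_IF(missingScopes.initialized(), ...)` is what keeps that teardown from tripping the assertion. Suggest `// init() can fail before the tables are initialized; only an initialized map is required to be empty here.` above the assertion so the next reader does not tighten it back.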
@@ -2454,15 +2454,14 @@ DebugScopes::ensureCompartmentData(JSContext* cx)
 if (c->debugScopes)
 return c->debugScopes;
 
- c->debugScopes = cx->runtime()->new_(cx);
- if (c->debugScopes && c->debugScopes->init())
- return c->debugScopes;
+ AutoInitGCManagedObject debugScopes(cx->make_unique(cx));
+ if (!debugScopes || !debugScopes->init()) {
+ ReportOutOfMemory(cx);
+ return nullptr;
+ }
 
- if (c->debugScopes)
- js_delete(c->debugScopes);
- c->debugScopes = nullptr;
- ReportOutOfMemory(cx);
- return nullptr;
+ c->debugScopes = debugScopes.release();
+ return c->debugScopes;
 }
 
 DebugScopeObject*
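Review bot: The reworked OOM path in ensureCompartmentData carries no comment stating the ownership rule it now enforces, which is the actual fix: `c->debugScopes` is assigned only after both the allocation and `init()` have succeeded, whereas the removed code published the pointer into the compartment first and cleaned up afterwards, briefly exposing a partially initialized DebugScopes through the compartment. Suggest `// Keep ownership in the guard until init() succeeds; c->debugScopes must never point at a partially initialized DebugScopes.` above the `if`. The template arguments of `cx->make_unique(cx)` and `AutoInitGCManagedObject debugScopes` appear to have been stripped in this rendering, presumably `<DebugScopes>` in the actual patch. If `cx->make_unique` already reports allocation failure through the context's OOM hooks, the `ReportOutOfMemory(cx)` in the combined branch reports twice on that path — harmless as far as I can tell, but the `init()` failure path does need it, so a one-line comment on why the report lives here would help.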