Diffstat (limited to 'js')
-rw-r--r-- | js/src/jit-test/tests/debug/bug1353356.js | 65 | ||||
-rw-r--r-- | js/src/vm/Stack.cpp | 14 | ||||
-rw-r--r-- | js/src/wasm/WasmModule.cpp | 8 |
3 files changed, 77 insertions, 10 deletions
diff --git a/js/src/jit-test/tests/debug/bug1353356.js b/js/src/jit-test/tests/debug/bug1353356.js new file mode 100644 index 000000000..389bb7860 --- /dev/null +++ b/js/src/jit-test/tests/debug/bug1353356.js @@ -0,0 +1,65 @@ +// |jit-test| allow-oom; --fuzzing-safe + +var lfLogBuffer = ` +//corefuzz-dcd-endofdata +//corefuzz-dcd-endofdata +//corefuzz-dcd-endofdata + setJitCompilerOption("ion.warmup.trigger", 4); + var g = newGlobal(); + g.debuggeeGlobal = this; + g.eval("(" + function () { + dbg = new Debugger(debuggeeGlobal); + dbg.onExceptionUnwind = function (frame, exc) { + var s = '!'; + for (var f = frame; f; f = f.older) + debuggeeGlobal.log += s; + }; + } + ")();"); + j('Number.prototype.toSource.call([])'); +//corefuzz-dcd-endofdata +//corefuzz-dcd-endofdata +//corefuzz-dcd-endofdata +//corefuzz-dcd-selectmode 4 +//corefuzz-dcd-endofdata +} +//corefuzz-dcd-endofdata +//corefuzz-dcd-selectmode 5 +//corefuzz-dcd-endofdata +oomTest(() => i({ + new : (true ), + thisprops: true +})); +`; +lfLogBuffer = lfLogBuffer.split('\n'); +var lfRunTypeId = -1; +var lfCodeBuffer = ""; +while (true) { + var line = lfLogBuffer.shift(); + if (line == null) { + break; + } else if (line == "//corefuzz-dcd-endofdata") { + loadFile(lfCodeBuffer); + lfCodeBuffer = ""; + loadFile(line); + } else { + lfCodeBuffer += line + "\n"; + } +} +if (lfCodeBuffer) loadFile(lfCodeBuffer); +function loadFile(lfVarx) { + try { + if (lfVarx.indexOf("//corefuzz-dcd-selectmode ") === 0) { + lfRunTypeId = parseInt(lfVarx.split(" ")[1]) % 6; + } else { + switch (lfRunTypeId) { + case 4: + oomTest(function() { + let m = parseModule(lfVarx); + }); + break; + default: + evaluate(lfVarx); + } + } + } catch (lfVare) {} +} diff --git a/js/src/vm/Stack.cpp b/js/src/vm/Stack.cpp index 7978d8dbc..439bb1ed4 100644 --- a/js/src/vm/Stack.cpp +++ b/js/src/vm/Stack.cpp 
@@ -1517,11 +1517,7 @@ jit::JitActivation::getRematerializedFrame(JSContext* cx, const JitFrameIterator
 uint8_t* top = iter.fp();
 RematerializedFrameTable::AddPtr p = rematerializedFrames_->lookupForAdd(top);
 if (!p) {
- RematerializedFrameVector empty(cx);
- if (!rematerializedFrames_->add(p, top, Move(empty))) {
- ReportOutOfMemory(cx);
- return nullptr;
- }
+ RematerializedFrameVector frames(cx);
 // The unit of rematerialization is an uninlined frame and its inlined
 // frames. Since inlined frames do not exist outside of snapshots, it
@@ -1536,9 +1532,11 @@ jit::JitActivation::getRematerializedFrame(JSContext* cx, const JitFrameIterator
 // be in the activation's compartment.
 AutoCompartment ac(cx, compartment_);
- if (!RematerializedFrame::RematerializeInlineFrames(cx, top, inlineIter, recover,
- p->value()))
- {
+ if (!RematerializedFrame::RematerializeInlineFrames(cx, top, inlineIter, recover, frames))
+ return nullptr;
+
+ if (!rematerializedFrames_->add(p, top, Move(frames))) {
+ ReportOutOfMemory(cx);
 return nullptr;
 }
diff --git a/js/src/wasm/WasmModule.cpp b/js/src/wasm/WasmModule.cpp
index be7ddba8f..b24e01a40 100644
--- a/js/src/wasm/WasmModule.cpp
+++ b/js/src/wasm/WasmModule.cpp
@@ -1007,12 +1007,16 @@ Module::instantiate(JSContext* cx,
 maybeBytecode = bytecode_.get();
 auto codeSegment = CodeSegment::create(cx, code_, linkData_, *metadata_, memory);
- if (!codeSegment)
+ if (!codeSegment) {
+ ReportOutOfMemory(cx);
 return false;
+ }
 auto code = cx->make_unique<Code>(Move(codeSegment), *metadata_, maybeBytecode);
- if (!code)
+ if (!code) {
+ ReportOutOfMemory(cx);
 return false;
+ }
 instance.set(WasmInstanceObject::create(cx, Move(code), |
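Review bot: In the second Stack.cpp hunk the AddPtr `p` from `rematerializedFrames_->lookupForAdd(top)` (first hunk) is now consumed by `rematerializedFrames_->add(p, top, Move(frames))` only after `RematerializeInlineFrames` has run, so the new ordering is correct only if nothing touches `rematerializedFrames_` in between; if that call can re-enter this activation's table (it allocates and, given the `AutoCompartment`, runs non-trivial code), `p` would be stale when `add` uses it. If that re-entrancy is ruled out, a one-line comment above the add such as `// p is still valid: RematerializeInlineFrames never mutates rematerializedFrames_` would record the invariant; if it is not, `rematerializedFrames_->relookupOrAdd(p, top, Move(frames))` re-validates the pointer. The early `return nullptr` after a failed `RematerializeInlineFrames` reports nothing here, which presumably relies on the callee having reported OOM or another error itself — worth confirming, since the old code only reported on the add path. getRematerializedFrame continues beyond both hunks.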