summaryrefslogtreecommitdiffstats
path: root/js
diff options
context:
space:
mode:
Diffstat (limited to 'js')
-rw-r--r--js/src/jit-test/tests/debug/bug1353356.js65
-rw-r--r--js/src/vm/Stack.cpp14
-rw-r--r--js/src/wasm/WasmModule.cpp8
3 files changed, 77 insertions, 10 deletions
diff --git a/js/src/jit-test/tests/debug/bug1353356.js b/js/src/jit-test/tests/debug/bug1353356.js
new file mode 100644
index 000000000..389bb7860
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug1353356.js
@@ -0,0 +1,65 @@
+// |jit-test| allow-oom; --fuzzing-safe
+
+var lfLogBuffer = `
+//corefuzz-dcd-endofdata
+//corefuzz-dcd-endofdata
+//corefuzz-dcd-endofdata
+ setJitCompilerOption("ion.warmup.trigger", 4);
+ var g = newGlobal();
+ g.debuggeeGlobal = this;
+ g.eval("(" + function () {
+ dbg = new Debugger(debuggeeGlobal);
+ dbg.onExceptionUnwind = function (frame, exc) {
+ var s = '!';
+ for (var f = frame; f; f = f.older)
+ debuggeeGlobal.log += s;
+ };
+ } + ")();");
+ j('Number.prototype.toSource.call([])');
+//corefuzz-dcd-endofdata
+//corefuzz-dcd-endofdata
+//corefuzz-dcd-endofdata
+//corefuzz-dcd-selectmode 4
+//corefuzz-dcd-endofdata
+}
+//corefuzz-dcd-endofdata
+//corefuzz-dcd-selectmode 5
+//corefuzz-dcd-endofdata
+oomTest(() => i({
+ new : (true ),
+ thisprops: true
+}));
+`;
+lfLogBuffer = lfLogBuffer.split('\n');
+var lfRunTypeId = -1;
+var lfCodeBuffer = "";
+while (true) {
+ var line = lfLogBuffer.shift();
+ if (line == null) {
+ break;
+ } else if (line == "//corefuzz-dcd-endofdata") {
+ loadFile(lfCodeBuffer);
+ lfCodeBuffer = "";
+ loadFile(line);
+ } else {
+ lfCodeBuffer += line + "\n";
+ }
+}
+if (lfCodeBuffer) loadFile(lfCodeBuffer);
+function loadFile(lfVarx) {
+ try {
+ if (lfVarx.indexOf("//corefuzz-dcd-selectmode ") === 0) {
+ lfRunTypeId = parseInt(lfVarx.split(" ")[1]) % 6;
+ } else {
+ switch (lfRunTypeId) {
+ case 4:
+ oomTest(function() {
+ let m = parseModule(lfVarx);
+ });
+ break;
+ default:
+ evaluate(lfVarx);
+ }
+ }
+ } catch (lfVare) {}
+}
diff --git a/js/src/vm/Stack.cpp b/js/src/vm/Stack.cpp
index 7978d8dbc..439bb1ed4 100644
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@@ -1517,11 +1517,7 @@ jit::JitActivation::getRematerializedFrame(JSContext* cx, const JitFrameIterator
uint8_t* top = iter.fp();
RematerializedFrameTable::AddPtr p = rematerializedFrames_->lookupForAdd(top);
if (!p) {
- RematerializedFrameVector empty(cx);
- if (!rematerializedFrames_->add(p, top, Move(empty))) {
- ReportOutOfMemory(cx);
- return nullptr;
- }
+ RematerializedFrameVector frames(cx);
// The unit of rematerialization is an uninlined frame and its inlined
// frames. Since inlined frames do not exist outside of snapshots, it
@@ -1536,9 +1532,11 @@ jit::JitActivation::getRematerializedFrame(JSContext* cx, const JitFrameIterator
// be in the activation's compartment.
AutoCompartment ac(cx, compartment_);
- if (!RematerializedFrame::RematerializeInlineFrames(cx, top, inlineIter, recover,
- p->value()))
- {
+ if (!RematerializedFrame::RematerializeInlineFrames(cx, top, inlineIter, recover, frames))
+ return nullptr;
+
+ if (!rematerializedFrames_->add(p, top, Move(frames))) {
+ ReportOutOfMemory(cx);
return nullptr;
}
diff --git a/js/src/wasm/WasmModule.cpp b/js/src/wasm/WasmModule.cpp
index be7ddba8f..b24e01a40 100644
--- a/js/src/wasm/WasmModule.cpp
+++ b/js/src/wasm/WasmModule.cpp
@@ -1007,12 +1007,16 @@ Module::instantiate(JSContext* cx,
maybeBytecode = bytecode_.get();
auto codeSegment = CodeSegment::create(cx, code_, linkData_, *metadata_, memory);
- if (!codeSegment)
+ if (!codeSegment) {
+ ReportOutOfMemory(cx);
return false;
+ }
auto code = cx->make_unique<Code>(Move(codeSegment), *metadata_, maybeBytecode);
- if (!code)
+ if (!code) {
+ ReportOutOfMemory(cx);
return false;
+ }
instance.set(WasmInstanceObject::create(cx,
Move(code),