[tbb-commits] [tor-browser/esr24] Bug 982957 - Fix crash if ConstraintTypeSet::sweep or TypeObject::sweep OOMs. r=bhackett, a=lsblakk
mikeperry at torproject.org
mikeperry at torproject.org
Fri Aug 29 05:26:38 UTC 2014
commit 3fb3184b540fcd82899c6e8d565941b12372ed72
Author: Jan de Mooij <jdemooij at mozilla.com>
Date: Thu Mar 13 18:15:25 2014 -0400
Bug 982957 - Fix crash if ConstraintTypeSet::sweep or TypeObject::sweep OOMs. r=bhackett, a=lsblakk
---
js/src/jsinfer.cpp | 51 ++++++++++++++++++++++++++++-----------------------
1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp
index d43974f..e961f11 100644
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -6172,6 +6172,15 @@ JSCompartment::getLazyType(JSContext *cx, Class *clasp, TaggedProto proto)
// Tracing
/////////////////////////////////////////////////////////////////////
+static void
+CrashAtUnhandlableOOM(const char *reason)
+{
+ char msgbuf[1024];
+ JS_snprintf(msgbuf, sizeof(msgbuf), "[unhandlable oom] %s", reason);
+ MOZ_ReportAssertionFailure(msgbuf, __FILE__, __LINE__);
+ MOZ_CRASH();
+}
+
void
TypeSet::sweep(Zone *zone)
{
@@ -6196,10 +6205,9 @@ TypeSet::sweep(Zone *zone)
TypeObjectKey **pentry =
HashSetInsert<TypeObjectKey *,TypeObjectKey,TypeObjectKey>
(zone->types.typeLifoAlloc, objectSet, objectCount, object);
- if (pentry)
- *pentry = object;
- else
- zone->types.setPendingNukeTypes();
+ if (!pentry)
+ CrashAtUnhandlableOOM("OOM in ConstraintTypeSet::sweep");
+ *pentry = object;
}
}
setBaseObjectCount(objectCount);
@@ -6279,19 +6287,17 @@ TypeObject::sweep(FreeOp *fop)
Property *prop = oldArray[i];
if (prop && prop->types.ownProperty(false)) {
Property *newProp = typeLifoAlloc.new_<Property>(*prop);
- if (newProp) {
- Property **pentry =
- HashSetInsert<jsid,Property,Property>
- (typeLifoAlloc, propertySet, propertyCount, prop->id);
- if (pentry) {
- *pentry = newProp;
- newProp->types.sweep(zone());
- } else {
- zone()->types.setPendingNukeTypes();
- }
- } else {
- zone()->types.setPendingNukeTypes();
- }
+ if (!newProp)
+ CrashAtUnhandlableOOM("OOM in TypeObject::sweep");
+
+ Property **pentry =
+ HashSetInsert<jsid,Property,Property>
+ (typeLifoAlloc, propertySet, propertyCount, prop->id);
+ if (!pentry)
+ CrashAtUnhandlableOOM("OOM in TypeObject::sweep");
+
+ *pentry = newProp;
+ newProp->types.sweep(zone());
}
}
setBasePropertyCount(propertyCount);
@@ -6299,12 +6305,11 @@ TypeObject::sweep(FreeOp *fop)
Property *prop = (Property *) propertySet;
if (prop->types.ownProperty(false)) {
Property *newProp = typeLifoAlloc.new_<Property>(*prop);
- if (newProp) {
- propertySet = (Property **) newProp;
- newProp->types.sweep(zone());
- } else {
- zone()->types.setPendingNukeTypes();
- }
+ if (!newProp)
+ CrashAtUnhandlableOOM("OOM in TypeObject::sweep");
+
+ propertySet = (Property **) newProp;
+ newProp->types.sweep(zone());
} else {
propertySet = NULL;
setBasePropertyCount(0);
More information about the tbb-commits
mailing list