Bug 720675 - OOM Crash [@ JSString::isFlat] because of NULL deref for ensureFlat. r=bhackett

2024-09-13 09:24:08 -07:00 · 2012-02-05 11:32:12 +01:00 · 2012-02-05 11:32:12 +01:00 · 265f99d7f7
commit 265f99d7f7
parent e6d34778fa
2 changed files with 19 additions and 3 deletions
--- a/js/src/jit-test/tests/basic/bug720675.js
+++ b/js/src/jit-test/tests/basic/bug720675.js
@ -0,0 +1,9 @@
+// |jit-test| allow-oom;
+
+gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
+arr = [1e0, 5e1, 9e19, 0.1e20, 1.3e20, 1e20, 9e20, 9.99e20, 
+    0.1e21, 1e21, 1e21+65537, 1e21+65536, 1e21-65536, 1]; 
+for (var i = 0; i < 4000; i++) {
+    arr.push(1e19 + i*1e19);
+}
+for (var i in arr) {}
--- a/js/src/jsatominlines.h
+++ b/js/src/jsatominlines.h
@ -192,9 +192,16 @@ IdToString(JSContext *cx, jsid id)
 {
    if (JSID_IS_STRING(id))
        return JSID_TO_ATOM(id);
-    if (JS_LIKELY(JSID_IS_INT(id)))
-        return js_IntToString(cx, JSID_TO_INT(id))->ensureFlat(cx);
-    return ToStringSlow(cx, IdToValue(id))->ensureFlat(cx);
+
+    JSString *str;
+     if (JS_LIKELY(JSID_IS_INT(id)))
+        str = js_IntToString(cx, JSID_TO_INT(id));
+    else
+        str = ToStringSlow(cx, IdToValue(id));    
+
+    if (!str)
+        return NULL;
+    return str->ensureFlat(cx);
 }

 inline