From 265f99d7f7ee1a642d925785b11bc94909508f4b Mon Sep 17 00:00:00 2001
From: Tom Schuster
Date: Sun, 5 Feb 2012 11:32:12 +0100
Subject: [PATCH] Bug 720675 - OOM Crash [@ JSString::isFlat] because of NULL deref for ensureFlat. r=bhackett
---
 js/src/jit-test/tests/basic/bug720675.js | 9 +++++++++
 js/src/jsatominlines.h | 13 ++++++++++---
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 js/src/jit-test/tests/basic/bug720675.js
diff --git a/js/src/jit-test/tests/basic/bug720675.js b/js/src/jit-test/tests/basic/bug720675.js
new file mode 100644
index 00000000000..dd664d508be
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug720675.js
@@ -0,0 +1,9 @@
+// |jit-test| allow-oom;
+
+gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
+arr = [1e0, 5e1, 9e19, 0.1e20, 1.3e20, 1e20, 9e20, 9.99e20,
+ 0.1e21, 1e21, 1e21+65537, 1e21+65536, 1e21-65536, 1];
+for (var i = 0; i < 4000; i++) {
+ arr.push(1e19 + i*1e19);
+}
+for (var i in arr) {}
diff --git a/js/src/jsatominlines.h b/js/src/jsatominlines.h
index 80bb9751dfd..a63ba028b92 100644
--- a/js/src/jsatominlines.h
+++ b/js/src/jsatominlines.h
@@ -192,9 +192,16 @@ IdToString(JSContext *cx, jsid id)
 {
 if (JSID_IS_STRING(id))
 return JSID_TO_ATOM(id);
- if (JS_LIKELY(JSID_IS_INT(id)))
- return js_IntToString(cx, JSID_TO_INT(id))->ensureFlat(cx);
- return ToStringSlow(cx, IdToValue(id))->ensureFlat(cx);
+
+ JSString *str;
+ if (JS_LIKELY(JSID_IS_INT(id)))
+ str = js_IntToString(cx, JSID_TO_INT(id));
+ else
+ str = ToStringSlow(cx, IdToValue(id));
+
+ if (!str)
+ return NULL;
+ return str->ensureFlat(cx);
 }
 inline
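Review bot: The new NULL check before `str->ensureFlat(cx)` fixes the deref, but nothing in the hunk records that IdToString can now return NULL, and the subject line suggests ensureFlat itself is also an OOM-sensitive call, so callers have to treat a NULL result as a failure rather than a flat string. A contract comment above the function (its return-type and signature lines are outside the hunk) would make that explicit: `/* Returns NULL on OOM (from js_IntToString, ToStringSlow or ensureFlat); callers must check the result. */`. As a point of style, the uninitialized `JSString *str;` followed by an if/else assignment could be a single initialization, `JSString *str = JS_LIKELY(JSID_IS_INT(id)) ? js_IntToString(cx, JSID_TO_INT(id)) : ToStringSlow(cx, IdToValue(id));`, which avoids a declared-but-unassigned pointer.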