Bug 1155618 - Fix more out of memory handling issues r=terrence

2024-09-13 09:24:08 -07:00 · 2015-09-07 11:36:55 +01:00 · 2015-09-07 11:36:55 +01:00 · 9122e8fbd5
commit 9122e8fbd5
parent e920d4ee84
12 changed files with 42 additions and 20 deletions
--- a/js/src/asmjs/AsmJSFrameIterator.cpp
+++ b/js/src/asmjs/AsmJSFrameIterator.cpp
@ -250,7 +250,7 @@ GenerateProfilingEpilogue(MacroAssembler& masm, unsigned framePushed, AsmJSExit:
        masm.storePtr(scratch2, Address(scratch, AsmJSActivation::offsetOfFP()));
        DebugOnly<uint32_t> prePop = masm.currentOffset();
        masm.addToStackPtr(Imm32(sizeof(void *)));
-        MOZ_ASSERT(PostStorePrePopFP == masm.currentOffset() - prePop);
+        MOZ_ASSERT_IF(!masm.oom(), PostStorePrePopFP == masm.currentOffset() - prePop);
 #else
        masm.pop(Address(scratch, AsmJSActivation::offsetOfFP()));
        MOZ_ASSERT(PostStorePrePopFP == 0);
--- a/js/src/asmjs/AsmJSValidate.cpp
+++ b/js/src/asmjs/AsmJSValidate.cpp
@ -12386,7 +12386,8 @@ CheckModule(ExclusiveContext* cx, AsmJSParser& parser, ParseNode* stmtList,
    if (!CheckFunctions(m, &mcd))
        return false;

-    m.finishFunctionBodies(&mcd);
+    if (!m.finishFunctionBodies(&mcd))
+        return false;

    if (!CheckFuncPtrTables(m))
        return false;
--- a/js/src/frontend/BytecodeEmitter.cpp
+++ b/js/src/frontend/BytecodeEmitter.cpp
@ -2923,7 +2923,8 @@ BytecodeEmitter::emitNumberOp(double dval)

        uint32_t u = uint32_t(ival);
        if (u < JS_BIT(16)) {
-            emitUint16Operand(JSOP_UINT16, u);
+            if (!emitUint16Operand(JSOP_UINT16, u))
+                return false;
        } else if (u < JS_BIT(24)) {
            ptrdiff_t off;
            if (!emitN(JSOP_UINT24, 3, &off))
--- a/js/src/frontend/FullParseHandler.h
+++ b/js/src/frontend/FullParseHandler.h
@ -482,6 +482,8 @@ class FullParseHandler
        genName->setOp(JSOP_SETNAME);
        genName->markAsAssigned();
        ParseNode* genInit = newBinary(PNK_ASSIGN, genName, makeGen);
+        if (!genInit)
+            return false;

        ParseNode* initialYield = newYieldExpression(yieldPos.begin, nullptr, genInit,
                                                     JSOP_INITIALYIELD);
--- a/js/src/jit/shared/IonAssemblerBufferWithConstantPools.h
+++ b/js/src/jit/shared/IonAssemblerBufferWithConstantPools.h
@ -518,7 +518,9 @@ struct AssemblerBufferWithConstantPools : public AssemblerBuffer<SliceSize, Inst
    void markNextAsBranch() {
        // If the previous thing inserted was the last instruction of the node,
        // then whoops, we want to mark the first instruction of the next node.
-        this->ensureSpace(InstSize);
+        if (!this->ensureSpace(InstSize))
+            return;
+
        MOZ_ASSERT(this->getTail() != nullptr);
        this->getTail()->markNextAsBranch();
    }
--- a/js/src/jsiter.cpp
+++ b/js/src/jsiter.cpp
@ -520,8 +520,10 @@ NativeIterator::allocateIterator(JSContext* cx, uint32_t numGuards, const AutoId

    size_t plength = props.length();
    NativeIterator* ni = cx->zone()->pod_malloc_with_extra<NativeIterator, void*>(plength + numGuards * 2);
-    if (!ni)
+    if (!ni) {
+        ReportOutOfMemory(cx);
        return nullptr;
+    }

    AutoValueVector strings(cx);
    ni->props_array = ni->props_cursor = reinterpret_cast<HeapPtrFlatString*>(ni + 1);
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@ -3247,8 +3247,10 @@ js::detail::CopyScript(JSContext* cx, HandleObject scriptStaticScope, HandleScri

    size_t size = src->dataSize();
    uint8_t* data = AllocScriptData(cx->zone(), size);
-    if (size && !data)
+    if (size && !data) {
+        ReportOutOfMemory(cx);
        return false;
+    }

    /* Bindings */

--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@ -554,10 +554,12 @@ ObjectGroup::defaultNewGroup(ExclusiveContext* cx, const Class* clasp,
        RootedObject obj(cx, proto.toObject());

        if (associated) {
-            if (associated->is<JSFunction>())
-                TypeNewScript::make(cx->asJSContext(), group, &associated->as<JSFunction>());
-            else
+            if (associated->is<JSFunction>()) {
+                if (!TypeNewScript::make(cx->asJSContext(), group, &associated->as<JSFunction>()))
+                    return nullptr;
+            } else {
                group->setTypeDescr(&associated->as<TypeDescr>());
+            }
        }

        /*
--- a/js/src/vm/Runtime.h
+++ b/js/src/vm/Runtime.h
@ -2169,18 +2169,18 @@ class MOZ_STACK_CLASS AutoInitGCManagedObject
    }

    T& operator*() const {
-        return *ptr_.get();
+        return *get();
    }

    T* operator->() const {
-        return ptr_.get();
+        return get();
    }

    explicit operator bool() const {
-        return ptr_.get() != nullptr;
+        return get() != nullptr;
    }

-    T* get() {
+    T* get() const {
        return ptr_.get();
    }

--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@ -1110,13 +1110,22 @@ ScopeIter::settle()
 {
    // Check for trying to iterate a function frame before the prologue has
    // created the CallObject, in which case we have to skip.
-    if (frame_ && frame_.isNonEvalFunctionFrame() &&
-        frame_.fun()->needsCallObject() && !frame_.hasCallObj())
+    if (frame_ && frame_.isNonEvalFunctionFrame() && frame_.fun()->needsCallObject() &&
+        !frame_.hasCallObj())
    {
        MOZ_ASSERT(ssi_.type() == StaticScopeIter<CanGC>::Function);
        incrementStaticScopeIter();
    }

+    // Check for trying to iterate a strict eval frame before the prologue has
+    // created the CallObject.
+    if (frame_ && frame_.isStrictEvalFrame() && !frame_.hasCallObj() && !ssi_.done()) {
+        MOZ_ASSERT(ssi_.type() == StaticScopeIter<CanGC>::Block);
+        incrementStaticScopeIter();
+        MOZ_ASSERT(ssi_.type() == StaticScopeIter<CanGC>::Eval);
+        incrementStaticScopeIter();
+    }
+
    // Check if we have left the extent of the initial frame after we've
    // settled on a static scope.
    if (frame_ && (ssi_.done() || maybeStaticScope() == frame_.script()->enclosingStaticScope()))
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@ -3488,7 +3488,7 @@ PreliminaryObjectArrayWithTemplate::maybeAnalyze(ExclusiveContext* cx, ObjectGro

 // Make a TypeNewScript for |group|, and set it up to hold the preliminary
 // objects created with the group.
-/* static */ void
+/* static */ bool
 TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
 {
    MOZ_ASSERT(cx->zone()->types.activeAnalysis);
@ -3496,21 +3496,22 @@ TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
    MOZ_ASSERT(!group->maybeUnboxedLayout());

    if (group->unknownProperties())
-        return;
+        return true;

    ScopedJSDeletePtr<TypeNewScript> newScript(cx->new_<TypeNewScript>());
    if (!newScript)
-        return;
+        return false;

    newScript->function_ = fun;

    newScript->preliminaryObjects = group->zone()->new_<PreliminaryObjectArray>();
    if (!newScript->preliminaryObjects)
-        return;
+        return true;

    group->setNewScript(newScript.forget());

    gc::TraceTypeNewScript(group);
+    return true;
 }

 // Make a TypeNewScript with the same initializer list as |newScript| but with
--- a/js/src/vm/TypeInference.h
+++ b/js/src/vm/TypeInference.h
@ -964,7 +964,7 @@ class TypeNewScript

    bool rollbackPartiallyInitializedObjects(JSContext* cx, ObjectGroup* group);

-    static void make(JSContext* cx, ObjectGroup* group, JSFunction* fun);
+    static bool make(JSContext* cx, ObjectGroup* group, JSFunction* fun);
    static TypeNewScript* makeNativeVersion(JSContext* cx, TypeNewScript* newScript,
                                            PlainObject* templateObject);