From a34aedbb0c24e9bf1a3eac0585c154a5e7bdf37a Mon Sep 17 00:00:00 2001
From: Jan de Mooij
Date: Thu, 28 Jan 2016 14:59:42 +0100
Subject: [PATCH] Bug 1232859 - Don't crash or abort compilation if we're unable to compile the regex stubs. r=nbp
---
 js/src/jit-test/tests/ion/bug1232859.js | 12 ++++++++++++
 js/src/jit/IonBuilder.cpp | 2 +-
 js/src/jit/IonBuilder.h | 5 -----
 js/src/jit/MCallOptimize.cpp | 8 ++++----
 4 files changed, 17 insertions(+), 10 deletions(-)
 create mode 100644 js/src/jit-test/tests/ion/bug1232859.js
diff --git a/js/src/jit-test/tests/ion/bug1232859.js b/js/src/jit-test/tests/ion/bug1232859.js
new file mode 100644
index 00000000000..4eefa634eea
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1232859.js
@@ -0,0 +1,12 @@
+// |jit-test| error:recursion
+x = /x/;
+z = [];
+y = Object.defineProperty(z, "valueOf", {
+ get: function() {
+ +y;
+ for (var i = 0; i < 1; i++) {
+ a = x.exec(0);
+ }
+ }
+})
+z + '';
diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index 014f6536e11..13ade9b9d7d 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -5044,7 +5044,7 @@ IonBuilder::inlineScriptedCall(CallInfo& callInfo, JSFunction* target)
 if (types && !types->unknown()) {
 TemporaryTypeSet* clonedTypes = types->clone(alloc_->lifoAlloc());
 if (!clonedTypes)
- return oom();
+ return false;
 MTypeBarrier* barrier = MTypeBarrier::New(alloc(), callInfo.thisArg(), clonedTypes);
 current->add(barrier);
 if (barrier->type() == MIRType_Undefined)
diff --git a/js/src/jit/IonBuilder.h b/js/src/jit/IonBuilder.h
index fe161f09b52..85ec62f74de 100644
--- a/js/src/jit/IonBuilder.h
+++ b/js/src/jit/IonBuilder.h
@@ -1140,11 +1140,6 @@ class IonBuilder
 IonBuilder* outermostBuilder();
- bool oom() {
- abortReason_ = AbortReason_Alloc;
- return false;
- }
-
 struct LoopHeader {
 jsbytecode* pc;
 MBasicBlock* header;
diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp
index eec7497bb56..c01f5d00d0c 100644
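Review bot: In the js/src/jit/IonBuilder.cpp hunk, `return false;` under `if (!clonedTypes)` drops the only visible record that this failure is an allocation failure: the removed `oom()` helper set `abortReason_ = AbortReason_Alloc` before returning false. Whatever `abortReason_` holds at this point is what the caller will now see for a failed `types->clone(...)`, and that value is not visible in the hunk, so an OOM may end up classified as a different kind of abort. If that is intended, say so on the line, e.g. `return false; // OOM in clone(); abort reason deliberately not set to AbortReason_Alloc`; otherwise keep the assignment inline before the return. `inlineScriptedCall` starts and ends outside the hunk.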
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -1864,8 +1864,8 @@ IonBuilder::inlineRegExpMatcher(CallInfo& callInfo)
 JSContext* cx = GetJitContext()->cx;
 if (!cx->compartment()->jitCompartment()->ensureRegExpMatcherStubExists(cx)) {
- oom();
- return InliningStatus_Error;
+ cx->clearPendingException(); // OOM or overrecursion.
+ return InliningStatus_NotInlined;
 }
 callInfo.setImplicitlyUsedUnchecked();
@@ -1918,8 +1918,8 @@ IonBuilder::inlineRegExpTester(CallInfo& callInfo)
 JSContext* cx = GetJitContext()->cx;
 if (!cx->compartment()->jitCompartment()->ensureRegExpTesterStubExists(cx)) {
- oom();
- return InliningStatus_Error;
+ cx->clearPendingException(); // OOM or overrecursion.
+ return InliningStatus_NotInlined;
 }
 callInfo.setImplicitlyUsedUnchecked();
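Review bot: `cx->clearPendingException()` in the failure branch of `inlineRegExpMatcher` discards whatever exception is pending, while the trailing comment only assumes it is OOM or over-recursion; nothing in the hunk checks that. If `ensureRegExpMatcherStubExists` can fail for any other reason, that error is silently dropped and the call is merely left un-inlined, which also hides repeated stub-creation failures from the caller. I would spell the contract out in the comment, e.g. `// Stub creation fails only on OOM or over-recursion; drop that exception and fall back to a non-inlined call.`, and assert on the kind of pending exception before clearing it if the engine offers a way to do so. The identical branch in `inlineRegExpTester` in the next hunk needs the same treatment; both function bodies continue outside their hunks.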