Bug 858097 - Fix StackFrame::epilogue to check |this| is an object to avoid OOM crashes. r=jwalden

--HG-- extra : rebase_source : d13d16bd9ab4fd9d875983c6a14f4d06417ff0c8
2024-09-13 09:24:08 -07:00 · 2013-04-12 14:18:44 +02:00 · 2013-04-12 14:18:44 +02:00 · db657c6f80
commit db657c6f80
parent f835c852b8
2 changed files with 7 additions and 2 deletions
--- a/js/src/jit-test/tests/basic/bug858097.js
+++ b/js/src/jit-test/tests/basic/bug858097.js
@ -0,0 +1,6 @@
+// |jit-test| allow-oom
+function MyObject( value ) {}
+gcparam("maxBytes", gcparam("gcBytes") + 4*(1));
+gczeal(4);
+function test() {}
+var obj = new test();
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@ -407,8 +407,7 @@ StackFrame::epilogue(JSContext *cx)
    if (cx->compartment->debugMode())
        DebugScopes::onPopCall(this, cx);

-
-    if (isConstructing() && returnValue().isPrimitive())
+    if (isConstructing() && thisValue().isObject() && returnValue().isPrimitive())
        setReturnValue(ObjectValue(constructorThis()));
 }