Open Bug 1214999 Opened 9 years ago Updated 2 years ago

Report allocation overflow instead of OOM when NativeObject::goodElementsAllocationAmount fails.

Categories: Core :: JavaScript Engine, enhancement

Tracking Status: firefox44 --- affected

People: Reporter: arai, Unassigned

Bug 1214049 replaces ReportAllocationOverflow inside goodElementsAllocationAmount with ReportOutOfMemory because we cannot create an object (saved stack) when cx->compartment()->hasObjectPendingMetadata() is true.

https://dxr.mozilla.org/mozilla-central/rev/11ff0ccb7d59311df4c190d331c8b58c6e35a0c8/js/src/jsarray.cpp#3336
>            AutoSetNewObjectMetadata metadata(cx);
>            JSObject* obj = cache.newObjectFromHit(cx, entry, heap);
>            if (obj) {
>                /* Fixup the elements pointer and length, which may be incorrect. */
>                ArrayObject* arr = &obj->as<ArrayObject>();
>                arr->setFixedElements();
>                arr->setLength(cx, length);
>                if (maxLength > 0 &&
>                    !EnsureNewArrayElements(cx, arr, std::min(maxLength, length)))
>                {
>                    return nullptr;
>                }
>                return arr;
>            }

It's set to true inside cache.newObjectFromHit, and set back to false inside the dtor of metadata. goodElementsAllocationAmount is called inside EnsureNewArrayElements.
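The interaction described above, as an added C++ sketch that is not SpiderMonkey code: Context, AutoSetPendingMetadata, goodElementsAllocationAmount, ensureNewArrayElements, kMaxElements and the 8-byte slot size are simplified stand-ins for JSContext, AutoSetNewObjectMetadata, NativeObject::goodElementsAllocationAmount, EnsureNewArrayElements and the engine's real limits. It shows the overflow-checked size computation and how, while the RAII guard holds the pending-metadata flag, a too-large request is reported as OOM rather than as an allocation overflow (the behaviour this bug asks to change).

```cpp
// Added illustration for this bug, not SpiderMonkey code. All names and
// limits below are simplified stand-ins chosen for the example.
#include <cstddef>
#include <cstdint>
#include <limits>

enum class AllocError { None, AllocationOverflow, OutOfMemory };

// Minimal stand-in for the parts of JSContext the bug talks about.
struct Context {
    bool objectPendingMetadata = false;   // cx->compartment()->hasObjectPendingMetadata()
    AllocError lastError = AllocError::None;
};

// RAII guard modelled on AutoSetNewObjectMetadata: the flag is raised for the
// guard's lifetime and lowered again in the destructor.
struct AutoSetPendingMetadata {
    Context& cx;
    explicit AutoSetPendingMetadata(Context& c) : cx(c) { cx.objectPendingMetadata = true; }
    ~AutoSetPendingMetadata() { cx.objectPendingMetadata = false; }
};

constexpr std::size_t kElementSize = sizeof(std::uint64_t); // assumed 8-byte slot
constexpr std::size_t kMaxElements = std::size_t(1) << 28;  // constructed limit

// Overflow-safe multiply: false if a*b does not fit in size_t.
static bool checkedMul(std::size_t a, std::size_t b, std::size_t* out) {
    if (b != 0 && a > std::numeric_limits<std::size_t>::max() / b)
        return false;
    *out = a * b;
    return true;
}

// Stand-in for goodElementsAllocationAmount: compute the byte size for
// `reqElements` slots, failing on overflow or on exceeding the limit.
// While metadata is pending, the engine cannot allocate the saved-stack
// object an allocation-overflow report needs, which is why bug 1214049
// made it report OOM there; this bug asks for the overflow to be reported.
bool goodElementsAllocationAmount(Context& cx, std::size_t reqElements, std::size_t* outBytes) {
    std::size_t bytes = 0;
    if (reqElements > kMaxElements || !checkedMul(reqElements, kElementSize, &bytes)) {
        cx.lastError = cx.objectPendingMetadata ? AllocError::OutOfMemory
                                               : AllocError::AllocationOverflow;
        return false;
    }
    *outBytes = bytes;
    return true;
}

// Stand-in for EnsureNewArrayElements.
bool ensureNewArrayElements(Context& cx, std::size_t length) {
    std::size_t bytes = 0;
    return goodElementsAllocationAmount(cx, length, &bytes);
}

// Mirrors the quoted jsarray.cpp path: the metadata guard is alive while
// EnsureNewArrayElements runs, so a too-large length surfaces as OOM.
AllocError newArrayUnderMetadataGuard(std::size_t length) {
    Context cx;
    {
        AutoSetPendingMetadata metadata(cx);
        if (!ensureNewArrayElements(cx, length))
            return cx.lastError;
    }
    return AllocError::None;
}

// The same request with no guard active is reported as an overflow.
AllocError newArrayWithoutGuard(std::size_t length) {
    Context cx;
    if (!ensureNewArrayElements(cx, length))
        return cx.lastError;
    return AllocError::None;
}
```

The size check is the security-relevant part: the multiplication is verified before it happens, so an attacker-influenced length cannot wrap into a small allocation. The two entry points only differ in whether the guard is held, which is exactly what decides which error the caller sees.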
Arai-san, is this still valid? jsarray.cpp seems to be gone from js/src ...
Flags: needinfo?(arai.unmht)
Severity: normal → S3