Report allocation overflow instead of OOM when NativeObject::goodElementsAllocationAmount fails.

Status: NEW (Unassigned)
Product: Core
Component: JavaScript Engine
Severity: enhancement
Reporter: arai
Version: Trunk
Firefox Tracking Flags: firefox44 affected

Details

Description (reporter, 2 years ago):
Bug 1214049 replaces ReportAllocationOverflow inside goodElementsAllocationAmount with ReportOutOfMemory, because we cannot create an object (saved stack) when cx->compartment()->hasObjectPendingMetadata() is true.

https://dxr.mozilla.org/mozilla-central/rev/11ff0ccb7d59311df4c190d331c8b58c6e35a0c8/js/src/jsarray.cpp#3336
>            AutoSetNewObjectMetadata metadata(cx);
>            JSObject* obj = cache.newObjectFromHit(cx, entry, heap);
>            if (obj) {
>                /* Fixup the elements pointer and length, which may be incorrect. */
>                ArrayObject* arr = &obj->as<ArrayObject>();
>                arr->setFixedElements();
>                arr->setLength(cx, length);
>                if (maxLength > 0 &&
>                    !EnsureNewArrayElements(cx, arr, std::min(maxLength, length)))
>                {
>                    return nullptr;
>                }
>                return arr;
>            }

It's set to true inside cache.newObjectFromHit and set back to false in the destructor of metadata. goodElementsAllocationAmount is called inside EnsureNewArrayElements.
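As an added illustration (a constructed model, not SpiderMonkey's goodElementsAllocationAmount; the element cap, element size and doubling policy are assumptions), the C++ sketch below keeps allocation overflow and out-of-memory as distinct outcomes, so a caller can report each one correctly instead of folding a deterministic size error into OOM:

```cpp
#include <cstdint>
#include <memory>
#include <new>

// Constructed model: the two failure classes the bug is about stay separate.
enum class ElementsStatus { Ok, AllocationOverflow, OutOfMemory };

// Assumed limits for this model (SpiderMonkey defines its own constants).
constexpr uint32_t kMaxDenseElements = (1u << 28) - 1;  // hypothetical cap

// Rounds a requested element count up to a "good" capacity. A request that
// cannot be represented is an allocation overflow, detected before any
// allocator is consulted; it is not an OOM condition.
ElementsStatus goodElementsAllocationAmount(uint32_t reqAllocated,
                                            uint32_t* goodAmount) {
    if (reqAllocated > kMaxDenseElements)
        return ElementsStatus::AllocationOverflow;
    uint32_t amount = 8;
    while (amount < reqAllocated)   // cannot wrap: reqAllocated < 2^28
        amount *= 2;
    if (amount > kMaxDenseElements)
        amount = kMaxDenseElements;
    *goodAmount = amount;
    return ElementsStatus::Ok;
}

// Allocates the element storage. Only a genuine allocator failure is OOM;
// an overflow from the size computation is passed through unchanged.
ElementsStatus allocateElements(uint32_t reqAllocated,
                                std::unique_ptr<uint64_t[]>* out,
                                uint32_t* capacity) {
    uint32_t good = 0;
    ElementsStatus st = goodElementsAllocationAmount(reqAllocated, &good);
    if (st != ElementsStatus::Ok)
        return st;
    uint64_t* p = new (std::nothrow) uint64_t[good]();  // one 64-bit slot each
    if (!p)
        return ElementsStatus::OutOfMemory;
    out->reset(p);
    *capacity = good;
    return ElementsStatus::Ok;
}
```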