Open
Bug 1214999
Opened 9 years ago
Updated 2 years ago
Report allocation overflow instead of OOM when NativeObject::goodElementsAllocationAmount fails.
Categories: Core :: JavaScript Engine, enhancement
Status: NEW

Tracking | Status
---|---
firefox44 | affected
People
(Reporter: arai, Unassigned)
Details
Bug 1214049 replaces ReportAllocationOverflow inside goodElementsAllocationAmount with ReportOutOfMemory because we cannot create an object (saved stack) when cx->compartment()->hasObjectPendingMetadata() is true.

https://dxr.mozilla.org/mozilla-central/rev/11ff0ccb7d59311df4c190d331c8b58c6e35a0c8/js/src/jsarray.cpp#3336

>     AutoSetNewObjectMetadata metadata(cx);
>     JSObject* obj = cache.newObjectFromHit(cx, entry, heap);
>     if (obj) {
>         /* Fixup the elements pointer and length, which may be incorrect. */
>         ArrayObject* arr = &obj->as<ArrayObject>();
>         arr->setFixedElements();
>         arr->setLength(cx, length);
>         if (maxLength > 0 &&
>             !EnsureNewArrayElements(cx, arr, std::min(maxLength, length)))
>         {
>             return nullptr;
>         }
>         return arr;
>     }

It's set to true inside cache.newObjectFromHit, and set back to false inside the dtor of metadata. goodElementsAllocationAmount is called inside EnsureNewArrayElements.
Arai-san, is this still valid? jsarray.cpp seems to be gone from js/src ...
Flags: needinfo?(arai.unmht)
Reporter, Comment 2 • 5 years ago
yes, it's moved to builtin/Array.cpp: https://searchfox.org/mozilla-central/rev/49e78df13e7a505827a3a86daae9efdf827133c6/js/src/builtin/Array.cpp#4023-4035
Flags: needinfo?(arai.unmht)
Updated • 2 years ago
Severity: normal → S3