Bug 756632 - Handle OOM in methodjit jsop_getgname/jsop_setgname methods. r=bhackett

2024-10-11 04:15:43 +00:00 · 2012-05-30 10:16:20 +02:00 · 2012-05-30 10:16:20 +02:00 · 46949ed335
commit 46949ed335
parent 7a12ef6f78
2 changed files with 20 additions and 17 deletions
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@ -3096,7 +3096,8 @@ mjit::Compiler::generateMethod()
          BEGIN_CASE(JSOP_CALLGNAME)
          {
            uint32_t index = GET_UINT32_INDEX(PC);
-            jsop_getgname(index);
+            if (!jsop_getgname(index))
+                return Compile_Error;
            frame.extra(frame.peek(-1)).name = script->getName(index);
          }
          END_CASE(JSOP_GETGNAME)
@ -3105,7 +3106,8 @@ mjit::Compiler::generateMethod()
          {
            jsbytecode *next = &PC[JSOP_SETGNAME_LENGTH];
            bool pop = JSOp(*next) == JSOP_POP && !analysis->jumpTarget(next);
-            jsop_setgname(script->getName(GET_UINT32_INDEX(PC)), pop);
+            if (!jsop_setgname(script->getName(GET_UINT32_INDEX(PC)), pop))
+                return Compile_Error;
          }
          END_CASE(JSOP_SETGNAME)

@ -6149,29 +6151,29 @@ mjit::Compiler::jsop_bindgname()
    frame.pushTypedPayload(JSVAL_TYPE_OBJECT, Registers::ReturnReg);
 }

-void
+bool
 mjit::Compiler::jsop_getgname(uint32_t index)
 {
    /* Optimize undefined, NaN and Infinity. */
    PropertyName *name = script->getName(index);
    if (name == cx->runtime->atomState.typeAtoms[JSTYPE_VOID]) {
        frame.push(UndefinedValue());
-        return;
+        return true;
    }
    if (name == cx->runtime->atomState.NaNAtom) {
        frame.push(cx->runtime->NaNValue);
-        return;
+        return true;
    }
    if (name == cx->runtime->atomState.InfinityAtom) {
        frame.push(cx->runtime->positiveInfinityValue);
-        return;
+        return true;
    }

    /* Optimize singletons like Math for JSOP_CALLPROP. */
    JSObject *obj = pushedSingleton(0);
    if (obj && !hasTypeBarriers(PC) && testSingletonProperty(globalObj, RootedId(cx, NameToId(name)))) {
        frame.push(ObjectValue(*obj));
-        return;
+        return true;
    }

    jsid id = NameToId(name);
@ -6180,7 +6182,7 @@ mjit::Compiler::jsop_getgname(uint32_t index)
        !globalObj->getType(cx)->unknownProperties()) {
        types::TypeSet *propertyTypes = globalObj->getType(cx)->getProperty(cx, id, false);
        if (!propertyTypes)
-            return;
+            return false;

        /*
         * If we are accessing a defined global which is a normal data property
@ -6198,7 +6200,7 @@ mjit::Compiler::jsop_getgname(uint32_t index)

                BarrierState barrier = pushAddressMaybeBarrier(Address(reg), type, true);
                finishBarrier(barrier, REJOIN_GETTER, 0);
-                return;
+                return true;
            }
        }
    }
@ -6276,7 +6278,7 @@ mjit::Compiler::jsop_getgname(uint32_t index)
 #else
    jsop_getgname_slow(index);
 #endif
-
+    return true;
 }

 void
@ -6289,13 +6291,13 @@ mjit::Compiler::jsop_setgname_slow(PropertyName *name)
    pushSyncedEntry(0);
 }

-void
+bool
 mjit::Compiler::jsop_setgname(PropertyName *name, bool popGuaranteed)
 {
    if (monitored(PC)) {
        /* Global accesses are monitored only for a few names like __proto__. */
        jsop_setgname_slow(name);
-        return;
+        return true;
    }

    jsid id = NameToId(name);
@ -6309,7 +6311,7 @@ mjit::Compiler::jsop_setgname(PropertyName *name, bool popGuaranteed)
         */
        types::TypeSet *types = globalObj->getType(cx)->getProperty(cx, id, false);
        if (!types)
-            return;
+            return false;
        const js::Shape *shape = globalObj->nativeLookup(cx, NameToId(name));
        if (shape && shape->hasDefaultSetter() &&
            shape->writable() && shape->hasSlot() &&
@ -6331,7 +6333,7 @@ mjit::Compiler::jsop_setgname(PropertyName *name, bool popGuaranteed)
            frame.storeTo(frame.peek(-1), Address(reg), popGuaranteed);
            frame.shimmy(1);
            frame.freeReg(reg);
-            return;
+            return true;
        }
    }

@ -6339,7 +6341,7 @@ mjit::Compiler::jsop_setgname(PropertyName *name, bool popGuaranteed)
    /* Write barrier. */
    if (cx->compartment->needsBarrier()) {
        jsop_setgname_slow(name);
-        return;
+        return true;
    }
 #endif

@ -6414,6 +6416,7 @@ mjit::Compiler::jsop_setgname(PropertyName *name, bool popGuaranteed)
 #else
    jsop_setgname_slow(name);
 #endif
+    return true;
 }

 void
--- a/js/src/methodjit/Compiler.h
+++ b/js/src/methodjit/Compiler.h
@ -644,9 +644,9 @@ private:
                                   Jump *uncachedCallSlowRejoin, CallPatchInfo *uncachedCallPatch);
    bool inlineCallHelper(uint32_t argc, bool callingNew, FrameSize &callFrameSize);
    void fixPrimitiveReturn(Assembler *masm, FrameEntry *fe);
-    void jsop_getgname(uint32_t index);
+    bool jsop_getgname(uint32_t index);
    void jsop_getgname_slow(uint32_t index);
-    void jsop_setgname(PropertyName *name, bool popGuaranteed);
+    bool jsop_setgname(PropertyName *name, bool popGuaranteed);
    void jsop_setgname_slow(PropertyName *name);
    void jsop_bindgname();
    void jsop_setelem_slow();