Bug 1270278; Handle OOM better in Debugger::onPopCall; r=shu

--HG-- extra : rebase_source : 450208bcc4fee9eb548b49586923d979a745c137
2024-10-25 03:05:34 +00:00 · 2016-05-27 17:12:08 -07:00 · 2016-05-27 17:12:08 -07:00 · c2a8430f19
commit c2a8430f19
parent c7406f9fcb
2 changed files with 22 additions and 2 deletions
--- a/js/src/jit-test/tests/debug/bug-1270278.js
+++ b/js/src/jit-test/tests/debug/bug-1270278.js
@ -0,0 +1,18 @@
+// |jit-test| allow-oom; --fuzzing-safe
+// Adapted from randomly chosen test: js/src/jit-test/tests/modules/bug-1233915.js
+var i = 100;
+g = newGlobal();
+g.parent = this;
+g.eval("(" + function() {
+    Debugger(parent).onExceptionUnwind = function(frame) frame.eval("");
+} + ")()");
+// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/bug1242840.js
+oomTest(function() {
+    if (--i < 0)
+        return;
+    try {
+        for (x of y);
+    } catch (e) {
+        x
+    }
+})
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@ -2736,8 +2736,10 @@ DebugScopes::onPopCall(AbstractFramePtr frame, JSContext* cx)
         * but it simplifies later indexing logic.
         */
        Rooted<GCVector<Value>> vec(cx, GCVector<Value>(cx));
-        if (!frame.copyRawFrameSlots(&vec) || vec.length() == 0)
+        if (!frame.copyRawFrameSlots(&vec) || vec.length() == 0) {
+            cx->recoverFromOutOfMemory();
            return;
+        }

        /*
         * Copy in formals that are not aliased via the scope chain
@ -2757,7 +2759,7 @@ DebugScopes::onPopCall(AbstractFramePtr frame, JSContext* cx)
         */
        RootedArrayObject snapshot(cx, NewDenseCopiedArray(cx, vec.length(), vec.begin()));
        if (!snapshot) {
-            cx->clearPendingException();
+            cx->recoverFromOutOfMemory();
            return;
        }