diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
index 01c27d8704e3..9e1e0cf433f8 100644
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -6074,6 +6074,8 @@ CodeGenerator::visitCreateArgumentsObject(LCreateArgumentsObject* lir)
 Register objTemp = ToRegister(lir->temp1());
 Register cxTemp = ToRegister(lir->temp2());
+ masm.Push(callObj);
+
 // Try to allocate an arguments object. This will leave the reserved
 // slots uninitialized, so it's important we don't GC until we
 // initialize these slots in ArgumentsObject::finishForIon.
@@ -6082,7 +6084,7 @@ CodeGenerator::visitCreateArgumentsObject(LCreateArgumentsObject* lir)
 /* initContents = */ false);
 masm.moveStackPtrTo(temp);
- masm.addPtr(Imm32(frameSize()), temp);
+ masm.addPtr(Imm32(masm.framePushed()), temp);
 masm.setupUnalignedABICall(cxTemp);
 masm.loadJSContext(cxTemp);
@@ -6092,10 +6094,14 @@ CodeGenerator::visitCreateArgumentsObject(LCreateArgumentsObject* lir)
 masm.passABIArg(objTemp);
 masm.callWithABI(JS_FUNC_TO_DATA_PTR(void*, ArgumentsObject::finishForIon));
- masm.branchTestPtr(Assembler::Zero, ReturnReg, ReturnReg, masm.exceptionLabel());
+ masm.branchTestPtr(Assembler::Zero, ReturnReg, ReturnReg, &failure);
+
+ // Discard saved callObj on the stack.
+ masm.addToStackPtr(Imm32(sizeof(uintptr_t)));
 masm.jump(&done);
 masm.bind(&failure);
+ masm.Pop(callObj);
 }
 masm.moveStackPtrTo(temp);
diff --git a/js/src/vm/ArgumentsObject.cpp b/js/src/vm/ArgumentsObject.cpp
index ac7c565bbf68..7a73fe233b40 100644
--- a/js/src/vm/ArgumentsObject.cpp
+++ b/js/src/vm/ArgumentsObject.cpp
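Review bot: The new `masm.Push(callObj)` carries no comment saying what it protects, and the reason only becomes visible two hunks later where the failure path does `masm.Pop(callObj)` while the success path discards the slot. Presumably callObj is not preserved across the `callWithABI` to `ArgumentsObject::finishForIon` and the slow path after `failure` still needs it; if so, say it at the push: `// Save callObj: the ABI call below may clobber it and the slow path at |failure| still needs it.` The matching switch from `frameSize()` to `masm.framePushed()` in the second hunk is what keeps `temp` pointing at the frame now that an extra word sits below it, and a one-line comment there (`// framePushed() includes the callObj saved above.`) would tie the two together. `visitCreateArgumentsObject` begins before this hunk.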
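Review bot: The success path drops the saved word with a raw `masm.addToStackPtr(Imm32(sizeof(uintptr_t)))` while the failure path uses `masm.Pop(callObj)`; if `Push`/`Pop` maintain the assembler's pushed-frame bookkeeping and `addToStackPtr` does not, the counts only balance because the `Pop` is emitted after the `addToStackPtr`, so nothing emitted between them may rely on `framePushed()`. That is worth stating next to the discard: `// framePushed() still counts the saved word until the Pop at |failure| below.` Branching to `&failure` instead of `masm.exceptionLabel()` also turns every null return from `finishForIon` into a slow-path retry, which is only sound if `finishForIon` never leaves a pending exception; the ArgumentsObject.cpp hunk handles the buffer-allocation case but its other returns are not visible here. The function continues past `masm.moveStackPtrTo(temp)` outside the hunk.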
@@ -383,7 +383,9 @@ ArgumentsObject::finishForIon(JSContext* cx, jit::JitFrameLayout* frame,
 ArgumentsData* data = reinterpret_cast(AllocateObjectBuffer(cx, obj, numBytes));
 if (!data) {
- // Make the object safe for GC.
+ // Make the object safe for GC. Don't report OOM, the slow path will
+ // retry the allocation.
+ cx->recoverFromOutOfMemory();
 obj->initFixedSlot(DATA_SLOT, PrivateValue(nullptr));
 return nullptr;
 }
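Review bot: `finishForIon` now returns nullptr without a pending exception when `AllocateObjectBuffer` fails, and the Ion caller relies on that to fall into its slow path instead of throwing; the function's body starts above this hunk, so any earlier `return nullptr` that does report an error would now make the slow path retry with an exception pending. Confirm this is the only failure return, and make the contract explicit in the function's header comment: `// Returns nullptr with no pending exception on OOM; the Ion slow path retries.` The `cx->recoverFromOutOfMemory()` call sits before `initFixedSlot`, so the object is still made GC-safe before returning, which matches the existing comment.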