commit 4bea37064d144212e87dddfde7d32aec73f31541
parent 60163ba1664911c7cb810b56fbfa3880c6a99757
Author: Jon Coppeard <jcoppeard@mozilla.com>
Date: Wed, 26 Nov 2025 17:22:46 +0000
Bug 2002445 - Clear WeakMap's vector of nursery keys on OOM r=sfink
Code elsewhere assumes the keys vector has been cleared whenever nurseryKeysValid is false.
Differential Revision: https://phabricator.services.mozilla.com/D274132
Diffstat:
2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/js/src/gc/WeakMap-inl.h b/js/src/gc/WeakMap-inl.h
@@ -385,15 +385,12 @@ void WeakMap<K, V, AP>::addNurseryKey(const K& key) {
return;
}
- if (nurseryKeys.length() >= map().count() / 2) {
- // Don't bother recording every key if there a lot of them. We will scan the
- // map instead.
- nurseryKeys.clear();
- nurseryKeysValid = false;
- return;
- }
+ // Don't bother recording every key if there a lot of them. We will scan the
+ // map instead.
+ bool tooManyKeys = nurseryKeys.length() >= map().count() / 2;
- if (!nurseryKeys.append(key)) {
+ if (tooManyKeys || !nurseryKeys.append(key)) {
+ nurseryKeys.clear();
nurseryKeysValid = false;
}
}
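Review bot: The invariant this fix restores, that `nurseryKeys` must be empty whenever `nurseryKeysValid` is false, is recorded only in the commit message and not at the merged failure branch where it is now enforced. The comment above `tooManyKeys` explains only the size heuristic (and reads "if there a lot", which should be "if there are a lot"). I would add a line above the `if` such as `// Invariant: nurseryKeys is empty whenever nurseryKeysValid is false, so clear it on the OOM path too.` An assertion like `MOZ_ASSERT_IF(!nurseryKeysValid, nurseryKeys.empty());` at the point where the vector is consumed would catch a regression, assuming the vector type offers `empty()`. The consuming code and the start of `addNurseryKey` are outside this hunk.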
diff --git a/js/src/jit-test/tests/gc/bug-2002445.js b/js/src/jit-test/tests/gc/bug-2002445.js
@@ -0,0 +1,16 @@
+var x = newGlobal({
+ newCompartment: true,
+});
+x.parent = [];
+x.eval(
+ '(function () { Debugger(parent).onEnterFrame = function (y) { y.eval(""); }; })();',
+);
+function f() {
+ (() => {
+ this;
+ });
+ oomTest(f);
+}
+for (var i = 0; i < 99; i++) {
+ f();
+}
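Review bot: The new test has no comment saying what it guards and makes no assertion, so it passes only by not crashing or tripping an engine assertion under `oomTest`. A one-line header such as `// Bug 2002445: OOM while appending to a WeakMap's nursery-key vector must leave the vector cleared.` would tell a later reader why the file exists. It is also worth a short comment on `oomTest(f)` being called from inside `f` itself, because in what looks like a reduced fuzzer test case that recursion could be mistaken for an accident and "cleaned up". How the Debugger `onEnterFrame` hook reaches the WeakMap path is not visible from this hunk, so the comment should only state what the author has confirmed.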