tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE
commit 80b9dca8f07d69c5b172a2870c93d3963fde30c5
parent 22935fc12727f5676d239d0db05264cf1a415998
Author: Iain Ireland <iireland@mozilla.com>
Date:   Fri, 12 Dec 2025 22:46:23 +0000

Bug 2005551: Check for empty table in lookupMFBT r=jandem

Differential Revision: https://phabricator.services.mozilla.com/D276063

Diffstat:

Mjs/src/gc/WeakMap.h | 3+++


Ajs/src/jit-test/tests/collections/bug2005551.js | 11+++++++++++


Mjs/src/jit/MacroAssembler-inl.h | 4++++


Mmfbt/HashTable.h | 6++++++


4 files changed, 24 insertions(+), 0 deletions(-)

diff --git a/js/src/gc/WeakMap.h b/js/src/gc/WeakMap.h
@@ -438,6 +438,9 @@ class WeakMap : public WeakMapBase {
   static size_t offsetOfTable() {
     return offsetof(WeakMap, map_) + UnbarrieredMap::offsetOfTable();
   }
+  static size_t offsetOfEntryCount() {
+    return offsetof(WeakMap, map_) + UnbarrieredMap::offsetOfEntryCount();
+  }
 
  protected:
   inline void assertMapIsSameZoneWithValue(const BarrieredValue& v);
diff --git a/js/src/jit-test/tests/collections/bug2005551.js b/js/src/jit-test/tests/collections/bug2005551.js
@@ -0,0 +1,11 @@
+function f() {
+  var x = new WeakMap();
+  for (var y of [0, 0]) {
+    try {
+      function g() {};
+      x.getOrInsertComputed([], function () {});
+    } catch (e) {}
+  }
+  oomTest(f);
+}
+f();
diff --git a/js/src/jit/MacroAssembler-inl.h b/js/src/jit/MacroAssembler-inl.h
@@ -1032,6 +1032,10 @@ void MacroAssembler::lookupMFBT(Register hashTable, Register hashCode,
                                 Match match) {
   // Inline implementation of |lookup| for mozilla::detail::HashTable
 
+  // If the hashtable is empty, we won't find an entry.
+  branch32(Assembler::Equal, Address(hashTable, Table::offsetOfEntryCount()),
+           Imm32(0), missing);
+
   // Compute the primary hash address:
   // HashNumber h1 = hash1(aKeyHash);
   Register hash1 = scratch5;
diff --git a/mfbt/HashTable.h b/mfbt/HashTable.h
@@ -432,6 +432,9 @@ class MOZ_STANDALONE_DEBUG HashMap {
   static size_t offsetOfTable() {
     return offsetof(HashMap, mImpl) + Impl::offsetOfTable();
   }
+  static size_t offsetOfEntryCount() {
+    return offsetof(HashMap, mImpl) + Impl::offsetOfEntryCount();
+  }
 };
 
 //---------------------------------------------------------------------------
@@ -2359,6 +2362,9 @@ class MOZ_STANDALONE_DEBUG HashTable : private AllocPolicy {
 #endif
   }
   static size_t offsetOfTable() { return offsetof(HashTable, mTable); }
+  static size_t offsetOfEntryCount() {
+    return offsetof(HashTable, mEntryCount);
+  }
 };
 
 }  // namespace detail