summaryrefslogtreecommitdiffstats
path: root/js/src
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-08-05 11:35:53 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-08-05 11:35:53 +0200
commit6bd66b1728eeddb058066edda740aaeb2ceaec23 (patch)
tree985faf01c526763515731569fa01a99f4dbef36e /js/src
parente0a8dcfed131ffa58a5e2cb1d30fe48c745c2fdc (diff)
parent559824514dc95e02fbe81f1786e6ac13ee8e9d55 (diff)
downloadUXP-6bd66b1728eeddb058066edda740aaeb2ceaec23.tar
UXP-6bd66b1728eeddb058066edda740aaeb2ceaec23.tar.gz
UXP-6bd66b1728eeddb058066edda740aaeb2ceaec23.tar.lz
UXP-6bd66b1728eeddb058066edda740aaeb2ceaec23.tar.xz
UXP-6bd66b1728eeddb058066edda740aaeb2ceaec23.zip
Merge branch 'master' into js-modules
Diffstat (limited to 'js/src')
-rw-r--r--js/src/jit/BaselineBailouts.cpp56
-rw-r--r--js/src/jit/JitFrameIterator.h2
-rw-r--r--js/src/vm/EnvironmentObject.h3
3 files changed, 23 insertions, 38 deletions
diff --git a/js/src/jit/BaselineBailouts.cpp b/js/src/jit/BaselineBailouts.cpp
index 3ab722b3d..ad2757ae1 100644
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -419,41 +419,6 @@ struct BaselineStackBuilder
}
};
-// Ensure that all value locations are readable from the SnapshotIterator.
-// Remove RInstructionResults from the JitActivation if the frame got recovered
-// ahead of the bailout.
-class SnapshotIteratorForBailout : public SnapshotIterator
-{
- JitActivation* activation_;
- JitFrameIterator& iter_;
-
- public:
- SnapshotIteratorForBailout(JitActivation* activation, JitFrameIterator& iter)
- : SnapshotIterator(iter, activation->bailoutData()->machineState()),
- activation_(activation),
- iter_(iter)
- {
- MOZ_ASSERT(iter.isBailoutJS());
- }
-
- ~SnapshotIteratorForBailout() {
- // The bailout is complete, we no longer need the recover instruction
- // results.
- activation_->removeIonFrameRecovery(fp_);
- }
-
- // Take previously computed result out of the activation, or compute the
- // results of all recover instructions contained in the snapshot.
- MOZ_MUST_USE bool init(JSContext* cx) {
-
- // Under a bailout, there is no need to invalidate the frame after
- // evaluating the recover instruction, as the invalidation is only
- // needed to cause of the frame which has been introspected.
- MaybeReadFallback recoverBailout(cx, activation_, &iter_, MaybeReadFallback::Fallback_DoNothing);
- return initInstructionResults(recoverBailout);
- }
-};
-
#ifdef DEBUG
static inline bool
IsInlinableFallback(ICFallbackStub* icEntry)
@@ -1476,6 +1441,7 @@ jit::BailoutIonToBaseline(JSContext* cx, JitActivation* activation, JitFrameIter
{
MOZ_ASSERT(bailoutInfo != nullptr);
MOZ_ASSERT(*bailoutInfo == nullptr);
+ MOZ_ASSERT(iter.isBailoutJS());
TraceLoggerThread* logger = TraceLoggerForMainThread(cx->runtime());
TraceLogStopEvent(logger, TraceLogger_IonMonkey);
@@ -1488,6 +1454,12 @@ jit::BailoutIonToBaseline(JSContext* cx, JitActivation* activation, JitFrameIter
activation->removeRematerializedFramesFromDebugger(cx, iter.fp());
});
+ // Always remove the RInstructionResults from the JitActivation, even in
+ // case of failures as the stack frame is going away after the bailout.
+ auto removeIonFrameRecovery = mozilla::MakeScopeExit([&] {
+ activation->removeIonFrameRecovery(iter.jsFrame());
+ });
+
// The caller of the top frame must be one of the following:
// IonJS - Ion calling into Ion.
// BaselineStub - Baseline calling into Ion.
@@ -1561,9 +1533,19 @@ jit::BailoutIonToBaseline(JSContext* cx, JitActivation* activation, JitFrameIter
}
JitSpew(JitSpew_BaselineBailouts, " Incoming frame ptr = %p", builder.startFrame());
- SnapshotIteratorForBailout snapIter(activation, iter);
- if (!snapIter.init(cx))
+ // Under a bailout, there is no need to invalidate the frame after
+ // evaluating the recover instruction, as the invalidation is only needed in
+ // cases where the frame is introspected ahead of the bailout.
+ MaybeReadFallback recoverBailout(cx, activation, &iter, MaybeReadFallback::Fallback_DoNothing);
+
+ // Ensure that all value locations are readable from the SnapshotIterator.
+ // Get the RInstructionResults from the JitActivation if the frame got
+ // recovered ahead of the bailout.
+ SnapshotIterator snapIter(iter, activation->bailoutData()->machineState());
+ if (!snapIter.initInstructionResults(recoverBailout)) {
+ ReportOutOfMemory(cx);
return BAILOUT_RETURN_FATAL_ERROR;
+ }
#ifdef TRACK_SNAPSHOTS
snapIter.spewBailingFrom();
diff --git a/js/src/jit/JitFrameIterator.h b/js/src/jit/JitFrameIterator.h
index 3620badbd..76d04d092 100644
--- a/js/src/jit/JitFrameIterator.h
+++ b/js/src/jit/JitFrameIterator.h
@@ -509,13 +509,13 @@ class SnapshotIterator
return recover_.moreInstructions();
}
- protected:
// Register a vector used for storing the results of the evaluation of
// recover instructions. This vector should be registered before the
// beginning of the iteration. This function is in charge of allocating
// enough space for all instructions results, and return false iff it fails.
MOZ_MUST_USE bool initInstructionResults(MaybeReadFallback& fallback);
+ protected:
// This function is used internally for computing the result of the recover
// instructions.
MOZ_MUST_USE bool computeInstructionResults(JSContext* cx, RInstructionResults* results) const;
diff --git a/js/src/vm/EnvironmentObject.h b/js/src/vm/EnvironmentObject.h
index d457ca839..032286116 100644
--- a/js/src/vm/EnvironmentObject.h
+++ b/js/src/vm/EnvironmentObject.h
@@ -930,6 +930,9 @@ class DebugEnvironments
void mark(JSTracer* trc);
void sweep(JSRuntime* rt);
void finish();
+#ifdef JSGC_HASH_TABLE_CHECKS
+ void checkHashTablesAfterMovingGC(JSRuntime* runtime);
+#endif
// If a live frame has a synthesized entry in missingEnvs, make sure it's not
// collected.