Bug 1583860 - Don't access JSScript::realm() off-thread. r=jandem
authorTed Campbell <tcampbell@mozilla.com>
Mon, 30 Sep 2019 12:52:50 +0000
changeset 495592 c520d4083fa2a2a66f5a6dc14a4f810e0002bad6
parent 495591 37edb4f96fccf4d078d32edf2dec32cdeab2d387
child 495593 2736f38dd2ce83b8711c0db304fcf6cf5b62f56f
push id96708
push usertcampbell@mozilla.com
push dateMon, 30 Sep 2019 12:53:37 +0000
treeherderautoland@c520d4083fa2 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem
bugs1583860
milestone71.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1583860 - Don't access JSScript::realm() off-thread. r=jandem It is no longer safe to access JSScript::realm() off-thread. That is okay because IonBuilder already has a CompileRealm for us to use. Differential Revision: https://phabricator.services.mozilla.com/D47379
js/src/jit/Ion.cpp
js/src/jit/IonBuilder.cpp
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -1734,16 +1734,18 @@ static AbortReason IonCompile(JSContext*
                               BaselineFrame* baselineFrame, jsbytecode* osrPc,
                               bool recompile,
                               OptimizationLevel optimizationLevel) {
   TraceLoggerThread* logger = TraceLoggerForCurrentThread(cx);
   TraceLoggerEvent event(TraceLogger_AnnotateScripts, script);
   AutoTraceLog logScript(logger, event);
   AutoTraceLog logCompile(logger, TraceLogger_IonCompilation);
 
+  cx->check(script);
+
   // Make sure the script's canonical function isn't lazy. We can't de-lazify
   // it in a helper thread.
   script->ensureNonLazyCanonicalFunction();
 
   auto alloc =
       cx->make_unique<LifoAlloc>(TempAllocator::PreferredLifoChunkSize);
   if (!alloc) {
     return AbortReason::Alloc;
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -1138,25 +1138,22 @@ AbortReasonOr<Ok> IonBuilder::buildInlin
     return abort(AbortReason::PreliminaryObjects);
   }
 
   return Ok();
 }
 
 void IonBuilder::runTask() {
   // This is the entry point when ion compiles are run offthread.
-  JSRuntime* rt = script()->runtimeFromAnyThread();
-
   TraceLoggerThread* logger = TraceLoggerForCurrentThread();
   TraceLoggerEvent event(TraceLogger_AnnotateScripts, script());
   AutoTraceLog logScript(logger, event);
   AutoTraceLog logCompile(logger, TraceLogger_IonCompilation);
 
-  jit::JitContext jctx(jit::CompileRuntime::get(rt),
-                       jit::CompileRealm::get(script()->realm()), &alloc());
+  jit::JitContext jctx(realm->runtime(), realm, &alloc());
   setBackgroundCodegen(jit::CompileBackEnd(this));
 }
 
 void IonBuilder::rewriteParameter(uint32_t slotIdx, MDefinition* param) {
   MOZ_ASSERT(param->isParameter() || param->isGetArgumentsObjectArg());
 
   TemporaryTypeSet* types = param->resultTypeSet();
   MDefinition* actual = ensureDefiniteType(param, types->getKnownMIRType());