Bug 1506554 part 1 - Sweep JitZone/JitRealm *after* discarding JIT code. r=jonco
authorJan de Mooij <jdemooij@mozilla.com>
Mon, 12 Nov 2018 12:16:42 +0100
changeset 445986 4d7d3b7b0b12fb88be5970b248cd23ba244a6c1e
parent 445985 2e5960963eb8c07e374247fab9f1c87e30f32339
child 445987 ae382e944ea805fb71443ed02fb399044836809a
push id109809
push userjandemooij@gmail.com
push dateTue, 13 Nov 2018 10:33:03 +0000
reviewersjonco
bugs1506554, 1499644
milestone65.0a1
Bug 1506554 part 1 - Sweep JitZone/JitRealm *after* discarding JIT code. r=jonco This is not a problem yet because of how GC/TypeScript/BaselineScript interact, but this caused crashes on Try with the patch for bug 1499644. Differential Revision: https://phabricator.services.mozilla.com/D11616
js/src/gc/GC.cpp
--- a/js/src/gc/GC.cpp
+++ b/js/src/gc/GC.cpp
@@ -5889,41 +5889,47 @@ GCRuntime::sweepJitDataOnMainThread(Free
 
         if (initialState != State::NotActive) {
             // Cancel any active or pending off thread compilations. We also did
             // this before marking (in DiscardJITCodeForGC) so this is a no-op
             // for non-incremental GCs.
             js::CancelOffThreadIonCompile(rt, JS::Zone::Sweep);
         }
 
-        for (SweepGroupRealmsIter r(rt); !r.done(); r.next()) {
-            r->sweepJitRealm();
-        }
-
-        for (SweepGroupZonesIter zone(rt); !zone.done(); zone.next()) {
-            if (jit::JitZone* jitZone = zone->jitZone()) {
-                jitZone->sweep();
-            }
-        }
-
         // Bug 1071218: the following method has not yet been refactored to
         // work on a single zone-group at once.
 
         // Sweep entries containing about-to-be-finalized JitCode and
         // update relocated TypeSet::Types inside the JitcodeGlobalTable.
         jit::JitRuntime::SweepJitcodeGlobalTable(rt);
     }
 
     if (initialState != State::NotActive) {
         gcstats::AutoPhase apdc(stats(), gcstats::PhaseKind::SWEEP_DISCARD_CODE);
         for (SweepGroupZonesIter zone(rt); !zone.done(); zone.next()) {
             zone->discardJitCode(fop);
         }
     }
 
+    // JitZone/JitRealm must be swept *after* discarding JIT code, because
+    // Zone::discardJitCode might access CacheIRStubInfos deleted here.
+    {
+        gcstats::AutoPhase ap(stats(), gcstats::PhaseKind::SWEEP_JIT_DATA);
+
+        for (SweepGroupRealmsIter r(rt); !r.done(); r.next()) {
+            r->sweepJitRealm();
+        }
+
+        for (SweepGroupZonesIter zone(rt); !zone.done(); zone.next()) {
+            if (jit::JitZone* jitZone = zone->jitZone()) {
+                jitZone->sweep();
+            }
+        }
+    }
+
     {
         gcstats::AutoPhase ap1(stats(), gcstats::PhaseKind::SWEEP_TYPES);
         gcstats::AutoPhase ap2(stats(), gcstats::PhaseKind::SWEEP_TYPES_BEGIN);
         for (SweepGroupZonesIter zone(rt); !zone.done(); zone.next()) {
             zone->beginSweepTypes();
         }
     }
 }
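Review bot: The added comment on the new SWEEP_JIT_DATA block says CacheIRStubInfos are "deleted here", which leaves unclear which of the two loops below frees them and why the block cannot simply stay where it was; I would make the dependency explicit, e.g. `// Zone::discardJitCode (above) may still touch CacheIRStubInfos that sweepJitRealm() and JitZone::sweep() below free, so these sweeps must run after the SWEEP_DISCARD_CODE phase.` Nothing in the function enforces that ordering, so the comment is the only guard against someone moving the loops back. The earlier block ending at the `SweepJitcodeGlobalTable` call opens its own phase before the hunk starts, so I cannot tell from here whether SWEEP_JIT_DATA is now opened twice in this function; if it is, a short note that the phase is intentionally split in two would help whoever reads the gcstats output. The enclosing sweepJitDataOnMainThread begins outside the hunk.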