| author | Jan de Mooij <jdemooij@mozilla.com> |
| Sat, 19 Sep 2015 20:00:40 +0200 | |
| changeset 263405 | 9bdb6d48a34e1bbf0aaf468e44e71544e26adf7d |
| parent 263404 | 123761e37f2722014766a0c225bd2e15623519f9 |
| child 263406 | 71e34d39c5c5cb6178610796dfc9b5b382856076 |
| push id | 65300 |
| push user | jandemooij@gmail.com |
| push date | Sat, 19 Sep 2015 18:01:25 +0000 |
| treeherder | mozilla-inbound@9bdb6d48a34e [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | h4writer |
| bugs | 1203791 |
| milestone | 43.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| js/src/jit-test/tests/ion/bug1203791.js | file | annotate | diff | comparison | revisions | |
| js/src/jit/Ion.cpp | file | annotate | diff | comparison | revisions |
new file mode 100644 --- /dev/null +++ b/js/src/jit-test/tests/ion/bug1203791.js @@ -0,0 +1,26 @@ +function n(x) { + try { + Object.create(x); + } catch(e){}; +} +function m() { + n(); +} +var g = newGlobal(); +g.parent = this; +g.eval(` + var dbg = new Debugger(); + var parentw = dbg.addDebuggee(parent); + var pw = parentw.makeDebuggeeValue(parent.p); + var scriptw = pw.script; +`); +g.dbg.onIonCompilation = function(graph) { + if (graph.scripts[0] != g.scriptw) + return; + m(); +}; +function p() { + for (var res = false; !res; res = inIon()) {} +} +p(); +(function() {})();
--- a/js/src/jit/Ion.cpp +++ b/js/src/jit/Ion.cpp @@ -404,22 +404,24 @@ JitCompartment::ensureIonStubsExist(JSCo } return true; } struct OnIonCompilationInfo { size_t numBlocks; size_t scriptIndex; + LifoAlloc alloc; LSprinter graph; - explicit OnIonCompilationInfo(LifoAlloc* alloc) + OnIonCompilationInfo() : numBlocks(0), scriptIndex(0), - graph(alloc) + alloc(4096), + graph(&alloc) { } bool filled() const { return numBlocks != 0; } }; typedef Vector<OnIonCompilationInfo> OnIonCompilationVector; @@ -589,36 +591,36 @@ jit::LazyLink(JSContext* cx, HandleScrip calleeScript->baselineScript()->removePendingIonBuilder(calleeScript); // Remove from pending. builder->removeFrom(HelperThreadState().ionLazyLinkList()); } // See PrepareForDebuggerOnIonCompilationHook Rooted<ScriptVector> debugScripts(cx, ScriptVector(cx)); - OnIonCompilationInfo info(builder->alloc().lifoAlloc()); + OnIonCompilationInfo info; { AutoEnterAnalysis enterTypes(cx); if (!LinkBackgroundCodeGen(cx, builder, &debugScripts, &info)) { // Silently ignore OOM during code generation. The assembly code // doesn't has code to handle it after linking happened. So it's // not OK to throw a catchable exception from there. cx->clearPendingException(); } } - if (info.filled()) - Debugger::onIonCompilation(cx, debugScripts, info.graph); - { AutoLockHelperThreadState lock; FinishOffThreadBuilder(cx, builder); } + if (info.filled()) + Debugger::onIonCompilation(cx, debugScripts, info.graph); + MOZ_ASSERT(calleeScript->hasBaselineScript()); MOZ_ASSERT(calleeScript->baselineOrIonRawPointer()); } uint8_t* jit::LazyLinkTopActivation(JSContext* cx) { JitActivationIterator iter(cx->runtime()); @@ -2222,17 +2224,17 @@ IonCompile(JSContext* cx, JSScript* scri // processed in the finishedOffThreadCompilations list. autoDelete.forget(); return AbortReason_NoAbort; } // See PrepareForDebuggerOnIonCompilationHook Rooted<ScriptVector> debugScripts(cx, ScriptVector(cx)); - OnIonCompilationInfo debugInfo(alloc); + OnIonCompilationInfo debugInfo; ScopedJSDeletePtr<CodeGenerator> codegen; { AutoEnterAnalysis enter(cx); codegen = CompileBackEnd(builder); if (!codegen) { JitSpew(JitSpew_IonAbort, "Failed during back-end compilation."); return AbortReason_Disable;