Bug 1054241 - Use AutoEnterAnalysis to avoid iterating the stack under RNewArray allocations. r=bhackett
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Wed, 20 Aug 2014 20:41:26 +0200
changeset 200624 fb294a66c8ac872560e978564f4039dbc4f7319c
parent 200623 76e9621b8a08ba875ba0de9a7639898c49b45e67
child 200625 a23b03bf9f615b532c58cac0e0b7c6a662d26a4b
push id47950
push usernpierron@mozilla.com
push dateWed, 20 Aug 2014 18:41:58 +0000
reviewersbhackett
bugs1054241
milestone34.0a1
Bug 1054241 - Use AutoEnterAnalysis to avoid iterating the stack under RNewArray allocations. r=bhackett
js/src/jit-test/tests/ion/bug1054241.js
js/src/jit/Recover.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1054241.js
@@ -0,0 +1,12 @@
+setJitCompilerOption("baseline.usecount.trigger", 10);
+setJitCompilerOption("ion.usecount.trigger", 20);
+
+setObjectMetadataCallback(true);
+(function(){
+  for(var i = 0; i < 100; i++) {
+    try{
+      var a = new Array(5);
+      throw 1;
+    } catch(e) {}
+  }
+})();
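Review bot: The new test has no comment stating what it exercises, so nothing records why the metadata callback, the lowered usecount triggers, and the throw inside the try are each required, and a later cleanup could drop one and silently neuter the regression check. The pass condition is also implicit (no crash or assertion during bailout), which is the jit-test convention but worth stating. I would add a header at the top of the file, before the setJitCompilerOption calls: `// Bug 1054241: with the object metadata callback enabled, Ion must not run the callback (which walks the stack) while recovering the Array allocation on bailout; the throw presumably forces the bailout once the function is Ion-compiled, and the test passes if nothing crashes.` The link between the throw and the bailout is inferred from the commit title rather than visible here, so confirm it before committing the wording.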
--- a/js/src/jit/Recover.cpp
+++ b/js/src/jit/Recover.cpp
@@ -993,16 +993,20 @@ RNewArray::RNewArray(CompactBufferReader
 
 bool
 RNewArray::recover(JSContext *cx, SnapshotIterator &iter) const
 {
     RootedObject templateObject(cx, &iter.read().toObject());
     RootedValue result(cx);
     RootedTypeObject type(cx);
 
+    // Use AutoEnterAnalysis to avoid invoking the object metadata callback
+    // while bailing out, which could try to walk the stack.
+    types::AutoEnterAnalysis enter(cx);
+
     // See CodeGenerator::visitNewArrayCallVM
     if (!templateObject->hasSingletonType())
         type = templateObject->type();
 
     JSObject *resultObject = NewDenseArray(cx, count_, type, isAllocating_);
     if (!resultObject)
         return false;