Bug 1245862 - Handle OOM when bailing Ion->Baseline with >1 rematerialized frames. (r=jandem)
authorShu-yu Guo <shu@rfrn.org>
Fri, 05 Feb 2016 14:55:31 -0800
changeset 283350 7498837e2150d99dea60542a8ee0c750a2faa42b
parent 283349 a556e78d4a629850583e767d14ae99dcc782172f
child 283351 9aab45404d978166454c8085805b34769d99fb2c
push id29979
push userphilringnalda@gmail.com
push dateSun, 07 Feb 2016 03:08:56 +0000
treeherdermozilla-central@76733110704b [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem
bugs1245862
milestone47.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1245862 - Handle OOM when bailing Ion->Baseline with >1 rematerialized frames. (r=jandem)
js/src/jit-test/tests/debug/bug1245862.js
js/src/jit/BaselineBailouts.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug1245862.js
@@ -0,0 +1,22 @@
+// |jit-test| allow-oom
+
+var g = newGlobal();
+var dbg = new Debugger;
+g.h = function h(d) {
+  if (d) {
+    dbg.addDebuggee(g);
+    var f = dbg.getNewestFrame().older;
+    f.st_p1((oomAfterAllocations(10)) + "foo = 'string of 42'");
+  }
+}
+g.eval("" + function f(d) {
+  g(d);
+});
+g.eval("" + function g(d) {
+  h(d);
+});
+g.eval("(" + function () {
+  for (i = 0; i < 5; i++)
+    f(false);
+  assertEq(f(true), "string of 42");
+} + ")();");
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -1842,29 +1842,34 @@ jit::FinishBailoutToBaseline(BaselineBai
     // If we rematerialized Ion frames due to debug mode toggling, copy their
     // values into the baseline frame. We need to do this even when debug mode
     // is off, as we should respect the mutations made while debug mode was
     // on.
     JitActivation* act = cx->runtime()->activation()->asJit();
     if (act->hasRematerializedFrame(outerFp)) {
         JitFrameIterator iter(cx);
         size_t inlineDepth = numFrames;
+        bool ok = true;
         while (inlineDepth > 0) {
-            if (iter.isBaselineJS() &&
-                !CopyFromRematerializedFrame(cx, act, outerFp, --inlineDepth,
-                                             iter.baselineFrame()))
-            {
-                return false;
+            if (iter.isBaselineJS()) {
+                // We must attempt to copy all rematerialized frames over,
+                // even if earlier ones failed, to invoke the proper frame
+                // cleanup in the Debugger.
+                ok = CopyFromRematerializedFrame(cx, act, outerFp, --inlineDepth,
+                                                 iter.baselineFrame());
             }
             ++iter;
         }
 
         // After copying from all the rematerialized frames, remove them from
         // the table to keep the table up to date.
         act->removeRematerializedFrame(outerFp);
+
+        if (!ok)
+            return false;
     }
 
     JitSpew(JitSpew_BaselineBailouts,
             "  Restored outerScript=(%s:%u,%u) innerScript=(%s:%u,%u) (bailoutKind=%u)",
             outerScript->filename(), outerScript->lineno(), outerScript->getWarmUpCount(),
             innerScript->filename(), innerScript->lineno(), innerScript->getWarmUpCount(),
             (unsigned) bailoutKind);