Assertion: "tree->root == tree" and crash while loading a website, r=gal.
authorGraydon Hoare <graydon@mozilla.com>
Wed, 04 Mar 2009 13:35:28 -0800
changeset 23673 df865af82400453d2bd043df65942a6764c06d3b
parent 23672 1bad6093db64a6b5430cb715e65faf8582320ff2
child 23674 f2472bc0091ba5193f3f0eff8bfdc15ef7af7123
child 23677 4f39f0365be88c9dfd147f22defb5d841ef5bedb
push id844
push userrsayre@mozilla.com
push dateThu, 05 Mar 2009 01:10:31 +0000
reviewersgal
milestone1.9.1b3pre
Assertion: "tree->root == tree" and crash while loading a website, r=gal.
js/src/jstracer.cpp
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -2452,31 +2452,31 @@ TraceRecorder::isLoopHeader(JSContext* c
 
 /* Compile the current fragment. */
 JS_REQUIRES_STACK void
 TraceRecorder::compile(JSTraceMonitor* tm)
 {
     Fragmento* fragmento = tm->fragmento;
     if (treeInfo->maxNativeStackSlots >= MAX_NATIVE_STACK_SLOTS) {
         debug_only_v(printf("Blacklist: excessive stack use.\n"));
-        js_Blacklist(fragment);
+        js_Blacklist(fragment->root);
         return;
     }
     if (anchor && anchor->exitType != CASE_EXIT)
         ++treeInfo->branchCount;
     if (lirbuf->outOMem()) {
         fragmento->assm()->setError(nanojit::OutOMem);
         return;
     }
     ::compile(fragmento->assm(), fragment);
     if (fragmento->assm()->error() == nanojit::OutOMem)
         return;
     if (fragmento->assm()->error() != nanojit::None) {
         debug_only_v(printf("Blacklisted: error during compilation\n");)
-        js_Blacklist(fragment);
+        js_Blacklist(fragment->root);
         return;
     }
     if (anchor) {
 #ifdef NANOJIT_IA32
         if (anchor->exitType == CASE_EXIT)
             fragmento->assm()->patch(anchor, anchor->switchInfo);
         else
 #endif
@@ -2530,17 +2530,17 @@ TraceRecorder::closeLoop(JSTraceMonitor*
     Fragment* peer_root;
     Fragmento* fragmento = tm->fragmento;
 
     exitIns = snapshot(UNSTABLE_LOOP_EXIT);
     exit = (VMSideExit*)((GuardRecord*)exitIns->payload())->exit;
 
     if (callDepth != 0) {
         debug_only_v(printf("Blacklisted: stack depth mismatch, possible recursion.\n");)
-        js_Blacklist(fragment);
+        js_Blacklist(fragment->root);
         trashSelf = true;
         return false;
     }
 
     JS_ASSERT(exit->numStackSlots == treeInfo->nStackTypes);
 
     peer_root = getLoop(traceMonitor, fragment->root->ip, treeInfo->globalShape);
     JS_ASSERT(peer_root != NULL);
@@ -2711,17 +2711,17 @@ TraceRecorder::joinEdgesToEntry(Fragment
 /* Emit an always-exit guard and compile the tree (used for break statements. */
 JS_REQUIRES_STACK void
 TraceRecorder::endLoop(JSTraceMonitor* tm)
 {
     LIns* exitIns = snapshot(LOOP_EXIT);
 
     if (callDepth != 0) {
         debug_only_v(printf("Blacklisted: stack depth mismatch, possible recursion.\n");)
-        js_Blacklist(fragment);
+        js_Blacklist(fragment->root);
         trashSelf = true;
         return;
     }
 
     fragment->lastIns = lir->insGuard(LIR_x, lir->insImm(1), exitIns);
     compile(tm);
 
     if (tm->fragmento->assm()->error() != nanojit::None)
@@ -4257,17 +4257,17 @@ js_MonitorLoopEdge(JSContext* cx, uintN&
     uintN count;
     Fragment* match = js_FindVMCompatiblePeer(cx, f, count);
     if (!match) {
         if (count < MAXPEERS)
             goto record;
         /* If we hit the max peers ceiling, don't try to lookup fragments all the time. Thats
            expensive. This must be a rather type-unstable loop. */
         debug_only_v(printf("Blacklisted: too many peer trees.\n");)
-        js_Blacklist(f);
+        js_Blacklist(f->root);
         return false;
     }
 
     VMSideExit* lr = NULL;
     VMSideExit* innermostNestedGuard = NULL;
 
     lr = js_ExecuteTree(cx, match, inlineCallCount, &innermostNestedGuard);
     if (!lr)