Mercurial > releases > mozilla-b2g26_v1_2 / changeset / f2706052a3bf670b5e13460fa90a4846627f25ac
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Diagnostic patch for bug 837370 topcrash (r=bhackett).
authorDavid Anderson <danderson@mozilla.com>
Wed, 13 Mar 2013 18:03:27 -0700
changeset 131751 f2706052a3bf670b5e13460fa90a4846627f25ac
parent 131750 1255520f471bb03663e5c9602f241b72be5390bc
child 131752 d40d19445f9a9d2a447d0880e52fdd1e40426502
push idunknown
push userunknown
push dateunknown
reviewersbhackett
bugs837370
milestone22.0a1
Diagnostic patch for bug 837370 topcrash (r=bhackett).
js/src/jsinfer.cpp file | annotate | diff | comparison | revisions
js/src/jsinferinlines.h file | annotate | diff | comparison | revisions
js/src/jsobjinlines.h file | annotate | diff | comparison | revisions 
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -2306,16 +2306,21 @@ AddPendingRecompile(JSContext *cx, RawSc
     /*
      * Remind Ion not to save the compile code if generating type
      * inference information mid-compilation causes an invalidation of the
      * script being compiled.
      */
     RecompileInfo& info = cx->compartment->types.compiledInfo;
     if (info.outputIndex != RecompileInfo::NoCompilerRunning) {
         CompilerOutput *co = info.compilerOutput(cx);
+        if (!co) {
+            if (script->compartment() != cx->compartment)
+                MOZ_CRASH();
+            return;
+        }
         switch (co->kind()) {
           case CompilerOutput::MethodJIT:
             break;
           case CompilerOutput::Ion:
           case CompilerOutput::ParallelIon:
             if (co->script == script)
                 co->invalidate();
             break;
@@ -2710,16 +2715,19 @@ TypeCompartment::growPendingArray(JSCont
     pendingCapacity = newCapacity;
 
     return true;
 }
 
 void
 TypeCompartment::processPendingRecompiles(FreeOp *fop)
 {
+    if (!pendingRecompiles)
+        return;
+
     /* Steal the list of scripts to recompile, else we will try to recursively recompile them. */
     Vector<RecompileInfo> *pending = pendingRecompiles;
     pendingRecompiles = NULL;
 
     JS_ASSERT(!pending->empty());
 
 #ifdef JS_METHODJIT
 
@@ -2810,16 +2818,18 @@ TypeZone::nukeTypes(FreeOp *fop)
 
     pendingNukeTypes = false;
 }
 
 void
 TypeCompartment::addPendingRecompile(JSContext *cx, const RecompileInfo &info)
 {
     CompilerOutput *co = info.compilerOutput(cx);
+    if (!co)
+        return;
 
     if (co->pendingRecompilation)
         return;
 
     if (co->isValid())
         CancelOffThreadIonCompile(cx->compartment, co->script);
 
     if (!co->isValid()) {
--- a/js/src/jsinferinlines.h
+++ b/js/src/jsinferinlines.h
@@ -168,16 +168,18 @@ CompilerOutput::isValid() const
         return false;
     }
     return false;
 }
 
 inline CompilerOutput*
 RecompileInfo::compilerOutput(TypeCompartment &types) const
 {
+    if (!types.constrainedOutputs || outputIndex >= types.constrainedOutputs->length())
+        return NULL;
     return &(*types.constrainedOutputs)[outputIndex];
 }
 
 inline CompilerOutput*
 RecompileInfo::compilerOutput(JSContext *cx) const
 {
     return compilerOutput(cx->compartment->types);
 }
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -754,16 +754,18 @@ JSObject::setSingletonType(JSContext *cx
 }
 
 inline js::types::TypeObject*
 JSObject::getType(JSContext *cx)
 {
     JS_ASSERT(cx->compartment == compartment());
     if (hasLazyType()) {
         JS::RootedObject self(cx, this);
+        if (cx->compartment != compartment())
+            MOZ_CRASH();
         return makeLazyType(cx, self);
     }
     return static_cast<js::types::TypeObject*>(type_);
 }
 
 /* static */ inline bool
 JSObject::clearType(JSContext *cx, js::HandleObject obj)
 {
mozilla-b2g26_v1_2
Deployed from 18d8b634a3eb at 2022-06-27T19:41:41Z.