Bug 1057598 - Suppress the object metadata callback in RStringSplit::recover. r=nbp, a=sledru
authorJan de Mooij <jdemooij@mozilla.com>
Fri, 12 Sep 2014 11:06:22 +0200
changeset 216742 62f5d35f2210
parent 216741 0225b61c4f71
child 216743 3e6571e74e01
push id3895
push userryanvm@gmail.com
push date2014-09-15 16:59 +0000
reviewersnbp, sledru
bugs1057598
milestone33.0
Bug 1057598 - Suppress the object metadata callback in RStringSplit::recover. r=nbp, a=sledru
js/src/jit-test/tests/ion/bug1057598.js
js/src/jit/Recover.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1057598.js
@@ -0,0 +1,15 @@
+setObjectMetadataCallback(function( r, ... d)  {});
+setJitCompilerOption("ion.warmup.trigger", 20);
+var uceFault = function (i) {
+    if (i > 98)
+        uceFault = function (i) { return true; };
+}
+var uceFault_str_split = eval(uneval(uceFault).replace('uceFault', 'uceFault_str_split'))
+function rstr_split(i) {
+    var x = "str01234567899876543210rts".split("" + i);
+    if (uceFault_str_split(i) || uceFault_str_split(i)) {
+    }
+}
+for (i = 0; i < 100; i++) {
+    rstr_split(i);
+}
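Review bot: The new test carries no statement of what it guards, so a reader must reconstruct from the filename and the Recover.cpp change that the `split` result is meant to be recovered during a bailout while a metadata callback is installed. A one-line header such as `// Bug 1057598: recovering a string split during bailout must not run the object metadata callback.` would make the intent explicit. The double `uceFault_str_split(i) || uceFault_str_split(i)` call is presumably the usual idiom for forcing the recovered value to be observed; if so, a short comment there would spare the next reader the same guess.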
--- a/js/src/jit/Recover.cpp
+++ b/js/src/jit/Recover.cpp
@@ -870,16 +870,20 @@ bool
 RStringSplit::recover(JSContext *cx, SnapshotIterator &iter) const
 {
     RootedString str(cx, iter.read().toString());
     RootedString sep(cx, iter.read().toString());
     RootedTypeObject typeObj(cx, iter.read().toObject().type());
 
     RootedValue result(cx);
 
+    // Use AutoEnterAnalysis to avoid invoking the object metadata callback,
+    // which could try to walk the stack while bailing out.
+    types::AutoEnterAnalysis enter(cx);
+
     JSObject *res = str_split_string(cx, typeObj, str, sep);
     if (!res)
         return false;
 
     result.setObject(*res);
     iter.storeInstructionResult(result);
     return true;
 }
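Review bot: The comment added before `types::AutoEnterAnalysis enter(cx);` states the goal but not the mechanism, so a maintainer cannot tell from this hunk why an analysis guard suppresses a metadata callback or what else the guard changes. As I recall, allocation skips the metadata callback whenever the compartment is in active analysis, and the same guard also suppresses GC and defers pending work until it is destroyed, i.e. until the end of `recover`; please confirm against jsinfer.h and say so in the comment, e.g. `// Entering analysis mode makes object allocation skip the metadata callback (see NewObject); note that it also suppresses GC until recover() returns.` The guard is declared after the unrelated `RootedValue result(cx);` line; moving it directly above the `str_split_string` call it protects would make the scope of the suppression obvious.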