mozilla-beta: changeset 462569:92d4018c82ba97188917a26f78010dccc103dbd9

author	Jason Orendorff <jorendorff@mozilla.com>
	Mon, 12 Mar 2018 19:54:06 -0500
changeset 462569	92d4018c82ba97188917a26f78010dccc103dbd9
parent 462514	9c7cd4a36f061042e00296edfc922a8691aa0600
child 462570	3f688199eba12db44ee5f2e72905e290e97762c4
push id	9165
push user	asasaki@mozilla.com
push date	Thu, 26 Apr 2018 21:04:54 +0000
treeherder	mozilla-beta@064c3804de2e [default view] [failures only]
perfherder	[talos] [build metrics] [platform microbench] (compared to previous push)
reviewers	nbp, jorendorff
bugs	1444894
milestone	61.0a1
first release with	nightly linux32 3d21d31141dc / 61.0a1 / 20180321040527 / files nightly linux64 3d21d31141dc / 61.0a1 / 20180321040527 / files nightly mac 3d21d31141dc / 61.0a1 / 20180321040527 / files nightly win32 3d21d31141dc / 61.0a1 / 20180321040527 / files nightly win64 3d21d31141dc / 61.0a1 / 20180321040527 / files
last release without	nightly linux32 bfb7edfd0436 / 61.0a1 / 20180320100122 / files nightly linux64 bfb7edfd0436 / 61.0a1 / 20180320100122 / files nightly mac bfb7edfd0436 / 61.0a1 / 20180320100122 / files nightly win32 bfb7edfd0436 / 61.0a1 / 20180320100122 / files nightly win64 bfb7edfd0436 / 61.0a1 / 20180320100122 / files

--- a/js/src/builtin/TestingFunctions.cpp
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -5093,47 +5093,60 @@ BaselineCompile(JSContext* cx, unsigned 
         }
         if (!args[1].isBoolean() && !args[1].isUndefined()) {
             ReportUsageErrorASCII(cx, callee, "forceDebugInstrumentation argument should be boolean");
             return false;
         }
         forceDebug = ToBoolean(args[1]);
     }
 
-    if (script->hasBaselineScript()) {
-        if (forceDebug && !script->baselineScript()->hasDebugInstrumentation()) {
-            // There isn't an easy way to do this for a script that might be on
-            // stack right now. See js::jit::RecompileOnStackBaselineScriptsForDebugMode.
-            ReportUsageErrorASCII(cx, callee,
-                                  "unsupported case: recompiling script for debug mode");
-            return false;
+    const char* returnedStr = nullptr;
+    do {
+        AutoCompartment ac(cx, script);
+        if (script->hasBaselineScript()) {
+            if (forceDebug && !script->baselineScript()->hasDebugInstrumentation()) {
+                // There isn't an easy way to do this for a script that might be on
+                // stack right now. See js::jit::RecompileOnStackBaselineScriptsForDebugMode.
+                ReportUsageErrorASCII(cx, callee,
+                                      "unsupported case: recompiling script for debug mode");
+                return false;
+            }
+
+            args.rval().setUndefined();
+            return true;
+        }
+
+        if (!jit::IsBaselineEnabled(cx)) {
+            returnedStr = "baseline disabled";
+            break;
         }
-
-        args.rval().setUndefined();
-        return true;
-    }
-
-    if (!jit::IsBaselineEnabled(cx))
-        return ReturnStringCopy(cx, args, "baseline disabled");
-    if (!script->canBaselineCompile())
-        return ReturnStringCopy(cx, args, "can't compile");
-    if (!cx->compartment()->ensureJitCompartmentExists(cx))
-        return false;
-
-    jit::MethodStatus status = jit::BaselineCompile(cx, script, forceDebug);
-    switch (status) {
-      case jit::Method_Error:
-        return false;
-      case jit::Method_CantCompile:
-        return ReturnStringCopy(cx, args, "can't compile");
-      case jit::Method_Skipped:
-        return ReturnStringCopy(cx, args, "skipped");
-      case jit::Method_Compiled:
-        args.rval().setUndefined();
-    }
+        if (!script->canBaselineCompile()) {
+            returnedStr = "can't compile";
+            break;
+        }
+        if (!cx->compartment()->ensureJitCompartmentExists(cx))
+            return false;
+
+        jit::MethodStatus status = jit::BaselineCompile(cx, script, forceDebug);
+        switch (status) {
+          case jit::Method_Error:
+            return false;
+          case jit::Method_CantCompile:
+            returnedStr = "can't compile";
+            break;
+          case jit::Method_Skipped:
+            returnedStr = "skipped";
+            break;
+          case jit::Method_Compiled:
+            args.rval().setUndefined();
+        }
+    } while(false);
+
+    if (returnedStr)
+        return ReturnStringCopy(cx, args, returnedStr);
 
     return true;
 }
 
 static const JSFunctionSpecWithHelp TestingFunctions[] = {
     JS_FN_HELP("gc", ::GC, 0, 0,
 "gc([obj] | 'zone' [, 'shrinking'])",
 "  Run the garbage collector. When obj is given, GC only its zone.\n"

new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/self-test/baselineCompile-Bug1444894.js
@@ -0,0 +1,5 @@
+
+if (typeof baselineCompile == "function") {
+    gc();
+    newGlobal().baselineCompile();
+}

--- a/js/src/jit/BaselineJIT.cpp
+++ b/js/src/jit/BaselineJIT.cpp
@@ -229,16 +229,17 @@ jit::EnterBaselineAtBranch(JSContext* cx
 
     fp->setReturnValue(data.result);
     return JitExec_Ok;
 }
 
 MethodStatus
 jit::BaselineCompile(JSContext* cx, JSScript* script, bool forceDebugInstrumentation)
 {
+    assertSameCompartment(cx, script);
     MOZ_ASSERT(!script->hasBaselineScript());
     MOZ_ASSERT(script->canBaselineCompile());
     MOZ_ASSERT(IsBaselineEnabled(cx));
 
     script->ensureNonLazyCanonicalFunction();
 
     TempAllocator temp(&cx->tempLifoAlloc());
     JitContext jctx(cx, nullptr);

js/src/builtin/TestingFunctions.cpp		file \| annotate \| diff \| comparison \| revisions
js/src/jit-test/tests/self-test/baselineCompile-Bug1444894.js		file \| annotate \| diff \| comparison \| revisions
js/src/jit/BaselineJIT.cpp		file \| annotate \| diff \| comparison \| revisions