Bug 745194 - [jsdbg2] Crash on Heap, trying to execute NULL, with Debugger forced return, methodjit, and GC. r=bhackett.
☠☠ backed out by 9ec1c7f91699 ☠ ☠
authorJason Orendorff <jorendorff@mozilla.com>
Fri, 14 Dec 2012 13:48:46 -0600
changeset 125226 96b591267cb3ac21eadce063289f81734a60498c
parent 125225 bc1e8c9266ea5718dc1bc12790e2916048e4e7b1
child 125227 a567cc63a3893df175c7053736eb53bddb958764
reviewersbhackett
bugs745194
milestone20.0a1
Bug 745194 - [jsdbg2] Crash on Heap, trying to execute NULL, with Debugger forced return, methodjit, and GC. r=bhackett.
js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-06.js
js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-07.js
js/src/methodjit/InvokeHelpers.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-06.js
@@ -0,0 +1,13 @@
+// |jit-test| mjitalways
+// Bug 745194.
+
+var g = newGlobal('new-compartment');
+var dbg = Debugger(g);
+g.eval("function f() {}");
+dbg.onEnterFrame = function (frame) {
+    if (frame.type == 'call') {
+        gc();
+        return { return: 'PASS' };
+    }
+};
+assertEq(g.eval("f()"), 'PASS');
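Review bot: The header comment `// Bug 745194.` says nothing about what the assertion guards, so when this test regresses the reader has to go to the bug to learn the scenario; a one-line statement would do, e.g. `// Forcing a return from onEnterFrame after a gc() under methodjit must not crash (bug 745194).` The same applies to the header of Debugger-onEnterFrame-resumption-07.js, where the constructing variant is being exercised. Minor style point: `frame.type == 'call'` would read more consistently as `frame.type === 'call'` next to the strict assertEq.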
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-07.js
@@ -0,0 +1,16 @@
+// |jit-test| mjitalways
+// Bug 745194.
+
+var g = newGlobal('new-compartment');
+g.eval("function f() {}" +
+       "function h() { return new f; }");
+var dbg = Debugger(g);
+dbg.onEnterFrame = function (frame) {
+    if (frame.constructing) {
+        gc();
+        return { return: 0 };
+    }
+};
+var result = g.eval("h()");
+assertEq(typeof result, 'object');
+assertEq(Object.getPrototypeOf(result), g.f.prototype);
--- a/js/src/methodjit/InvokeHelpers.cpp
+++ b/js/src/methodjit/InvokeHelpers.cpp
@@ -663,22 +663,29 @@ void JS_FASTCALL
 stubs::ScriptDebugPrologue(VMFrame &f)
 {
     AssertCanGC();
     Probes::enterScript(f.cx, f.script(), f.script()->function(), f.fp());
     JSTrapStatus status = js::ScriptDebugPrologue(f.cx, f.fp());
     switch (status) {
       case JSTRAP_CONTINUE:
         break;
+
       case JSTRAP_RETURN:
+        if (!f.fp()->nativeReturnAddress()) {
+            // ClearAllFrames was called. Resume in the interpreter.
+            f.fp()->setNativeReturnAddress(JS_FUNC_TO_DATA_PTR(void *, JaegerInterpolineScripted));
+        }
         *f.returnAddressLocation() = f.cx->jaegerRuntime().forceReturnFromFastCall();
         return;
+
       case JSTRAP_ERROR:
       case JSTRAP_THROW:
         THROW();
+
       default:
         JS_NOT_REACHED("bad ScriptDebugPrologue status");
     }
 }
 
 void JS_FASTCALL
 stubs::ScriptDebugEpilogue(VMFrame &f)
 {
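Review bot: The comment on the new null check in the JSTRAP_RETURN arm names ClearAllFrames but not what state it leaves behind or what went wrong, so a later reader cannot tell why writing the interpoline address is the correct recovery rather than a workaround. Suggest expanding it to `// A GC triggered by the debugger hook can discard this frame's JIT code (ClearAllFrames), leaving the native return address null; forceReturnFromFastCall would then return into NULL. Resume in the interpreter instead.` — the "execute NULL" failure mode is what the commit title describes, and the GC-from-hook trigger is what the two new jit-tests set up. The guard covers only ScriptDebugPrologue; ScriptDebugEpilogue, whose body begins after this hunk, and any other forced-return path that reads the same slot after a hook may presumably need the same check, which is worth confirming before this lands.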