Bug 1203791 - Fix LazyLink issue with Debugger::onIonCompilation. r=h4writer
authorJan de Mooij <jdemooij@mozilla.com>
Sat, 19 Sep 2015 20:00:40 +0200
changeset 296028 9bdb6d48a34e1bbf0aaf468e44e71544e26adf7d
parent 296027 123761e37f2722014766a0c225bd2e15623519f9
child 296029 71e34d39c5c5cb6178610796dfc9b5b382856076
push id5245
push userraliiev@mozilla.com
push dateThu, 29 Oct 2015 11:30:51 +0000
reviewersh4writer
bugs1203791
milestone43.0a1
Bug 1203791 - Fix LazyLink issue with Debugger::onIonCompilation. r=h4writer
js/src/jit-test/tests/ion/bug1203791.js
js/src/jit/Ion.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1203791.js
@@ -0,0 +1,26 @@
+function n(x) {
+    try {
+	Object.create(x);
+    } catch(e){};
+}
+function m() {
+    n();
+}
+var g = newGlobal();
+g.parent = this;
+g.eval(`
+    var dbg = new Debugger();
+    var parentw = dbg.addDebuggee(parent);
+    var pw = parentw.makeDebuggeeValue(parent.p);
+    var scriptw = pw.script;
+`);
+g.dbg.onIonCompilation = function(graph) {
+    if (graph.scripts[0] != g.scriptw)
+        return;
+    m();
+};
+function p() {
+    for (var res = false; !res; res = inIon()) {}
+}
+p();
+(function() {})();
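Review bot: The test carries no comment saying which behaviour it pins down, so a later reader cannot tell why the `onIonCompilation` hook calls `m()` or why the file ends with `(function() {})();`. A header such as `// Bug 1203791: the onIonCompilation hook runs script (m -> n) while p is being lazily linked; this must not crash.` would make the intent explicit. That wording is inferred from the commit title and the Ion.cpp hunks, so adjust it to the actual failure. The `Object.create(x);` line is indented with a tab while the rest of the file uses spaces.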
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -404,22 +404,24 @@ JitCompartment::ensureIonStubsExist(JSCo
     }
 
     return true;
 }
 
 struct OnIonCompilationInfo {
     size_t numBlocks;
     size_t scriptIndex;
+    LifoAlloc alloc;
     LSprinter graph;
 
-    explicit OnIonCompilationInfo(LifoAlloc* alloc)
+    OnIonCompilationInfo()
       : numBlocks(0),
         scriptIndex(0),
-        graph(alloc)
+        alloc(4096),
+        graph(&alloc)
     { }
 
     bool filled() const {
         return numBlocks != 0;
     }
 };
 
 typedef Vector<OnIonCompilationInfo> OnIonCompilationVector;
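Review bot: `graph` now stores `&alloc`, a pointer into the same object, so the struct must never be copied or relocated, yet the `OnIonCompilationVector` typedef directly below still names a `Vector` of it. If that vector is ever grown, an element's `graph` would presumably keep pointing at the `LifoAlloc` of the old slot; whether `LifoAlloc` already forbids copy and move is not visible in this hunk. I would make the constraint explicit with `OnIonCompilationInfo(const OnIonCompilationInfo&) = delete;` plus a comment like `// graph points at alloc: alloc must be declared before graph, and this struct must stay in place.`, and drop the typedef if nothing uses it. The `4096` chunk size would also read better as a named constant.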
@@ -589,36 +591,36 @@ jit::LazyLink(JSContext* cx, HandleScrip
         calleeScript->baselineScript()->removePendingIonBuilder(calleeScript);
 
         // Remove from pending.
         builder->removeFrom(HelperThreadState().ionLazyLinkList());
     }
 
     // See PrepareForDebuggerOnIonCompilationHook
     Rooted<ScriptVector> debugScripts(cx, ScriptVector(cx));
-    OnIonCompilationInfo info(builder->alloc().lifoAlloc());
+    OnIonCompilationInfo info;
 
     {
         AutoEnterAnalysis enterTypes(cx);
         if (!LinkBackgroundCodeGen(cx, builder, &debugScripts, &info)) {
             // Silently ignore OOM during code generation. The assembly code
             // doesn't has code to handle it after linking happened. So it's
             // not OK to throw a catchable exception from there.
             cx->clearPendingException();
         }
     }
 
-    if (info.filled())
-        Debugger::onIonCompilation(cx, debugScripts, info.graph);
-
     {
         AutoLockHelperThreadState lock;
         FinishOffThreadBuilder(cx, builder);
     }
 
+    if (info.filled())
+        Debugger::onIonCompilation(cx, debugScripts, info.graph);
+
     MOZ_ASSERT(calleeScript->hasBaselineScript());
     MOZ_ASSERT(calleeScript->baselineOrIonRawPointer());
 }
 
 uint8_t*
 jit::LazyLinkTopActivation(JSContext* cx)
 {
     JitActivationIterator iter(cx->runtime());
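Review bot: The two `MOZ_ASSERT`s on `calleeScript` at the end of `LazyLink` now run after `Debugger::onIonCompilation`, and the hook can execute arbitrary script (the new test calls `m()` from it). If hook-run code can ever cause the JIT code of `calleeScript` to be discarded, which cannot be determined from this hunk, the asserts and any caller relying on `baselineOrIonRawPointer()` would see a different state than the link step left. Moving the asserts above the hook call would at least keep them checking what linking produced. The reordering itself deserves a comment so it is not undone later, for example `// Call the hook only after FinishOffThreadBuilder: it can run script and re-enter the JIT, so the builder must already be finished.` `LazyLink` begins outside the hunk.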
@@ -2222,17 +2224,17 @@ IonCompile(JSContext* cx, JSScript* scri
         // processed in the finishedOffThreadCompilations list.
         autoDelete.forget();
 
         return AbortReason_NoAbort;
     }
 
     // See PrepareForDebuggerOnIonCompilationHook
     Rooted<ScriptVector> debugScripts(cx, ScriptVector(cx));
-    OnIonCompilationInfo debugInfo(alloc);
+    OnIonCompilationInfo debugInfo;
 
     ScopedJSDeletePtr<CodeGenerator> codegen;
     {
         AutoEnterAnalysis enter(cx);
         codegen = CompileBackEnd(builder);
         if (!codegen) {
             JitSpew(JitSpew_IonAbort, "Failed during back-end compilation.");
             return AbortReason_Disable;