Bug 1448136 - Ensure Debug OSR transition is respected in InstanceOf Fallback stub. r=jandem, a=RyanVM
authorMatthew Gaudet <mgaudet@mozilla.com>
Fri, 23 Mar 2018 13:10:08 -0700
changeset 460429 bfe7012b7d583b9f4fa3ff305bc569c0688cd1d3
parent 460428 17a3b84a2ac3689c682b7ec69d4ea49af9b39af2
child 460430 50c2162dfe7fa9c81070734a2fa7596f84ea9465
push id8941
push userryanvm@gmail.com
push dateWed, 28 Mar 2018 19:57:26 +0000
reviewersjandem, RyanVM
bugs1448136
milestone60.0
Bug 1448136 - Ensure Debug OSR transition is respected in InstanceOf Fallback stub. r=jandem, a=RyanVM
js/src/jit-test/tests/cacheir/bug1448136.js
js/src/jit/BaselineIC.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/cacheir/bug1448136.js
@@ -0,0 +1,23 @@
+print = function(s) { return s.toString(); }
+assertEq = function(a,b) {
+  try { print(a); print(b); } catch(exc) {}
+}
+g = newGlobal();
+g.parent = this;
+g.eval("(" + function() {
+  Debugger(parent).onExceptionUnwind = function(frame) {
+    frame.older
+  }
+} + ")()")
+function a() {};
+function b() {};
+for (let _ of Array(100))
+  assertEq(b instanceof a, true);
+function c(){};
+function d(){};
+function e(){};
+Object.defineProperty(a, Symbol.hasInstance, {value: assertEq });
+let funcs = [a, b, c, d];
+for (let f of funcs)
+  assertEq(e instanceof f, true);
+
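Review bot: The test has no assertion that can fail, because the `assertEq` defined on lines 23-25 swallows every exception and compares nothing, so the later `assertEq(e instanceof f, true)` calls only drive the instanceof fallback path and a reader may not realize the pass condition is simply "does not crash". A header comment would make that explicit: `// Bug 1448136: exercise the instanceof fallback stub while a Symbol.hasInstance handler throws under a Debugger onExceptionUnwind hook. Passes if it does not crash; assertEq is deliberately a no-op.` It also looks like redefining `print` to call `s.toString()` is what makes the hasInstance call throw (the handler is invoked with one argument, so `b` is undefined), which is worth stating in that comment rather than leaving the reader to reconstruct it.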
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -4141,33 +4141,40 @@ TryAttachInstanceOfStub(JSContext* cx, B
         if (!attached)
             stub->state().trackNotAttached();
     }
 
     return true;
 }
 
 static bool
-DoInstanceOfFallback(JSContext* cx, BaselineFrame* frame, ICInstanceOf_Fallback* stub,
+DoInstanceOfFallback(JSContext* cx, BaselineFrame* frame, ICInstanceOf_Fallback* stub_,
                      HandleValue lhs, HandleValue rhs, MutableHandleValue res)
 {
+    // This fallback stub may trigger debug mode toggling.
+    DebugModeOSRVolatileStub<ICInstanceOf_Fallback*> stub(ICStubEngine::Baseline, frame, stub_);
+
     FallbackICSpew(cx, stub, "InstanceOf");
 
     if (!rhs.isObject()) {
         ReportValueError(cx, JSMSG_BAD_INSTANCEOF_RHS, -1, rhs, nullptr);
         return false;
     }
 
     RootedObject obj(cx, &rhs.toObject());
     bool cond = false;
     if (!HasInstance(cx, obj, lhs, &cond))
         return false;
 
     res.setBoolean(cond);
 
+    // Check if debug mode toggling made the stub invalid.
+    if (stub.invalid())
+        return true;
+
     if (!obj->is<JSFunction>()) {
         stub->noteUnoptimizableAccess();
         return true;
     }
 
     // For functions, keep track of the |prototype| property in type information,
     // for use during Ion compilation.
     EnsureTrackPropertyTypes(cx, obj, NameToId(cx->names().prototype));
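Review bot: The early return added at lines 78-79 is only correct because `res` has already been set on line 75, and the comment does not say so; a later refactor that moves `res.setBoolean(cond)` below the check would silently drop the result while still returning true. I would extend the comment to `// Check if debug mode toggling (e.g. a user Symbol.hasInstance handler run by HasInstance) made the stub invalid. res is already set, so returning here only skips touching the stub.`; the specific trigger is inferred from the accompanying test and should be confirmed. The `ReportValueError` path on lines 65-68 returns before any use of `stub`, so it needs no guard. DoInstanceOfFallback continues past the end of this hunk, so the remaining uses of `stub` there depend on this check being reached first.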