Bug 1172498 - Properly mark ion frame new.target values. (r=jandem)
☠☠ backed out by ee3fddb7a3eb ☠ ☠
authorEric Faust <efaustbmo@mozilla.com>
Tue, 23 Jun 2015 09:19:36 -0700
changeset 280816 fe813debcd79042f3c089affac95c0e08e2ae731
parent 280815 f2bd296fb0f59465f60255e12783b6e0fffb7514
child 280817 809adf5430de3907d3147914201e6e48051c1d07
push id4932
push userjlund@mozilla.com
push dateMon, 10 Aug 2015 18:23:06 +0000
reviewersjandem
bugs1172498
milestone41.0a1
Bug 1172498 - Properly mark ion frame new.target values. (r=jandem)
js/src/jit-test/tests/ion/bug1172498.js
js/src/jit/JitFrames.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1172498.js
@@ -0,0 +1,3 @@
+for(var e=1; e<10000; e++) {
+  new (function  (c) { eval("var y"); });
+}
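Review bot: The new regression test says nothing about what it exercises, so a reader cannot tell why the loop, the missing actual argument and the eval are all needed. The shape of the call — a constructor declared with one formal (`c`) but invoked with no actuals, inside a loop long enough to be compiled — suggests it targets the case the JitFrames.cpp change fixes, so a header such as `// Bug 1172498: new.target must still be traced when a constructor is called with fewer actuals than formals.` would document that; confirm the role of the `eval("var y")` before stating it.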
--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
@@ -6,16 +6,17 @@
 
 #include "jit/JitFrames-inl.h"
 
 #include "mozilla/SizePrintfMacros.h"
 
 #include "jsfun.h"
 #include "jsobj.h"
 #include "jsscript.h"
+#include "jsutil.h"
 
 #include "gc/Marking.h"
 #include "jit/BaselineDebugModeOSR.h"
 #include "jit/BaselineFrame.h"
 #include "jit/BaselineIC.h"
 #include "jit/BaselineJIT.h"
 #include "jit/Ion.h"
 #include "jit/JitcodeMap.h"
@@ -1042,30 +1043,36 @@ MarkThisAndArguments(JSTracer* trc, JitF
 {
     // Mark |this| and any extra actual arguments for an Ion frame. Marking of
     // formal arguments is taken care of by the frame's safepoint/snapshot,
     // except when the script might have lazy arguments, in which case we mark
     // them as well.
 
     size_t nargs = layout->numActualArgs();
     size_t nformals = 0;
+    size_t newTargetOffset = 0;
     if (CalleeTokenIsFunction(layout->calleeToken())) {
         JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
         nformals = fun->nonLazyScript()->argumentsHasVarBinding() ? 0 : fun->nargs();
+        newTargetOffset = Max(nargs, fun->nargs());
     }
 
     Value* argv = layout->argv();
 
     // Trace |this|.
     TraceRoot(trc, argv, "ion-thisv");
 
-    // Trace actual arguments and newTarget beyond the formals. Note + 1 for thisv.
-    bool constructing = CalleeTokenIsConstructing(layout->calleeToken());
-    for (size_t i = nformals + 1; i < nargs + 1 + constructing; i++)
+    // Trace actual arguments beyond the formals. Note + 1 for thisv.
+    for (size_t i = nformals + 1; i < nargs + 1; i++)
         TraceRoot(trc, &argv[i], "ion-argv");
+
+    // Always mark the new.target from the frame. It's not in the snapshots.
+    // +1 to pass |this|
+    if (CalleeTokenIsConstructing(layout->calleeToken()))
+        TraceRoot(trc, &argv[1 + newTargetOffset], "ion-newTarget");
 }
 
 static void
 MarkThisAndArguments(JSTracer* trc, const JitFrameIterator& frame)
 {
     JitFrameLayout* layout = frame.jsFrame();
     MarkThisAndArguments(trc, layout);
 }
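Review bot: When the callee token is not a function, `newTargetOffset` keeps its initialiser of 0, so if CalleeTokenIsConstructing() were ever true for such a frame the new trace at `argv[1 + newTargetOffset]` would mark argv[1] — the first actual argument — instead of new.target, leaving the real new.target unmarked. Presumably a constructing frame always carries a function token; if so, make that invariant explicit next to the trace with `MOZ_ASSERT_IF(CalleeTokenIsConstructing(layout->calleeToken()), CalleeTokenIsFunction(layout->calleeToken()));`, or move the new.target trace into the CalleeTokenIsFunction branch so the offset is only used where it was computed. The choice of `Max(nargs, fun->nargs())` also deserves a one-line why-comment, e.g. `// new.target sits after the actuals, or after the formal slots when fewer actuals were pushed than the callee declares`, since the earlier code assumed it was always at nargs + 1. The signature of this MarkThisAndArguments overload is on the hunk header line, outside the hunk.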