author | David Anderson <danderson@mozilla.com> |
Tue, 07 Feb 2012 12:47:36 -0800 | |
changeset 112656 | 88c7a495402af5ae08649f95e8b293765e8bc9d2 |
parent 112655 | e30f6ac05651eeb4533eec262640fe7409278193 |
child 112657 | d66c148e075650d13195e6e583f3bb6660fbabf2 |
push id | 239 |
push user | akeybl@mozilla.com |
push date | Thu, 03 Jan 2013 21:54:43 +0000 |
treeherder | mozilla-release@3a7b66445659 [default view] [failures only] |
reviewers | cdleary |
bugs | 724579 |
milestone | 13.0a1 |
js/src/ion/Ion.cpp | file | annotate | diff | comparison | revisions | |
js/src/ion/IonCode.h | file | annotate | diff | comparison | revisions |
--- a/js/src/ion/Ion.cpp +++ b/js/src/ion/Ion.cpp @@ -1053,16 +1053,18 @@ InvalidateActivation(JSContext *cx, uint IonScript *ionScript = script->ion; ionScript->incref(); IonSpew(IonSpew_Invalidate, " ionScript %p ref %u", (void *) ionScript, unsigned(ionScript->refcount())); const SafepointIndex *si = ionScript->getSafepointIndex(it.returnAddressToFp()); IonCode *ionCode = ionScript->method(); + ionCode->setInvalidated(); + // Write the delta (from the return address offset to the // IonScript pointer embedded into the invalidation epilogue) // where the safepointed call instruction used to be. We rely on // the call sequence causing the safepoint being >= the size of // a uint32, which is checked during safepoint index // construction. CodeLocationLabel dataLabelToMunge(it.returnAddressToFp()); ptrdiff_t delta = ionScript->invalidateEpilogueDataOffset() - @@ -1123,18 +1125,16 @@ ion::Invalidate(JSContext *cx, const Vec } void ion::FinishInvalidation(JSContext *cx, JSScript *script) { if (!script->hasIonScript()) return; - script->ion->method()->setInvalidated(); - /* * If this script has Ion code on the stack, invalidation() will return * true. In this case we have to wait until destroying it. */ if (!script->ion->invalidated()) ion::IonScript::Destroy(cx, script->ion); /* In all cases, NULL out script->ion to avoid re-entry. */
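Review bot: The `ionCode->setInvalidated();` line added in InvalidateActivation has no comment saying that it must run before the patch write that follows; the only explanation lives in IonCode.h. Because the second hunk removes the call from FinishInvalidation, this appears to be the one place the flag is set, so a later reorder or an early exit added above it would leave patched code looking traceable to the GC. I would put `// Mark before patching: once the return site is overwritten, relocation entries may be corrupt and must not be traced.` above the call. InvalidateActivation starts and ends outside the hunk, so whether any path patches code without reaching this line cannot be checked from here.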
--- a/js/src/ion/IonCode.h +++ b/js/src/ion/IonCode.h @@ -109,16 +109,20 @@ class IonCode : public gc::Cell size_t bufferSize() const { return bufferSize_; } void trace(JSTracer *trc); void finalize(JSContext *cx, bool background); void setInvalidated() { invalidated_ = true; } + + // If this IonCode object has been, effectively, corrupted due to + // invalidation patching, then we have to remember this so we don't try and + // trace relocation entries that may now be corrupt. bool invalidated() const { return !!invalidated_; } template <typename T> T as() const { return JS_DATA_TO_FUNC_PTR(T, raw()); }
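Review bot: The comment added in IonCode.h sits directly above `invalidated()` and is separated from `setInvalidated()` by a blank line, so the setter, which carries the ordering requirement, stays undocumented. I would move it above the setter (or onto the `invalidated_` member, which is outside the hunk) and name the reader of the flag, for example `// Set before any invalidation patching; trace() must check invalidated() before walking relocation entries.` Whether `trace()` actually tests the flag is not visible in this hunk and is worth confirming. It would also help to state that the flag is one-way, since no method to clear it is shown.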