Fix not marking some invalidated IonCode objects as invalidated (bug 724579 part 1, r=cdleary).
authorDavid Anderson <danderson@mozilla.com>
Tue, 07 Feb 2012 12:47:36 -0800
changeset 112656 88c7a495402af5ae08649f95e8b293765e8bc9d2
parent 112655 e30f6ac05651eeb4533eec262640fe7409278193
child 112657 d66c148e075650d13195e6e583f3bb6660fbabf2
push id239
push userakeybl@mozilla.com
push dateThu, 03 Jan 2013 21:54:43 +0000
reviewerscdleary
bugs724579
milestone13.0a1
Fix not marking some invalidated IonCode objects as invalidated (bug 724579 part 1, r=cdleary).
js/src/ion/Ion.cpp
js/src/ion/IonCode.h
--- a/js/src/ion/Ion.cpp
+++ b/js/src/ion/Ion.cpp
@@ -1053,16 +1053,18 @@ InvalidateActivation(JSContext *cx, uint
         IonScript *ionScript = script->ion;
         ionScript->incref();
         IonSpew(IonSpew_Invalidate, "   ionScript %p ref %u", (void *) ionScript,
                 unsigned(ionScript->refcount()));
 
         const SafepointIndex *si = ionScript->getSafepointIndex(it.returnAddressToFp());
         IonCode *ionCode = ionScript->method();
 
+        ionCode->setInvalidated();
+
         // Write the delta (from the return address offset to the
         // IonScript pointer embedded into the invalidation epilogue)
         // where the safepointed call instruction used to be. We rely on
         // the call sequence causing the safepoint being >= the size of
         // a uint32, which is checked during safepoint index
         // construction.
         CodeLocationLabel dataLabelToMunge(it.returnAddressToFp());
         ptrdiff_t delta = ionScript->invalidateEpilogueDataOffset() -
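Review bot: The added `ionCode->setInvalidated();` carries no comment explaining why it sits before the patching code that follows, and the ordering is load-bearing: the IonCode.h comment in this same commit says the flag exists so the tracer skips relocation entries that patching may have corrupted, so the flag has to be set before the buffer is munged, not after. A one-line comment would pin that down: `// Mark the code invalidated before patching it below; once patched, its relocation entries can no longer be trusted by the tracer.` InvalidateActivation starts and ends outside the hunk, so I cannot see whether a GC can run between this line and the patch; if it can, setting the flag first is exactly what keeps the trace safe, which is another reason to say so in the comment.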
@@ -1123,18 +1125,16 @@ ion::Invalidate(JSContext *cx, const Vec
 }
 
 void
 ion::FinishInvalidation(JSContext *cx, JSScript *script)
 {
     if (!script->hasIonScript())
         return;
 
-    script->ion->method()->setInvalidated();
-
     /*
      * If this script has Ion code on the stack, invalidation() will return
      * true. In this case we have to wait until destroying it.
      */
     if (!script->ion->invalidated())
         ion::IonScript::Destroy(cx, script->ion);
 
     /* In all cases, NULL out script->ion to avoid re-entry. */
--- a/js/src/ion/IonCode.h
+++ b/js/src/ion/IonCode.h
@@ -109,16 +109,20 @@ class IonCode : public gc::Cell
     size_t bufferSize() const {
         return bufferSize_;
     }
     void trace(JSTracer *trc);
     void finalize(JSContext *cx, bool background);
     void setInvalidated() {
         invalidated_ = true;
     }
+
+    // If this IonCode object has been, effectively, corrupted due to
+    // invalidation patching, then we have to remember this so we don't try and
+    // trace relocation entries that may now be corrupt.
     bool invalidated() const {
         return !!invalidated_;
     }
 
     template <typename T> T as() const {
         return JS_DATA_TO_FUNC_PTR(T, raw());
     }
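Review bot: The new comment is placed between `setInvalidated()` and `invalidated()`, so it reads as documenting only the getter, while the contract it describes belongs to the flag as a whole and in particular to the setter's caller. Moving it above `setInvalidated()` (or onto the `invalidated_` member, which is outside this hunk) and adding the caller obligation would make the pair self-explanatory, e.g. `// Callers must set this before patching the code buffer; there is no way to clear it, since the relocation entries stay untrustworthy.` While touching it, "don't try and trace" should read "don't try to trace". The `!!invalidated_` in the getter suggests the member is not a plain `bool`; if so, a word on its type where the member is declared would help a reader of this header.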