Bug 1302432 - Fix RematerializedFrame slot tracing. r=jimb, a=ritu
authorShu-yu Guo <shu@rfrn.org>
Wed, 05 Oct 2016 15:20:58 -0700
changeset 350717 f65f7378763e36b99436af60b0bb52242b28dfda
parent 350716 0eb418434f75ee9fdde015cc30dad119e1023ac8
child 350718 0616db3d38ab140ff3641e0b3eaa7aedecbcf893
push id1230
push userjlund@mozilla.com
push dateMon, 31 Oct 2016 18:13:35 +0000
reviewersjimb, ritu
bugs1302432
milestone50.0
Bug 1302432 - Fix RematerializedFrame slot tracing. r=jimb, a=ritu
js/src/jit-test/tests/debug/bug1302432.js
js/src/jit/RematerializedFrame.cpp
js/src/vm/Debugger.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug1302432.js
@@ -0,0 +1,10 @@
+setJitCompilerOption('ion.warmup.trigger', 0);
+gczeal(7, 1);
+var dbgGlobal = newGlobal();
+var dbg = new dbgGlobal.Debugger();
+dbg.addDebuggee(this);
+function f(x, await = () => Array.isArray(revocable.proxy), ...get) {
+    dbg.getNewestFrame().older.eval("print(a)");
+}
+function a() {}
+for (var i = 0; i < 10; i++) f();
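Review bot: The test carries no comment saying what it exercises, so a later change to how default or rest parameters are compiled could make it pass vacuously without anyone noticing. Read together with the RematerializedFrame.cpp change in this commit, the point appears to be that `f` declares more formal argument slots (a default parameter and a rest parameter) than the zero actuals passed from the loop, so a frame rematerialized while the debugger evaluates in it has argument slots beyond the actual count that must still be traced, and `gczeal(7, 1)` forces collections to surface any slot left untraced. A one-line header such as `// Bug 1302432: a rematerialized Ion frame must trace formal-argument slots beyond the actual argument count while the debugger holds it across a GC.` would record that intent; the exact mechanism should be confirmed against the C++ change since it is inferred here.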
--- a/js/src/jit/RematerializedFrame.cpp
+++ b/js/src/jit/RematerializedFrame.cpp
@@ -160,17 +160,17 @@ RematerializedFrame::mark(JSTracer* trc)
     TraceRoot(trc, &script_, "remat ion frame script");
     TraceRoot(trc, &scopeChain_, "remat ion frame scope chain");
     if (callee_)
         TraceRoot(trc, &callee_, "remat ion frame callee");
     if (argsObj_)
         TraceRoot(trc, &argsObj_, "remat ion frame argsobj");
     TraceRoot(trc, &returnValue_, "remat ion frame return value");
     TraceRoot(trc, &thisArgument_, "remat ion frame this");
-    TraceRootRange(trc, numActualArgs_ + isConstructing_ + script_->nfixed(),
+    TraceRootRange(trc, numArgSlots() + isConstructing_ + script_->nfixed(),
                    slots_, "remat ion frame stack");
 }
 
 void
 RematerializedFrame::dump()
 {
     fprintf(stderr, " Rematerialized Ion Frame%s\n", inlined() ? " (inlined)" : "");
     if (isFunctionFrame()) {
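Review bot: The corrected count in `TraceRootRange(trc, numArgSlots() + isConstructing_ + script_->nfixed(), slots_, "remat ion frame stack");` has no comment explaining why numArgSlots() rather than numActualArgs_ is the right bound, and this is the line where an undercount leaves live GC pointers in slots_ unmarked — a memory-safety defect, not a cosmetic one. Presumably numArgSlots() covers formal slots that exceed the actuals (its definition is outside this hunk); a comment such as `// Trace every argument slot, not just the actuals: formals may exceed numActualArgs_.` would pin that down for the next reader. The bool isConstructing_ is also folded into the count implicitly; writing it as `(isConstructing_ ? 1 : 0)` would make the slot layout the expression encodes (argument slots, one extra slot when constructing, then the fixed slots) explicit. mark()'s opening lines are above the hunk and dump() continues below it.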
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -7067,17 +7067,17 @@ DebuggerFrame::initClass(JSContext* cx, 
 }
 
 /* static */ DebuggerFrame*
 DebuggerFrame::create(JSContext* cx, HandleObject proto, AbstractFramePtr referent,
                       const ScriptFrameIter* maybeIter, HandleNativeObject debugger)
 {
   JSObject* obj = NewObjectWithGivenProto(cx, &DebuggerFrame::class_, proto);
   if (!obj)
-    return nullptr;
+      return nullptr;
 
   DebuggerFrame& frame = obj->as<DebuggerFrame>();
 
   // Eagerly copy ScriptFrameIter data if we've already walked the stack.
   if (maybeIter) {
       AbstractFramePtr data = maybeIter->copyDataAsAbstractFramePtr();
       if (!data)
           return nullptr;