Fix g-mail JIT crash (bug 635295, r=luke).
authorDavid Anderson <danderson@mozilla.com>
Fri, 18 Feb 2011 18:29:20 -0800
changeset 62947 39e3a00ea6e8c6622f658b984bb32f2117d0b19e
parent 62946 58eebd67ae57b016ccdc39ddbf697126d0294b34
child 62948 3f71115041e81bef84d94f9550d55d8325f460e9
push id1
push userroot
push dateTue, 10 Dec 2013 15:46:25 +0000
reviewersluke
bugs635295
milestone2.0b12pre
Fix g-mail JIT crash (bug 635295, r=luke).
js/src/methodjit/MonoIC.cpp
--- a/js/src/methodjit/MonoIC.cpp
+++ b/js/src/methodjit/MonoIC.cpp
@@ -1263,16 +1263,30 @@ JITScript::sweepCallICs(JSContext *cx, b
          * executing a stub generated by a guard on that object. This lets us
          * precisely GC call ICs while keeping the identity guard safe.
          */
         bool fastFunDead = ic.fastGuardedObject &&
             (purgeAll || IsAboutToBeFinalized(cx, ic.fastGuardedObject));
         bool nativeDead = ic.fastGuardedNative &&
             (purgeAll || IsAboutToBeFinalized(cx, ic.fastGuardedNative));
 
+        /*
+         * There are three conditions where we need to relink:
+         * (1) purgeAll is true.
+         * (2) The native is dead, since it always has a stub.
+         * (3) The fastFun is dead *and* there is a closure stub.
+         *
+         * Note although both objects can be non-NULL, there can only be one
+         * of [closure, native] stub per call IC.
+         */
+        if (purgeAll || nativeDead || (fastFunDead && ic.hasJsFunCheck)) {
+            repatcher.relink(ic.funJump, ic.slowPathStart);
+            ic.hit = false;
+        }
+
         if (fastFunDead) {
             repatcher.repatch(ic.funGuard, NULL);
             ic.releasePool(CallICInfo::Pool_ClosureStub);
             ic.hasJsFunCheck = false;
             ic.fastGuardedObject = NULL;
         }
 
         if (nativeDead) {
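Review bot: The new relink at the top of the hunk is correct only because it reads `ic.hasJsFunCheck` before the `fastFunDead` block below clears it and releases `Pool_ClosureStub`, but the added comment does not record this ordering, so a later reordering of the two blocks could silently leave `funJump` pointing into a released stub pool. I would extend the comment with a sentence such as `This must run before the fastFunDead/nativeDead blocks below, which clear hasJsFunCheck and release the pools funJump may still target.` The comment's claim that a call IC has at most one of a closure stub or a native stub is what makes the three-way condition complete; if `JS_ASSERT` is in scope in this file, pinning it with `JS_ASSERT(!(ic.hasJsFunCheck && ic.fastGuardedNative));` just ahead of the `if` would be cheap, assuming `hasJsFunCheck` is the only marker of a closure stub. `sweepCallICs` begins and ends outside this hunk, and the second hunk only deletes the old relink block, so it needs no separate note.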
@@ -1281,26 +1295,16 @@ JITScript::sweepCallICs(JSContext *cx, b
         }
 
         if (purgeAll) {
             ic.releasePool(CallICInfo::Pool_ScriptStub);
             JSC::CodeLocationJump oolJump = ic.slowPathStart.jumpAtOffset(ic.oolJumpOffset);
             JSC::CodeLocationLabel icCall = ic.slowPathStart.labelAtOffset(ic.icCallOffset);
             repatcher.relink(oolJump, icCall);
         }
-
-        /*
-         * Only relink the fast-path if there are no connected stubs, or we're
-         * trying to disconnect all stubs. Otherwise, we're just disabling an
-         * optimization that must take up space anyway (see bug 632729).
-         */
-        if (purgeAll || !(ic.fastGuardedObject || ic.fastGuardedNative)) {
-            repatcher.relink(ic.funJump, ic.slowPathStart);
-            ic.hit = false;
-        }
     }
 
     if (purgeAll) {
         /* Purge ICs generating stubs into execPools. */
         uint32 released = 0;
 
         ic::EqualityICInfo *equalityICs_ = equalityICs();
         for (uint32 i = 0; i < nEqualityICs; i++) {