Fix gmail JIT crash (bug 635295, r=luke, a=blocking).
authorDavid Anderson <danderson@mozilla.com>
Fri, 18 Feb 2011 18:29:20 -0800
changeset 62850 49c49bcf67bd99cc11dde62246c9154f83d6d17b
parent 62849 328483e1b820019df619c0f22f570ae3901d1fe5
child 62851 b0bf06306261f118bf660c1c3538746c5b071353
push id1
push userroot
push dateTue, 10 Dec 2013 15:46:25 +0000
reviewersluke, blocking
bugs635295
milestone2.0b12pre
Fix gmail JIT crash (bug 635295, r=luke, a=blocking).
js/src/methodjit/MonoIC.cpp
--- a/js/src/methodjit/MonoIC.cpp
+++ b/js/src/methodjit/MonoIC.cpp
@@ -1253,16 +1253,30 @@ JITScript::sweepCallICs(JSContext *cx, b
          * executing a stub generated by a guard on that object. This lets us
          * precisely GC call ICs while keeping the identity guard safe.
          */
         bool fastFunDead = ic.fastGuardedObject &&
             (purgeAll || IsAboutToBeFinalized(cx, ic.fastGuardedObject));
         bool nativeDead = ic.fastGuardedNative &&
             (purgeAll || IsAboutToBeFinalized(cx, ic.fastGuardedNative));
 
+        /*
+         * There are three conditions where we need to relink:
+         * (1) purgeAll is true.
+         * (2) The native is dead, since it always has a stub.
+         * (3) The fastFun is dead *and* there is a closure stub.
+         *
+         * Note although both objects can be non-NULL, there can only be one
+         * of [closure, native] stub per call IC.
+         */
+        if (purgeAll || nativeDead || (fastFunDead && ic.hasJsFunCheck)) {
+            repatcher.relink(ic.funJump, ic.slowPathStart);
+            ic.hit = false;
+        }
+
         if (fastFunDead) {
             repatcher.repatch(ic.funGuard, NULL);
             ic.releasePool(CallICInfo::Pool_ClosureStub);
             ic.hasJsFunCheck = false;
             ic.fastGuardedObject = NULL;
         }
 
         if (nativeDead) {
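Review bot: The correctness of the new `if (purgeAll || nativeDead || (fastFunDead && ic.hasJsFunCheck))` block rests on an ordering the comment does not state: it must run before the `ic.releasePool(CallICInfo::Pool_ClosureStub)` call just below it (and presumably before the native-stub release in the following hunk), because `ic.funJump` may still target the stub whose pool is about to be freed, and it must also run before `ic.hasJsFunCheck = false`, which the condition reads. The three-condition list explains when to relink but not why the block sits where it does, which is exactly what a later reorder would break. I would extend the comment with `* This must precede the releasePool() calls below: funJump may still target the stub being freed, and hasJsFunCheck is cleared after this check.` Condition (3) also uses `ic.hasJsFunCheck` as the proxy for "a closure stub exists", which is worth naming in the comment so the proxy is not silently changed. sweepCallICs and its per-IC loop begin before this hunk and continue past it.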
@@ -1271,26 +1285,16 @@ JITScript::sweepCallICs(JSContext *cx, b
         }
 
         if (purgeAll) {
             ic.releasePool(CallICInfo::Pool_ScriptStub);
             JSC::CodeLocationJump oolJump = ic.slowPathStart.jumpAtOffset(ic.oolJumpOffset);
             JSC::CodeLocationLabel icCall = ic.slowPathStart.labelAtOffset(ic.icCallOffset);
             repatcher.relink(oolJump, icCall);
         }
-
-        /*
-         * Only relink the fast-path if there are no connected stubs, or we're
-         * trying to disconnect all stubs. Otherwise, we're just disabling an
-         * optimization that must take up space anyway (see bug 632729).
-         */
-        if (purgeAll || !(ic.fastGuardedObject || ic.fastGuardedNative)) {
-            repatcher.relink(ic.funJump, ic.slowPathStart);
-            ic.hit = false;
-        }
     }
 
     if (purgeAll) {
         /* Purge ICs generating stubs into execPools. */
         uint32 released = 0;
 
         ic::EqualityICInfo *equalityICs_ = equalityICs();
         for (uint32 i = 0; i < nEqualityICs; i++) {