[INFER] Make ReleaseScriptCode specify which JIT to destroy, fix inline code invariant logic, bug 619433.

js/src/jscompartment.cpp

@@ -447,7 +447,7 @@ ScriptPoolDestroyed(JSContext *cx, mjit::JITScript *jit,
 }
 
 static inline void
-ScriptTryDestroyCode(JSContext *cx, JSScript *script, mjit::JITScript *jit,
+ScriptTryDestroyCode(JSContext *cx, JSScript *script, bool normal,
                      uint32 releaseInterval, uint32 &counter)
 {
     /*
@@ -457,16 +457,21 @@ ScriptTryDestroyCode(JSContext *cx, JSScript *script, mjit::JITScript *jit,
      * JIT code for any inlined frame which may need to be expanded.
      */
 
+    mjit::JITScript *jit = normal ? script->jitNormal : script->jitCtor;
+
+    if (!jit)
+        return;
+
     if (ScriptPoolDestroyed(cx, jit, releaseInterval, counter)) {
-        mjit::ReleaseScriptCode(cx, script);
+        mjit::ReleaseScriptCode(cx, script, normal);
         return;
     }
 
     for (unsigned i = 0; i < jit->nInlineFrames; i++) {
         JSScript *inner = jit->inlineFrames()[i].fun->script();
-        JS_ASSERT(inner->jitNormal);
-        if (ScriptPoolDestroyed(cx, inner->jitNormal, releaseInterval, counter)) {
-            mjit::ReleaseScriptCode(cx, script);
+        if (!inner->jitNormal ||  /* Found inner first in the walk. */
+            ScriptPoolDestroyed(cx, inner->jitNormal, releaseInterval, counter)) {
+            mjit::ReleaseScriptCode(cx, script, true);
             return;
         }
     }
@@ -569,10 +574,8 @@ JSCompartment::sweep(JSContext *cx, uint32 releaseInterval)
         if (script->hasJITCode()) {
             mjit::ic::SweepCallICs(cx, script, discardScripts);
             if (discardScripts) {
-                if (script->jitNormal)
-                    ScriptTryDestroyCode(cx, script, script->jitNormal, releaseInterval, counter);
-                if (script->jitCtor)
-                    ScriptTryDestroyCode(cx, script, script->jitCtor, releaseInterval, counter);
+                ScriptTryDestroyCode(cx, script, true, releaseInterval, counter);
+                ScriptTryDestroyCode(cx, script, false, releaseInterval, counter);
             }
         }
     }

js/src/jsdbgapi.cpp

@@ -179,7 +179,8 @@ JS_SetDebugModeForCompartment(JSContext *cx, JSCompartment *comp, JSBool debug)
             return JS_FALSE;
         }
 
-        mjit::ReleaseScriptCode(cx, script);
+        mjit::ReleaseScriptCode(cx, script, true);
+        mjit::ReleaseScriptCode(cx, script, false);
         script->debugMode = !!debug;
     }
 #endif

js/src/jsscript.cpp

@@ -1671,7 +1671,8 @@ DestroyScript(JSContext *cx, JSScript *script)
     cx->free(script->varTypes);
 
 #if defined(JS_METHODJIT)
-    mjit::ReleaseScriptCode(cx, script);
+    mjit::ReleaseScriptCode(cx, script, true);
+    mjit::ReleaseScriptCode(cx, script, false);
 #endif
 
     JS_REMOVE_LINK(&script->links);

js/src/methodjit/Compiler.cpp

@@ -337,7 +337,7 @@ mjit::Compiler::performCompilation(JITScript **jitp)
         if (script->jitNormal && !script->jitNormal->rejoinPoints) {
             mjit::Recompiler recompiler(cx, script);
             if (!recompiler.recompile()) {
-                ReleaseScriptCode(cx, outerScript);
+                ReleaseScriptCode(cx, outerScript, true);
                 return Compile_Error;
             }
         }
@@ -349,7 +349,7 @@ mjit::Compiler::performCompilation(JITScript **jitp)
                 status = cc.compile();
             }
             if (status != Compile_Okay) {
-                ReleaseScriptCode(cx, outerScript);
+                ReleaseScriptCode(cx, outerScript, true);
                 return status;
             }
         }

js/src/methodjit/MethodJIT.cpp

@@ -1015,29 +1015,21 @@ mjit::JITScript::scriptDataSize()
 }
 
 void
-mjit::ReleaseScriptCode(JSContext *cx, JSScript *script)
+mjit::ReleaseScriptCode(JSContext *cx, JSScript *script, bool normal)
 {
     // NB: The recompiler may call ReleaseScriptCode, in which case it
     // will get called again when the script is destroyed, so we
     // must protect against calling ReleaseScriptCode twice.
-    JITScript *jscr;
 
-    if ((jscr = script->jitNormal)) {
-        cx->runtime->mjitMemoryUsed -= jscr->scriptDataSize() + jscr->mainCodeSize();
+    JITScript **pjit = normal ? &script->jitNormal : &script->jitCtor;
+    void **parity = normal ? &script->jitArityCheckNormal : &script->jitArityCheckCtor;
 
-        jscr->~JITScript();
-        cx->free(jscr);
-        script->jitNormal = NULL;
-        script->jitArityCheckNormal = NULL;
-    }
-
-    if ((jscr = script->jitCtor)) {
-        cx->runtime->mjitMemoryUsed -= jscr->scriptDataSize() + jscr->mainCodeSize();
-
-        jscr->~JITScript();
-        cx->free(jscr);
-        script->jitCtor = NULL;
-        script->jitArityCheckCtor = NULL;
+    if (*pjit) {
+        cx->runtime->mjitMemoryUsed -= (*pjit)->scriptDataSize() + (*pjit)->mainCodeSize();
+        (*pjit)->~JITScript();
+        cx->free(*pjit);
+        *pjit = NULL;
+        *parity = NULL;
     }
 }
 

js/src/methodjit/MethodJIT.h

@@ -470,7 +470,7 @@ CompileStatus JS_NEVER_INLINE
 TryCompile(JSContext *cx, JSStackFrame *fp);
 
 void
-ReleaseScriptCode(JSContext *cx, JSScript *script);
+ReleaseScriptCode(JSContext *cx, JSScript *script, bool normal);
 
 // Expand either the topmost stack frame or all stack frames inlined by the JIT.
 void

js/src/methodjit/Retcon.cpp

@@ -508,7 +508,8 @@ Recompiler::recompile()
     if (script->jitCtor && !cleanup(script->jitCtor, &ctorSites))
         return false;
 
-    ReleaseScriptCode(cx, script);
+    ReleaseScriptCode(cx, script, true);
+    ReleaseScriptCode(cx, script, false);
 
     if (normalFrames.length() &&
         !recompile(normalFrames, normalPatches, normalSites, normalNatives)) {