diff --git a/js/src/jit/Recover.cpp b/js/src/jit/Recover.cpp index b832a569282..d1b77558150 100644 --- a/js/src/jit/Recover.cpp +++ b/js/src/jit/Recover.cpp @@ -874,13 +874,8 @@ RStringSplit::recover(JSContext *cx, SnapshotIterator &iter) const RootedString str(cx, iter.read().toString()); RootedString sep(cx, iter.read().toString()); RootedTypeObject typeObj(cx, iter.read().toObject().type()); - RootedValue result(cx); - // Use AutoEnterAnalysis to avoid invoking the object metadata callback, - // which could try to walk the stack while bailing out. - types::AutoEnterAnalysis enter(cx); - JSObject *res = str_split_string(cx, typeObj, str, sep); if (!res) return false; @@ -1008,10 +1003,6 @@ RNewObject::recover(JSContext *cx, SnapshotIterator &iter) const RootedValue result(cx); JSObject *resultObject = nullptr; - // Use AutoEnterAnalysis to avoid invoking the object metadata callback - // while bailing out, which could try to walk the stack. - types::AutoEnterAnalysis enter(cx); - // See CodeGenerator::visitNewObjectVMCall if (templateObjectIsClassPrototype_) resultObject = NewInitObjectWithClassPrototype(cx, templateObject); @@ -1049,10 +1040,6 @@ RNewArray::recover(JSContext *cx, SnapshotIterator &iter) const RootedValue result(cx); RootedTypeObject type(cx); - // Use AutoEnterAnalysis to avoid invoking the object metadata callback - // while bailing out, which could try to walk the stack. - types::AutoEnterAnalysis enter(cx); - // See CodeGenerator::visitNewArrayCallVM if (!templateObject->hasSingletonType()) type = templateObject->type(); @@ -1084,10 +1071,6 @@ RNewDerivedTypedObject::recover(JSContext *cx, SnapshotIterator &iter) const Rooted owner(cx, &iter.read().toObject().as()); int32_t offset = iter.read().toInt32(); - // Use AutoEnterAnalysis to avoid invoking the object metadata callback - // while bailing out, which could try to walk the stack. - types::AutoEnterAnalysis enter(cx); - JSObject *obj = OutlineTypedObject::createDerived(cx, descr, owner, offset); if (!obj) return false; @@ -1116,10 +1099,6 @@ RCreateThisWithTemplate::recover(JSContext *cx, SnapshotIterator &iter) const { RootedNativeObject templateObject(cx, &iter.read().toObject().as()); - // Use AutoEnterAnalysis to avoid invoking the object metadata callback - // while bailing out, which could try to walk the stack. - types::AutoEnterAnalysis enter(cx); - // See CodeGenerator::visitCreateThisWithTemplate gc::AllocKind allocKind = templateObject->asTenured().getAllocKind(); gc::InitialHeap initialHeap = tenuredHeap_ ? gc::TenuredHeap : gc::DefaultHeap; diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h index 4a33d8e33bc..ae34347fa47 100644 --- a/js/src/jsobjinlines.h +++ b/js/src/jsobjinlines.h @@ -779,8 +779,7 @@ static MOZ_ALWAYS_INLINE bool NewObjectMetadata(ExclusiveContext *cxArg, JSObject **pmetadata) { // The metadata callback is invoked before each created object, except when - // analysis/compilation is active, to avoid recursion. It is also skipped - // when we allocate objects during a bailout, to prevent stack iterations. + // analysis/compilation is active, to avoid recursion. MOZ_ASSERT(!*pmetadata); if (JSContext *cx = cxArg->maybeJSContext()) { if (MOZ_UNLIKELY((size_t)cx->compartment()->hasObjectMetadataCallback()) &&