From 13d7de6673baffd59b0fc51a6fd3745cb599068b Mon Sep 17 00:00:00 2001
From: "Nicolas B. Pierron"
Date: Fri, 17 Oct 2014 18:32:46 +0200
Subject: [PATCH] Bug 1083781 - Remove AutoEnterAnalysis from Recover instructions. r=bhackett

This revert some of the modifications made by Bug 1006899, Bug 1054241, Bug 1057598 and Bug 1064358 as it is now safe to iterate the stack during a bailout.
---
 js/src/jit/Recover.cpp | 21 ---------------------
 js/src/jsobjinlines.h | 3 +--
 2 files changed, 1 insertion(+), 23 deletions(-)

diff --git a/js/src/jit/Recover.cpp b/js/src/jit/Recover.cpp
index b832a569282..d1b77558150 100644
--- a/js/src/jit/Recover.cpp
+++ b/js/src/jit/Recover.cpp
@@ -874,13 +874,8 @@ RStringSplit::recover(JSContext *cx, SnapshotIterator &iter) const
 RootedString str(cx, iter.read().toString());
 RootedString sep(cx, iter.read().toString());
 RootedTypeObject typeObj(cx, iter.read().toObject().type());
-
 RootedValue result(cx);
- // Use AutoEnterAnalysis to avoid invoking the object metadata callback,
- // which could try to walk the stack while bailing out.
- types::AutoEnterAnalysis enter(cx);
-
 JSObject *res = str_split_string(cx, typeObj, str, sep);
 if (!res)
 return false;
@@ -1008,10 +1003,6 @@ RNewObject::recover(JSContext *cx, SnapshotIterator &iter) const
 RootedValue result(cx);
 JSObject *resultObject = nullptr;
- // Use AutoEnterAnalysis to avoid invoking the object metadata callback
- // while bailing out, which could try to walk the stack.
- types::AutoEnterAnalysis enter(cx);
-
 // See CodeGenerator::visitNewObjectVMCall
 if (templateObjectIsClassPrototype_)
 resultObject = NewInitObjectWithClassPrototype(cx, templateObject);
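Review bot: With the AutoEnterAnalysis guard gone, the str_split_string call in RStringSplit::recover (and the allocations in RNewObject, RNewArray, RNewDerivedTypedObject and RCreateThisWithTemplate::recover in the following hunks) may now invoke the object metadata callback while a bailout is in progress, and the only text that explained that interaction was the deleted comment. The new side should record the invariant it now depends on, so that whoever next changes frame iteration during bailout knows these allocation sites rely on it; a single line such as `// Allocation here may invoke the object metadata callback, which can iterate the stack; that is safe during a bailout (bug 1083781).` before the str_split_string call would be enough, once rather than per method. If the engine has a debug-only assertion that stack iteration is currently permitted, placing it at one of these sites would turn a future regression into an assertion failure rather than a bad frame read. The body of each recover method continues outside its hunk.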
@@ -1049,10 +1040,6 @@ RNewArray::recover(JSContext *cx, SnapshotIterator &iter) const
 RootedValue result(cx);
 RootedTypeObject type(cx);
- // Use AutoEnterAnalysis to avoid invoking the object metadata callback
- // while bailing out, which could try to walk the stack.
- types::AutoEnterAnalysis enter(cx);
-
 // See CodeGenerator::visitNewArrayCallVM
 if (!templateObject->hasSingletonType())
 type = templateObject->type();
@@ -1084,10 +1071,6 @@ RNewDerivedTypedObject::recover(JSContext *cx, SnapshotIterator &iter) const
 Rooted owner(cx, &iter.read().toObject().as());
 int32_t offset = iter.read().toInt32();
- // Use AutoEnterAnalysis to avoid invoking the object metadata callback
- // while bailing out, which could try to walk the stack.
- types::AutoEnterAnalysis enter(cx);
-
 JSObject *obj = OutlineTypedObject::createDerived(cx, descr, owner, offset);
 if (!obj)
 return false;
@@ -1116,10 +1099,6 @@ RCreateThisWithTemplate::recover(JSContext *cx, SnapshotIterator &iter) const
 {
 RootedNativeObject templateObject(cx, &iter.read().toObject().as());
- // Use AutoEnterAnalysis to avoid invoking the object metadata callback
- // while bailing out, which could try to walk the stack.
- types::AutoEnterAnalysis enter(cx);
-
 // See CodeGenerator::visitCreateThisWithTemplate
 gc::AllocKind allocKind = templateObject->asTenured().getAllocKind();
 gc::InitialHeap initialHeap = tenuredHeap_ ? gc::TenuredHeap : gc::DefaultHeap;
diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h
index 4a33d8e33bc..ae34347fa47 100644
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -779,8 +779,7 @@ static MOZ_ALWAYS_INLINE bool
 NewObjectMetadata(ExclusiveContext *cxArg, JSObject **pmetadata)
 {
 // The metadata callback is invoked before each created object, except when
- // analysis/compilation is active, to avoid recursion. It is also skipped
- // when we allocate objects during a bailout, to prevent stack iterations.
+ // analysis/compilation is active, to avoid recursion.
 MOZ_ASSERT(!*pmetadata);
 if (JSContext *cx = cxArg->maybeJSContext()) {
 if (MOZ_UNLIKELY((size_t)cx->compartment()->hasObjectMetadataCallback()) &&
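Review bot: The rewritten comment in NewObjectMetadata drops the bailout case without saying why it is no longer needed, so a reader comparing this header with the Recover.cpp hunks of the same patch has no pointer to the reasoning. Suggest extending the added line with `// Allocations during a bailout no longer skip the callback: iterating the stack there is safe (bug 1083781).`. The compartment check that follows, and the rest of the function, continue outside the hunk and were not reviewed.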