[INFER] Add rejoins for call sites that can trigger GC, bug 671943.

2024-09-13 09:24:08 -07:00 · 2011-07-16 07:15:34 -07:00 · 2011-07-16 07:15:34 -07:00 · 2291066d7c
commit 2291066d7c
parent 14ffb09713
5 changed files with 34 additions and 4 deletions
--- a/js/src/jit-test/tests/jaeger/recompile/bug671943-1.js
+++ b/js/src/jit-test/tests/jaeger/recompile/bug671943-1.js
@ -0,0 +1,12 @@
+gczeal(2);
+o1 = Iterator;
+var o2 = (function() { return arguments; })();
+function f(o) {
+    for(var j=0; j<20; j++) {
+        Object.seal(o2);
+        (function() { return eval(o); })() == o1;
+        (function() { return {x: arguments}.x; })();
+        if (false) {};
+    }
+}
+f({});
--- a/js/src/jit-test/tests/jaeger/recompile/bug671943-2.js
+++ b/js/src/jit-test/tests/jaeger/recompile/bug671943-2.js
@ -0,0 +1,9 @@
+schedulegc(11);
+function foo(n) {
+  if (n == 10)
+    foo.apply = function(a, b) { return b[0]; }
+  return n;
+}
+function bar() { return foo.apply(null, arguments); }
+for (var i = 0; i < 20; i++)
+  assertEq(bar(i), i);
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@ -739,7 +739,7 @@ mjit::Compiler::generatePrologue()
        /* Create the call object. */
        if (script->fun->isHeavyweight()) {
            prepareStubCall(Uses(0));
-            INLINE_STUBCALL(stubs::CreateFunCallObject, REJOIN_NONE);
+            INLINE_STUBCALL(stubs::CreateFunCallObject, REJOIN_CREATE_CALL_OBJECT);
        }

        j.linkTo(masm.label(), &masm);
@ -2634,7 +2634,7 @@ mjit::Compiler::generateMethod()
            JSObject *regex = script->getRegExp(fullAtomIndex(PC));
            prepareStubCall(Uses(0));
            masm.move(ImmPtr(regex), Registers::ArgReg1);
-            INLINE_STUBCALL(stubs::RegExp, REJOIN_NONE);
+            INLINE_STUBCALL(stubs::RegExp, REJOIN_PUSH_OBJECT);
            frame.takeReg(Registers::ReturnReg);
            frame.pushTypedPayload(JSVAL_TYPE_OBJECT, Registers::ReturnReg);
          }
@ -3310,7 +3310,7 @@ mjit::Compiler::checkCallApplySpeculation(uint32 callImmArgc, uint32 speculatedA

        int32 frameDepthAdjust;
        if (applyTricks == LazyArgsObj) {
-            OOL_STUBCALL(stubs::Arguments, REJOIN_NONE);
+            OOL_STUBCALL(stubs::Arguments, REJOIN_RESUME);
            frameDepthAdjust = +1;
        } else {
            frameDepthAdjust = 0;
--- a/js/src/methodjit/InvokeHelpers.cpp
+++ b/js/src/methodjit/InvokeHelpers.cpp
@ -1435,13 +1435,19 @@ js_InternalInterpret(void *returnData, void *returnType, void *returnReg, js::VM
         */
        if (!CheckStackQuota(f))
            return js_InternalThrow(f);
+
+        SetValueRangeToUndefined(fp->slots(), script->nfixed);
+
        if (fp->fun()->isHeavyweight()) {
            if (!js::CreateFunCallObject(cx, fp))
                return js_InternalThrow(f);
        }

+        /* FALLTHROUGH */
+      }
+
+      case REJOIN_CREATE_CALL_OBJECT: {
        fp->scopeChain();
-        SetValueRangeToUndefined(fp->slots(), script->nfixed);

        /* Construct the 'this' object for the frame if necessary. */
        if (!ScriptPrologueOrGeneratorResume(cx, fp, types::UseNewTypeAtEntry(cx, fp)))
--- a/js/src/methodjit/MethodJIT.h
+++ b/js/src/methodjit/MethodJIT.h
@ -289,6 +289,9 @@ enum RejoinState {
     */
    REJOIN_CHECK_ARGUMENTS,

+    /* A GC while making a call object occurred, discarding the script's jitcode. */
+    REJOIN_CREATE_CALL_OBJECT,
+
    /*
     * State after calling a stub which returns a JIT code pointer for a call
     * or NULL for an already-completed call.