Bug 994444. (r=nbp)

2024-09-13 09:24:08 -07:00 · 2014-04-14 22:00:07 -07:00 · 2014-04-14 22:00:07 -07:00 · 4bb7a376ed
commit 4bb7a376ed
parent ce29c5307d
1 changed files with 19 additions and 6 deletions
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@ -392,6 +392,17 @@ GetStubReturnAddress(JSContext *cx, jsbytecode *pc)
    return cx->compartment()->jitCompartment()->baselineCallReturnAddr();
 }

+static inline jsbytecode *
+GetNextNonLoopEntryPc(jsbytecode *pc)
+{
+    JSOp op = JSOp(*pc);
+    if (op == JSOP_GOTO)
+        return pc + GET_JUMP_OFFSET(pc);
+    if (op == JSOP_LOOPENTRY || op == JSOP_NOP || op == JSOP_LOOPHEAD)
+        return GetNextPc(pc);
+    return pc;
+}
+
 // For every inline frame, we write out the following data:
 //
 //                      |      ...      |
@ -783,16 +794,18 @@ InitFromBailout(JSContext *cx, HandleScript caller, jsbytecode *callerPC,
    // If we are resuming at a LOOPENTRY op, resume at the next op to avoid
    // a bailout -> enter Ion -> bailout loop with --ion-eager. See also
    // ThunkToInterpreter.
+    //
+    // The algorithm below is the "tortoise and the hare" algorithm. See bug
+    // 994444 for more explanation.
    if (!resumeAfter) {
+        jsbytecode *fasterPc = pc;
        while (true) {
-            op = JSOp(*pc);
-            if (op == JSOP_GOTO)
-                pc += GET_JUMP_OFFSET(pc);
-            else if (op == JSOP_LOOPENTRY || op == JSOP_NOP || op == JSOP_LOOPHEAD)
-                pc = GetNextPc(pc);
-            else
+            pc = GetNextNonLoopEntryPc(pc);
+            fasterPc = GetNextNonLoopEntryPc(GetNextNonLoopEntryPc(fasterPc));
+            if (fasterPc == pc)
                break;
        }
+        op = JSOp(*pc);
    }

    uint32_t pcOff = script->pcToOffset(pc);