Bug 1130756 - Set BaselineFrame's isDebuggee flag before any operation that can re-enter the VM. (r=jandem)

2024-09-13 09:24:08 -07:00 · 2015-02-09 18:11:19 -08:00 · 2015-02-09 18:11:19 -08:00 · aa8b24301b
commit aa8b24301b
parent ea80ec9aaa
5 changed files with 54 additions and 5 deletions
--- a/js/src/jit-test/tests/debug/bug1130756.js
+++ b/js/src/jit-test/tests/debug/bug1130756.js
@ -0,0 +1,28 @@
+// |jit-test| error: timeout
+
+options('werror');
+
+var g = newGlobal();
+g.parent = this;
+g.eval("(" + function() {
+var dbg = Debugger(parent);
+var handler = {hit: function() {}};
+
+dbg.onEnterFrame = function(frame) {
+    frame.onStep = function() {}
+}
+} + ")()");
+
+g = newGlobal();
+g.parent = this;
+g.eval("Debugger(parent).onExceptionUnwind = function () {};");
+
+function f(x) {
+    if (x === 0) {
+        return;
+    }
+    f(x - 1);
+    f(x - 1);
+}
+timeout(0.00001);
+f(100);
--- a/js/src/jit/BaselineCompiler.cpp
+++ b/js/src/jit/BaselineCompiler.cpp
@ -413,6 +413,10 @@ BaselineCompiler::emitPrologue()
    if (!initScopeChain())
        return false;

+    // When compiling with Debugger instrumentation, set the debuggeeness of
+    // the frame before any operation that can call into the VM.
+    emitIsDebuggeeCheck();
+
    if (!emitStackCheck())
        return false;

@ -567,6 +571,19 @@ BaselineCompiler::emitStackCheck(bool earlyCheck)
    return true;
 }

+void
+BaselineCompiler::emitIsDebuggeeCheck()
+{
+    if (compileDebugInstrumentation_) {
+        masm.Push(BaselineFrameReg);
+        masm.setupUnalignedABICall(1, R0.scratchReg());
+        masm.loadBaselineFramePtr(BaselineFrameReg, R0.scratchReg());
+        masm.passABIArg(R0.scratchReg());
+        masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, jit::FrameIsDebuggeeCheck));
+        masm.Pop(BaselineFrameReg);
+    }
+}
+
 typedef bool (*DebugPrologueFn)(JSContext *, BaselineFrame *, jsbytecode *, bool *);
 static const VMFunction DebugPrologueInfo = FunctionInfo<DebugPrologueFn>(jit::DebugPrologue);

--- a/js/src/jit/BaselineCompiler.h
+++ b/js/src/jit/BaselineCompiler.h
@ -252,6 +252,7 @@ class BaselineCompiler : public BaselineCompilerSpecific
    bool emitInterruptCheck();
    bool emitWarmUpCounterIncrement(bool allowOsr=true);
    bool emitArgumentTypeChecks();
+    void emitIsDebuggeeCheck();
    bool emitDebugPrologue();
    bool emitDebugTrap();
    bool emitTraceLoggerEnter();
--- a/js/src/jit/VMFunctions.cpp
+++ b/js/src/jit/VMFunctions.cpp
@ -680,11 +680,6 @@ GetIndexFromString(JSString *str)
 bool
 DebugPrologue(JSContext *cx, BaselineFrame *frame, jsbytecode *pc, bool *mustReturn)
 {
-    // Mark the BaselineFrame as a debuggee frame if necessary. This must be
-    // done dynamically, so we might as well do it here.
-    if (frame->script()->isDebuggee())
-        frame->setIsDebuggee();
-
    *mustReturn = false;

    switch (Debugger::onEnterFrame(cx, frame)) {
@ -761,6 +756,13 @@ DebugEpilogue(JSContext *cx, BaselineFrame *frame, jsbytecode *pc, bool ok)
    return true;
 }

+void
+FrameIsDebuggeeCheck(BaselineFrame *frame)
+{
+    if (frame->script()->isDebuggee())
+        frame->setIsDebuggee();
+}
+
 JSObject *
 CreateGenerator(JSContext *cx, BaselineFrame *frame)
 {
--- a/js/src/jit/VMFunctions.h
+++ b/js/src/jit/VMFunctions.h
@ -698,6 +698,7 @@ uint32_t GetIndexFromString(JSString *str);
 bool DebugPrologue(JSContext *cx, BaselineFrame *frame, jsbytecode *pc, bool *mustReturn);
 bool DebugEpilogue(JSContext *cx, BaselineFrame *frame, jsbytecode *pc, bool ok);
 bool DebugEpilogueOnBaselineReturn(JSContext *cx, BaselineFrame *frame, jsbytecode *pc);
+void FrameIsDebuggeeCheck(BaselineFrame *frame);

 JSObject *CreateGenerator(JSContext *cx, BaselineFrame *frame);
 bool NormalSuspend(JSContext *cx, HandleObject obj, BaselineFrame *frame, jsbytecode *pc,