Bug 907085 - Don't use GetIonContext->cx during GC (r=jandem)

--HG-- extra : rebase_source : 0c442c82e71435dd8712a67cc7f01f00010f1e41
2024-09-13 09:24:08 -07:00 · 2013-08-20 09:40:16 -05:00 · 2013-08-20 09:40:16 -05:00 · e11942b6a1
commit e11942b6a1
parent f54c0d20fb
3 changed files with 34 additions and 15 deletions
--- a/js/src/jit-test/tests/asm.js/testBug907085.js
+++ b/js/src/jit-test/tests/asm.js/testBug907085.js
@ -0,0 +1,22 @@
+try {
+    s.e
+} catch (e) {}
+o = o = s2 = /x/
+for (let e in []);
+x = s2
+schedulegc(21)
+eval("x.e=x.t")
+try {
+    (function() {
+        this.eval("\
+            (function(stdlib,fgn,heap) {\
+                \"use asm\";\
+                var Vie = new stdlib.Float64Array(heap);\
+                var Iew = new stdlib.Int8Array(heap);\
+                function f(){\
+                    ent\
+                }\
+            })()\
+        ")
+    })()
+} catch (e) {}
--- a/js/src/jit/BaselineJIT.cpp
+++ b/js/src/jit/BaselineJIT.cpp
@ -892,7 +892,7 @@ ion::ToggleBaselineSPS(JSRuntime *runtime, bool enable)
 }

 static void
-MarkActiveBaselineScripts(JSContext *cx, const JitActivationIterator &activation)
+MarkActiveBaselineScripts(JSRuntime *rt, const JitActivationIterator &activation)
 {
    for (ion::IonFrameIterator iter(activation); !iter.done(); ++iter) {
        switch (iter.type()) {
@ -903,7 +903,7 @@ MarkActiveBaselineScripts(JSContext *cx, const JitActivationIterator &activation
            // Keep the baseline script around, since bailouts from the ion
            // jitcode might need to re-enter into the baseline jitcode.
            iter.script()->baselineScript()->setActive();
-            for (InlineFrameIterator inlineIter(cx, &iter); inlineIter.more(); ++inlineIter)
+            for (InlineFrameIterator inlineIter(rt, &iter); inlineIter.more(); ++inlineIter)
                inlineIter.script()->baselineScript()->setActive();
            break;
          }
@ -915,19 +915,9 @@ MarkActiveBaselineScripts(JSContext *cx, const JitActivationIterator &activation
 void
 ion::MarkActiveBaselineScripts(Zone *zone)
 {
-    // First check if there is a JitActivation on the stack, so that there
-    // must be a valid IonContext.
-    JitActivationIterator iter(zone->runtimeFromMainThread());
-    if (iter.done())
-        return;
-
-    // If baseline is disabled, there are no baseline scripts on the stack.
-    JSContext *cx = GetIonContext()->cx;
-    if (!ion::IsBaselineEnabled(cx))
-        return;
-
-    for (; !iter.done(); ++iter) {
+    JSRuntime *rt = zone->runtimeFromMainThread();
+    for (JitActivationIterator iter(rt); !iter.done(); ++iter) {
        if (iter.activation()->compartment()->zone() == zone)
-            MarkActiveBaselineScripts(cx, iter);
+            MarkActiveBaselineScripts(rt, iter);
    }
 }
--- a/js/src/jit/IonFrameIterator.h
+++ b/js/src/jit/IonFrameIterator.h
@ -342,6 +342,13 @@ class InlineFrameIteratorMaybeGC
        resetOn(iter);
    }

+    InlineFrameIteratorMaybeGC(JSRuntime *rt, const IonFrameIterator *iter)
+      : callee_(rt),
+        script_(rt)
+    {
+        resetOn(iter);
+    }
+
    InlineFrameIteratorMaybeGC(JSContext *cx, const IonBailoutIterator *iter);

    InlineFrameIteratorMaybeGC(JSContext *cx, const InlineFrameIteratorMaybeGC *iter)