Bug 1618880 - Fix GC hazard in jit::InvalidateActivation. r=jonco

Differential Revision: https://phabricator.services.mozilla.com/D66815 --HG-- extra : moz-landing-system : lando
2024-10-18 15:55:36 +00:00 · 2020-03-14 11:09:25 +00:00 · 2020-03-14 11:09:25 +00:00 · 4a2e100a77
commit 4a2e100a77
parent bc8997ee18
5 changed files with 28 additions and 2 deletions
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@ -2427,7 +2427,7 @@ static void InvalidateActivation(JSFreeOp* fop,
        } else if (frame.isBailoutJS()) {
          type = "Bailing";
        }
-        JSScript* script = MaybeForwarded(frame.script());
+        JSScript* script = frame.maybeForwardedScript();
        JitSpew(JitSpew_IonInvalidate,
                "#%zu %s JS frame @ %p, %s:%u:%u (fun: %p, script: %p, pc %p)",
                frameno, type, frame.fp(), script->maybeForwardedFilename(),
@ -2467,7 +2467,7 @@ static void InvalidateActivation(JSFreeOp* fop,
      continue;
    }

-    JSScript* script = MaybeForwarded(frame.script());
+    JSScript* script = frame.maybeForwardedScript();
    if (!script->hasIonScript()) {
      continue;
    }
--- a/js/src/jit/JSJitFrameIter.cpp
+++ b/js/src/jit/JSJitFrameIter.cpp
@ -114,6 +114,16 @@ JSScript* JSJitFrameIter::script() const {
  return script;
 }

+JSScript* JSJitFrameIter::maybeForwardedScript() const {
+  MOZ_ASSERT(isScripted());
+  if (isBaselineJS()) {
+    return MaybeForwardedScriptFromCalleeToken(baselineFrame()->calleeToken());
+  }
+  JSScript* script = MaybeForwardedScriptFromCalleeToken(calleeToken());
+  MOZ_ASSERT(script);
+  return script;
+}
+
 void JSJitFrameIter::baselineScriptAndPc(JSScript** scriptRes,
                                         jsbytecode** pcRes) const {
  MOZ_ASSERT(isBaselineJS());
--- a/js/src/jit/JSJitFrameIter.h
+++ b/js/src/jit/JSJitFrameIter.h
@ -186,6 +186,7 @@ class JSJitFrameIter {
  JSFunction* maybeCallee() const;
  unsigned numActualArgs() const;
  JSScript* script() const;
+  JSScript* maybeForwardedScript() const;
  void baselineScriptAndPc(JSScript** scriptRes, jsbytecode** pcRes) const;
  Value* actualArgs() const;

--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
@ -730,6 +730,19 @@ void EnsureBareExitFrame(JitActivation* act, JitFrameLayout* frame) {
  MOZ_ASSERT(exitFrame->isBareExit());
 }

+JSScript* MaybeForwardedScriptFromCalleeToken(CalleeToken token) {
+  switch (GetCalleeTokenTag(token)) {
+    case CalleeToken_Script:
+      return MaybeForwarded(CalleeTokenToScript(token));
+    case CalleeToken_Function:
+    case CalleeToken_FunctionConstructing: {
+      JSFunction* fun = MaybeForwarded(CalleeTokenToFunction(token));
+      return MaybeForwarded(fun)->nonLazyScript();
+    }
+  }
+  MOZ_CRASH("invalid callee token tag");
+}
+
 CalleeToken TraceCalleeToken(JSTracer* trc, CalleeToken token) {
  switch (CalleeTokenTag tag = GetCalleeTokenTag(token)) {
    case CalleeToken_Function:
--- a/js/src/jit/JitFrames.h
+++ b/js/src/jit/JitFrames.h
@ -74,6 +74,8 @@ static inline JSScript* ScriptFromCalleeToken(CalleeToken token) {
  MOZ_CRASH("invalid callee token tag");
 }

+JSScript* MaybeForwardedScriptFromCalleeToken(CalleeToken token);
+
 // In between every two frames lies a small header describing both frames. This
 // header, minimally, contains a returnAddress word and a descriptor word. The
 // descriptor describes the size and type of the previous frame, whereas the