author | Moonchild <moonchild@palemoon.org> | 2023-06-01 18:45:35 +0200 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2023-06-05 21:17:13 +0200 |
commit | ae1d53ceb18c2eb9dd74a0d5b05854ec909edf2e (patch) | |
tree | 314c74e79173d8879f047bbe76eaf9bd581c75ad | |
parent | c3f4709d5e72233005f9bbe2759e26fc2143e3bb (diff) | |
download | uxp-ae1d53ceb18c2eb9dd74a0d5b05854ec909edf2e.tar.gz |
Issue #2257 - Remove rematerialized frames after bailouts and exceptions.
This ensures that rematerialized frames used by the devtools debugger
are properly removed so that no stale data is used during bailouts.
-rw-r--r-- | js/src/jit/BaselineBailouts.cpp | 22 | ||||
-rw-r--r-- | js/src/jit/JitFrames.cpp | 5 | ||||
-rw-r--r-- | js/src/vm/Stack.cpp | 2 |
3 files changed, 25 insertions, 4 deletions
diff --git a/js/src/jit/BaselineBailouts.cpp b/js/src/jit/BaselineBailouts.cpp
index ffeb07a058..30c83a5042 100644
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -1803,6 +1803,14 @@ jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfo)
 MOZ_ASSERT(numFrames > 0);
 BailoutKind bailoutKind = bailoutInfo->bailoutKind;
 bool checkGlobalDeclarationConflicts = bailoutInfo->checkGlobalDeclarationConflicts;
+ uint8_t* incomingStack = bailoutInfo->incomingStack;
+
+ // We have to get rid of the rematerialized frame, whether it is
+ // restored or unwound.
+ auto guardRemoveRematerializedFramesFromDebugger = mozilla::MakeScopeExit([&] {
+ JitActivation* act = cx->activation()->asJit();
+ act->removeRematerializedFramesFromDebugger(cx, incomingStack);
+ });
 // Free the bailout buffer.
 js_free(bailoutInfo);
@@ -1876,6 +1884,7 @@ jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfo)
 if (frameno == numFrames - 1) {
 outerScript = frame->script();
 outerFp = iter.fp();
+ MOZ_ASSERT(outerFp == incomingStack);
 }
 frameno++;
@@ -1902,18 +1911,23 @@ jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfo)
 // We must attempt to copy all rematerialized frames over,
 // even if earlier ones failed, to invoke the proper frame
 // cleanup in the Debugger.
- ok = CopyFromRematerializedFrame(cx, act, outerFp, --inlineDepth,
- iter.baselineFrame());
+ if (!CopyFromRematerializedFrame(cx, act, outerFp, --inlineDepth,
+ iter.baselineFrame()))
+ {
+ ok = false;
+ }
 }
 ++iter;
 }
+ if (!ok)
+ return false;
+
 // After copying from all the rematerialized frames, remove them from
 // the table to keep the table up to date.
+ guardRemoveRematerializedFramesFromDebugger.release();
 act->removeRematerializedFrame(outerFp);
- if (!ok)
- return false;
 }
 JitSpew(JitSpew_BaselineBailouts,
diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
index 6f159151d4..c343800e0d 100644
--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
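Review bot: The new early `if (!ok) return false;` in the third hunk leaves the table entry for `outerFp` in place and relies on the scope guard added in the first hunk to tear it down through `removeRematerializedFramesFromDebugger`, but nothing at the return site says so, and a reader will wonder why `act->removeRematerializedFrame(outerFp)` is skipped on failure. Suggest `// On failure the scope guard above removes the frames via the Debugger.` directly above the return. That guard calls `Debugger::handleUnrecoverableIonBailoutError` for every frame under `incomingStack`, including the ones `CopyFromRematerializedFrame` already processed successfully, so this presumably depends on that hook being harmless for frames the Debugger has already taken over; worth confirming and stating in the same comment. The new `MOZ_ASSERT(outerFp == incomingStack)` in the second hunk is what makes the `release()` / `removeRematerializedFrame(outerFp)` pairing cover the same entry the guard would have, so it is the right invariant to pin. FinishBailoutToBaseline continues outside the hunks.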
@@ -888,7 +888,12 @@ HandleException(ResumeFromException* rfe)
 ++frames;
 }
+ // Remove left-over state which might have been needed for bailout.
 activation->removeIonFrameRecovery(iter.jsFrame());
+ activation->removeRematerializedFrame(iter.fp());
+
+ // If invalidated, decrement the number of frames remaining on the
+ // stack for the given IonScript.
 if (invalidated) ionScript->decrementInvalidationCount(cx->runtime()->defaultFreeOp());
diff --git a/js/src/vm/Stack.cpp b/js/src/vm/Stack.cpp
index 75d82055ad..ef82ad3968 100644
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@@ -1584,6 +1584,8 @@ jit::JitActivation::removeRematerializedFramesFromDebugger(JSContext* cx, uint8_
 if (RematerializedFrameTable::Ptr p = rematerializedFrames_->lookup(top)) {
 for (uint32_t i = 0; i < p->value().length(); i++) Debugger::handleUnrecoverableIonBailoutError(cx, p->value()[i]);
+ RematerializedFrame::FreeInVector(p->value());
+ rematerializedFrames_->remove(p);
 }
 } |
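Review bot: The added `activation->removeRematerializedFrame(iter.fp());` frees the frames without the Debugger notification that the bailout path gets through `removeRematerializedFramesFromDebugger`, and the new comment `// Remove left-over state which might have been needed for bailout.` does not say why that is safe on the exception path. Presumably the unwind loop that ends with `++frames;` has already run the Debugger's frame hooks for these frames; if so, state it, e.g. `// The Debugger has already seen these frames unwind; only the table entry (and the frames it owns) is left to free.` If a Debugger.Frame can still reference one of these frames here, the Debugger-notifying variant is the one to call, since the frames are freed immediately. HandleException's body starts and ends outside the hunk.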
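Review bot: With the two added lines `removeRematerializedFramesFromDebugger` becomes destructive — it frees every RematerializedFrame under `top` and drops the table entry — so any `RematerializedFrame*` a caller obtained for `top` before the call is dangling afterwards, and the function's header comment (outside the hunk) should say so; the BaselineBailouts.cpp caller invokes it from a scope guard at function exit, which is the only point at which no such pointer may still be live. The table pointer `p` is also held across the `Debugger::handleUnrecoverableIonBailoutError` loop and then passed to `rematerializedFrames_->remove(p)`, which is sound only if that hook cannot insert into or remove from `rematerializedFrames_`; I cannot verify that from here, so a line above the loop such as `// The Debugger hook must not touch rematerializedFrames_; p stays valid across it.` would pin the assumption. Only a truncated signature line is visible in the hunk header.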