authorMoonchild <moonchild@palemoon.org>2023-06-01 18:45:35 +0200
committerMoonchild <moonchild@palemoon.org>2023-06-05 21:17:13 +0200
commitae1d53ceb18c2eb9dd74a0d5b05854ec909edf2e (patch)
tree314c74e79173d8879f047bbe76eaf9bd581c75ad
parentc3f4709d5e72233005f9bbe2759e26fc2143e3bb (diff)
downloaduxp-ae1d53ceb18c2eb9dd74a0d5b05854ec909edf2e.tar.gz
Issue #2257 - Remove rematerialized frames after bailouts and exceptions.
This ensures that rematerialized frames used by the devtools debugger are properly removed so that no stale data is used during bailouts.
-rw-r--r--js/src/jit/BaselineBailouts.cpp22
-rw-r--r--js/src/jit/JitFrames.cpp5
-rw-r--r--js/src/vm/Stack.cpp2
3 files changed, 25 insertions, 4 deletions
diff --git a/js/src/jit/BaselineBailouts.cpp b/js/src/jit/BaselineBailouts.cpp
index ffeb07a058..30c83a5042 100644
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -1803,6 +1803,14 @@ jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfo)
MOZ_ASSERT(numFrames > 0);
BailoutKind bailoutKind = bailoutInfo->bailoutKind;
bool checkGlobalDeclarationConflicts = bailoutInfo->checkGlobalDeclarationConflicts;
+ uint8_t* incomingStack = bailoutInfo->incomingStack;
+
+ // We have to get rid of the rematerialized frame, whether it is
+ // restored or unwound.
+ auto guardRemoveRematerializedFramesFromDebugger = mozilla::MakeScopeExit([&] {
+ JitActivation* act = cx->activation()->asJit();
+ act->removeRematerializedFramesFromDebugger(cx, incomingStack);
+ });
// Free the bailout buffer.
js_free(bailoutInfo);
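Review bot: The scope-exit guard added here also fires on the successful path whenever `release()` is never reached — as far as the third hunk shows, `release()` only happens inside the block that copies rematerialized frames, so a bailout with nothing rematerialized for `incomingStack` ends with a table lookup for an entry that does not exist. That is harmless if `removeRematerializedFramesFromDebugger` tolerates a miss (the Stack.cpp hunk shows it only acts on a successful `lookup`), but the comment above the guard mentions only the restored/unwound cases; I would extend it: `// Also runs on success when nothing was rematerialized for this frame; the lookup then simply misses.` Note that the guard captures `cx` and `incomingStack` by reference and is released only in a later hunk, so `incomingStack` must stay unmodified between here and there. FinishBailoutToBaseline begins before this hunk.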
@@ -1876,6 +1884,7 @@ jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfo)
if (frameno == numFrames - 1) {
outerScript = frame->script();
outerFp = iter.fp();
+ MOZ_ASSERT(outerFp == incomingStack);
}
frameno++;
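Review bot: `MOZ_ASSERT(outerFp == incomingStack)` is the invariant the new scope-exit guard depends on — the guard removes the frames keyed by `incomingStack` while the copy loop in the next hunk works on `outerFp` — but it is compiled out of release builds, so a divergence there would silently leave stale rematerialized frames in the table, which is exactly the condition this commit is fixing. If the two are equal by construction, a short comment next to the assert would make that explicit: `// The scope-exit guard keys on incomingStack; it must be the outermost frame we copy into.` Otherwise consider `MOZ_RELEASE_ASSERT` here. The enclosing loop and function continue outside this hunk.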
@@ -1902,18 +1911,23 @@ jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfo)
// We must attempt to copy all rematerialized frames over,
// even if earlier ones failed, to invoke the proper frame
// cleanup in the Debugger.
- ok = CopyFromRematerializedFrame(cx, act, outerFp, --inlineDepth,
- iter.baselineFrame());
+ if (!CopyFromRematerializedFrame(cx, act, outerFp, --inlineDepth,
+ iter.baselineFrame()))
+ {
+ ok = false;
+ }
}
++iter;
}
+ if (!ok)
+ return false;
+
// After copying from all the rematerialized frames, remove them from
// the table to keep the table up to date.
+ guardRemoveRematerializedFramesFromDebugger.release();
act->removeRematerializedFrame(outerFp);
- if (!ok)
- return false;
}
JitSpew(JitSpew_BaselineBailouts,
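Review bot: The rewrite of the copy loop makes `ok` sticky — a later successful `CopyFromRematerializedFrame` no longer overwrites an earlier failure — and the early `return false` now runs before `release()`, so the guard performs the debugger cleanup on the failure path while the success path does it through `removeRematerializedFrame(outerFp)`. None of this is written down, and the existing comment above the loop reads as if a plain assignment were enough; I would add `// Keep ok sticky: a later successful copy must not mask an earlier failure.` above the new `if`, and `// On failure the scope-exit guard removes the frames from the debugger instead.` above `if (!ok)`. The block closed by the final `}` and the rest of FinishBailoutToBaseline lie outside this hunk.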
diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
index 6f159151d4..c343800e0d 100644
--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
@@ -888,7 +888,12 @@ HandleException(ResumeFromException* rfe)
++frames;
}
+ // Remove left-over state which might have been needed for bailout.
activation->removeIonFrameRecovery(iter.jsFrame());
+ activation->removeRematerializedFrame(iter.fp());
+
+ // If invalidated, decrement the number of frames remaining on the
+ // stack for the given IonScript.
if (invalidated)
ionScript->decrementInvalidationCount(cx->runtime()->defaultFreeOp());
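Review bot: `activation->removeRematerializedFrame(iter.fp())` presumably frees the rematerialized frames without the Debugger notification that `removeRematerializedFramesFromDebugger` performs in the Stack.cpp hunk (`handleUnrecoverableIonBailoutError` before `FreeInVector`), so this is only safe if any Debugger.Frame referring to these frames has already been detached earlier in the exception path; that cannot be seen from this hunk. If that is the case, the new comment should state the precondition: `// Remove left-over state which might have been needed for bailout. Any Debugger.Frame for these rematerialized frames must already have been cleaned up by the exception handling above.` HandleException begins and ends outside this hunk.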
diff --git a/js/src/vm/Stack.cpp b/js/src/vm/Stack.cpp
index 75d82055ad..ef82ad3968 100644
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@@ -1584,6 +1584,8 @@ jit::JitActivation::removeRematerializedFramesFromDebugger(JSContext* cx, uint8_
if (RematerializedFrameTable::Ptr p = rematerializedFrames_->lookup(top)) {
for (uint32_t i = 0; i < p->value().length(); i++)
Debugger::handleUnrecoverableIonBailoutError(cx, p->value()[i]);
+ RematerializedFrame::FreeInVector(p->value());
+ rematerializedFrames_->remove(p);
}
}
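Review bot: After this change `removeRematerializedFramesFromDebugger` does more than its name says — it notifies the Debugger, frees the frames, and drops the table entry — and the bailout path now relies on all three happening in that order from a scope-exit guard. The loop calls `handleUnrecoverableIonBailoutError` on each frame before `FreeInVector`, which is the right order, but if that call can re-enter this table the `Ptr p` passed to `remove(p)` could be stale; worth confirming. A comment on the function (its header is above this hunk) documenting the new contract would help: `Notify the Debugger about every rematerialized frame at |top|, then free the frames and remove the table entry; a missing entry is a no-op.`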