authorMoonchild <moonchild@palemoon.org>2023-06-01 18:45:35 +0200
committerMoonchild <moonchild@palemoon.org>2023-06-01 18:45:35 +0200
commit4253a2a89367278483b9f5c033a7832944419ef7 (patch)
tree3f8f5da97cf2a9195bdd99b29022eb9febeade98 /js/src/jit/BaselineBailouts.cpp
parent6e35a8566e2a91242b54e2b21256317e00a934bb (diff)
downloaduxp-4253a2a89367278483b9f5c033a7832944419ef7.tar.gz
Issue #2257 - Remove rematerialized frames after bailouts and exceptions.
This ensures that rematerialized frames used by the devtools debugger are properly removed so that no stale data is used during bailouts.
Diffstat (limited to 'js/src/jit/BaselineBailouts.cpp')
-rw-r--r--js/src/jit/BaselineBailouts.cpp22
1 files changed, 18 insertions, 4 deletions
diff --git a/js/src/jit/BaselineBailouts.cpp b/js/src/jit/BaselineBailouts.cpp
index ffeb07a058..30c83a5042 100644
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -1803,6 +1803,14 @@ jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfo)
MOZ_ASSERT(numFrames > 0);
BailoutKind bailoutKind = bailoutInfo->bailoutKind;
bool checkGlobalDeclarationConflicts = bailoutInfo->checkGlobalDeclarationConflicts;
+ uint8_t* incomingStack = bailoutInfo->incomingStack;
+
+ // We have to get rid of the rematerialized frame, whether it is
+ // restored or unwound.
+ auto guardRemoveRematerializedFramesFromDebugger = mozilla::MakeScopeExit([&] {
+ JitActivation* act = cx->activation()->asJit();
+ act->removeRematerializedFramesFromDebugger(cx, incomingStack);
+ });
// Free the bailout buffer.
js_free(bailoutInfo);
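Review bot: The scope-exit lambda captures with `[&]`, which hides the lifetime rule it depends on: `bailoutInfo` is released by `js_free` directly below, while the guard body runs only when the function exits. Capturing exactly what it needs, `mozilla::MakeScopeExit([cx, incomingStack] {`, makes that explicit and keeps a later edit from reading the freed buffer inside the guard. A comment on the copy, such as `// Copied out now: bailoutInfo is freed below, but the guard runs at function exit.`, would record why the local exists. The body of FinishBailoutToBaseline continues outside this hunk.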
@@ -1876,6 +1884,7 @@ jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfo)
if (frameno == numFrames - 1) {
outerScript = frame->script();
outerFp = iter.fp();
+ MOZ_ASSERT(outerFp == incomingStack);
}
frameno++;
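Review bot: `MOZ_ASSERT(outerFp == incomingStack)` is compiled out of release builds, yet the two cleanup paths depend on that equality: the guard removes frames keyed by `incomingStack`, while the success path in the last hunk calls `removeRematerializedFrame(outerFp)`. If the two values could ever differ, a release build would clean up under one key and leave an entry under the other, which is the stale state this commit sets out to remove. Consider `MOZ_RELEASE_ASSERT(outerFp == incomingStack);`, or use a single key for both removals so the invariant holds by construction. The enclosing loop starts and ends outside the hunk.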
@@ -1902,18 +1911,23 @@ jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfo)
// We must attempt to copy all rematerialized frames over,
// even if earlier ones failed, to invoke the proper frame
// cleanup in the Debugger.
- ok = CopyFromRematerializedFrame(cx, act, outerFp, --inlineDepth,
- iter.baselineFrame());
+ if (!CopyFromRematerializedFrame(cx, act, outerFp, --inlineDepth,
+ iter.baselineFrame()))
+ {
+ ok = false;
+ }
}
++iter;
}
+ if (!ok)
+ return false;
+
// After copying from all the rematerialized frames, remove them from
// the table to keep the table up to date.
+ guardRemoveRematerializedFramesFromDebugger.release();
act->removeRematerializedFrame(outerFp);
- if (!ok)
- return false;
}
JitSpew(JitSpew_BaselineBailouts,
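Review bot: The early `if (!ok) return false;` no longer reaches `act->removeRematerializedFrame(outerFp)`, so on failure the table entry is cleaned up only if the guard's `removeRematerializedFramesFromDebugger(cx, incomingStack)` also erases it; that function is not visible in this diff. A comment at the return would state the reliance, for example `// The scope-exit guard removes the rematerialized frames for incomingStack.` The `release()` line deserves a matching note that the frames were already copied back above, so only the table entry remains to be dropped. The enclosing `if` block opens outside the hunk, so whether the guard still fires when that block is skipped cannot be confirmed from here.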