Attachment #8385964: Patch for bug #979721


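--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -1335,34 +1335,34 @@ jit::BailoutIonToBaseline(JSContext *cx,
     BailoutKind bailoutKind = snapIter.bailoutKind();
 
     if (!startFrameFormals.empty()) {
         // Set the first frame's formals, see the comment in InitFromBailout.
         Value *argv = builder.startFrame()->argv() + 1; // +1 to skip |this|.
         mozilla::PodCopy(argv, startFrameFormals.begin(), startFrameFormals.length());
     }
 
-    // Take the reconstructed baseline stack so it doesn't get freed when builder destructs.
-    BaselineBailoutInfo *info = builder.takeBuffer();
-    info->numFrames = frameNo + 1;
-
     // Do stack check.
     bool overRecursed = false;
+    BaselineBailoutInfo *info = builder.info();
     uint8_t *newsp = info->incomingStack - (info->copyStackTop - info->copyStackBottom);
 #ifdef JS_ARM_SIMULATOR
     if (Simulator::Current()->overRecursed(uintptr_t(newsp)))
         overRecursed = true;
 #else
     JS_CHECK_RECURSION_WITH_SP_DONT_REPORT(cx, newsp, overRecursed = true);
 #endif
     if (overRecursed) {
         IonSpew(IonSpew_BaselineBailouts, "  Overrecursion check failed!");
         return BAILOUT_RETURN_OVERRECURSED;
     }
 
+    // Take the reconstructed baseline stack so it doesn't get freed when builder destructs.
+    info = builder.takeBuffer();
+    info->numFrames = frameNo + 1;
     info->bailoutKind = bailoutKind;
     *bailoutInfo = info;
     return BAILOUT_RETURN_OK;
 }
 
 static bool
 HandleBoundsCheckFailure(JSContext *cx, HandleScript outerScript, HandleScript innerScript)
 {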
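Review bot: The relocated comment above `info = builder.takeBuffer();` no longer says why the take happens this late, and that ordering is the whole point of the change: on the `BAILOUT_RETURN_OVERRECURSED` path the buffer has to stay owned by `builder`, presumably so that its destructor frees it. I would reword it to `// Take ownership only after the stack check; the early return above must leave the buffer with builder.` The earlier `builder.info()` result is only read to compute `newsp`, so a short comment there marking it as a non-owning peek would help keep a later edit from moving the take back above the check. BailoutIonToBaseline starts outside this hunk, so any other early returns between buffer construction and the take were not checked.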
