Closed Bug 973574 Opened 10 years ago Closed 10 years ago

AutoDebugModeInvalidation can call FinishDiscardJitCode if it didn't discard JIT code

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30

People

(Reporter: jandem, Assigned: jandem)

References

Details

Attachments

(1 file)

Patch
747 bytes, patch
shu
: review+
Details | Diff | Splinter Review
Attached patch PatchSplinter Review 
~AutoDebugModeInvalidation does not discard JIT code if !comp->principals, but it does call FinishDiscardJitCode in this case. This will crash as we'll free optimized Baseline stubs without unlinking them first.

This is causing some jit-test failures with bug 939562, as we can now compile code in the self-hosting compartment.

Shu, I was wondering, why is it ok to keep JIT code in these compartments? Because we never debug them?
Attachment #8377102 - Flags: review?(shu)
Comment on attachment 8377102 [details] [diff] [review]
Patch

The review tool isn't working for me on BMO for some reason. Luckily this patch is small.

Jan, nice catch! The reason that we only discard JIT code for compartments with principals is that JSD1, which is compartment-oblivious and blindly toggles debug mode for all compartments, only turns on debug mode for compartments w/ principals (http://dxr.mozilla.org/mozilla-central/source/js/src/vm/OldDebugAPI.cpp?from=JS_SetDebugModeForAllCompartments#181). For JSD2, which is compartment-specific, any compartment we flip debug mode on via JSD2 is guaranteed to have principals.
Attachment #8377102 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/e007e58149c5
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: