Bug 1108145 - Fix debug mode in-place Ion->Baseline bailout at loop heads. (r=jandem)

js/src/jit-test/tests/debug/bug1108556.js

@@ -0,0 +1,10 @@
+// |jit-test| error: ReferenceError
+
+var g = newGlobal();
+g.parent = this;
+g.eval("new Debugger(parent).onExceptionUnwind = function () { hits++; };");
+evaluate('\
+var fe="v";\
+for (i=0; String.fromCharCode(0x004E); i++)\
+  fe += fe;\
+', { compileAndGo : true });

js/src/jit/BaselineBailouts.cpp

@@ -1028,28 +1028,29 @@ InitFromBailout(JSContext *cx, HandleScript caller, jsbytecode *callerPC,
             // of exception propagation for debug mode. See note below.
             PCMappingSlotInfo slotInfo;
             uint8_t *nativeCodeForPC = baselineScript->maybeNativeCodeForPC(script, pc, &slotInfo);
-            unsigned numUnsynced;
+            unsigned numUnsynced = slotInfo.numUnsynced();
 
-            if (excInfo && excInfo->propagatingIonExceptionForDebugMode()) {
+            if (excInfo && excInfo->propagatingIonExceptionForDebugMode() && resumeAfter) {
                 // When propagating an exception for debug mode, set the
-                // return address as the return-from-IC for the throw, so that
-                // Debugger hooks report the correct pc offset of the throwing
-                // op instead of its successor.
+                // return address as the return-from-IC for the throwing op,
+                // so that Debugger hooks report the correct pc offset of the
+                // throwing op instead of its successor.
+                //
+                // This should not be done if we are at a resume-at point, as
+                // might be the case when propagating an exception thrown from
+                // an interrupt handler. That interrupt could have happened to
+                // interrupt at a loop head, which would have no ICEntry at
+                // that point.
                 //
                 // Note that we never resume into this address, it is set for
                 // the sake of frame iterators giving the correct answer.
                 ICEntry &icEntry = baselineScript->anyKindICEntryFromPCOffset(iter.pcOffset());
                 nativeCodeForPC = baselineScript->returnAddressForIC(icEntry);
-
-                // The pc after the throwing PC could be unreachable, in which
-                // case we have no native code for it and no slot info. But in
-                // that case, there are definitely no unsynced slots.
-                numUnsynced = nativeCodeForPC ? slotInfo.numUnsynced() : 0;
             } else {
                 MOZ_ASSERT(nativeCodeForPC);
-                numUnsynced = slotInfo.numUnsynced();
             }
 
+            MOZ_ASSERT(nativeCodeForPC);
             MOZ_ASSERT(numUnsynced <= 2);
             PCMappingSlotInfo::SlotLocation loc1, loc2;
             if (numUnsynced > 0) {

js/src/jit/JitFrames.cpp

@@ -417,10 +417,10 @@ HandleExceptionIon(JSContext *cx, const InlineFrameIterator &frame, ResumeFromEx
     RootedScript script(cx, frame.script());
     jsbytecode *pc = frame.pc();
 
-    if (cx->compartment()->isDebuggee()) {
-        // We need to bail when we are the debuggee of a Debugger with a live
-        // onExceptionUnwind hook, or if a Debugger has observed this frame
-        // (e.g., for onPop).
+    if (cx->compartment()->isDebuggee() && cx->isExceptionPending()) {
+        // We need to bail when there is a catchable exception, and we are the
+        // debuggee of a Debugger with a live onExceptionUnwind hook, or if a
+        // Debugger has observed this frame (e.g., for onPop).
         bool shouldBail = Debugger::hasLiveHook(cx->global(), Debugger::OnExceptionUnwind);
         if (!shouldBail) {
             JitActivation *act = cx->mainThread().activation()->asJit();