Bug 1083781 - Remove AutoEnterAnalysis from Recover instructions. r=bhackett

This revert some of the modifications made by Bug 1006899, Bug 1054241,
Bug 1057598 and Bug 1064358 as it is now safe to iterate the stack during a
bailout.

js/src/jit/Recover.cpp

@@ -874,13 +874,8 @@ RStringSplit::recover(JSContext *cx, SnapshotIterator &iter) const
     RootedString str(cx, iter.read().toString());
     RootedString sep(cx, iter.read().toString());
     RootedTypeObject typeObj(cx, iter.read().toObject().type());
-
     RootedValue result(cx);
 
-    // Use AutoEnterAnalysis to avoid invoking the object metadata callback,
-    // which could try to walk the stack while bailing out.
-    types::AutoEnterAnalysis enter(cx);
-
     JSObject *res = str_split_string(cx, typeObj, str, sep);
     if (!res)
         return false;
@@ -1008,10 +1003,6 @@ RNewObject::recover(JSContext *cx, SnapshotIterator &iter) const
     RootedValue result(cx);
     JSObject *resultObject = nullptr;
 
-    // Use AutoEnterAnalysis to avoid invoking the object metadata callback
-    // while bailing out, which could try to walk the stack.
-    types::AutoEnterAnalysis enter(cx);
-
     // See CodeGenerator::visitNewObjectVMCall
     if (templateObjectIsClassPrototype_)
         resultObject = NewInitObjectWithClassPrototype(cx, templateObject);
@@ -1049,10 +1040,6 @@ RNewArray::recover(JSContext *cx, SnapshotIterator &iter) const
     RootedValue result(cx);
     RootedTypeObject type(cx);
 
-    // Use AutoEnterAnalysis to avoid invoking the object metadata callback
-    // while bailing out, which could try to walk the stack.
-    types::AutoEnterAnalysis enter(cx);
-
     // See CodeGenerator::visitNewArrayCallVM
     if (!templateObject->hasSingletonType())
         type = templateObject->type();
@@ -1084,10 +1071,6 @@ RNewDerivedTypedObject::recover(JSContext *cx, SnapshotIterator &iter) const
     Rooted<TypedObject *> owner(cx, &iter.read().toObject().as<TypedObject>());
     int32_t offset = iter.read().toInt32();
 
-    // Use AutoEnterAnalysis to avoid invoking the object metadata callback
-    // while bailing out, which could try to walk the stack.
-    types::AutoEnterAnalysis enter(cx);
-
     JSObject *obj = OutlineTypedObject::createDerived(cx, descr, owner, offset);
     if (!obj)
         return false;
@@ -1116,10 +1099,6 @@ RCreateThisWithTemplate::recover(JSContext *cx, SnapshotIterator &iter) const
 {
     RootedNativeObject templateObject(cx, &iter.read().toObject().as<NativeObject>());
 
-    // Use AutoEnterAnalysis to avoid invoking the object metadata callback
-    // while bailing out, which could try to walk the stack.
-    types::AutoEnterAnalysis enter(cx);
-
     // See CodeGenerator::visitCreateThisWithTemplate
     gc::AllocKind allocKind = templateObject->asTenured().getAllocKind();
     gc::InitialHeap initialHeap = tenuredHeap_ ? gc::TenuredHeap : gc::DefaultHeap;

js/src/jsobjinlines.h

@@ -779,8 +779,7 @@ static MOZ_ALWAYS_INLINE bool
 NewObjectMetadata(ExclusiveContext *cxArg, JSObject **pmetadata)
 {
     // The metadata callback is invoked before each created object, except when
-    // analysis/compilation is active, to avoid recursion.  It is also skipped
-    // when we allocate objects during a bailout, to prevent stack iterations.
+    // analysis/compilation is active, to avoid recursion.
     MOZ_ASSERT(!*pmetadata);
     if (JSContext *cx = cxArg->maybeJSContext()) {
         if (MOZ_UNLIKELY((size_t)cx->compartment()->hasObjectMetadataCallback()) &&