Bug 977181 - Don't push/assume IonContext when executing JIT code (r=jandem)

--HG-- extra : rebase_source : ffdd773736657d11a67ef4e7f7110f61594d6d1f
2014-02-26 17:38:24 -06:00 · 2014-02-26 17:38:24 -06:00 · 6fa2286415
--- a/js/src/jit/AsmJSLink.cpp
+++ b/js/src/jit/AsmJSLink.cpp
@ -426,7 +426,6 @@ CallAsmJS(JSContext *cx, unsigned argc, Value *vp)
        // Eagerly push an IonContext+JitActivation so that the optimized
        // asm.js-to-Ion FFI call path (which we want to be very fast) can
        // avoid doing so.
-        jit::IonContext ictx(cx, nullptr);
        JitActivation jitActivation(cx, /* firstFrameIsConstructing = */ false, /* active */ false);

        // Call the per-exported-function trampoline created by GenerateEntry.
--- a/js/src/jit/Bailouts.cpp
+++ b/js/src/jit/Bailouts.cpp
@ -49,7 +49,7 @@ void
 IonBailoutIterator::dump() const
 {
    if (type_ == IonFrame_OptimizedJS) {
-        InlineFrameIterator frames(GetIonContext()->cx, this);
+        InlineFrameIterator frames(GetJSContextFromJitCode(), this);
        for (;;) {
            frames.dump();
            if (!frames.more())
@ -64,8 +64,9 @@ IonBailoutIterator::dump() const
 uint32_t
 jit::Bailout(BailoutStack *sp, BaselineBailoutInfo **bailoutInfo)
 {
+    JSContext *cx = GetJSContextFromJitCode();
    JS_ASSERT(bailoutInfo);
-    JSContext *cx = GetIonContext()->cx;
+
    // We don't have an exit frame.
    cx->mainThread().ionTop = nullptr;
    JitActivationIterator jitActivations(cx->runtime());
@ -95,7 +96,7 @@ jit::InvalidationBailout(InvalidationBailoutStack *sp, size_t *frameSizeOut,
 {
    sp->checkInvariants();

-    JSContext *cx = GetIonContext()->cx;
+    JSContext *cx = GetJSContextFromJitCode();

    // We don't have an exit frame.
    cx->mainThread().ionTop = nullptr;
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@ -1416,7 +1416,7 @@ jit::FinishBailoutToBaseline(BaselineBailoutInfo *bailoutInfo)
 {
    // The caller pushes R0 and R1 on the stack without rooting them.
    // Since GC here is very unlikely just suppress it.
-    JSContext *cx = GetIonContext()->cx;
+    JSContext *cx = GetJSContextFromJitCode();
    js::gc::AutoSuppressGC suppressGC(cx);

    IonSpew(IonSpew_BaselineBailouts, "  Done restoring frames");
--- a/js/src/jit/BaselineFrame.cpp
+++ b/js/src/jit/BaselineFrame.cpp
@ -183,7 +183,7 @@ BaselineFrame::initForOsr(StackFrame *fp, uint32_t numStackValues)
    for (uint32_t i = 0; i < numStackValues; i++)
        *valueSlot(i) = fp->slots()[i];

-    JSContext *cx = GetIonContext()->cx;
+    JSContext *cx = GetJSContextFromJitCode();
    if (cx->compartment()->debugMode()) {
        // In debug mode, update any Debugger.Frame objects for the StackFrame to
        // point to the BaselineFrame.
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@ -577,6 +577,7 @@ ICStubCompiler::getStubCode()
        return stubCode;

    // Compile new stubcode.
+    IonContext ictx(cx, nullptr);
    MacroAssembler masm;
 #ifdef JS_CODEGEN_ARM
    masm.setSecondScratchReg(BaselineSecondScratchReg);
--- a/js/src/jit/BaselineJIT.cpp
+++ b/js/src/jit/BaselineJIT.cpp
@ -108,7 +108,6 @@ EnterBaseline(JSContext *cx, EnterJitData &data)
    data.result.setInt32(data.numActualArgs);
    {
        AssertCompartmentUnchanged pcc(cx);
-        IonContext ictx(cx, nullptr);
        JitActivation activation(cx, data.constructing);
        JSAutoResolveFlags rf(cx, RESOLVE_INFER);
        AutoFlushInhibitor afi(cx->runtime()->jitRuntime());
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@ -2227,7 +2227,6 @@ EnterIon(JSContext *cx, EnterJitData &data)
    data.result.setInt32(data.numActualArgs);
    {
        AssertCompartmentUnchanged pcc(cx);
-        IonContext ictx(cx, nullptr);
        JitActivation activation(cx, data.constructing);
        JSAutoResolveFlags rf(cx, RESOLVE_INFER);
        AutoFlushInhibitor afi(cx->runtime()->jitRuntime());
--- a/js/src/jit/IonFrames.cpp
+++ b/js/src/jit/IonFrames.cpp
@ -571,7 +571,7 @@ HandleExceptionBaseline(JSContext *cx, const IonFrameIterator &frame, ResumeFrom
 void
 HandleException(ResumeFromException *rfe)
 {
-    JSContext *cx = GetIonContext()->cx;
+    JSContext *cx = GetJSContextFromJitCode();

    rfe->kind = ResumeFromException::RESUME_ENTRY_FRAME;

@ -1651,7 +1651,7 @@ InlineFrameIteratorMaybeGC<allowGC>::isConstructing() const
 {
    // Skip the current frame and look at the caller's.
    if (more()) {
-        InlineFrameIteratorMaybeGC<allowGC> parent(GetIonContext()->cx, this);
+        InlineFrameIteratorMaybeGC<allowGC> parent(GetJSContextFromJitCode(), this);
        ++parent;

        // Inlined Getters and Setters are never constructing.
@ -1681,7 +1681,7 @@ IonFrameIterator::isConstructing() const

    if (parent.isOptimizedJS()) {
        // In the case of a JS frame, look up the pc from the snapshot.
-        InlineFrameIterator inlinedParent(GetIonContext()->cx, &parent);
+        InlineFrameIterator inlinedParent(GetJSContextFromJitCode(), &parent);

        //Inlined Getters and Setters are never constructing.
        if (IsGetPropPC(inlinedParent.pc()) || IsSetPropPC(inlinedParent.pc()))
@ -1761,7 +1761,7 @@ IonFrameIterator::dumpBaseline() const
    fprintf(stderr, "  file %s line %u\n",
            script()->filename(), (unsigned) script()->lineno());

-    JSContext *cx = GetIonContext()->cx;
+    JSContext *cx = GetJSContextFromJitCode();
    RootedScript script(cx);
    jsbytecode *pc;
    baselineScriptAndPc(script.address(), &pc);
@ -1829,7 +1829,7 @@ InlineFrameIteratorMaybeGC<allowGC>::dump() const
            else {
                if (i - 2 == callee()->nargs() && numActualArgs() > callee()->nargs()) {
                    DumpOp d(callee()->nargs());
-                    forEachCanonicalActualArg(GetIonContext()->cx, d, d.i_, numActualArgs() - d.i_);
+                    forEachCanonicalActualArg(GetJSContextFromJitCode(), d, d.i_, numActualArgs() - d.i_);
                }

                fprintf(stderr, "  slot %d: ", int(i - 2 - callee()->nargs()));
@ -1866,7 +1866,7 @@ IonFrameIterator::dump() const
        break;
      case IonFrame_OptimizedJS:
      {
-        InlineFrameIterator frames(GetIonContext()->cx, this);
+        InlineFrameIterator frames(GetJSContextFromJitCode(), this);
        for (;;) {
            frames.dump();
            if (!frames.more())
--- a/js/src/vm/Interpreter-inl.h
+++ b/js/src/vm/Interpreter-inl.h
@ -659,7 +659,6 @@ class FastInvokeGuard
 #ifdef JS_ION
    // Constructing an IonContext is pretty expensive due to the TLS access,
    // so only do this if we have to.
-    mozilla::Maybe<jit::IonContext> ictx_;
    bool useIon_;
 #endif

@ -696,8 +695,6 @@ class FastInvokeGuard
                if (!script_)
                    return false;
            }
-            if (ictx_.empty())
-                ictx_.construct(cx, (js::jit::TempAllocator *)nullptr);
            JS_ASSERT(fun_->nonLazyScript() == script_);

            jit::MethodStatus status = jit::CanEnterUsingFastInvoke(cx, script_, args_.length());
--- a/js/src/vm/Runtime.h
+++ b/js/src/vm/Runtime.h
@ -1770,6 +1770,19 @@ struct JSRuntime : public JS::shadow::Runtime,

 namespace js {

+// When entering JIT code, the calling JSContext* is stored into the thread's
+// PerThreadData. This function retrieves the JSContext with the pre-condition
+// that the caller is JIT code or C++ called directly from JIT code. This
+// function should not be called from arbitrary locations since the JSContext
+// may be the wrong one.
+static inline JSContext *
+GetJSContextFromJitCode()
+{
+    JSContext *cx = TlsPerThreadData.get()->ionJSContext;
+    JS_ASSERT(cx);
+    return cx;
+}
+
 /*
 * Flags accompany script version data so that a) dynamically created scripts
 * can inherit their caller's compile-time properties and b) scripts can be