Bug 1146696 - Don't assume there are no arenas available after last ditch GC. r=terrence

--HG-- extra : rebase_source : 20fc89a49cda291b70b1155f78bf9aac51cb94e9
2015-03-30 11:03:35 +01:00 · 2015-03-30 11:03:35 +01:00 · eb57959ceb
--- a/js/src/gc/Allocator.cpp
+++ b/js/src/gc/Allocator.cpp
@ -232,7 +232,7 @@ GCRuntime::tryNewTenuredThing(ExclusiveContext* cx, AllocKind kind, size_t thing
 {
    T* t = reinterpret_cast<T*>(cx->arenas()->allocateFromFreeList(kind, thingSize));
    if (!t)
-        t = reinterpret_cast<T*>(refillFreeListFromAnyThread<allowGC>(cx, kind));
+        t = reinterpret_cast<T*>(refillFreeListFromAnyThread<allowGC>(cx, kind, thingSize));

    checkIncrementalZoneState(cx, t);
    TraceTenuredAlloc(t, kind);
@ -241,19 +241,19 @@ GCRuntime::tryNewTenuredThing(ExclusiveContext* cx, AllocKind kind, size_t thing

 template <AllowGC allowGC>
 /* static */ void*
-GCRuntime::refillFreeListFromAnyThread(ExclusiveContext* cx, AllocKind thingKind)
+GCRuntime::refillFreeListFromAnyThread(ExclusiveContext* cx, AllocKind thingKind, size_t thingSize)
 {
    MOZ_ASSERT(cx->arenas()->freeLists[thingKind].isEmpty());

    if (cx->isJSContext())
-        return refillFreeListFromMainThread<allowGC>(cx->asJSContext(), thingKind);
+        return refillFreeListFromMainThread<allowGC>(cx->asJSContext(), thingKind, thingSize);

    return refillFreeListOffMainThread(cx, thingKind);
 }

 template <AllowGC allowGC>
 /* static */ void*
-GCRuntime::refillFreeListFromMainThread(JSContext* cx, AllocKind thingKind)
+GCRuntime::refillFreeListFromMainThread(JSContext* cx, AllocKind thingKind, size_t thingSize)
 {
    JSRuntime* rt = cx->runtime();
    MOZ_ASSERT(!rt->isHeapBusy(), "allocating while under GC");
@ -277,7 +277,11 @@ GCRuntime::refillFreeListFromMainThread(JSContext* cx, AllocKind thingKind)
    }

    // Retry the allocation after the last-ditch GC.
-    thing = tryRefillFreeListFromMainThread(cx, thingKind);
+    // Note that due to GC callbacks we might already have allocated an arena
+    // for this thing kind!
+    thing = cx->arenas()->allocateFromFreeList(thingKind, thingSize);
+    if (!thing)
+        thing = tryRefillFreeListFromMainThread(cx, thingKind);
    if (thing)
        return thing;

--- a/js/src/gc/GCRuntime.h
+++ b/js/src/gc/GCRuntime.h
@ -879,9 +879,11 @@ class GCRuntime
    template <typename T>
    static void checkIncrementalZoneState(ExclusiveContext* cx, T* t);
    template <AllowGC allowGC>
-    static void* refillFreeListFromAnyThread(ExclusiveContext* cx, AllocKind thingKind);
+    static void* refillFreeListFromAnyThread(ExclusiveContext* cx, AllocKind thingKind,
+                                             size_t thingSize);
    template <AllowGC allowGC>
-    static void* refillFreeListFromMainThread(JSContext* cx, AllocKind thingKind);
+    static void* refillFreeListFromMainThread(JSContext* cx, AllocKind thingKind,
+                                              size_t thingSize);
    static void* tryRefillFreeListFromMainThread(JSContext* cx, AllocKind thingKind);
    static void* refillFreeListOffMainThread(ExclusiveContext* cx, AllocKind thingKind);

--- a/js/src/jit-test/tests/gc/bug-1146696.js
+++ b/js/src/jit-test/tests/gc/bug-1146696.js
@ -0,0 +1,24 @@
+// |jit-test| --no-ggc
+gc();
+dbg1 = new Debugger();
+root2 = newGlobal();
+dbg1.memory.onGarbageCollection = function(){}
+dbg1.addDebuggee(root2);
+for (var j = 0; j < 9999; ++j) {
+    try {
+        a
+    } catch (e) {}
+}
+gcparam("maxBytes", gcparam("gcBytes") + 8000);
+try {
+    function g(i) {
+        if (i == 0)
+            return;
+        var x = "";
+        function f() {}
+        eval('');
+        g(i - 1);
+    }
+    g(100);
+} catch (e) {
+}