зеркало из https://github.com/mozilla/gecko-dev.git
d12c86aa57
The bug here occurs when we: a) Trial-inline A into B, creating an ICScript owned by B with a pointer to A's JitScript. b) Perform a compacting GC, discarding the JitScript for A, but preserving the JitScript for B (because it is on the stack). c) Create a new JitScript for A. d) Warp-compile B, without hitting the B->A trial-inlined call IC. In this case, the `JitScript*` stored in the ICScript created in `a)` is dangling, and does not match the JitScript created in `c)`. The easy way to fix this is to not store a `JitScript*` here in the first place. We only use `ICScript::jitScript_` to: a) Tell whether the ICScript is inlined, which can be done more easily by looking at the depth. b) Find the `FallbackICStubSpace` for non-inlined ICScripts. If we use the depth to tell when an ICScript is inlined, then we don't need a pointer to find the owning JitScript (and therefore its stub space) for non-inlined ICScripts. Non-inlined ICScripts are embedded inside a JitScript, so we can compute the offset directly. Differential Revision: https://phabricator.services.mozilla.com/D88690 |
||
|---|---|---|
| .. | ||
| ductwork/debugger | ||
| examples | ||
| public | ||
| rust | ||
| src | ||
| xpconnect | ||
| app.mozbuild | ||
| ffi.configure | ||
| moz.build | ||
| moz.configure | ||
| sub.configure | ||