author | Sam Spilsbury <smspillaz@gmail.com> | 2015-01-10 02:59:26 +0800 |
---|---|---|
committer | Philip Chimento <philip.chimento@gmail.com> | 2017-01-05 22:22:36 -0800 |
commit | 8dc60568f0f9a87c87f84f5047bd5e5b20511b77 (patch) | |
tree | 04252f635f9458d8c36f35ed6aed03f096cde0e2 | |
parent | e410e719e17830ffd987d4bd53726649046017ca (diff) | |
download | gjs-wip/ptomato/develop.tar.gz |
coverage: Enable IonMonkey and BaselineJIT in coverage mode

This should give tests running in coverage mode a slight
speedup.

Previously, we just disabled the JIT during coverage mode, as
it was crashing in the JIT. Upon further analysis, it appears
as though the crash is a bug in js24
(https://bugzilla.mozilla.org/show_bug.cgi?id=1120934). We keep
a single runtime around for a thread's lifetime, which means that
in most cases it is never destroyed. However, trace callbacks
were not correctly added for some internal JIT structures inside
the runtime, which means that if a context was destroyed, the
garbage collector could reclaim that JIT code, but not the
IonRuntime which owned it.

When the next context was created, upon entering a compartment
it would check if an IonRuntime was available, and only
regenerate that JIT code if it was unavailable. If it was
available, then mozjs simply assumed that it was valid and
jumped to it. This caused a jump to an invalid address.

It appears as though the only way to remedy this problem is to
destroy the runtime and re-create it when needed.
gjs_clear_thread_runtime was provided for that purpose. It should
be called whenever a context has been destroyed, but the caller
intends to create a new context later - it will also explicitly
clear the runtime.

Fixes #742852

-rw-r--r-- | gjs/coverage.cpp | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/gjs/coverage.cpp b/gjs/coverage.cpp index 2355b083..7db96d99 100644 --- a/gjs/coverage.cpp +++ b/gjs/coverage.cpp @@ -1704,20 +1704,18 @@ gjs_coverage_constructed(GObject *object) GjsCoverage *coverage = GJS_COVERAGE(object); GjsCoveragePrivate *priv = (GjsCoveragePrivate *) gjs_coverage_get_instance_private(coverage); - JSContext *context = (JSContext *) gjs_context_get_native_context(priv->context); - if (!priv->cache_specified) { g_message("Cache path was not given, picking default one"); priv->cache = g_file_new_for_path(".internal-gjs-coverage-cache"); } - /* Before bootstrapping, turn off the JIT on the context */ - JS::RuntimeOptionsRef(context) - .setIon(false) - .setBaseline(false) - .setAsmJS(false); + /* We now enable Ion and BaselineJIT in coverage mode. See the comment + * in gjs/runtime.cpp:gjs_clear_thread_runtime for some important + * information regarding runtime lifecycle management and garbage collection + * bugs in js24 */ if (!bootstrap_coverage(coverage)) { + JSContext *context = static_cast<JSContext *>(gjs_context_get_native_context(priv->context)); JSAutoCompartment compartment(context, gjs_get_import_global(context)); gjs_log_exception(context); } |
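
Review bot: In gjs_coverage_constructed, the removed block also dropped `.setAsmJS(false)`, but the replacement comment and the commit subject name only Ion and BaselineJIT, so asm.js now follows whatever the runtime default is in coverage mode without that being stated; either keep `.setAsmJS(false)` or mention asm.js in the comment. The new comment also makes the safety of re-enabling the JIT depend on callers invoking gjs_clear_thread_runtime after a context is destroyed, yet this one-file diff adds no call or check for it in coverage.cpp. Given that the commit message describes the failure as a jump to an invalid address, the comment should say which caller is responsible for clearing the runtime and carry the Mozilla bug URL, so the constraint is discoverable from this file.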