When a script is not live on the stack, we destroy its BaselineScript. However, if a script is active on the stack, we should still purge all optimized stubs (that cannot call into the VM). The following testcase crashes because our type update IC thinks the TypeSet of "x" includes the object type, but x's TypeSet is wiped out by the GC and the type update IC should monitor this type again. function foo() { x = null; } function f() { for (var i=0; i<99; i++) { x = null; if (i >= 97) { gc(); gc(); foo(); } x = {}; if (i >= 97) foo(); } } f();

This patch allocates all stubs that can make (non-tail) VM calls in the fallback stub space. For all scripts that are active during GC, we can then unlink all optimized stubs and release their memory. The patch refactors things a bit to make it hard to allocate stubs that can make calls in the optimized space (it will assert). The AutoSuppressGC added to ICStubCompiler suppresses GC during stub compilation. This is necessary to avoid freeing stubs while we are still, for instance, initializing their monitor chain.

Comment on attachment 713850 [details] [diff] [review] Patch Review of attachment 713850 [details] [diff] [review]: ----------------------------------------------------------------- Nice and clean :) ::: js/src/ion/BaselineIC.h @@ +584,5 @@ > + return false; > + } > + } > + > + bool allocatedInFallbackSpace() const { Nit: A comment above this explaining why we do this would be nice. Something along the lines of "Optimized stubs get purged on GC. But some stubs can be active on the stack during GC - specifically the ones that can make calls. To ensure that these do not get purged, all stubs that can make calls are allocated in the fallback stub space."

Pushed with extra comment: https://hg.mozilla.org/projects/ionmonkey/rev/60529bd66587