Bug 1888614 - Fix exception handler to restore realm for trampoline native frames too. r=iain

Differential Revision: https://phabricator.services.mozilla.com/D206330
2024-04-03 09:27:15 +00:00 · 2024-04-03 09:27:15 +00:00 · 7a6d8fd713
commit 7a6d8fd713
parent b8f399d747
5 changed files with 28 additions and 4 deletions
--- a/js/src/jit-test/tests/arrays/sort-trampoline.js
+++ b/js/src/jit-test/tests/arrays/sort-trampoline.js
@ -135,3 +135,19 @@ function testBailout() {
  assertEq(arr.map(x => x.n).join(""), "0135");
 }
 testBailout();
+
+function testExceptionHandlerSwitchRealm() {
+  var g = newGlobal({sameCompartmentAs: this});
+  for (var i = 0; i < 25; i++) {
+    var ex = null;
+    try {
+      g.Array.prototype.toSorted.call([2, 3], () => {
+        throw "fit";
+      });
+    } catch (e) {
+      ex = e;
+    }
+    assertEq(ex, "fit");
+  }
+}
+testExceptionHandlerSwitchRealm();
--- a/js/src/jit/JSJitFrameIter.cpp
+++ b/js/src/jit/JSJitFrameIter.cpp
@ -78,7 +78,7 @@ CalleeToken JSJitFrameIter::calleeToken() const {
 }

 JSFunction* JSJitFrameIter::callee() const {
-  MOZ_ASSERT(isScripted());
+  MOZ_ASSERT(isScripted() || isTrampolineNative());
  MOZ_ASSERT(isFunctionFrame());
  return CalleeTokenToFunction(calleeToken());
 }
--- a/js/src/jit/JSJitFrameIter.h
+++ b/js/src/jit/JSJitFrameIter.h
@ -177,6 +177,9 @@ class JSJitFrameIter {
    return type_ == FrameType::BaselineInterpreterEntry;
  }
  bool isRectifier() const { return type_ == FrameType::Rectifier; }
+  bool isTrampolineNative() const {
+    return type_ == FrameType::TrampolineNative;
+  }
  bool isBareExit() const;
  bool isUnwoundJitExit() const;
  template <typename T>
--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
@ -760,7 +760,7 @@ void HandleException(ResumeFromException* rfe) {

    // JIT code can enter same-compartment realms, so reset cx->realm to
    // this frame's realm.
-    if (frame.isScripted()) {
+    if (frame.isScripted() || frame.isTrampolineNative()) {
      cx->setRealmForJitExceptionHandler(iter.realm());
    }

@ -830,7 +830,7 @@ void HandleException(ResumeFromException* rfe) {
      if (rfe->kind == ExceptionResumeKind::ForcedReturnBaseline) {
        return;
      }
-    } else if (frame.type() == FrameType::TrampolineNative) {
+    } else if (frame.isTrampolineNative()) {
      UnwindTrampolineNativeFrame(cx->runtime(), frame);
    }

--- a/js/src/vm/FrameIter.cpp
+++ b/js/src/vm/FrameIter.cpp
@ -124,7 +124,12 @@ JS::Realm* JitFrameIter::realm() const {
    return asWasm().instance()->realm();
  }

-  return asJSJit().script()->realm();
+  if (asJSJit().isScripted()) {
+    return asJSJit().script()->realm();
+  }
+
+  MOZ_RELEASE_ASSERT(asJSJit().isTrampolineNative());
+  return asJSJit().callee()->realm();
 }

 uint8_t* JitFrameIter::resumePCinCurrentFrame() const {