- Mar 30, 2024
-
-
Steve Fink authored
Original Revision: https://phabricator.services.mozilla.com/D205661
Differential Revision: https://phabricator.services.mozilla.com/D206168
-
- Mar 07, 2024
-
-
Matthew Gaudet authored
Bug 1860193 - Verify we get a script from a function before asking for the filename r=mccr8, a=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D203836
-
- Mar 26, 2024
-
-
Jan de Mooij authored
Differential Revision: https://phabricator.services.mozilla.com/D205586
-
- Mar 28, 2024
-
-
Chris Martin authored
Differential Revision: https://phabricator.services.mozilla.com/D206068
-
- Mar 22, 2024
-
-
Iain Ireland authored
Original Revision: https://phabricator.services.mozilla.com/D204130
Differential Revision: https://phabricator.services.mozilla.com/D205340
-
- Mar 21, 2024
-
-
Iain Ireland authored
Differential Revision: https://phabricator.services.mozilla.com/D204546
-
- Mar 05, 2024
-
-
André Bargull authored
Original Revision: https://phabricator.services.mozilla.com/D201684
Differential Revision: https://phabricator.services.mozilla.com/D203291
-
- Feb 21, 2024
-
-
André Bargull authored
Original Revision: https://phabricator.services.mozilla.com/D201196
Differential Revision: https://phabricator.services.mozilla.com/D201954
-
- Feb 09, 2024
-
-
Jan de Mooij authored
Differential Revision: https://phabricator.services.mozilla.com/D201213
-
- Jan 24, 2024
-
-
Jan de Mooij authored
Differential Revision: https://phabricator.services.mozilla.com/D199233
-
- Jan 15, 2024
-
-
Iain Ireland authored
Differential Revision: https://phabricator.services.mozilla.com/D198479
-
- Nov 27, 2023
-
-
Yury Delendik authored
-
- Oct 24, 2023
-
-
Jan de Mooij authored
Bug 1860767 - Replace MOZ_ReportCrash call for AutoEnterOOMUnsafeRegion with fprintf. r=jonco, a=dsmith
According to bug 1859737, there are some issues with the stack dumping code on Windows and the goal is to stop defining `MOZ_ReportCrash` in non-debug builds. For `AutoEnterOOMUnsafeRegion` it seems simplest to do our own printf.
Differential Revision: https://phabricator.services.mozilla.com/D191735
-
- Oct 09, 2023
-
-
Jon Coppeard authored
For objects with dynamic slots allocations, NativeObject::slots_ stores a pointer that points just past the end of the slots header. For zero-capacity allocations this pointer points outside the allocation itself. Currently this causes valgrind to think that the slots allocation is leaked. To fix this the patch adds an extra unused slot to zero capacity slots allocations on valgrind builds only.
Differential Revision: https://phabricator.services.mozilla.com/D190274
-
- Sep 26, 2023
-
-
Steve Fink authored
Differential Revision: https://phabricator.services.mozilla.com/D188150
-
- Sep 14, 2023
-
-
Iain Ireland authored
Differential Revision: https://phabricator.services.mozilla.com/D188264
-
- Aug 21, 2023
-
-
André Bargull authored
Differential Revision: https://phabricator.services.mozilla.com/D183714
-
- Aug 15, 2023
-
-
Jon Coppeard authored
Bug 1847397 - Get the string heap to use after possible GC when executing regular expressions. r=jandem, a=RyanVM
The problem here is that initialStringHeap can be stale by the time it's used in UpdateRegExpStatics. GenerateRegExpMatchStubShared can allocate a shape which can trigger GC which can re-enable previously disabled nursery string allocation. This means we may incorrectly elide post barriers here. The fix is to get the initial heap setting after potential GC.
Differential Revision: https://phabricator.services.mozilla.com/D186012
-
Tooru Fujisawa authored
Differential Revision: https://phabricator.services.mozilla.com/D186264
-
- Jul 05, 2023
-
-
Iain Ireland authored
Differential Revision: https://phabricator.services.mozilla.com/D182530
-
- Aug 15, 2023
-
-
Ryan VanderMeulen authored
-
- Aug 14, 2023
-
-
Tooru Fujisawa authored
Differential Revision: https://phabricator.services.mozilla.com/D186098
-
- Jul 21, 2023
-
-
Bryan Thrall authored
In that case, the error stored in cx is an OOM rather than the expected SyntaxError. CheckRegExpSyntax should return false in that case.
Differential Revision: https://phabricator.services.mozilla.com/D184162
-
Bryan Thrall authored
Differential Revision: https://phabricator.services.mozilla.com/D184161
-
Bryan Thrall authored
It is simpler to think about ErrorToException returning true when the error is correctly converted, which is why it returns false on recursion even though you could argue that nothing went wrong in that case.
Differential Revision: https://phabricator.services.mozilla.com/D184160
-
- Jun 21, 2023
-
-
Jon Coppeard authored
Bug 1828024 - Require the helper thread lock in the GC helper thread count getter r=sfink, a=dmeehan
This makes us take a lock to read this state (we already lock when writing it). Also it adds a release assert in case something goes wrong with the thread count calculations, as a crash is preferable to the potential deadlock.
Differential Revision: https://phabricator.services.mozilla.com/D181257
-
- Jul 21, 2023
-
-
Jan de Mooij authored
Bug 1841682 - (ESR115) Simplify post barrier for MStoreElementHole and MArrayPush. r=iain!, a=dsmith
Differential Revision: https://phabricator.services.mozilla.com/D184210
-
- Jul 11, 2023
-
-
Xi Ruoyao authored
Bug 1841040 - Remove over-alignment from GCMarker and Nursery, r=spidermonkey-reviewers,jonco a=RyanVM
js_new<T> cannot guarantee the alignment if T is over-aligned, and this issue is not trivial to fix (blocked by Bug 1842582). Add a static assert to detect the attempt using js_new<T> for over-aligned T, and remove the problematic alignas() attributes as a short-term fix.
Differential Revision: https://phabricator.services.mozilla.com/D182546
-
- Jul 07, 2023
-
-
Julian Seward authored
Differential Revision: https://phabricator.services.mozilla.com/D182324
-
- Jul 10, 2023
-
-
serge-sans-paille authored
Original Revision: https://phabricator.services.mozilla.com/D181738
Differential Revision: https://phabricator.services.mozilla.com/D182710
-
- Jul 05, 2023
-
-
Jan de Mooij authored
On Win64 platforms (`NEED_JIT_UNWIND_HANDLING`), we reserve an extra page in `ReserveProcessExecutableMemory` for the generated exception handler. Before this patch we'd skip the first page if we generated an exception handler there. If we didn't generate an exception handler (for example JS shell builds on ARM64) we'd not skip the first page and instead have an unused page at the end of the JIT code region. With this patch we always skip the first page if we reserved one. This fixes an assertion failure in `UnregisterJitCodeRegion` for Windows ARM64 JS shell builds because the size didn't match what we passed to `RegisterJitCodeRegion`.
Differential Revision: https://phabricator.services.mozilla.com/D182726
-
- Jun 28, 2023
-
-
Zhao Jiazhong authored
Differential Revision: https://phabricator.services.mozilla.com/D181978
-
- Jun 23, 2023
-
-
Jan de Mooij authored
Bug 1839669 - Use stack pointer register for stack probes to fix crashes on older Linux kernels. r=iain, a=dmeehan
Google Images creates a huge stack frame with more than 19550 slots (more than 150 KB) and then uses OSR to enter Baseline Interpreter code. The stack probing we do there caused crashes because older kernels don't like it when the distance between the address and RSP is more than about 64 KB.
Differential Revision: https://phabricator.services.mozilla.com/D181892
-
- Jun 21, 2023
-
-
Jon Coppeard authored
Depends on D181503
Differential Revision: https://phabricator.services.mozilla.com/D181537
-
- Jun 20, 2023
-
-
Jan de Mooij authored
Differential Revision: https://phabricator.services.mozilla.com/D181389
-
- Jun 13, 2023
-
-
Jon Coppeard authored
Bug 1835886 - Cancel outstanding load requests when a document is detached from a global r=smaug, a=dmeehan
Also cancel module load requests when cancelling requests generally. What was happening here was that a previous load was completing and calling into the wrong module loader, because the loader to use is determined via the current global, and this was now associated with a different document / script loader / module loader.
Differential Revision: https://phabricator.services.mozilla.com/D179787
-
- Jun 15, 2023
-
-
Steve Fink authored
Differential Revision: https://phabricator.services.mozilla.com/D180403
-
- Jun 13, 2023
-
-
Philip Chimento authored
This specializes HasFreeLSB for JSObject* and JSString* because in embedder code they are opaque pointers with no alignment information, which makes JS::Result not able to compile for those types.
Differential Revision: https://phabricator.services.mozilla.com/D180542
-
- Jun 07, 2023
-
-
Jon Coppeard authored
Bug 1835710 - Cancel off-thread JIT compilation before changing nursery allocation flags r=jandem, a=dmeehan
This calls CancelOffThreadIonCompile before changing the nursery allocation flags to avoid the race condition with off-thread compilation reading these flags. Nursery::discardJitCodeForZone is renamed to make it clear that it also sets JIT flags.
Differential Revision: https://phabricator.services.mozilla.com/D179542
-
- Jun 06, 2023
-
-
Jon Coppeard authored
Bug 1834711 - Set background finalized flag for dead object proxies created after nuking all CCWs r=jandem, a=dmeehan
The background finalized flag wasn't getting set in the second overload of NewDeadProxyObject. The patch makes the first overload of this function more generic so it can accept non-proxy arguments and uses it in all cases. The testcase also results in dead object proxies being returned from rewrap() in RemapDeadWrapper which previously caused an assertion. I added an early return for this case - do you think that's OK?
Differential Revision: https://phabricator.services.mozilla.com/D179576
-