[MERGE #979] FreeLoopBodyJobs race condition.

Merge pull request #979 from LouisLaf:stackjob
FreeLoopBodyJobs also need a processed flag to avoid race conditions.
To free data associated with a JIT loopbody, we create a FreeLoopBodyJob.  If we can't allocate one of these (OOM), we create one on the stack, and wait for it to be processed.
There was a race condition if we processed the job before starting to wait for it...  The 'processed' flag avoids this.

Author: LouisLaf

lib/Backend/NativeCodeGenerator.h

@@ -211,6 +211,7 @@ void SetProfileMode(BOOL fSet);
             : JsUtil::WaitableJobManager(processor)
             , autoClose(true)
             , isClosed(false)
+            , processed(false)
         {
             Processor()->AddManager(this);
         }
@@ -238,7 +239,7 @@ void SetProfileMode(BOOL fSet);
 
         FreeLoopBodyJob* GetJob(FreeLoopBodyJob* job)
         {
-            return job;
+            return this->processed ? nullptr : job;
         }
 
         bool WasAddedToJobProcessor(JsUtil::Job *const job) const
@@ -268,6 +269,8 @@ void SetProfileMode(BOOL fSet);
         {
             FreeLoopBodyJob* freeLoopBodyJob = static_cast<FreeLoopBodyJob*>(job);
 
+            this->processed = true;
+
             if (freeLoopBodyJob->heapAllocated)
             {
                 HeapDelete(freeLoopBodyJob);
@@ -280,6 +283,7 @@ void SetProfileMode(BOOL fSet);
         NativeCodeGenerator* nativeCodeGen;
         bool autoClose;
         bool isClosed;
+        bool processed;
     };
 
     FreeLoopBodyJobManager freeLoopBodyManager;