Bug 1236600 - Properly pre-barrier sets to inline TypedObject Any-typ…

…e Elements. (r=jandem)
iaxat · Jan 13, 2016 · 24be047 · 24be047
1 parent 6877e14
commit 24be047
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 8 deletions.
diff --git a/js/src/jit-test/tests/TypedObject/jit-write-references-2.js b/js/src/jit-test/tests/TypedObject/jit-write-references-2.js
@@ -0,0 +1,16 @@
+if (typeof TypedObject === "undefined" || typeof Intl === "undefined")
+    quit();
+
+try {
+    gczeal(4)
+} catch (exc) {}
+var T = TypedObject;
+var ValueStruct = new T.StructType({
+    f: T.Any
+})
+var v = new ValueStruct;
+new class get extends Number {};
+function writeValue(o, v)
+  o.f = v
+for (var i = 0; i < 5; i++)
+  writeValue(v, {}, "helo")
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
@@ -7054,7 +7054,7 @@ CodeGenerator::visitStoreElementT(LStoreElementT* store)
     const LAllocation* index = store->index();
 
     if (store->mir()->needsBarrier())
-        emitPreBarrier(elements, index);
+        emitPreBarrier(elements, index, store->mir()->offsetAdjustment());
 
     if (store->mir()->needsHoleCheck())
         emitStoreHoleCheck(elements, index, store->mir()->offsetAdjustment(), store->snapshot());
@@ -7072,7 +7072,7 @@ CodeGenerator::visitStoreElementV(LStoreElementV* lir)
     const LAllocation* index = lir->index();
 
     if (lir->mir()->needsBarrier())
-        emitPreBarrier(elements, index);
+        emitPreBarrier(elements, index, lir->mir()->offsetAdjustment());
 
     if (lir->mir()->needsHoleCheck())
         emitStoreHoleCheck(elements, index, lir->mir()->offsetAdjustment(), lir->snapshot());
@@ -7104,7 +7104,7 @@ CodeGenerator::visitStoreElementHoleT(LStoreElementHoleT* lir)
         masm.branchKey(Assembler::BelowOrEqual, initLength, ToInt32Key(index), ool->entry());
 
         if (lir->mir()->needsBarrier())
-            emitPreBarrier(elements, index);
+            emitPreBarrier(elements, index, 0);
 
         masm.bind(ool->rejoinStore());
         emitStoreElementTyped(lir->value(), lir->mir()->value()->type(), lir->mir()->elementType(),
@@ -7154,7 +7154,7 @@ CodeGenerator::visitStoreElementHoleV(LStoreElementHoleV* lir)
         masm.branchKey(Assembler::BelowOrEqual, initLength, ToInt32Key(index), ool->entry());
 
         if (lir->mir()->needsBarrier())
-            emitPreBarrier(elements, index);
+            emitPreBarrier(elements, index, 0);
 
         masm.bind(ool->rejoinStore());
         if (index->isConstant())

diff --git a/js/src/jit/shared/CodeGenerator-shared.cpp b/js/src/jit/shared/CodeGenerator-shared.cpp
@@ -1530,13 +1530,13 @@ CodeGeneratorShared::emitAsmJSCall(LAsmJSCall* ins)
 }
 
 void
-CodeGeneratorShared::emitPreBarrier(Register base, const LAllocation* index)
+CodeGeneratorShared::emitPreBarrier(Register base, const LAllocation* index, int32_t offsetAdjustment)
 {
     if (index->isConstant()) {
-        Address address(base, ToInt32(index) * sizeof(Value));
+        Address address(base, ToInt32(index) * sizeof(Value) + offsetAdjustment);
         masm.patchableCallPreBarrier(address, MIRType_Value);
     } else {
-        BaseIndex address(base, ToRegister(index), TimesEight);
+        BaseIndex address(base, ToRegister(index), TimesEight, offsetAdjustment);
         masm.patchableCallPreBarrier(address, MIRType_Value);
     }
 }

diff --git a/js/src/jit/shared/CodeGenerator-shared.h b/js/src/jit/shared/CodeGenerator-shared.h
@@ -337,7 +337,7 @@ class CodeGeneratorShared : public LElementVisitor
 
     void emitAsmJSCall(LAsmJSCall* ins);
 
-    void emitPreBarrier(Register base, const LAllocation* index);
+    void emitPreBarrier(Register base, const LAllocation* index, int32_t offsetAdjustment);
     void emitPreBarrier(Address address);
 
     // We don't emit code for trivial blocks, so if we want to branch to the