Bug 1574415 - Part 11: Add regression test for StoreTypedObjectScalarProperty clobbered register bug. r=jandem
authorAndré Bargull <andre.bargull@gmail.com>
Mon, 07 Oct 2019 11:59:54 +0000
changeset 496563 1bd9ae4caa0ba3aa9b08743cbd899c0ce052567d
parent 496562 42469f1d04913311bd96876eb106a8fba39d2223
child 496564 218a81625331fa748ee2723114ed836a09e93694
push id97326
push userarchaeopteryx@coole-files.de
push dateMon, 07 Oct 2019 16:46:32 +0000
treeherderautoland@144ebbca6844 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem
bugs1574415
milestone71.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1574415 - Part 11: Add regression test for StoreTypedObjectScalarProperty clobbered register bug. r=jandem Regression test for the fixed TypedObject bug mentioned in part 9. Differential Revision: https://phabricator.services.mozilla.com/D47759
js/src/jit-test/tests/auto-regress/bug1574415-2.js
js/src/jit/BaselineIC.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1574415-2.js
@@ -0,0 +1,24 @@
+// |jit-test| skip-if: !this.hasOwnProperty("TypedObject")
+
+function f(obj, x, y) {
+  // The assignment mustn't use the same registers as |x| or |y| for temporaries.
+  obj.foo = y;
+
+  // Ensure the assignment didn't clobber any registers used by either |x| or |y|.
+  assertEq(x, 0.1);
+  assertEq(y, 0.2);
+}
+
+// Different struct types to ensure we emit a SetProp IC.
+var objects = [
+  new new TypedObject.StructType({foo: TypedObject.float64}),
+  new new TypedObject.StructType({foo: TypedObject.float32}),
+];
+
+// Load from an array to ensure we don't mark the values as constant.
+var xs = [0.1, 0.1];
+var ys = [0.2, 0.2];
+
+for (var i = 0; i < 100; ++i) {
+  f(objects[i & 1], xs[i & 1], ys[i & 1]);
+}
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -2247,16 +2247,19 @@ bool FallbackICCodeCompiler::emit_SetEle
   using Fn = bool (*)(JSContext*, BaselineFrame*, ICSetElem_Fallback*, Value*,
                       HandleValue, HandleValue, HandleValue);
   return tailCallVM<Fn, DoSetElemFallback>(masm);
 }
 
 void StoreToTypedObject(JSContext* cx, MacroAssembler& masm, Scalar::Type type,
                         const ValueOperand& value, const Address& dest,
                         Register scratch, Label* failure) {
+  // Float register must be preserved. The SetProp ICs use the fact that
+  // baseline has them available, as well as fixed temps on LSetPropertyCache.
+
   Label done;
 
   if (type == Scalar::Float32 || type == Scalar::Float64) {
     masm.ensureDouble(value, FloatReg0, failure);
     if (type == Scalar::Float32) {
       ScratchFloat32Scope fpscratch(masm);
       masm.convertDoubleToFloat32(FloatReg0, fpscratch);
       masm.storeToTypedFloatArray(type, fpscratch, dest);