Bug 1258320 - Fix jump target in CodeGenerator::visitGetNextMapEntryForIterator. r=jandem
authorTooru Fujisawa <arai_a@mac.com>
Mon, 21 Mar 2016 21:04:18 +0900
changeset 289699 f835f8fde27da0129710d264584a2530c1118abf
parent 289698 c8b6ae5094f8733a2071a49d8590d341c5988a27
child 289700 bc7572388c5a057baa743635a596ed1fa43f1543
push id19656
push usergwagner@mozilla.com
push dateMon, 04 Apr 2016 13:43:23 +0000
reviewersjandem
bugs1258320
milestone48.0a1
Bug 1258320 - Fix jump target in CodeGenerator::visitGetNextMapEntryForIterator. r=jandem
js/src/jit-test/tests/collections/Map-iterator-already-done.js
js/src/jit/CodeGenerator.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/collections/Map-iterator-already-done.js
@@ -0,0 +1,12 @@
+let a = new Map();
+for (let i = 0; i < 1000; i++)
+  a.set(i, i);
+
+function f() {
+  let iter = a.entries();
+  while (!iter.next().done) {}
+  iter.next();
+}
+
+for (let i = 0; i < 10; i++)
+  f();
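Review bot: The final `iter.next();` in `f` discards its result, so this test only fails if the engine crashes and never checks what the already-done path returns. Replacing it with `assertEq(iter.next().done, true);` would also pin the value produced by the new jump target, which appears to be the `move32(Imm32(1), output)` in the CodeGenerator change. A one-line header comment such as `// Bug 1258320: next() on an exhausted Map iterator must not touch the freed Range.` would tell later readers why the seemingly redundant call is there.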
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -5741,18 +5741,18 @@ CodeGenerator::visitGetNextMapEntryForIt
     Register temp = ToRegister(lir->temp0());
     Register dataLength = ToRegister(lir->temp1());
     Register range = ToRegister(lir->temp2());
     Register output = ToRegister(lir->output());
 
     masm.loadPrivate(Address(iter, NativeObject::getFixedSlotOffset(MapIteratorObject::RangeSlot)),
                      range);
 
-    Label iterDone, done;
-    masm.branchTestPtr(Assembler::Zero, range, range, &iterDone);
+    Label iterAlreadyDone, iterDone, done;
+    masm.branchTestPtr(Assembler::Zero, range, range, &iterAlreadyDone);
 
     masm.load32(Address(range, ValueMap::Range::offsetOfI()), temp);
     masm.loadPtr(Address(range, ValueMap::Range::offsetOfHashTable()), dataLength);
     masm.load32(Address(dataLength, ValueMap::offsetOfImplDataLength()), dataLength);
     masm.branch32(Assembler::AboveOrEqual, temp, dataLength, &iterDone);
     {
         masm.push(iter);
 
@@ -5791,16 +5791,18 @@ CodeGenerator::visitGetNextMapEntryForIt
     {
         masm.bind(&iterDone);
 
         ValueMapRangeDestruct(masm, range, temp, dataLength);
 
         masm.storeValue(PrivateValue(nullptr),
                         Address(iter, NativeObject::getFixedSlotOffset(MapIteratorObject::RangeSlot)));
 
+        masm.bind(&iterAlreadyDone);
+
         masm.move32(Imm32(1), output);
     }
     masm.bind(&done);
 }
 
 void
 CodeGenerator::visitTypedArrayLength(LTypedArrayLength* lir)
 {
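Review bot: `masm.bind(&iterAlreadyDone)` sits in the middle of the `iterDone` block with no comment, so nothing tells a reader why this entry point must skip `ValueMapRangeDestruct` and the `RangeSlot` store above it. From the visible lines, the earlier hunk branches here when `range` is null, which is the state the `iterDone` path leaves behind by storing `PrivateValue(nullptr)`. The old target would therefore have run the destruct sequence on a null `range`. I would add a comment above the bind, e.g. `// Range was already destructed and RangeSlot nulled by an earlier call; only report done.`, and a matching one at the `branchTestPtr` in the first hunk. The body of `visitGetNextMapEntryForIterator` starts before and continues between the two hunks, so the fall-through into `iterDone` is not visible here.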