Bug 1138740 - Notify Ion when changing a typed array's data pointer due to making a lazy buffer for it, r=sfink.
authorBrian Hackett <bhackett1024@gmail.com>
Sat, 07 Mar 2015 09:46:27 -0600
changeset 232399 cb1c692e89638fada258ff3539ad16d2e1ecc26b
parent 232398 dca901fa0641cf6b67dc4f5495b319efdb9365ca
child 232400 99a276974d6d0a357074f2dba31b3dd6b47a5d10
push id56540
push userbhackett@mozilla.com
push dateSat, 07 Mar 2015 15:46:48 +0000
treeherdermozilla-inbound@cb1c692e8963 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssfink
bugs1138740
milestone39.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1138740 - Notify Ion when changing a typed array's data pointer due to making a lazy buffer for it, r=sfink.
js/src/jit-test/tests/ion/bug1138740.js
js/src/vm/TypedArrayObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1138740.js
@@ -0,0 +1,12 @@
+
+with({}){}
+x = Int8Array(1)
+function f(y) {
+    x[0] = y
+}
+f()
+f(3)
+f(7)
+x.buffer;
+f(0);
+assertEq(x[0], 0);
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -115,16 +115,20 @@ TypedArrayObject::ensureHasBuffer(JSCont
 
     if (!buffer->addView(cx, tarray))
         return false;
 
     memcpy(buffer->dataPointer(), tarray->viewData(), tarray->byteLength());
     tarray->setPrivate(buffer->dataPointer());
 
     tarray->setSlot(TypedArrayLayout::BUFFER_SLOT, ObjectValue(*buffer));
+
+    // Notify compiled jit code that the base pointer has moved.
+    MarkObjectStateChange(cx, tarray);
+
     return true;
 }
 
 /* static */ void
 TypedArrayObject::trace(JSTracer *trc, JSObject *objArg)
 {
     // Handle all tracing required when the object has a buffer.
     ArrayBufferViewObject::trace(trc, objArg);