Bug 704795 - Fix setprop write barrier for non-objects (r=bhackett)
authorBill McCloskey <wmccloskey@mozilla.com>
Wed, 07 Dec 2011 09:39:40 -0800
changeset 82185 a48fe9aef820ab4a6d75a1a04e8883f4f5cb0efb
parent 82176 f0f0ec491b9e1c24924c11c9484f50d592282021
child 82186 d91ce1c668e7b39f2642eb8f3840922e9de5403b
push id21587
push userbmo@edmorley.co.uk
push dateThu, 08 Dec 2011 15:13:43 +0000
reviewersbhackett
bugs704795
milestone11.0a1
Bug 704795 - Fix setprop write barrier for non-objects (r=bhackett)
js/src/jit-test/tests/basic/bug704795.js
js/src/methodjit/Compiler.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug704795.js
@@ -0,0 +1,13 @@
+Function("\
+  gczeal(4,false);\
+  function f(){\
+    \"use strict\";\
+    this.x = Object\
+  }\
+  for each(y in[0,0]){\
+    try{\
+      new f\
+    }\
+    catch(e){}\
+  }\
+")()
\ No newline at end of file
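Review bot: The regression test carries no comment saying what it exercises, and the empty `catch(e){}` around `new f` discards every exception, so the file can only fail by crashing. A header line such as `// Bug 704795: strict-mode setprop with GC zeal enabled must not run the write barrier before the object check; passes if it does not crash.` would tell a later reader why the odd `Function("...")` wrapper and `gczeal(4,false)` are there. Whether the barrier path is reached at all presumably depends on the build configuration (the C++ side is under `JSGC_INCREMENTAL_MJ`), which is worth stating in the same comment.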
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -5492,37 +5492,35 @@ mjit::Compiler::jsop_setprop(JSAtom *ato
         if (!propertyTypes)
             return false;
         if (propertyTypes->isDefiniteProperty() &&
             !propertyTypes->isOwnProperty(cx, object, true)) {
             types->addFreeze(cx);
             uint32 slot = propertyTypes->definiteSlot();
             RegisterID reg = frame.tempRegForData(lhs);
             bool isObject = lhs->isTypeKnown();
+            MaybeJump notObject;
+            if (!isObject)
+                notObject = frame.testObject(Assembler::NotEqual, lhs);
 #ifdef JSGC_INCREMENTAL_MJ
             frame.pinReg(reg);
             if (cx->compartment->needsBarrier() && propertyTypes->needsBarrier(cx)) {
                 /* Write barrier. */
-                Jump j;
-                if (isObject)
-                    j = masm.testGCThing(Address(reg, JSObject::getFixedSlotOffset(slot)));
-                else
-                    j = masm.jump();
+                Jump j = masm.testGCThing(Address(reg, JSObject::getFixedSlotOffset(slot)));
                 stubcc.linkExit(j, Uses(0));
                 stubcc.leave();
                 stubcc.masm.addPtr(Imm32(JSObject::getFixedSlotOffset(slot)),
                                    reg, Registers::ArgReg1);
                 OOL_STUBCALL(stubs::GCThingWriteBarrier, REJOIN_NONE);
                 stubcc.rejoin(Changes(0));
             }
             frame.unpinReg(reg);
 #endif
             if (!isObject) {
-                Jump notObject = frame.testObject(Assembler::NotEqual, lhs);
-                stubcc.linkExit(notObject, Uses(2));
+                stubcc.linkExit(notObject.get(), Uses(2));
                 stubcc.leave();
                 stubcc.masm.move(ImmPtr(atom), Registers::ArgReg1);
                 OOL_STUBCALL(STRICT_VARIANT(stubs::SetName), REJOIN_FALLTHROUGH);
             }
             frame.storeTo(rhs, Address(reg, JSObject::getFixedSlotOffset(slot)), popGuaranteed);
             frame.shimmy(1);
             if (!isObject)
                 stubcc.rejoin(Changes(1));
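Review bot: The ordering this fix depends on is not stated in the new code: the `frame.testObject` guard added above `#ifdef JSGC_INCREMENTAL_MJ` must be emitted before the write barrier, because `masm.testGCThing(Address(reg, JSObject::getFixedSlotOffset(slot)))` loads a fixed slot through `reg`, and that address is only meaningful when `lhs` holds an object. A comment above `MaybeJump notObject;` would stop a later refactor from moving the test back down to the `linkExit` site, for example `/* Guard before the barrier: the barrier loads a slot through reg, so the non-object case must already have branched away. */`. The flag `isObject` is taken from `lhs->isTypeKnown()`, which presumably relies on a known-non-object check earlier in jsop_setprop, outside this hunk. If that holds, `JS_ASSERT_IF(isObject, lhs->isType(JSVAL_TYPE_OBJECT));` next to the declaration would make the assumption explicit. The function body starts and ends outside the hunk.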