Bug 1247862 - Put rhs into the right value register before returning from typed object setprop stubs, r=jandem.
authorBrian Hackett <bhackett1024@gmail.com>
Mon, 29 Feb 2016 15:07:01 -0700
changeset 286170 afcd5f76e45282f63f141fd6dcb3c88cf1dc690e
parent 286169 72d4e5bba9b36f32f050ec73da07ddb945f5a7c8
child 286171 8fed15997251f9b923c7485b1422df93296dd212
push id30039
push usercbook@mozilla.com
push dateTue, 01 Mar 2016 11:02:11 +0000
treeherdermozilla-central@5cafa6f3019b [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem
bugs1247862
milestone47.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1247862 - Put rhs into the right value register before returning from typed object setprop stubs, r=jandem.
js/src/jit-test/tests/baseline/bug1247862.js
js/src/jit/BaselineIC.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/baseline/bug1247862.js
@@ -0,0 +1,13 @@
+var T = TypedObject;
+ValueStruct = new T.StructType({
+    f: T.int32,
+    g: T.Any
+});
+var v = new ValueStruct;
+for (var i = 0; i < 2; i++) {
+    var a = {};
+    var b = v.f = 3;
+    var c = v.g = a;
+    assertEq(b === 3, true);
+    assertEq(c === a, true);
+}
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -5211,17 +5211,16 @@ ICSetProp_TypedObject::Compiler::generat
     Address dest(scratch, 0);
     Address value(masm.getStackPointer(), 0);
 
     if (fieldDescr_->is<ScalarTypeDescr>()) {
         Scalar::Type type = fieldDescr_->as<ScalarTypeDescr>().type();
         StoreToTypedArray(cx, masm, type, value, dest,
                           secondScratch, &failurePopRHS, &failurePopRHS);
         masm.popValue(R1);
-        EmitReturnFromIC(masm);
     } else {
         ReferenceTypeDescr::Type type = fieldDescr_->as<ReferenceTypeDescr>().type();
 
         masm.popValue(R1);
 
         switch (type) {
           case ReferenceTypeDescr::TYPE_ANY:
             EmitPreBarrier(masm, dest, MIRType_Value);
@@ -5247,19 +5246,21 @@ ICSetProp_TypedObject::Compiler::generat
             Register rhsString = masm.extractString(R1, ExtractTemp0);
             masm.storePtr(rhsString, dest);
             break;
           }
 
           default:
             MOZ_CRASH();
         }
-
-        EmitReturnFromIC(masm);
-    }
+    }
+
+    // The RHS has to be in R0.
+    masm.moveValue(R1, R0);
+    EmitReturnFromIC(masm);
 
     masm.bind(&failurePopRHS);
     masm.popValue(R1);
 
     masm.bind(&failure);
     EmitStubGuardFailure(masm);
     return true;
 }