Don't clobber callee-save register when testing pushed value after stub calls, bug 687856. r=dvander
authorBrian Hackett <bhackett1024@gmail.com>
Tue, 20 Sep 2011 20:14:28 -0700
changeset 77187 2d29d3a3b31401d35da68c85f8a5da3a027cbcdb
parent 77186 b15856d4b1148976cc05f09bf70d5faf46f99215
child 77188 e8bd19f6abbb6b8158eea2c248c46afd23f42ea2
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersdvander
bugs687856
milestone9.0a1
Don't clobber callee-save register when testing pushed value after stub calls, bug 687856. r=dvander
js/src/methodjit/BaseAssembler.h
--- a/js/src/methodjit/BaseAssembler.h
+++ b/js/src/methodjit/BaseAssembler.h
@@ -1143,17 +1143,17 @@ static const JSC::MacroAssembler::Regist
     static uint32 maskAddress(BaseIndex address) {
         return Registers::maskReg(address.base) |
                Registers::maskReg(address.index);
     }
 
     /*
      * Generate code testing whether an in memory value at address has a type
      * in the specified set. Updates mismatches with any failure jumps. Assumes
-     * no data registers are live.
+     * that no temporary (caller save) registers are live.
      */
     bool generateTypeCheck(JSContext *cx, Address address,
                            types::TypeSet *types, Vector<Jump> *mismatches)
     {
         if (types->unknown())
             return true;
 
         Vector<Jump> matches(cx);
@@ -1193,18 +1193,17 @@ static const JSC::MacroAssembler::Regist
                 return false;
         } else {
             count = types->getObjectCount();
         }
 
         if (count != 0) {
             if (!mismatches->append(testObject(Assembler::NotEqual, address)))
                 return false;
-            Registers tempRegs(Registers::AvailRegs);
-            RegisterID reg = tempRegs.takeAnyReg().reg();
+            RegisterID reg = Registers::ArgReg1;
 
             loadPayload(address, reg);
 
             Jump notSingleton = branchTest32(Assembler::Zero,
                                              Address(reg, offsetof(JSObject, flags)),
                                              Imm32(JSObject::SINGLETON_TYPE));
 
             for (unsigned i = 0; i < count; i++) {
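Review bot: The scratch register is now hard-coded at `RegisterID reg = Registers::ArgReg1;`, but nothing at that line says why it is safe or checks it, so the only guard is the header comment on generateTypeCheck. If a caller ever holds a live value in ArgReg1, or passes an `address` whose base is ArgReg1, `loadPayload(address, reg)` overwrites it silently. In JIT-generated code that kind of clobber tends to show up as a type check passing on the wrong value rather than as a clean crash. I would add a comment such as `/* ArgReg1 is caller-save; callers guarantee no temporaries are live here, and saved registers may hold values across the stub call. */` and a debug check `JS_ASSERT(address.base != reg);` directly after the assignment. The loop that follows continues outside this hunk, so whether `address` is read again after the load cannot be confirmed from here.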