Bug 1264575 - Add missing pre-barrier in Ion r=jandem a=ritu
authorJon Coppeard <jcoppeard@mozilla.com>
Wed, 11 May 2016 10:14:45 +0100
changeset 332887 df9b55a0fed6e85bfde84a9f6debe2c772fdc7f5
parent 332886 796d757bceee782f5c24350fcf213c87655659e9
child 332888 39d73775d903e37dfcd2f779e136033807789dc3
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
treeherdermozilla-beta@46d72a56c57d [default view] [failures only]
reviewersjandem, ritu
bugs1264575
milestone48.0a2
Bug 1264575 - Add missing pre-barrier in Ion r=jandem a=ritu
js/src/jit-test/tests/self-hosting/bug1264575.js
js/src/jit/MCallOptimize.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/self-hosting/bug1264575.js
@@ -0,0 +1,7 @@
+function f(x, [y]) {}
+f(0, []);
+// jsfunfuzz-generated
+let i = 0;
+for (var z of [0, 0, 0]) {
+    verifyprebarriers();
+}
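Review bot: Nothing in this test says which code path it is meant to reach; the only hint is the `// jsfunfuzz-generated` line. A short header such as `// Bug 1264575: Ion-inlined reserved-slot stores must emit a pre-barrier; verifyprebarriers() checks for missing ones.` would tell a later reader why the destructuring parameter and the for-of loop are there. `let i = 0;` is never read in the visible lines and could be dropped if the reduced case still reproduces without it. The check presumably only has teeth in builds and configurations where `verifyprebarriers()` is active and the loop reaches Ion, which is worth stating in the same comment.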
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -2328,17 +2328,18 @@ IonBuilder::inlineUnsafeSetReservedSlot(
     // Don't inline if we don't have a constant slot.
     MDefinition* arg = callInfo.getArg(1);
     if (!arg->isConstant())
         return InliningStatus_NotInlined;
     uint32_t slot = uint32_t(arg->toConstant()->toInt32());
 
     callInfo.setImplicitlyUsedUnchecked();
 
-    MStoreFixedSlot* store = MStoreFixedSlot::New(alloc(), callInfo.getArg(0), slot, callInfo.getArg(2));
+    MStoreFixedSlot* store =
+        MStoreFixedSlot::NewBarriered(alloc(), callInfo.getArg(0), slot, callInfo.getArg(2));
     current->add(store);
     current->push(store);
 
     if (NeedsPostBarrier(callInfo.getArg(2)))
         current->add(MPostWriteBarrier::New(alloc(), callInfo.getArg(0), callInfo.getArg(2)));
 
     return InliningStatus_Inlined;
 }
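Review bot: The switch to `MStoreFixedSlot::NewBarriered` carries no comment, so nothing at the call site records why the plain `New` was unsafe here. A missing pre-barrier is a GC-safety defect, because the value being overwritten can be missed by an in-progress incremental mark. I would add a line above the store, such as `// The slot may already hold a GC thing, so this store needs a pre-barrier.` It would also be worth checking the other `MStoreFixedSlot::New` call sites in this file for stores that can overwrite an initialized slot; none are visible in this hunk, so that is a suggestion rather than a finding. The body of `inlineUnsafeSetReservedSlot` begins above the hunk, so any earlier argument checks are not visible here.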