Bug 1138740 - Notify Ion when changing a typed array's data pointer due to making a lazy buffer for it. r=sfink, a=sledru
authorBrian Hackett <bhackett1024@gmail.com>
Sat, 07 Mar 2015 09:46:27 -0600
changeset 260294 e1fb2a5ab48d
parent 260293 56d740d0769f
child 260295 046c97d2eb23
push id741
push userryanvm@gmail.com
push date2015-04-27 20:01 +0000
treeherdermozilla-release@d10817faa571 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssfink, sledru
bugs1138740
milestone38.0
Bug 1138740 - Notify Ion when changing a typed array's data pointer due to making a lazy buffer for it. r=sfink, a=sledru
js/src/jit-test/tests/ion/bug1138740.js
js/src/vm/TypedArrayObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1138740.js
@@ -0,0 +1,12 @@
+
+with({}){}
+x = Int8Array(1)
+function f(y) {
+    x[0] = y
+}
+f()
+f(3)
+f(7)
+x.buffer;
+f(0);
+assertEq(x[0], 0);
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -115,16 +115,20 @@ TypedArrayObject::ensureHasBuffer(JSCont
 
     if (!buffer->addView(cx, tarray))
         return false;
 
     memcpy(buffer->dataPointer(), tarray->viewData(), tarray->byteLength());
     tarray->setPrivate(buffer->dataPointer());
 
     tarray->setSlot(TypedArrayLayout::BUFFER_SLOT, ObjectValue(*buffer));
+
+    // Notify compiled jit code that the base pointer has moved.
+    MarkObjectStateChange(cx, tarray);
+
     return true;
 }
 
 /* static */ void
 TypedArrayObject::trace(JSTracer* trc, JSObject* objArg)
 {
     // Handle all tracing required when the object has a buffer.
     ArrayBufferViewObject::trace(trc, objArg);