Bug 1484905 - Don't mark MGetFirstDollarIndex as movable. r=arai
authorJan de Mooij <jdemooij@mozilla.com>
Mon, 03 Sep 2018 17:30:55 +0200
changeset 482880 5c25f4ef0c29b4fab4b7ee53c8fa9f402874b7aa
parent 482879 c2c2b68be0960385b411076b9e4f388448c16ce9
child 482881 7e0efee05c20bfc28f1b8ca198a71594b5924f68
push id232
push userfmarier@mozilla.com
push dateWed, 05 Sep 2018 20:45:54 +0000
reviewersarai
bugs1484905
milestone63.0a1
Bug 1484905 - Don't mark MGetFirstDollarIndex as movable. r=arai Differential Revision: https://phabricator.services.mozilla.com/D4879
js/src/jit-test/tests/ion/bug1484905.js
js/src/jit/MIR.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1484905.js
@@ -0,0 +1,4 @@
+// |jit-test| --ion-limit-script-size=off; --ion-gvn=off
+for (var i = 0; i < 1; ++i) {
+    "".replace(/x/, "").replace(/y/, "12");
+}
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -7584,17 +7584,20 @@ class MRegExpInstanceOptimizable
 class MGetFirstDollarIndex
   : public MUnaryInstruction,
     public StringPolicy<0>::Data
 {
     explicit MGetFirstDollarIndex(MDefinition* str)
       : MUnaryInstruction(classOpcode, str)
     {
         setResultType(MIRType::Int32);
-        setMovable();
+
+        // Codegen assumes string length > 0. Don't allow LICM to move this
+        // before the .length > 1 check in RegExpReplace in RegExp.js.
+        MOZ_ASSERT(!isMovable());
     }
 
   public:
     INSTRUCTION_HEADER(GetFirstDollarIndex)
     TRIVIAL_NEW_WRAPPERS
     NAMED_OPERANDS((0, str))
 
     AliasSet getAliasSet() const override {