Bug 1401014 - Fix resume point in IonBuilder::setPropTryInlineAccess
MozReview-Commit-ID: L5VpnS41tiH
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1401014.js
@@ -0,0 +1,52 @@
+// Prevent optimizing top-level
+with ({}) { }
+
+
+// Unboxed object constructor candidate
+function Thing() {
+ this.a = {}; // Object || null
+ this.b = {}; // Object || null
+}
+
+(new Thing());
+(new Thing()).a = null;
+(new Thing()).b = null;
+
+
+var arr = new Array(1000);
+arr[0];
+
+var ctx = new Thing();
+
+function funPsh(t, x) {
+ t.a = x;
+}
+
+function funBug(t, i) {
+ t.b = t.a; // GETPROP t.a
+ t.a = null; // SETPROP t.a
+ arr[i] = 0; // Bailout on uninitialized elements
+ return t.b;
+}
+
+// Ion compile
+for (var i = 0; i < 20000; ++i) {
+ funBug(ctx, 0);
+ funPsh(ctx, {});
+}
+
+// Invalidate
+let tmp = { a: null, b: {} };
+funBug(tmp, 0);
+
+// Ion compile
+for (var i = 0; i < 20000; ++i) {
+ funBug(ctx, 0);
+ funPsh(ctx, {});
+}
+
+// Trigger bailout
+let res = funBug(ctx, 500);
+
+// Result should not be clobbered by |t.a = null|
+assertEq(res === null, false);
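Review bot: The test has no header comment naming the failure it guards against, and nothing in it confirms that `funBug` was actually Ion-compiled before the final call. I would open the file with something like `// Bug 1401014: a bailout after an inlined unboxed SETPROP must not resume before the store, otherwise |t.b = t.a| re-runs and reads the already-nulled |t.a|.`, which is what the inline comments in `funBug` and on the last assertion appear to describe. The two 20000-iteration loops assume the shell's Ion warm-up threshold is below that count; if the test runs with Ion disabled or a higher threshold, `assertEq(res === null, false)` still holds and the regression check passes without exercising the patched path. It would help to state that assumption in a comment or pin the warm-up threshold at the top of the test. The bare `arr[0];` statement would also benefit from a short comment saying why it is needed.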
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -12023,20 +12023,22 @@ IonBuilder::setPropTryInlineAccess(bool*
return Ok();
obj = addGroupGuard(obj, group, Bailout_ShapeGuard);
if (needsPostBarrier(value))
current->add(MPostWriteBarrier::New(alloc(), obj, value));
const UnboxedLayout::Property* property = group->unboxedLayout().lookup(name);
- storeUnboxedProperty(obj, property->offset, property->type, value);
+ MInstruction* store = storeUnboxedProperty(obj, property->offset, property->type, value);
current->push(value);
+ MOZ_TRY(resumeAfter(store));
+
trackOptimizationOutcome(TrackedOutcome::Monomorphic);
*emitted = true;
return Ok();
}
MOZ_ASSERT(receivers.length() > 1);
spew("Inlining polymorphic SETPROP");
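Review bot: The added `MOZ_TRY(resumeAfter(store));` has no comment explaining why the unboxed store needs its own resume point, or why it sits after `current->push(value)`, so a later refactor could reorder or drop it without noticing. I would put above it `// The unboxed store is effectful: take a resume point after it, once |value| is pushed, so a later bailout does not re-execute bytecode that precedes the store.`; the ordering is presumably there so the captured stack includes the pushed value. A stale resume point makes the interpreter resume against object state the compiled code has already mutated, which the accompanying test shows as a clobbered property. Any other caller of `storeUnboxedProperty` should therefore be checked for the same pattern now that the instruction is returned; those callers are not visible in this hunk. The body of `setPropTryInlineAccess` starts before and continues past the hunk, so the sibling monomorphic and polymorphic paths could not be compared here.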