Bug 1024756: Track the frame size properly for NewDenseArray and rest arguments. Test case. r=shu

js/src/jit-test/tests/parallel/bug1024756.js

@@ -0,0 +1,12 @@
+// Failure to track frame size properly in code generation for NewDenseArray and rest arguments.
+
+if (!getBuildConfiguration().parallelJS)
+  quit(0);
+
+var x =
+(function() {
+    return Array.buildPar(15891, function() {
+        return [].map(function() {})
+    })
+})();
+assertEq(x.length, 15891);

js/src/jit/CodeGenerator.cpp

@@ -3916,10 +3916,10 @@ CodeGenerator::visitNewDenseArrayPar(LNewDenseArrayPar *lir)
     Register tempReg2 = ToRegister(lir->getTemp2());
     JSObject *templateObj = lir->mir()->templateObject();
 
-    masm.push(lengthReg);
+    masm.Push(lengthReg);
     if (!emitAllocateGCThingPar(lir, tempReg2, cxReg, tempReg0, tempReg1, templateObj))
         return false;
-    masm.pop(lengthReg);
+    masm.Pop(lengthReg);
 
     // Invoke a C helper to allocate the elements.  The helper returns
     // nullptr on allocation error or the array object.
@@ -6602,10 +6602,10 @@ CodeGenerator::visitRestPar(LRestPar *lir)
     unsigned numFormals = lir->mir()->numFormals();
     JSObject *templateObject = lir->mir()->templateObject();
 
-    masm.push(numActuals);
+    masm.Push(numActuals);
     if (!emitAllocateGCThingPar(lir, temp2, cx, temp0, temp1, templateObject))
         return false;
-    masm.pop(numActuals);
+    masm.Pop(numActuals);
 
     return emitRest(lir, temp2, numActuals, temp0, temp1, numFormals, templateObject, true, ToRegister(lir->output()));
 }

js/src/jit/MIR.h

@@ -9911,6 +9911,7 @@ class MNewDenseArrayPar : public MBinaryInstruction
       : MBinaryInstruction(cx, length),
         templateObject_(templateObject)
     {
+        JS_ASSERT(length->type() == MIRType_Int32);
         setResultType(MIRType_Object);
     }