From 9eb583de8e891e492c57b0e8bff3b50f4afec896 Mon Sep 17 00:00:00 2001
From: Brian Hackett <bhackett1024@gmail.com>
Date: Tue, 19 Mar 2013 08:47:06 -0600
Subject: [PATCH] Bug 847412 - Monitor result type after a direct eval from Ion
 code, r=jandem.

---
 js/src/ion/IonBuilder.cpp              |  5 ++++-
 js/src/jit-test/tests/ion/bug847412.js | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/ion/bug847412.js

diff --git a/js/src/ion/IonBuilder.cpp b/js/src/ion/IonBuilder.cpp
index 7c4aebd0f0ce..03fbd2219121 100644
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -4469,7 +4469,10 @@ IonBuilder::jsop_eval(uint32_t argc)
         MInstruction *ins = MCallDirectEval::New(scopeChain, string, thisValue);
         current->add(ins);
         current->push(ins);
-        return resumeAfter(ins);
+
+        types::StackTypeSet *barrier;
+        types::StackTypeSet *types = oracle->returnTypeSet(script(), pc, &barrier);
+        return resumeAfter(ins) && pushTypeBarrier(ins, types, barrier);
     }
 
     return jsop_call(argc, /* constructing = */ false);
diff --git a/js/src/jit-test/tests/ion/bug847412.js b/js/src/jit-test/tests/ion/bug847412.js
new file mode 100644
index 000000000000..ce9816d40a92
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug847412.js
@@ -0,0 +1,19 @@
+
+var gTestcases = new Array();
+var gTc = gTestcases.length;
+function TestCase( a) {
+  this.actual = a;
+  gTestcases[gTc++] = this;
+}
+function test() {
+  for ( gTc=0; gTc < gTestcases.length; gTc++ ) {
+	gTestcases[gTc].actual.toString()
+  }
+}
+function testOverwritingSparseHole() {
+  for (var i = 0; i < 50; i++)
+    new TestCase(eval("VAR1 = 0; VAR2 = -1; VAR1 %= VAR2; VAR1"));
+}
+testOverwritingSparseHole();
+test();
+this.toSource();