Backout 60eb0da71cdb as suspected crash cause (bug 718765)

js/src/methodjit/Compiler.cpp

@@ -5029,7 +5029,7 @@ mjit::Compiler::jsop_setprop(PropertyName *name, bool popGuaranteed)
         ScriptAnalysis::NameAccess access =
             analysis->resolveNameAccess(cx, ATOM_TO_JSID(name), true);
         if (access.nesting) {
-            /* Use a SavedReg so it isn't clobbered by sync or the stub call. */
+            /* Use a SavedReg so it isn't clobbered by the stub call. */
             RegisterID nameReg = frame.allocReg(Registers::SavedRegs).reg();
             Address address = frame.loadNameAddress(access, nameReg);
 
@@ -5076,9 +5076,9 @@ mjit::Compiler::jsop_setprop(PropertyName *name, bool popGuaranteed)
             if (!isObject)
                 notObject = frame.testObject(Assembler::NotEqual, lhs);
 #ifdef JSGC_INCREMENTAL_MJ
+            frame.pinReg(reg);
             if (cx->compartment->needsBarrier() && propertyTypes->needsBarrier(cx)) {
                 /* Write barrier. */
-                frame.pinReg(reg);
                 Jump j = masm.testGCThing(Address(reg, JSObject::getFixedSlotOffset(slot)));
                 stubcc.linkExit(j, Uses(0));
                 stubcc.leave();
@@ -5086,8 +5086,8 @@ mjit::Compiler::jsop_setprop(PropertyName *name, bool popGuaranteed)
                                    reg, Registers::ArgReg1);
                 OOL_STUBCALL(stubs::GCThingWriteBarrier, REJOIN_NONE);
                 stubcc.rejoin(Changes(0));
-                frame.unpinReg(reg);
             }
+            frame.unpinReg(reg);
 #endif
             if (!isObject) {
                 stubcc.linkExit(notObject.get(), Uses(2));

js/src/methodjit/FastOps.cpp

@@ -1187,26 +1187,17 @@ mjit::Compiler::jsop_setelem_dense()
 
         /*
          * The sync call below can potentially clobber key.reg() and slotsReg.
-         * We pin key.reg() to avoid it being clobbered. If |hoisted| is true,
+         * So we save and restore them. Additionally, the WriteBarrier stub can
-         * we can also pin slotsReg. If not, then slotsReg is owned by the
+         * clobber both registers. The rejoin call will restore key.reg() but
-         * compiler and we save in manually to VMFrame::scratch.
+         * not slotsReg. So we restore it again after the stub call.
-         *
-         * Additionally, the WriteBarrier stub can clobber both registers. The
-         * rejoin call will restore key.reg() but not slotsReg. So we save
-         * slotsReg in the frame and restore it after the stub call.
          */
         stubcc.masm.storePtr(slotsReg, FrameAddress(offsetof(VMFrame, scratch)));
-        if (hoisted)
-            frame.pinReg(slotsReg);
         if (!key.isConstant())
-            frame.pinReg(key.reg());
+            stubcc.masm.push(key.reg());
         frame.sync(stubcc.masm, Uses(3));
         if (!key.isConstant())
-            frame.unpinReg(key.reg());
+            stubcc.masm.pop(key.reg());
-        if (hoisted)
+        stubcc.masm.loadPtr(FrameAddress(offsetof(VMFrame, scratch)), slotsReg);
-            frame.unpinReg(slotsReg);
-        else
-            stubcc.masm.loadPtr(FrameAddress(offsetof(VMFrame, scratch)), slotsReg);
 
         if (key.isConstant())
             stubcc.masm.lea(Address(slotsReg, key.index() * sizeof(Value)), Registers::ArgReg1);

js/src/methodjit/ImmutableSync.cpp

@@ -48,7 +48,7 @@ using namespace js;
 using namespace js::mjit;
 
 ImmutableSync::ImmutableSync()
-  : cx(NULL), entries(NULL), frame(NULL), avail(Registers::TempRegs), generation(0)
+  : cx(NULL), entries(NULL), frame(NULL), avail(Registers::AvailRegs), generation(0)
 {
 }
 
@@ -71,7 +71,7 @@ ImmutableSync::init(JSContext *cx, const FrameState &frame, uint32_t nentries)
 void
 ImmutableSync::reset(Assembler *masm, Registers avail, FrameEntry *top, FrameEntry *bottom)
 {
-    this->avail = avail & Registers::TempRegs;
+    this->avail = avail;
     this->masm = masm;
     this->top = top;
     this->bottom = bottom;
@@ -91,7 +91,7 @@ ImmutableSync::doAllocReg()
     /* Find something to evict. */
     for (uint32_t i = 0; i < Registers::TotalRegisters; i++) {
         RegisterID reg = RegisterID(i);
-        if (!(Registers::maskReg(reg) & Registers::TempRegs))
+        if (!(Registers::maskReg(reg) & Registers::AvailRegs))
             continue;
 
         if (frame->regstate(reg).isPinned())
@@ -151,14 +151,13 @@ ImmutableSync::allocReg()
 {
     RegisterID reg = doAllocReg();
     JS_ASSERT(!frame->regstate(reg).isPinned());
-    JS_ASSERT(!Registers::isSaved(reg));
     return reg;
 }
 
 void
 ImmutableSync::freeReg(JSC::MacroAssembler::RegisterID reg)
 {
-    if (!frame->regstate(reg).isPinned() && !Registers::isSaved(reg))
+    if (!frame->regstate(reg).isPinned())
         avail.putReg(reg);
 }
 

js/src/methodjit/MachineRegs.h

@@ -573,10 +573,6 @@ struct Registers {
         return freeMask == other.freeMask;
     }
 
-    Registers operator &(const Registers &other) {
-        return Registers(freeMask & other.freeMask);
-    }
-
     uint32_t freeMask;
 };