Bug 703544 - Fix register allocation bug in dense array write barrier (r=bhackett)

2024-10-15 14:25:52 +00:00 · 2011-11-18 17:43:00 -08:00 · 2011-11-18 17:43:00 -08:00 · fe2af34e51
commit fe2af34e51
parent 0cec9a62ce
2 changed files with 21 additions and 1 deletions
--- a/js/src/jit-test/tests/basic/bug703544.js
+++ b/js/src/jit-test/tests/basic/bug703544.js
@ -0,0 +1,7 @@
+gczeal(4);
+function testInterpreterReentry7() {
+    var arr = [0, 1, 2, 3, 4];
+    for (var i = (1); i < 5; i++)
+        arr[i] = "grue";
+}
+testInterpreterReentry7();
--- a/js/src/methodjit/FastOps.cpp
+++ b/js/src/methodjit/FastOps.cpp
@ -1180,9 +1180,22 @@ mjit::Compiler::jsop_setelem_dense()
    types::TypeSet *types = frame.extra(obj).types;
    if (cx->compartment->needsBarrier() && (!types || types->propertyNeedsBarrier(cx, JSID_VOID))) {
        Label barrierStart = stubcc.masm.label();
-        frame.sync(stubcc.masm, Uses(3));
        stubcc.linkExitDirect(masm.jump(), barrierStart);
+
+        /*
+         * The sync call below can potentially clobber key.reg() and slotsReg.
+         * So we save and restore them. Additionally, the WriteBarrier stub can
+         * clobber both registers. The rejoin call will restore key.reg() but
+         * not slotsReg. So we restore it again after the stub call.
+         */
        stubcc.masm.storePtr(slotsReg, FrameAddress(offsetof(VMFrame, scratch)));
+        if (!key.isConstant())
+            stubcc.masm.push(key.reg());
+        frame.sync(stubcc.masm, Uses(3));
+        if (!key.isConstant())
+            stubcc.masm.pop(key.reg());
+        stubcc.masm.loadPtr(FrameAddress(offsetof(VMFrame, scratch)), slotsReg);
+
        if (key.isConstant())
            stubcc.masm.lea(Address(slotsReg, key.index() * sizeof(Value)), Registers::ArgReg1);
        else