From 07fa31ec7c1a11b095ec7bcc61fb979570bc624d Mon Sep 17 00:00:00 2001
From: Leo Gaspard <leo@gaspard.io>
Date: Tue, 16 Aug 2016 14:45:07 -0700
Subject: [PATCH] Bug 1283334 - Part 2: Do not sparsify dense arrays when
 freezing - Baseline. r=nbp

--HG--
extra : rebase_source : 135d19fdb9df833819e841c892ce786c6d00a940
extra : histedit_source : 24a4c23bf696c117f7e25520a4c1b770a798748f
---
 js/src/jit/BaselineIC.cpp | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp
index 64dadba4076f..5f7f058ea2c4 100644
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -2822,17 +2822,21 @@ ICSetElem_DenseOrUnboxedArray::Compiler::generateStubCode(MacroAssembler& masm)
         masm.branchTestMagic(Assembler::Equal, element, &failure);
 
         // Perform a single test to see if we either need to convert double
-        // elements or clone the copy on write elements in the object.
+        // elements, clone the copy on write elements in the object or fail
+        // due to a frozen element.
         Label noSpecialHandling;
         Address elementsFlags(scratchReg, ObjectElements::offsetOfFlags());
         masm.branchTest32(Assembler::Zero, elementsFlags,
                           Imm32(ObjectElements::CONVERT_DOUBLE_ELEMENTS |
-                                ObjectElements::COPY_ON_WRITE),
+                                ObjectElements::COPY_ON_WRITE |
+                                ObjectElements::FROZEN),
                           &noSpecialHandling);
 
-        // Fail if we need to clone copy on write elements.
+        // Fail if we need to clone copy on write elements or to throw due
+        // to a frozen element.
         masm.branchTest32(Assembler::NonZero, elementsFlags,
-                          Imm32(ObjectElements::COPY_ON_WRITE),
+                          Imm32(ObjectElements::COPY_ON_WRITE |
+                                ObjectElements::FROZEN),
                           &failure);
 
         // Failure is not possible now.  Free up registers.
@@ -3032,7 +3036,8 @@ ICSetElemDenseOrUnboxedArrayAddCompiler::generateStubCode(MacroAssembler& masm)
         // Check for copy on write elements.
         Address elementsFlags(scratchReg, ObjectElements::offsetOfFlags());
         masm.branchTest32(Assembler::NonZero, elementsFlags,
-                          Imm32(ObjectElements::COPY_ON_WRITE),
+                          Imm32(ObjectElements::COPY_ON_WRITE |
+                                ObjectElements::FROZEN),
                           &failure);
 
         // Failure is not possible now.  Free up registers.