From 3301b277a135d588261f4d6c24686267aa01db68 Mon Sep 17 00:00:00 2001
From: Terrence Cole <terrence@mozilla.com>
Date: Mon, 21 Sep 2015 09:41:29 -0700
Subject: [PATCH] Bug 1188290 - Remove an incomplete assertion about store
 buffer state; r=jandem

---
 js/src/gc/StoreBuffer.h                 |  8 --------
 js/src/jit-test/tests/gc/bug-1188290.js | 12 ++++++++++++
 js/src/jsobj.h                          |  8 ++++----
 3 files changed, 16 insertions(+), 12 deletions(-)
 create mode 100644 js/src/jit-test/tests/gc/bug-1188290.js

diff --git a/js/src/gc/StoreBuffer.h b/js/src/gc/StoreBuffer.h
index 71a9a3c81f6f..00353c068e77 100644
--- a/js/src/gc/StoreBuffer.h
+++ b/js/src/gc/StoreBuffer.h
@@ -447,14 +447,6 @@ class StoreBuffer
         putFromAnyThread(bufferGeneric, CallbackRef<Key>(callback, key, data));
     }
 
-    void assertHasCellEdge(Cell** cellp) {
-        CellPtrEdge cpe(cellp);
-
-        MOZ_ASSERT(bufferCell.has(this, CellPtrEdge(cellp)) ||
-                   !CellPtrEdge(cellp).maybeInRememberedSet(nursery_));
-
-    }
-
     void assertHasValueEdge(JS::Value* vp) {
         MOZ_ASSERT(bufferVal.has(this, ValueEdge(vp)) ||
                    !ValueEdge(vp).maybeInRememberedSet(nursery_));
diff --git a/js/src/jit-test/tests/gc/bug-1188290.js b/js/src/jit-test/tests/gc/bug-1188290.js
new file mode 100644
index 000000000000..f6f8b91bfd19
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1188290.js
@@ -0,0 +1,12 @@
+this.__proto__ = [];
+var T = TypedObject;
+var ObjectStruct = new T.StructType({f: T.Object});
+var o = new ObjectStruct();
+minorgc();
+function writeObject(o, v) {
+    o.f = v;
+    assertEq(typeof o.f, "object");
+}
+for (var i = 0; i < 5; i++)
+    writeObject(o, { toString: function() { return "helo"} }
+);
diff --git a/js/src/jsobj.h b/js/src/jsobj.h
index 3e8da316611e..1a40bd90c5ee 100644
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@@ -642,11 +642,11 @@ JSObject::writeBarrierPost(void* cellp, JSObject* prev, JSObject* next)
     js::gc::StoreBuffer* buffer;
     if (next && (buffer = next->storeBuffer())) {
         // If we know that the prev has already inserted an entry, we can skip
-        // doing the lookup to add the new entry.
-        if (prev && prev->storeBuffer()) {
-            buffer->assertHasCellEdge(static_cast<js::gc::Cell**>(cellp));
+        // doing the lookup to add the new entry. Note that we cannot safely
+        // assert the presence of the entry because it may have been added
+        // via a different store buffer.
+        if (prev && prev->storeBuffer())
             return;
-        }
         buffer->putCellFromAnyThread(static_cast<js::gc::Cell**>(cellp));
         return;
     }