Bug 1352510 - Handle already-invalidated IonScripts in ArrayPushDense. r=h4writer

--HG-- extra : rebase_source : 807ed6f72eb353020a4460ba0137e37f88245f6b
2017-04-25 12:56:54 +02:00 · 2017-04-25 12:56:54 +02:00 · 3d34d9a8de
--- a/js/src/jit-test/tests/ion/bug1352510.js
+++ b/js/src/jit-test/tests/ion/bug1352510.js
@ -0,0 +1,8 @@
+function maybeSetLength(arr, b) {
+    if (b) arr.length = 0x7fffffff;
+}
+var arr = [];
+for (var i = 0; i < 2000; i++) {
+    maybeSetLength(arr, i > 1500);
+    var res = arr.push((0.017453));
+}
--- a/js/src/jit/VMFunctions.cpp
+++ b/js/src/jit/VMFunctions.cpp
@ -356,8 +356,17 @@ ArrayPushDense(JSContext* cx, HandleObject obj, HandleValue v, uint32_t* length)
        return result == DenseElementResult::Success;
    }

+    // AutoDetectInvalidation uses GetTopJitJSScript(cx)->ionScript(), but it's
+    // possible the SetOrExtendAnyBoxedOrUnboxedDenseElements call already
+    // invalidated the IonScript. JitFrameIterator::ionScript works when the
+    // script is invalidated so we use that instead.
+    JitFrameIterator it(cx);
+    MOZ_ASSERT(it.type() == JitFrame_Exit);
+    ++it;
+    IonScript* ionScript = it.ionScript();
+
    JS::AutoValueArray<3> argv(cx);
-    AutoDetectInvalidation adi(cx, argv[0]);
+    AutoDetectInvalidation adi(cx, argv[0], ionScript);
    argv[0].setUndefined();
    argv[1].setObject(*obj);
    argv[2].set(v);