Bug 1129416: Make FuncConvertBits and SIMD ctors GC sane in the interpreter; r=jonco

--HG--
extra : rebase_source : ec70d33848e00824152de4d45c0703f237571153

js/src/builtin/SIMD.cpp

@@ -360,32 +360,41 @@ SimdTypeDescr::call(JSContext *cx, unsigned argc, Value *vp)
         return true;
     }
 
+    MOZ_ASSERT(size_t(static_cast<TypeDescr*>(descr)->size()) <= InlineTypedObject::MaximumSize,
+               "inline storage is needed for using InternalHandle belows");
+
     Rooted<TypedObject*> result(cx, TypedObject::createZeroed(cx, descr, 0));
     if (!result)
         return false;
 
     switch (descr->type()) {
       case SimdTypeDescr::TYPE_INT32: {
-        int32_t *mem = reinterpret_cast<int32_t*>(result->typedMem());
+        InternalHandle<int32_t *> mem(result, reinterpret_cast<int32_t*>(result->typedMem()));
+        int32_t tmp;
         for (unsigned i = 0; i < 4; i++) {
-            if (!ToInt32(cx, args.get(i), &mem[i]))
+            if (!ToInt32(cx, args.get(i), &tmp))
                 return false;
+            mem.get()[i] = tmp;
         }
         break;
       }
       case SimdTypeDescr::TYPE_FLOAT32: {
-        float *mem = reinterpret_cast<float*>(result->typedMem());
+        InternalHandle<float *> mem(result, reinterpret_cast<float*>(result->typedMem()));
+        float tmp;
         for (unsigned i = 0; i < 4; i++) {
-            if (!RoundFloat32(cx, args.get(i), &mem[i]))
+            if (!RoundFloat32(cx, args.get(i), &tmp))
                 return false;
+            mem.get()[i] = tmp;
         }
         break;
       }
       case SimdTypeDescr::TYPE_FLOAT64: {
-        double *mem = reinterpret_cast<double*>(result->typedMem());
+        InternalHandle<double *> mem(result, reinterpret_cast<double*>(result->typedMem()));
+        double tmp;
         for (unsigned i = 0; i < 2; i++) {
-            if (!ToNumber(cx, args.get(i), &mem[i]))
+            if (!ToNumber(cx, args.get(i), &tmp))
                 return false;
+            mem.get()[i] = tmp;
         }
         break;
       }
@@ -876,8 +885,13 @@ FuncConvertBits(JSContext *cx, unsigned argc, Value *vp)
     if (args.length() != 1 || !IsVectorObject<V>(args[0]))
         return ErrorBadArgs(cx);
 
-    RetElem *result = TypedObjectMemory<RetElem *>(args[0]);
-    return StoreResult<Vret>(cx, args, result);
+    // While we could just pass the typedMem of args[0] as StoreResults' last
+    // argument, a GC could move the pointer to its memory in the meanwhile.
+    // For consistency with other SIMD functions, simply copy the input in a
+    // temporary array.
+    RetElem copy[Vret::lanes];
+    memcpy(copy, TypedObjectMemory<RetElem*>(args[0]), Vret::lanes * sizeof(RetElem));
+    return StoreResult<Vret>(cx, args, copy);
 }
 
 template<typename Vret>
@@ -1059,7 +1073,7 @@ Load(JSContext *cx, unsigned argc, Value *vp)
 
     Rooted<TypeDescr*> typeDescr(cx, &V::GetTypeDescr(*cx->global()));
     MOZ_ASSERT(typeDescr);
-    Rooted<TypedObject *> result(cx, OutlineTypedObject::createZeroed(cx, typeDescr, 0));
+    Rooted<TypedObject *> result(cx, TypedObject::createZeroed(cx, typeDescr, 0));
     if (!result)
         return false;
 

js/src/tests/ecma_7/SIMD/select-bitselect.js

@@ -128,9 +128,9 @@ function test() {
     testSelect(float64x2, inputs);
     testBitSelectSimple(float64x2, inputs);
     testBitSelectComplex(float64x2, inputs);
+
+    if (typeof reportCompare === "function")
+        reportCompare(true, true);
 }
 
-// TODO temporarily disabled because of bug 1123404
-//test();
-if (typeof reportCompare === "function")
-    reportCompare(true, true);
+test();