Bug 1401014 - Fix resume point in IonBuilder::setPropTryInlineAccess r=jandem

MozReview-Commit-ID: L5VpnS41tiH

--HG--
extra : rebase_source : d7eef0358a28a652b7038af8cf609d038c27ee6f

js/src/jit-test/tests/ion/bug1401014.js

@@ -0,0 +1,52 @@
+// Prevent optimizing top-level
+with ({}) { }
+
+
+// Unboxed object constructor candidate
+function Thing() {
+    this.a = {};    // Object || null
+    this.b = {};    // Object || null
+}
+
+(new Thing());
+(new Thing()).a = null;
+(new Thing()).b = null;
+
+
+var arr = new Array(1000);
+arr[0];
+
+var ctx = new Thing();
+
+function funPsh(t, x) {
+    t.a = x;
+}
+
+function funBug(t, i) {
+    t.b = t.a;      // GETPROP t.a
+    t.a = null;     // SETPROP t.a
+    arr[i] = 0;     // Bailout on uninitialized elements
+    return t.b;
+}
+
+// Ion compile
+for (var i = 0; i < 20000; ++i) {
+    funBug(ctx, 0);
+    funPsh(ctx, {});
+}
+
+// Invalidate
+let tmp = { a: null, b: {} };
+funBug(tmp, 0);
+
+// Ion compile
+for (var i = 0; i < 20000; ++i) {
+    funBug(ctx, 0);
+    funPsh(ctx, {});
+}
+
+// Trigger bailout
+let res = funBug(ctx, 500);
+
+// Result should not be clobbered by |t.a = null|
+assertEq(res === null, false);

js/src/jit/IonBuilder.cpp

@@ -12028,10 +12028,12 @@ IonBuilder::setPropTryInlineAccess(bool* emitted, MDefinition* obj,
             current->add(MPostWriteBarrier::New(alloc(), obj, value));
 
         const UnboxedLayout::Property* property = group->unboxedLayout().lookup(name);
-        storeUnboxedProperty(obj, property->offset, property->type, value);
+        MInstruction* store = storeUnboxedProperty(obj, property->offset, property->type, value);
 
         current->push(value);
 
+        MOZ_TRY(resumeAfter(store));
+
         trackOptimizationOutcome(TrackedOutcome::Monomorphic);
         *emitted = true;
         return Ok();