From 69e6b9f055b52e2b97a9aec37ec0fabccaeaa5a4 Mon Sep 17 00:00:00 2001
From: Brian Hackett <bhackett1024@gmail.com>
Date: Mon, 9 Mar 2015 09:17:27 -0600
Subject: [PATCH] Bug 1140888 - Make sure Ion code depending on unboxed layouts
 is invalidated when unboxed objects are converted to natives, r=jandem.

---
 .../tests/ion/unboxed-objects-invalidate.js      | 16 ++++++++++++++++
 js/src/vm/UnboxedObject.cpp                      |  2 ++
 2 files changed, 18 insertions(+)
 create mode 100644 js/src/jit-test/tests/ion/unboxed-objects-invalidate.js

diff --git a/js/src/jit-test/tests/ion/unboxed-objects-invalidate.js b/js/src/jit-test/tests/ion/unboxed-objects-invalidate.js
new file mode 100644
index 000000000000..02e27614fe20
--- /dev/null
+++ b/js/src/jit-test/tests/ion/unboxed-objects-invalidate.js
@@ -0,0 +1,16 @@
+
+var a = [];
+for (var i = 0; i < 2000; i++)
+    a.push({f:i});
+
+function f() {
+    var total = 0;
+    for (var i = 0; i < a.length; i++)
+        total += a[i].f;
+    return total;
+}
+assertEq(f(), 1999000);
+
+var sub = Object.create(a[0]);
+
+assertEq(f(), 1999000);
diff --git a/js/src/vm/UnboxedObject.cpp b/js/src/vm/UnboxedObject.cpp
index 0ec15fee308c..f7d3979ff1d4 100644
--- a/js/src/vm/UnboxedObject.cpp
+++ b/js/src/vm/UnboxedObject.cpp
@@ -265,6 +265,8 @@ UnboxedLayout::makeNativeGroup(JSContext *cx, ObjectGroup *group)
 
     nativeGroup->setOriginalUnboxedGroup(group);
 
+    group->markStateChange(cx);
+
     return true;
 }