Bug 1357024 - Fix fixupAliasedInputs to not leave an unusable register on 32-bit platforms. r=h4writer

js/src/jit-test/tests/cacheir/bug1357024.js

@@ -0,0 +1,12 @@
+function f() {
+    var o = {};
+    for (var j = 0; j < 15; j++) {
+        try {
+            o.__proto__ = o || j;
+        } catch(e) {
+            continue;
+        }
+        throw "Fail";
+    }
+}
+f();

js/src/jit/CacheIRCompiler.cpp

@@ -465,15 +465,19 @@ CacheRegisterAllocator::fixupAliasedInputs(MacroAssembler& masm)
             if (!loc1.aliasesReg(loc2))
                 continue;
 
+            // loc1 and loc2 alias so we spill one of them. If one is a
+            // ValueReg and the other is a PayloadReg, we have to spill the
+            // PayloadReg: spilling the ValueReg instead would leave its type
+            // register unallocated on 32-bit platforms.
             if (loc1.kind() == OperandLocation::ValueReg) {
                 MOZ_ASSERT_IF(loc2.kind() == OperandLocation::ValueReg,
                               loc1 == loc2);
+                spillOperandToStack(masm, &loc2);
+            } else {
+                MOZ_ASSERT(loc1.kind() == OperandLocation::PayloadReg);
                 spillOperandToStack(masm, &loc1);
-                break;
+                break; // Spilled loc1, so nothing else will alias it.
             }
-
-            MOZ_ASSERT(loc1.kind() == OperandLocation::PayloadReg);
-            spillOperandToStack(masm, &loc2);
         }
     }
 }