From cac9c459cee83085b9aa0d18cbb87a77671544be Mon Sep 17 00:00:00 2001
From: Jason Orendorff
Date: Mon, 15 Sep 2014 13:29:28 -0500
Subject: [PATCH] Bug 1053676 - Insert GC pre-barriers for slots containing symbols in Ion code. r=terrence.

The first two hunks in this patch are improvements to an assertion blamed (I think incorrectly) for this bug in the original bug report. They are not directly related to the fix.
--HG--
extra : rebase_source : 031680a9b762f05e9b64e8aab9f87d686d2ab45d
extra : amend_source : 32f4ab968338de3ae989ec4d4c4dee7bd56df498
---
 js/src/gc/GCRuntime.h | 3 +++
 js/src/gc/Nursery.cpp | 3 ++-
 js/src/jit-test/tests/gc/bug-1053676.js | 10 ++++++++++
 js/src/jsinfer.cpp | 4 +++-
 4 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 js/src/jit-test/tests/gc/bug-1053676.js

diff --git a/js/src/gc/GCRuntime.h b/js/src/gc/GCRuntime.h
index 51b2ac6583ec..9631113b6966 100644
--- a/js/src/gc/GCRuntime.h
+++ b/js/src/gc/GCRuntime.h
@@ -468,6 +468,9 @@ class GCRuntime
 void startVerifyPostBarriers();
 bool endVerifyPostBarriers();
 void finishVerifier();
+ bool isVerifyPreBarriersEnabled() const { return !!verifyPreData; }
+#else
+ bool isVerifyPreBarriersEnabled() const { return false; }
 #endif

 private:
diff --git a/js/src/gc/Nursery.cpp b/js/src/gc/Nursery.cpp
index 54becfba7685..567cff16adab 100644
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -109,7 +109,8 @@ js::Nursery::updateDecommittedRegion()
 void
 js::Nursery::enable()
 {
- JS_ASSERT(isEmpty());
+ MOZ_ASSERT(isEmpty());
+ MOZ_ASSERT(!runtime()->gc.isVerifyPreBarriersEnabled());
 if (isEnabled())
 return;
 numActiveChunks_ = 1;
diff --git a/js/src/jit-test/tests/gc/bug-1053676.js b/js/src/jit-test/tests/gc/bug-1053676.js
new file mode 100644
index 000000000000..83c7afe3f345
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1053676.js
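Review bot: The new accessor `isVerifyPreBarriersEnabled()` in js/src/gc/GCRuntime.h is undocumented, and its `#else` stub makes every caller's check a constant `false` in builds where the enclosing `#if` (opened outside this hunk) is not taken. A one-line comment above the first definition would make that explicit, for example `// True while verifyPreData is set; always false when the barrier verifier is compiled out.` Without it, a reader of a call site cannot tell that the check only has teeth in verifier-enabled builds.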
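Review bot: In js::Nursery::enable() the added `MOZ_ASSERT(!runtime()->gc.isVerifyPreBarriersEnabled());` states an invariant without saying why the nursery must not be enabled while the pre-barrier verifier is active. It also sits before the `if (isEnabled()) return;` early-out, so it fires on calls that would otherwise be no-ops. If that placement is intended, a comment would record it, e.g. `// Must hold even when the nursery is already enabled: the pre-barrier verifier expects the nursery to stay off.` (wording to be confirmed against the verifier's actual requirement). Because this is an assertion and the stub in GCRuntime.h returns `false` where the verifier is not built, the check presumably protects debug and test configurations only. The function body continues past the end of the hunk.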
@@ -0,0 +1,10 @@
+// |jit-test| ion-eager; debug;
+var x
+(function() {
+ x
+}());
+verifyprebarriers();
+x = x * 0
+x = Symbol();
+gc();
+evalcx("x=1", this);
diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp
index 794a674d57bd..8b8e3c820a40 100644
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -614,6 +614,8 @@ TypeSet::print()
 fprintf(stderr, " float");
 if (flags & TYPE_FLAG_STRING)
 fprintf(stderr, " string");
+ if (flags & TYPE_FLAG_SYMBOL)
+ fprintf(stderr, " symbol");
 if (flags & TYPE_FLAG_LAZYARGS)
 fprintf(stderr, " lazyargs");

@@ -1498,7 +1500,7 @@ HeapTypeSetKey::needsBarrier(CompilerConstraintList *constraints)
 return false;
 bool result = types->unknownObject()
 || types->getObjectCount() > 0
- || types->hasAnyFlag(TYPE_FLAG_STRING);
+ || types->hasAnyFlag(TYPE_FLAG_STRING | TYPE_FLAG_SYMBOL);
 if (!result)
 freeze(constraints);
 return result;
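Review bot: The new test js/src/jit-test/tests/gc/bug-1053676.js carries only the `|jit-test|` directive line and no comment saying which behaviour it pins down, so a later reader cannot tell which of the statements are load-bearing. A header such as `// Overwriting a symbol-valued slot from Ion code must emit a GC pre-barrier (bug 1053676).` would tie it to the fix. The test also seems to depend on `verifyprebarriers()` actually starting the verifier; if that shell function is a no-op in some build, the test would pass without exercising the barrier, which is worth stating in the comment. If any supported configuration lacks `Symbol`, the unguarded `x = Symbol();` would throw rather than skip.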
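Review bot: In HeapTypeSetKey::needsBarrier (js/src/jsinfer.cpp) the set of primitive flags that require a pre-barrier is still spelled out inline as `TYPE_FLAG_STRING | TYPE_FLAG_SYMBOL`, which is the same shape that let symbols be missed in the first place. Nothing at this site tells whoever adds the next GC-allocated primitive type that it must be listed here. Since a missing pre-barrier in JIT-compiled stores is a memory-safety problem rather than a cosmetic one, I would at least add a comment on that line, e.g. `// Strings and symbols are GC things; every type flag whose values are GC-allocated must appear in this mask.`, or hoist the mask into a named constant next to the flag definitions. Other checks that test `TYPE_FLAG_STRING` alone for barrier decisions, if there are any, are not visible in this patch and would deserve the same audit. The function body starts before the hunk.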