From ce2cf4e34773dee64d3b3e40257f28794168304d Mon Sep 17 00:00:00 2001
From: Terrence Cole <terrence@mozilla.com>
Date: Fri, 2 May 2014 16:33:18 -0700
Subject: [PATCH] Bug 1004457 - Remove unused mutable value operations from
 BarrieredBase; r=jonco

---
 js/src/gc/Barrier.h                     | 15 ++++++++++++++-
 js/src/jit-test/tests/gc/bug-1004457.js |  3 +++
 js/src/vm/ArgumentsObject.h             |  2 +-
 3 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 js/src/jit-test/tests/gc/bug-1004457.js

diff --git a/js/src/gc/Barrier.h b/js/src/gc/Barrier.h
index 1da568f34e81..ede93b7f7b72 100644
--- a/js/src/gc/Barrier.h
+++ b/js/src/gc/Barrier.h
@@ -407,11 +407,14 @@ struct InternalGCMethods<jsid>
     static void postBarrierRemove(jsid *idp) {}
 };
 
+template <typename T>
+class BarrieredBaseMixins {};
+
 /*
  * Base class for barriered pointer types.
  */
 template <class T>
-class BarrieredBase : public HeapBase<T>
+class BarrieredBase : public BarrieredBaseMixins<T>
 {
   protected:
     T value;
@@ -436,6 +439,7 @@ class BarrieredBase : public HeapBase<T>
      * Obviously this is dangerous unless you know the barrier is not needed.
      */
     T *unsafeGet() { return &value; }
+    const T *unsafeGet() const { return &value; }
     void unsafeSet(T v) { value = v; }
 
     T operator->() const { return value; }
@@ -451,6 +455,15 @@ class BarrieredBase : public HeapBase<T>
     void pre(Zone *zone) { InternalGCMethods<T>::preBarrier(zone, value); }
 };
 
+template <>
+class BarrieredBaseMixins<JS::Value> : public ValueOperations<BarrieredBase<JS::Value> >
+{
+    friend class ValueOperations<BarrieredBase<JS::Value> >;
+    const JS::Value * extract() const {
+        return static_cast<const BarrieredBase<JS::Value>*>(this)->unsafeGet();
+    }
+};
+
 /*
  * PreBarriered only automatically handles pre-barriers. Post-barriers must
  * be manually implemented when using this class. HeapPtr and RelocatablePtr
diff --git a/js/src/jit-test/tests/gc/bug-1004457.js b/js/src/jit-test/tests/gc/bug-1004457.js
new file mode 100644
index 000000000000..80e1150f34d3
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1004457.js
@@ -0,0 +1,3 @@
+var argObj = (function () { return arguments })();
+gczeal(4);
+delete argObj.callee;
diff --git a/js/src/vm/ArgumentsObject.h b/js/src/vm/ArgumentsObject.h
index efc24545f370..f4636cb6daf5 100644
--- a/js/src/vm/ArgumentsObject.h
+++ b/js/src/vm/ArgumentsObject.h
@@ -295,7 +295,7 @@ class NormalArgumentsObject : public ArgumentsObject
 
     /* Clear the location storing arguments.callee's initial value. */
     void clearCallee() {
-        data()->callee.setMagic(JS_OVERWRITTEN_CALLEE);
+        data()->callee = MagicValue(JS_OVERWRITTEN_CALLEE);
     }
 };