Bug 1246593 - Ensure that the element index is greater than zero for the PostWriteElementBarrier; r=jandem

js/src/devtools/automation/cgc-jittest-timeouts.txt

@@ -13,6 +13,7 @@ basic/testBug686274.js
 basic/testManyVars.js
 basic/testTypedArrayInit.js
 gc/bug-1014972.js
+gc/bug-1246593.js
 gc/bug-906236.js
 gc/bug-906241.js
 ion/bug787921.js

js/src/jit-test/tests/gc/bug-1246593.js

@@ -0,0 +1,4 @@
+length = 10000;
+array = Array();
+for (i = length;i > -100000; i--)
+  array[i] = {};

js/src/jit/VMFunctions.cpp

@@ -619,10 +619,11 @@ PostWriteBarrier(JSRuntime* rt, JSObject* obj)
 static const size_t MAX_WHOLE_CELL_BUFFER_SIZE = 4096;
 
 void
-PostWriteElementBarrier(JSRuntime* rt, JSObject* obj, size_t index)
+PostWriteElementBarrier(JSRuntime* rt, JSObject* obj, int32_t index)
 {
     MOZ_ASSERT(!IsInsideNursery(obj));
     if (obj->is<NativeObject>() &&
+        uint32_t(index) < obj->as<NativeObject>().getDenseInitializedLength() &&
         (obj->as<NativeObject>().getDenseInitializedLength() > MAX_WHOLE_CELL_BUFFER_SIZE
 #ifdef JS_GC_ZEAL
          || rt->hasZealMode(gc::ZealMode::ElementsBarrier)

js/src/jit/VMFunctions.h

@@ -640,7 +640,7 @@ bool CreateThis(JSContext* cx, HandleObject callee, HandleObject newTarget, Muta
 void GetDynamicName(JSContext* cx, JSObject* scopeChain, JSString* str, Value* vp);
 
 void PostWriteBarrier(JSRuntime* rt, JSObject* obj);
-void PostWriteElementBarrier(JSRuntime* rt, JSObject* obj, size_t index);
+void PostWriteElementBarrier(JSRuntime* rt, JSObject* obj, int32_t index);
 void PostGlobalWriteBarrier(JSRuntime* rt, JSObject* obj);
 
 uint32_t GetIndexFromString(JSString* str);