From 770ca1d056ba3ba2d429190eeaceea152077d91c Mon Sep 17 00:00:00 2001
From: Brian Hackett <bhackett1024@gmail.com>
Date: Mon, 29 Aug 2011 13:59:06 -0700
Subject: [PATCH] [INFER] Don't use loop registers for entries after coercing
 them to double/any for a branch, bug 682563.

---
 js/src/methodjit/Compiler.cpp     |  2 ++
 js/src/methodjit/FrameState-inl.h | 11 +++++++++++
 js/src/methodjit/FrameState.h     |  1 +
 3 files changed, 14 insertions(+)

diff --git a/js/src/methodjit/Compiler.cpp b/js/src/methodjit/Compiler.cpp
index 56968cdcca8..5011d94cc8f 100644
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -6918,6 +6918,7 @@ mjit::Compiler::fixDoubleTypes(jsbytecode *target)
                 if (vt.type == JSVAL_TYPE_INT32) {
                     fixedIntToDoubleEntries.append(newv->slot);
                     frame.ensureDouble(fe);
+                    frame.forgetLoopReg(fe);
                 } else if (vt.type == JSVAL_TYPE_UNKNOWN) {
                     /*
                      * Unknown here but a double at the target. The type
@@ -6932,6 +6933,7 @@ mjit::Compiler::fixDoubleTypes(jsbytecode *target)
             } else if (fe->isType(JSVAL_TYPE_DOUBLE)) {
                 fixedDoubleToAnyEntries.append(newv->slot);
                 frame.syncAndForgetFe(fe);
+                frame.forgetLoopReg(fe);
             }
             newv++;
         }
diff --git a/js/src/methodjit/FrameState-inl.h b/js/src/methodjit/FrameState-inl.h
index 09769ba0475..2ecd238bb14 100644
--- a/js/src/methodjit/FrameState-inl.h
+++ b/js/src/methodjit/FrameState-inl.h
@@ -878,6 +878,17 @@ FrameState::syncAndForgetFe(FrameEntry *fe, bool markSynced)
     fe->data.setMemory();
 }
 
+inline void
+FrameState::forgetLoopReg(FrameEntry *fe)
+{
+    /*
+     * Don't use a loop register for fe in the active loop, as its underlying
+     * representation may have changed since the start of the loop.
+     */
+    if (loop)
+        fe->lastLoop = loop->headOffset();
+}
+
 inline void
 FrameState::syncType(FrameEntry *fe)
 {
diff --git a/js/src/methodjit/FrameState.h b/js/src/methodjit/FrameState.h
index 4e4427511fa..2971903db29 100644
--- a/js/src/methodjit/FrameState.h
+++ b/js/src/methodjit/FrameState.h
@@ -951,6 +951,7 @@ class FrameState
     Vector<TemporaryCopy> *getTemporaryCopies();
 
     inline void syncAndForgetFe(FrameEntry *fe, bool markSynced = false);
+    inline void forgetLoopReg(FrameEntry *fe);
 
   private:
     inline AnyRegisterID allocAndLoadReg(FrameEntry *fe, bool fp, RematInfo::RematType type);