Bug 1053676 - Insert GC pre-barriers for slots containing symbols in Ion code. r=terrence.

The first two hunks in this patch are improvements to an assertion blamed (I think incorrectly) for this bug in the original bug report. They are not directly related to the fix.

--HG--
extra : rebase_source : 031680a9b762f05e9b64e8aab9f87d686d2ab45d
extra : amend_source : 32f4ab968338de3ae989ec4d4c4dee7bd56df498

js/src/gc/GCRuntime.h

@@ -468,6 +468,9 @@ class GCRuntime
     void startVerifyPostBarriers();
     bool endVerifyPostBarriers();
     void finishVerifier();
+    bool isVerifyPreBarriersEnabled() const { return !!verifyPreData; }
+#else
+    bool isVerifyPreBarriersEnabled() const { return false; }
 #endif
 
   private:

js/src/gc/Nursery.cpp

@@ -109,7 +109,8 @@ js::Nursery::updateDecommittedRegion()
 void
 js::Nursery::enable()
 {
-    JS_ASSERT(isEmpty());
+    MOZ_ASSERT(isEmpty());
+    MOZ_ASSERT(!runtime()->gc.isVerifyPreBarriersEnabled());
     if (isEnabled())
         return;
     numActiveChunks_ = 1;

js/src/jit-test/tests/gc/bug-1053676.js

@@ -0,0 +1,10 @@
+// |jit-test| ion-eager; debug;
+var x
+(function() {
+    x
+}());
+verifyprebarriers();
+x = x * 0
+x = Symbol();
+gc();
+evalcx("x=1", this);

js/src/jsinfer.cpp

@@ -614,6 +614,8 @@ TypeSet::print()
         fprintf(stderr, " float");
     if (flags & TYPE_FLAG_STRING)
         fprintf(stderr, " string");
+    if (flags & TYPE_FLAG_SYMBOL)
+        fprintf(stderr, " symbol");
     if (flags & TYPE_FLAG_LAZYARGS)
         fprintf(stderr, " lazyargs");
 
@@ -1498,7 +1500,7 @@ HeapTypeSetKey::needsBarrier(CompilerConstraintList *constraints)
         return false;
     bool result = types->unknownObject()
                || types->getObjectCount() > 0
-               || types->hasAnyFlag(TYPE_FLAG_STRING);
+               || types->hasAnyFlag(TYPE_FLAG_STRING | TYPE_FLAG_SYMBOL);
     if (!result)
         freeze(constraints);
     return result;