Bug 1149119 - Use Atoms in the template object hold by Baseline. r=jandem

js/src/jit/BaselineIC.cpp

@@ -10130,6 +10130,17 @@ TryAttachStringSplit(JSContext* cx, ICCall_Fallback* stub, HandleScript script,
     if (!CopyArray(cx, obj, &arr))
         return false;
 
+    // Atomize all elements of the array.
+    RootedArrayObject arrObj(cx, &arr.toObject().as<ArrayObject>());
+    uint32_t initLength = arrObj->length();
+    for (uint32_t i = 0; i < initLength; i++) {
+        JSAtom* str = js::AtomizeString(cx, arrObj->getDenseElement(i).toString());
+        if (!str)
+            return false;
+
+        arrObj->setDenseElement(i, StringValue(str));
+    }
+
     ICCall_StringSplit::Compiler compiler(cx, stub->fallbackMonitorStub()->firstMonitorStub(),
                                           script->pcToOffset(pc), thisString, argString,
                                           arr);

js/src/jit/MCallOptimize.cpp

@@ -1567,14 +1567,11 @@ IonBuilder::inlineConstantStringSplit(CallInfo& callInfo)
     if (templateObject->getDenseInitializedLength() != initLength)
         return InliningStatus_NotInlined;
 
-    JSContext* cx = GetJitContext()->cx;
     Vector<MConstant*, 0, SystemAllocPolicy> arrayValues;
     for (uint32_t i = 0; i < initLength; i++) {
-        JSAtom* str = js::AtomizeString(cx, templateObject->getDenseElement(i).toString());
-        if (!str)
-            return InliningStatus_Error;
-
-        MConstant* value = MConstant::New(alloc(), StringValue(str), constraints());
+        Value str = templateObject->getDenseElement(i);
+        MOZ_ASSERT(str.toString()->isAtom());
+        MConstant* value = MConstant::New(alloc(), str, constraints());
         if (!TypeSetIncludes(key.maybeTypes(), value->type(), value->resultTypeSet()))
             return InliningStatus_NotInlined;