Bug 1011474 - Don't trash CallTemp1 register in malloc/free stubs; r=mjrosenb

js/src/jit/CodeGenerator.cpp

@@ -5444,8 +5444,6 @@ JitRuntime::generateMallocStub(JSContext *cx)
 {
     const Register regReturn = CallTempReg0;
     const Register regNBytes = CallTempReg0;
-    const Register regRuntime = CallTempReg1;
-    const Register regTemp = CallTempReg1;
 
     MacroAssembler masm(cx);
 
@@ -5453,6 +5451,11 @@ JitRuntime::generateMallocStub(JSContext *cx)
     regs.takeUnchecked(regNBytes);
     masm.PushRegsInMask(regs);
 
+    const Register regTemp = regs.takeGeneral();
+    const Register regRuntime = regTemp;
+    regs.add(regTemp);
+    JS_ASSERT(regTemp != regNBytes);
+
     masm.setupUnalignedABICall(2, regTemp);
     masm.movePtr(ImmPtr(cx->runtime()), regRuntime);
     masm.passABIArg(regRuntime);
@@ -5478,7 +5481,6 @@ JitCode *
 JitRuntime::generateFreeStub(JSContext *cx)
 {
     const Register regSlots = CallTempReg0;
-    const Register regTemp = CallTempReg1;
 
     MacroAssembler masm(cx);
 
@@ -5486,6 +5488,10 @@ JitRuntime::generateFreeStub(JSContext *cx)
     regs.takeUnchecked(regSlots);
     masm.PushRegsInMask(regs);
 
+    const Register regTemp = regs.takeGeneral();
+    regs.add(regTemp);
+    JS_ASSERT(regTemp != regSlots);
+
     masm.setupUnalignedABICall(1, regTemp);
     masm.passABIArg(regSlots);
     masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, js_free));

js/src/jit/IonMacroAssembler.cpp

@@ -548,13 +548,6 @@ MacroAssembler::allocateObject(Register result, Register slots, gc::AllocKind al
 {
     JS_ASSERT(allocKind >= gc::FINALIZE_OBJECT0 && allocKind <= gc::FINALIZE_OBJECT_LAST);
 
-#ifdef JS_CODEGEN_ARM
-    // Bug 1011474: Always take the ool path when allocating malloc slots on
-    //              ARM to work around a top-crasher while we investigate.
-    if (nDynamicSlots)
-        return jump(fail);
-#endif
-
     checkAllocatorState(fail);
 
     if (shouldNurseryAllocate(allocKind, initialHeap))