From 4ae98f0d6ed50ae40bda83bcc9feb3258f68b290 Mon Sep 17 00:00:00 2001
From: Jan de Mooij
Date: Sat, 29 Dec 2012 22:02:43 +0100
Subject: [PATCH] Bug 824863 - Fix regalloc bug in JM ionCompileHelper. r=bhackett
---
 js/src/jit-test/tests/ion/bug824863.js | 53 ++++++++++++++++++++++++++
 js/src/methodjit/Compiler.cpp | 7 +++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/ion/bug824863.js
diff --git a/js/src/jit-test/tests/ion/bug824863.js b/js/src/jit-test/tests/ion/bug824863.js
new file mode 100644
index 00000000000..32627b9c6e8
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug824863.js
@@ -0,0 +1,53 @@
+Module = {};
+var Runtime = {
+ alignMemory: function alignMemory(size, quantum) {
+ return Math.ceil((size) / (quantum ? quantum : 4)) * (quantum ? quantum : 4);
+ },
+}
+function assert(condition, text) {
+ throw text;
+}
+STACK_ROOT = STACKTOP = Runtime.alignMemory(1);
+function _main() {
+ var __stackBase__ = STACKTOP;
+ var label;
+ label = 2;
+ while (1) {
+ switch (label) {
+ case 2:
+ var $f = __stackBase__;
+ var $1 = __stackBase__ + 12;
+ var $2 = __stackBase__ + 24;
+ var $3 = $f | 0;
+ var $4 = $f + 4 | 0;
+ var $5 = $f + 8 | 0;
+ var $_0 = $1 | 0;
+ var $_1 = $1 + 4 | 0;
+ var $_2 = $1 + 8 | 0;
+ var $j_012 = 0;
+ label = 4;
+ break;
+ case 4:
+ assertEq($_2, 24);
+ if (($j_012 | 0) != 110) {
+ var $j_012 = $j_012 + 1;
+ break;
+ }
+ var $23 = $i_014 + 1 | 0;
+ if (($23 | 0) != 110) {
+ var $i_014 = $23;
+ var $j_012 = 0;
+ label = 4;
+ break;
+ }
+ default:
+ assert(0, "bad label: " + label);
+ }
+ }
+}
+try {
+ _main(0, [], 0);
+ assertEq(0, 1);
+} catch(e) {
+ assertEq(e, "bad label: 4");
+}
diff --git a/js/src/methodjit/Compiler.cpp b/js/src/methodjit/Compiler.cpp
index 9304ea74ed2..a166f18d3ec 100644
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -4025,6 +4025,12 @@ mjit::Compiler::ionCompileHelper()
 void *ionScriptAddress = &script_->ion;
+#ifdef JS_CPU_X64
+ // Allocate a temp register. Note that we have to do this before calling
+ // syncExitAndJump below.
+ RegisterID reg = frame.allocReg();
+#endif
+
 InternalCompileTrigger trigger;
 trigger.pc = PC;
 trigger.stubLabel = stubcc.syncExitAndJump(Uses(0));
@@ -4052,7 +4058,6 @@ mjit::Compiler::ionCompileHelper()
 Imm32(0));
 #elif defined(JS_CPU_X64)
 /* Handle processors that can't load from absolute addresses. */
- RegisterID reg = frame.allocReg();
 masm.move(ImmPtr(useCountAddress), reg);
 trigger.inlineJump = masm.branch32(Assembler::GreaterThanOrEqual,
 Address(reg),
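Review bot: The comment on the hoisted `frame.allocReg()` in the first hunk says the allocation must precede `syncExitAndJump` but not why, and that ordering constraint is the whole fix. Presumably `allocReg()` can evict a live register, so doing it after the sync leaves the stub path with a frame state that no longer matches the inline path; if so, say it, e.g. `// allocReg() may evict a live register; it must run before syncExitAndJump so the stub path sees the same frame state.` The allocation is guarded by `#ifdef JS_CPU_X64` while its only visible use is under `#elif defined(JS_CPU_X64)` in the second hunk, so a short cross-reference in the comment would help keep the two guards in step. `ionCompileHelper` continues outside both hunks, so whether `reg` is released on every path cannot be checked from here.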