From 502cce6ef59413b06b60b97aac4086faee85e149 Mon Sep 17 00:00:00 2001
From: Dan Gohman
Date: Fri, 20 Jun 2014 05:53:12 -0700
Subject: [PATCH] Bug 1027866 - SpiderMonkey: Assert that an element isn't inserted into a InlineList twice. r=jandem
---
 js/src/jit/InlineList.h | 20 +++++++++++++++++++-
 js/src/jit/MIR.h | 8 ++++----
 2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/js/src/jit/InlineList.h b/js/src/jit/InlineList.h
index 86d38dbf9f8..1217583181c 100644
--- a/js/src/jit/InlineList.h
+++ b/js/src/jit/InlineList.h
@@ -86,11 +86,11 @@ class InlineForwardList : protected InlineForwardListNode
 insertAfter(this, t);
 }
 void pushBack(Node *t) {
+ JS_ASSERT(t->next == nullptr);
 #ifdef DEBUG
 modifyCount_++;
 #endif
 tail_->next = t;
- t->next = nullptr;
 tail_ = t;
 }
 T *popFront() {
@@ -104,6 +104,7 @@ class InlineForwardList : protected InlineForwardListNode
 return static_cast(tail_);
 }
 void insertAfter(Node *at, Node *item) {
+ JS_ASSERT(item->next == nullptr);
 #ifdef DEBUG
 modifyCount_++;
 #endif
@@ -120,6 +121,7 @@ class InlineForwardList : protected InlineForwardListNode
 tail_ = at;
 JS_ASSERT(at->next == item);
 at->next = item->next;
+ item->next = nullptr;
 }
 void splitAfter(Node *at, InlineForwardList *to) {
 JS_ASSERT(to->empty());
@@ -273,9 +275,15 @@ class InlineList : protected InlineListNode
 void pushFront(Node *t) {
 insertAfter(this, t);
 }
+ void pushFrontUnchecked(Node *t) {
+ insertAfterUnchecked(this, t);
+ }
 void pushBack(Node *t) {
 insertBefore(this, t);
 }
+ void pushBackUnchecked(Node *t) {
+ insertBeforeUnchecked(this, t);
+ }
 T *popFront() {
 JS_ASSERT(!empty());
 T *t = static_cast(this->next);
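Review bot: In InlineForwardList::pushBack (first InlineList.h hunk) the new `JS_ASSERT(t->next == nullptr)` cannot see the one node that is linked yet has a null `next`, the current tail, and with `t->next = nullptr;` removed a second pushBack of that node now leaves `tail_->next` pointing at itself. Adding `JS_ASSERT(t != tail_);` beside it closes that gap, and the same holds for insertAfter in the next hunk (`JS_ASSERT(item != tail_);`), whose body continues outside the hunk. JS_ASSERT is a debug-build check, so keeping the `t->next = nullptr;` store after the link would also keep the list terminated in builds where the assertion is compiled out.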
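Review bot: pushFrontUnchecked and pushBackUnchecked (fourth InlineList.h hunk) are added without a comment saying what "unchecked" means or when a caller may use them; the same applies to insertBeforeUnchecked/insertAfterUnchecked in the following InlineList.h hunk and to MDefinition::addUseUnchecked in MIR.h. From the visible bodies they skip the null-link assertions and overwrite the item's `prev`/`next` without reading them, which looks intended for nodes whose link fields are not yet initialized, though that is inferred. A comment such as `// Skips the "not already linked" assertions; only for nodes whose prev/next are not yet initialized.` on each would keep new callers from reaching for the unchecked form by default.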
@@ -294,12 +302,22 @@ class InlineList : protected InlineListNode
 return *iter;
 }
 void insertBefore(Node *at, Node *item) {
+ JS_ASSERT(item->prev == nullptr);
+ JS_ASSERT(item->next == nullptr);
+ insertBeforeUnchecked(at, item);
+ }
+ void insertBeforeUnchecked(Node *at, Node *item) {
 item->next = at;
 item->prev = at->prev;
 at->prev->next = item;
 at->prev = item;
 }
 void insertAfter(Node *at, Node *item) {
+ JS_ASSERT(item->prev == nullptr);
+ JS_ASSERT(item->next == nullptr);
+ insertAfterUnchecked(at, item);
+ }
+ void insertAfterUnchecked(Node *at, Node *item) {
 item->next = at->next;
 item->prev = at;
 static_cast(at->next)->prev = item;
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index 7dc2ca421a9..d9e4993e163 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -635,11 +635,11 @@ class MDefinition : public MNode
 }
 void addUse(MUse *use) {
- // The use can't be in the list at all, but we only check the first
- // element for now, as that's where it's most likely to be.
- MOZ_ASSERT(uses_.empty() || use != *uses_.begin());
 uses_.pushFront(use);
 }
+ void addUseUnchecked(MUse *use) {
+ uses_.pushFrontUnchecked(use);
+ }
 void replaceAllUsesWith(MDefinition *dom);
 // Mark this instruction as having replaced all uses of ins, as during GVN,
@@ -10536,7 +10536,7 @@ void MUse::initUnchecked(MDefinition *producer, MNode *consumer)
 MOZ_ASSERT(consumer, "Initializing to null consumer");
 consumer_ = consumer;
 producer_ = producer;
- producer_->addUse(this);
+ producer_->addUseUnchecked(this);
 }
 void MUse::initUncheckedWithoutProducer(MNode *consumer)
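Review bot: addUseUnchecked in the first MIR.h hunk drops every duplicate-insertion check, including the first-element test that the removed `MOZ_ASSERT(uses_.empty() || use != *uses_.begin());` gave MUse::initUnchecked (last hunk) through addUse before this change. That assertion reads only the list, not the use's own link fields, so it could stay in addUseUnchecked ahead of `uses_.pushFrontUnchecked(use);` without depending on how the use was initialized. The MDefinition class body continues outside the hunk.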