From 88c9f11bcc62f3af924013c9730ecc3bdeb01b34 Mon Sep 17 00:00:00 2001
From: Brian Hackett
Date: Mon, 17 Dec 2012 15:10:12 -0700
Subject: [PATCH] Bug 821788 - Prevent elimination of phis and resume point operands for operands of inline calls, r=jandem.
---
 js/src/ion/IonBuilder.cpp | 6 +++++-
 js/src/jit-test/tests/ion/bug821788.js | 13 +++++++++++++
 js/src/jit-test/tests/ion/bug821794.js | 10 ++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/ion/bug821788.js
 create mode 100644 js/src/jit-test/tests/ion/bug821794.js
diff --git a/js/src/ion/IonBuilder.cpp b/js/src/ion/IonBuilder.cpp
index 10993965f6d..162d6630965 100644
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -3098,9 +3098,12 @@ IonBuilder::jsop_call_inline(HandleFunction callee, uint32_t argc, bool construc
 {
 AssertCanGC();
 
+ int calleePos = -((int) argc + 2);
+ current->peek(calleePos)->setFoldedUnchecked();
+
 // Rewrite the stack position containing the function with the constant
 // function definition, before we take the inlineResumePoint
- current->rewriteAtDepth(-((int) argc + 2), constFun);
+ current->rewriteAtDepth(calleePos, constFun);
 
 // This resume point collects outer variables only. It is used to recover
 // the stack state before the current bytecode.
@@ -3506,6 +3509,7 @@ IonBuilder::inlineScriptedCall(AutoObjectVector &targets, uint32_t argc, bool co
 MPassArg *passArg = top->peek(argSlotDepth)->toPassArg();
 MBasicBlock *block = passArg->block();
 MDefinition *wrapped = passArg->getArgument();
+ wrapped->setFoldedUnchecked();
 passArg->replaceAllUsesWith(wrapped);
 top->rewriteAtDepth(argSlotDepth, wrapped);
 block->discard(passArg);
diff --git a/js/src/jit-test/tests/ion/bug821788.js b/js/src/jit-test/tests/ion/bug821788.js
new file mode 100644
index 00000000000..520b7919c28
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug821788.js
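Review bot: The two lines added at the top of jsop_call_inline carry no comment saying why the callee definition is flagged, and the existing "Rewrite the stack position" comment below them covers only the rewrite. The order is load-bearing: `current->peek(calleePos)` has to run before `current->rewriteAtDepth(calleePos, constFun)`, because afterwards that slot presumably holds `constFun` and the original definition can no longer be reached through the stack. I would add above the peek something like `// Flag the original callee before its slot is overwritten, so it is not eliminated while a resume point may still need it.` (wording inferred from the commit subject; confirm against the flag's definition). The same gap applies to `wrapped->setFoldedUnchecked();` in the inlineScriptedCall hunk, where a one-line note on why the unchecked setter is used rather than the checked one would help. Both function bodies continue outside their hunks.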
@@ -0,0 +1,13 @@
+
+var appendToActual = function(s) {
+ actual += s + ',';
+}
+gczeal(2,(3));
+actual = '';
+function loop(f) {}
+function f(j, k) {
+ var g = function(a, b, c) {}
+ for (k = 0; k < 5; ++k)
+ appendToActual(loop(g));
+}
+f(1);
diff --git a/js/src/jit-test/tests/ion/bug821794.js b/js/src/jit-test/tests/ion/bug821794.js
new file mode 100644
index 00000000000..9bde3f31c48
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug821794.js
@@ -0,0 +1,10 @@
+
+gczeal(2);
+function bitsinbyte() {
+ var [ summary ] = true;
+}
+function TimeFunc(func) {
+ for(var y=0; y<11000; y++)
+ func();
+}
+TimeFunc(bitsinbyte);
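Review bot: Nothing in bug821788.js checks a result: `actual` is built up by `appendToActual` but never compared with an expected string, so the file can only fail by crashing or tripping an assertion. That is acceptable for a GC-safety regression test, but it should say so in a first-line comment such as `// Bug 821788: must not crash or assert under gczeal(2, 3) while the calls in f's loop are compiled.` (the exact trigger is inferred from the commit subject). Because the whole check depends on `gczeal(2,(3));`, the test presumably passes vacuously in any build where gczeal has no effect, which the comment should also record.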
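Review bot: This file is named for bug 821794, but the commit subject mentions only bug 821788, so the history does not show how the second test relates to the fix. A first-line comment such as `// Bug 821794: must not crash under gczeal(2) when bitsinbyte is called from the loop in TimeFunc.` (wording to be confirmed against that bug), or a second bug number in the commit message, would record the link. The body also relies on `var [ summary ] = true;` completing without an exception. If destructuring a boolean ever throws, the loop in `TimeFunc` stops on the first call and the test no longer reaches the compiled path it is meant to cover.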