Bug 906241 - Trigger post barriers for writes to tenured call objects; r=bhackett

js/src/jit-test/tests/gc/bug-906241.js

@@ -0,0 +1,8 @@
+for (let y in []);
+(function f(x) {
+    Float64Array(ArrayBuffer());
+    {
+        f(x)
+        function t() {}
+    }
+})();

js/src/jit/VMFunctions.cpp

@@ -458,7 +458,17 @@ JSObject *
 NewCallObject(JSContext *cx, HandleScript script,
               HandleShape shape, HandleTypeObject type, HeapSlot *slots)
 {
-    return CallObject::create(cx, script, shape, type, slots);
+    JSObject *obj = CallObject::create(cx, script, shape, type, slots);
+
+#ifdef JSGC_GENERATIONAL
+    // The JIT creates call objects in the nursery, so elides barriers for
+    // the initializing writes. The interpreter, however, may have allocated
+    // the call object tenured, so barrier as needed before re-entering.
+    if (!IsInsideNursery(cx->runtime(), obj))
+        cx->runtime()->gcStoreBuffer.putWholeCell(obj);
+#endif
+
+    return obj;
 }
 
 JSObject *