From df9a2fef47e457352d98b919460d1a491f1c6297 Mon Sep 17 00:00:00 2001
From: Iain Ireland
Date: Mon, 20 May 2024 12:09:59 +0000
Subject: [PATCH] Bug 1897150: Initialize thisValue on every comparator call r=jandem

I also considered setting this in ArraySortData::setComparatorArgs, but this matches the change we made for the descriptor. The only data for the comparator call that is still constant is the comparator itself. I think that's still fine, so long as we trace it during a GC, which we do.

Differential Revision: https://phabricator.services.mozilla.com/D210749
---
 js/src/jit-test/tests/arrays/bug1897150-1.js | 9 +++++++++
 js/src/jit-test/tests/arrays/bug1897150-2.js | 9 +++++++++
 js/src/jit/TrampolineNatives.cpp | 6 ++++++
 3 files changed, 24 insertions(+)
 create mode 100644 js/src/jit-test/tests/arrays/bug1897150-1.js
 create mode 100644 js/src/jit-test/tests/arrays/bug1897150-2.js

diff --git a/js/src/jit-test/tests/arrays/bug1897150-1.js b/js/src/jit-test/tests/arrays/bug1897150-1.js
new file mode 100644
index 000000000000..d7a26fb41acc
--- /dev/null
+++ b/js/src/jit-test/tests/arrays/bug1897150-1.js
@@ -0,0 +1,9 @@
+var arr = [1,2,3,4]
+var global = 1;
+
+var comparator = function(a, b) {
+ assertEq(this.global, 1);
+ return b - a;
+}
+
+arr.sort(comparator);
diff --git a/js/src/jit-test/tests/arrays/bug1897150-2.js b/js/src/jit-test/tests/arrays/bug1897150-2.js
new file mode 100644
index 000000000000..53f78a8a4598
--- /dev/null
+++ b/js/src/jit-test/tests/arrays/bug1897150-2.js
@@ -0,0 +1,9 @@
+var typedArr = Uint8Array.from([1,2,3,4])
+var global = 1;
+
+var comparator = function(a, b) {
+ assertEq(this.global, 1);
+ return b - a;
+}
+
+typedArr.sort(comparator);
diff --git a/js/src/jit/TrampolineNatives.cpp b/js/src/jit/TrampolineNatives.cpp
index 80d0bf2f2e71..a0d7c979c107 100644
--- a/js/src/jit/TrampolineNatives.cpp
+++ b/js/src/jit/TrampolineNatives.cpp
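Review bot: The `assertEq(this.global, 1)` check in the comparator only works because the file runs in sloppy mode, where an undefined this-value is boxed to the global object; if someone later adds a `"use strict"` directive the assertion becomes a TypeError rather than a meaningful regression signal for the trampoline. A one-line comment at the top of the file would make the intent durable, e.g. `// Bug 1897150: the sort trampoline must reset |this| to undefined before every comparator call; in sloppy mode that boxes to the global, so this.global must be 1.` The same applies to bug1897150-2.js, which exercises the typed-array sort path with the identical comparator.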
@@ -88,6 +88,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm,
 -int32_t(FrameSize) + ArraySortData::offsetOfComparatorReturnValue();
 constexpr int32_t DescriptorOffset =
 -int32_t(FrameSize) + ArraySortData::offsetOfDescriptor();
+ constexpr int32_t ComparatorThisOffset =
+ -int32_t(FrameSize) + ArraySortData::offsetOfComparatorThis();
 #ifdef JS_USE_LINK_REGISTER
 masm.pushReturnAddress();
@@ -157,6 +159,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm,
 Label callDone, jitCallFast, jitCallSlow;
 masm.bind(&jitCallFast);
 {
+ masm.storeValue(UndefinedValue(),
+ Address(FramePointer, ComparatorThisOffset));
 masm.storePtr(ImmWord(jitCallDescriptor),
 Address(FramePointer, DescriptorOffset));
 masm.loadPtr(Address(FramePointer, ComparatorOffset), temp0);
@@ -166,6 +170,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm,
 }
 masm.bind(&jitCallSlow);
 {
+ masm.storeValue(UndefinedValue(),
+ Address(FramePointer, ComparatorThisOffset));
 masm.storePtr(ImmWord(jitCallDescriptor),
 Address(FramePointer, DescriptorOffset));
 masm.loadPtr(Address(FramePointer, ComparatorOffset), temp0);
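Review bot: The new `masm.storeValue(UndefinedValue(), Address(FramePointer, ComparatorThisOffset));` is written identically at the top of the jitCallFast and jitCallSlow blocks, right beside the already-duplicated descriptor store, so the per-call slot initialization now lives in two places that must be kept in sync by hand. If the fast/slow selection happens at a single branch point (it is outside these hunks, so I cannot confirm), emitting both stores once before that branch would leave one site to audit and would make it harder for a future call path to skip the this-value reset the way the pre-patch code did. If the two paths must stay separate, a short comment at the first store explaining the repetition would help, e.g. `// The frame slots are reused across comparator calls; reset |this| before every call so the callee never observes a stale Value.` generateArraySortTrampoline begins and ends outside these hunks.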