Bug 1897150: Initialize thisValue on every comparator call r=jandem

I also considered setting this in ArraySortData::setComparatorArgs, but this matches the change we made for the descriptor. The only data for the comparator call that is still constant is the comparator itself. I think that's still fine, so long as we trace it during a GC, which we do. Differential Revision: https://phabricator.services.mozilla.com/D210749
2024-05-20 12:09:59 +00:00 · 2024-05-20 12:09:59 +00:00 · df9a2fef47
commit df9a2fef47
parent d4e1eb0d58
3 changed files with 24 additions and 0 deletions
--- a/js/src/jit-test/tests/arrays/bug1897150-1.js
+++ b/js/src/jit-test/tests/arrays/bug1897150-1.js
@ -0,0 +1,9 @@
+var arr = [1,2,3,4]
+var global = 1;
+
+var comparator = function(a, b) {
+  assertEq(this.global, 1);
+  return b - a;
+}
+
+arr.sort(comparator);
--- a/js/src/jit-test/tests/arrays/bug1897150-2.js
+++ b/js/src/jit-test/tests/arrays/bug1897150-2.js
@ -0,0 +1,9 @@
+var typedArr = Uint8Array.from([1,2,3,4])
+var global = 1;
+
+var comparator = function(a, b) {
+  assertEq(this.global, 1);
+  return b - a;
+}
+
+typedArr.sort(comparator);
--- a/js/src/jit/TrampolineNatives.cpp
+++ b/js/src/jit/TrampolineNatives.cpp
@ -88,6 +88,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm,
      -int32_t(FrameSize) + ArraySortData::offsetOfComparatorReturnValue();
  constexpr int32_t DescriptorOffset =
      -int32_t(FrameSize) + ArraySortData::offsetOfDescriptor();
+  constexpr int32_t ComparatorThisOffset =
+      -int32_t(FrameSize) + ArraySortData::offsetOfComparatorThis();

 #ifdef JS_USE_LINK_REGISTER
  masm.pushReturnAddress();
@ -157,6 +159,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm,
  Label callDone, jitCallFast, jitCallSlow;
  masm.bind(&jitCallFast);
  {
+    masm.storeValue(UndefinedValue(),
+                    Address(FramePointer, ComparatorThisOffset));
    masm.storePtr(ImmWord(jitCallDescriptor),
                  Address(FramePointer, DescriptorOffset));
    masm.loadPtr(Address(FramePointer, ComparatorOffset), temp0);
@ -166,6 +170,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm,
  }
  masm.bind(&jitCallSlow);
  {
+    masm.storeValue(UndefinedValue(),
+                    Address(FramePointer, ComparatorThisOffset));
    masm.storePtr(ImmWord(jitCallDescriptor),
                  Address(FramePointer, DescriptorOffset));
    masm.loadPtr(Address(FramePointer, ComparatorOffset), temp0);