From 6da36b28baa1670bd713fc76cab12fe85c746a5c Mon Sep 17 00:00:00 2001
From: Jon Coppeard <jcoppeard@mozilla.com>
Date: Fri, 10 Jan 2014 15:34:25 +0000
Subject: [PATCH] Bug 945275 - Mark ThisV in rectifier frames r=jandem

---
 js/src/jit-test/tests/gc/bug-945275.js | 11 +++++++++++
 js/src/jit-test/tests/gc/bug-957114.js | 13 +++++++++++++
 js/src/jit/IonFrames.cpp               | 11 +++++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 js/src/jit-test/tests/gc/bug-945275.js
 create mode 100644 js/src/jit-test/tests/gc/bug-957114.js

diff --git a/js/src/jit-test/tests/gc/bug-945275.js b/js/src/jit-test/tests/gc/bug-945275.js
new file mode 100644
index 000000000000..42e63a55c777
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-945275.js
@@ -0,0 +1,11 @@
+function TestCase(n) {
+  this.name = undefined;
+  this.description = undefined;
+}
+gczeal(7,1);
+eval("\
+function reportCompare() new TestCase;\
+reportCompare();\
+Object.defineProperty(Object.prototype, 'name', {});\
+reportCompare();\
+");
diff --git a/js/src/jit-test/tests/gc/bug-957114.js b/js/src/jit-test/tests/gc/bug-957114.js
new file mode 100644
index 000000000000..f245786b96e5
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-957114.js
@@ -0,0 +1,13 @@
+gczeal(7,1);
+function TestCase(n) {
+  this.name = '';
+  this.description = '';
+  this.expect = '';
+  this.actual = '';
+  this.reason = '';
+  this.passed = '';
+}
+function test() new TestCase;
+test();
+Object.defineProperty(Object.prototype, "name", {});
+test();
diff --git a/js/src/jit/IonFrames.cpp b/js/src/jit/IonFrames.cpp
index 2186c8501e9e..ad6486094eef 100644
--- a/js/src/jit/IonFrames.cpp
+++ b/js/src/jit/IonFrames.cpp
@@ -1102,6 +1102,15 @@ MarkJitExitFrame(JSTracer *trc, const IonFrameIterator &frame)
     }
 }
 
+static void
+MarkRectifierFrame(JSTracer *trc, const IonFrameIterator &frame)
+{
+    // Mark thisv. Baseline JIT code generated as part of the ICCall_Fallback
+    // stub may read it if a constructor returns a primitive value.
+    IonRectifierFrameLayout *layout = (IonRectifierFrameLayout *)frame.fp();
+    gc::MarkValueRoot(trc, &layout->argv()[0], "ion-thisv");
+}
+
 static void
 MarkJitActivation(JSTracer *trc, const JitActivationIterator &activations)
 {
@@ -1132,6 +1141,8 @@ MarkJitActivation(JSTracer *trc, const JitActivationIterator &activations)
           case IonFrame_Unwound_OptimizedJS:
             MOZ_ASSUME_UNREACHABLE("invalid");
           case IonFrame_Rectifier:
+            MarkRectifierFrame(trc, frames);
+            break;
           case IonFrame_Unwound_Rectifier:
             break;
           case IonFrame_Osr: