From 22e2874bf6412144ab4b51b95327306ef9609b2c Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Thu, 30 May 2024 05:02:55 +0200
Subject: Merging upstream version 126.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 js/src/jit-test/tests/arrays/bug1897150-1.js | 9 +++++++++
 js/src/jit-test/tests/arrays/bug1897150-2.js | 9 +++++++++
 js/src/jit/TrampolineNatives.cpp             | 6 ++++++
 3 files changed, 24 insertions(+)
 create mode 100644 js/src/jit-test/tests/arrays/bug1897150-1.js
 create mode 100644 js/src/jit-test/tests/arrays/bug1897150-2.js

(limited to 'js/src')

diff --git a/js/src/jit-test/tests/arrays/bug1897150-1.js b/js/src/jit-test/tests/arrays/bug1897150-1.js
new file mode 100644
index 0000000000..d7a26fb41a
--- /dev/null
+++ b/js/src/jit-test/tests/arrays/bug1897150-1.js
@@ -0,0 +1,9 @@
+var arr = [1,2,3,4]
+var global = 1;
+
+var comparator = function(a, b) {
+  assertEq(this.global, 1);
+  return b - a;
+}
+
+arr.sort(comparator);
diff --git a/js/src/jit-test/tests/arrays/bug1897150-2.js b/js/src/jit-test/tests/arrays/bug1897150-2.js
new file mode 100644
index 0000000000..53f78a8a45
--- /dev/null
+++ b/js/src/jit-test/tests/arrays/bug1897150-2.js
@@ -0,0 +1,9 @@
+var typedArr = Uint8Array.from([1,2,3,4])
+var global = 1;
+
+var comparator = function(a, b) {
+  assertEq(this.global, 1);
+  return b - a;
+}
+
+typedArr.sort(comparator);
diff --git a/js/src/jit/TrampolineNatives.cpp b/js/src/jit/TrampolineNatives.cpp
index 0bde6d9985..e22023f8dd 100644
--- a/js/src/jit/TrampolineNatives.cpp
+++ b/js/src/jit/TrampolineNatives.cpp
@@ -86,6 +86,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm) {
       -int32_t(FrameSize) + ArraySortData::offsetOfComparatorReturnValue();
   constexpr int32_t DescriptorOffset =
       -int32_t(FrameSize) + ArraySortData::offsetOfDescriptor();
+  constexpr int32_t ComparatorThisOffset =
+      -int32_t(FrameSize) + ArraySortData::offsetOfComparatorThis();
 
 #ifdef JS_USE_LINK_REGISTER
   masm.pushReturnAddress();
@@ -146,6 +148,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm) {
   Label callDone, jitCallFast, jitCallSlow;
   masm.bind(&jitCallFast);
   {
+    masm.storeValue(UndefinedValue(),
+                    Address(FramePointer, ComparatorThisOffset));
     masm.storePtr(ImmWord(jitCallDescriptor),
                   Address(FramePointer, DescriptorOffset));
     masm.loadPtr(Address(FramePointer, ComparatorOffset), temp0);
@@ -155,6 +159,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm) {
   }
   masm.bind(&jitCallSlow);
   {
+    masm.storeValue(UndefinedValue(),
+                    Address(FramePointer, ComparatorThisOffset));
     masm.storePtr(ImmWord(jitCallDescriptor),
                   Address(FramePointer, DescriptorOffset));
     masm.loadPtr(Address(FramePointer, ComparatorOffset), temp0);
-- 
cgit v1.2.3