Bug 1303710 - Don't Ion-compile scripts with too many typesets. r=bhackett

2016-10-04 12:07:30 +02:00
parent a86f24ce08
commit 3f52f9d79d
2 changed files with 8 additions and 0 deletions
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -2361,6 +2361,13 @@ CheckScript(JSContext* cx, JSScript* script, bool osr)
        return false;
    }

+    if (script->nTypeSets() >= UINT16_MAX) {
+        // In this case multiple bytecode ops can share a single observed
+        // TypeSet (see bug 1303710).
+        TrackAndSpewIonAbort(cx, script, "too many typesets");
+        return false;
+    }
+
    return true;
 }

--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -165,6 +165,7 @@ IonBuilder::IonBuilder(JSContext* analysisContext, CompileCompartment* comp,

    MOZ_ASSERT(script()->hasBaselineScript() == (info->analysisMode() != Analysis_ArgumentsUsage));
    MOZ_ASSERT(!!analysisContext == (info->analysisMode() == Analysis_DefiniteProperties));
+    MOZ_ASSERT(script_->nTypeSets() < UINT16_MAX);

    if (!info->isAnalysis())
        script()->baselineScript()->setIonCompiledOrInlined();