Bug 1119081 - Fix Ion string concat stub to create non-fat inline strings if possible. r=bhackett
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -5381,24 +5381,41 @@ ConcatFatInlineString(MacroAssembler &ma
Label *failure, Label *failurePopTemps, bool isTwoByte)
{
// State: result length in temp2.
// Ensure both strings are linear.
masm.branchIfRope(lhs, failure);
masm.branchIfRope(rhs, failure);
- // Allocate a JSFatInlineString.
- masm.newGCFatInlineString(output, temp1, failure);
-
- // Store length and flags.
- uint32_t flags = JSString::INIT_FAT_INLINE_FLAGS;
- if (!isTwoByte)
- flags |= JSString::LATIN1_CHARS_BIT;
- masm.store32(Imm32(flags), Address(output, JSString::offsetOfFlags()));
+ // Allocate a JSInlineString or JSFatInlineString.
+ size_t maxLengthInline = isTwoByte
+ ? JSInlineString::MAX_LENGTH_TWO_BYTE
+ : JSInlineString::MAX_LENGTH_LATIN1;
+ Label isFat, allocDone;
+ masm.branch32(Assembler::Above, temp2, Imm32(maxLengthInline), &isFat);
+ {
+ uint32_t flags = JSString::INIT_INLINE_FLAGS;
+ if (!isTwoByte)
+ flags |= JSString::LATIN1_CHARS_BIT;
+ masm.newGCString(output, temp1, failure);
+ masm.store32(Imm32(flags), Address(output, JSString::offsetOfFlags()));
+ masm.jump(&allocDone);
+ }
+ masm.bind(&isFat);
+ {
+ uint32_t flags = JSString::INIT_FAT_INLINE_FLAGS;
+ if (!isTwoByte)
+ flags |= JSString::LATIN1_CHARS_BIT;
+ masm.newGCFatInlineString(output, temp1, failure);
+ masm.store32(Imm32(flags), Address(output, JSString::offsetOfFlags()));
+ }
+ masm.bind(&allocDone);
+
+ // Store length.
masm.store32(temp2, Address(output, JSString::offsetOfLength()));
// Load chars pointer in temp2.
masm.computeEffectiveAddress(Address(output, JSInlineString::offsetOfInlineStorage()), temp2);
{
// Copy lhs chars. Note that this advances temp2 to point to the next
// char. This also clobbers the lhs register.
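Review bot: The allocation size is now chosen by a runtime compare on temp2, yet the copy that follows writes temp2 characters into the inline storage of whichever cell was allocated, so the bound on temp2 is the only thing keeping the stub from writing past the cell. The hunk does not show where temp2 is checked against the fat-inline maximum (presumably the caller does this before reaching the stub), so I would state the precondition above the `branch32`, e.g. `// Precondition: temp2 <= JSFatInlineString::MAX_LENGTH_{LATIN1,TWO_BYTE} for this encoding, checked by the caller; Above is an unsigned compare.` Separately, `maxLengthInline` is a `size_t` passed to `Imm32`, which narrows implicitly; declaring it `int32_t` or adding an explicit cast would make the conversion visible. The function starts before and continues after this hunk, so the copy loops themselves are not reviewed here.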