Bug 1264948 - IonBuilder::init, reserve ballast space after freezing type sets. r=h4writer
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Mon, 20 Jun 2016 13:54:08 +0000
changeset 302088 42b04c4bae8f414001d848aa17cc0290938c3413
parent 302087 02d9acf640f594ae1d474747c2d7a6cb399e4258
child 302089 88336c73abae97f9f122e6ebd8db2e93797b29d3
reviewersh4writer
bugs1264948
milestone50.0a1
Bug 1264948 - IonBuilder::init, reserve ballast space after freezing type sets. r=h4writer
js/src/jit-test/tests/ion/bug1264948-1.js
js/src/jit/IonBuilder.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1264948-1.js
@@ -0,0 +1,9 @@
+// |jit-test| error: ReferenceError
+
+var N = 70 * 1000;
+var x = build("&&")();
+function build(operation) {
+    var a = [];
+    for (var i = 1; i != N - 1; ++i) a.push("f()");
+    return new Function(a.join(operation));
+}
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -761,17 +761,23 @@ IonBuilder::pushLoop(CFGState::State ini
     state.loop.initialStopAt = stopAt;
     state.loop.loopHead = loopHead;
     return cfgStack_.append(state);
 }
 
 bool
 IonBuilder::init()
 {
-    if (!TypeScript::FreezeTypeSets(constraints(), script(), &thisTypes, &argTypes, &typeArray))
+    {
+        LifoAlloc::AutoFallibleScope fallibleAllocator(alloc().lifoAlloc());
+        if (!TypeScript::FreezeTypeSets(constraints(), script(), &thisTypes, &argTypes, &typeArray))
+            return false;
+    }
+
+    if (!alloc().ensureBallast())
         return false;
 
     if (inlineCallInfo_) {
         // If we're inlining, the actual this/argument types are not necessarily
         // a subset of the script's observed types. |argTypes| is never accessed
         // for inlined scripts, so we just null it.
         thisTypes = inlineCallInfo_->thisArg()->resultTypeSet();
         argTypes = nullptr;
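Review bot: The new braced scope around FreezeTypeSets and the ensureBallast() call right after it encode an ordering that the code does not explain, and a later refactor that moves either line would silently reintroduce the crash the commit fixes. A comment on the opening brace such as `// FreezeTypeSets can allocate heavily from the LifoAlloc (see bug 1264948); let it fail rather than abort, then restore the ballast that the infallible allocations below rely on.` would pin the intent, and the second half of that should also sit on the ensureBallast() line. As far as this hunk shows, a ballast failure and a freeze failure both surface as a bare `return false`, so it is presumably up to the caller to treat that as an OOM abort rather than a compile-time bail — worth confirming that the caller does not retry or log it as a type-set problem. IonBuilder::init continues past the end of the hunk.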