Bug 1303710 - Don't Ion-compile scripts with too many typesets. r=bhackett
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 04 Oct 2016 12:07:30 +0200
changeset 316362 6cd845d2e110e2d928233ebd442c1e0d4fb679c3
parent 316361 f09bf13bb350da8cec1867a02129e437c291280e
child 316363 24953f3dbcb1854c065c2a64521b81672e95b0d1
push id82414
push userjandemooij@gmail.com
push dateTue, 04 Oct 2016 10:07:56 +0000
reviewersbhackett
bugs1303710
milestone52.0a1
Bug 1303710 - Don't Ion-compile scripts with too many typesets. r=bhackett
js/src/jit/Ion.cpp
js/src/jit/IonBuilder.cpp
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -2356,16 +2356,23 @@ CheckScript(JSContext* cx, JSScript* scr
         script->functionExtraBodyVarScope()->hasEnvironment())
     {
         // This restriction will be lifted when intra-function scope chains
         // are compilable by Ion. See bug 1273858.
         TrackAndSpewIonAbort(cx, script, "has extra var environment");
         return false;
     }
 
+    if (script->nTypeSets() >= UINT16_MAX) {
+        // In this case multiple bytecode ops can share a single observed
+        // TypeSet (see bug 1303710).
+        TrackAndSpewIonAbort(cx, script, "too many typesets");
+        return false;
+    }
+
     return true;
 }
 
 static MethodStatus
 CheckScriptSize(JSContext* cx, JSScript* script)
 {
     if (!JitOptions.limitScriptSize)
         return Method_Compiled;
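Review bot: The new comment on the `nTypeSets()` check states the mechanism (several ops sharing one observed TypeSet) but not why that is unsafe to compile, which is what a reader deciding whether this limit can be relaxed needs; I would extend it to `// With that many typesets several ops share one observed TypeSet, so Ion could specialize an op on type information that is not specific to that pc — a type-confusion hazard, hence refuse rather than deoptimize. See bug 1303710.` The "not specific to that pc" consequence is my reading of the shared-TypeSet statement and should be confirmed against the code that assigns typeset indices. The bound `UINT16_MAX` is also repeated verbatim in the IonBuilder assertion rather than derived from the width of whatever field stores the typeset index, so the two sites can silently diverge if that field ever changes; a named constant or a `static_assert` next to the index assignment would tie them together. CheckScript begins before this hunk and CheckScriptSize continues past its end.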
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -160,16 +160,17 @@ IonBuilder::IonBuilder(JSContext* analys
 {
     script_ = info->script();
     scriptHasIonScript_ = script_->hasIonScript();
     pc = info->startPC();
     abortReason_ = AbortReason_Disable;
 
     MOZ_ASSERT(script()->hasBaselineScript() == (info->analysisMode() != Analysis_ArgumentsUsage));
     MOZ_ASSERT(!!analysisContext == (info->analysisMode() == Analysis_DefiniteProperties));
+    MOZ_ASSERT(script_->nTypeSets() < UINT16_MAX);
 
     if (!info->isAnalysis())
         script()->baselineScript()->setIonCompiledOrInlined();
 }
 
 void
 IonBuilder::clearForBackEnd()
 {
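Review bot: The added `MOZ_ASSERT(script_->nTypeSets() < UINT16_MAX)` only holds if every IonBuilder is constructed for a script that went through CheckScript, which this hunk does not show; callee scripts picked up by inlining and the analysis-mode builders distinguished by the two preceding asserts are the paths I would verify. Because it is a debug-only assert, a release build that reaches this constructor with too many typesets compiles the script anyway, with exactly the shared-TypeSet hazard the Ion.cpp check exists to exclude; if those paths cannot be shown to route through CheckScript, a `MOZ_RELEASE_ASSERT` or an explicit abort in the builder would make the guarantee unconditional. A one-line comment stating the invariant would help regardless, e.g. `// CheckScript refuses scripts with >= UINT16_MAX typesets (bug 1303710).` The constructor starts before this hunk, and clearForBackEnd runs past its end.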