Bug 1264948 - IonBuilder::inlineArray, check for OOMs when creating array elements without resume points. r=h4writer
☠☠ backed out by 57aca488acc1 ☠ ☠
author Nicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Wed, 15 Jun 2016 16:27:18 +0000
changeset 301897 831077a22f587ba1c45e44336ee9aa00d5c51d89
parent 301896 46d50a87b3b53c7ef6b8dc07ad692c34f990005f
child 301898 87f37f6cde598e58168536e9907c00f035cc375c
push id 78493
push user npierron@mozilla.com
push date Wed, 15 Jun 2016 16:28:34 +0000
reviewers h4writer
bugs 1264948
milestone 50.0a1
js/src/jit/MCallOptimize.cpp
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -521,16 +521,18 @@ IonBuilder::inlineArray(CallInfo& callIn
 
     if (!jsop_newarray(templateObject, initLength))
         return InliningStatus_Error;
 
     MDefinition* array = current->peek(-1);
     if (callInfo.argc() >= 2) {
         JSValueType unboxedType = GetBoxedOrUnboxedType(templateObject);
         for (uint32_t i = 0; i < initLength; i++) {
+            if (!alloc().ensureBallast())
+                return InliningStatus_Error;
             MDefinition* value = callInfo.getArg(i);
             if (!initializeArrayElement(array, i, value, unboxedType, /* addResumePoint = */ false))
                 return InliningStatus_Error;
         }
 
         MInstruction* setLength = setInitializedLength(array, unboxedType, initLength);
         if (!resumeAfter(setLength))
             return InliningStatus_Error;
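Review bot: the `alloc().ensureBallast()` check added at the top of the `for` loop has no comment explaining why it must run on every iteration. The commit message gives the reason (the elements are created without resume points, which matches the `/* addResumePoint = */ false` argument two lines below), so a one-line comment above the check would keep that rationale next to the code. The patch as shown also carries no test for the new `InliningStatus_Error` return; consider adding one that reaches this loop (`callInfo.argc() >= 2`) under a simulated allocation failure.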