Bug 1264948 - IonBuilder::inlineArray, check for OOMs when creating array elements without resume points. r=h4writer
author Nicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Mon, 20 Jun 2016 13:54:08 +0000
changeset 302091 a7a5f51c271b800af05b967554a7152d7ba230fc
parent 302090 8b1a20de30f9694f851178a4caeed8c56d3f3903
child 302092 ab5f00905c50354585c89bb18d16d3c4749a3a61
push id 78584
push user npierron@mozilla.com
push date Mon, 20 Jun 2016 13:54:38 +0000
treeherder mozilla-inbound@ab5f00905c50
reviewers h4writer
bugs 1264948
milestone 50.0a1
js/src/jit/MCallOptimize.cpp
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -521,16 +521,18 @@ IonBuilder::inlineArray(CallInfo& callIn
 
     if (!jsop_newarray(templateObject, initLength))
         return InliningStatus_Error;
 
     MDefinition* array = current->peek(-1);
     if (callInfo.argc() >= 2) {
         JSValueType unboxedType = GetBoxedOrUnboxedType(templateObject);
         for (uint32_t i = 0; i < initLength; i++) {
+            if (!alloc().ensureBallast())
+                return InliningStatus_Error;
             MDefinition* value = callInfo.getArg(i);
             if (!initializeArrayElement(array, i, value, unboxedType, /* addResumePoint = */ false))
                 return InliningStatus_Error;
         }
 
         MInstruction* setLength = setInitializedLength(array, unboxedType, initLength);
         if (!resumeAfter(setLength))
             return InliningStatus_Error;
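Review bot: The new `alloc().ensureBallast()` check at the top of the `for` loop carries no comment, so the reason it sits there is recorded only in the commit message (elements are created with `/* addResumePoint = */ false`). A one-line comment above the check would keep a later cleanup from treating it as redundant or hoisting it out of the loop, where it would run once instead of once per `initializeArrayElement` call while the iteration count is still driven by `initLength`. The failure path returns `InliningStatus_Error` like the neighbouring checks, which is consistent. The change as shown touches only `MCallOptimize.cpp`; a regression test exercising the OOM path for an inlined `Array(...)` call with many arguments would be worth adding alongside it.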