Bug 1054047 - Determine the correct range from MArgumentLength. r=sunfish
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Thu, 21 Aug 2014 11:48:19 +0200
changeset 200755 dfddabf968de6f29c36090154563540650e8acc9
parent 200754 63a2984957abb6553a32e77d98727b857b49ffba
child 200756 0bd4d6c736e178d516215d960fc59d5805960b16
push id47997
push usernpierron@mozilla.com
push dateThu, 21 Aug 2014 09:48:33 +0000
treeherdermozilla-inbound@0bd4d6c736e1 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssunfish
bugs1054047
milestone34.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1054047 - Determine the correct range from MArgumentLength. r=sunfish
js/src/jit-test/tests/ion/bug1054047.js
js/src/jit/RangeAnalysis.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1054047.js
@@ -0,0 +1,12 @@
+
+function f() {}
+function g() {
+    f.apply(this, arguments);
+}
+
+var arr = [];
+for (var j = 0; j < 128 /* 127 */; j++)
+    arr.push(0);
+
+for (var j = 0; j < 10000; j++)
+    g.apply(null, arr);
--- a/js/src/jit/RangeAnalysis.cpp
+++ b/js/src/jit/RangeAnalysis.cpp
@@ -1515,21 +1515,21 @@ MStringLength::computeRange(TempAllocato
     static_assert(JSString::MAX_LENGTH <= UINT32_MAX,
                   "NewUInt32Range requires a uint32 value");
     setRange(Range::NewUInt32Range(alloc, 0, JSString::MAX_LENGTH));
 }
 
 void
 MArgumentsLength::computeRange(TempAllocator &alloc)
 {
-    // This is is a conservative upper bound on what |TooManyArguments| checks.
-    // If exceeded, Ion will not be entered in the first place.
-    static_assert(SNAPSHOT_MAX_NARGS <= UINT32_MAX,
-                  "NewUInt32Range requires a uint32 value");
-    setRange(Range::NewUInt32Range(alloc, 0, SNAPSHOT_MAX_NARGS));
+    // This is is a conservative upper bound on what |TooManyActualArguments|
+    // checks.  If exceeded, Ion will not be entered in the first place.
+    MOZ_ASSERT(js_JitOptions.maxStackArgs <= UINT32_MAX,
+               "NewUInt32Range requires a uint32 value");
+    setRange(Range::NewUInt32Range(alloc, 0, js_JitOptions.maxStackArgs));
 }
 
 void
 MBoundsCheck::computeRange(TempAllocator &alloc)
 {
     // Just transfer the incoming index range to the output. The length() is
     // also interesting, but it is handled as a bailout check, and we're
     // computing a pre-bailout range here.