Bug 1287416 - Ensure we have enough ballast space in IonBuilder::inlineConstantStringSplitString. r=h4writer
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Wed, 20 Jul 2016 09:56:49 +0000
changeset 330886 81d489064842a69044201690a18e315458698f53
parent 330885 759e68fea5478cc79c69504359e6a0a0b6e2ec0c
child 330887 6cf0a45011d47ae9d8b10612fbb2b254af8d8e32
push id9858
push userjlund@mozilla.com
push dateMon, 01 Aug 2016 14:37:10 +0000
reviewersh4writer
bugs1287416
milestone50.0a1
Bug 1287416 - Ensure we have enough ballast space in IonBuilder::inlineConstantStringSplitString. r=h4writer
js/src/jit-test/tests/ion/bug1287416.js
js/src/jit/MCallOptimize.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1287416.js
@@ -0,0 +1,3 @@
+for (var i = 0; i < 1; i++) {
+    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx".split("x");
+};
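Review bot: The trailing `;` on the last added line is an empty statement after the `for` block and can be dropped, leaving just `}`. A one-line comment saying what the test pins would also help a later reader, e.g. `// Bug 1287416: inlining a constant split that yields many elements must not exhaust the MIR allocator ballast.` — the string length is presumably chosen to produce enough elements to hit that case, which the test itself does not state.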
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -1487,21 +1487,24 @@ IonBuilder::inlineConstantStringSplitStr
     }
 
     JSValueType unboxedType = GetBoxedOrUnboxedType(templateObject);
 
     // Store all values, no need to initialize the length after each as
     // jsop_initelem_array is doing because we do not expect to bailout
     // because the memory is supposed to be allocated by now.
     for (uint32_t i = 0; i < initLength; i++) {
-       MConstant* value = arrayValues[i];
-       current->add(value);
-
-       if (!initializeArrayElement(array, i, value, unboxedType, /* addResumePoint = */ false))
-           return InliningStatus_Error;
+        if (!alloc().ensureBallast())
+            return InliningStatus_Error;
+
+        MConstant* value = arrayValues[i];
+        current->add(value);
+
+        if (!initializeArrayElement(array, i, value, unboxedType, /* addResumePoint = */ false))
+            return InliningStatus_Error;
     }
 
     MInstruction* setLength = setInitializedLength(array, unboxedType, initLength);
     if (!resumeAfter(setLength))
         return InliningStatus_Error;
 
     return InliningStatus_Inlined;
 }
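Review bot: The loop now has a second failure path, but the comment above it (the `// Store all values ...` lines) still only explains why no resume point is added per element; the new `alloc().ensureBallast()` call deserves its own why-comment, e.g. `// initializeArrayElement emits MIR nodes through the infallible allocator, so top up the ballast before each element.` — presumably that is the allocation the bug hit, which the hunk itself does not show. Placing the check before `current->add(value)` looks right, since the constants in `arrayValues` were allocated earlier; whether a single `initializeArrayElement` call can need more than one ballast's worth of nodes cannot be judged from this hunk. inlineConstantStringSplitString begins outside the hunk.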