Bug 950764 - Restrict compilation from Baseline based on the number of formal arguments. r=djvj
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Thu, 21 Aug 2014 11:48:19 +0200
changeset 215207 63a2984957abb6553a32e77d98727b857b49ffba
parent 215086 548e9d7175ec3c34e8b5369721c711494dff51df
child 215208 dfddabf968de6f29c36090154563540650e8acc9
push idunknown
push userunknown
push dateunknown
reviewersdjvj
bugs950764
milestone34.0a1
Bug 950764 - Restrict compilation from Baseline based on the number of formal arguments. r=djvj
js/src/jit-test/tests/ion/bug950764.js
js/src/jit/Ion.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug950764.js
@@ -0,0 +1,19 @@
+function g(
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a, a,
+a, a, a, a, a, a, a, a, a
+) {}
+function f() {
+    g();
+}
+new f;
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -1990,19 +1990,26 @@ IonCompile(JSContext *cx, JSScript *scri
 
 static bool
 CheckFrame(BaselineFrame *frame)
 {
     JS_ASSERT(!frame->isGeneratorFrame());
     JS_ASSERT(!frame->isDebuggerFrame());
 
     // This check is to not overrun the stack.
-    if (frame->isFunctionFrame() && TooManyArguments(frame->numActualArgs())) {
-        IonSpew(IonSpew_Abort, "too many actual args");
-        return false;
+    if (frame->isFunctionFrame()) {
+        if (TooManyArguments(frame->numActualArgs())) {
+            IonSpew(IonSpew_Abort, "too many actual args");
+            return false;
+        }
+
+        if (TooManyArguments(frame->numFormalArgs())) {
+            IonSpew(IonSpew_Abort, "too many args");
+            return false;
+        }
     }
 
     return true;
 }
 
 static bool
 CheckScript(JSContext *cx, JSScript *script, bool osr)
 {