Bug 1054047 - Determine the correct range from MArgumentLength. r=sunfish
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Thu, 21 Aug 2014 11:48:19 +0200
changeset 215208 dfddabf968de6f29c36090154563540650e8acc9
parent 215207 63a2984957abb6553a32e77d98727b857b49ffba
child 215209 0bd4d6c736e178d516215d960fc59d5805960b16
push idunknown
push userunknown
push dateunknown
reviewerssunfish
bugs1054047
milestone34.0a1
Bug 1054047 - Determine the correct range from MArgumentLength. r=sunfish
js/src/jit-test/tests/ion/bug1054047.js
js/src/jit/RangeAnalysis.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1054047.js
@@ -0,0 +1,12 @@
+
+function f() {}
+function g() {
+    f.apply(this, arguments);
+}
+
+var arr = [];
+for (var j = 0; j < 128 /* 127 */; j++)
+    arr.push(0);
+
+for (var j = 0; j < 10000; j++)
+    g.apply(null, arr);
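Review bot: The loop bound `128 /* 127 */` in the `arr.push` loop leaves the reader guessing which threshold this regression test is probing; presumably the two numbers straddle the old SNAPSHOT_MAX_NARGS bound that the RangeAnalysis.cpp change retires, but the file does not say so. A one-line comment such as `// Pass more arguments than the old SNAPSHOT_MAX_NARGS range bound so MArgumentsLength's range is exercised past it; see bug 1054047.` would make the test self-explanatory and let a future maintainer know what to re-tune if the limit moves again. The file also opens with a stray blank line that the other jit-tests do not need.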
--- a/js/src/jit/RangeAnalysis.cpp
+++ b/js/src/jit/RangeAnalysis.cpp
@@ -1515,21 +1515,21 @@ MStringLength::computeRange(TempAllocato
     static_assert(JSString::MAX_LENGTH <= UINT32_MAX,
                   "NewUInt32Range requires a uint32 value");
     setRange(Range::NewUInt32Range(alloc, 0, JSString::MAX_LENGTH));
 }
 
 void
 MArgumentsLength::computeRange(TempAllocator &alloc)
 {
-    // This is is a conservative upper bound on what |TooManyArguments| checks.
-    // If exceeded, Ion will not be entered in the first place.
-    static_assert(SNAPSHOT_MAX_NARGS <= UINT32_MAX,
-                  "NewUInt32Range requires a uint32 value");
-    setRange(Range::NewUInt32Range(alloc, 0, SNAPSHOT_MAX_NARGS));
+    // This is is a conservative upper bound on what |TooManyActualArguments|
+    // checks.  If exceeded, Ion will not be entered in the first place.
+    MOZ_ASSERT(js_JitOptions.maxStackArgs <= UINT32_MAX,
+               "NewUInt32Range requires a uint32 value");
+    setRange(Range::NewUInt32Range(alloc, 0, js_JitOptions.maxStackArgs));
 }
 
 void
 MBoundsCheck::computeRange(TempAllocator &alloc)
 {
     // Just transfer the incoming index range to the output. The length() is
     // also interesting, but it is handled as a bailout check, and we're
     // computing a pre-bailout range here.
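Review bot: The new guard `MOZ_ASSERT(js_JitOptions.maxStackArgs <= UINT32_MAX, ...)` runs only in debug builds, so unlike the `static_assert` it replaces it cannot stop a release build from handing `NewUInt32Range` a value that gets truncated — and a truncated, too-tight upper bound on `arguments.length` is a soundness problem for range analysis (later passes presumably trust this range when dropping or hoisting checks), not merely a missed optimization. If `maxStackArgs` is itself a `uint32_t` the comparison is a tautology that some compilers warn about; either way a compile-time check on the field's width preserves the original guarantee: `static_assert(sizeof(js_JitOptions.maxStackArgs) <= sizeof(uint32_t), "NewUInt32Range requires a uint32 value");`. The bound is now a mutable runtime option rather than a constant, so its validity as a "conservative upper bound" rests on `TooManyActualArguments` reading the same field and on the option not being changed after Ion code that assumes it has been compiled — worth stating in the comment, which also still carries the `This is is a` typo from the old side.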