Bug 1493903 - Don't inline push with more than 1 argument. r=tcampbell
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 25 Sep 2018 12:33:42 +0200
changeset 494701 65e444ed5c8cb00d4940f955ed7b7f8403434806
parent 494700 33454859eab6fbeff45442d9e7e12fbe815f6da1
child 494702 a653a439a39b5513169c2bf31353c49b57922a81
push id9984
push userffxbld-merge
push dateMon, 15 Oct 2018 21:07:35 +0000
treeherdermozilla-beta@183d27ea8570 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstcampbell
bugs1493903
milestone64.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1493903 - Don't inline push with more than 1 argument. r=tcampbell
js/src/jit/MCallOptimize.cpp
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -812,16 +812,22 @@ IonBuilder::InliningResult
 IonBuilder::inlineArrayPush(CallInfo& callInfo)
 {
     const uint32_t inlineArgsLimit = 10;
     if (callInfo.argc() < 1 || callInfo.argc() > inlineArgsLimit || callInfo.constructing()) {
         trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
         return InliningStatus_NotInlined;
     }
 
+    // XXX bug 1493903.
+    if (callInfo.argc() != 1) {
+        trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
+        return InliningStatus_NotInlined;
+    }
+
     MDefinition* obj = convertUnboxedObjects(callInfo.thisArg());
     for (uint32_t i = 0; i < callInfo.argc(); i++) {
         MDefinition* value = callInfo.getArg(i);
         if (PropertyWriteNeedsTypeBarrier(alloc(), constraints(), current,
                                           &obj, nullptr, &value, /* canModify = */ false))
         {
             trackOptimizationOutcome(TrackedOutcome::NeedsTypeBarrier);
             return InliningStatus_NotInlined;