Bug 1303710 - Don't Ion-compile scripts with too many typesets. r=bhackett, a=sylvestre
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 04 Oct 2016 12:07:30 +0200
changeset 348505 dacddb224d32cd5f979fa4b53e702c7dc69be46c
parent 348504 568a9ce78d2f816af262945b40b888a0e6d98951
child 348506 b0d514b7bf0cb2ce484ce0cbd1524670c0d8975f
push id6459
push userjandemooij@gmail.com
push dateWed, 05 Oct 2016 15:07:36 +0000
reviewersbhackett, sylvestre
bugs1303710
milestone50.0
Bug 1303710 - Don't Ion-compile scripts with too many typesets. r=bhackett, a=sylvestre
js/src/jit/Ion.cpp
js/src/jit/IonBuilder.cpp
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -2362,16 +2362,23 @@ CheckScript(JSContext* cx, JSScript* scr
         // Support functions with a non-syntactic global scope but not other
         // scripts. For global scripts, IonBuilder currently uses the global
         // object as scope chain, this is not valid when the script has a
         // non-syntactic global scope.
         TrackAndSpewIonAbort(cx, script, "has non-syntactic global scope");
         return false;
     }
 
+    if (script->nTypeSets() >= UINT16_MAX) {
+        // In this case multiple bytecode ops can share a single observed
+        // TypeSet (see bug 1303710).
+        TrackAndSpewIonAbort(cx, script, "too many typesets");
+        return false;
+    }
+
     return true;
 }
 
 static MethodStatus
 CheckScriptSize(JSContext* cx, JSScript* script)
 {
     if (!JitOptions.limitScriptSize)
         return Method_Compiled;
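Review bot: The comment on the new `script->nTypeSets() >= UINT16_MAX` check in CheckScript states the symptom but not the invariant being protected or why the bound is UINT16_MAX. A reader cannot tell from it that (presumably) Ion relies on each type-monitored op having its own observed TypeSet; a wording such as `// Ion assumes one observed TypeSet per op; at the UINT16_MAX cap ops share one, so don't compile (bug 1303710).` would make that explicit, if that matches the bug. The same literal bound is repeated in the IonBuilder constructor assertion, so a small named predicate or constant shared by both sites would keep the two from drifting apart. CheckScript's body begins outside this hunk.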
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -164,16 +164,17 @@ IonBuilder::IonBuilder(JSContext* analys
 {
     script_ = info->script();
     scriptHasIonScript_ = script_->hasIonScript();
     pc = info->startPC();
     abortReason_ = AbortReason_Disable;
 
     MOZ_ASSERT(script()->hasBaselineScript() == (info->analysisMode() != Analysis_ArgumentsUsage));
     MOZ_ASSERT(!!analysisContext == (info->analysisMode() == Analysis_DefiniteProperties));
+    MOZ_ASSERT(script_->nTypeSets() < UINT16_MAX);
 
     if (!info->isAnalysis())
         script()->baselineScript()->setIonCompiledOrInlined();
 }
 
 void
 IonBuilder::clearForBackEnd()
 {
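Review bot: The added `MOZ_ASSERT(script_->nTypeSets() < UINT16_MAX);` in the IonBuilder constructor is compiled out of release builds, so there the only guard is that every construction path has already passed CheckScript. The two assertions just above it show the constructor also serves the Analysis_ArgumentsUsage and Analysis_DefiniteProperties modes. Whether those callers go through CheckScript is not visible in this diff and should be confirmed. If one of them does not, an explicit bail-out in that caller, or `MOZ_RELEASE_ASSERT(script_->nTypeSets() < UINT16_MAX);` here, would keep the invariant enforced outside debug builds. The constructor's signature and initializer list start outside the hunk.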