Bug 1303710 - Don't Ion-compile scripts with too many typesets. r=bhackett, a=sylvestre
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 04 Oct 2016 12:07:30 +0200
changeset 355956 e289e3f73f466c6366da6ce38411c4550d667989
parent 355955 43c724bde81cd7dbd154e8741da017b86c43cdbd
child 355957 8104e34db545f0bc1724d0302613e76b464c46a4
push id6570
push userraliiev@mozilla.com
push dateMon, 14 Nov 2016 12:26:13 +0000
treeherdermozilla-beta@f455459b2ae5 [default view] [failures only]
reviewersbhackett, sylvestre
bugs1303710
milestone51.0a2
Bug 1303710 - Don't Ion-compile scripts with too many typesets. r=bhackett, a=sylvestre
js/src/jit/Ion.cpp
js/src/jit/IonBuilder.cpp
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -2376,16 +2376,23 @@ CheckScript(JSContext* cx, JSScript* scr
         script->functionExtraBodyVarScope()->hasEnvironment())
     {
         // This restriction will be lifted when intra-function scope chains
         // are compilable by Ion. See bug 1273858.
         TrackAndSpewIonAbort(cx, script, "has extra var environment");
         return false;
     }
 
+    if (script->nTypeSets() >= UINT16_MAX) {
+        // In this case multiple bytecode ops can share a single observed
+        // TypeSet (see bug 1303710).
+        TrackAndSpewIonAbort(cx, script, "too many typesets");
+        return false;
+    }
+
     return true;
 }
 
 static MethodStatus
 CheckScriptSize(JSContext* cx, JSScript* script)
 {
     if (!JitOptions.limitScriptSize)
         return Method_Compiled;
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -160,16 +160,17 @@ IonBuilder::IonBuilder(JSContext* analys
 {
     script_ = info->script();
     scriptHasIonScript_ = script_->hasIonScript();
     pc = info->startPC();
     abortReason_ = AbortReason_Disable;
 
     MOZ_ASSERT(script()->hasBaselineScript() == (info->analysisMode() != Analysis_ArgumentsUsage));
     MOZ_ASSERT(!!analysisContext == (info->analysisMode() == Analysis_DefiniteProperties));
+    MOZ_ASSERT(script_->nTypeSets() < UINT16_MAX);
 
     if (!info->isAnalysis())
         script()->baselineScript()->setIonCompiledOrInlined();
 }
 
 void
 IonBuilder::clearForBackEnd()
 {
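Review bot: The new `MOZ_ASSERT(script_->nTypeSets() < UINT16_MAX);` in the IonBuilder constructor is compiled out of release builds, so outside debug builds the invariant rests entirely on every caller having gone through CheckScript first. The surrounding assertions show this constructor also serves the Analysis_ArgumentsUsage and Analysis_DefiniteProperties modes, and the hunk does not show whether those paths, or scripts built for inlining, pass through that check. If any of them can bypass it, either enforce the invariant in release with `MOZ_RELEASE_ASSERT(script_->nTypeSets() < UINT16_MAX);` or add the same bail-out on those paths. At minimum, a comment here should name CheckScript as the place that guarantees the condition. The constructor's signature and initializer list are above the hunk.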