Bug 1493903 - Don't inline push with more than 1 argument. r=tcampbell a=dveditz
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 25 Sep 2018 12:33:42 +0200
changeset 481192 dc688e0c9702
parent 481191 d596c94e62cd
child 481193 dc99e844c2af
push id1804
push userjcristau@mozilla.com
push dateMon, 01 Oct 2018 10:38:02 +0000
treeherdermozilla-release@dc99e844c2af [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstcampbell, dveditz
bugs1493903
milestone62.0.3
Bug 1493903 - Don't inline push with more than 1 argument. r=tcampbell a=dveditz
js/src/jit/MCallOptimize.cpp
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -786,16 +786,22 @@ IonBuilder::InliningResult
 IonBuilder::inlineArrayPush(CallInfo& callInfo)
 {
     const uint32_t inlineArgsLimit = 10;
     if (callInfo.argc() < 1 || callInfo.argc() > inlineArgsLimit || callInfo.constructing()) {
         trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
         return InliningStatus_NotInlined;
     }
 
+    // XXX bug 1493903.
+    if (callInfo.argc() != 1) {
+        trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
+        return InliningStatus_NotInlined;
+    }
+
     MDefinition* obj = convertUnboxedObjects(callInfo.thisArg());
     for (uint32_t i = 0; i < callInfo.argc(); i++) {
         MDefinition* value = callInfo.getArg(i);
         if (PropertyWriteNeedsTypeBarrier(alloc(), constraints(), current,
                                           &obj, nullptr, &value, /* canModify = */ false))
         {
             trackOptimizationOutcome(TrackedOutcome::NeedsTypeBarrier);
             return InliningStatus_NotInlined;