authorMatt A. Tobin <email@mattatobin.com>2021-01-11 09:31:44 -0500
committerMatt A. Tobin <email@mattatobin.com>2021-01-11 09:31:44 -0500
commit7023db88ca13046fda9204b018d8f48f10e44ec4 (patch)
treea7d0c92b4cab5e0b741f192f960467d1d2f0db5c /js/src
parentc0db767c25b8ebfc9d8d4cb4d07084243e56da8e (diff)
Issue #1624 - Fix slot access intrinsics for objects with > 16 reserved slots
Also flips ion inlining pref back on
Diffstat (limited to 'js/src')
-rw-r--r--js/src/jit/MCallOptimize.cpp8
1 files changed, 8 insertions, 0 deletions
diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp
index 0033e40b9c..182fa2fd5a 100644
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -2618,6 +2618,10 @@ IonBuilder::inlineUnsafeSetReservedSlot(CallInfo& callInfo)
return InliningStatus_NotInlined;
uint32_t slot = uint32_t(arg->toConstant()->toInt32());
+ // Don't inline if it's not a fixed slot.
+ if (slot >= NativeObject::MAX_FIXED_SLOTS)
+ return InliningStatus_NotInlined;
+
callInfo.setImplicitlyUsedUnchecked();
MStoreFixedSlot* store =
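Review bot: The new guard at `if (slot >= NativeObject::MAX_FIXED_SLOTS)` is the right bail-out, but the comment above it says only that the slot "is not a fixed slot" and leaves out why that matters: the MStoreFixedSlot built on the next lines (and the MLoadFixedSlot in the second hunk, which adds the identical check) addresses fixed-slot storage only, so a constant slot index at or beyond that bound would have been compiled into an access outside the object's fixed slots. I would make the comment carry that rationale so the next reader does not treat it as a mere optimisation choice: `// MStoreFixedSlot addresses fixed-slot storage only. A reserved slot at index >= MAX_FIXED_SLOTS is not stored there, so inlining would access the wrong memory; leave it to the non-inlined intrinsic.` Note also that the check compares against the global maximum rather than the receiver's actual fixed-slot count, which appears to rely on reserved slots below that bound always being allocated as fixed slots; if that invariant is documented elsewhere, a one-line reference to it here would help. The same comment applies to the second hunk in inlineUnsafeGetReservedSlot; both enclosing functions begin and end outside their hunks.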
@@ -2649,6 +2653,10 @@ IonBuilder::inlineUnsafeGetReservedSlot(CallInfo& callInfo, MIRType knownValueTy
return InliningStatus_NotInlined;
uint32_t slot = uint32_t(arg->toConstant()->toInt32());
+ // Don't inline if it's not a fixed slot.
+ if (slot >= NativeObject::MAX_FIXED_SLOTS)
+ return InliningStatus_NotInlined;
+
callInfo.setImplicitlyUsedUnchecked();
MLoadFixedSlot* load = MLoadFixedSlot::New(alloc(), callInfo.getArg(0), slot);