Issue #1624 - Fix slot access intrinsics for objects with > 16 reserved slots

Also flips ion inlining pref back on
author: Matt A. Tobin <email@mattatobin.com> 2021-01-11 09:31:44 -0500
committer: Matt A. Tobin <email@mattatobin.com> 2021-01-11 09:31:44 -0500
commit: 7023db88ca13046fda9204b018d8f48f10e44ec4 (patch)
tree: a7d0c92b4cab5e0b741f192f960467d1d2f0db5c /js
parent: c0db767c25b8ebfc9d8d4cb4d07084243e56da8e (diff)
download: uxp-7023db88ca13046fda9204b018d8f48f10e44ec4.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp
index 0033e40b9c..182fa2fd5a 100644
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -2618,6 +2618,10 @@ IonBuilder::inlineUnsafeSetReservedSlot(CallInfo& callInfo)
         return InliningStatus_NotInlined;
     uint32_t slot = uint32_t(arg->toConstant()->toInt32());
 
+    // Don't inline if it's not a fixed slot.
+    if (slot >= NativeObject::MAX_FIXED_SLOTS)
+        return InliningStatus_NotInlined;
+
     callInfo.setImplicitlyUsedUnchecked();
 
     MStoreFixedSlot* store =
@@ -2649,6 +2653,10 @@ IonBuilder::inlineUnsafeGetReservedSlot(CallInfo& callInfo, MIRType knownValueTy
         return InliningStatus_NotInlined;
     uint32_t slot = uint32_t(arg->toConstant()->toInt32());
 
+    // Don't inline if it's not a fixed slot.
+    if (slot >= NativeObject::MAX_FIXED_SLOTS)
+        return InliningStatus_NotInlined;
+
     callInfo.setImplicitlyUsedUnchecked();
 
     MLoadFixedSlot* load = MLoadFixedSlot::New(alloc(), callInfo.getArg(0), slot);
author	Matt A. Tobin <email@mattatobin.com>	2021-01-11 09:31:44 -0500
committer	Matt A. Tobin <email@mattatobin.com>	2021-01-11 09:31:44 -0500
commit	7023db88ca13046fda9204b018d8f48f10e44ec4 (patch)
tree	a7d0c92b4cab5e0b741f192f960467d1d2f0db5c /js
parent	c0db767c25b8ebfc9d8d4cb4d07084243e56da8e (diff)
download	uxp-7023db88ca13046fda9204b018d8f48f10e44ec4.tar.gz