-rw-r--r--js/src/jit/MCallOptimize.cpp8
-rw-r--r--modules/libpref/init/all.js2
2 files changed, 9 insertions, 1 deletions
diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp
index 0033e40b9..182fa2fd5 100644
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -2618,6 +2618,10 @@ IonBuilder::inlineUnsafeSetReservedSlot(CallInfo& callInfo)
return InliningStatus_NotInlined;
uint32_t slot = uint32_t(arg->toConstant()->toInt32());
+ // Don't inline if it's not a fixed slot.
+ if (slot >= NativeObject::MAX_FIXED_SLOTS)
+ return InliningStatus_NotInlined;
+
callInfo.setImplicitlyUsedUnchecked();
MStoreFixedSlot* store =
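Review bot: The comment on the new `slot >= NativeObject::MAX_FIXED_SLOTS` guard says what is rejected but not why, and the same applies to the identical guard added in inlineUnsafeGetReservedSlot: `MStoreFixedSlot` and `MLoadFixedSlot` are built straight from the constant index, so an index outside the fixed range would presumably address memory past the object's inline slots. I would spell that out, e.g. `// MStoreFixedSlot addresses inline storage only; slots >= MAX_FIXED_SLOTS live in the dynamic slots array, so leave those to the non-inlined call.` The comparison is against the global maximum rather than this object's own fixed-slot count, so it appears to rely on reserved slots below MAX_FIXED_SLOTS always being allocated inline; that invariant is not visible here and deserves a mention in the comment or an assertion. The comment could also record that a negative constant wraps in the `uint32_t(...)` cast and is rejected by the same compare. Both function bodies start and end outside their hunks, so any earlier checks on the argument are not visible.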
@@ -2649,6 +2653,10 @@ IonBuilder::inlineUnsafeGetReservedSlot(CallInfo& callInfo, MIRType knownValueTy
return InliningStatus_NotInlined;
uint32_t slot = uint32_t(arg->toConstant()->toInt32());
+ // Don't inline if it's not a fixed slot.
+ if (slot >= NativeObject::MAX_FIXED_SLOTS)
+ return InliningStatus_NotInlined;
+
callInfo.setImplicitlyUsedUnchecked();
MLoadFixedSlot* load = MLoadFixedSlot::New(alloc(), callInfo.getArg(0), slot);
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index b6af98863..513d94a5e 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1272,7 +1272,7 @@ pref("javascript.options.strict.debug", false);
pref("javascript.options.unboxed_objects", false);
pref("javascript.options.baselinejit", true);
pref("javascript.options.ion", true);
-pref("javascript.options.ion.inlining", false);
+pref("javascript.options.ion.inlining", true);
pref("javascript.options.asmjs", true);
pref("javascript.options.wasm", true);
// wasm jit crashes in 32bit builds because of 64bit casts so
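Review bot: The flip of `javascript.options.ion.inlining` to `true` leaves no record of why inlining had been disabled or what makes it safe to enable now. A one-line comment above the pref, such as `// Re-enabled now that the reserved-slot inliners bail out on non-fixed slots (see MCallOptimize.cpp).`, would keep the link to the guards added in this commit. The pref name suggests it governs Ion inlining as a whole, so if it was turned off for reasons beyond the two reserved-slot paths, those paths are enabled again as well; this cannot be judged from the hunk. Landing the guard and the default change as separate commits would also make a later revert of either one cleaner.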