diff options
Diffstat (limited to 'js/src')
| -rw-r--r-- | js/src/jit/MCallOptimize.cpp | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp index 0033e40b9..182fa2fd5 100644 --- a/js/src/jit/MCallOptimize.cpp +++ b/js/src/jit/MCallOptimize.cpp @@ -2618,6 +2618,10 @@ IonBuilder::inlineUnsafeSetReservedSlot(CallInfo& callInfo) return InliningStatus_NotInlined; uint32_t slot = uint32_t(arg->toConstant()->toInt32()); + // Don't inline if it's not a fixed slot. + if (slot >= NativeObject::MAX_FIXED_SLOTS) + return InliningStatus_NotInlined; + callInfo.setImplicitlyUsedUnchecked(); MStoreFixedSlot* store = @@ -2649,6 +2653,10 @@ IonBuilder::inlineUnsafeGetReservedSlot(CallInfo& callInfo, MIRType knownValueTy return InliningStatus_NotInlined; uint32_t slot = uint32_t(arg->toConstant()->toInt32()); + // Don't inline if it's not a fixed slot. + if (slot >= NativeObject::MAX_FIXED_SLOTS) + return InliningStatus_NotInlined; + callInfo.setImplicitlyUsedUnchecked(); MLoadFixedSlot* load = MLoadFixedSlot::New(alloc(), callInfo.getArg(0), slot); |