diff --git a/js/src/ion/IonBuilder.cpp b/js/src/ion/IonBuilder.cpp
index 53c57bfdefe..94b6aa01161 100644
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -2885,7 +2885,7 @@ IonBuilder::jsop_call_inline(HandleFunction callee, uint32 argc, bool constructi
 }
 bool
-IonBuilder::makeInliningDecision(AutoObjectVector &targets)
+IonBuilder::makeInliningDecision(AutoObjectVector &targets, uint32 argc)
 {
 if (inliningDepth >= js_IonOptions.maxInlineDepth)
 return false;
@@ -2913,6 +2913,12 @@ IonBuilder::makeInliningDecision(AutoObjectVector &targets)
 JSScript *script = target->script();
 uint32_t calleeUses = script->getUseCount();
+
+ if (target->nargs < argc) {
+ IonSpew(IonSpew_Inlining, "Not inlining, overflow of arguments.");
+ return false;
+ }
+
 totalSize += script->length;
 if (totalSize > js_IonOptions.inlineMaxTotalBytecodeLength)
 return false;
@@ -3710,7 +3716,7 @@ IonBuilder::jsop_call(uint32 argc, bool constructing)
 }
 }
- if (numTargets > 0 && makeInliningDecision(targets))
+ if (numTargets > 0 && makeInliningDecision(targets, argc))
 return inlineScriptedCall(targets, argc, constructing, types, barrier);
 }
diff --git a/js/src/ion/IonBuilder.h b/js/src/ion/IonBuilder.h
index 16edf7fc179..f87f0f60104 100644
--- a/js/src/ion/IonBuilder.h
+++ b/js/src/ion/IonBuilder.h
@@ -399,7 +399,7 @@ class IonBuilder : public MIRGenerator
 Vector &retvalDefns);
 bool inlineScriptedCall(AutoObjectVector &targets, uint32 argc, bool constructing,
 types::StackTypeSet *types, types::StackTypeSet *barrier);
- bool makeInliningDecision(AutoObjectVector &targets);
+ bool makeInliningDecision(AutoObjectVector &targets, uint32 argc);
 MCall *makeCallHelper(HandleFunction target, uint32 argc, bool constructing);
 bool makeCallBarrier(HandleFunction target, uint32 argc, bool constructing,
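Review bot: The new `target->nargs < argc` bail-out in the second IonBuilder.cpp hunk (inside makeInliningDecision) has no comment saying why a call passing more actuals than the callee declares must not be inlined, and the visible diff adds no regression test that exercises it. Because this appears to be the only guard between an over-supplied call and the inlined-frame construction, I would state the invariant at the check, for example `// Inlining assumes argc <= nargs; calls with surplus actuals must take the non-inlined path.` (exact wording to be confirmed against inlineScriptedCall, which is outside this hunk). It would also help to restate it where the inlined frame is actually built, e.g. `JS_ASSERT(argc <= target->nargs);`, so that a later caller reaching that code without going through makeInliningDecision fails in debug builds instead of silently mis-sizing the frame. The function body starts and ends outside the hunk, so whether the check sits inside the per-target loop is inferred from the use of `target` and `totalSize`.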