From 64de926d460164d41269812742a1376ba7bafda6 Mon Sep 17 00:00:00 2001
From: Jan de Mooij
Date: Tue, 25 Sep 2018 12:33:42 +0200
Subject: [PATCH] Bug 1493903 - Don't inline push with more than 1 argument. r=tcampbell
--HG--
extra : rebase_source : b193307614e2f56615e7b5fe5ca97c2f6638c29d
---
 js/src/jit/MCallOptimize.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp
index 33c585957e31..82c642c5ee81 100644
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -817,6 +817,12 @@ IonBuilder::inlineArrayPush(CallInfo& callInfo)
 return InliningStatus_NotInlined;
 }
 
+ // XXX bug 1493903.
+ if (callInfo.argc() != 1) {
+ trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
+ return InliningStatus_NotInlined;
+ }
+
 MDefinition* obj = convertUnboxedObjects(callInfo.thisArg());
 for (uint32_t i = 0; i < callInfo.argc(); i++) {
 MDefinition* value = callInfo.getArg(i);
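Review bot: The `// XXX bug 1493903.` comment above the new `callInfo.argc() != 1` guard does not say what the guard protects or when it may be lifted, and with it in place the `for (uint32_t i = 0; i < callInfo.argc(); i++)` loop that follows can only run once, so the multi-argument handling is left as unreachable code. I would spell that out in the comment, e.g. `// Only the single-argument form is inlined; the multi-argument path below stays disabled until bug 1493903 is resolved.` The condition also rejects `argc() == 0`, which the subject line ("more than 1 argument") does not mention; failing closed is the safe direction for an inlining decision, but whether the zero-argument case was already filtered earlier in inlineArrayPush is not visible here, because the function starts and ends outside the hunk. The diffstat lists a single changed file, so no regression test for the multi-argument call lands with this commit; one should be tracked as a follow-up so the guard is not removed later without coverage.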