Bug 1287416 - Ensure we have enough ballast space in IonBuilder::inlineConstantStringSplitString. r=h4writer

2016-07-20 09:56:49 +00:00 · 2016-07-20 09:56:49 +00:00 · 8eb3d73a81
--- a/js/src/jit-test/tests/ion/bug1287416.js
+++ b/js/src/jit-test/tests/ion/bug1287416.js
@ -0,0 +1,3 @@
+for (var i = 0; i < 1; i++) {
+    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx".split("x");
+};
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@ -1492,11 +1492,14 @@ IonBuilder::inlineConstantStringSplitString(CallInfo& callInfo)
    // jsop_initelem_array is doing because we do not expect to bailout
    // because the memory is supposed to be allocated by now.
    for (uint32_t i = 0; i < initLength; i++) {
-       MConstant* value = arrayValues[i];
-       current->add(value);
+        if (!alloc().ensureBallast())
+            return InliningStatus_Error;

-       if (!initializeArrayElement(array, i, value, unboxedType, /* addResumePoint = */ false))
-           return InliningStatus_Error;
+        MConstant* value = arrayValues[i];
+        current->add(value);
+
+        if (!initializeArrayElement(array, i, value, unboxedType, /* addResumePoint = */ false))
+            return InliningStatus_Error;
    }

    MInstruction* setLength = setInitializedLength(array, unboxedType, initLength);