Bug 1354275 - Fix handling of Array() throwing in Ion
MozReview-Commit-ID: 4bwSYSmvLUV
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1354275.js
@@ -0,0 +1,16 @@
+// --ion-eager --ion-offthread-compile=off
+
+function f(t) {
+ for (var i = 0; i < 2; i++) {
+ try {
+ var x = 1;
+ Array(1);
+ x = 2;
+ Array(t);
+ } catch (e) {
+ assertEq(x, 2);
+ }
+ }
+}
+
+f(-1);
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -512,16 +512,20 @@ IonBuilder::inlineArray(CallInfo& callIn
if (!arg->isConstant()) {
callInfo.setImplicitlyUsedUnchecked();
MNewArrayDynamicLength* ins =
MNewArrayDynamicLength::New(alloc(), constraints(), templateObject,
templateObject->group()->initialHeap(constraints()),
arg);
current->add(ins);
current->push(ins);
+
+ // This may throw, so we need a resume point.
+ MOZ_TRY(resumeAfter(ins));
+
return InliningStatus_Inlined;
}
// The next several checks all may fail due to range conditions.
trackOptimizationOutcome(TrackedOutcome::ArrayRange);
// Negative lengths generate a RangeError, unhandled by the inline path.
initLength = arg->toConstant()->toInt32();