Bug 1238815 - Limit baseline script size on ARM. r?jandem
ARM branch instructions have a limited range of 32 MB, and our ARM
macroassembler doesn't mitigate that except by crashing when a branch goes out
of range.
Limit the size of scripts that baseline will attempt to compile on ARM so that
we are much less likely to hit the hard crash.
MozReview-Commit-ID: E4JOt9fEB2
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/baseline/bug1238815.js
@@ -0,0 +1,13 @@
+// This program crashes the ARM code generator because the machine code is
+// longer than the 32MB range of ARM branch instructions.
+//
+// Baseline should not attempt to compile the script.
+
+i = 1;
+function test(s) eval("line0 = Error.lineNumber\ndebugger\n" + s);
+function repeat(s) {
+ return Array(65 << 13).join(s)
+}
+long_expr = repeat(" + i")
+long_throw_stmt = long_expr;
+test(long_throw_stmt);
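Review bot: The repeat count `65 << 13` on the `repeat` line is unexplained, and nothing in the file ties it to the new limit, so a reader cannot tell whether the generated script is comfortably above MAX_JSSCRIPT_LENGTH or only just; a comment such as `// Array(65 << 13).join(s) yields 532479 " + i" terms, which should exceed the ARM MAX_JSSCRIPT_LENGTH of 1000000 (presumably a bytecode-length limit) so Baseline must refuse the script` would document the intent. The test is crash-only: it passes whether Baseline declines the script or compiles it successfully, so the header comment should state that the only observable being checked is that the run does not crash. `long_throw_stmt` never throws and is merely an alias of `long_expr`; dropping it and calling `test(long_expr)` would read more honestly.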
--- a/js/src/jit/BaselineJIT.h
+++ b/js/src/jit/BaselineJIT.h
@@ -105,17 +105,25 @@ struct DependentWasmModuleImport
: module(module),
importIndex(importIndex)
{ }
};
struct BaselineScript
{
public:
+ // Largest script that the baseline compiler will attempt to compile.
+#if defined(JS_CODEGEN_ARM)
+ // ARM branches can only reach 32MB, and the macroassembler doesn't mitigate
+ // that limitation. Use a stricter limit on the acceptable script size to
+ // avoid crashing when branches go out of range.
+ static const uint32_t MAX_JSSCRIPT_LENGTH = 1000000u;
+#else
static const uint32_t MAX_JSSCRIPT_LENGTH = 0x0fffffffu;
+#endif
// Limit the locals on a given script so that stack check on baseline frames
// doesn't overflow a uint32_t value.
// (MAX_JSSCRIPT_SLOTS * sizeof(Value)) must fit within a uint32_t.
static const uint32_t MAX_JSSCRIPT_SLOTS = 0xffffu;
private:
// Code pointer containing the actual method.