Bug 1502090 - Fix bailout tracking with fun.call. r=nbp
authorTed Campbell <tcampbell@mozilla.com>
Thu, 25 Oct 2018 19:50:02 +0000
changeset 443053 1c4bf766a99a657e2f88183afbef240e9e8e38ac
parent 443052 13372afaba779afec99af4e3dd6b0609f460c627
child 443054 0a7215b615603dc8eebcf7bac65ff4afbdad5713
push id109289
push userccoroiu@mozilla.com
push dateFri, 26 Oct 2018 04:51:46 +0000
reviewersnbp
bugs1502090
milestone65.0a1
Bug 1502090 - Fix bailout tracking with fun.call. r=nbp NOTE: Multi-arg array.push is still disabled in Ion. Differential Revision: https://phabricator.services.mozilla.com/D9803
js/src/jit-test/tests/ion/bug1502090.js
js/src/jit/IonBuilder.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1502090.js
@@ -0,0 +1,13 @@
+function f(o) {
+   var a = [o];
+   a.length = a[0];
+   var useless = function() {}
+   var sz = Array.prototype.push.call(a, 42, 43);
+   (function(){
+       sz;
+   })(new Boolean(false));
+}
+for (var i = 0; i < 2; i++) {
+   f(1);
+}
+f(2);
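Review bot: The new regression test has no comment tying it to the scenario it exercises, so a reader of the file cannot tell which of its lines matter (the `Array.prototype.push.call(a, 42, 43)` with two arguments, the inner IIFE, and the third `f(2)` call after the warm-up loop). A one-line header such as `// Bug 1502090: multi-arg Array.prototype.push via fun.call must not corrupt bailout tracking.` would make the intent explicit; the `useless` function and the `new Boolean(false)` argument look like part of the minimized reproducer and could be labelled as such. Since the commit message says multi-arg push is still disabled in Ion, the comment could also state that the test is expected to pass without Ion inlining the push.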
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -5351,32 +5351,38 @@ IonBuilder::jsop_funcall(uint32_t argc)
         return makeCall(native, callInfo);
     }
     current->peek(calleeDepth)->setImplicitlyUsedUnchecked();
 
     // Extract call target.
     TemporaryTypeSet* funTypes = current->peek(funcDepth)->resultTypeSet();
     JSFunction* target = getSingleCallTarget(funTypes);
 
+    CallInfo callInfo(alloc(), pc, /* constructing = */ false,
+                      /* ignoresReturnValue = */ BytecodeIsPopped(pc));
+
+    // Save prior call stack in case we need to resolve during bailout
+    // recovery of inner inlined function. This includes the JSFunction and the
+    // 'call' native function.
+    MOZ_TRY(callInfo.savePriorCallStack(this, current, argc + 2));
+
     // Shimmy the slots down to remove the native 'call' function.
     current->shimmySlots(funcDepth - 1);
 
     bool zeroArguments = (argc == 0);
 
     // If no |this| argument was provided, explicitly pass Undefined.
     // Pushing is safe here, since one stack slot has been removed.
     if (zeroArguments) {
         pushConstant(UndefinedValue());
     } else {
         // |this| becomes implicit in the call.
         argc -= 1;
     }
 
-    CallInfo callInfo(alloc(), pc, /* constructing = */ false,
-                      /* ignoresReturnValue = */ BytecodeIsPopped(pc));
     if (!callInfo.init(current, argc)) {
         return abort(AbortReason::Alloc);
     }
 
     // Try to inline the call.
     if (!zeroArguments) {
         InliningDecision decision = makeInliningDecision(target, callInfo);
         switch (decision) {
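Review bot: The `savePriorCallStack(this, current, argc + 2)` call added before `shimmySlots(funcDepth - 1)` depends on statement order in a way the comment does not record: it must run before the shimmy removes the 'call' native slot and before the later `argc -= 1`, since `argc + 2` is counted against the un-shimmied stack. Appending to the new comment something like `// Must happen before shimmySlots() and the argc adjustment below: the` / `// count argc + 2 refers to the stack before the 'call' slot is removed.` would keep the next refactor from moving it. A smaller point of style: the new code uses `MOZ_TRY` while the neighbouring `callInfo.init` failure still goes through `abort(AbortReason::Alloc)`; if `savePriorCallStack` can only fail on allocation, the two error paths presumably end up equivalent, but that is worth confirming against its declaration, which is outside this hunk. jsop_funcall begins before and continues past the hunk.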