The Tor Browser: js/src/jit/BaselineBailouts.cpp@129ffea94266 (annotated)

js/src/jit/BaselineBailouts.cpp@129ffea94266 (annotated)

js/src/jit/BaselineBailouts.cpp

Sat, 03 Jan 2015 20:18:00 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Sat, 03 Jan 2015 20:18:00 +0100
branch: TOR_BUG_3246
changeset 7: 129ffea94266
permissions: -rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
  * vim: set ts=8 sts=4 et sw=4 tw=99:
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "jsprf.h"
 #include "jit/arm/Simulator-arm.h"
 #include "jit/BaselineIC.h"
 #include "jit/BaselineJIT.h"
 #include "jit/CompileInfo.h"
 #include "jit/IonSpewer.h"
 #include "jit/Recover.h"
 #include "jit/RematerializedFrame.h"
 #include "vm/ArgumentsObject.h"
 #include "vm/Debugger.h"
 #include "vm/TraceLogging.h"
 #include "jsscriptinlines.h"
 #include "jit/IonFrames-inl.h"
 using namespace js;
 using namespace js::jit;
 // BaselineStackBuilder may reallocate its buffer if the current one is too
 // small. To avoid dangling pointers, BufferPointer represents a pointer into
 // this buffer as a pointer to the header and a fixed offset.
 template <typename T>
 class BufferPointer
 {
     BaselineBailoutInfo **header_;
     size_t offset_;
     bool heap_;
   public:
     BufferPointer(BaselineBailoutInfo **header, size_t offset, bool heap)
       : header_(header), offset_(offset), heap_(heap)
     { }
     T *get() const {
         BaselineBailoutInfo *header = *header_;
         if (!heap_)
             return (T*)(header->incomingStack + offset_);
         uint8_t *p = header->copyStackTop - offset_;
         JS_ASSERT(p >= header->copyStackBottom && p < header->copyStackTop);
         return (T*)p;
     }
     T &operator*() const { return *get(); }
     T *operator->() const { return get(); }
 };
 /**
  * BaselineStackBuilder helps abstract the process of rebuilding the C stack on the heap.
  * It takes a bailout iterator and keeps track of the point on the C stack from which
  * the reconstructed frames will be written.
  *
  * It exposes methods to write data into the heap memory storing the reconstructed
  * stack.  It also exposes method to easily calculate addresses.  This includes both the
  * virtual address that a particular value will be at when it's eventually copied onto
  * the stack, as well as the current actual address of that value (whether on the heap
  * allocated portion being constructed or the existing stack).
  *
  * The abstraction handles transparent re-allocation of the heap memory when it
  * needs to be enlarged to accomodate new data.  Similarly to the C stack, the
  * data that's written to the reconstructed stack grows from high to low in memory.
  *
  * The lowest region of the allocated memory contains a BaselineBailoutInfo structure that
  * points to the start and end of the written data.
  */
 struct BaselineStackBuilder
 {
     IonBailoutIterator &iter_;
     IonJSFrameLayout *frame_;
     static size_t HeaderSize() {
         return AlignBytes(sizeof(BaselineBailoutInfo), sizeof(void *));
     };
     size_t bufferTotal_;
     size_t bufferAvail_;
     size_t bufferUsed_;
     uint8_t *buffer_;
     BaselineBailoutInfo *header_;
     size_t framePushed_;
     BaselineStackBuilder(IonBailoutIterator &iter, size_t initialSize)
       : iter_(iter),
         frame_(static_cast<IonJSFrameLayout*>(iter.current())),
         bufferTotal_(initialSize),
         bufferAvail_(0),
         bufferUsed_(0),
         buffer_(nullptr),
         header_(nullptr),
         framePushed_(0)
     {
         JS_ASSERT(bufferTotal_ >= HeaderSize());
     }
     ~BaselineStackBuilder() {
         js_free(buffer_);
     }
     bool init() {
         JS_ASSERT(!buffer_);
         JS_ASSERT(bufferUsed_ == 0);
         buffer_ = reinterpret_cast<uint8_t *>(js_calloc(bufferTotal_));
         if (!buffer_)
             return false;
         bufferAvail_ = bufferTotal_ - HeaderSize();
         bufferUsed_ = 0;
         header_ = reinterpret_cast<BaselineBailoutInfo *>(buffer_);
         header_->incomingStack = reinterpret_cast<uint8_t *>(frame_);
         header_->copyStackTop = buffer_ + bufferTotal_;
         header_->copyStackBottom = header_->copyStackTop;
         header_->setR0 = 0;
         header_->valueR0 = UndefinedValue();
         header_->setR1 = 0;
         header_->valueR1 = UndefinedValue();
         header_->resumeFramePtr = nullptr;
         header_->resumeAddr = nullptr;
         header_->monitorStub = nullptr;
         header_->numFrames = 0;
         return true;
     }
     bool enlarge() {
         JS_ASSERT(buffer_ != nullptr);
         if (bufferTotal_ & mozilla::tl::MulOverflowMask<2>::value)
             return false;
         size_t newSize = bufferTotal_ * 2;
         uint8_t *newBuffer = reinterpret_cast<uint8_t *>(js_calloc(newSize));
         if (!newBuffer)
             return false;
         memcpy((newBuffer + newSize) - bufferUsed_, header_->copyStackBottom, bufferUsed_);
         memcpy(newBuffer, header_, sizeof(BaselineBailoutInfo));
         js_free(buffer_);
         buffer_ = newBuffer;
         bufferTotal_ = newSize;
         bufferAvail_ = newSize - (HeaderSize() + bufferUsed_);
         header_ = reinterpret_cast<BaselineBailoutInfo *>(buffer_);
         header_->copyStackTop = buffer_ + bufferTotal_;
         header_->copyStackBottom = header_->copyStackTop - bufferUsed_;
         return true;
     }
     BaselineBailoutInfo *info() {
         JS_ASSERT(header_ == reinterpret_cast<BaselineBailoutInfo *>(buffer_));
         return header_;
     }
     BaselineBailoutInfo *takeBuffer() {
         JS_ASSERT(header_ == reinterpret_cast<BaselineBailoutInfo *>(buffer_));
         buffer_ = nullptr;
         return header_;
     }
     void resetFramePushed() {
         framePushed_ = 0;
     }
     size_t framePushed() const {
         return framePushed_;
     }
     bool subtract(size_t size, const char *info = nullptr) {
         // enlarge the buffer if need be.
         while (size > bufferAvail_) {
             if (!enlarge())
                 return false;
         }
         // write out element.
         header_->copyStackBottom -= size;
         bufferAvail_ -= size;
         bufferUsed_ += size;
         framePushed_ += size;
         if (info) {
             IonSpew(IonSpew_BaselineBailouts,
                     "      SUB_%03d   %p/%p %-15s",
                     (int) size, header_->copyStackBottom, virtualPointerAtStackOffset(0), info);
         }
         return true;
     }
     template <typename T>
     bool write(const T &t) {
         if (!subtract(sizeof(T)))
             return false;
         memcpy(header_->copyStackBottom, &t, sizeof(T));
         return true;
     }
     template <typename T>
     bool writePtr(T *t, const char *info) {
         if (!write<T *>(t))
             return false;
         if (info)
             IonSpew(IonSpew_BaselineBailouts,
                     "      WRITE_PTR %p/%p %-15s %p",
                     header_->copyStackBottom, virtualPointerAtStackOffset(0), info, t);
         return true;
     }
     bool writeWord(size_t w, const char *info) {
         if (!write<size_t>(w))
             return false;
         if (info) {
             if (sizeof(size_t) == 4) {
                 IonSpew(IonSpew_BaselineBailouts,
                         "      WRITE_WRD %p/%p %-15s %08x",
                         header_->copyStackBottom, virtualPointerAtStackOffset(0), info, w);
             } else {
                 IonSpew(IonSpew_BaselineBailouts,
                         "      WRITE_WRD %p/%p %-15s %016llx",
                         header_->copyStackBottom, virtualPointerAtStackOffset(0), info, w);
             }
         }
         return true;
     }
     bool writeValue(Value val, const char *info) {
         if (!write<Value>(val))
             return false;
         if (info) {
             IonSpew(IonSpew_BaselineBailouts,
                     "      WRITE_VAL %p/%p %-15s %016llx",
                     header_->copyStackBottom, virtualPointerAtStackOffset(0), info,
                     *((uint64_t *) &val));
         }
         return true;
     }
     Value popValue() {
         JS_ASSERT(bufferUsed_ >= sizeof(Value));
         JS_ASSERT(framePushed_ >= sizeof(Value));
         bufferAvail_ += sizeof(Value);
         bufferUsed_ -= sizeof(Value);
         framePushed_ -= sizeof(Value);
         Value result = *((Value *) header_->copyStackBottom);
         header_->copyStackBottom += sizeof(Value);
         return result;
     }
     void popValueInto(PCMappingSlotInfo::SlotLocation loc) {
         JS_ASSERT(PCMappingSlotInfo::ValidSlotLocation(loc));
         switch(loc) {
           case PCMappingSlotInfo::SlotInR0:
             header_->setR0 = 1;
             header_->valueR0 = popValue();
             break;
           case PCMappingSlotInfo::SlotInR1:
             header_->setR1 = 1;
             header_->valueR1 = popValue();
             break;
           default:
             JS_ASSERT(loc == PCMappingSlotInfo::SlotIgnore);
             popValue();
             break;
         }
     }
     void setResumeFramePtr(void *resumeFramePtr) {
         header_->resumeFramePtr = resumeFramePtr;
     }
     void setResumeAddr(void *resumeAddr) {
         header_->resumeAddr = resumeAddr;
     }
     void setMonitorStub(ICStub *stub) {
         header_->monitorStub = stub;
     }
     template <typename T>
     BufferPointer<T> pointerAtStackOffset(size_t offset) {
         if (offset < bufferUsed_) {
             // Calculate offset from copyStackTop.
             offset = header_->copyStackTop - (header_->copyStackBottom + offset);
             return BufferPointer<T>(&header_, offset, /* heap = */ true);
         }
         return BufferPointer<T>(&header_, offset - bufferUsed_, /* heap = */ false);
     }
     BufferPointer<Value> valuePointerAtStackOffset(size_t offset) {
         return pointerAtStackOffset<Value>(offset);
     }
     inline uint8_t *virtualPointerAtStackOffset(size_t offset) {
         if (offset < bufferUsed_)
             return reinterpret_cast<uint8_t *>(frame_) - (bufferUsed_ - offset);
         return reinterpret_cast<uint8_t *>(frame_) + (offset - bufferUsed_);
     }
     inline IonJSFrameLayout *startFrame() {
         return frame_;
     }
     BufferPointer<IonJSFrameLayout> topFrameAddress() {
         return pointerAtStackOffset<IonJSFrameLayout>(0);
     }
     //
     // This method should only be called when the builder is in a state where it is
     // starting to construct the stack frame for the next callee.  This means that
     // the lowest value on the constructed stack is the return address for the previous
     // caller frame.
     //
     // This method is used to compute the value of the frame pointer (e.g. ebp on x86)
     // that would have been saved by the baseline jitcode when it was entered.  In some
     // cases, this value can be bogus since we can ensure that the caller would have saved
     // it anyway.
     //
     void *calculatePrevFramePtr() {
         // Get the incoming frame.
         BufferPointer<IonJSFrameLayout> topFrame = topFrameAddress();
         FrameType type = topFrame->prevType();
         // For IonJS and Entry frames, the "saved" frame pointer in the baseline
         // frame is meaningless, since Ion saves all registers before calling other ion
         // frames, and the entry frame saves all registers too.
         if (type == JitFrame_IonJS || type == JitFrame_Entry)
             return nullptr;
         // BaselineStub - Baseline calling into Ion.
         //  PrevFramePtr needs to point to the BaselineStubFrame's saved frame pointer.
         //      STACK_START_ADDR + IonJSFrameLayout::Size() + PREV_FRAME_SIZE
         //                      - IonBaselineStubFrameLayout::reverseOffsetOfSavedFramePtr()
         if (type == JitFrame_BaselineStub) {
             size_t offset = IonJSFrameLayout::Size() + topFrame->prevFrameLocalSize() +
                             IonBaselineStubFrameLayout::reverseOffsetOfSavedFramePtr();
             return virtualPointerAtStackOffset(offset);
         }
         JS_ASSERT(type == JitFrame_Rectifier);
         // Rectifier - behaviour depends on the frame preceding the rectifier frame, and
         // whether the arch is x86 or not.  The x86 rectifier frame saves the frame pointer,
         // so we can calculate it directly.  For other archs, the previous frame pointer
         // is stored on the stack in the frame that precedes the rectifier frame.
         size_t priorOffset = IonJSFrameLayout::Size() + topFrame->prevFrameLocalSize();
 #if defined(JS_CODEGEN_X86)
         // On X86, the FramePointer is pushed as the first value in the Rectifier frame.
         JS_ASSERT(BaselineFrameReg == FramePointer);
         priorOffset -= sizeof(void *);
         return virtualPointerAtStackOffset(priorOffset);
 #elif defined(JS_CODEGEN_X64) || defined(JS_CODEGEN_ARM) || defined(JS_CODEGEN_MIPS)
         // On X64, ARM and MIPS, the frame pointer save location depends on
         // the caller of the rectifier frame.
         BufferPointer<IonRectifierFrameLayout> priorFrame =
             pointerAtStackOffset<IonRectifierFrameLayout>(priorOffset);
         FrameType priorType = priorFrame->prevType();
         JS_ASSERT(priorType == JitFrame_IonJS || priorType == JitFrame_BaselineStub);
         // If the frame preceding the rectifier is an IonJS frame, then once again
         // the frame pointer does not matter.
         if (priorType == JitFrame_IonJS)
             return nullptr;
         // Otherwise, the frame preceding the rectifier is a BaselineStub frame.
         //  let X = STACK_START_ADDR + IonJSFrameLayout::Size() + PREV_FRAME_SIZE
         //      X + IonRectifierFrameLayout::Size()
         //        + ((IonRectifierFrameLayout *) X)->prevFrameLocalSize()
         //        - BaselineStubFrameLayout::reverseOffsetOfSavedFramePtr()
         size_t extraOffset = IonRectifierFrameLayout::Size() + priorFrame->prevFrameLocalSize() +
                              IonBaselineStubFrameLayout::reverseOffsetOfSavedFramePtr();
         return virtualPointerAtStackOffset(priorOffset + extraOffset);
 #else
 #  error "Bad architecture!"
 #endif
     }
 };
 static inline bool
 IsInlinableFallback(ICFallbackStub *icEntry)
 {
     return icEntry->isCall_Fallback() || icEntry->isGetProp_Fallback() ||
            icEntry->isSetProp_Fallback();
 }
 static inline void*
 GetStubReturnAddress(JSContext *cx, jsbytecode *pc)
 {
     if (IsGetPropPC(pc))
         return cx->compartment()->jitCompartment()->baselineGetPropReturnFromIonAddr();
     if (IsSetPropPC(pc))
         return cx->compartment()->jitCompartment()->baselineSetPropReturnFromIonAddr();
     // This should be a call op of some kind, now.
     JS_ASSERT(IsCallPC(pc));
     return cx->compartment()->jitCompartment()->baselineCallReturnFromIonAddr();
 }
 static inline jsbytecode *
 GetNextNonLoopEntryPc(jsbytecode *pc)
 {
     JSOp op = JSOp(*pc);
     if (op == JSOP_GOTO)
         return pc + GET_JUMP_OFFSET(pc);
     if (op == JSOP_LOOPENTRY || op == JSOP_NOP || op == JSOP_LOOPHEAD)
         return GetNextPc(pc);
     return pc;
 }
 // For every inline frame, we write out the following data:
 //
 //                      |      ...      |
 //                      +---------------+
 //                      |  Descr(???)   |  --- Descr size here is (PREV_FRAME_SIZE)
 //                      +---------------+
 //                      |  ReturnAddr   |
 //             --       +===============+  --- OVERWRITE STARTS HERE  (START_STACK_ADDR)
 //             |        | PrevFramePtr  |
 //             |    +-> +---------------+
 //             |    |   |   Baseline    |
 //             |    |   |    Frame      |
 //             |    |   +---------------+
 //             |    |   |    Fixed0     |
 //             |    |   +---------------+
 //         +--<     |   |     ...       |
 //         |   |    |   +---------------+
 //         |   |    |   |    FixedF     |
 //         |   |    |   +---------------+
 //         |   |    |   |    Stack0     |
 //         |   |    |   +---------------+
 //         |   |    |   |     ...       |
 //         |   |    |   +---------------+
 //         |   |    |   |    StackS     |
 //         |   --   |   +---------------+  --- IF NOT LAST INLINE FRAME,
 //         +------------|  Descr(BLJS)  |  --- CALLING INFO STARTS HERE
 //                  |   +---------------+
 //                  |   |  ReturnAddr   | <-- return into main jitcode after IC
 //             --   |   +===============+
 //             |    |   |    StubPtr    |
 //             |    |   +---------------+
 //             |    +---|   FramePtr    |
 //             |        +---------------+
 //             |        |     ArgA      |
 //             |        +---------------+
 //             |        |     ...       |
 //         +--<         +---------------+
 //         |   |        |     Arg0      |
 //         |   |        +---------------+
 //         |   |        |     ThisV     |
 //         |   --       +---------------+
 //         |            |  ActualArgC   |
 //         |            +---------------+
 //         |            |  CalleeToken  |
 //         |            +---------------+
 //         +------------| Descr(BLStub) |
 //                      +---------------+
 //                      |  ReturnAddr   | <-- return into ICCall_Scripted IC
 //             --       +===============+ --- IF CALLEE FORMAL ARGS > ActualArgC
 //             |        |  UndefinedU   |
 //             |        +---------------+
 //             |        |     ...       |
 //             |        +---------------+
 //             |        |  Undefined0   |
 //             |        +---------------+
 //         +--<         |     ArgA      |
 //         |   |        +---------------+
 //         |   |        |     ...       |
 //         |   |        +---------------+
 //         |   |        |     Arg0      |
 //         |   |        +---------------+
 //         |   |        |     ThisV     |
 //         |   --       +---------------+
 //         |            |  ActualArgC   |
 //         |            +---------------+
 //         |            |  CalleeToken  |
 //         |            +---------------+
 //         +------------|  Descr(Rect)  |
 //                      +---------------+
 //                      |  ReturnAddr   | <-- return into ArgumentsRectifier after call
 //                      +===============+
 //
 static bool
 InitFromBailout(JSContext *cx, HandleScript caller, jsbytecode *callerPC,
                 HandleFunction fun, HandleScript script, IonScript *ionScript,
                 SnapshotIterator &iter, bool invalidate, BaselineStackBuilder &builder,
                 AutoValueVector &startFrameFormals, MutableHandleFunction nextCallee,
                 jsbytecode **callPC, const ExceptionBailoutInfo *excInfo)
 {
     MOZ_ASSERT(script->hasBaselineScript());
     // Are we catching an exception?
     bool catchingException = excInfo && excInfo->catchingException();
     // If we are catching an exception, we are bailing out to a catch or
     // finally block and this is the frame where we will resume. Usually the
     // expression stack should be empty in this case but there can be
     // iterators on the stack.
     uint32_t exprStackSlots;
     if (catchingException)
         exprStackSlots = excInfo->numExprSlots();
     else
         exprStackSlots = iter.numAllocations() - (script->nfixed() + CountArgSlots(script, fun));
     builder.resetFramePushed();
     // Build first baseline frame:
     // +===============+
     // | PrevFramePtr  |
     // +---------------+
     // |   Baseline    |
     // |    Frame      |
     // +---------------+
     // |    Fixed0     |
     // +---------------+
     // |     ...       |
     // +---------------+
     // |    FixedF     |
     // +---------------+
     // |    Stack0     |
     // +---------------+
     // |     ...       |
     // +---------------+
     // |    StackS     |
     // +---------------+  --- IF NOT LAST INLINE FRAME,
     // |  Descr(BLJS)  |  --- CALLING INFO STARTS HERE
     // +---------------+
     // |  ReturnAddr   | <-- return into main jitcode after IC
     // +===============+
     IonSpew(IonSpew_BaselineBailouts, "      Unpacking %s:%d", script->filename(), script->lineno());
     IonSpew(IonSpew_BaselineBailouts, "      [BASELINE-JS FRAME]");
     // Calculate and write the previous frame pointer value.
     // Record the virtual stack offset at this location.  Later on, if we end up
     // writing out a BaselineStub frame for the next callee, we'll need to save the
     // address.
     void *prevFramePtr = builder.calculatePrevFramePtr();
     if (!builder.writePtr(prevFramePtr, "PrevFramePtr"))
         return false;
     prevFramePtr = builder.virtualPointerAtStackOffset(0);
     // Write struct BaselineFrame.
     if (!builder.subtract(BaselineFrame::Size(), "BaselineFrame"))
         return false;
     BufferPointer<BaselineFrame> blFrame = builder.pointerAtStackOffset<BaselineFrame>(0);
     // Initialize BaselineFrame::frameSize
     uint32_t frameSize = BaselineFrame::Size() + BaselineFrame::FramePointerOffset +
                          (sizeof(Value) * (script->nfixed() + exprStackSlots));
     IonSpew(IonSpew_BaselineBailouts, "      FrameSize=%d", (int) frameSize);
     blFrame->setFrameSize(frameSize);
     uint32_t flags = 0;
     // If SPS Profiler is enabled, mark the frame as having pushed an SPS entry.
     // This may be wrong for the last frame of ArgumentCheck bailout, but
     // that will be fixed later.
     if (ionScript->hasSPSInstrumentation()) {
         if (callerPC == nullptr) {
             IonSpew(IonSpew_BaselineBailouts, "      Setting SPS flag on top frame!");
             flags |= BaselineFrame::HAS_PUSHED_SPS_FRAME;
         } else if (js_JitOptions.profileInlineFrames) {
             IonSpew(IonSpew_BaselineBailouts, "      Setting SPS flag on inline frame!");
             flags |= BaselineFrame::HAS_PUSHED_SPS_FRAME;
         }
     }
     // Initialize BaselineFrame's scopeChain and argsObj
     JSObject *scopeChain = nullptr;
     Value returnValue;
     ArgumentsObject *argsObj = nullptr;
     BailoutKind bailoutKind = iter.bailoutKind();
     if (bailoutKind == Bailout_ArgumentCheck) {
         // Temporary hack -- skip the (unused) scopeChain, because it could be
         // bogus (we can fail before the scope chain slot is set). Strip the
         // hasScopeChain flag and this will be fixed up later in |FinishBailoutToBaseline|,
         // which calls |EnsureHasScopeObjects|.
         IonSpew(IonSpew_BaselineBailouts, "      Bailout_ArgumentCheck! (no valid scopeChain)");
         iter.skip();
         // skip |return value|
         iter.skip();
         returnValue = UndefinedValue();
         // Scripts with |argumentsHasVarBinding| have an extra slot.
         if (script->argumentsHasVarBinding()) {
             IonSpew(IonSpew_BaselineBailouts,
                     "      Bailout_ArgumentCheck for script with argumentsHasVarBinding!"
                     "Using empty arguments object");
             iter.skip();
         }
     } else {
         Value v = iter.read();
         if (v.isObject()) {
             scopeChain = &v.toObject();
             if (fun && fun->isHeavyweight())
                 flags |= BaselineFrame::HAS_CALL_OBJ;
         } else {
             JS_ASSERT(v.isUndefined() || v.isMagic(JS_OPTIMIZED_OUT));
             // Get scope chain from function or script.
             if (fun) {
                 // If pcOffset == 0, we may have to push a new call object, so
                 // we leave scopeChain nullptr and enter baseline code before
                 // the prologue.
                 if (iter.pcOffset() != 0 || iter.resumeAfter())
                     scopeChain = fun->environment();
             } else {
                 // For global, compile-and-go scripts the scope chain is the
                 // script's global (Ion does not compile non-compile-and-go
                 // scripts). Also note that it's invalid to resume into the
                 // prologue in this case because the prologue expects the scope
                 // chain in R1 for eval and global scripts.
                 JS_ASSERT(!script->isForEval());
                 JS_ASSERT(script->compileAndGo());
                 scopeChain = &(script->global());
             }
         }
         // Make sure to add HAS_RVAL to flags here because setFlags() below
         // will clobber it.
         returnValue = iter.read();
         flags |= BaselineFrame::HAS_RVAL;
         // If script maybe has an arguments object, the third slot will hold it.
         if (script->argumentsHasVarBinding()) {
             v = iter.read();
             JS_ASSERT(v.isObject() || v.isUndefined() || v.isMagic(JS_OPTIMIZED_OUT));
             if (v.isObject())
                 argsObj = &v.toObject().as<ArgumentsObject>();
         }
     }
     IonSpew(IonSpew_BaselineBailouts, "      ScopeChain=%p", scopeChain);
     blFrame->setScopeChain(scopeChain);
     IonSpew(IonSpew_BaselineBailouts, "      ReturnValue=%016llx", *((uint64_t *) &returnValue));
     blFrame->setReturnValue(returnValue);
     // Do not need to initialize scratchValue field in BaselineFrame.
     blFrame->setFlags(flags);
     // initArgsObjUnchecked modifies the frame's flags, so call it after setFlags.
     if (argsObj)
         blFrame->initArgsObjUnchecked(*argsObj);
     if (fun) {
         // The unpacked thisv and arguments should overwrite the pushed args present
         // in the calling frame.
         Value thisv = iter.read();
         IonSpew(IonSpew_BaselineBailouts, "      Is function!");
         IonSpew(IonSpew_BaselineBailouts, "      thisv=%016llx", *((uint64_t *) &thisv));
         size_t thisvOffset = builder.framePushed() + IonJSFrameLayout::offsetOfThis();
         *builder.valuePointerAtStackOffset(thisvOffset) = thisv;
         JS_ASSERT(iter.numAllocations() >= CountArgSlots(script, fun));
         IonSpew(IonSpew_BaselineBailouts, "      frame slots %u, nargs %u, nfixed %u",
                 iter.numAllocations(), fun->nargs(), script->nfixed());
         if (!callerPC) {
             // This is the first frame. Store the formals in a Vector until we
             // are done. Due to UCE and phi elimination, we could store an
             // UndefinedValue() here for formals we think are unused, but
             // locals may still reference the original argument slot
             // (MParameter/LArgument) and expect the original Value.
             JS_ASSERT(startFrameFormals.empty());
             if (!startFrameFormals.resize(fun->nargs()))
                 return false;
         }
         for (uint32_t i = 0; i < fun->nargs(); i++) {
             Value arg = iter.read();
             IonSpew(IonSpew_BaselineBailouts, "      arg %d = %016llx",
                         (int) i, *((uint64_t *) &arg));
             if (callerPC) {
                 size_t argOffset = builder.framePushed() + IonJSFrameLayout::offsetOfActualArg(i);
                 *builder.valuePointerAtStackOffset(argOffset) = arg;
             } else {
                 startFrameFormals[i] = arg;
             }
         }
     }
     for (uint32_t i = 0; i < script->nfixed(); i++) {
         Value slot = iter.read();
         if (!builder.writeValue(slot, "FixedValue"))
             return false;
     }
     // Get the pc. If we are handling an exception, resume at the pc of the
     // catch or finally block.
     jsbytecode *pc = catchingException ? excInfo->resumePC() : script->offsetToPC(iter.pcOffset());
     bool resumeAfter = catchingException ? false : iter.resumeAfter();
     JSOp op = JSOp(*pc);
     // Fixup inlined JSOP_FUNCALL, JSOP_FUNAPPLY, and accessors on the caller side.
     // On the caller side this must represent like the function wasn't inlined.
     uint32_t pushedSlots = 0;
     AutoValueVector savedCallerArgs(cx);
     bool needToSaveArgs = op == JSOP_FUNAPPLY || IsGetPropPC(pc) || IsSetPropPC(pc);
     if (iter.moreFrames() && (op == JSOP_FUNCALL || needToSaveArgs))
     {
         uint32_t inlined_args = 0;
         if (op == JSOP_FUNCALL)
             inlined_args = 2 + GET_ARGC(pc) - 1;
         else if (op == JSOP_FUNAPPLY)
             inlined_args = 2 + blFrame->numActualArgs();
         else
             inlined_args = 2 + IsSetPropPC(pc);
         JS_ASSERT(exprStackSlots >= inlined_args);
         pushedSlots = exprStackSlots - inlined_args;
         IonSpew(IonSpew_BaselineBailouts,
                 "      pushing %u expression stack slots before fixup",
                 pushedSlots);
         for (uint32_t i = 0; i < pushedSlots; i++) {
             Value v = iter.read();
             if (!builder.writeValue(v, "StackValue"))
                 return false;
         }
         if (op == JSOP_FUNCALL) {
             // When funcall got inlined and the native js_fun_call was bypassed,
             // the stack state is incorrect. To restore correctly it must look like
             // js_fun_call was actually called. This means transforming the stack
             // from |target, this, args| to |js_fun_call, target, this, args|
             // The js_fun_call is never read, so just pushing undefined now.
             IonSpew(IonSpew_BaselineBailouts, "      pushing undefined to fixup funcall");
             if (!builder.writeValue(UndefinedValue(), "StackValue"))
                 return false;
         }
         if (needToSaveArgs) {
             // When an accessor is inlined, the whole thing is a lie. There
             // should never have been a call there. Fix the caller's stack to
             // forget it ever happened.
             // When funapply gets inlined we take all arguments out of the
             // arguments array. So the stack state is incorrect. To restore
             // correctly it must look like js_fun_apply was actually called.
             // This means transforming the stack from |target, this, arg1, ...|
             // to |js_fun_apply, target, this, argObject|.
             // Since the information is never read, we can just push undefined
             // for all values.
             if (op == JSOP_FUNAPPLY) {
                 IonSpew(IonSpew_BaselineBailouts, "      pushing 4x undefined to fixup funapply");
                 if (!builder.writeValue(UndefinedValue(), "StackValue"))
                     return false;
                 if (!builder.writeValue(UndefinedValue(), "StackValue"))
                     return false;
                 if (!builder.writeValue(UndefinedValue(), "StackValue"))
                     return false;
                 if (!builder.writeValue(UndefinedValue(), "StackValue"))
                     return false;
             }
             // Save the actual arguments. They are needed on the callee side
             // as the arguments. Else we can't recover them.
             if (!savedCallerArgs.resize(inlined_args))
                 return false;
             for (uint32_t i = 0; i < inlined_args; i++)
                 savedCallerArgs[i] = iter.read();
             if (IsSetPropPC(pc)) {
                 // We would love to just save all the arguments and leave them
                 // in the stub frame pushed below, but we will lose the inital
                 // argument which the function was called with, which we must
                 // return to the caller, even if the setter internally modifies
                 // its arguments. Stash the initial argument on the stack, to be
                 // later retrieved by the SetProp_Fallback stub.
                 Value initialArg = savedCallerArgs[inlined_args - 1];
                 IonSpew(IonSpew_BaselineBailouts, "     pushing setter's initial argument");
                 if (!builder.writeValue(initialArg, "StackValue"))
                     return false;
             }
             pushedSlots = exprStackSlots;
         }
     }
     IonSpew(IonSpew_BaselineBailouts, "      pushing %u expression stack slots",
                                       exprStackSlots - pushedSlots);
     for (uint32_t i = pushedSlots; i < exprStackSlots; i++) {
         Value v;
         if (!iter.moreFrames() && i == exprStackSlots - 1 &&
             cx->runtime()->hasIonReturnOverride())
         {
             // If coming from an invalidation bailout, and this is the topmost
             // value, and a value override has been specified, don't read from the
             // iterator. Otherwise, we risk using a garbage value.
             JS_ASSERT(invalidate);
             iter.skip();
             IonSpew(IonSpew_BaselineBailouts, "      [Return Override]");
             v = cx->runtime()->takeIonReturnOverride();
         } else if (excInfo && excInfo->propagatingIonExceptionForDebugMode()) {
             // If we are in the middle of propagating an exception from Ion by
             // bailing to baseline due to debug mode, we might not have all
             // the stack if we are at the newest frame.
             //
             // For instance, if calling |f()| pushed an Ion frame which threw,
             // the snapshot expects the return value to be pushed, but it's
             // possible nothing was pushed before we threw. Iterators might
             // still be on the stack, so we can't just drop the stack.
             MOZ_ASSERT(cx->compartment()->debugMode());
             if (iter.moreFrames())
                 v = iter.read();
             else
                 v = MagicValue(JS_OPTIMIZED_OUT);
         } else {
             v = iter.read();
         }
         if (!builder.writeValue(v, "StackValue"))
             return false;
     }
     size_t endOfBaselineJSFrameStack = builder.framePushed();
     // If we are resuming at a LOOPENTRY op, resume at the next op to avoid
     // a bailout -> enter Ion -> bailout loop with --ion-eager. See also
     // ThunkToInterpreter.
     //
     // The algorithm below is the "tortoise and the hare" algorithm. See bug
     // 994444 for more explanation.
     if (!resumeAfter) {
         jsbytecode *fasterPc = pc;
         while (true) {
             pc = GetNextNonLoopEntryPc(pc);
             fasterPc = GetNextNonLoopEntryPc(GetNextNonLoopEntryPc(fasterPc));
             if (fasterPc == pc)
                 break;
         }
         op = JSOp(*pc);
     }
     uint32_t pcOff = script->pcToOffset(pc);
     bool isCall = IsCallPC(pc);
     BaselineScript *baselineScript = script->baselineScript();
 #ifdef DEBUG
     uint32_t expectedDepth;
     bool reachablePC;
     if (!ReconstructStackDepth(cx, script, resumeAfter ? GetNextPc(pc) : pc, &expectedDepth, &reachablePC))
         return false;
     if (reachablePC) {
         if (op != JSOP_FUNAPPLY || !iter.moreFrames() || resumeAfter) {
             if (op == JSOP_FUNCALL) {
                 // For fun.call(this, ...); the reconstructStackDepth will
                 // include the this. When inlining that is not included.
                 // So the exprStackSlots will be one less.
                 JS_ASSERT(expectedDepth - exprStackSlots <= 1);
             } else if (iter.moreFrames() && (IsGetPropPC(pc) || IsSetPropPC(pc))) {
                 // Accessors coming out of ion are inlined via a complete
                 // lie perpetrated by the compiler internally. Ion just rearranges
                 // the stack, and pretends that it looked like a call all along.
                 // This means that the depth is actually one *more* than expected
                 // by the interpreter, as there is now a JSFunction, |this| and [arg],
                 // rather than the expected |this| and [arg]
                 // Note that none of that was pushed, but it's still reflected
                 // in exprStackSlots.
                 JS_ASSERT(exprStackSlots - expectedDepth == 1);
             } else {
                 // For fun.apply({}, arguments) the reconstructStackDepth will
                 // have stackdepth 4, but it could be that we inlined the
                 // funapply. In that case exprStackSlots, will have the real
                 // arguments in the slots and not be 4.
                 JS_ASSERT(exprStackSlots == expectedDepth);
             }
         }
     }
     IonSpew(IonSpew_BaselineBailouts, "      Resuming %s pc offset %d (op %s) (line %d) of %s:%d",
                 resumeAfter ? "after" : "at", (int) pcOff, js_CodeName[op],
                 PCToLineNumber(script, pc), script->filename(), (int) script->lineno());
     IonSpew(IonSpew_BaselineBailouts, "      Bailout kind: %s",
             BailoutKindString(bailoutKind));
 #endif
     // If this was the last inline frame, or we are bailing out to a catch or
     // finally block in this frame, then unpacking is almost done.
     if (!iter.moreFrames() || catchingException) {
         // Last frame, so PC for call to next frame is set to nullptr.
         *callPC = nullptr;
         // If the bailout was a resumeAfter, and the opcode is monitored,
         // then the bailed out state should be in a position to enter
         // into the ICTypeMonitor chain for the op.
         bool enterMonitorChain = false;
         if (resumeAfter && (js_CodeSpec[op].format & JOF_TYPESET)) {
             // Not every monitored op has a monitored fallback stub, e.g.
             // JSOP_NEWOBJECT, which always returns the same type for a
             // particular script/pc location.
             ICEntry &icEntry = baselineScript->icEntryFromPCOffset(pcOff);
             ICFallbackStub *fallbackStub = icEntry.firstStub()->getChainFallback();
             if (fallbackStub->isMonitoredFallback())
                 enterMonitorChain = true;
         }
         uint32_t numCallArgs = isCall ? GET_ARGC(pc) : 0;
         if (resumeAfter && !enterMonitorChain)
             pc = GetNextPc(pc);
         builder.setResumeFramePtr(prevFramePtr);
         if (enterMonitorChain) {
             ICEntry &icEntry = baselineScript->icEntryFromPCOffset(pcOff);
             ICFallbackStub *fallbackStub = icEntry.firstStub()->getChainFallback();
             JS_ASSERT(fallbackStub->isMonitoredFallback());
             IonSpew(IonSpew_BaselineBailouts, "      [TYPE-MONITOR CHAIN]");
             ICMonitoredFallbackStub *monFallbackStub = fallbackStub->toMonitoredFallbackStub();
             ICStub *firstMonStub = monFallbackStub->fallbackMonitorStub()->firstMonitorStub();
             // To enter a monitoring chain, we load the top stack value into R0
             IonSpew(IonSpew_BaselineBailouts, "      Popping top stack value into R0.");
             builder.popValueInto(PCMappingSlotInfo::SlotInR0);
             // Need to adjust the frameSize for the frame to match the values popped
             // into registers.
             frameSize -= sizeof(Value);
             blFrame->setFrameSize(frameSize);
             IonSpew(IonSpew_BaselineBailouts, "      Adjusted framesize -= %d: %d",
                             (int) sizeof(Value), (int) frameSize);
             // If resuming into a JSOP_CALL, baseline keeps the arguments on the
             // stack and pops them only after returning from the call IC.
             // Push undefs onto the stack in anticipation of the popping of the
             // callee, thisv, and actual arguments passed from the caller's frame.
             if (isCall) {
                 builder.writeValue(UndefinedValue(), "CallOp FillerCallee");
                 builder.writeValue(UndefinedValue(), "CallOp FillerThis");
                 for (uint32_t i = 0; i < numCallArgs; i++)
                     builder.writeValue(UndefinedValue(), "CallOp FillerArg");
                 frameSize += (numCallArgs + 2) * sizeof(Value);
                 blFrame->setFrameSize(frameSize);
                 IonSpew(IonSpew_BaselineBailouts, "      Adjusted framesize += %d: %d",
                                 (int) ((numCallArgs + 2) * sizeof(Value)), (int) frameSize);
             }
             // Set the resume address to the return point from the IC, and set
             // the monitor stub addr.
             builder.setResumeAddr(baselineScript->returnAddressForIC(icEntry));
             builder.setMonitorStub(firstMonStub);
             IonSpew(IonSpew_BaselineBailouts, "      Set resumeAddr=%p monitorStub=%p",
                     baselineScript->returnAddressForIC(icEntry), firstMonStub);
         } else {
             // If needed, initialize BaselineBailoutInfo's valueR0 and/or valueR1 with the
             // top stack values.
             PCMappingSlotInfo slotInfo;
             uint8_t *nativeCodeForPC = baselineScript->nativeCodeForPC(script, pc, &slotInfo);
             unsigned numUnsynced = slotInfo.numUnsynced();
             JS_ASSERT(numUnsynced <= 2);
             PCMappingSlotInfo::SlotLocation loc1, loc2;
             if (numUnsynced > 0) {
                 loc1 = slotInfo.topSlotLocation();
                 IonSpew(IonSpew_BaselineBailouts, "      Popping top stack value into %d.",
                             (int) loc1);
                 builder.popValueInto(loc1);
             }
             if (numUnsynced > 1) {
                 loc2 = slotInfo.nextSlotLocation();
                 IonSpew(IonSpew_BaselineBailouts, "      Popping next stack value into %d.",
                             (int) loc2);
                 JS_ASSERT_IF(loc1 != PCMappingSlotInfo::SlotIgnore, loc1 != loc2);
                 builder.popValueInto(loc2);
             }
             // Need to adjust the frameSize for the frame to match the values popped
             // into registers.
             frameSize -= sizeof(Value) * numUnsynced;
             blFrame->setFrameSize(frameSize);
             IonSpew(IonSpew_BaselineBailouts, "      Adjusted framesize -= %d: %d",
                             int(sizeof(Value) * numUnsynced), int(frameSize));
             // If scopeChain is nullptr, then bailout is occurring during argument check.
             // In this case, resume into the prologue.
             uint8_t *opReturnAddr;
             if (scopeChain == nullptr) {
                 // Global and eval scripts expect the scope chain in R1, so only
                 // resume into the prologue for function scripts.
                 JS_ASSERT(fun);
                 JS_ASSERT(numUnsynced == 0);
                 opReturnAddr = baselineScript->prologueEntryAddr();
                 IonSpew(IonSpew_BaselineBailouts, "      Resuming into prologue.");
                 // If bailing into prologue, HAS_PUSHED_SPS_FRAME should not be set on frame.
                 blFrame->unsetPushedSPSFrame();
                 if (cx->runtime()->spsProfiler.enabled()) {
                     if (js_JitOptions.profileInlineFrames) {
                         // If SPS is enabled, there are two corner cases to handle:
                         //  1. If resuming into the prologue, and innermost frame is an inlined
                         //     frame, and bailout is because of argument check failure, then:
                         //          Top SPS profiler entry would be for caller frame.
                         //          Ion would not have set the PC index field on that frame
                         //              (since this bailout happens before MFunctionBoundary).
                         //          Make sure that's done now.
                         //  2. If resuming into the prologue, and the bailout is NOT because of an
                         //     argument check, then:
                         //          Top SPS profiler entry would be for callee frame.
                         //          Ion would already have pushed an SPS entry for this frame.
                         //          The pc for this entry would be set to nullptr.
                         //          Make sure it's set to script->pc.
                         if (caller && bailoutKind == Bailout_ArgumentCheck) {
                             IonSpew(IonSpew_BaselineBailouts, "      Setting PCidx on innermost "
                                     "inlined frame's parent's SPS entry (%s:%d) (pcIdx=%d)!",
                                     caller->filename(), caller->lineno(),
                                     caller->pcToOffset(callerPC));
                             cx->runtime()->spsProfiler.updatePC(caller, callerPC);
                         } else if (bailoutKind != Bailout_ArgumentCheck) {
                             IonSpew(IonSpew_BaselineBailouts,
                                     "      Popping SPS entry for innermost inlined frame");
                             cx->runtime()->spsProfiler.exit(script, fun);
                         }
                     } else {
                         // If not profiling inline frames, then this is logically simpler.
                         //
                         // 1. If resuming into inline code, then the top SPS entry will be
                         // for the outermost caller, and will have an uninitialized PC.
                         // This will be fixed up later in BailoutIonToBaseline.
                         //
                         // 2. If resuming into top-level code prologue, with ArgumentCheck,
                         // no SPS entry will have been pushed.  Can be left alone.
                         //
                         // 3. If resuming into top-level code prologue, without ArgumentCheck,
                         // an SPS entry will have been pushed, and needs to be popped.
                         //
                         // 4. If resuming into top-level code main body, an SPS entry will
                         // have been pushed, and can be left alone.
                         //
                         // Only need to handle case 3 here.
                         if (!caller && bailoutKind != Bailout_ArgumentCheck) {
                             IonSpew(IonSpew_BaselineBailouts,
                                     "      Popping SPS entry for outermost frame");
                             cx->runtime()->spsProfiler.exit(script, fun);
                         }
                     }
                 }
             } else {
                 opReturnAddr = nativeCodeForPC;
             }
             builder.setResumeAddr(opReturnAddr);
             IonSpew(IonSpew_BaselineBailouts, "      Set resumeAddr=%p", opReturnAddr);
         }
         if (cx->runtime()->spsProfiler.enabled()) {
             if (blFrame->hasPushedSPSFrame()) {
                 // Set PC index to 0 for the innermost frame to match what the
                 // interpreter and Baseline do: they update the SPS pc for
                 // JSOP_CALL ops but set it to 0 when running other ops. Ion code
                 // can set the pc to NullPCIndex and this will confuse SPS when
                 // Baseline calls into the VM at non-CALL ops and re-enters JS.
                 IonSpew(IonSpew_BaselineBailouts, "      Setting PCidx for last frame to 0");
                 cx->runtime()->spsProfiler.updatePC(script, script->code());
             }
             // Register bailout with profiler.
             const char *filename = script->filename();
             if (filename == nullptr)
                 filename = "<unknown>";
             unsigned len = strlen(filename) + 200;
             char *buf = js_pod_malloc<char>(len);
             if (buf == nullptr)
                 return false;
             JS_snprintf(buf, len, "%s %s %s on line %d of %s:%d",
                                   BailoutKindString(bailoutKind),
                                   resumeAfter ? "after" : "at",
                                   js_CodeName[op],
                                   int(PCToLineNumber(script, pc)),
                                   filename,
                                   int(script->lineno()));
             cx->runtime()->spsProfiler.markEvent(buf);
             js_free(buf);
         }
         return true;
     }
     *callPC = pc;
     // Write out descriptor of BaselineJS frame.
     size_t baselineFrameDescr = MakeFrameDescriptor((uint32_t) builder.framePushed(),
                                                     JitFrame_BaselineJS);
     if (!builder.writeWord(baselineFrameDescr, "Descriptor"))
         return false;
     // Calculate and write out return address.
     // The icEntry in question MUST have an inlinable fallback stub.
     ICEntry &icEntry = baselineScript->icEntryFromPCOffset(pcOff);
     JS_ASSERT(IsInlinableFallback(icEntry.firstStub()->getChainFallback()));
     if (!builder.writePtr(baselineScript->returnAddressForIC(icEntry), "ReturnAddr"))
         return false;
     // Build baseline stub frame:
     // +===============+
     // |    StubPtr    |
     // +---------------+
     // |   FramePtr    |
     // +---------------+
     // |     ArgA      |
     // +---------------+
     // |     ...       |
     // +---------------+
     // |     Arg0      |
     // +---------------+
     // |     ThisV     |
     // +---------------+
     // |  ActualArgC   |
     // +---------------+
     // |  CalleeToken  |
     // +---------------+
     // | Descr(BLStub) |
     // +---------------+
     // |  ReturnAddr   |
     // +===============+
     IonSpew(IonSpew_BaselineBailouts, "      [BASELINE-STUB FRAME]");
     size_t startOfBaselineStubFrame = builder.framePushed();
     // Write stub pointer.
     JS_ASSERT(IsInlinableFallback(icEntry.fallbackStub()));
     if (!builder.writePtr(icEntry.fallbackStub(), "StubPtr"))
         return false;
     // Write previous frame pointer (saved earlier).
     if (!builder.writePtr(prevFramePtr, "PrevFramePtr"))
         return false;
     prevFramePtr = builder.virtualPointerAtStackOffset(0);
     // Write out actual arguments (and thisv), copied from unpacked stack of BaselineJS frame.
     // Arguments are reversed on the BaselineJS frame's stack values.
     JS_ASSERT(IsIonInlinablePC(pc));
     unsigned actualArgc;
     if (needToSaveArgs) {
         // For FUNAPPLY or an accessor, the arguments are not on the stack anymore,
         // but they are copied in a vector and are written here.
         if (op == JSOP_FUNAPPLY)
             actualArgc = blFrame->numActualArgs();
         else
             actualArgc = IsSetPropPC(pc);
         JS_ASSERT(actualArgc + 2 <= exprStackSlots);
         JS_ASSERT(savedCallerArgs.length() == actualArgc + 2);
         for (unsigned i = 0; i < actualArgc + 1; i++) {
             size_t arg = savedCallerArgs.length() - (i + 1);
             if (!builder.writeValue(savedCallerArgs[arg], "ArgVal"))
                 return false;
         }
     } else {
         actualArgc = GET_ARGC(pc);
         if (op == JSOP_FUNCALL) {
             JS_ASSERT(actualArgc > 0);
             actualArgc--;
         }
         JS_ASSERT(actualArgc + 2 <= exprStackSlots);
         for (unsigned i = 0; i < actualArgc + 1; i++) {
             size_t argSlot = (script->nfixed() + exprStackSlots) - (i + 1);
             if (!builder.writeValue(*blFrame->valueSlot(argSlot), "ArgVal"))
                 return false;
         }
     }
     // In case these arguments need to be copied on the stack again for a rectifier frame,
     // save the framePushed values here for later use.
     size_t endOfBaselineStubArgs = builder.framePushed();
     // Calculate frame size for descriptor.
     size_t baselineStubFrameSize = builder.framePushed() - startOfBaselineStubFrame;
     size_t baselineStubFrameDescr = MakeFrameDescriptor((uint32_t) baselineStubFrameSize,
                                                         JitFrame_BaselineStub);
     // Push actual argc
     if (!builder.writeWord(actualArgc, "ActualArgc"))
         return false;
     // Push callee token (must be a JS Function)
     Value callee;
     if (needToSaveArgs) {
         // The arguments of FUNAPPLY or inlined accessors are not writen to the stack.
         // So get the callee from the specially saved vector.
         callee = savedCallerArgs[0];
     } else {
         uint32_t calleeStackSlot = exprStackSlots - uint32_t(actualArgc + 2);
         size_t calleeOffset = (builder.framePushed() - endOfBaselineJSFrameStack)
             + ((exprStackSlots - (calleeStackSlot + 1)) * sizeof(Value));
         callee = *builder.valuePointerAtStackOffset(calleeOffset);
         IonSpew(IonSpew_BaselineBailouts, "      CalleeStackSlot=%d", (int) calleeStackSlot);
     }
     IonSpew(IonSpew_BaselineBailouts, "      Callee = %016llx", *((uint64_t *) &callee));
     JS_ASSERT(callee.isObject() && callee.toObject().is<JSFunction>());
     JSFunction *calleeFun = &callee.toObject().as<JSFunction>();
     if (!builder.writePtr(CalleeToToken(calleeFun), "CalleeToken"))
         return false;
     nextCallee.set(calleeFun);
     // Push BaselineStub frame descriptor
     if (!builder.writeWord(baselineStubFrameDescr, "Descriptor"))
         return false;
     // Push return address into ICCall_Scripted stub, immediately after the call.
     void *baselineCallReturnAddr = GetStubReturnAddress(cx, pc);
     JS_ASSERT(baselineCallReturnAddr);
     if (!builder.writePtr(baselineCallReturnAddr, "ReturnAddr"))
         return false;
     // If actualArgc >= fun->nargs, then we are done.  Otherwise, we need to push on
     // a reconstructed rectifier frame.
     if (actualArgc >= calleeFun->nargs())
         return true;
     // Push a reconstructed rectifier frame.
     // +===============+
     // |  UndefinedU   |
     // +---------------+
     // |     ...       |
     // +---------------+
     // |  Undefined0   |
     // +---------------+
     // |     ArgA      |
     // +---------------+
     // |     ...       |
     // +---------------+
     // |     Arg0      |
     // +---------------+
     // |     ThisV     |
     // +---------------+
     // |  ActualArgC   |
     // +---------------+
     // |  CalleeToken  |
     // +---------------+
     // |  Descr(Rect)  |
     // +---------------+
     // |  ReturnAddr   |
     // +===============+
     IonSpew(IonSpew_BaselineBailouts, "      [RECTIFIER FRAME]");
     size_t startOfRectifierFrame = builder.framePushed();
     // On x86-only, the frame pointer is saved again in the rectifier frame.
 #if defined(JS_CODEGEN_X86)
     if (!builder.writePtr(prevFramePtr, "PrevFramePtr-X86Only"))
         return false;
 #endif
     // Push undefined for missing arguments.
     for (unsigned i = 0; i < (calleeFun->nargs() - actualArgc); i++) {
         if (!builder.writeValue(UndefinedValue(), "FillerVal"))
             return false;
     }
     // Copy arguments + thisv from BaselineStub frame.
     if (!builder.subtract((actualArgc + 1) * sizeof(Value), "CopiedArgs"))
         return false;
     BufferPointer<uint8_t> stubArgsEnd =
         builder.pointerAtStackOffset<uint8_t>(builder.framePushed() - endOfBaselineStubArgs);
     IonSpew(IonSpew_BaselineBailouts, "      MemCpy from %p", stubArgsEnd.get());
     memcpy(builder.pointerAtStackOffset<uint8_t>(0).get(), stubArgsEnd.get(),
            (actualArgc + 1) * sizeof(Value));
     // Calculate frame size for descriptor.
     size_t rectifierFrameSize = builder.framePushed() - startOfRectifierFrame;
     size_t rectifierFrameDescr = MakeFrameDescriptor((uint32_t) rectifierFrameSize,
                                                      JitFrame_Rectifier);
     // Push actualArgc
     if (!builder.writeWord(actualArgc, "ActualArgc"))
         return false;
     // Push calleeToken again.
     if (!builder.writePtr(CalleeToToken(calleeFun), "CalleeToken"))
         return false;
     // Push rectifier frame descriptor
     if (!builder.writeWord(rectifierFrameDescr, "Descriptor"))
         return false;
     // Push return address into the ArgumentsRectifier code, immediately after the ioncode
     // call.
     void *rectReturnAddr = cx->runtime()->jitRuntime()->getArgumentsRectifierReturnAddr();
     JS_ASSERT(rectReturnAddr);
     if (!builder.writePtr(rectReturnAddr, "ReturnAddr"))
         return false;
     return true;
 }
 uint32_t
 jit::BailoutIonToBaseline(JSContext *cx, JitActivation *activation, IonBailoutIterator &iter,
                           bool invalidate, BaselineBailoutInfo **bailoutInfo,
                           const ExceptionBailoutInfo *excInfo)
 {
     JS_ASSERT(bailoutInfo != nullptr);
     JS_ASSERT(*bailoutInfo == nullptr);
     TraceLogger *logger = TraceLoggerForMainThread(cx->runtime());
     TraceLogStopEvent(logger, TraceLogger::IonMonkey);
     TraceLogStartEvent(logger, TraceLogger::Baseline);
     // The caller of the top frame must be one of the following:
     //      IonJS - Ion calling into Ion.
     //      BaselineStub - Baseline calling into Ion.
     //      Entry - Interpreter or other calling into Ion.
     //      Rectifier - Arguments rectifier calling into Ion.
     JS_ASSERT(iter.isIonJS());
     FrameType prevFrameType = iter.prevType();
     JS_ASSERT(prevFrameType == JitFrame_IonJS ||
               prevFrameType == JitFrame_BaselineStub ||
               prevFrameType == JitFrame_Entry ||
               prevFrameType == JitFrame_Rectifier);
     // All incoming frames are going to look like this:
     //
     //      +---------------+
     //      |     ...       |
     //      +---------------+
     //      |     Args      |
     //      |     ...       |
     //      +---------------+
     //      |    ThisV      |
     //      +---------------+
     //      |  ActualArgC   |
     //      +---------------+
     //      |  CalleeToken  |
     //      +---------------+
     //      |  Descriptor   |
     //      +---------------+
     //      |  ReturnAddr   |
     //      +---------------+
     //      |    |||||      | <---- Overwrite starting here.
     //      |    |||||      |
     //      |    |||||      |
     //      +---------------+
     IonSpew(IonSpew_BaselineBailouts, "Bailing to baseline %s:%u (IonScript=%p) (FrameType=%d)",
             iter.script()->filename(), iter.script()->lineno(), (void *) iter.ionScript(),
             (int) prevFrameType);
     bool catchingException;
     bool propagatingExceptionForDebugMode;
     if (excInfo) {
         catchingException = excInfo->catchingException();
         propagatingExceptionForDebugMode = excInfo->propagatingIonExceptionForDebugMode();
         if (catchingException)
             IonSpew(IonSpew_BaselineBailouts, "Resuming in catch or finally block");
         if (propagatingExceptionForDebugMode)
             IonSpew(IonSpew_BaselineBailouts, "Resuming in-place for debug mode");
     } else {
         catchingException = false;
         propagatingExceptionForDebugMode = false;
     }
     IonSpew(IonSpew_BaselineBailouts, "  Reading from snapshot offset %u size %u",
             iter.snapshotOffset(), iter.ionScript()->snapshotsListSize());
     if (!excInfo)
         iter.ionScript()->incNumBailouts();
     iter.script()->updateBaselineOrIonRaw();
     // Allocate buffer to hold stack replacement data.
     BaselineStackBuilder builder(iter, 1024);
     if (!builder.init())
         return BAILOUT_RETURN_FATAL_ERROR;
     IonSpew(IonSpew_BaselineBailouts, "  Incoming frame ptr = %p", builder.startFrame());
     SnapshotIterator snapIter(iter);
     RootedFunction callee(cx, iter.maybeCallee());
     RootedScript scr(cx, iter.script());
     if (callee) {
         IonSpew(IonSpew_BaselineBailouts, "  Callee function (%s:%u)",
                 scr->filename(), scr->lineno());
     } else {
         IonSpew(IonSpew_BaselineBailouts, "  No callee!");
     }
     if (iter.isConstructing())
         IonSpew(IonSpew_BaselineBailouts, "  Constructing!");
     else
         IonSpew(IonSpew_BaselineBailouts, "  Not constructing!");
     IonSpew(IonSpew_BaselineBailouts, "  Restoring frames:");
     size_t frameNo = 0;
     // Reconstruct baseline frames using the builder.
     RootedScript caller(cx);
     jsbytecode *callerPC = nullptr;
     RootedFunction fun(cx, callee);
     AutoValueVector startFrameFormals(cx);
     RootedScript topCaller(cx);
     jsbytecode *topCallerPC = nullptr;
     while (true) {
         MOZ_ASSERT(snapIter.instruction()->isResumePoint());
         if (frameNo > 0) {
             TraceLogStartEvent(logger, TraceLogCreateTextId(logger, scr));
             TraceLogStartEvent(logger, TraceLogger::Baseline);
         }
         IonSpew(IonSpew_BaselineBailouts, "    FrameNo %d", frameNo);
         // If we are bailing out to a catch or finally block in this frame,
         // pass excInfo to InitFromBailout and don't unpack any other frames.
         bool handleException = (catchingException && excInfo->frameNo() == frameNo);
         // We also need to pass excInfo if we're bailing out in place for
         // debug mode.
         bool passExcInfo = handleException || propagatingExceptionForDebugMode;
         jsbytecode *callPC = nullptr;
         RootedFunction nextCallee(cx, nullptr);
         if (!InitFromBailout(cx, caller, callerPC, fun, scr, iter.ionScript(),
                              snapIter, invalidate, builder, startFrameFormals,
                              &nextCallee, &callPC, passExcInfo ? excInfo : nullptr))
         {
             return BAILOUT_RETURN_FATAL_ERROR;
         }
         if (!snapIter.moreFrames()) {
             JS_ASSERT(!callPC);
             break;
         }
         if (handleException)
             break;
         JS_ASSERT(nextCallee);
         JS_ASSERT(callPC);
         caller = scr;
         callerPC = callPC;
         fun = nextCallee;
         scr = fun->existingScriptForInlinedFunction();
         // Save top caller info for adjusting SPS frames later.
         if (!topCaller) {
             JS_ASSERT(frameNo == 0);
             topCaller = caller;
             topCallerPC = callerPC;
         }
         frameNo++;
         snapIter.nextInstruction();
     }
     IonSpew(IonSpew_BaselineBailouts, "  Done restoring frames");
     // If there were multiple inline frames unpacked, and inline frame profiling
     // is off, then the current top SPS frame is for the outermost caller, and
     // has an uninitialized PC.  Initialize it now.
     if (frameNo > 0 && !js_JitOptions.profileInlineFrames)
         cx->runtime()->spsProfiler.updatePC(topCaller, topCallerPC);
     BailoutKind bailoutKind = snapIter.bailoutKind();
     if (!startFrameFormals.empty()) {
         // Set the first frame's formals, see the comment in InitFromBailout.
         Value *argv = builder.startFrame()->argv() + 1; // +1 to skip |this|.
         mozilla::PodCopy(argv, startFrameFormals.begin(), startFrameFormals.length());
     }
     // Do stack check.
     bool overRecursed = false;
     BaselineBailoutInfo *info = builder.info();
     uint8_t *newsp = info->incomingStack - (info->copyStackTop - info->copyStackBottom);
 #ifdef JS_ARM_SIMULATOR
     if (Simulator::Current()->overRecursed(uintptr_t(newsp)))
         overRecursed = true;
 #else
     JS_CHECK_RECURSION_WITH_SP_DONT_REPORT(cx, newsp, overRecursed = true);
 #endif
     if (overRecursed) {
         IonSpew(IonSpew_BaselineBailouts, "  Overrecursion check failed!");
         return BAILOUT_RETURN_OVERRECURSED;
     }
     // Take the reconstructed baseline stack so it doesn't get freed when builder destructs.
     info = builder.takeBuffer();
     info->numFrames = frameNo + 1;
     info->bailoutKind = bailoutKind;
     *bailoutInfo = info;
     return BAILOUT_RETURN_OK;
 }
 static bool
 HandleBoundsCheckFailure(JSContext *cx, HandleScript outerScript, HandleScript innerScript)
 {
     IonSpew(IonSpew_Bailouts, "Bounds check failure %s:%d, inlined into %s:%d",
             innerScript->filename(), innerScript->lineno(),
             outerScript->filename(), outerScript->lineno());
     JS_ASSERT(!outerScript->ionScript()->invalidated());
     // TODO: Currently this mimic's Ion's handling of this case.  Investigate setting
     // the flag on innerScript as opposed to outerScript, and maybe invalidating both
     // inner and outer scripts, instead of just the outer one.
     if (!outerScript->failedBoundsCheck())
         outerScript->setFailedBoundsCheck();
     IonSpew(IonSpew_BaselineBailouts, "Invalidating due to bounds check failure");
     return Invalidate(cx, outerScript);
 }
 static bool
 HandleShapeGuardFailure(JSContext *cx, HandleScript outerScript, HandleScript innerScript)
 {
     IonSpew(IonSpew_Bailouts, "Shape guard failure %s:%d, inlined into %s:%d",
             innerScript->filename(), innerScript->lineno(),
             outerScript->filename(), outerScript->lineno());
     JS_ASSERT(!outerScript->ionScript()->invalidated());
     // TODO: Currently this mimic's Ion's handling of this case.  Investigate setting
     // the flag on innerScript as opposed to outerScript, and maybe invalidating both
     // inner and outer scripts, instead of just the outer one.
     outerScript->setFailedShapeGuard();
     IonSpew(IonSpew_BaselineBailouts, "Invalidating due to shape guard failure");
     return Invalidate(cx, outerScript);
 }
 static bool
 HandleBaselineInfoBailout(JSContext *cx, JSScript *outerScript, JSScript *innerScript)
 {
     IonSpew(IonSpew_Bailouts, "Baseline info failure %s:%d, inlined into %s:%d",
             innerScript->filename(), innerScript->lineno(),
             outerScript->filename(), outerScript->lineno());
     JS_ASSERT(!outerScript->ionScript()->invalidated());
     IonSpew(IonSpew_BaselineBailouts, "Invalidating due to invalid baseline info");
     return Invalidate(cx, outerScript);
 }
 static bool
 CopyFromRematerializedFrame(JSContext *cx, JitActivation *act, uint8_t *fp, size_t inlineDepth,
                             BaselineFrame *frame)
 {
     RematerializedFrame *rematFrame = act->lookupRematerializedFrame(fp, inlineDepth);
     // We might not have rematerialized a frame if the user never requested a
     // Debugger.Frame for it.
     if (!rematFrame)
         return true;
     MOZ_ASSERT(rematFrame->script() == frame->script());
     MOZ_ASSERT(rematFrame->numActualArgs() == frame->numActualArgs());
     frame->setScopeChain(rematFrame->scopeChain());
     frame->thisValue() = rematFrame->thisValue();
     for (unsigned i = 0; i < frame->numActualArgs(); i++)
         frame->argv()[i] = rematFrame->argv()[i];
     for (size_t i = 0; i < frame->script()->nfixed(); i++)
         *frame->valueSlot(i) = rematFrame->locals()[i];
     IonSpew(IonSpew_BaselineBailouts,
             "  Copied from rematerialized frame at (%p,%u)",
             fp, inlineDepth);
     if (cx->compartment()->debugMode())
         return Debugger::handleIonBailout(cx, rematFrame, frame);
     return true;
 }
 uint32_t
 jit::FinishBailoutToBaseline(BaselineBailoutInfo *bailoutInfo)
 {
     // The caller pushes R0 and R1 on the stack without rooting them.
     // Since GC here is very unlikely just suppress it.
     JSContext *cx = GetJSContextFromJitCode();
     js::gc::AutoSuppressGC suppressGC(cx);
     IonSpew(IonSpew_BaselineBailouts, "  Done restoring frames");
     // Check that we can get the current script's PC.
 #ifdef DEBUG
     jsbytecode *pc;
     cx->currentScript(&pc);
     IonSpew(IonSpew_BaselineBailouts, "  Got pc=%p", pc);
 #endif
     uint32_t numFrames = bailoutInfo->numFrames;
     JS_ASSERT(numFrames > 0);
     BailoutKind bailoutKind = bailoutInfo->bailoutKind;
     // Free the bailout buffer.
     js_free(bailoutInfo);
     bailoutInfo = nullptr;
     // Ensure the frame has a call object if it needs one. If the scope chain
     // is nullptr, we will enter baseline code at the prologue so no need to do
     // anything in that case.
     BaselineFrame *topFrame = GetTopBaselineFrame(cx);
     if (topFrame->scopeChain() && !EnsureHasScopeObjects(cx, topFrame))
         return false;
     // Create arguments objects for bailed out frames, to maintain the invariant
     // that script->needsArgsObj() implies frame->hasArgsObj().
     RootedScript innerScript(cx, nullptr);
     RootedScript outerScript(cx, nullptr);
     JS_ASSERT(cx->currentlyRunningInJit());
     JitFrameIterator iter(cx);
     uint8_t *outerFp = nullptr;
     uint32_t frameno = 0;
     while (frameno < numFrames) {
         JS_ASSERT(!iter.isIonJS());
         if (iter.isBaselineJS()) {
             BaselineFrame *frame = iter.baselineFrame();
             MOZ_ASSERT(frame->script()->hasBaselineScript());
             // If the frame doesn't even have a scope chain set yet, then it's resuming
             // into the the prologue before the scope chain is initialized.  Any
             // necessary args object will also be initialized there.
             if (frame->scopeChain() && frame->script()->needsArgsObj()) {
                 ArgumentsObject *argsObj;
                 if (frame->hasArgsObj()) {
                     argsObj = &frame->argsObj();
                 } else {
                     argsObj = ArgumentsObject::createExpected(cx, frame);
                     if (!argsObj)
                         return false;
                 }
                 // The arguments is a local binding and needsArgsObj does not
                 // check if it is clobbered. Ensure that the local binding
                 // restored during bailout before storing the arguments object
                 // to the slot.
                 RootedScript script(cx, frame->script());
                 SetFrameArgumentsObject(cx, frame, script, argsObj);
             }
             if (frameno == 0)
                 innerScript = frame->script();
             if (frameno == numFrames - 1) {
                 outerScript = frame->script();
                 outerFp = iter.fp();
             }
             frameno++;
         }
         ++iter;
     }
     MOZ_ASSERT(innerScript);
     MOZ_ASSERT(outerScript);
     MOZ_ASSERT(outerFp);
     // If we rematerialized Ion frames due to debug mode toggling, copy their
     // values into the baseline frame. We need to do this even when debug mode
     // is off, as we should respect the mutations made while debug mode was
     // on.
     JitActivation *act = cx->mainThread().activation()->asJit();
     if (act->hasRematerializedFrame(outerFp)) {
         JitFrameIterator iter(cx);
         size_t inlineDepth = numFrames;
         while (inlineDepth > 0) {
             if (iter.isBaselineJS() &&
                 !CopyFromRematerializedFrame(cx, act, outerFp, --inlineDepth,
                                              iter.baselineFrame()))
             {
                 return false;
             }
             ++iter;
         }
         // After copying from all the rematerialized frames, remove them from
         // the table to keep the table up to date.
         act->removeRematerializedFrame(outerFp);
     }
     IonSpew(IonSpew_BaselineBailouts,
             "  Restored outerScript=(%s:%u,%u) innerScript=(%s:%u,%u) (bailoutKind=%u)",
             outerScript->filename(), outerScript->lineno(), outerScript->getUseCount(),
             innerScript->filename(), innerScript->lineno(), innerScript->getUseCount(),
             (unsigned) bailoutKind);
     switch (bailoutKind) {
       case Bailout_Normal:
         // Do nothing.
         break;
       case Bailout_ArgumentCheck:
         // Do nothing, bailout will resume before the argument monitor ICs.
         break;
       case Bailout_BoundsCheck:
         if (!HandleBoundsCheckFailure(cx, outerScript, innerScript))
             return false;
         break;
       case Bailout_ShapeGuard:
         if (!HandleShapeGuardFailure(cx, outerScript, innerScript))
             return false;
         break;
       case Bailout_BaselineInfo:
         if (!HandleBaselineInfoBailout(cx, outerScript, innerScript))
             return false;
         break;
       case Bailout_IonExceptionDebugMode:
         // Return false to resume in HandleException with reconstructed
         // baseline frame.
         return false;
       default:
         MOZ_ASSUME_UNREACHABLE("Unknown bailout kind!");
     }
     if (!CheckFrequentBailouts(cx, outerScript))
         return false;
     return true;
 }

The Tor Browser / annotate

js/src/jit/BaselineBailouts.cpp@129ffea94266 (annotated)

js/src/jit/BaselineBailouts.cpp