The Tor Browser: js/src/jit/x64/Trampoline-x64.cpp@6474c204b198 (annotated)

js/src/jit/x64/Trampoline-x64.cpp@6474c204b198 (annotated)

js/src/jit/x64/Trampoline-x64.cpp

Wed, 31 Dec 2014 06:09:35 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:09:35 +0100
changeset 0: 6474c204b198
permissions: -rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
  * vim: set ts=8 sts=4 et sw=4 tw=99:
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "jit/Bailouts.h"
 #include "jit/IonFrames.h"
 #include "jit/IonLinker.h"
 #include "jit/JitCompartment.h"
 #ifdef JS_ION_PERF
 # include "jit/PerfSpewer.h"
 #endif
 #include "jit/VMFunctions.h"
 #include "jit/x64/BaselineHelpers-x64.h"
 using namespace js;
 using namespace js::jit;
 // All registers to save and restore. This includes the stack pointer, since we
 // use the ability to reference register values on the stack by index.
 static const RegisterSet AllRegs =
   RegisterSet(GeneralRegisterSet(Registers::AllMask),
               FloatRegisterSet(FloatRegisters::AllMask));
 /* This method generates a trampoline on x64 for a c++ function with
  * the following signature:
  *   bool blah(void *code, int argc, Value *argv, JSObject *scopeChain,
  *               Value *vp)
  *   ...using standard x64 fastcall calling convention
  */
 JitCode *
 JitRuntime::generateEnterJIT(JSContext *cx, EnterJitType type)
 {
     MacroAssembler masm(cx);
     const Register reg_code  = IntArgReg0;
     const Register reg_argc  = IntArgReg1;
     const Register reg_argv  = IntArgReg2;
     JS_ASSERT(OsrFrameReg == IntArgReg3);
 #if defined(_WIN64)
     const Operand token  = Operand(rbp, 16 + ShadowStackSpace);
     const Operand scopeChain = Operand(rbp, 24 + ShadowStackSpace);
     const Operand numStackValuesAddr = Operand(rbp, 32 + ShadowStackSpace);
     const Operand result = Operand(rbp, 40 + ShadowStackSpace);
 #else
     const Register token = IntArgReg4;
     const Register scopeChain = IntArgReg5;
     const Operand numStackValuesAddr = Operand(rbp, 16 + ShadowStackSpace);
     const Operand result = Operand(rbp, 24 + ShadowStackSpace);
 #endif
     // Save old stack frame pointer, set new stack frame pointer.
     masm.push(rbp);
     masm.mov(rsp, rbp);
     // Save non-volatile registers. These must be saved by the trampoline, rather
     // than by the JIT'd code, because they are scanned by the conservative scanner.
     masm.push(rbx);
     masm.push(r12);
     masm.push(r13);
     masm.push(r14);
     masm.push(r15);
 #if defined(_WIN64)
     masm.push(rdi);
     masm.push(rsi);
     // 16-byte aligment for movdqa
     masm.subq(Imm32(16 * 10 + 8), rsp);
     masm.movdqa(xmm6, Operand(rsp, 16 * 0));
     masm.movdqa(xmm7, Operand(rsp, 16 * 1));
     masm.movdqa(xmm8, Operand(rsp, 16 * 2));
     masm.movdqa(xmm9, Operand(rsp, 16 * 3));
     masm.movdqa(xmm10, Operand(rsp, 16 * 4));
     masm.movdqa(xmm11, Operand(rsp, 16 * 5));
     masm.movdqa(xmm12, Operand(rsp, 16 * 6));
     masm.movdqa(xmm13, Operand(rsp, 16 * 7));
     masm.movdqa(xmm14, Operand(rsp, 16 * 8));
     masm.movdqa(xmm15, Operand(rsp, 16 * 9));
 #endif
     // Push the EnterJIT sps mark.
     masm.spsMarkJit(&cx->runtime()->spsProfiler, rbp, rbx);
     // Save arguments passed in registers needed after function call.
     masm.push(result);
     // Remember stack depth without padding and arguments.
     masm.mov(rsp, r14);
     // Remember number of bytes occupied by argument vector
     masm.mov(reg_argc, r13);
     masm.shll(Imm32(3), r13);
     // Guarantee 16-byte alignment.
     // We push argc, callee token, frame size, and return address.
     // The latter two are 16 bytes together, so we only consider argc and the
     // token.
     masm.mov(rsp, r12);
     masm.subq(r13, r12);
     masm.subq(Imm32(8), r12);
     masm.andl(Imm32(0xf), r12);
     masm.subq(r12, rsp);
     /***************************************************************
     Loop over argv vector, push arguments onto stack in reverse order
     ***************************************************************/
     // r13 still stores the number of bytes in the argument vector.
     masm.addq(reg_argv, r13); // r13 points above last argument.
     // while r13 > rdx, push arguments.
     {
         Label header, footer;
         masm.bind(&header);
         masm.cmpq(r13, reg_argv);
         masm.j(AssemblerX86Shared::BelowOrEqual, &footer);
         masm.subq(Imm32(8), r13);
         masm.push(Operand(r13, 0));
         masm.jmp(&header);
         masm.bind(&footer);
     }
     // Push the number of actual arguments.  |result| is used to store the
     // actual number of arguments without adding an extra argument to the enter
     // JIT.
     masm.movq(result, reg_argc);
     masm.unboxInt32(Operand(reg_argc, 0), reg_argc);
     masm.push(reg_argc);
     // Push the callee token.
     masm.push(token);
     /*****************************************************************
     Push the number of bytes we've pushed so far on the stack and call
     *****************************************************************/
     masm.subq(rsp, r14);
     // Create a frame descriptor.
     masm.makeFrameDescriptor(r14, JitFrame_Entry);
     masm.push(r14);
     CodeLabel returnLabel;
     if (type == EnterJitBaseline) {
         // Handle OSR.
         GeneralRegisterSet regs(GeneralRegisterSet::All());
         regs.takeUnchecked(OsrFrameReg);
         regs.take(rbp);
         regs.take(reg_code);
         // Ensure that |scratch| does not end up being JSReturnOperand.
         // Do takeUnchecked because on Win64/x64, reg_code (IntArgReg0) and JSReturnOperand are
         // the same (rcx).  See bug 849398.
         regs.takeUnchecked(JSReturnOperand);
         Register scratch = regs.takeAny();
         Label notOsr;
         masm.branchTestPtr(Assembler::Zero, OsrFrameReg, OsrFrameReg, &notOsr);
         Register numStackValues = regs.takeAny();
         masm.movq(numStackValuesAddr, numStackValues);
         // Push return address, previous frame pointer.
         masm.mov(returnLabel.dest(), scratch);
         masm.push(scratch);
         masm.push(rbp);
         // Reserve frame.
         Register framePtr = rbp;
         masm.subPtr(Imm32(BaselineFrame::Size()), rsp);
         masm.mov(rsp, framePtr);
 #ifdef XP_WIN
         // Can't push large frames blindly on windows.  Touch frame memory incrementally.
         masm.mov(numStackValues, scratch);
         masm.lshiftPtr(Imm32(3), scratch);
         masm.subPtr(scratch, framePtr);
         {
             masm.movePtr(rsp, scratch);
             masm.subPtr(Imm32(WINDOWS_BIG_FRAME_TOUCH_INCREMENT), scratch);
             Label touchFrameLoop;
             Label touchFrameLoopEnd;
             masm.bind(&touchFrameLoop);
             masm.branchPtr(Assembler::Below, scratch, framePtr, &touchFrameLoopEnd);
             masm.store32(Imm32(0), Address(scratch, 0));
             masm.subPtr(Imm32(WINDOWS_BIG_FRAME_TOUCH_INCREMENT), scratch);
             masm.jump(&touchFrameLoop);
             masm.bind(&touchFrameLoopEnd);
         }
         masm.mov(rsp, framePtr);
 #endif
         // Reserve space for locals and stack values.
         Register valuesSize = regs.takeAny();
         masm.mov(numStackValues, valuesSize);
         masm.shll(Imm32(3), valuesSize);
         masm.subPtr(valuesSize, rsp);
         // Enter exit frame.
         masm.addPtr(Imm32(BaselineFrame::Size() + BaselineFrame::FramePointerOffset), valuesSize);
         masm.makeFrameDescriptor(valuesSize, JitFrame_BaselineJS);
         masm.push(valuesSize);
         masm.push(Imm32(0)); // Fake return address.
         masm.enterFakeExitFrame();
         regs.add(valuesSize);
         masm.push(framePtr);
         masm.push(reg_code);
         masm.setupUnalignedABICall(3, scratch);
         masm.passABIArg(framePtr); // BaselineFrame
         masm.passABIArg(OsrFrameReg); // InterpreterFrame
         masm.passABIArg(numStackValues);
         masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, jit::InitBaselineFrameForOsr));
         masm.pop(reg_code);
         masm.pop(framePtr);
         JS_ASSERT(reg_code != ReturnReg);
         Label error;
         masm.addPtr(Imm32(IonExitFrameLayout::SizeWithFooter()), rsp);
         masm.addPtr(Imm32(BaselineFrame::Size()), framePtr);
         masm.branchIfFalseBool(ReturnReg, &error);
         masm.jump(reg_code);
         // OOM: load error value, discard return address and previous frame
         // pointer and return.
         masm.bind(&error);
         masm.mov(framePtr, rsp);
         masm.addPtr(Imm32(2 * sizeof(uintptr_t)), rsp);
         masm.moveValue(MagicValue(JS_ION_ERROR), JSReturnOperand);
         masm.mov(returnLabel.dest(), scratch);
         masm.jump(scratch);
         masm.bind(&notOsr);
         masm.movq(scopeChain, R1.scratchReg());
     }
     // Call function.
     masm.call(reg_code);
     if (type == EnterJitBaseline) {
         // Baseline OSR will return here.
         masm.bind(returnLabel.src());
         if (!masm.addCodeLabel(returnLabel))
             return nullptr;
     }
     // Pop arguments and padding from stack.
     masm.pop(r14);              // Pop and decode descriptor.
     masm.shrq(Imm32(FRAMESIZE_SHIFT), r14);
     masm.addq(r14, rsp);        // Remove arguments.
     /*****************************************************************
     Place return value where it belongs, pop all saved registers
     *****************************************************************/
     masm.pop(r12); // vp
     masm.storeValue(JSReturnOperand, Operand(r12, 0));
     // Unwind the sps mark.
     masm.spsUnmarkJit(&cx->runtime()->spsProfiler, rbx);
     // Restore non-volatile registers.
 #if defined(_WIN64)
     masm.movdqa(Operand(rsp, 16 * 0), xmm6);
     masm.movdqa(Operand(rsp, 16 * 1), xmm7);
     masm.movdqa(Operand(rsp, 16 * 2), xmm8);
     masm.movdqa(Operand(rsp, 16 * 3), xmm9);
     masm.movdqa(Operand(rsp, 16 * 4), xmm10);
     masm.movdqa(Operand(rsp, 16 * 5), xmm11);
     masm.movdqa(Operand(rsp, 16 * 6), xmm12);
     masm.movdqa(Operand(rsp, 16 * 7), xmm13);
     masm.movdqa(Operand(rsp, 16 * 8), xmm14);
     masm.movdqa(Operand(rsp, 16 * 9), xmm15);
     masm.addq(Imm32(16 * 10 + 8), rsp);
     masm.pop(rsi);
     masm.pop(rdi);
 #endif
     masm.pop(r15);
     masm.pop(r14);
     masm.pop(r13);
     masm.pop(r12);
     masm.pop(rbx);
     // Restore frame pointer and return.
     masm.pop(rbp);
     masm.ret();
     Linker linker(masm);
     JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
 #ifdef JS_ION_PERF
     writePerfSpewerJitCodeProfile(code, "EnterJIT");
 #endif
     return code;
 }
 JitCode *
 JitRuntime::generateInvalidator(JSContext *cx)
 {
     AutoIonContextAlloc aica(cx);
     MacroAssembler masm(cx);
     // See explanatory comment in x86's JitRuntime::generateInvalidator.
     masm.addq(Imm32(sizeof(uintptr_t)), rsp);
     // Push registers such that we can access them from [base + code].
     masm.PushRegsInMask(AllRegs);
     masm.movq(rsp, rax); // Argument to jit::InvalidationBailout.
     // Make space for InvalidationBailout's frameSize outparam.
     masm.reserveStack(sizeof(size_t));
     masm.movq(rsp, rbx);
     // Make space for InvalidationBailout's bailoutInfo outparam.
     masm.reserveStack(sizeof(void *));
     masm.movq(rsp, r9);
     masm.setupUnalignedABICall(3, rdx);
     masm.passABIArg(rax);
     masm.passABIArg(rbx);
     masm.passABIArg(r9);
     masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, InvalidationBailout));
     masm.pop(r9); // Get the bailoutInfo outparam.
     masm.pop(rbx); // Get the frameSize outparam.
     // Pop the machine state and the dead frame.
     masm.lea(Operand(rsp, rbx, TimesOne, sizeof(InvalidationBailoutStack)), rsp);
     // Jump to shared bailout tail. The BailoutInfo pointer has to be in r9.
     JitCode *bailoutTail = cx->runtime()->jitRuntime()->getBailoutTail();
     masm.jmp(bailoutTail);
     Linker linker(masm);
     JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
 #ifdef JS_ION_PERF
     writePerfSpewerJitCodeProfile(code, "Invalidator");
 #endif
     return code;
 }
 JitCode *
 JitRuntime::generateArgumentsRectifier(JSContext *cx, ExecutionMode mode, void **returnAddrOut)
 {
     // Do not erase the frame pointer in this function.
     MacroAssembler masm(cx);
     // ArgumentsRectifierReg contains the |nargs| pushed onto the current frame.
     // Including |this|, there are (|nargs| + 1) arguments to copy.
     JS_ASSERT(ArgumentsRectifierReg == r8);
     // Load the number of |undefined|s to push into %rcx.
     masm.loadPtr(Address(rsp, IonRectifierFrameLayout::offsetOfCalleeToken()), rax);
     masm.movzwl(Operand(rax, JSFunction::offsetOfNargs()), rcx);
     masm.subq(r8, rcx);
     // Copy the number of actual arguments
     masm.loadPtr(Address(rsp, IonRectifierFrameLayout::offsetOfNumActualArgs()), rdx);
     masm.moveValue(UndefinedValue(), r10);
     masm.movq(rsp, r9); // Save %rsp.
     // Push undefined.
     {
         Label undefLoopTop;
         masm.bind(&undefLoopTop);
         masm.push(r10);
         masm.subl(Imm32(1), rcx);
         masm.j(Assembler::NonZero, &undefLoopTop);
     }
     // Get the topmost argument.
     BaseIndex b = BaseIndex(r9, r8, TimesEight, sizeof(IonRectifierFrameLayout));
     masm.lea(Operand(b), rcx);
     // Push arguments, |nargs| + 1 times (to include |this|).
     masm.addl(Imm32(1), r8);
     {
         Label copyLoopTop;
         masm.bind(&copyLoopTop);
         masm.push(Operand(rcx, 0x0));
         masm.subq(Imm32(sizeof(Value)), rcx);
         masm.subl(Imm32(1), r8);
         masm.j(Assembler::NonZero, &copyLoopTop);
     }
     // Construct descriptor.
     masm.subq(rsp, r9);
     masm.makeFrameDescriptor(r9, JitFrame_Rectifier);
     // Construct IonJSFrameLayout.
     masm.push(rdx); // numActualArgs
     masm.push(rax); // callee token
     masm.push(r9); // descriptor
     // Call the target function.
     // Note that this code assumes the function is JITted.
     masm.loadPtr(Address(rax, JSFunction::offsetOfNativeOrScript()), rax);
     masm.loadBaselineOrIonRaw(rax, rax, mode, nullptr);
     masm.call(rax);
     uint32_t returnOffset = masm.currentOffset();
     // Remove the rectifier frame.
     masm.pop(r9);             // r9 <- descriptor with FrameType.
     masm.shrq(Imm32(FRAMESIZE_SHIFT), r9);
     masm.pop(r11);            // Discard calleeToken.
     masm.pop(r11);            // Discard numActualArgs.
     masm.addq(r9, rsp);       // Discard pushed arguments.
     masm.ret();
     Linker linker(masm);
     JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
 #ifdef JS_ION_PERF
     writePerfSpewerJitCodeProfile(code, "ArgumentsRectifier");
 #endif
     CodeOffsetLabel returnLabel(returnOffset);
     returnLabel.fixup(&masm);
     if (returnAddrOut)
         *returnAddrOut = (void *) (code->raw() + returnLabel.offset());
     return code;
 }
 static void
 GenerateBailoutThunk(JSContext *cx, MacroAssembler &masm, uint32_t frameClass)
 {
     // Push registers such that we can access them from [base + code].
     masm.PushRegsInMask(AllRegs);
     // Get the stack pointer into a register, pre-alignment.
     masm.movq(rsp, r8);
     // Make space for Bailout's bailoutInfo outparam.
     masm.reserveStack(sizeof(void *));
     masm.movq(rsp, r9);
     // Call the bailout function.
     masm.setupUnalignedABICall(2, rax);
     masm.passABIArg(r8);
     masm.passABIArg(r9);
     masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, Bailout));
     masm.pop(r9); // Get the bailoutInfo outparam.
     // Stack is:
     //     [frame]
     //     snapshotOffset
     //     frameSize
     //     [bailoutFrame]
     //
     // Remove both the bailout frame and the topmost Ion frame's stack.
     static const uint32_t BailoutDataSize = sizeof(void *) * Registers::Total +
                                           sizeof(double) * FloatRegisters::Total;
     masm.addq(Imm32(BailoutDataSize), rsp);
     masm.pop(rcx);
     masm.lea(Operand(rsp, rcx, TimesOne, sizeof(void *)), rsp);
     // Jump to shared bailout tail. The BailoutInfo pointer has to be in r9.
     JitCode *bailoutTail = cx->runtime()->jitRuntime()->getBailoutTail();
     masm.jmp(bailoutTail);
 }
 JitCode *
 JitRuntime::generateBailoutTable(JSContext *cx, uint32_t frameClass)
 {
     MOZ_ASSUME_UNREACHABLE("x64 does not use bailout tables");
 }
 JitCode *
 JitRuntime::generateBailoutHandler(JSContext *cx)
 {
     MacroAssembler masm;
     GenerateBailoutThunk(cx, masm, NO_FRAME_SIZE_CLASS_ID);
     Linker linker(masm);
     JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
 #ifdef JS_ION_PERF
     writePerfSpewerJitCodeProfile(code, "BailoutHandler");
 #endif
     return code;
 }
 JitCode *
 JitRuntime::generateVMWrapper(JSContext *cx, const VMFunction &f)
 {
     JS_ASSERT(!StackKeptAligned);
     JS_ASSERT(functionWrappers_);
     JS_ASSERT(functionWrappers_->initialized());
     VMWrapperMap::AddPtr p = functionWrappers_->lookupForAdd(&f);
     if (p)
         return p->value();
     // Generate a separated code for the wrapper.
     MacroAssembler masm;
     // Avoid conflicts with argument registers while discarding the result after
     // the function call.
     GeneralRegisterSet regs = GeneralRegisterSet(Register::Codes::WrapperMask);
     // Wrapper register set is a superset of Volatile register set.
     JS_STATIC_ASSERT((Register::Codes::VolatileMask & ~Register::Codes::WrapperMask) == 0);
     // The context is the first argument.
     Register cxreg = IntArgReg0;
     regs.take(cxreg);
     // Stack is:
     //    ... frame ...
     //  +12 [args]
     //  +8  descriptor
     //  +0  returnAddress
     //
     // We're aligned to an exit frame, so link it up.
     masm.enterExitFrameAndLoadContext(&f, cxreg, regs.getAny(), f.executionMode);
     // Save the current stack pointer as the base for copying arguments.
     Register argsBase = InvalidReg;
     if (f.explicitArgs) {
         argsBase = r10;
         regs.take(argsBase);
         masm.lea(Operand(rsp,IonExitFrameLayout::SizeWithFooter()), argsBase);
     }
     // Reserve space for the outparameter.
     Register outReg = InvalidReg;
     switch (f.outParam) {
       case Type_Value:
         outReg = regs.takeAny();
         masm.reserveStack(sizeof(Value));
         masm.movq(esp, outReg);
         break;
       case Type_Handle:
         outReg = regs.takeAny();
         masm.PushEmptyRooted(f.outParamRootType);
         masm.movq(esp, outReg);
         break;
       case Type_Int32:
       case Type_Bool:
         outReg = regs.takeAny();
         masm.reserveStack(sizeof(int32_t));
         masm.movq(esp, outReg);
         break;
       case Type_Double:
         outReg = regs.takeAny();
         masm.reserveStack(sizeof(double));
         masm.movq(esp, outReg);
         break;
       case Type_Pointer:
         outReg = regs.takeAny();
         masm.reserveStack(sizeof(uintptr_t));
         masm.movq(esp, outReg);
         break;
       default:
         JS_ASSERT(f.outParam == Type_Void);
         break;
     }
     masm.setupUnalignedABICall(f.argc(), regs.getAny());
     masm.passABIArg(cxreg);
     size_t argDisp = 0;
     // Copy arguments.
     for (uint32_t explicitArg = 0; explicitArg < f.explicitArgs; explicitArg++) {
         MoveOperand from;
         switch (f.argProperties(explicitArg)) {
           case VMFunction::WordByValue:
             if (f.argPassedInFloatReg(explicitArg))
                 masm.passABIArg(MoveOperand(argsBase, argDisp), MoveOp::DOUBLE);
             else
                 masm.passABIArg(MoveOperand(argsBase, argDisp), MoveOp::GENERAL);
             argDisp += sizeof(void *);
             break;
           case VMFunction::WordByRef:
             masm.passABIArg(MoveOperand(argsBase, argDisp, MoveOperand::EFFECTIVE_ADDRESS),
                             MoveOp::GENERAL);
             argDisp += sizeof(void *);
             break;
           case VMFunction::DoubleByValue:
           case VMFunction::DoubleByRef:
             MOZ_ASSUME_UNREACHABLE("NYI: x64 callVM should not be used with 128bits values.");
         }
     }
     // Copy the implicit outparam, if any.
     if (outReg != InvalidReg)
         masm.passABIArg(outReg);
     masm.callWithABI(f.wrapped);
     // Test for failure.
     switch (f.failType()) {
       case Type_Object:
         masm.branchTestPtr(Assembler::Zero, rax, rax, masm.failureLabel(f.executionMode));
         break;
       case Type_Bool:
         masm.testb(rax, rax);
         masm.j(Assembler::Zero, masm.failureLabel(f.executionMode));
         break;
       default:
         MOZ_ASSUME_UNREACHABLE("unknown failure kind");
     }
     // Load the outparam and free any allocated stack.
     switch (f.outParam) {
       case Type_Handle:
         masm.popRooted(f.outParamRootType, ReturnReg, JSReturnOperand);
         break;
       case Type_Value:
         masm.loadValue(Address(esp, 0), JSReturnOperand);
         masm.freeStack(sizeof(Value));
         break;
       case Type_Int32:
         masm.load32(Address(esp, 0), ReturnReg);
         masm.freeStack(sizeof(int32_t));
         break;
       case Type_Bool:
         masm.load8ZeroExtend(Address(esp, 0), ReturnReg);
         masm.freeStack(sizeof(int32_t));
         break;
       case Type_Double:
         JS_ASSERT(cx->runtime()->jitSupportsFloatingPoint);
         masm.loadDouble(Address(esp, 0), ReturnFloatReg);
         masm.freeStack(sizeof(double));
         break;
       case Type_Pointer:
         masm.loadPtr(Address(esp, 0), ReturnReg);
         masm.freeStack(sizeof(uintptr_t));
         break;
       default:
         JS_ASSERT(f.outParam == Type_Void);
         break;
     }
     masm.leaveExitFrame();
     masm.retn(Imm32(sizeof(IonExitFrameLayout) +
                     f.explicitStackSlots() * sizeof(void *) +
                     f.extraValuesToPop * sizeof(Value)));
     Linker linker(masm);
     JitCode *wrapper = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
     if (!wrapper)
         return nullptr;
 #ifdef JS_ION_PERF
     writePerfSpewerJitCodeProfile(wrapper, "VMWrapper");
 #endif
     // linker.newCode may trigger a GC and sweep functionWrappers_ so we have to
     // use relookupOrAdd instead of add.
     if (!functionWrappers_->relookupOrAdd(p, &f, wrapper))
         return nullptr;
     return wrapper;
 }
 JitCode *
 JitRuntime::generatePreBarrier(JSContext *cx, MIRType type)
 {
     MacroAssembler masm;
     RegisterSet regs = RegisterSet(GeneralRegisterSet(Registers::VolatileMask),
                                    FloatRegisterSet(FloatRegisters::VolatileMask));
     masm.PushRegsInMask(regs);
     JS_ASSERT(PreBarrierReg == rdx);
     masm.mov(ImmPtr(cx->runtime()), rcx);
     masm.setupUnalignedABICall(2, rax);
     masm.passABIArg(rcx);
     masm.passABIArg(rdx);
     if (type == MIRType_Value) {
         masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, MarkValueFromIon));
     } else {
         JS_ASSERT(type == MIRType_Shape);
         masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, MarkShapeFromIon));
     }
     masm.PopRegsInMask(regs);
     masm.ret();
     Linker linker(masm);
     JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
 #ifdef JS_ION_PERF
     writePerfSpewerJitCodeProfile(code, "PreBarrier");
 #endif
     return code;
 }
 typedef bool (*HandleDebugTrapFn)(JSContext *, BaselineFrame *, uint8_t *, bool *);
 static const VMFunction HandleDebugTrapInfo = FunctionInfo<HandleDebugTrapFn>(HandleDebugTrap);
 JitCode *
 JitRuntime::generateDebugTrapHandler(JSContext *cx)
 {
     MacroAssembler masm;
     Register scratch1 = rax;
     Register scratch2 = rcx;
     Register scratch3 = rdx;
     // Load the return address in scratch1.
     masm.loadPtr(Address(rsp, 0), scratch1);
     // Load BaselineFrame pointer in scratch2.
     masm.mov(rbp, scratch2);
     masm.subPtr(Imm32(BaselineFrame::Size()), scratch2);
     // Enter a stub frame and call the HandleDebugTrap VM function. Ensure
     // the stub frame has a nullptr ICStub pointer, since this pointer is marked
     // during GC.
     masm.movePtr(ImmPtr(nullptr), BaselineStubReg);
     EmitEnterStubFrame(masm, scratch3);
     JitCode *code = cx->runtime()->jitRuntime()->getVMWrapper(HandleDebugTrapInfo);
     if (!code)
         return nullptr;
     masm.push(scratch1);
     masm.push(scratch2);
     EmitCallVM(code, masm);
     EmitLeaveStubFrame(masm);
     // If the stub returns |true|, we have to perform a forced return
     // (return from the JS frame). If the stub returns |false|, just return
     // from the trap stub so that execution continues at the current pc.
     Label forcedReturn;
     masm.branchTest32(Assembler::NonZero, ReturnReg, ReturnReg, &forcedReturn);
     masm.ret();
     masm.bind(&forcedReturn);
     masm.loadValue(Address(ebp, BaselineFrame::reverseOffsetOfReturnValue()),
                    JSReturnOperand);
     masm.mov(rbp, rsp);
     masm.pop(rbp);
     masm.ret();
     Linker linker(masm);
     JitCode *codeDbg = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
 #ifdef JS_ION_PERF
     writePerfSpewerJitCodeProfile(codeDbg, "DebugTrapHandler");
 #endif
     return codeDbg;
 }
 JitCode *
 JitRuntime::generateExceptionTailStub(JSContext *cx)
 {
     MacroAssembler masm;
     masm.handleFailureWithHandlerTail();
     Linker linker(masm);
     JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
 #ifdef JS_ION_PERF
     writePerfSpewerJitCodeProfile(code, "ExceptionTailStub");
 #endif
     return code;
 }
 JitCode *
 JitRuntime::generateBailoutTailStub(JSContext *cx)
 {
     MacroAssembler masm;
     masm.generateBailoutTail(rdx, r9);
     Linker linker(masm);
     JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
 #ifdef JS_ION_PERF
     writePerfSpewerJitCodeProfile(code, "BailoutTailStub");
 #endif
     return code;
 }

The Tor Browser / annotate

js/src/jit/x64/Trampoline-x64.cpp@6474c204b198 (annotated)

js/src/jit/x64/Trampoline-x64.cpp