The Tor Browser: comparison js/src/jit/CodeGenerator.cpp

--1:000000000000
+:af4acada65d1
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+* vim: set ts=8 sts=4 et sw=4 tw=99:
+* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "jit/CodeGenerator.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Attributes.h"
+#include "mozilla/DebugOnly.h"
+#include "jslibmath.h"
+#include "jsmath.h"
+#include "jsnum.h"
+#include "jsprf.h"
+#include "builtin/Eval.h"
+#include "builtin/TypedObject.h"
+#ifdef JSGC_GENERATIONAL
+# include "gc/Nursery.h"
+#endif
+#include "jit/IonCaches.h"
+#include "jit/IonLinker.h"
+#include "jit/IonOptimizationLevels.h"
+#include "jit/IonSpewer.h"
+#include "jit/MIRGenerator.h"
+#include "jit/MoveEmitter.h"
+#include "jit/ParallelFunctions.h"
+#include "jit/ParallelSafetyAnalysis.h"
+#include "jit/RangeAnalysis.h"
+#include "vm/ForkJoin.h"
+#include "vm/TraceLogging.h"
+#include "jsboolinlines.h"
+#include "jit/ExecutionMode-inl.h"
+#include "jit/shared/CodeGenerator-shared-inl.h"
+#include "vm/Interpreter-inl.h"
+using namespace js;
+using namespace js::jit;
+using mozilla::DebugOnly;
+using mozilla::FloatingPoint;
+using mozilla::Maybe;
+using mozilla::NegativeInfinity;
+using mozilla::PositiveInfinity;
+using JS::GenericNaN;
+namespace js {
+namespace jit {
+// This out-of-line cache is used to do a double dispatch including it-self and
+// the wrapped IonCache.
+class OutOfLineUpdateCache :
+public OutOfLineCodeBase<CodeGenerator>,
+public IonCacheVisitor
+{
+private:
+LInstruction *lir_;
+size_t cacheIndex_;
+AddCacheState state_;
+public:
+OutOfLineUpdateCache(LInstruction *lir, size_t cacheIndex)
+: lir_(lir),
+cacheIndex_(cacheIndex)
+{ }
+void bind(MacroAssembler *masm) {
+// The binding of the initial jump is done in
+// CodeGenerator::visitOutOfLineCache.
+}
+size_t getCacheIndex() const {
+return cacheIndex_;
+}
+LInstruction *lir() const {
+return lir_;
+}
+AddCacheState &state() {
+return state_;
+}
+bool accept(CodeGenerator *codegen) {
+return codegen->visitOutOfLineCache(this);
+}
+// ICs' visit functions delegating the work to the CodeGen visit funtions.
+#define VISIT_CACHE_FUNCTION(op)                                        \
+bool visit##op##IC(CodeGenerator *codegen) {                        \
+CodeGenerator::DataPtr<op##IC> ic(codegen, getCacheIndex());    \
+return codegen->visit##op##IC(this, ic);                        \
+}
+IONCACHE_KIND_LIST(VISIT_CACHE_FUNCTION)
+#undef VISIT_CACHE_FUNCTION
+};
+// This function is declared here because it needs to instantiate an
+// OutOfLineUpdateCache, but we want to keep it visible inside the
+// CodeGeneratorShared such as we can specialize inline caches in function of
+// the architecture.
+bool
+CodeGeneratorShared::addCache(LInstruction *lir, size_t cacheIndex)
+{
+if (cacheIndex == SIZE_MAX)
+return false;
+DataPtr<IonCache> cache(this, cacheIndex);
+MInstruction *mir = lir->mirRaw()->toInstruction();
+if (mir->resumePoint())
+cache->setScriptedLocation(mir->block()->info().script(),
+mir->resumePoint()->pc());
+else
+cache->setIdempotent();
+OutOfLineUpdateCache *ool = new(alloc()) OutOfLineUpdateCache(lir, cacheIndex);
+if (!addOutOfLineCode(ool))
+return false;
+// OOL-specific state depends on the type of cache.
+cache->initializeAddCacheState(lir, &ool->state());
+cache->emitInitialJump(masm, ool->state());
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitOutOfLineCache(OutOfLineUpdateCache *ool)
+{
+DataPtr<IonCache> cache(this, ool->getCacheIndex());
+// Register the location of the OOL path in the IC.
+cache->setFallbackLabel(masm.labelForPatch());
+cache->bindInitialJump(masm, ool->state());
+// Dispatch to ICs' accept functions.
+return cache->accept(this, ool);
+}
+StringObject *
+MNewStringObject::templateObj() const {
+return &templateObj_->as<StringObject>();
+}
+CodeGenerator::CodeGenerator(MIRGenerator *gen, LIRGraph *graph, MacroAssembler *masm)
+: CodeGeneratorSpecific(gen, graph, masm)
+, ionScriptLabels_(gen->alloc())
+{
+}
+CodeGenerator::~CodeGenerator()
+{
+JS_ASSERT_IF(!gen->compilingAsmJS(), masm.numAsmJSAbsoluteLinks() == 0);
+}
+typedef bool (*StringToNumberFn)(ThreadSafeContext *, JSString *, double *);
+typedef bool (*StringToNumberParFn)(ForkJoinContext *, JSString *, double *);
+static const VMFunctionsModal StringToNumberInfo = VMFunctionsModal(
+FunctionInfo<StringToNumberFn>(StringToNumber),
+FunctionInfo<StringToNumberParFn>(StringToNumberPar));
+bool
+CodeGenerator::visitValueToInt32(LValueToInt32 *lir)
+{
+ValueOperand operand = ToValue(lir, LValueToInt32::Input);
+Register output = ToRegister(lir->output());
+FloatRegister temp = ToFloatRegister(lir->tempFloat());
+MDefinition *input;
+if (lir->mode() == LValueToInt32::NORMAL)
+input = lir->mirNormal()->input();
+else
+input = lir->mirTruncate()->input();
+Label fails;
+if (lir->mode() == LValueToInt32::TRUNCATE) {
+OutOfLineCode *oolDouble = oolTruncateDouble(temp, output);
+if (!oolDouble)
+return false;
+// We can only handle strings in truncation contexts, like bitwise
+// operations.
+Label *stringEntry, *stringRejoin;
+Register stringReg;
+if (input->mightBeType(MIRType_String)) {
+stringReg = ToRegister(lir->temp());
+OutOfLineCode *oolString = oolCallVM(StringToNumberInfo, lir, (ArgList(), stringReg),
+StoreFloatRegisterTo(temp));
+if (!oolString)
+return false;
+stringEntry = oolString->entry();
+stringRejoin = oolString->rejoin();
+} else {
+stringReg = InvalidReg;
+stringEntry = nullptr;
+stringRejoin = nullptr;
+}
+masm.truncateValueToInt32(operand, input, stringEntry, stringRejoin, oolDouble->entry(),
+stringReg, temp, output, &fails);
+masm.bind(oolDouble->rejoin());
+} else {
+masm.convertValueToInt32(operand, input, temp, output, &fails,
+lir->mirNormal()->canBeNegativeZero(),
+lir->mirNormal()->conversion());
+}
+return bailoutFrom(&fails, lir->snapshot());
+}
+bool
+CodeGenerator::visitValueToDouble(LValueToDouble *lir)
+{
+MToDouble *mir = lir->mir();
+ValueOperand operand = ToValue(lir, LValueToDouble::Input);
+FloatRegister output = ToFloatRegister(lir->output());
+Register tag = masm.splitTagForTest(operand);
+Label isDouble, isInt32, isBool, isNull, isUndefined, done;
+bool hasBoolean = false, hasNull = false, hasUndefined = false;
+masm.branchTestDouble(Assembler::Equal, tag, &isDouble);
+masm.branchTestInt32(Assembler::Equal, tag, &isInt32);
+if (mir->conversion() != MToDouble::NumbersOnly) {
+masm.branchTestBoolean(Assembler::Equal, tag, &isBool);
+masm.branchTestUndefined(Assembler::Equal, tag, &isUndefined);
+hasBoolean = true;
+hasUndefined = true;
+if (mir->conversion() != MToDouble::NonNullNonStringPrimitives) {
+masm.branchTestNull(Assembler::Equal, tag, &isNull);
+hasNull = true;
+}
+}
+if (!bailout(lir->snapshot()))
+return false;
+if (hasNull) {
+masm.bind(&isNull);
+masm.loadConstantDouble(0.0, output);
+masm.jump(&done);
+}
+if (hasUndefined) {
+masm.bind(&isUndefined);
+masm.loadConstantDouble(GenericNaN(), output);
+masm.jump(&done);
+}
+if (hasBoolean) {
+masm.bind(&isBool);
+masm.boolValueToDouble(operand, output);
+masm.jump(&done);
+}
+masm.bind(&isInt32);
+masm.int32ValueToDouble(operand, output);
+masm.jump(&done);
+masm.bind(&isDouble);
+masm.unboxDouble(operand, output);
+masm.bind(&done);
+return true;
+}
+bool
+CodeGenerator::visitValueToFloat32(LValueToFloat32 *lir)
+{
+MToFloat32 *mir = lir->mir();
+ValueOperand operand = ToValue(lir, LValueToFloat32::Input);
+FloatRegister output = ToFloatRegister(lir->output());
+Register tag = masm.splitTagForTest(operand);
+Label isDouble, isInt32, isBool, isNull, isUndefined, done;
+bool hasBoolean = false, hasNull = false, hasUndefined = false;
+masm.branchTestDouble(Assembler::Equal, tag, &isDouble);
+masm.branchTestInt32(Assembler::Equal, tag, &isInt32);
+if (mir->conversion() != MToFloat32::NumbersOnly) {
+masm.branchTestBoolean(Assembler::Equal, tag, &isBool);
+masm.branchTestUndefined(Assembler::Equal, tag, &isUndefined);
+hasBoolean = true;
+hasUndefined = true;
+if (mir->conversion() != MToFloat32::NonNullNonStringPrimitives) {
+masm.branchTestNull(Assembler::Equal, tag, &isNull);
+hasNull = true;
+}
+}
+if (!bailout(lir->snapshot()))
+return false;
+if (hasNull) {
+masm.bind(&isNull);
+masm.loadConstantFloat32(0.0f, output);
+masm.jump(&done);
+}
+if (hasUndefined) {
+masm.bind(&isUndefined);
+masm.loadConstantFloat32(float(GenericNaN()), output);
+masm.jump(&done);
+}
+if (hasBoolean) {
+masm.bind(&isBool);
+masm.boolValueToFloat32(operand, output);
+masm.jump(&done);
+}
+masm.bind(&isInt32);
+masm.int32ValueToFloat32(operand, output);
+masm.jump(&done);
+masm.bind(&isDouble);
+masm.unboxDouble(operand, output);
+masm.convertDoubleToFloat32(output, output);
+masm.bind(&done);
+return true;
+}
+bool
+CodeGenerator::visitInt32ToDouble(LInt32ToDouble *lir)
+{
+masm.convertInt32ToDouble(ToRegister(lir->input()), ToFloatRegister(lir->output()));
+return true;
+}
+bool
+CodeGenerator::visitFloat32ToDouble(LFloat32ToDouble *lir)
+{
+masm.convertFloat32ToDouble(ToFloatRegister(lir->input()), ToFloatRegister(lir->output()));
+return true;
+}
+bool
+CodeGenerator::visitDoubleToFloat32(LDoubleToFloat32 *lir)
+{
+masm.convertDoubleToFloat32(ToFloatRegister(lir->input()), ToFloatRegister(lir->output()));
+return true;
+}
+bool
+CodeGenerator::visitInt32ToFloat32(LInt32ToFloat32 *lir)
+{
+masm.convertInt32ToFloat32(ToRegister(lir->input()), ToFloatRegister(lir->output()));
+return true;
+}
+bool
+CodeGenerator::visitDoubleToInt32(LDoubleToInt32 *lir)
+{
+Label fail;
+FloatRegister input = ToFloatRegister(lir->input());
+Register output = ToRegister(lir->output());
+masm.convertDoubleToInt32(input, output, &fail, lir->mir()->canBeNegativeZero());
+if (!bailoutFrom(&fail, lir->snapshot()))
+return false;
+return true;
+}
+bool
+CodeGenerator::visitFloat32ToInt32(LFloat32ToInt32 *lir)
+{
+Label fail;
+FloatRegister input = ToFloatRegister(lir->input());
+Register output = ToRegister(lir->output());
+masm.convertFloat32ToInt32(input, output, &fail, lir->mir()->canBeNegativeZero());
+if (!bailoutFrom(&fail, lir->snapshot()))
+return false;
+return true;
+}
+void
+CodeGenerator::emitOOLTestObject(Register objreg,
+Label *ifEmulatesUndefined,
+Label *ifDoesntEmulateUndefined,
+Register scratch)
+{
+saveVolatile(scratch);
+masm.setupUnalignedABICall(1, scratch);
+masm.passABIArg(objreg);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, js::EmulatesUndefined));
+masm.storeCallResult(scratch);
+restoreVolatile(scratch);
+masm.branchIfTrueBool(scratch, ifEmulatesUndefined);
+masm.jump(ifDoesntEmulateUndefined);
+}
+// Base out-of-line code generator for all tests of the truthiness of an
+// object, where the object might not be truthy.  (Recall that per spec all
+// objects are truthy, but we implement the JSCLASS_EMULATES_UNDEFINED class
+// flag to permit objects to look like |undefined| in certain contexts,
+// including in object truthiness testing.)  We check truthiness inline except
+// when we're testing it on a proxy (or if TI guarantees us that the specified
+// object will never emulate |undefined|), in which case out-of-line code will
+// call EmulatesUndefined for a conclusive answer.
+class OutOfLineTestObject : public OutOfLineCodeBase<CodeGenerator>
+{
+Register objreg_;
+Register scratch_;
+Label *ifEmulatesUndefined_;
+Label *ifDoesntEmulateUndefined_;
+#ifdef DEBUG
+bool initialized() { return ifEmulatesUndefined_ != nullptr; }
+#endif
+public:
+OutOfLineTestObject()
+#ifdef DEBUG
+: ifEmulatesUndefined_(nullptr), ifDoesntEmulateUndefined_(nullptr)
+#endif
+{ }
+bool accept(CodeGenerator *codegen) MOZ_FINAL MOZ_OVERRIDE {
+MOZ_ASSERT(initialized());
+codegen->emitOOLTestObject(objreg_, ifEmulatesUndefined_, ifDoesntEmulateUndefined_,
+scratch_);
+return true;
+}
+// Specify the register where the object to be tested is found, labels to
+// jump to if the object is truthy or falsy, and a scratch register for
+// use in the out-of-line path.
+void setInputAndTargets(Register objreg, Label *ifEmulatesUndefined, Label *ifDoesntEmulateUndefined,
+Register scratch)
+{
+MOZ_ASSERT(!initialized());
+MOZ_ASSERT(ifEmulatesUndefined);
+objreg_ = objreg;
+scratch_ = scratch;
+ifEmulatesUndefined_ = ifEmulatesUndefined;
+ifDoesntEmulateUndefined_ = ifDoesntEmulateUndefined;
+}
+};
+// A subclass of OutOfLineTestObject containing two extra labels, for use when
+// the ifTruthy/ifFalsy labels are needed in inline code as well as out-of-line
+// code.  The user should bind these labels in inline code, and specify them as
+// targets via setInputAndTargets, as appropriate.
+class OutOfLineTestObjectWithLabels : public OutOfLineTestObject
+{
+Label label1_;
+Label label2_;
+public:
+OutOfLineTestObjectWithLabels() { }
+Label *label1() { return &label1_; }
+Label *label2() { return &label2_; }
+};
+void
+CodeGenerator::testObjectEmulatesUndefinedKernel(Register objreg,
+Label *ifEmulatesUndefined,
+Label *ifDoesntEmulateUndefined,
+Register scratch, OutOfLineTestObject *ool)
+{
+ool->setInputAndTargets(objreg, ifEmulatesUndefined, ifDoesntEmulateUndefined, scratch);
+// Perform a fast-path check of the object's class flags if the object's
+// not a proxy.  Let out-of-line code handle the slow cases that require
+// saving registers, making a function call, and restoring registers.
+masm.branchTestObjectTruthy(false, objreg, scratch, ool->entry(), ifEmulatesUndefined);
+}
+void
+CodeGenerator::branchTestObjectEmulatesUndefined(Register objreg,
+Label *ifEmulatesUndefined,
+Label *ifDoesntEmulateUndefined,
+Register scratch, OutOfLineTestObject *ool)
+{
+MOZ_ASSERT(!ifDoesntEmulateUndefined->bound(),
+"ifDoesntEmulateUndefined will be bound to the fallthrough path");
+testObjectEmulatesUndefinedKernel(objreg, ifEmulatesUndefined, ifDoesntEmulateUndefined,
+scratch, ool);
+masm.bind(ifDoesntEmulateUndefined);
+}
+void
+CodeGenerator::testObjectEmulatesUndefined(Register objreg,
+Label *ifEmulatesUndefined,
+Label *ifDoesntEmulateUndefined,
+Register scratch, OutOfLineTestObject *ool)
+{
+testObjectEmulatesUndefinedKernel(objreg, ifEmulatesUndefined, ifDoesntEmulateUndefined,
+scratch, ool);
+masm.jump(ifDoesntEmulateUndefined);
+}
+void
+CodeGenerator::testValueTruthyKernel(const ValueOperand &value,
+const LDefinition *scratch1, const LDefinition *scratch2,
+FloatRegister fr,
+Label *ifTruthy, Label *ifFalsy,
+OutOfLineTestObject *ool)
+{
+Register tag = masm.splitTagForTest(value);
+// Eventually we will want some sort of type filter here. For now, just
+// emit all easy cases. For speed we use the cached tag for all comparison,
+// except for doubles, which we test last (as the operation can clobber the
+// tag, which may be in ScratchReg).
+masm.branchTestUndefined(Assembler::Equal, tag, ifFalsy);
+masm.branchTestNull(Assembler::Equal, tag, ifFalsy);
+Label notBoolean;
+masm.branchTestBoolean(Assembler::NotEqual, tag, &notBoolean);
+masm.branchTestBooleanTruthy(false, value, ifFalsy);
+masm.jump(ifTruthy);
+masm.bind(&notBoolean);
+Label notInt32;
+masm.branchTestInt32(Assembler::NotEqual, tag, &notInt32);
+masm.branchTestInt32Truthy(false, value, ifFalsy);
+masm.jump(ifTruthy);
+masm.bind(&notInt32);
+if (ool) {
+Label notObject;
+masm.branchTestObject(Assembler::NotEqual, tag, &notObject);
+Register objreg = masm.extractObject(value, ToRegister(scratch1));
+testObjectEmulatesUndefined(objreg, ifFalsy, ifTruthy, ToRegister(scratch2), ool);
+masm.bind(&notObject);
+} else {
+masm.branchTestObject(Assembler::Equal, tag, ifTruthy);
+}
+// Test if a string is non-empty.
+Label notString;
+masm.branchTestString(Assembler::NotEqual, tag, &notString);
+masm.branchTestStringTruthy(false, value, ifFalsy);
+masm.jump(ifTruthy);
+masm.bind(&notString);
+// If we reach here the value is a double.
+masm.unboxDouble(value, fr);
+masm.branchTestDoubleTruthy(false, fr, ifFalsy);
+// Fall through for truthy.
+}
+void
+CodeGenerator::testValueTruthy(const ValueOperand &value,
+const LDefinition *scratch1, const LDefinition *scratch2,
+FloatRegister fr,
+Label *ifTruthy, Label *ifFalsy,
+OutOfLineTestObject *ool)
+{
+testValueTruthyKernel(value, scratch1, scratch2, fr, ifTruthy, ifFalsy, ool);
+masm.jump(ifTruthy);
+}
+Label *
+CodeGenerator::getJumpLabelForBranch(MBasicBlock *block)
+{
+if (!labelForBackedgeWithImplicitCheck(block))
+return block->lir()->label();
+// We need to use a patchable jump for this backedge, but want to treat
+// this as a normal label target to simplify codegen. Efficiency isn't so
+// important here as these tests are extremely unlikely to be used in loop
+// backedges, so emit inline code for the patchable jump. Heap allocating
+// the label allows it to be used by out of line blocks.
+Label *res = GetIonContext()->temp->lifoAlloc()->new_<Label>();
+Label after;
+masm.jump(&after);
+masm.bind(res);
+jumpToBlock(block);
+masm.bind(&after);
+return res;
+}
+bool
+CodeGenerator::visitTestOAndBranch(LTestOAndBranch *lir)
+{
+MOZ_ASSERT(lir->mir()->operandMightEmulateUndefined(),
+"Objects which can't emulate undefined should have been constant-folded");
+OutOfLineTestObject *ool = new(alloc()) OutOfLineTestObject();
+if (!addOutOfLineCode(ool))
+return false;
+Label *truthy = getJumpLabelForBranch(lir->ifTruthy());
+Label *falsy = getJumpLabelForBranch(lir->ifFalsy());
+testObjectEmulatesUndefined(ToRegister(lir->input()), falsy, truthy,
+ToRegister(lir->temp()), ool);
+return true;
+}
+bool
+CodeGenerator::visitTestVAndBranch(LTestVAndBranch *lir)
+{
+OutOfLineTestObject *ool = nullptr;
+if (lir->mir()->operandMightEmulateUndefined()) {
+ool = new(alloc()) OutOfLineTestObject();
+if (!addOutOfLineCode(ool))
+return false;
+}
+Label *truthy = getJumpLabelForBranch(lir->ifTruthy());
+Label *falsy = getJumpLabelForBranch(lir->ifFalsy());
+testValueTruthy(ToValue(lir, LTestVAndBranch::Input),
+lir->temp1(), lir->temp2(),
+ToFloatRegister(lir->tempFloat()),
+truthy, falsy, ool);
+return true;
+}
+bool
+CodeGenerator::visitFunctionDispatch(LFunctionDispatch *lir)
+{
+MFunctionDispatch *mir = lir->mir();
+Register input = ToRegister(lir->input());
+Label *lastLabel;
+size_t casesWithFallback;
+// Determine if the last case is fallback or an ordinary case.
+if (!mir->hasFallback()) {
+JS_ASSERT(mir->numCases() > 0);
+casesWithFallback = mir->numCases();
+lastLabel = mir->getCaseBlock(mir->numCases() - 1)->lir()->label();
+} else {
+casesWithFallback = mir->numCases() + 1;
+lastLabel = mir->getFallback()->lir()->label();
+}
+// Compare function pointers, except for the last case.
+for (size_t i = 0; i < casesWithFallback - 1; i++) {
+JS_ASSERT(i < mir->numCases());
+JSFunction *func = mir->getCase(i);
+LBlock *target = mir->getCaseBlock(i)->lir();
+masm.branchPtr(Assembler::Equal, input, ImmGCPtr(func), target->label());
+}
+// Jump to the last case.
+masm.jump(lastLabel);
+return true;
+}
+bool
+CodeGenerator::visitTypeObjectDispatch(LTypeObjectDispatch *lir)
+{
+MTypeObjectDispatch *mir = lir->mir();
+Register input = ToRegister(lir->input());
+Register temp = ToRegister(lir->temp());
+// Hold the incoming TypeObject.
+masm.loadPtr(Address(input, JSObject::offsetOfType()), temp);
+// Compare TypeObjects.
+InlinePropertyTable *propTable = mir->propTable();
+for (size_t i = 0; i < mir->numCases(); i++) {
+JSFunction *func = mir->getCase(i);
+LBlock *target = mir->getCaseBlock(i)->lir();
+DebugOnly<bool> found = false;
+for (size_t j = 0; j < propTable->numEntries(); j++) {
+if (propTable->getFunction(j) != func)
+continue;
+types::TypeObject *typeObj = propTable->getTypeObject(j);
+masm.branchPtr(Assembler::Equal, temp, ImmGCPtr(typeObj), target->label());
+found = true;
+}
+JS_ASSERT(found);
+}
+// Unknown function: jump to fallback block.
+LBlock *fallback = mir->getFallback()->lir();
+masm.jump(fallback->label());
+return true;
+}
+bool
+CodeGenerator::visitBooleanToString(LBooleanToString *lir)
+{
+Register input = ToRegister(lir->input());
+Register output = ToRegister(lir->output());
+const JSAtomState &names = GetIonContext()->runtime->names();
+Label true_, done;
+masm.branchTest32(Assembler::NonZero, input, input, &true_);
+masm.movePtr(ImmGCPtr(names.false_), output);
+masm.jump(&done);
+masm.bind(&true_);
+masm.movePtr(ImmGCPtr(names.true_), output);
+masm.bind(&done);
+return true;
+}
+void
+CodeGenerator::emitIntToString(Register input, Register output, Label *ool)
+{
+masm.branch32(Assembler::AboveOrEqual, input, Imm32(StaticStrings::INT_STATIC_LIMIT), ool);
+// Fast path for small integers.
+masm.movePtr(ImmPtr(&GetIonContext()->runtime->staticStrings().intStaticTable), output);
+masm.loadPtr(BaseIndex(output, input, ScalePointer), output);
+}
+typedef JSFlatString *(*IntToStringFn)(ThreadSafeContext *, int);
+typedef JSFlatString *(*IntToStringParFn)(ForkJoinContext *, int);
+static const VMFunctionsModal IntToStringInfo = VMFunctionsModal(
+FunctionInfo<IntToStringFn>(Int32ToString<CanGC>),
+FunctionInfo<IntToStringParFn>(IntToStringPar));
+bool
+CodeGenerator::visitIntToString(LIntToString *lir)
+{
+Register input = ToRegister(lir->input());
+Register output = ToRegister(lir->output());
+OutOfLineCode *ool = oolCallVM(IntToStringInfo, lir, (ArgList(), input),
+StoreRegisterTo(output));
+if (!ool)
+return false;
+emitIntToString(input, output, ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+typedef JSString *(*DoubleToStringFn)(ThreadSafeContext *, double);
+typedef JSString *(*DoubleToStringParFn)(ForkJoinContext *, double);
+static const VMFunctionsModal DoubleToStringInfo = VMFunctionsModal(
+FunctionInfo<DoubleToStringFn>(NumberToString<CanGC>),
+FunctionInfo<DoubleToStringParFn>(DoubleToStringPar));
+bool
+CodeGenerator::visitDoubleToString(LDoubleToString *lir)
+{
+FloatRegister input = ToFloatRegister(lir->input());
+Register temp = ToRegister(lir->tempInt());
+Register output = ToRegister(lir->output());
+OutOfLineCode *ool = oolCallVM(DoubleToStringInfo, lir, (ArgList(), input),
+StoreRegisterTo(output));
+if (!ool)
+return false;
+// Try double to integer conversion and run integer to string code.
+masm.convertDoubleToInt32(input, temp, ool->entry(), true);
+emitIntToString(temp, output, ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+typedef JSString *(*PrimitiveToStringFn)(JSContext *, HandleValue);
+typedef JSString *(*PrimitiveToStringParFn)(ForkJoinContext *, HandleValue);
+static const VMFunctionsModal PrimitiveToStringInfo = VMFunctionsModal(
+FunctionInfo<PrimitiveToStringFn>(ToStringSlow),
+FunctionInfo<PrimitiveToStringParFn>(PrimitiveToStringPar));
+bool
+CodeGenerator::visitPrimitiveToString(LPrimitiveToString *lir)
+{
+ValueOperand input = ToValue(lir, LPrimitiveToString::Input);
+Register output = ToRegister(lir->output());
+OutOfLineCode *ool = oolCallVM(PrimitiveToStringInfo, lir, (ArgList(), input),
+StoreRegisterTo(output));
+if (!ool)
+return false;
+Label done;
+Register tag = masm.splitTagForTest(input);
+const JSAtomState &names = GetIonContext()->runtime->names();
+// String
+if (lir->mir()->input()->mightBeType(MIRType_String)) {
+Label notString;
+masm.branchTestString(Assembler::NotEqual, tag, &notString);
+masm.unboxString(input, output);
+masm.jump(&done);
+masm.bind(&notString);
+}
+// Integer
+if (lir->mir()->input()->mightBeType(MIRType_Int32)) {
+Label notInteger;
+masm.branchTestInt32(Assembler::NotEqual, tag, &notInteger);
+Register unboxed = ToTempUnboxRegister(lir->tempToUnbox());
+unboxed = masm.extractInt32(input, unboxed);
+emitIntToString(unboxed, output, ool->entry());
+masm.jump(&done);
+masm.bind(&notInteger);
+}
+// Double
+if (lir->mir()->input()->mightBeType(MIRType_Double)) {
+// Note: no fastpath. Need two extra registers and can only convert doubles
+// that fit integers and are smaller than StaticStrings::INT_STATIC_LIMIT.
+masm.branchTestDouble(Assembler::Equal, tag, ool->entry());
+}
+// Undefined
+if (lir->mir()->input()->mightBeType(MIRType_Undefined)) {
+Label notUndefined;
+masm.branchTestUndefined(Assembler::NotEqual, tag, &notUndefined);
+masm.movePtr(ImmGCPtr(names.undefined), output);
+masm.jump(&done);
+masm.bind(&notUndefined);
+}
+// Null
+if (lir->mir()->input()->mightBeType(MIRType_Null)) {
+Label notNull;
+masm.branchTestNull(Assembler::NotEqual, tag, &notNull);
+masm.movePtr(ImmGCPtr(names.null), output);
+masm.jump(&done);
+masm.bind(&notNull);
+}
+// Boolean
+if (lir->mir()->input()->mightBeType(MIRType_Boolean)) {
+Label notBoolean, true_;
+masm.branchTestBoolean(Assembler::NotEqual, tag, &notBoolean);
+masm.branchTestBooleanTruthy(true, input, &true_);
+masm.movePtr(ImmGCPtr(names.false_), output);
+masm.jump(&done);
+masm.bind(&true_);
+masm.movePtr(ImmGCPtr(names.true_), output);
+masm.jump(&done);
+masm.bind(&notBoolean);
+}
+#ifdef DEBUG
+// Objects are not supported or we see a type that wasn't accounted for.
+masm.assumeUnreachable("Unexpected type for MPrimitiveToString.");
+#endif
+masm.bind(&done);
+masm.bind(ool->rejoin());
+return true;
+}
+typedef JSObject *(*CloneRegExpObjectFn)(JSContext *, JSObject *);
+static const VMFunction CloneRegExpObjectInfo =
+FunctionInfo<CloneRegExpObjectFn>(CloneRegExpObject);
+bool
+CodeGenerator::visitRegExp(LRegExp *lir)
+{
+pushArg(ImmGCPtr(lir->mir()->source()));
+return callVM(CloneRegExpObjectInfo, lir);
+}
+typedef bool (*RegExpExecRawFn)(JSContext *cx, HandleObject regexp,
+HandleString input, MutableHandleValue output);
+static const VMFunction RegExpExecRawInfo = FunctionInfo<RegExpExecRawFn>(regexp_exec_raw);
+bool
+CodeGenerator::visitRegExpExec(LRegExpExec *lir)
+{
+pushArg(ToRegister(lir->string()));
+pushArg(ToRegister(lir->regexp()));
+return callVM(RegExpExecRawInfo, lir);
+}
+typedef bool (*RegExpTestRawFn)(JSContext *cx, HandleObject regexp,
+HandleString input, bool *result);
+static const VMFunction RegExpTestRawInfo = FunctionInfo<RegExpTestRawFn>(regexp_test_raw);
+bool
+CodeGenerator::visitRegExpTest(LRegExpTest *lir)
+{
+pushArg(ToRegister(lir->string()));
+pushArg(ToRegister(lir->regexp()));
+return callVM(RegExpTestRawInfo, lir);
+}
+typedef JSString *(*RegExpReplaceFn)(JSContext *, HandleString, HandleObject, HandleString);
+static const VMFunction RegExpReplaceInfo = FunctionInfo<RegExpReplaceFn>(RegExpReplace);
+bool
+CodeGenerator::visitRegExpReplace(LRegExpReplace *lir)
+{
+if (lir->replacement()->isConstant())
+pushArg(ImmGCPtr(lir->replacement()->toConstant()->toString()));
+else
+pushArg(ToRegister(lir->replacement()));
+pushArg(ToRegister(lir->pattern()));
+if (lir->string()->isConstant())
+pushArg(ImmGCPtr(lir->string()->toConstant()->toString()));
+else
+pushArg(ToRegister(lir->string()));
+return callVM(RegExpReplaceInfo, lir);
+}
+typedef JSString *(*StringReplaceFn)(JSContext *, HandleString, HandleString, HandleString);
+static const VMFunction StringReplaceInfo = FunctionInfo<StringReplaceFn>(StringReplace);
+bool
+CodeGenerator::visitStringReplace(LStringReplace *lir)
+{
+if (lir->replacement()->isConstant())
+pushArg(ImmGCPtr(lir->replacement()->toConstant()->toString()));
+else
+pushArg(ToRegister(lir->replacement()));
+if (lir->pattern()->isConstant())
+pushArg(ImmGCPtr(lir->pattern()->toConstant()->toString()));
+else
+pushArg(ToRegister(lir->pattern()));
+if (lir->string()->isConstant())
+pushArg(ImmGCPtr(lir->string()->toConstant()->toString()));
+else
+pushArg(ToRegister(lir->string()));
+return callVM(StringReplaceInfo, lir);
+}
+typedef JSObject *(*LambdaFn)(JSContext *, HandleFunction, HandleObject);
+static const VMFunction LambdaInfo = FunctionInfo<LambdaFn>(js::Lambda);
+bool
+CodeGenerator::visitLambdaForSingleton(LLambdaForSingleton *lir)
+{
+pushArg(ToRegister(lir->scopeChain()));
+pushArg(ImmGCPtr(lir->mir()->info().fun));
+return callVM(LambdaInfo, lir);
+}
+bool
+CodeGenerator::visitLambda(LLambda *lir)
+{
+Register scopeChain = ToRegister(lir->scopeChain());
+Register output = ToRegister(lir->output());
+Register tempReg = ToRegister(lir->temp());
+const LambdaFunctionInfo &info = lir->mir()->info();
+OutOfLineCode *ool = oolCallVM(LambdaInfo, lir, (ArgList(), ImmGCPtr(info.fun), scopeChain),
+StoreRegisterTo(output));
+if (!ool)
+return false;
+JS_ASSERT(!info.singletonType);
+masm.newGCThing(output, tempReg, info.fun, ool->entry(), gc::DefaultHeap);
+masm.initGCThing(output, tempReg, info.fun);
+emitLambdaInit(output, scopeChain, info);
+masm.bind(ool->rejoin());
+return true;
+}
+typedef JSObject *(*LambdaArrowFn)(JSContext *, HandleFunction, HandleObject, HandleValue);
+static const VMFunction LambdaArrowInfo = FunctionInfo<LambdaArrowFn>(js::LambdaArrow);
+bool
+CodeGenerator::visitLambdaArrow(LLambdaArrow *lir)
+{
+Register scopeChain = ToRegister(lir->scopeChain());
+ValueOperand thisv = ToValue(lir, LLambdaArrow::ThisValue);
+Register output = ToRegister(lir->output());
+Register tempReg = ToRegister(lir->temp());
+const LambdaFunctionInfo &info = lir->mir()->info();
+OutOfLineCode *ool = oolCallVM(LambdaArrowInfo, lir,
+(ArgList(), ImmGCPtr(info.fun), scopeChain, thisv),
+StoreRegisterTo(output));
+if (!ool)
+return false;
+MOZ_ASSERT(!info.useNewTypeForClone);
+if (info.singletonType) {
+// If the function has a singleton type, this instruction will only be
+// executed once so we don't bother inlining it.
+masm.jump(ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+masm.newGCThing(output, tempReg, info.fun, ool->entry(), gc::DefaultHeap);
+masm.initGCThing(output, tempReg, info.fun);
+emitLambdaInit(output, scopeChain, info);
+// Initialize extended slots. Lexical |this| is stored in the first one.
+MOZ_ASSERT(info.flags & JSFunction::EXTENDED);
+static_assert(FunctionExtended::NUM_EXTENDED_SLOTS == 2, "All slots must be initialized");
+static_assert(FunctionExtended::ARROW_THIS_SLOT == 0, "|this| must be stored in first slot");
+masm.storeValue(thisv, Address(output, FunctionExtended::offsetOfExtendedSlot(0)));
+masm.storeValue(UndefinedValue(), Address(output, FunctionExtended::offsetOfExtendedSlot(1)));
+masm.bind(ool->rejoin());
+return true;
+}
+void
+CodeGenerator::emitLambdaInit(Register output, Register scopeChain,
+const LambdaFunctionInfo &info)
+{
+MOZ_ASSERT(!!(info.flags & JSFunction::ARROW) == !!(info.flags & JSFunction::EXTENDED));
+// Initialize nargs and flags. We do this with a single uint32 to avoid
+// 16-bit writes.
+union {
+struct S {
+uint16_t nargs;
+uint16_t flags;
+} s;
+uint32_t word;
+} u;
+u.s.nargs = info.fun->nargs();
+u.s.flags = info.flags;
+JS_ASSERT(JSFunction::offsetOfFlags() == JSFunction::offsetOfNargs() + 2);
+masm.store32(Imm32(u.word), Address(output, JSFunction::offsetOfNargs()));
+masm.storePtr(ImmGCPtr(info.scriptOrLazyScript),
+Address(output, JSFunction::offsetOfNativeOrScript()));
+masm.storePtr(scopeChain, Address(output, JSFunction::offsetOfEnvironment()));
+masm.storePtr(ImmGCPtr(info.fun->displayAtom()), Address(output, JSFunction::offsetOfAtom()));
+}
+bool
+CodeGenerator::visitLambdaPar(LLambdaPar *lir)
+{
+Register resultReg = ToRegister(lir->output());
+Register cxReg = ToRegister(lir->forkJoinContext());
+Register scopeChainReg = ToRegister(lir->scopeChain());
+Register tempReg1 = ToRegister(lir->getTemp0());
+Register tempReg2 = ToRegister(lir->getTemp1());
+const LambdaFunctionInfo &info = lir->mir()->info();
+JS_ASSERT(scopeChainReg != resultReg);
+emitAllocateGCThingPar(lir, resultReg, cxReg, tempReg1, tempReg2, info.fun);
+emitLambdaInit(resultReg, scopeChainReg, info);
+return true;
+}
+bool
+CodeGenerator::visitLabel(LLabel *lir)
+{
+return true;
+}
+bool
+CodeGenerator::visitNop(LNop *lir)
+{
+return true;
+}
+bool
+CodeGenerator::visitOsiPoint(LOsiPoint *lir)
+{
+// Note: markOsiPoint ensures enough space exists between the last
+// LOsiPoint and this one to patch adjacent call instructions.
+JS_ASSERT(masm.framePushed() == frameSize());
+uint32_t osiCallPointOffset;
+if (!markOsiPoint(lir, &osiCallPointOffset))
+return false;
+LSafepoint *safepoint = lir->associatedSafepoint();
+JS_ASSERT(!safepoint->osiCallPointOffset());
+safepoint->setOsiCallPointOffset(osiCallPointOffset);
+#ifdef DEBUG
+// There should be no movegroups or other instructions between
+// an instruction and its OsiPoint. This is necessary because
+// we use the OsiPoint's snapshot from within VM calls.
+for (LInstructionReverseIterator iter(current->rbegin(lir)); iter != current->rend(); iter++) {
+if (*iter == lir || iter->isNop())
+continue;
+JS_ASSERT(!iter->isMoveGroup());
+JS_ASSERT(iter->safepoint() == safepoint);
+break;
+}
+#endif
+#ifdef CHECK_OSIPOINT_REGISTERS
+if (shouldVerifyOsiPointRegs(safepoint))
+verifyOsiPointRegs(safepoint);
+#endif
+return true;
+}
+bool
+CodeGenerator::visitGoto(LGoto *lir)
+{
+jumpToBlock(lir->target());
+return true;
+}
+// Out-of-line path to execute any move groups between the start of a loop
+// header and its interrupt check, then invoke the interrupt handler.
+class OutOfLineInterruptCheckImplicit : public OutOfLineCodeBase<CodeGenerator>
+{
+public:
+LBlock *block;
+LInterruptCheckImplicit *lir;
+OutOfLineInterruptCheckImplicit(LBlock *block, LInterruptCheckImplicit *lir)
+: block(block), lir(lir)
+{ }
+bool accept(CodeGenerator *codegen) {
+return codegen->visitOutOfLineInterruptCheckImplicit(this);
+}
+};
+bool
+CodeGenerator::visitOutOfLineInterruptCheckImplicit(OutOfLineInterruptCheckImplicit *ool)
+{
+#ifdef CHECK_OSIPOINT_REGISTERS
+// This is path is entered from the patched back-edge of the loop. This
+// means that the JitAtivation flags used for checking the validity of the
+// OSI points are not reseted by the path generated by generateBody, so we
+// have to reset it here.
+resetOsiPointRegs(ool->lir->safepoint());
+#endif
+LInstructionIterator iter = ool->block->begin();
+for (; iter != ool->block->end(); iter++) {
+if (iter->isLabel()) {
+// Nothing to do.
+} else if (iter->isMoveGroup()) {
+// Replay this move group that preceds the interrupt check at the
+// start of the loop header. Any incoming jumps here will be from
+// the backedge and will skip over the move group emitted inline.
+visitMoveGroup(iter->toMoveGroup());
+} else {
+break;
+}
+}
+JS_ASSERT(*iter == ool->lir);
+saveLive(ool->lir);
+if (!callVM(InterruptCheckInfo, ool->lir))
+return false;
+restoreLive(ool->lir);
+masm.jump(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitInterruptCheckImplicit(LInterruptCheckImplicit *lir)
+{
+OutOfLineInterruptCheckImplicit *ool = new(alloc()) OutOfLineInterruptCheckImplicit(current, lir);
+if (!addOutOfLineCode(ool))
+return false;
+lir->setOolEntry(ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitTableSwitch(LTableSwitch *ins)
+{
+MTableSwitch *mir = ins->mir();
+Label *defaultcase = mir->getDefault()->lir()->label();
+const LAllocation *temp;
+if (mir->getOperand(0)->type() != MIRType_Int32) {
+temp = ins->tempInt()->output();
+// The input is a double, so try and convert it to an integer.
+// If it does not fit in an integer, take the default case.
+masm.convertDoubleToInt32(ToFloatRegister(ins->index()), ToRegister(temp), defaultcase, false);
+} else {
+temp = ins->index();
+}
+return emitTableSwitchDispatch(mir, ToRegister(temp), ToRegisterOrInvalid(ins->tempPointer()));
+}
+bool
+CodeGenerator::visitTableSwitchV(LTableSwitchV *ins)
+{
+MTableSwitch *mir = ins->mir();
+Label *defaultcase = mir->getDefault()->lir()->label();
+Register index = ToRegister(ins->tempInt());
+ValueOperand value = ToValue(ins, LTableSwitchV::InputValue);
+Register tag = masm.extractTag(value, index);
+masm.branchTestNumber(Assembler::NotEqual, tag, defaultcase);
+Label unboxInt, isInt;
+masm.branchTestInt32(Assembler::Equal, tag, &unboxInt);
+{
+FloatRegister floatIndex = ToFloatRegister(ins->tempFloat());
+masm.unboxDouble(value, floatIndex);
+masm.convertDoubleToInt32(floatIndex, index, defaultcase, false);
+masm.jump(&isInt);
+}
+masm.bind(&unboxInt);
+masm.unboxInt32(value, index);
+masm.bind(&isInt);
+return emitTableSwitchDispatch(mir, index, ToRegisterOrInvalid(ins->tempPointer()));
+}
+typedef JSObject *(*DeepCloneObjectLiteralFn)(JSContext *, HandleObject, NewObjectKind);
+static const VMFunction DeepCloneObjectLiteralInfo =
+FunctionInfo<DeepCloneObjectLiteralFn>(DeepCloneObjectLiteral);
+bool
+CodeGenerator::visitCloneLiteral(LCloneLiteral *lir)
+{
+pushArg(ImmWord(js::MaybeSingletonObject));
+pushArg(ToRegister(lir->output()));
+return callVM(DeepCloneObjectLiteralInfo, lir);
+}
+bool
+CodeGenerator::visitParameter(LParameter *lir)
+{
+return true;
+}
+bool
+CodeGenerator::visitCallee(LCallee *lir)
+{
+// read number of actual arguments from the JS frame.
+Register callee = ToRegister(lir->output());
+Address ptr(StackPointer, frameSize() + IonJSFrameLayout::offsetOfCalleeToken());
+masm.loadPtr(ptr, callee);
+return true;
+}
+bool
+CodeGenerator::visitStart(LStart *lir)
+{
+return true;
+}
+bool
+CodeGenerator::visitReturn(LReturn *lir)
+{
+#if defined(JS_NUNBOX32)
+DebugOnly<LAllocation *> type    = lir->getOperand(TYPE_INDEX);
+DebugOnly<LAllocation *> payload = lir->getOperand(PAYLOAD_INDEX);
+JS_ASSERT(ToRegister(type)    == JSReturnReg_Type);
+JS_ASSERT(ToRegister(payload) == JSReturnReg_Data);
+#elif defined(JS_PUNBOX64)
+DebugOnly<LAllocation *> result = lir->getOperand(0);
+JS_ASSERT(ToRegister(result) == JSReturnReg);
+#endif
+// Don't emit a jump to the return label if this is the last block.
+if (current->mir() != *gen->graph().poBegin())
+masm.jump(&returnLabel_);
+return true;
+}
+bool
+CodeGenerator::visitOsrEntry(LOsrEntry *lir)
+{
+// Remember the OSR entry offset into the code buffer.
+masm.flushBuffer();
+setOsrEntryOffset(masm.size());
+#ifdef JS_TRACE_LOGGING
+if (gen->info().executionMode() == SequentialExecution) {
+if (!emitTracelogStopEvent(TraceLogger::Baseline))
+return false;
+if (!emitTracelogStartEvent(TraceLogger::IonMonkey))
+return false;
+}
+#endif
+// Allocate the full frame for this function.
+uint32_t size = frameSize();
+if (size != 0)
+masm.subPtr(Imm32(size), StackPointer);
+return true;
+}
+bool
+CodeGenerator::visitOsrScopeChain(LOsrScopeChain *lir)
+{
+const LAllocation *frame   = lir->getOperand(0);
+const LDefinition *object  = lir->getDef(0);
+const ptrdiff_t frameOffset = BaselineFrame::reverseOffsetOfScopeChain();
+masm.loadPtr(Address(ToRegister(frame), frameOffset), ToRegister(object));
+return true;
+}
+bool
+CodeGenerator::visitOsrArgumentsObject(LOsrArgumentsObject *lir)
+{
+const LAllocation *frame   = lir->getOperand(0);
+const LDefinition *object  = lir->getDef(0);
+const ptrdiff_t frameOffset = BaselineFrame::reverseOffsetOfArgsObj();
+masm.loadPtr(Address(ToRegister(frame), frameOffset), ToRegister(object));
+return true;
+}
+bool
+CodeGenerator::visitOsrValue(LOsrValue *value)
+{
+const LAllocation *frame   = value->getOperand(0);
+const ValueOperand out     = ToOutValue(value);
+const ptrdiff_t frameOffset = value->mir()->frameOffset();
+masm.loadValue(Address(ToRegister(frame), frameOffset), out);
+return true;
+}
+bool
+CodeGenerator::visitOsrReturnValue(LOsrReturnValue *lir)
+{
+const LAllocation *frame   = lir->getOperand(0);
+const ValueOperand out     = ToOutValue(lir);
+Address flags = Address(ToRegister(frame), BaselineFrame::reverseOffsetOfFlags());
+Address retval = Address(ToRegister(frame), BaselineFrame::reverseOffsetOfReturnValue());
+masm.moveValue(UndefinedValue(), out);
+Label done;
+masm.branchTest32(Assembler::Zero, flags, Imm32(BaselineFrame::HAS_RVAL), &done);
+masm.loadValue(retval, out);
+masm.bind(&done);
+return true;
+}
+bool
+CodeGenerator::visitStackArgT(LStackArgT *lir)
+{
+const LAllocation *arg = lir->getArgument();
+MIRType argType = lir->type();
+uint32_t argslot = lir->argslot();
+JS_ASSERT(argslot - 1u < graph.argumentSlotCount());
+int32_t stack_offset = StackOffsetOfPassedArg(argslot);
+Address dest(StackPointer, stack_offset);
+if (arg->isFloatReg())
+masm.storeDouble(ToFloatRegister(arg), dest);
+else if (arg->isRegister())
+masm.storeValue(ValueTypeFromMIRType(argType), ToRegister(arg), dest);
+else
+masm.storeValue(*(arg->toConstant()), dest);
+uint32_t slot = StackOffsetToSlot(stack_offset);
+JS_ASSERT(slot - 1u < graph.totalSlotCount());
+return pushedArgumentSlots_.append(slot);
+}
+bool
+CodeGenerator::visitStackArgV(LStackArgV *lir)
+{
+ValueOperand val = ToValue(lir, 0);
+uint32_t argslot = lir->argslot();
+JS_ASSERT(argslot - 1u < graph.argumentSlotCount());
+int32_t stack_offset = StackOffsetOfPassedArg(argslot);
+masm.storeValue(val, Address(StackPointer, stack_offset));
+uint32_t slot = StackOffsetToSlot(stack_offset);
+JS_ASSERT(slot - 1u < graph.totalSlotCount());
+return pushedArgumentSlots_.append(slot);
+}
+bool
+CodeGenerator::visitMoveGroup(LMoveGroup *group)
+{
+if (!group->numMoves())
+return true;
+MoveResolver &resolver = masm.moveResolver();
+for (size_t i = 0; i < group->numMoves(); i++) {
+const LMove &move = group->getMove(i);
+const LAllocation *from = move.from();
+const LAllocation *to = move.to();
+LDefinition::Type type = move.type();
+// No bogus moves.
+JS_ASSERT(*from != *to);
+JS_ASSERT(!from->isConstant());
+MoveOp::Type moveType;
+switch (type) {
+case LDefinition::OBJECT:
+case LDefinition::SLOTS:
+#ifdef JS_NUNBOX32
+case LDefinition::TYPE:
+case LDefinition::PAYLOAD:
+#else
+case LDefinition::BOX:
+#endif
+case LDefinition::GENERAL: moveType = MoveOp::GENERAL; break;
+case LDefinition::INT32:   moveType = MoveOp::INT32;   break;
+case LDefinition::FLOAT32: moveType = MoveOp::FLOAT32; break;
+case LDefinition::DOUBLE:  moveType = MoveOp::DOUBLE;  break;
+default: MOZ_ASSUME_UNREACHABLE("Unexpected move type");
+}
+if (!resolver.addMove(toMoveOperand(from), toMoveOperand(to), moveType))
+return false;
+}
+if (!resolver.resolve())
+return false;
+MoveEmitter emitter(masm);
+emitter.emit(resolver);
+emitter.finish();
+return true;
+}
+bool
+CodeGenerator::visitInteger(LInteger *lir)
+{
+masm.move32(Imm32(lir->getValue()), ToRegister(lir->output()));
+return true;
+}
+bool
+CodeGenerator::visitPointer(LPointer *lir)
+{
+if (lir->kind() == LPointer::GC_THING)
+masm.movePtr(ImmGCPtr(lir->gcptr()), ToRegister(lir->output()));
+else
+masm.movePtr(ImmPtr(lir->ptr()), ToRegister(lir->output()));
+return true;
+}
+bool
+CodeGenerator::visitSlots(LSlots *lir)
+{
+Address slots(ToRegister(lir->object()), JSObject::offsetOfSlots());
+masm.loadPtr(slots, ToRegister(lir->output()));
+return true;
+}
+bool
+CodeGenerator::visitStoreSlotV(LStoreSlotV *store)
+{
+Register base = ToRegister(store->slots());
+int32_t offset = store->mir()->slot() * sizeof(Value);
+const ValueOperand value = ToValue(store, LStoreSlotV::Value);
+if (store->mir()->needsBarrier())
+emitPreBarrier(Address(base, offset), MIRType_Value);
+masm.storeValue(value, Address(base, offset));
+return true;
+}
+bool
+CodeGenerator::emitGetPropertyPolymorphic(LInstruction *ins, Register obj, Register scratch,
+const TypedOrValueRegister &output)
+{
+MGetPropertyPolymorphic *mir = ins->mirRaw()->toGetPropertyPolymorphic();
+JS_ASSERT(mir->numShapes() > 1);
+masm.loadObjShape(obj, scratch);
+Label done;
+for (size_t i = 0; i < mir->numShapes(); i++) {
+Label next;
+masm.branchPtr(Assembler::NotEqual, scratch, ImmGCPtr(mir->objShape(i)), &next);
+Shape *shape = mir->shape(i);
+if (shape->slot() < shape->numFixedSlots()) {
+// Fixed slot.
+masm.loadTypedOrValue(Address(obj, JSObject::getFixedSlotOffset(shape->slot())),
+output);
+} else {
+// Dynamic slot.
+uint32_t offset = (shape->slot() - shape->numFixedSlots()) * sizeof(js::Value);
+masm.loadPtr(Address(obj, JSObject::offsetOfSlots()), scratch);
+masm.loadTypedOrValue(Address(scratch, offset), output);
+}
+masm.jump(&done);
+masm.bind(&next);
+}
+// Bailout if no shape matches.
+if (!bailout(ins->snapshot()))
+return false;
+masm.bind(&done);
+return true;
+}
+bool
+CodeGenerator::visitGetPropertyPolymorphicV(LGetPropertyPolymorphicV *ins)
+{
+Register obj = ToRegister(ins->obj());
+ValueOperand output = GetValueOutput(ins);
+return emitGetPropertyPolymorphic(ins, obj, output.scratchReg(), output);
+}
+bool
+CodeGenerator::visitGetPropertyPolymorphicT(LGetPropertyPolymorphicT *ins)
+{
+Register obj = ToRegister(ins->obj());
+TypedOrValueRegister output(ins->mir()->type(), ToAnyRegister(ins->output()));
+Register temp = (output.type() == MIRType_Double)
+? ToRegister(ins->temp())
+: output.typedReg().gpr();
+return emitGetPropertyPolymorphic(ins, obj, temp, output);
+}
+bool
+CodeGenerator::emitSetPropertyPolymorphic(LInstruction *ins, Register obj, Register scratch,
+const ConstantOrRegister &value)
+{
+MSetPropertyPolymorphic *mir = ins->mirRaw()->toSetPropertyPolymorphic();
+JS_ASSERT(mir->numShapes() > 1);
+masm.loadObjShape(obj, scratch);
+Label done;
+for (size_t i = 0; i < mir->numShapes(); i++) {
+Label next;
+masm.branchPtr(Assembler::NotEqual, scratch, ImmGCPtr(mir->objShape(i)), &next);
+Shape *shape = mir->shape(i);
+if (shape->slot() < shape->numFixedSlots()) {
+// Fixed slot.
+Address addr(obj, JSObject::getFixedSlotOffset(shape->slot()));
+if (mir->needsBarrier())
+emitPreBarrier(addr, MIRType_Value);
+masm.storeConstantOrRegister(value, addr);
+} else {
+// Dynamic slot.
+masm.loadPtr(Address(obj, JSObject::offsetOfSlots()), scratch);
+Address addr(scratch, (shape->slot() - shape->numFixedSlots()) * sizeof(js::Value));
+if (mir->needsBarrier())
+emitPreBarrier(addr, MIRType_Value);
+masm.storeConstantOrRegister(value, addr);
+}
+masm.jump(&done);
+masm.bind(&next);
+}
+// Bailout if no shape matches.
+if (!bailout(ins->snapshot()))
+return false;
+masm.bind(&done);
+return true;
+}
+bool
+CodeGenerator::visitSetPropertyPolymorphicV(LSetPropertyPolymorphicV *ins)
+{
+Register obj = ToRegister(ins->obj());
+Register temp = ToRegister(ins->temp());
+ValueOperand value = ToValue(ins, LSetPropertyPolymorphicV::Value);
+return emitSetPropertyPolymorphic(ins, obj, temp, TypedOrValueRegister(value));
+}
+bool
+CodeGenerator::visitSetPropertyPolymorphicT(LSetPropertyPolymorphicT *ins)
+{
+Register obj = ToRegister(ins->obj());
+Register temp = ToRegister(ins->temp());
+ConstantOrRegister value;
+if (ins->mir()->value()->isConstant())
+value = ConstantOrRegister(ins->mir()->value()->toConstant()->value());
+else
+value = TypedOrValueRegister(ins->mir()->value()->type(), ToAnyRegister(ins->value()));
+return emitSetPropertyPolymorphic(ins, obj, temp, value);
+}
+bool
+CodeGenerator::visitElements(LElements *lir)
+{
+Address elements(ToRegister(lir->object()), JSObject::offsetOfElements());
+masm.loadPtr(elements, ToRegister(lir->output()));
+return true;
+}
+typedef bool (*ConvertElementsToDoublesFn)(JSContext *, uintptr_t);
+static const VMFunction ConvertElementsToDoublesInfo =
+FunctionInfo<ConvertElementsToDoublesFn>(ObjectElements::ConvertElementsToDoubles);
+bool
+CodeGenerator::visitConvertElementsToDoubles(LConvertElementsToDoubles *lir)
+{
+Register elements = ToRegister(lir->elements());
+OutOfLineCode *ool = oolCallVM(ConvertElementsToDoublesInfo, lir,
+(ArgList(), elements), StoreNothing());
+if (!ool)
+return false;
+Address convertedAddress(elements, ObjectElements::offsetOfFlags());
+Imm32 bit(ObjectElements::CONVERT_DOUBLE_ELEMENTS);
+masm.branchTest32(Assembler::Zero, convertedAddress, bit, ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitMaybeToDoubleElement(LMaybeToDoubleElement *lir)
+{
+Register elements = ToRegister(lir->elements());
+Register value = ToRegister(lir->value());
+ValueOperand out = ToOutValue(lir);
+FloatRegister temp = ToFloatRegister(lir->tempFloat());
+Label convert, done;
+// If the CONVERT_DOUBLE_ELEMENTS flag is set, convert the int32
+// value to double. Else, just box it.
+masm.branchTest32(Assembler::NonZero,
+Address(elements, ObjectElements::offsetOfFlags()),
+Imm32(ObjectElements::CONVERT_DOUBLE_ELEMENTS),
+&convert);
+masm.tagValue(JSVAL_TYPE_INT32, value, out);
+masm.jump(&done);
+masm.bind(&convert);
+masm.convertInt32ToDouble(value, temp);
+masm.boxDouble(temp, out);
+masm.bind(&done);
+return true;
+}
+bool
+CodeGenerator::visitFunctionEnvironment(LFunctionEnvironment *lir)
+{
+Address environment(ToRegister(lir->function()), JSFunction::offsetOfEnvironment());
+masm.loadPtr(environment, ToRegister(lir->output()));
+return true;
+}
+bool
+CodeGenerator::visitForkJoinContext(LForkJoinContext *lir)
+{
+const Register tempReg = ToRegister(lir->getTempReg());
+masm.setupUnalignedABICall(0, tempReg);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, ForkJoinContextPar));
+JS_ASSERT(ToRegister(lir->output()) == ReturnReg);
+return true;
+}
+bool
+CodeGenerator::visitGuardThreadExclusive(LGuardThreadExclusive *lir)
+{
+JS_ASSERT(gen->info().executionMode() == ParallelExecution);
+const Register tempReg = ToRegister(lir->getTempReg());
+masm.setupUnalignedABICall(2, tempReg);
+masm.passABIArg(ToRegister(lir->forkJoinContext()));
+masm.passABIArg(ToRegister(lir->object()));
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, ParallelWriteGuard));
+OutOfLineAbortPar *bail = oolAbortPar(ParallelBailoutIllegalWrite, lir);
+if (!bail)
+return false;
+// branch to the OOL failure code if false is returned
+masm.branchIfFalseBool(ReturnReg, bail->entry());
+return true;
+}
+bool
+CodeGenerator::visitGuardObjectIdentity(LGuardObjectIdentity *guard)
+{
+Register obj = ToRegister(guard->input());
+Assembler::Condition cond =
+guard->mir()->bailOnEquality() ? Assembler::Equal : Assembler::NotEqual;
+return bailoutCmpPtr(cond, obj, ImmGCPtr(guard->mir()->singleObject()), guard->snapshot());
+}
+bool
+CodeGenerator::visitTypeBarrierV(LTypeBarrierV *lir)
+{
+ValueOperand operand = ToValue(lir, LTypeBarrierV::Input);
+Register scratch = ToTempRegisterOrInvalid(lir->temp());
+Label miss;
+masm.guardTypeSet(operand, lir->mir()->resultTypeSet(), scratch, &miss);
+if (!bailoutFrom(&miss, lir->snapshot()))
+return false;
+return true;
+}
+bool
+CodeGenerator::visitTypeBarrierO(LTypeBarrierO *lir)
+{
+Register obj = ToRegister(lir->object());
+Register scratch = ToTempRegisterOrInvalid(lir->temp());
+Label miss;
+masm.guardObjectType(obj, lir->mir()->resultTypeSet(), scratch, &miss);
+if (!bailoutFrom(&miss, lir->snapshot()))
+return false;
+return true;
+}
+bool
+CodeGenerator::visitMonitorTypes(LMonitorTypes *lir)
+{
+ValueOperand operand = ToValue(lir, LMonitorTypes::Input);
+Register scratch = ToTempUnboxRegister(lir->temp());
+Label matched, miss;
+masm.guardTypeSet(operand, lir->mir()->typeSet(), scratch, &miss);
+if (!bailoutFrom(&miss, lir->snapshot()))
+return false;
+return true;
+}
+#ifdef JSGC_GENERATIONAL
+// Out-of-line path to update the store buffer.
+class OutOfLineCallPostWriteBarrier : public OutOfLineCodeBase<CodeGenerator>
+{
+LInstruction *lir_;
+const LAllocation *object_;
+public:
+OutOfLineCallPostWriteBarrier(LInstruction *lir, const LAllocation *object)
+: lir_(lir), object_(object)
+{ }
+bool accept(CodeGenerator *codegen) {
+return codegen->visitOutOfLineCallPostWriteBarrier(this);
+}
+LInstruction *lir() const {
+return lir_;
+}
+const LAllocation *object() const {
+return object_;
+}
+};
+bool
+CodeGenerator::visitOutOfLineCallPostWriteBarrier(OutOfLineCallPostWriteBarrier *ool)
+{
+saveLiveVolatile(ool->lir());
+const LAllocation *obj = ool->object();
+GeneralRegisterSet regs = GeneralRegisterSet::Volatile();
+Register objreg;
+bool isGlobal = false;
+if (obj->isConstant()) {
+JSObject *object = &obj->toConstant()->toObject();
+isGlobal = object->is<GlobalObject>();
+objreg = regs.takeAny();
+masm.movePtr(ImmGCPtr(object), objreg);
+} else {
+objreg = ToRegister(obj);
+regs.takeUnchecked(objreg);
+}
+Register runtimereg = regs.takeAny();
+masm.mov(ImmPtr(GetIonContext()->runtime), runtimereg);
+void (*fun)(JSRuntime*, JSObject*) = isGlobal ? PostGlobalWriteBarrier : PostWriteBarrier;
+masm.setupUnalignedABICall(2, regs.takeAny());
+masm.passABIArg(runtimereg);
+masm.passABIArg(objreg);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, fun));
+restoreLiveVolatile(ool->lir());
+masm.jump(ool->rejoin());
+return true;
+}
+#endif
+bool
+CodeGenerator::visitPostWriteBarrierO(LPostWriteBarrierO *lir)
+{
+#ifdef JSGC_GENERATIONAL
+OutOfLineCallPostWriteBarrier *ool = new(alloc()) OutOfLineCallPostWriteBarrier(lir, lir->object());
+if (!addOutOfLineCode(ool))
+return false;
+Register temp = ToTempRegisterOrInvalid(lir->temp());
+if (lir->object()->isConstant()) {
+#ifdef DEBUG
+const Nursery &nursery = GetIonContext()->runtime->gcNursery();
+JS_ASSERT(!nursery.isInside(&lir->object()->toConstant()->toObject()));
+#endif
+} else {
+masm.branchPtrInNurseryRange(ToRegister(lir->object()), temp, ool->rejoin());
+}
+masm.branchPtrInNurseryRange(ToRegister(lir->value()), temp, ool->entry());
+masm.bind(ool->rejoin());
+#endif
+return true;
+}
+bool
+CodeGenerator::visitPostWriteBarrierV(LPostWriteBarrierV *lir)
+{
+#ifdef JSGC_GENERATIONAL
+OutOfLineCallPostWriteBarrier *ool = new(alloc()) OutOfLineCallPostWriteBarrier(lir, lir->object());
+if (!addOutOfLineCode(ool))
+return false;
+Register temp = ToTempRegisterOrInvalid(lir->temp());
+if (lir->object()->isConstant()) {
+#ifdef DEBUG
+const Nursery &nursery = GetIonContext()->runtime->gcNursery();
+JS_ASSERT(!nursery.isInside(&lir->object()->toConstant()->toObject()));
+#endif
+} else {
+masm.branchPtrInNurseryRange(ToRegister(lir->object()), temp, ool->rejoin());
+}
+ValueOperand value = ToValue(lir, LPostWriteBarrierV::Input);
+masm.branchValueIsNurseryObject(value, temp, ool->entry());
+masm.bind(ool->rejoin());
+#endif
+return true;
+}
+bool
+CodeGenerator::visitCallNative(LCallNative *call)
+{
+JSFunction *target = call->getSingleTarget();
+JS_ASSERT(target);
+JS_ASSERT(target->isNative());
+int callargslot = call->argslot();
+int unusedStack = StackOffsetOfPassedArg(callargslot);
+// Registers used for callWithABI() argument-passing.
+const Register argContextReg   = ToRegister(call->getArgContextReg());
+const Register argUintNReg     = ToRegister(call->getArgUintNReg());
+const Register argVpReg        = ToRegister(call->getArgVpReg());
+// Misc. temporary registers.
+const Register tempReg = ToRegister(call->getTempReg());
+DebugOnly<uint32_t> initialStack = masm.framePushed();
+masm.checkStackAlignment();
+// Sequential native functions have the signature:
+//  bool (*)(JSContext *, unsigned, Value *vp)
+// and parallel native functions have the signature:
+//  ParallelResult (*)(ForkJoinContext *, unsigned, Value *vp)
+// Where vp[0] is space for an outparam, vp[1] is |this|, and vp[2] onward
+// are the function arguments.
+// Allocate space for the outparam, moving the StackPointer to what will be &vp[1].
+masm.adjustStack(unusedStack);
+// Push a Value containing the callee object: natives are allowed to access their callee before
+// setitng the return value. The StackPointer is moved to &vp[0].
+masm.Push(ObjectValue(*target));
+// Preload arguments into registers.
+//
+// Note that for parallel execution, loadContext does an ABI call, so we
+// need to do this before we load the other argument registers, otherwise
+// we'll hose them.
+ExecutionMode executionMode = gen->info().executionMode();
+masm.loadContext(argContextReg, tempReg, executionMode);
+masm.move32(Imm32(call->numStackArgs()), argUintNReg);
+masm.movePtr(StackPointer, argVpReg);
+masm.Push(argUintNReg);
+// Construct native exit frame.
+uint32_t safepointOffset;
+if (!masm.buildFakeExitFrame(tempReg, &safepointOffset))
+return false;
+masm.enterFakeExitFrame(argContextReg, tempReg, executionMode);
+if (!markSafepointAt(safepointOffset, call))
+return false;
+// Construct and execute call.
+masm.setupUnalignedABICall(3, tempReg);
+masm.passABIArg(argContextReg);
+masm.passABIArg(argUintNReg);
+masm.passABIArg(argVpReg);
+switch (executionMode) {
+case SequentialExecution:
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, target->native()));
+break;
+case ParallelExecution:
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, target->parallelNative()));
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("No such execution mode");
+}
+// Test for failure.
+masm.branchIfFalseBool(ReturnReg, masm.failureLabel(executionMode));
+// Load the outparam vp[0] into output register(s).
+masm.loadValue(Address(StackPointer, IonNativeExitFrameLayout::offsetOfResult()), JSReturnOperand);
+// The next instruction is removing the footer of the exit frame, so there
+// is no need for leaveFakeExitFrame.
+// Move the StackPointer back to its original location, unwinding the native exit frame.
+masm.adjustStack(IonNativeExitFrameLayout::Size() - unusedStack);
+JS_ASSERT(masm.framePushed() == initialStack);
+dropArguments(call->numStackArgs() + 1);
+return true;
+}
+bool
+CodeGenerator::visitCallDOMNative(LCallDOMNative *call)
+{
+JSFunction *target = call->getSingleTarget();
+JS_ASSERT(target);
+JS_ASSERT(target->isNative());
+JS_ASSERT(target->jitInfo());
+JS_ASSERT(call->mir()->isCallDOMNative());
+int callargslot = call->argslot();
+int unusedStack = StackOffsetOfPassedArg(callargslot);
+// Registers used for callWithABI() argument-passing.
+const Register argJSContext = ToRegister(call->getArgJSContext());
+const Register argObj       = ToRegister(call->getArgObj());
+const Register argPrivate   = ToRegister(call->getArgPrivate());
+const Register argArgs      = ToRegister(call->getArgArgs());
+DebugOnly<uint32_t> initialStack = masm.framePushed();
+masm.checkStackAlignment();
+// DOM methods have the signature:
+//  bool (*)(JSContext *, HandleObject, void *private, const JSJitMethodCallArgs& args)
+// Where args is initialized from an argc and a vp, vp[0] is space for an
+// outparam and the callee, vp[1] is |this|, and vp[2] onward are the
+// function arguments.  Note that args stores the argv, not the vp, and
+// argv == vp + 2.
+// Nestle the stack up against the pushed arguments, leaving StackPointer at
+// &vp[1]
+masm.adjustStack(unusedStack);
+// argObj is filled with the extracted object, then returned.
+Register obj = masm.extractObject(Address(StackPointer, 0), argObj);
+JS_ASSERT(obj == argObj);
+// Push a Value containing the callee object: natives are allowed to access their callee before
+// setitng the return value. After this the StackPointer points to &vp[0].
+masm.Push(ObjectValue(*target));
+// Now compute the argv value.  Since StackPointer is pointing to &vp[0] and
+// argv is &vp[2] we just need to add 2*sizeof(Value) to the current
+// StackPointer.
+JS_STATIC_ASSERT(JSJitMethodCallArgsTraits::offsetOfArgv == 0);
+JS_STATIC_ASSERT(JSJitMethodCallArgsTraits::offsetOfArgc ==
+IonDOMMethodExitFrameLayoutTraits::offsetOfArgcFromArgv);
+masm.computeEffectiveAddress(Address(StackPointer, 2 * sizeof(Value)), argArgs);
+// GetReservedSlot(obj, DOM_OBJECT_SLOT).toPrivate()
+masm.loadPrivate(Address(obj, JSObject::getFixedSlotOffset(0)), argPrivate);
+// Push argc from the call instruction into what will become the IonExitFrame
+masm.Push(Imm32(call->numStackArgs()));
+// Push our argv onto the stack
+masm.Push(argArgs);
+// And store our JSJitMethodCallArgs* in argArgs.
+masm.movePtr(StackPointer, argArgs);
+// Push |this| object for passing HandleObject. We push after argc to
+// maintain the same sp-relative location of the object pointer with other
+// DOMExitFrames.
+masm.Push(argObj);
+masm.movePtr(StackPointer, argObj);
+// Construct native exit frame.
+uint32_t safepointOffset;
+if (!masm.buildFakeExitFrame(argJSContext, &safepointOffset))
+return false;
+masm.enterFakeExitFrame(ION_FRAME_DOMMETHOD);
+if (!markSafepointAt(safepointOffset, call))
+return false;
+// Construct and execute call.
+masm.setupUnalignedABICall(4, argJSContext);
+masm.loadJSContext(argJSContext);
+masm.passABIArg(argJSContext);
+masm.passABIArg(argObj);
+masm.passABIArg(argPrivate);
+masm.passABIArg(argArgs);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, target->jitInfo()->method));
+if (target->jitInfo()->isInfallible) {
+masm.loadValue(Address(StackPointer, IonDOMMethodExitFrameLayout::offsetOfResult()),
+JSReturnOperand);
+} else {
+// Test for failure.
+masm.branchIfFalseBool(ReturnReg, masm.exceptionLabel());
+// Load the outparam vp[0] into output register(s).
+masm.loadValue(Address(StackPointer, IonDOMMethodExitFrameLayout::offsetOfResult()),
+JSReturnOperand);
+}
+// The next instruction is removing the footer of the exit frame, so there
+// is no need for leaveFakeExitFrame.
+// Move the StackPointer back to its original location, unwinding the native exit frame.
+masm.adjustStack(IonDOMMethodExitFrameLayout::Size() - unusedStack);
+JS_ASSERT(masm.framePushed() == initialStack);
+dropArguments(call->numStackArgs() + 1);
+return true;
+}
+typedef bool (*GetIntrinsicValueFn)(JSContext *cx, HandlePropertyName, MutableHandleValue);
+static const VMFunction GetIntrinsicValueInfo =
+FunctionInfo<GetIntrinsicValueFn>(GetIntrinsicValue);
+bool
+CodeGenerator::visitCallGetIntrinsicValue(LCallGetIntrinsicValue *lir)
+{
+pushArg(ImmGCPtr(lir->mir()->name()));
+return callVM(GetIntrinsicValueInfo, lir);
+}
+typedef bool (*InvokeFunctionFn)(JSContext *, HandleObject, uint32_t, Value *, Value *);
+static const VMFunction InvokeFunctionInfo = FunctionInfo<InvokeFunctionFn>(InvokeFunction);
+bool
+CodeGenerator::emitCallInvokeFunction(LInstruction *call, Register calleereg,
+uint32_t argc, uint32_t unusedStack)
+{
+// Nestle %esp up to the argument vector.
+// Each path must account for framePushed_ separately, for callVM to be valid.
+masm.freeStack(unusedStack);
+pushArg(StackPointer); // argv.
+pushArg(Imm32(argc));  // argc.
+pushArg(calleereg);    // JSFunction *.
+if (!callVM(InvokeFunctionInfo, call))
+return false;
+// Un-nestle %esp from the argument vector. No prefix was pushed.
+masm.reserveStack(unusedStack);
+return true;
+}
+bool
+CodeGenerator::visitCallGeneric(LCallGeneric *call)
+{
+Register calleereg = ToRegister(call->getFunction());
+Register objreg    = ToRegister(call->getTempObject());
+Register nargsreg  = ToRegister(call->getNargsReg());
+uint32_t unusedStack = StackOffsetOfPassedArg(call->argslot());
+ExecutionMode executionMode = gen->info().executionMode();
+Label invoke, thunk, makeCall, end;
+// Known-target case is handled by LCallKnown.
+JS_ASSERT(!call->hasSingleTarget());
+// Generate an ArgumentsRectifier.
+JitCode *argumentsRectifier = gen->jitRuntime()->getArgumentsRectifier(executionMode);
+masm.checkStackAlignment();
+// Guard that calleereg is actually a function object.
+masm.loadObjClass(calleereg, nargsreg);
+masm.branchPtr(Assembler::NotEqual, nargsreg, ImmPtr(&JSFunction::class_), &invoke);
+// Guard that calleereg is an interpreted function with a JSScript.
+// If we are constructing, also ensure the callee is a constructor.
+if (call->mir()->isConstructing())
+masm.branchIfNotInterpretedConstructor(calleereg, nargsreg, &invoke);
+else
+masm.branchIfFunctionHasNoScript(calleereg, &invoke);
+// Knowing that calleereg is a non-native function, load the JSScript.
+masm.loadPtr(Address(calleereg, JSFunction::offsetOfNativeOrScript()), objreg);
+// Load script jitcode.
+masm.loadBaselineOrIonRaw(objreg, objreg, executionMode, &invoke);
+// Nestle the StackPointer up to the argument vector.
+masm.freeStack(unusedStack);
+// Construct the IonFramePrefix.
+uint32_t descriptor = MakeFrameDescriptor(masm.framePushed(), JitFrame_IonJS);
+masm.Push(Imm32(call->numActualArgs()));
+masm.Push(calleereg);
+masm.Push(Imm32(descriptor));
+// Check whether the provided arguments satisfy target argc.
+masm.load16ZeroExtend(Address(calleereg, JSFunction::offsetOfNargs()), nargsreg);
+masm.branch32(Assembler::Above, nargsreg, Imm32(call->numStackArgs()), &thunk);
+masm.jump(&makeCall);
+// Argument fixed needed. Load the ArgumentsRectifier.
+masm.bind(&thunk);
+{
+JS_ASSERT(ArgumentsRectifierReg != objreg);
+masm.movePtr(ImmGCPtr(argumentsRectifier), objreg); // Necessary for GC marking.
+masm.loadPtr(Address(objreg, JitCode::offsetOfCode()), objreg);
+masm.move32(Imm32(call->numStackArgs()), ArgumentsRectifierReg);
+}
+// Finally call the function in objreg.
+masm.bind(&makeCall);
+uint32_t callOffset = masm.callIon(objreg);
+if (!markSafepointAt(callOffset, call))
+return false;
+// Increment to remove IonFramePrefix; decrement to fill FrameSizeClass.
+// The return address has already been removed from the Ion frame.
+int prefixGarbage = sizeof(IonJSFrameLayout) - sizeof(void *);
+masm.adjustStack(prefixGarbage - unusedStack);
+masm.jump(&end);
+// Handle uncompiled or native functions.
+masm.bind(&invoke);
+switch (executionMode) {
+case SequentialExecution:
+if (!emitCallInvokeFunction(call, calleereg, call->numActualArgs(), unusedStack))
+return false;
+break;
+case ParallelExecution:
+if (!emitCallToUncompiledScriptPar(call, calleereg))
+return false;
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("No such execution mode");
+}
+masm.bind(&end);
+// If the return value of the constructing function is Primitive,
+// replace the return value with the Object from CreateThis.
+if (call->mir()->isConstructing()) {
+Label notPrimitive;
+masm.branchTestPrimitive(Assembler::NotEqual, JSReturnOperand, &notPrimitive);
+masm.loadValue(Address(StackPointer, unusedStack), JSReturnOperand);
+masm.bind(&notPrimitive);
+}
+if (!checkForAbortPar(call))
+return false;
+dropArguments(call->numStackArgs() + 1);
+return true;
+}
+// Generates a call to CallToUncompiledScriptPar() and then bails out.
+// |calleeReg| should contain the JSFunction*.
+bool
+CodeGenerator::emitCallToUncompiledScriptPar(LInstruction *lir, Register calleeReg)
+{
+OutOfLineCode *bail = oolAbortPar(ParallelBailoutCalledToUncompiledScript, lir);
+if (!bail)
+return false;
+masm.movePtr(calleeReg, CallTempReg0);
+masm.setupUnalignedABICall(1, CallTempReg1);
+masm.passABIArg(CallTempReg0);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, CallToUncompiledScriptPar));
+masm.jump(bail->entry());
+return true;
+}
+bool
+CodeGenerator::visitCallKnown(LCallKnown *call)
+{
+Register calleereg = ToRegister(call->getFunction());
+Register objreg    = ToRegister(call->getTempObject());
+uint32_t unusedStack = StackOffsetOfPassedArg(call->argslot());
+DebugOnly<JSFunction *> target = call->getSingleTarget();
+ExecutionMode executionMode = gen->info().executionMode();
+Label end, uncompiled;
+// Native single targets are handled by LCallNative.
+JS_ASSERT(!target->isNative());
+// Missing arguments must have been explicitly appended by the IonBuilder.
+JS_ASSERT(target->nargs() <= call->numStackArgs());
+JS_ASSERT_IF(call->mir()->isConstructing(), target->isInterpretedConstructor());
+masm.checkStackAlignment();
+// The calleereg is known to be a non-native function, but might point to
+// a LazyScript instead of a JSScript.
+masm.branchIfFunctionHasNoScript(calleereg, &uncompiled);
+// Knowing that calleereg is a non-native function, load the JSScript.
+masm.loadPtr(Address(calleereg, JSFunction::offsetOfNativeOrScript()), objreg);
+// Load script jitcode.
+if (call->mir()->needsArgCheck())
+masm.loadBaselineOrIonRaw(objreg, objreg, executionMode, &uncompiled);
+else
+masm.loadBaselineOrIonNoArgCheck(objreg, objreg, executionMode, &uncompiled);
+// Nestle the StackPointer up to the argument vector.
+masm.freeStack(unusedStack);
+// Construct the IonFramePrefix.
+uint32_t descriptor = MakeFrameDescriptor(masm.framePushed(), JitFrame_IonJS);
+masm.Push(Imm32(call->numActualArgs()));
+masm.Push(calleereg);
+masm.Push(Imm32(descriptor));
+// Finally call the function in objreg.
+uint32_t callOffset = masm.callIon(objreg);
+if (!markSafepointAt(callOffset, call))
+return false;
+// Increment to remove IonFramePrefix; decrement to fill FrameSizeClass.
+// The return address has already been removed from the Ion frame.
+int prefixGarbage = sizeof(IonJSFrameLayout) - sizeof(void *);
+masm.adjustStack(prefixGarbage - unusedStack);
+masm.jump(&end);
+// Handle uncompiled functions.
+masm.bind(&uncompiled);
+switch (executionMode) {
+case SequentialExecution:
+if (!emitCallInvokeFunction(call, calleereg, call->numActualArgs(), unusedStack))
+return false;
+break;
+case ParallelExecution:
+if (!emitCallToUncompiledScriptPar(call, calleereg))
+return false;
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("No such execution mode");
+}
+masm.bind(&end);
+if (!checkForAbortPar(call))
+return false;
+// If the return value of the constructing function is Primitive,
+// replace the return value with the Object from CreateThis.
+if (call->mir()->isConstructing()) {
+Label notPrimitive;
+masm.branchTestPrimitive(Assembler::NotEqual, JSReturnOperand, &notPrimitive);
+masm.loadValue(Address(StackPointer, unusedStack), JSReturnOperand);
+masm.bind(&notPrimitive);
+}
+dropArguments(call->numStackArgs() + 1);
+return true;
+}
+bool
+CodeGenerator::checkForAbortPar(LInstruction *lir)
+{
+// In parallel mode, if we call another ion-compiled function and
+// it returns JS_ION_ERROR, that indicates a bailout that we have
+// to propagate up the stack.
+ExecutionMode executionMode = gen->info().executionMode();
+if (executionMode == ParallelExecution) {
+OutOfLinePropagateAbortPar *bail = oolPropagateAbortPar(lir);
+if (!bail)
+return false;
+masm.branchTestMagic(Assembler::Equal, JSReturnOperand, bail->entry());
+}
+return true;
+}
+bool
+CodeGenerator::emitCallInvokeFunction(LApplyArgsGeneric *apply, Register extraStackSize)
+{
+Register objreg = ToRegister(apply->getTempObject());
+JS_ASSERT(objreg != extraStackSize);
+// Push the space used by the arguments.
+masm.movePtr(StackPointer, objreg);
+masm.Push(extraStackSize);
+pushArg(objreg);                           // argv.
+pushArg(ToRegister(apply->getArgc()));     // argc.
+pushArg(ToRegister(apply->getFunction())); // JSFunction *.
+// This specialization og callVM restore the extraStackSize after the call.
+if (!callVM(InvokeFunctionInfo, apply, &extraStackSize))
+return false;
+masm.Pop(extraStackSize);
+return true;
+}
+// Do not bailout after the execution of this function since the stack no longer
+// correspond to what is expected by the snapshots.
+void
+CodeGenerator::emitPushArguments(LApplyArgsGeneric *apply, Register extraStackSpace)
+{
+// Holds the function nargs. Initially undefined.
+Register argcreg = ToRegister(apply->getArgc());
+Register copyreg = ToRegister(apply->getTempObject());
+size_t argvOffset = frameSize() + IonJSFrameLayout::offsetOfActualArgs();
+Label end;
+// Initialize the loop counter AND Compute the stack usage (if == 0)
+masm.movePtr(argcreg, extraStackSpace);
+masm.branchTestPtr(Assembler::Zero, argcreg, argcreg, &end);
+// Copy arguments.
+{
+Register count = extraStackSpace; // <- argcreg
+Label loop;
+masm.bind(&loop);
+// We remove sizeof(void*) from argvOffset because withtout it we target
+// the address after the memory area that we want to copy.
+BaseIndex disp(StackPointer, argcreg, ScaleFromElemWidth(sizeof(Value)), argvOffset - sizeof(void*));
+// Do not use Push here because other this account to 1 in the framePushed
+// instead of 0.  These push are only counted by argcreg.
+masm.loadPtr(disp, copyreg);
+masm.push(copyreg);
+// Handle 32 bits architectures.
+if (sizeof(Value) == 2 * sizeof(void*)) {
+masm.loadPtr(disp, copyreg);
+masm.push(copyreg);
+}
+masm.decBranchPtr(Assembler::NonZero, count, Imm32(1), &loop);
+}
+// Compute the stack usage.
+masm.movePtr(argcreg, extraStackSpace);
+masm.lshiftPtr(Imm32::ShiftOf(ScaleFromElemWidth(sizeof(Value))), extraStackSpace);
+// Join with all arguments copied and the extra stack usage computed.
+masm.bind(&end);
+// Push |this|.
+masm.addPtr(Imm32(sizeof(Value)), extraStackSpace);
+masm.pushValue(ToValue(apply, LApplyArgsGeneric::ThisIndex));
+}
+void
+CodeGenerator::emitPopArguments(LApplyArgsGeneric *apply, Register extraStackSpace)
+{
+// Pop |this| and Arguments.
+masm.freeStack(extraStackSpace);
+}
+bool
+CodeGenerator::visitApplyArgsGeneric(LApplyArgsGeneric *apply)
+{
+// Holds the function object.
+Register calleereg = ToRegister(apply->getFunction());
+// Temporary register for modifying the function object.
+Register objreg = ToRegister(apply->getTempObject());
+Register copyreg = ToRegister(apply->getTempCopy());
+// Holds the function nargs. Initially undefined.
+Register argcreg = ToRegister(apply->getArgc());
+// Unless already known, guard that calleereg is actually a function object.
+if (!apply->hasSingleTarget()) {
+masm.loadObjClass(calleereg, objreg);
+ImmPtr ptr = ImmPtr(&JSFunction::class_);
+if (!bailoutCmpPtr(Assembler::NotEqual, objreg, ptr, apply->snapshot()))
+return false;
+}
+// Copy the arguments of the current function.
+emitPushArguments(apply, copyreg);
+masm.checkStackAlignment();
+// If the function is known to be uncompilable, only emit the call to InvokeFunction.
+ExecutionMode executionMode = gen->info().executionMode();
+if (apply->hasSingleTarget()) {
+JSFunction *target = apply->getSingleTarget();
+if (target->isNative()) {
+if (!emitCallInvokeFunction(apply, copyreg))
+return false;
+emitPopArguments(apply, copyreg);
+return true;
+}
+}
+Label end, invoke;
+// Guard that calleereg is an interpreted function with a JSScript:
+if (!apply->hasSingleTarget()) {
+masm.branchIfFunctionHasNoScript(calleereg, &invoke);
+} else {
+// Native single targets are handled by LCallNative.
+JS_ASSERT(!apply->getSingleTarget()->isNative());
+}
+// Knowing that calleereg is a non-native function, load the JSScript.
+masm.loadPtr(Address(calleereg, JSFunction::offsetOfNativeOrScript()), objreg);
+// Load script jitcode.
+masm.loadBaselineOrIonRaw(objreg, objreg, executionMode, &invoke);
+// Call with an Ion frame or a rectifier frame.
+{
+// Create the frame descriptor.
+unsigned pushed = masm.framePushed();
+masm.addPtr(Imm32(pushed), copyreg);
+masm.makeFrameDescriptor(copyreg, JitFrame_IonJS);
+masm.Push(argcreg);
+masm.Push(calleereg);
+masm.Push(copyreg); // descriptor
+Label underflow, rejoin;
+// Check whether the provided arguments satisfy target argc.
+if (!apply->hasSingleTarget()) {
+masm.load16ZeroExtend(Address(calleereg, JSFunction::offsetOfNargs()), copyreg);
+masm.branch32(Assembler::Below, argcreg, copyreg, &underflow);
+} else {
+masm.branch32(Assembler::Below, argcreg, Imm32(apply->getSingleTarget()->nargs()),
+&underflow);
+}
+// Skip the construction of the rectifier frame because we have no
+// underflow.
+masm.jump(&rejoin);
+// Argument fixup needed. Get ready to call the argumentsRectifier.
+{
+masm.bind(&underflow);
+// Hardcode the address of the argumentsRectifier code.
+JitCode *argumentsRectifier = gen->jitRuntime()->getArgumentsRectifier(executionMode);
+JS_ASSERT(ArgumentsRectifierReg != objreg);
+masm.movePtr(ImmGCPtr(argumentsRectifier), objreg); // Necessary for GC marking.
+masm.loadPtr(Address(objreg, JitCode::offsetOfCode()), objreg);
+masm.movePtr(argcreg, ArgumentsRectifierReg);
+}
+masm.bind(&rejoin);
+// Finally call the function in objreg, as assigned by one of the paths above.
+uint32_t callOffset = masm.callIon(objreg);
+if (!markSafepointAt(callOffset, apply))
+return false;
+// Recover the number of arguments from the frame descriptor.
+masm.loadPtr(Address(StackPointer, 0), copyreg);
+masm.rshiftPtr(Imm32(FRAMESIZE_SHIFT), copyreg);
+masm.subPtr(Imm32(pushed), copyreg);
+// Increment to remove IonFramePrefix; decrement to fill FrameSizeClass.
+// The return address has already been removed from the Ion frame.
+int prefixGarbage = sizeof(IonJSFrameLayout) - sizeof(void *);
+masm.adjustStack(prefixGarbage);
+masm.jump(&end);
+}
+// Handle uncompiled or native functions.
+{
+masm.bind(&invoke);
+if (!emitCallInvokeFunction(apply, copyreg))
+return false;
+}
+// Pop arguments and continue.
+masm.bind(&end);
+emitPopArguments(apply, copyreg);
+return true;
+}
+typedef bool (*ArraySpliceDenseFn)(JSContext *, HandleObject, uint32_t, uint32_t);
+static const VMFunction ArraySpliceDenseInfo = FunctionInfo<ArraySpliceDenseFn>(ArraySpliceDense);
+bool
+CodeGenerator::visitArraySplice(LArraySplice *lir)
+{
+pushArg(ToRegister(lir->getDeleteCount()));
+pushArg(ToRegister(lir->getStart()));
+pushArg(ToRegister(lir->getObject()));
+return callVM(ArraySpliceDenseInfo, lir);
+}
+bool
+CodeGenerator::visitBail(LBail *lir)
+{
+return bailout(lir->snapshot());
+}
+bool
+CodeGenerator::visitGetDynamicName(LGetDynamicName *lir)
+{
+Register scopeChain = ToRegister(lir->getScopeChain());
+Register name = ToRegister(lir->getName());
+Register temp1 = ToRegister(lir->temp1());
+Register temp2 = ToRegister(lir->temp2());
+Register temp3 = ToRegister(lir->temp3());
+masm.loadJSContext(temp3);
+/* Make space for the outparam. */
+masm.adjustStack(-int32_t(sizeof(Value)));
+masm.movePtr(StackPointer, temp2);
+masm.setupUnalignedABICall(4, temp1);
+masm.passABIArg(temp3);
+masm.passABIArg(scopeChain);
+masm.passABIArg(name);
+masm.passABIArg(temp2);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, GetDynamicName));
+const ValueOperand out = ToOutValue(lir);
+masm.loadValue(Address(StackPointer, 0), out);
+masm.adjustStack(sizeof(Value));
+Label undefined;
+masm.branchTestUndefined(Assembler::Equal, out, &undefined);
+return bailoutFrom(&undefined, lir->snapshot());
+}
+bool
+CodeGenerator::emitFilterArgumentsOrEval(LInstruction *lir, Register string,
+Register temp1, Register temp2)
+{
+masm.loadJSContext(temp2);
+masm.setupUnalignedABICall(2, temp1);
+masm.passABIArg(temp2);
+masm.passABIArg(string);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, FilterArgumentsOrEval));
+Label bail;
+masm.branchIfFalseBool(ReturnReg, &bail);
+return bailoutFrom(&bail, lir->snapshot());
+}
+bool
+CodeGenerator::visitFilterArgumentsOrEvalS(LFilterArgumentsOrEvalS *lir)
+{
+return emitFilterArgumentsOrEval(lir, ToRegister(lir->getString()),
+ToRegister(lir->temp1()),
+ToRegister(lir->temp2()));
+}
+bool
+CodeGenerator::visitFilterArgumentsOrEvalV(LFilterArgumentsOrEvalV *lir)
+{
+ValueOperand input = ToValue(lir, LFilterArgumentsOrEvalV::Input);
+// Act as nop on non-strings.
+Label done;
+masm.branchTestString(Assembler::NotEqual, input, &done);
+if (!emitFilterArgumentsOrEval(lir, masm.extractString(input, ToRegister(lir->temp3())),
+ToRegister(lir->temp1()), ToRegister(lir->temp2())))
+{
+return false;
+}
+masm.bind(&done);
+return true;
+}
+typedef bool (*DirectEvalSFn)(JSContext *, HandleObject, HandleScript, HandleValue, HandleString,
+jsbytecode *, MutableHandleValue);
+static const VMFunction DirectEvalStringInfo = FunctionInfo<DirectEvalSFn>(DirectEvalStringFromIon);
+bool
+CodeGenerator::visitCallDirectEvalS(LCallDirectEvalS *lir)
+{
+Register scopeChain = ToRegister(lir->getScopeChain());
+Register string = ToRegister(lir->getString());
+pushArg(ImmPtr(lir->mir()->pc()));
+pushArg(string);
+pushArg(ToValue(lir, LCallDirectEvalS::ThisValue));
+pushArg(ImmGCPtr(gen->info().script()));
+pushArg(scopeChain);
+return callVM(DirectEvalStringInfo, lir);
+}
+typedef bool (*DirectEvalVFn)(JSContext *, HandleObject, HandleScript, HandleValue, HandleValue,
+jsbytecode *, MutableHandleValue);
+static const VMFunction DirectEvalValueInfo = FunctionInfo<DirectEvalVFn>(DirectEvalValueFromIon);
+bool
+CodeGenerator::visitCallDirectEvalV(LCallDirectEvalV *lir)
+{
+Register scopeChain = ToRegister(lir->getScopeChain());
+pushArg(ImmPtr(lir->mir()->pc()));
+pushArg(ToValue(lir, LCallDirectEvalV::Argument));
+pushArg(ToValue(lir, LCallDirectEvalV::ThisValue));
+pushArg(ImmGCPtr(gen->info().script()));
+pushArg(scopeChain);
+return callVM(DirectEvalValueInfo, lir);
+}
+// Registers safe for use before generatePrologue().
+static const uint32_t EntryTempMask = Registers::TempMask & ~(1 << OsrFrameReg.code());
+bool
+CodeGenerator::generateArgumentsChecks(bool bailout)
+{
+// This function can be used the normal way to check the argument types,
+// before entering the function and bailout when arguments don't match.
+// For debug purpose, this is can also be used to force/check that the
+// arguments are correct. Upon fail it will hit a breakpoint.
+MIRGraph &mir = gen->graph();
+MResumePoint *rp = mir.entryResumePoint();
+// Reserve the amount of stack the actual frame will use. We have to undo
+// this before falling through to the method proper though, because the
+// monomorphic call case will bypass this entire path.
+masm.reserveStack(frameSize());
+// No registers are allocated yet, so it's safe to grab anything.
+Register temp = GeneralRegisterSet(EntryTempMask).getAny();
+CompileInfo &info = gen->info();
+Label miss;
+for (uint32_t i = info.startArgSlot(); i < info.endArgSlot(); i++) {
+// All initial parameters are guaranteed to be MParameters.
+MParameter *param = rp->getOperand(i)->toParameter();
+const types::TypeSet *types = param->resultTypeSet();
+if (!types || types->unknown())
+continue;
+// Calculate the offset on the stack of the argument.
+// (i - info.startArgSlot())    - Compute index of arg within arg vector.
+// ... * sizeof(Value)          - Scale by value size.
+// ArgToStackOffset(...)        - Compute displacement within arg vector.
+int32_t offset = ArgToStackOffset((i - info.startArgSlot()) * sizeof(Value));
+masm.guardTypeSet(Address(StackPointer, offset), types, temp, &miss);
+}
+if (miss.used()) {
+if (bailout) {
+if (!bailoutFrom(&miss, graph.entrySnapshot()))
+return false;
+} else {
+Label success;
+masm.jump(&success);
+masm.bind(&miss);
+masm.assumeUnreachable("Argument check fail.");
+masm.bind(&success);
+}
+}
+masm.freeStack(frameSize());
+return true;
+}
+// Out-of-line path to report over-recursed error and fail.
+class CheckOverRecursedFailure : public OutOfLineCodeBase<CodeGenerator>
+{
+LCheckOverRecursed *lir_;
+public:
+CheckOverRecursedFailure(LCheckOverRecursed *lir)
+: lir_(lir)
+{ }
+bool accept(CodeGenerator *codegen) {
+return codegen->visitCheckOverRecursedFailure(this);
+}
+LCheckOverRecursed *lir() const {
+return lir_;
+}
+};
+bool
+CodeGenerator::visitCheckOverRecursed(LCheckOverRecursed *lir)
+{
+// If we don't push anything on the stack, skip the check.
+if (omitOverRecursedCheck())
+return true;
+// Ensure that this frame will not cross the stack limit.
+// This is a weak check, justified by Ion using the C stack: we must always
+// be some distance away from the actual limit, since if the limit is
+// crossed, an error must be thrown, which requires more frames.
+//
+// It must always be possible to trespass past the stack limit.
+// Ion may legally place frames very close to the limit. Calling additional
+// C functions may then violate the limit without any checking.
+// Since Ion frames exist on the C stack, the stack limit may be
+// dynamically set by JS_SetThreadStackLimit() and JS_SetNativeStackQuota().
+const void *limitAddr = GetIonContext()->runtime->addressOfJitStackLimit();
+CheckOverRecursedFailure *ool = new(alloc()) CheckOverRecursedFailure(lir);
+if (!addOutOfLineCode(ool))
+return false;
+// Conditional forward (unlikely) branch to failure.
+masm.branchPtr(Assembler::AboveOrEqual, AbsoluteAddress(limitAddr), StackPointer, ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+typedef bool (*DefVarOrConstFn)(JSContext *, HandlePropertyName, unsigned, HandleObject);
+static const VMFunction DefVarOrConstInfo =
+FunctionInfo<DefVarOrConstFn>(DefVarOrConst);
+bool
+CodeGenerator::visitDefVar(LDefVar *lir)
+{
+Register scopeChain = ToRegister(lir->scopeChain());
+pushArg(scopeChain); // JSObject *
+pushArg(Imm32(lir->mir()->attrs())); // unsigned
+pushArg(ImmGCPtr(lir->mir()->name())); // PropertyName *
+if (!callVM(DefVarOrConstInfo, lir))
+return false;
+return true;
+}
+typedef bool (*DefFunOperationFn)(JSContext *, HandleScript, HandleObject, HandleFunction);
+static const VMFunction DefFunOperationInfo = FunctionInfo<DefFunOperationFn>(DefFunOperation);
+bool
+CodeGenerator::visitDefFun(LDefFun *lir)
+{
+Register scopeChain = ToRegister(lir->scopeChain());
+pushArg(ImmGCPtr(lir->mir()->fun()));
+pushArg(scopeChain);
+pushArg(ImmGCPtr(current->mir()->info().script()));
+return callVM(DefFunOperationInfo, lir);
+}
+typedef bool (*ReportOverRecursedFn)(JSContext *);
+static const VMFunction CheckOverRecursedInfo =
+FunctionInfo<ReportOverRecursedFn>(CheckOverRecursed);
+bool
+CodeGenerator::visitCheckOverRecursedFailure(CheckOverRecursedFailure *ool)
+{
+// The OOL path is hit if the recursion depth has been exceeded.
+// Throw an InternalError for over-recursion.
+// LFunctionEnvironment can appear before LCheckOverRecursed, so we have
+// to save all live registers to avoid crashes if CheckOverRecursed triggers
+// a GC.
+saveLive(ool->lir());
+if (!callVM(CheckOverRecursedInfo, ool->lir()))
+return false;
+restoreLive(ool->lir());
+masm.jump(ool->rejoin());
+return true;
+}
+// Out-of-line path to report over-recursed error and fail.
+class CheckOverRecursedFailurePar : public OutOfLineCodeBase<CodeGenerator>
+{
+LCheckOverRecursedPar *lir_;
+public:
+CheckOverRecursedFailurePar(LCheckOverRecursedPar *lir)
+: lir_(lir)
+{ }
+bool accept(CodeGenerator *codegen) {
+return codegen->visitCheckOverRecursedFailurePar(this);
+}
+LCheckOverRecursedPar *lir() const {
+return lir_;
+}
+};
+bool
+CodeGenerator::visitCheckOverRecursedPar(LCheckOverRecursedPar *lir)
+{
+// See above: unlike visitCheckOverRecursed(), this code runs in
+// parallel mode and hence uses the jitStackLimit from the current
+// thread state.  Also, we must check the interrupt flags because
+// on interrupt or abort, only the stack limit for the main thread
+// is reset, not the worker threads.  See comment in vm/ForkJoin.h
+// for more details.
+Register cxReg = ToRegister(lir->forkJoinContext());
+Register tempReg = ToRegister(lir->getTempReg());
+masm.loadPtr(Address(cxReg, offsetof(ForkJoinContext, perThreadData)), tempReg);
+masm.loadPtr(Address(tempReg, offsetof(PerThreadData, jitStackLimit)), tempReg);
+// Conditional forward (unlikely) branch to failure.
+CheckOverRecursedFailurePar *ool = new(alloc()) CheckOverRecursedFailurePar(lir);
+if (!addOutOfLineCode(ool))
+return false;
+masm.branchPtr(Assembler::BelowOrEqual, StackPointer, tempReg, ool->entry());
+masm.checkInterruptFlagPar(tempReg, ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitCheckOverRecursedFailurePar(CheckOverRecursedFailurePar *ool)
+{
+OutOfLinePropagateAbortPar *bail = oolPropagateAbortPar(ool->lir());
+if (!bail)
+return false;
+// Avoid saving/restoring the temp register since we will put the
+// ReturnReg into it below and we don't want to clobber that
+// during PopRegsInMask():
+LCheckOverRecursedPar *lir = ool->lir();
+Register tempReg = ToRegister(lir->getTempReg());
+RegisterSet saveSet(lir->safepoint()->liveRegs());
+saveSet.takeUnchecked(tempReg);
+masm.PushRegsInMask(saveSet);
+masm.movePtr(ToRegister(lir->forkJoinContext()), CallTempReg0);
+masm.setupUnalignedABICall(1, CallTempReg1);
+masm.passABIArg(CallTempReg0);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, CheckOverRecursedPar));
+masm.movePtr(ReturnReg, tempReg);
+masm.PopRegsInMask(saveSet);
+masm.branchIfFalseBool(tempReg, bail->entry());
+masm.jump(ool->rejoin());
+return true;
+}
+// Out-of-line path to report over-recursed error and fail.
+class OutOfLineInterruptCheckPar : public OutOfLineCodeBase<CodeGenerator>
+{
+public:
+LInterruptCheckPar *const lir;
+OutOfLineInterruptCheckPar(LInterruptCheckPar *lir)
+: lir(lir)
+{ }
+bool accept(CodeGenerator *codegen) {
+return codegen->visitOutOfLineInterruptCheckPar(this);
+}
+};
+bool
+CodeGenerator::visitInterruptCheckPar(LInterruptCheckPar *lir)
+{
+// First check for cx->shared->interrupt_.
+OutOfLineInterruptCheckPar *ool = new(alloc()) OutOfLineInterruptCheckPar(lir);
+if (!addOutOfLineCode(ool))
+return false;
+Register tempReg = ToRegister(lir->getTempReg());
+masm.checkInterruptFlagPar(tempReg, ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitOutOfLineInterruptCheckPar(OutOfLineInterruptCheckPar *ool)
+{
+OutOfLinePropagateAbortPar *bail = oolPropagateAbortPar(ool->lir);
+if (!bail)
+return false;
+// Avoid saving/restoring the temp register since we will put the
+// ReturnReg into it below and we don't want to clobber that
+// during PopRegsInMask():
+LInterruptCheckPar *lir = ool->lir;
+Register tempReg = ToRegister(lir->getTempReg());
+RegisterSet saveSet(lir->safepoint()->liveRegs());
+saveSet.takeUnchecked(tempReg);
+masm.PushRegsInMask(saveSet);
+masm.movePtr(ToRegister(ool->lir->forkJoinContext()), CallTempReg0);
+masm.setupUnalignedABICall(1, CallTempReg1);
+masm.passABIArg(CallTempReg0);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, InterruptCheckPar));
+masm.movePtr(ReturnReg, tempReg);
+masm.PopRegsInMask(saveSet);
+masm.branchIfFalseBool(tempReg, bail->entry());
+masm.jump(ool->rejoin());
+return true;
+}
+IonScriptCounts *
+CodeGenerator::maybeCreateScriptCounts()
+{
+// If scripts are being profiled, create a new IonScriptCounts and attach
+// it to the script. This must be done on the main thread.
+JSContext *cx = GetIonContext()->cx;
+if (!cx || !cx->runtime()->profilingScripts)
+return nullptr;
+CompileInfo *outerInfo = &gen->info();
+JSScript *script = outerInfo->script();
+if (!script)
+return nullptr;
+if (!script->hasScriptCounts() && !script->initScriptCounts(cx))
+return nullptr;
+IonScriptCounts *counts = js_new<IonScriptCounts>();
+if (!counts || !counts->init(graph.numBlocks())) {
+js_delete(counts);
+return nullptr;
+}
+for (size_t i = 0; i < graph.numBlocks(); i++) {
+MBasicBlock *block = graph.getBlock(i)->mir();
+// Find a PC offset in the outermost script to use. If this block
+// is from an inlined script, find a location in the outer script
+// to associate information about the inlining with.
+MResumePoint *resume = block->entryResumePoint();
+while (resume->caller())
+resume = resume->caller();
+uint32_t offset = script->pcToOffset(resume->pc());
+if (!counts->block(i).init(block->id(), offset, block->numSuccessors())) {
+js_delete(counts);
+return nullptr;
+}
+for (size_t j = 0; j < block->numSuccessors(); j++)
+counts->block(i).setSuccessor(j, block->getSuccessor(j)->id());
+}
+script->addIonCounts(counts);
+return counts;
+}
+// Structure for managing the state tracked for a block by script counters.
+struct ScriptCountBlockState
+{
+IonBlockCounts &block;
+MacroAssembler &masm;
+Sprinter printer;
+public:
+ScriptCountBlockState(IonBlockCounts *block, MacroAssembler *masm)
+: block(*block), masm(*masm), printer(GetIonContext()->cx)
+{
+}
+bool init()
+{
+if (!printer.init())
+return false;
+// Bump the hit count for the block at the start. This code is not
+// included in either the text for the block or the instruction byte
+// counts.
+masm.inc64(AbsoluteAddress(block.addressOfHitCount()));
+// Collect human readable assembly for the code generated in the block.
+masm.setPrinter(&printer);
+return true;
+}
+void visitInstruction(LInstruction *ins)
+{
+// Prefix stream of assembly instructions with their LIR instruction
+// name and any associated high level info.
+if (const char *extra = ins->extraName())
+printer.printf("[%s:%s]\n", ins->opName(), extra);
+else
+printer.printf("[%s]\n", ins->opName());
+}
+~ScriptCountBlockState()
+{
+masm.setPrinter(nullptr);
+block.setCode(printer.string());
+}
+};
+#ifdef DEBUG
+bool
+CodeGenerator::branchIfInvalidated(Register temp, Label *invalidated)
+{
+CodeOffsetLabel label = masm.movWithPatch(ImmWord(uintptr_t(-1)), temp);
+if (!ionScriptLabels_.append(label))
+return false;
+// If IonScript::refcount != 0, the script has been invalidated.
+masm.branch32(Assembler::NotEqual,
+Address(temp, IonScript::offsetOfRefcount()),
+Imm32(0),
+invalidated);
+return true;
+}
+bool
+CodeGenerator::emitObjectOrStringResultChecks(LInstruction *lir, MDefinition *mir)
+{
+if (lir->numDefs() == 0)
+return true;
+JS_ASSERT(lir->numDefs() == 1);
+Register output = ToRegister(lir->getDef(0));
+GeneralRegisterSet regs(GeneralRegisterSet::All());
+regs.take(output);
+Register temp = regs.takeAny();
+masm.push(temp);
+// Don't check if the script has been invalidated. In that case invalid
+// types are expected (until we reach the OsiPoint and bailout).
+Label done;
+if (!branchIfInvalidated(temp, &done))
+return false;
+if (mir->type() == MIRType_Object &&
+mir->resultTypeSet() &&
+!mir->resultTypeSet()->unknownObject())
+{
+// We have a result TypeSet, assert this object is in it.
+Label miss, ok;
+if (mir->resultTypeSet()->getObjectCount() > 0)
+masm.guardObjectType(output, mir->resultTypeSet(), temp, &miss);
+else
+masm.jump(&miss);
+masm.jump(&ok);
+masm.bind(&miss);
+masm.assumeUnreachable("MIR instruction returned object with unexpected type");
+masm.bind(&ok);
+}
+// Check that we have a valid GC pointer.
+if (gen->info().executionMode() != ParallelExecution) {
+saveVolatile();
+masm.setupUnalignedABICall(2, temp);
+masm.loadJSContext(temp);
+masm.passABIArg(temp);
+masm.passABIArg(output);
+masm.callWithABINoProfiling(mir->type() == MIRType_Object
+? JS_FUNC_TO_DATA_PTR(void *, AssertValidObjectPtr)
+: JS_FUNC_TO_DATA_PTR(void *, AssertValidStringPtr));
+restoreVolatile();
+}
+masm.bind(&done);
+masm.pop(temp);
+return true;
+}
+bool
+CodeGenerator::emitValueResultChecks(LInstruction *lir, MDefinition *mir)
+{
+if (lir->numDefs() == 0)
+return true;
+JS_ASSERT(lir->numDefs() == BOX_PIECES);
+if (!lir->getDef(0)->output()->isRegister())
+return true;
+ValueOperand output = ToOutValue(lir);
+GeneralRegisterSet regs(GeneralRegisterSet::All());
+regs.take(output);
+Register temp1 = regs.takeAny();
+Register temp2 = regs.takeAny();
+masm.push(temp1);
+masm.push(temp2);
+// Don't check if the script has been invalidated. In that case invalid
+// types are expected (until we reach the OsiPoint and bailout).
+Label done;
+if (!branchIfInvalidated(temp1, &done))
+return false;
+if (mir->resultTypeSet() && !mir->resultTypeSet()->unknown()) {
+// We have a result TypeSet, assert this value is in it.
+Label miss, ok;
+masm.guardTypeSet(output, mir->resultTypeSet(), temp1, &miss);
+masm.jump(&ok);
+masm.bind(&miss);
+masm.assumeUnreachable("MIR instruction returned value with unexpected type");
+masm.bind(&ok);
+}
+// Check that we have a valid GC pointer.
+if (gen->info().executionMode() != ParallelExecution) {
+saveVolatile();
+masm.pushValue(output);
+masm.movePtr(StackPointer, temp1);
+masm.setupUnalignedABICall(2, temp2);
+masm.loadJSContext(temp2);
+masm.passABIArg(temp2);
+masm.passABIArg(temp1);
+masm.callWithABINoProfiling(JS_FUNC_TO_DATA_PTR(void *, AssertValidValue));
+masm.popValue(output);
+restoreVolatile();
+}
+masm.bind(&done);
+masm.pop(temp2);
+masm.pop(temp1);
+return true;
+}
+bool
+CodeGenerator::emitDebugResultChecks(LInstruction *ins)
+{
+// In debug builds, check that LIR instructions return valid values.
+MDefinition *mir = ins->mirRaw();
+if (!mir)
+return true;
+switch (mir->type()) {
+case MIRType_Object:
+case MIRType_String:
+return emitObjectOrStringResultChecks(ins, mir);
+case MIRType_Value:
+return emitValueResultChecks(ins, mir);
+default:
+return true;
+}
+}
+#endif
+bool
+CodeGenerator::generateBody()
+{
+IonScriptCounts *counts = maybeCreateScriptCounts();
+#if defined(JS_ION_PERF)
+PerfSpewer *perfSpewer = &perfSpewer_;
+if (gen->compilingAsmJS())
+perfSpewer = &gen->perfSpewer();
+#endif
+for (size_t i = 0; i < graph.numBlocks(); i++) {
+current = graph.getBlock(i);
+masm.bind(current->label());
+mozilla::Maybe<ScriptCountBlockState> blockCounts;
+if (counts) {
+blockCounts.construct(&counts->block(i), &masm);
+if (!blockCounts.ref().init())
+return false;
+}
+#if defined(JS_ION_PERF)
+perfSpewer->startBasicBlock(current->mir(), masm);
+#endif
+for (LInstructionIterator iter = current->begin(); iter != current->end(); iter++) {
+IonSpewStart(IonSpew_Codegen, "instruction %s", iter->opName());
+#ifdef DEBUG
+if (const char *extra = iter->extraName())
+IonSpewCont(IonSpew_Codegen, ":%s", extra);
+#endif
+IonSpewFin(IonSpew_Codegen);
+if (counts)
+blockCounts.ref().visitInstruction(*iter);
+if (iter->safepoint() && pushedArgumentSlots_.length()) {
+if (!markArgumentSlots(iter->safepoint()))
+return false;
+}
+#ifdef CHECK_OSIPOINT_REGISTERS
+if (iter->safepoint())
+resetOsiPointRegs(iter->safepoint());
+#endif
+if (!callTraceLIR(i, *iter))
+return false;
+if (!iter->accept(this))
+return false;
+#ifdef DEBUG
+if (!emitDebugResultChecks(*iter))
+return false;
+#endif
+}
+if (masm.oom())
+return false;
+#if defined(JS_ION_PERF)
+perfSpewer->endBasicBlock(masm);
+#endif
+}
+JS_ASSERT(pushedArgumentSlots_.empty());
+return true;
+}
+// Out-of-line object allocation for LNewArray.
+class OutOfLineNewArray : public OutOfLineCodeBase<CodeGenerator>
+{
+LNewArray *lir_;
+public:
+OutOfLineNewArray(LNewArray *lir)
+: lir_(lir)
+{ }
+bool accept(CodeGenerator *codegen) {
+return codegen->visitOutOfLineNewArray(this);
+}
+LNewArray *lir() const {
+return lir_;
+}
+};
+typedef JSObject *(*NewInitArrayFn)(JSContext *, uint32_t, types::TypeObject *);
+static const VMFunction NewInitArrayInfo =
+FunctionInfo<NewInitArrayFn>(NewInitArray);
+bool
+CodeGenerator::visitNewArrayCallVM(LNewArray *lir)
+{
+JS_ASSERT(gen->info().executionMode() == SequentialExecution);
+Register objReg = ToRegister(lir->output());
+JS_ASSERT(!lir->isCall());
+saveLive(lir);
+JSObject *templateObject = lir->mir()->templateObject();
+types::TypeObject *type =
+templateObject->hasSingletonType() ? nullptr : templateObject->type();
+pushArg(ImmGCPtr(type));
+pushArg(Imm32(lir->mir()->count()));
+if (!callVM(NewInitArrayInfo, lir))
+return false;
+if (ReturnReg != objReg)
+masm.movePtr(ReturnReg, objReg);
+restoreLive(lir);
+return true;
+}
+typedef JSObject *(*NewDerivedTypedObjectFn)(JSContext *,
+HandleObject type,
+HandleObject owner,
+int32_t offset);
+static const VMFunction CreateDerivedTypedObjInfo =
+FunctionInfo<NewDerivedTypedObjectFn>(CreateDerivedTypedObj);
+bool
+CodeGenerator::visitNewDerivedTypedObject(LNewDerivedTypedObject *lir)
+{
+// Not yet made safe for par exec:
+JS_ASSERT(gen->info().executionMode() == SequentialExecution);
+pushArg(ToRegister(lir->offset()));
+pushArg(ToRegister(lir->owner()));
+pushArg(ToRegister(lir->type()));
+return callVM(CreateDerivedTypedObjInfo, lir);
+}
+bool
+CodeGenerator::visitNewSlots(LNewSlots *lir)
+{
+Register temp1 = ToRegister(lir->temp1());
+Register temp2 = ToRegister(lir->temp2());
+Register temp3 = ToRegister(lir->temp3());
+Register output = ToRegister(lir->output());
+masm.mov(ImmPtr(GetIonContext()->runtime), temp1);
+masm.mov(ImmWord(lir->mir()->nslots()), temp2);
+masm.setupUnalignedABICall(2, temp3);
+masm.passABIArg(temp1);
+masm.passABIArg(temp2);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, NewSlots));
+if (!bailoutTestPtr(Assembler::Zero, output, output, lir->snapshot()))
+return false;
+return true;
+}
+bool CodeGenerator::visitAtan2D(LAtan2D *lir)
+{
+Register temp = ToRegister(lir->temp());
+FloatRegister y = ToFloatRegister(lir->y());
+FloatRegister x = ToFloatRegister(lir->x());
+masm.setupUnalignedABICall(2, temp);
+masm.passABIArg(y, MoveOp::DOUBLE);
+masm.passABIArg(x, MoveOp::DOUBLE);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, ecmaAtan2), MoveOp::DOUBLE);
+JS_ASSERT(ToFloatRegister(lir->output()) == ReturnFloatReg);
+return true;
+}
+bool CodeGenerator::visitHypot(LHypot *lir)
+{
+Register temp = ToRegister(lir->temp());
+FloatRegister x = ToFloatRegister(lir->x());
+FloatRegister y = ToFloatRegister(lir->y());
+masm.setupUnalignedABICall(2, temp);
+masm.passABIArg(x, MoveOp::DOUBLE);
+masm.passABIArg(y, MoveOp::DOUBLE);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, ecmaHypot), MoveOp::DOUBLE);
+JS_ASSERT(ToFloatRegister(lir->output()) == ReturnFloatReg);
+return true;
+}
+bool
+CodeGenerator::visitNewArray(LNewArray *lir)
+{
+JS_ASSERT(gen->info().executionMode() == SequentialExecution);
+Register objReg = ToRegister(lir->output());
+Register tempReg = ToRegister(lir->temp());
+JSObject *templateObject = lir->mir()->templateObject();
+DebugOnly<uint32_t> count = lir->mir()->count();
+JS_ASSERT(count < JSObject::NELEMENTS_LIMIT);
+if (lir->mir()->shouldUseVM())
+return visitNewArrayCallVM(lir);
+OutOfLineNewArray *ool = new(alloc()) OutOfLineNewArray(lir);
+if (!addOutOfLineCode(ool))
+return false;
+masm.newGCThing(objReg, tempReg, templateObject, ool->entry(), lir->mir()->initialHeap());
+masm.initGCThing(objReg, tempReg, templateObject);
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitOutOfLineNewArray(OutOfLineNewArray *ool)
+{
+if (!visitNewArrayCallVM(ool->lir()))
+return false;
+masm.jump(ool->rejoin());
+return true;
+}
+// Out-of-line object allocation for JSOP_NEWOBJECT.
+class OutOfLineNewObject : public OutOfLineCodeBase<CodeGenerator>
+{
+LNewObject *lir_;
+public:
+OutOfLineNewObject(LNewObject *lir)
+: lir_(lir)
+{ }
+bool accept(CodeGenerator *codegen) {
+return codegen->visitOutOfLineNewObject(this);
+}
+LNewObject *lir() const {
+return lir_;
+}
+};
+typedef JSObject *(*NewInitObjectFn)(JSContext *, HandleObject);
+static const VMFunction NewInitObjectInfo = FunctionInfo<NewInitObjectFn>(NewInitObject);
+typedef JSObject *(*NewInitObjectWithClassPrototypeFn)(JSContext *, HandleObject);
+static const VMFunction NewInitObjectWithClassPrototypeInfo =
+FunctionInfo<NewInitObjectWithClassPrototypeFn>(NewInitObjectWithClassPrototype);
+bool
+CodeGenerator::visitNewObjectVMCall(LNewObject *lir)
+{
+JS_ASSERT(gen->info().executionMode() == SequentialExecution);
+Register objReg = ToRegister(lir->output());
+JS_ASSERT(!lir->isCall());
+saveLive(lir);
+pushArg(ImmGCPtr(lir->mir()->templateObject()));
+// If we're making a new object with a class prototype (that is, an object
+// that derives its class from its prototype instead of being
+// JSObject::class_'d) from self-hosted code, we need a different init
+// function.
+if (lir->mir()->templateObjectIsClassPrototype()) {
+if (!callVM(NewInitObjectWithClassPrototypeInfo, lir))
+return false;
+} else if (!callVM(NewInitObjectInfo, lir)) {
+return false;
+}
+if (ReturnReg != objReg)
+masm.movePtr(ReturnReg, objReg);
+restoreLive(lir);
+return true;
+}
+bool
+CodeGenerator::visitNewObject(LNewObject *lir)
+{
+JS_ASSERT(gen->info().executionMode() == SequentialExecution);
+Register objReg = ToRegister(lir->output());
+Register tempReg = ToRegister(lir->temp());
+JSObject *templateObject = lir->mir()->templateObject();
+if (lir->mir()->shouldUseVM())
+return visitNewObjectVMCall(lir);
+OutOfLineNewObject *ool = new(alloc()) OutOfLineNewObject(lir);
+if (!addOutOfLineCode(ool))
+return false;
+masm.newGCThing(objReg, tempReg, templateObject, ool->entry(), lir->mir()->initialHeap());
+masm.initGCThing(objReg, tempReg, templateObject);
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitOutOfLineNewObject(OutOfLineNewObject *ool)
+{
+if (!visitNewObjectVMCall(ool->lir()))
+return false;
+masm.jump(ool->rejoin());
+return true;
+}
+typedef js::DeclEnvObject *(*NewDeclEnvObjectFn)(JSContext *, HandleFunction, gc::InitialHeap);
+static const VMFunction NewDeclEnvObjectInfo =
+FunctionInfo<NewDeclEnvObjectFn>(DeclEnvObject::createTemplateObject);
+bool
+CodeGenerator::visitNewDeclEnvObject(LNewDeclEnvObject *lir)
+{
+Register objReg = ToRegister(lir->output());
+Register tempReg = ToRegister(lir->temp());
+JSObject *templateObj = lir->mir()->templateObj();
+CompileInfo &info = lir->mir()->block()->info();
+// If we have a template object, we can inline call object creation.
+OutOfLineCode *ool = oolCallVM(NewDeclEnvObjectInfo, lir,
+(ArgList(), ImmGCPtr(info.funMaybeLazy()),
+Imm32(gc::DefaultHeap)),
+StoreRegisterTo(objReg));
+if (!ool)
+return false;
+masm.newGCThing(objReg, tempReg, templateObj, ool->entry(), gc::DefaultHeap);
+masm.initGCThing(objReg, tempReg, templateObj);
+masm.bind(ool->rejoin());
+return true;
+}
+typedef JSObject *(*NewCallObjectFn)(JSContext *, HandleShape, HandleTypeObject, HeapSlot *);
+static const VMFunction NewCallObjectInfo =
+FunctionInfo<NewCallObjectFn>(NewCallObject);
+bool
+CodeGenerator::visitNewCallObject(LNewCallObject *lir)
+{
+Register objReg = ToRegister(lir->output());
+Register tempReg = ToRegister(lir->temp());
+JSObject *templateObj = lir->mir()->templateObject();
+OutOfLineCode *ool;
+if (lir->slots()->isRegister()) {
+ool = oolCallVM(NewCallObjectInfo, lir,
+(ArgList(), ImmGCPtr(templateObj->lastProperty()),
+ImmGCPtr(templateObj->type()),
+ToRegister(lir->slots())),
+StoreRegisterTo(objReg));
+} else {
+ool = oolCallVM(NewCallObjectInfo, lir,
+(ArgList(), ImmGCPtr(templateObj->lastProperty()),
+ImmGCPtr(templateObj->type()),
+ImmPtr(nullptr)),
+StoreRegisterTo(objReg));
+}
+if (!ool)
+return false;
+#ifdef JSGC_GENERATIONAL
+if (templateObj->hasDynamicSlots()) {
+// Slot initialization is unbarriered in this case, so we must either
+// allocate in the nursery or bail if that is not possible.
+masm.jump(ool->entry());
+} else
+#endif
+{
+// Inline call object creation, using the OOL path only for tricky cases.
+masm.newGCThing(objReg, tempReg, templateObj, ool->entry(), gc::DefaultHeap);
+masm.initGCThing(objReg, tempReg, templateObj);
+}
+if (lir->slots()->isRegister())
+masm.storePtr(ToRegister(lir->slots()), Address(objReg, JSObject::offsetOfSlots()));
+masm.bind(ool->rejoin());
+return true;
+}
+typedef JSObject *(*NewSingletonCallObjectFn)(JSContext *, HandleShape, HeapSlot *);
+static const VMFunction NewSingletonCallObjectInfo =
+FunctionInfo<NewSingletonCallObjectFn>(NewSingletonCallObject);
+bool
+CodeGenerator::visitNewSingletonCallObject(LNewSingletonCallObject *lir)
+{
+Register objReg = ToRegister(lir->output());
+JSObject *templateObj = lir->mir()->templateObject();
+OutOfLineCode *ool;
+if (lir->slots()->isRegister()) {
+ool = oolCallVM(NewSingletonCallObjectInfo, lir,
+(ArgList(), ImmGCPtr(templateObj->lastProperty()),
+ToRegister(lir->slots())),
+StoreRegisterTo(objReg));
+} else {
+ool = oolCallVM(NewSingletonCallObjectInfo, lir,
+(ArgList(), ImmGCPtr(templateObj->lastProperty()),
+ImmPtr(nullptr)),
+StoreRegisterTo(objReg));
+}
+if (!ool)
+return false;
+// Objects can only be given singleton types in VM calls.  We make the call
+// out of line to not bloat inline code, even if (naively) this seems like
+// extra work.
+masm.jump(ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitNewCallObjectPar(LNewCallObjectPar *lir)
+{
+Register resultReg = ToRegister(lir->output());
+Register cxReg = ToRegister(lir->forkJoinContext());
+Register tempReg1 = ToRegister(lir->getTemp0());
+Register tempReg2 = ToRegister(lir->getTemp1());
+JSObject *templateObj = lir->mir()->templateObj();
+emitAllocateGCThingPar(lir, resultReg, cxReg, tempReg1, tempReg2, templateObj);
+// NB: !lir->slots()->isRegister() implies that there is no slots
+// array at all, and the memory is already zeroed when copying
+// from the template object
+if (lir->slots()->isRegister()) {
+Register slotsReg = ToRegister(lir->slots());
+JS_ASSERT(slotsReg != resultReg);
+masm.storePtr(slotsReg, Address(resultReg, JSObject::offsetOfSlots()));
+}
+return true;
+}
+bool
+CodeGenerator::visitNewDenseArrayPar(LNewDenseArrayPar *lir)
+{
+Register cxReg = ToRegister(lir->forkJoinContext());
+Register lengthReg = ToRegister(lir->length());
+Register tempReg0 = ToRegister(lir->getTemp0());
+Register tempReg1 = ToRegister(lir->getTemp1());
+Register tempReg2 = ToRegister(lir->getTemp2());
+JSObject *templateObj = lir->mir()->templateObject();
+// Allocate the array into tempReg2.  Don't use resultReg because it
+// may alias cxReg etc.
+emitAllocateGCThingPar(lir, tempReg2, cxReg, tempReg0, tempReg1, templateObj);
+// Invoke a C helper to allocate the elements.  For convenience,
+// this helper also returns the array back to us, or nullptr, which
+// obviates the need to preserve the register across the call.  In
+// reality, we should probably just have the C helper also
+// *allocate* the array, but that would require that it initialize
+// the various fields of the object, and I didn't want to
+// duplicate the code in initGCThing() that already does such an
+// admirable job.
+masm.setupUnalignedABICall(3, tempReg0);
+masm.passABIArg(cxReg);
+masm.passABIArg(tempReg2);
+masm.passABIArg(lengthReg);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, ExtendArrayPar));
+Register resultReg = ToRegister(lir->output());
+JS_ASSERT(resultReg == ReturnReg);
+OutOfLineAbortPar *bail = oolAbortPar(ParallelBailoutOutOfMemory, lir);
+if (!bail)
+return false;
+masm.branchTestPtr(Assembler::Zero, resultReg, resultReg, bail->entry());
+return true;
+}
+typedef JSObject *(*NewStringObjectFn)(JSContext *, HandleString);
+static const VMFunction NewStringObjectInfo = FunctionInfo<NewStringObjectFn>(NewStringObject);
+bool
+CodeGenerator::visitNewStringObject(LNewStringObject *lir)
+{
+Register input = ToRegister(lir->input());
+Register output = ToRegister(lir->output());
+Register temp = ToRegister(lir->temp());
+StringObject *templateObj = lir->mir()->templateObj();
+OutOfLineCode *ool = oolCallVM(NewStringObjectInfo, lir, (ArgList(), input),
+StoreRegisterTo(output));
+if (!ool)
+return false;
+masm.newGCThing(output, temp, templateObj, ool->entry(), gc::DefaultHeap);
+masm.initGCThing(output, temp, templateObj);
+masm.loadStringLength(input, temp);
+masm.storeValue(JSVAL_TYPE_STRING, input, Address(output, StringObject::offsetOfPrimitiveValue()));
+masm.storeValue(JSVAL_TYPE_INT32, temp, Address(output, StringObject::offsetOfLength()));
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitNewPar(LNewPar *lir)
+{
+Register objReg = ToRegister(lir->output());
+Register cxReg = ToRegister(lir->forkJoinContext());
+Register tempReg1 = ToRegister(lir->getTemp0());
+Register tempReg2 = ToRegister(lir->getTemp1());
+JSObject *templateObject = lir->mir()->templateObject();
+emitAllocateGCThingPar(lir, objReg, cxReg, tempReg1, tempReg2, templateObject);
+return true;
+}
+class OutOfLineNewGCThingPar : public OutOfLineCodeBase<CodeGenerator>
+{
+public:
+LInstruction *lir;
+gc::AllocKind allocKind;
+Register objReg;
+Register cxReg;
+OutOfLineNewGCThingPar(LInstruction *lir, gc::AllocKind allocKind, Register objReg,
+Register cxReg)
+: lir(lir), allocKind(allocKind), objReg(objReg), cxReg(cxReg)
+{}
+bool accept(CodeGenerator *codegen) {
+return codegen->visitOutOfLineNewGCThingPar(this);
+}
+};
+bool
+CodeGenerator::emitAllocateGCThingPar(LInstruction *lir, Register objReg, Register cxReg,
+Register tempReg1, Register tempReg2, JSObject *templateObj)
+{
+gc::AllocKind allocKind = templateObj->tenuredGetAllocKind();
+OutOfLineNewGCThingPar *ool = new(alloc()) OutOfLineNewGCThingPar(lir, allocKind, objReg, cxReg);
+if (!ool || !addOutOfLineCode(ool))
+return false;
+masm.newGCThingPar(objReg, cxReg, tempReg1, tempReg2, templateObj, ool->entry());
+masm.bind(ool->rejoin());
+masm.initGCThing(objReg, tempReg1, templateObj);
+return true;
+}
+bool
+CodeGenerator::visitOutOfLineNewGCThingPar(OutOfLineNewGCThingPar *ool)
+{
+// As a fallback for allocation in par. exec. mode, we invoke the
+// C helper NewGCThingPar(), which calls into the GC code.  If it
+// returns nullptr, we bail.  If returns non-nullptr, we rejoin the
+// original instruction.
+Register out = ool->objReg;
+saveVolatile(out);
+masm.setupUnalignedABICall(2, out);
+masm.passABIArg(ool->cxReg);
+masm.move32(Imm32(ool->allocKind), out);
+masm.passABIArg(out);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, NewGCThingPar));
+masm.storeCallResult(out);
+restoreVolatile(out);
+OutOfLineAbortPar *bail = oolAbortPar(ParallelBailoutOutOfMemory, ool->lir);
+if (!bail)
+return false;
+masm.branchTestPtr(Assembler::Zero, out, out, bail->entry());
+masm.jump(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitAbortPar(LAbortPar *lir)
+{
+OutOfLineAbortPar *bail = oolAbortPar(ParallelBailoutUnsupported, lir);
+if (!bail)
+return false;
+masm.jump(bail->entry());
+return true;
+}
+typedef bool(*InitElemFn)(JSContext *cx, HandleObject obj,
+HandleValue id, HandleValue value);
+static const VMFunction InitElemInfo =
+FunctionInfo<InitElemFn>(InitElemOperation);
+bool
+CodeGenerator::visitInitElem(LInitElem *lir)
+{
+Register objReg = ToRegister(lir->getObject());
+pushArg(ToValue(lir, LInitElem::ValueIndex));
+pushArg(ToValue(lir, LInitElem::IdIndex));
+pushArg(objReg);
+return callVM(InitElemInfo, lir);
+}
+typedef bool (*InitElemGetterSetterFn)(JSContext *, jsbytecode *, HandleObject, HandleValue,
+HandleObject);
+static const VMFunction InitElemGetterSetterInfo =
+FunctionInfo<InitElemGetterSetterFn>(InitGetterSetterOperation);
+bool
+CodeGenerator::visitInitElemGetterSetter(LInitElemGetterSetter *lir)
+{
+Register obj = ToRegister(lir->object());
+Register value = ToRegister(lir->value());
+pushArg(value);
+pushArg(ToValue(lir, LInitElemGetterSetter::IdIndex));
+pushArg(obj);
+pushArg(ImmPtr(lir->mir()->resumePoint()->pc()));
+return callVM(InitElemGetterSetterInfo, lir);
+}
+typedef bool(*MutatePrototypeFn)(JSContext *cx, HandleObject obj, HandleValue value);
+static const VMFunction MutatePrototypeInfo =
+FunctionInfo<MutatePrototypeFn>(MutatePrototype);
+bool
+CodeGenerator::visitMutateProto(LMutateProto *lir)
+{
+Register objReg = ToRegister(lir->getObject());
+pushArg(ToValue(lir, LMutateProto::ValueIndex));
+pushArg(objReg);
+return callVM(MutatePrototypeInfo, lir);
+}
+typedef bool(*InitPropFn)(JSContext *cx, HandleObject obj,
+HandlePropertyName name, HandleValue value);
+static const VMFunction InitPropInfo =
+FunctionInfo<InitPropFn>(InitProp);
+bool
+CodeGenerator::visitInitProp(LInitProp *lir)
+{
+Register objReg = ToRegister(lir->getObject());
+pushArg(ToValue(lir, LInitProp::ValueIndex));
+pushArg(ImmGCPtr(lir->mir()->propertyName()));
+pushArg(objReg);
+return callVM(InitPropInfo, lir);
+}
+typedef bool(*InitPropGetterSetterFn)(JSContext *, jsbytecode *, HandleObject, HandlePropertyName,
+HandleObject);
+static const VMFunction InitPropGetterSetterInfo =
+FunctionInfo<InitPropGetterSetterFn>(InitGetterSetterOperation);
+bool
+CodeGenerator::visitInitPropGetterSetter(LInitPropGetterSetter *lir)
+{
+Register obj = ToRegister(lir->object());
+Register value = ToRegister(lir->value());
+pushArg(value);
+pushArg(ImmGCPtr(lir->mir()->name()));
+pushArg(obj);
+pushArg(ImmPtr(lir->mir()->resumePoint()->pc()));
+return callVM(InitPropGetterSetterInfo, lir);
+}
+typedef bool (*CreateThisFn)(JSContext *cx, HandleObject callee, MutableHandleValue rval);
+static const VMFunction CreateThisInfoCodeGen = FunctionInfo<CreateThisFn>(CreateThis);
+bool
+CodeGenerator::visitCreateThis(LCreateThis *lir)
+{
+const LAllocation *callee = lir->getCallee();
+if (callee->isConstant())
+pushArg(ImmGCPtr(&callee->toConstant()->toObject()));
+else
+pushArg(ToRegister(callee));
+return callVM(CreateThisInfoCodeGen, lir);
+}
+static JSObject *
+CreateThisForFunctionWithProtoWrapper(JSContext *cx, js::HandleObject callee, JSObject *proto)
+{
+return CreateThisForFunctionWithProto(cx, callee, proto);
+}
+typedef JSObject *(*CreateThisWithProtoFn)(JSContext *cx, HandleObject callee, JSObject *proto);
+static const VMFunction CreateThisWithProtoInfo =
+FunctionInfo<CreateThisWithProtoFn>(CreateThisForFunctionWithProtoWrapper);
+bool
+CodeGenerator::visitCreateThisWithProto(LCreateThisWithProto *lir)
+{
+const LAllocation *callee = lir->getCallee();
+const LAllocation *proto = lir->getPrototype();
+if (proto->isConstant())
+pushArg(ImmGCPtr(&proto->toConstant()->toObject()));
+else
+pushArg(ToRegister(proto));
+if (callee->isConstant())
+pushArg(ImmGCPtr(&callee->toConstant()->toObject()));
+else
+pushArg(ToRegister(callee));
+return callVM(CreateThisWithProtoInfo, lir);
+}
+typedef JSObject *(*NewGCObjectFn)(JSContext *cx, gc::AllocKind allocKind,
+gc::InitialHeap initialHeap);
+static const VMFunction NewGCObjectInfo =
+FunctionInfo<NewGCObjectFn>(js::jit::NewGCObject);
+bool
+CodeGenerator::visitCreateThisWithTemplate(LCreateThisWithTemplate *lir)
+{
+JSObject *templateObject = lir->mir()->templateObject();
+gc::AllocKind allocKind = templateObject->tenuredGetAllocKind();
+gc::InitialHeap initialHeap = lir->mir()->initialHeap();
+Register objReg = ToRegister(lir->output());
+Register tempReg = ToRegister(lir->temp());
+OutOfLineCode *ool = oolCallVM(NewGCObjectInfo, lir,
+(ArgList(), Imm32(allocKind), Imm32(initialHeap)),
+StoreRegisterTo(objReg));
+if (!ool)
+return false;
+// Allocate. If the FreeList is empty, call to VM, which may GC.
+masm.newGCThing(objReg, tempReg, templateObject, ool->entry(), lir->mir()->initialHeap());
+// Initialize based on the templateObject.
+masm.bind(ool->rejoin());
+masm.initGCThing(objReg, tempReg, templateObject);
+return true;
+}
+typedef JSObject *(*NewIonArgumentsObjectFn)(JSContext *cx, IonJSFrameLayout *frame, HandleObject);
+static const VMFunction NewIonArgumentsObjectInfo =
+FunctionInfo<NewIonArgumentsObjectFn>((NewIonArgumentsObjectFn) ArgumentsObject::createForIon);
+bool
+CodeGenerator::visitCreateArgumentsObject(LCreateArgumentsObject *lir)
+{
+// This should be getting constructed in the first block only, and not any OSR entry blocks.
+JS_ASSERT(lir->mir()->block()->id() == 0);
+const LAllocation *callObj = lir->getCallObject();
+Register temp = ToRegister(lir->getTemp(0));
+masm.movePtr(StackPointer, temp);
+masm.addPtr(Imm32(frameSize()), temp);
+pushArg(ToRegister(callObj));
+pushArg(temp);
+return callVM(NewIonArgumentsObjectInfo, lir);
+}
+bool
+CodeGenerator::visitGetArgumentsObjectArg(LGetArgumentsObjectArg *lir)
+{
+Register temp = ToRegister(lir->getTemp(0));
+Register argsObj = ToRegister(lir->getArgsObject());
+ValueOperand out = ToOutValue(lir);
+masm.loadPrivate(Address(argsObj, ArgumentsObject::getDataSlotOffset()), temp);
+Address argAddr(temp, ArgumentsData::offsetOfArgs() + lir->mir()->argno() * sizeof(Value));
+masm.loadValue(argAddr, out);
+#ifdef DEBUG
+Label success;
+masm.branchTestMagic(Assembler::NotEqual, out, &success);
+masm.assumeUnreachable("Result from ArgumentObject shouldn't be JSVAL_TYPE_MAGIC.");
+masm.bind(&success);
+#endif
+return true;
+}
+bool
+CodeGenerator::visitSetArgumentsObjectArg(LSetArgumentsObjectArg *lir)
+{
+Register temp = ToRegister(lir->getTemp(0));
+Register argsObj = ToRegister(lir->getArgsObject());
+ValueOperand value = ToValue(lir, LSetArgumentsObjectArg::ValueIndex);
+masm.loadPrivate(Address(argsObj, ArgumentsObject::getDataSlotOffset()), temp);
+Address argAddr(temp, ArgumentsData::offsetOfArgs() + lir->mir()->argno() * sizeof(Value));
+emitPreBarrier(argAddr, MIRType_Value);
+#ifdef DEBUG
+Label success;
+masm.branchTestMagic(Assembler::NotEqual, argAddr, &success);
+masm.assumeUnreachable("Result in ArgumentObject shouldn't be JSVAL_TYPE_MAGIC.");
+masm.bind(&success);
+#endif
+masm.storeValue(value, argAddr);
+return true;
+}
+bool
+CodeGenerator::visitReturnFromCtor(LReturnFromCtor *lir)
+{
+ValueOperand value = ToValue(lir, LReturnFromCtor::ValueIndex);
+Register obj = ToRegister(lir->getObject());
+Register output = ToRegister(lir->output());
+Label valueIsObject, end;
+masm.branchTestObject(Assembler::Equal, value, &valueIsObject);
+// Value is not an object. Return that other object.
+masm.movePtr(obj, output);
+masm.jump(&end);
+// Value is an object. Return unbox(Value).
+masm.bind(&valueIsObject);
+Register payload = masm.extractObject(value, output);
+if (payload != output)
+masm.movePtr(payload, output);
+masm.bind(&end);
+return true;
+}
+typedef JSObject *(*BoxNonStrictThisFn)(JSContext *, HandleValue);
+static const VMFunction BoxNonStrictThisInfo = FunctionInfo<BoxNonStrictThisFn>(BoxNonStrictThis);
+bool
+CodeGenerator::visitComputeThis(LComputeThis *lir)
+{
+ValueOperand value = ToValue(lir, LComputeThis::ValueIndex);
+Register output = ToRegister(lir->output());
+OutOfLineCode *ool = oolCallVM(BoxNonStrictThisInfo, lir, (ArgList(), value),
+StoreRegisterTo(output));
+if (!ool)
+return false;
+masm.branchTestObject(Assembler::NotEqual, value, ool->entry());
+masm.unboxObject(value, output);
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitLoadArrowThis(LLoadArrowThis *lir)
+{
+Register callee = ToRegister(lir->callee());
+ValueOperand output = ToOutValue(lir);
+masm.loadValue(Address(callee, FunctionExtended::offsetOfArrowThisSlot()), output);
+return true;
+}
+bool
+CodeGenerator::visitArrayLength(LArrayLength *lir)
+{
+Address length(ToRegister(lir->elements()), ObjectElements::offsetOfLength());
+masm.load32(length, ToRegister(lir->output()));
+return true;
+}
+bool
+CodeGenerator::visitSetArrayLength(LSetArrayLength *lir)
+{
+Address length(ToRegister(lir->elements()), ObjectElements::offsetOfLength());
+Int32Key newLength = ToInt32Key(lir->index());
+masm.bumpKey(&newLength, 1);
+masm.storeKey(newLength, length);
+// Restore register value if it is used/captured after.
+masm.bumpKey(&newLength, -1);
+return true;
+}
+bool
+CodeGenerator::visitTypedArrayLength(LTypedArrayLength *lir)
+{
+Register obj = ToRegister(lir->object());
+Register out = ToRegister(lir->output());
+masm.unboxInt32(Address(obj, TypedArrayObject::lengthOffset()), out);
+return true;
+}
+bool
+CodeGenerator::visitTypedArrayElements(LTypedArrayElements *lir)
+{
+Register obj = ToRegister(lir->object());
+Register out = ToRegister(lir->output());
+masm.loadPtr(Address(obj, TypedArrayObject::dataOffset()), out);
+return true;
+}
+bool
+CodeGenerator::visitNeuterCheck(LNeuterCheck *lir)
+{
+Register obj = ToRegister(lir->object());
+Register temp = ToRegister(lir->temp());
+masm.extractObject(Address(obj, TypedObject::offsetOfOwnerSlot()), temp);
+masm.unboxInt32(Address(temp, ArrayBufferObject::flagsOffset()), temp);
+Imm32 flag(ArrayBufferObject::neuteredFlag());
+if (!bailoutTest32(Assembler::NonZero, temp, flag, lir->snapshot()))
+return false;
+return true;
+}
+bool
+CodeGenerator::visitTypedObjectElements(LTypedObjectElements *lir)
+{
+Register obj = ToRegister(lir->object());
+Register out = ToRegister(lir->output());
+masm.loadPtr(Address(obj, TypedObject::offsetOfDataSlot()), out);
+return true;
+}
+bool
+CodeGenerator::visitSetTypedObjectOffset(LSetTypedObjectOffset *lir)
+{
+Register object = ToRegister(lir->object());
+Register offset = ToRegister(lir->offset());
+Register temp0 = ToRegister(lir->temp0());
+// `offset` is an absolute offset into the base buffer. One way
+// to implement this instruction would be load the base address
+// from the buffer and add `offset`. But that'd be an extra load.
+// We can instead load the current base pointer and current
+// offset, compute the difference with `offset`, and then adjust
+// the current base pointer. This is two loads but to adjacent
+// fields in the same object, which should come in the same cache
+// line.
+//
+// The C code I would probably write is the following:
+//
+// void SetTypedObjectOffset(TypedObject *obj, int32_t offset) {
+//     int32_t temp0 = obj->byteOffset;
+//     obj->pointer = obj->pointer - temp0 + offset;
+//     obj->byteOffset = offset;
+// }
+//
+// But what we actually compute is more like this, because it
+// saves us a temporary to do it this way:
+//
+// void SetTypedObjectOffset(TypedObject *obj, int32_t offset) {
+//     int32_t temp0 = obj->byteOffset;
+//     obj->pointer = obj->pointer - (temp0 - offset);
+//     obj->byteOffset = offset;
+// }
+// temp0 = typedObj->byteOffset;
+masm.unboxInt32(Address(object, TypedObject::offsetOfByteOffsetSlot()), temp0);
+// temp0 -= offset;
+masm.subPtr(offset, temp0);
+// obj->pointer -= temp0;
+masm.subPtr(temp0, Address(object, TypedObject::offsetOfDataSlot()));
+// obj->byteOffset = offset;
+masm.storeValue(JSVAL_TYPE_INT32, offset,
+Address(object, TypedObject::offsetOfByteOffsetSlot()));
+return true;
+}
+bool
+CodeGenerator::visitStringLength(LStringLength *lir)
+{
+Register input = ToRegister(lir->string());
+Register output = ToRegister(lir->output());
+masm.loadStringLength(input, output);
+return true;
+}
+bool
+CodeGenerator::visitMinMaxI(LMinMaxI *ins)
+{
+Register first = ToRegister(ins->first());
+Register output = ToRegister(ins->output());
+JS_ASSERT(first == output);
+Label done;
+Assembler::Condition cond = ins->mir()->isMax()
+? Assembler::GreaterThan
+: Assembler::LessThan;
+if (ins->second()->isConstant()) {
+masm.branch32(cond, first, Imm32(ToInt32(ins->second())), &done);
+masm.move32(Imm32(ToInt32(ins->second())), output);
+} else {
+masm.branch32(cond, first, ToRegister(ins->second()), &done);
+masm.move32(ToRegister(ins->second()), output);
+}
+masm.bind(&done);
+return true;
+}
+bool
+CodeGenerator::visitAbsI(LAbsI *ins)
+{
+Register input = ToRegister(ins->input());
+Label positive;
+JS_ASSERT(input == ToRegister(ins->output()));
+masm.branchTest32(Assembler::NotSigned, input, input, &positive);
+masm.neg32(input);
+#ifdef JS_CODEGEN_MIPS
+LSnapshot *snapshot = ins->snapshot();
+if (snapshot && !bailoutCmp32(Assembler::Equal, input, Imm32(INT32_MIN), snapshot))
+return false;
+#else
+if (ins->snapshot() && !bailoutIf(Assembler::Overflow, ins->snapshot()))
+return false;
+#endif
+masm.bind(&positive);
+return true;
+}
+bool
+CodeGenerator::visitPowI(LPowI *ins)
+{
+FloatRegister value = ToFloatRegister(ins->value());
+Register power = ToRegister(ins->power());
+Register temp = ToRegister(ins->temp());
+JS_ASSERT(power != temp);
+// In all implementations, setupUnalignedABICall() relinquishes use of
+// its scratch register. We can therefore save an input register by
+// reusing the scratch register to pass constants to callWithABI.
+masm.setupUnalignedABICall(2, temp);
+masm.passABIArg(value, MoveOp::DOUBLE);
+masm.passABIArg(power);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, js::powi), MoveOp::DOUBLE);
+JS_ASSERT(ToFloatRegister(ins->output()) == ReturnFloatReg);
+return true;
+}
+bool
+CodeGenerator::visitPowD(LPowD *ins)
+{
+FloatRegister value = ToFloatRegister(ins->value());
+FloatRegister power = ToFloatRegister(ins->power());
+Register temp = ToRegister(ins->temp());
+masm.setupUnalignedABICall(2, temp);
+masm.passABIArg(value, MoveOp::DOUBLE);
+masm.passABIArg(power, MoveOp::DOUBLE);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, ecmaPow), MoveOp::DOUBLE);
+JS_ASSERT(ToFloatRegister(ins->output()) == ReturnFloatReg);
+return true;
+}
+bool
+CodeGenerator::visitRandom(LRandom *ins)
+{
+Register temp = ToRegister(ins->temp());
+Register temp2 = ToRegister(ins->temp2());
+masm.loadJSContext(temp);
+masm.setupUnalignedABICall(1, temp2);
+masm.passABIArg(temp);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, math_random_no_outparam), MoveOp::DOUBLE);
+JS_ASSERT(ToFloatRegister(ins->output()) == ReturnFloatReg);
+return true;
+}
+bool
+CodeGenerator::visitMathFunctionD(LMathFunctionD *ins)
+{
+Register temp = ToRegister(ins->temp());
+FloatRegister input = ToFloatRegister(ins->input());
+JS_ASSERT(ToFloatRegister(ins->output()) == ReturnFloatReg);
+const MathCache *mathCache = ins->mir()->cache();
+masm.setupUnalignedABICall(mathCache ? 2 : 1, temp);
+if (mathCache) {
+masm.movePtr(ImmPtr(mathCache), temp);
+masm.passABIArg(temp);
+}
+masm.passABIArg(input, MoveOp::DOUBLE);
+#   define MAYBE_CACHED(fcn) (mathCache ? (void*)fcn ## _impl : (void*)fcn ## _uncached)
+void *funptr = nullptr;
+switch (ins->mir()->function()) {
+case MMathFunction::Log:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_log));
+break;
+case MMathFunction::Sin:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_sin));
+break;
+case MMathFunction::Cos:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_cos));
+break;
+case MMathFunction::Exp:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_exp));
+break;
+case MMathFunction::Tan:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_tan));
+break;
+case MMathFunction::ATan:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_atan));
+break;
+case MMathFunction::ASin:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_asin));
+break;
+case MMathFunction::ACos:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_acos));
+break;
+case MMathFunction::Log10:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_log10));
+break;
+case MMathFunction::Log2:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_log2));
+break;
+case MMathFunction::Log1P:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_log1p));
+break;
+case MMathFunction::ExpM1:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_expm1));
+break;
+case MMathFunction::CosH:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_cosh));
+break;
+case MMathFunction::SinH:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_sinh));
+break;
+case MMathFunction::TanH:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_tanh));
+break;
+case MMathFunction::ACosH:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_acosh));
+break;
+case MMathFunction::ASinH:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_asinh));
+break;
+case MMathFunction::ATanH:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_atanh));
+break;
+case MMathFunction::Sign:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_sign));
+break;
+case MMathFunction::Trunc:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_trunc));
+break;
+case MMathFunction::Cbrt:
+funptr = JS_FUNC_TO_DATA_PTR(void *, MAYBE_CACHED(js::math_cbrt));
+break;
+case MMathFunction::Floor:
+funptr = JS_FUNC_TO_DATA_PTR(void *, js::math_floor_impl);
+break;
+case MMathFunction::Ceil:
+funptr = JS_FUNC_TO_DATA_PTR(void *, js::math_ceil_impl);
+break;
+case MMathFunction::Round:
+funptr = JS_FUNC_TO_DATA_PTR(void *, js::math_round_impl);
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("Unknown math function");
+}
+#   undef MAYBE_CACHED
+masm.callWithABI(funptr, MoveOp::DOUBLE);
+return true;
+}
+bool
+CodeGenerator::visitMathFunctionF(LMathFunctionF *ins)
+{
+Register temp = ToRegister(ins->temp());
+FloatRegister input = ToFloatRegister(ins->input());
+JS_ASSERT(ToFloatRegister(ins->output()) == ReturnFloatReg);
+masm.setupUnalignedABICall(1, temp);
+masm.passABIArg(input, MoveOp::FLOAT32);
+void *funptr = nullptr;
+switch (ins->mir()->function()) {
+case MMathFunction::Floor: funptr = JS_FUNC_TO_DATA_PTR(void *, floorf);           break;
+case MMathFunction::Round: funptr = JS_FUNC_TO_DATA_PTR(void *, math_roundf_impl); break;
+case MMathFunction::Ceil:  funptr = JS_FUNC_TO_DATA_PTR(void *, ceilf);            break;
+default:
+MOZ_ASSUME_UNREACHABLE("Unknown or unsupported float32 math function");
+}
+masm.callWithABI(funptr, MoveOp::FLOAT32);
+return true;
+}
+bool
+CodeGenerator::visitModD(LModD *ins)
+{
+FloatRegister lhs = ToFloatRegister(ins->lhs());
+FloatRegister rhs = ToFloatRegister(ins->rhs());
+Register temp = ToRegister(ins->temp());
+JS_ASSERT(ToFloatRegister(ins->output()) == ReturnFloatReg);
+masm.setupUnalignedABICall(2, temp);
+masm.passABIArg(lhs, MoveOp::DOUBLE);
+masm.passABIArg(rhs, MoveOp::DOUBLE);
+if (gen->compilingAsmJS())
+masm.callWithABI(AsmJSImm_ModD, MoveOp::DOUBLE);
+else
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, NumberMod), MoveOp::DOUBLE);
+return true;
+}
+typedef bool (*BinaryFn)(JSContext *, MutableHandleValue, MutableHandleValue, MutableHandleValue);
+typedef bool (*BinaryParFn)(ForkJoinContext *, HandleValue, HandleValue, MutableHandleValue);
+static const VMFunction AddInfo = FunctionInfo<BinaryFn>(js::AddValues);
+static const VMFunction SubInfo = FunctionInfo<BinaryFn>(js::SubValues);
+static const VMFunction MulInfo = FunctionInfo<BinaryFn>(js::MulValues);
+static const VMFunction DivInfo = FunctionInfo<BinaryFn>(js::DivValues);
+static const VMFunction ModInfo = FunctionInfo<BinaryFn>(js::ModValues);
+static const VMFunctionsModal UrshInfo = VMFunctionsModal(
+FunctionInfo<BinaryFn>(js::UrshValues),
+FunctionInfo<BinaryParFn>(UrshValuesPar));
+bool
+CodeGenerator::visitBinaryV(LBinaryV *lir)
+{
+pushArg(ToValue(lir, LBinaryV::RhsInput));
+pushArg(ToValue(lir, LBinaryV::LhsInput));
+switch (lir->jsop()) {
+case JSOP_ADD:
+return callVM(AddInfo, lir);
+case JSOP_SUB:
+return callVM(SubInfo, lir);
+case JSOP_MUL:
+return callVM(MulInfo, lir);
+case JSOP_DIV:
+return callVM(DivInfo, lir);
+case JSOP_MOD:
+return callVM(ModInfo, lir);
+case JSOP_URSH:
+return callVM(UrshInfo, lir);
+default:
+MOZ_ASSUME_UNREACHABLE("Unexpected binary op");
+}
+}
+typedef bool (*StringCompareFn)(JSContext *, HandleString, HandleString, bool *);
+typedef bool (*StringCompareParFn)(ForkJoinContext *, HandleString, HandleString, bool *);
+static const VMFunctionsModal StringsEqualInfo = VMFunctionsModal(
+FunctionInfo<StringCompareFn>(jit::StringsEqual<true>),
+FunctionInfo<StringCompareParFn>(jit::StringsEqualPar));
+static const VMFunctionsModal StringsNotEqualInfo = VMFunctionsModal(
+FunctionInfo<StringCompareFn>(jit::StringsEqual<false>),
+FunctionInfo<StringCompareParFn>(jit::StringsUnequalPar));
+bool
+CodeGenerator::emitCompareS(LInstruction *lir, JSOp op, Register left, Register right,
+Register output, Register temp)
+{
+JS_ASSERT(lir->isCompareS() || lir->isCompareStrictS());
+OutOfLineCode *ool = nullptr;
+if (op == JSOP_EQ || op == JSOP_STRICTEQ) {
+ool = oolCallVM(StringsEqualInfo, lir, (ArgList(), left, right),  StoreRegisterTo(output));
+} else {
+JS_ASSERT(op == JSOP_NE || op == JSOP_STRICTNE);
+ool = oolCallVM(StringsNotEqualInfo, lir, (ArgList(), left, right), StoreRegisterTo(output));
+}
+if (!ool)
+return false;
+masm.compareStrings(op, left, right, output, temp, ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitCompareStrictS(LCompareStrictS *lir)
+{
+JSOp op = lir->mir()->jsop();
+JS_ASSERT(op == JSOP_STRICTEQ || op == JSOP_STRICTNE);
+const ValueOperand leftV = ToValue(lir, LCompareStrictS::Lhs);
+Register right = ToRegister(lir->right());
+Register output = ToRegister(lir->output());
+Register temp = ToRegister(lir->temp());
+Register tempToUnbox = ToTempUnboxRegister(lir->tempToUnbox());
+Label string, done;
+masm.branchTestString(Assembler::Equal, leftV, &string);
+masm.move32(Imm32(op == JSOP_STRICTNE), output);
+masm.jump(&done);
+masm.bind(&string);
+Register left = masm.extractString(leftV, tempToUnbox);
+if (!emitCompareS(lir, op, left, right, output, temp))
+return false;
+masm.bind(&done);
+return true;
+}
+bool
+CodeGenerator::visitCompareS(LCompareS *lir)
+{
+JSOp op = lir->mir()->jsop();
+Register left = ToRegister(lir->left());
+Register right = ToRegister(lir->right());
+Register output = ToRegister(lir->output());
+Register temp = ToRegister(lir->temp());
+return emitCompareS(lir, op, left, right, output, temp);
+}
+typedef bool (*CompareFn)(JSContext *, MutableHandleValue, MutableHandleValue, bool *);
+typedef bool (*CompareParFn)(ForkJoinContext *, MutableHandleValue, MutableHandleValue, bool *);
+static const VMFunctionsModal EqInfo = VMFunctionsModal(
+FunctionInfo<CompareFn>(jit::LooselyEqual<true>),
+FunctionInfo<CompareParFn>(jit::LooselyEqualPar));
+static const VMFunctionsModal NeInfo = VMFunctionsModal(
+FunctionInfo<CompareFn>(jit::LooselyEqual<false>),
+FunctionInfo<CompareParFn>(jit::LooselyUnequalPar));
+static const VMFunctionsModal StrictEqInfo = VMFunctionsModal(
+FunctionInfo<CompareFn>(jit::StrictlyEqual<true>),
+FunctionInfo<CompareParFn>(jit::StrictlyEqualPar));
+static const VMFunctionsModal StrictNeInfo = VMFunctionsModal(
+FunctionInfo<CompareFn>(jit::StrictlyEqual<false>),
+FunctionInfo<CompareParFn>(jit::StrictlyUnequalPar));
+static const VMFunctionsModal LtInfo = VMFunctionsModal(
+FunctionInfo<CompareFn>(jit::LessThan),
+FunctionInfo<CompareParFn>(jit::LessThanPar));
+static const VMFunctionsModal LeInfo = VMFunctionsModal(
+FunctionInfo<CompareFn>(jit::LessThanOrEqual),
+FunctionInfo<CompareParFn>(jit::LessThanOrEqualPar));
+static const VMFunctionsModal GtInfo = VMFunctionsModal(
+FunctionInfo<CompareFn>(jit::GreaterThan),
+FunctionInfo<CompareParFn>(jit::GreaterThanPar));
+static const VMFunctionsModal GeInfo = VMFunctionsModal(
+FunctionInfo<CompareFn>(jit::GreaterThanOrEqual),
+FunctionInfo<CompareParFn>(jit::GreaterThanOrEqualPar));
+bool
+CodeGenerator::visitCompareVM(LCompareVM *lir)
+{
+pushArg(ToValue(lir, LBinaryV::RhsInput));
+pushArg(ToValue(lir, LBinaryV::LhsInput));
+switch (lir->mir()->jsop()) {
+case JSOP_EQ:
+return callVM(EqInfo, lir);
+case JSOP_NE:
+return callVM(NeInfo, lir);
+case JSOP_STRICTEQ:
+return callVM(StrictEqInfo, lir);
+case JSOP_STRICTNE:
+return callVM(StrictNeInfo, lir);
+case JSOP_LT:
+return callVM(LtInfo, lir);
+case JSOP_LE:
+return callVM(LeInfo, lir);
+case JSOP_GT:
+return callVM(GtInfo, lir);
+case JSOP_GE:
+return callVM(GeInfo, lir);
+default:
+MOZ_ASSUME_UNREACHABLE("Unexpected compare op");
+}
+}
+bool
+CodeGenerator::visitIsNullOrLikeUndefined(LIsNullOrLikeUndefined *lir)
+{
+JSOp op = lir->mir()->jsop();
+MCompare::CompareType compareType = lir->mir()->compareType();
+JS_ASSERT(compareType == MCompare::Compare_Undefined ||
+compareType == MCompare::Compare_Null);
+const ValueOperand value = ToValue(lir, LIsNullOrLikeUndefined::Value);
+Register output = ToRegister(lir->output());
+if (op == JSOP_EQ || op == JSOP_NE) {
+MOZ_ASSERT(lir->mir()->lhs()->type() != MIRType_Object ||
+lir->mir()->operandMightEmulateUndefined(),
+"Operands which can't emulate undefined should have been folded");
+OutOfLineTestObjectWithLabels *ool = nullptr;
+Maybe<Label> label1, label2;
+Label *nullOrLikeUndefined;
+Label *notNullOrLikeUndefined;
+if (lir->mir()->operandMightEmulateUndefined()) {
+ool = new(alloc()) OutOfLineTestObjectWithLabels();
+if (!addOutOfLineCode(ool))
+return false;
+nullOrLikeUndefined = ool->label1();
+notNullOrLikeUndefined = ool->label2();
+} else {
+label1.construct();
+label2.construct();
+nullOrLikeUndefined = label1.addr();
+notNullOrLikeUndefined = label2.addr();
+}
+Register tag = masm.splitTagForTest(value);
+masm.branchTestNull(Assembler::Equal, tag, nullOrLikeUndefined);
+masm.branchTestUndefined(Assembler::Equal, tag, nullOrLikeUndefined);
+if (ool) {
+// Check whether it's a truthy object or a falsy object that emulates
+// undefined.
+masm.branchTestObject(Assembler::NotEqual, tag, notNullOrLikeUndefined);
+Register objreg = masm.extractObject(value, ToTempUnboxRegister(lir->tempToUnbox()));
+branchTestObjectEmulatesUndefined(objreg, nullOrLikeUndefined, notNullOrLikeUndefined,
+ToRegister(lir->temp()), ool);
+// fall through
+}
+Label done;
+// It's not null or undefined, and if it's an object it doesn't
+// emulate undefined, so it's not like undefined.
+masm.move32(Imm32(op == JSOP_NE), output);
+masm.jump(&done);
+masm.bind(nullOrLikeUndefined);
+masm.move32(Imm32(op == JSOP_EQ), output);
+// Both branches meet here.
+masm.bind(&done);
+return true;
+}
+JS_ASSERT(op == JSOP_STRICTEQ || op == JSOP_STRICTNE);
+Assembler::Condition cond = JSOpToCondition(compareType, op);
+if (compareType == MCompare::Compare_Null)
+masm.testNullSet(cond, value, output);
+else
+masm.testUndefinedSet(cond, value, output);
+return true;
+}
+bool
+CodeGenerator::visitIsNullOrLikeUndefinedAndBranch(LIsNullOrLikeUndefinedAndBranch *lir)
+{
+JSOp op = lir->cmpMir()->jsop();
+MCompare::CompareType compareType = lir->cmpMir()->compareType();
+JS_ASSERT(compareType == MCompare::Compare_Undefined ||
+compareType == MCompare::Compare_Null);
+const ValueOperand value = ToValue(lir, LIsNullOrLikeUndefinedAndBranch::Value);
+if (op == JSOP_EQ || op == JSOP_NE) {
+MBasicBlock *ifTrue;
+MBasicBlock *ifFalse;
+if (op == JSOP_EQ) {
+ifTrue = lir->ifTrue();
+ifFalse = lir->ifFalse();
+} else {
+// Swap branches.
+ifTrue = lir->ifFalse();
+ifFalse = lir->ifTrue();
+op = JSOP_EQ;
+}
+MOZ_ASSERT(lir->cmpMir()->lhs()->type() != MIRType_Object ||
+lir->cmpMir()->operandMightEmulateUndefined(),
+"Operands which can't emulate undefined should have been folded");
+OutOfLineTestObject *ool = nullptr;
+if (lir->cmpMir()->operandMightEmulateUndefined()) {
+ool = new(alloc()) OutOfLineTestObject();
+if (!addOutOfLineCode(ool))
+return false;
+}
+Register tag = masm.splitTagForTest(value);
+Label *ifTrueLabel = getJumpLabelForBranch(ifTrue);
+Label *ifFalseLabel = getJumpLabelForBranch(ifFalse);
+masm.branchTestNull(Assembler::Equal, tag, ifTrueLabel);
+masm.branchTestUndefined(Assembler::Equal, tag, ifTrueLabel);
+if (ool) {
+masm.branchTestObject(Assembler::NotEqual, tag, ifFalseLabel);
+// Objects that emulate undefined are loosely equal to null/undefined.
+Register objreg = masm.extractObject(value, ToTempUnboxRegister(lir->tempToUnbox()));
+Register scratch = ToRegister(lir->temp());
+testObjectEmulatesUndefined(objreg, ifTrueLabel, ifFalseLabel, scratch, ool);
+} else {
+masm.jump(ifFalseLabel);
+}
+return true;
+}
+JS_ASSERT(op == JSOP_STRICTEQ || op == JSOP_STRICTNE);
+Assembler::Condition cond = JSOpToCondition(compareType, op);
+if (compareType == MCompare::Compare_Null)
+testNullEmitBranch(cond, value, lir->ifTrue(), lir->ifFalse());
+else
+testUndefinedEmitBranch(cond, value, lir->ifTrue(), lir->ifFalse());
+return true;
+}
+bool
+CodeGenerator::visitEmulatesUndefined(LEmulatesUndefined *lir)
+{
+MOZ_ASSERT(lir->mir()->compareType() == MCompare::Compare_Undefined ||
+lir->mir()->compareType() == MCompare::Compare_Null);
+MOZ_ASSERT(lir->mir()->lhs()->type() == MIRType_Object);
+MOZ_ASSERT(lir->mir()->operandMightEmulateUndefined(),
+"If the object couldn't emulate undefined, this should have been folded.");
+JSOp op = lir->mir()->jsop();
+MOZ_ASSERT(op == JSOP_EQ || op == JSOP_NE, "Strict equality should have been folded");
+OutOfLineTestObjectWithLabels *ool = new(alloc()) OutOfLineTestObjectWithLabels();
+if (!addOutOfLineCode(ool))
+return false;
+Label *emulatesUndefined = ool->label1();
+Label *doesntEmulateUndefined = ool->label2();
+Register objreg = ToRegister(lir->input());
+Register output = ToRegister(lir->output());
+branchTestObjectEmulatesUndefined(objreg, emulatesUndefined, doesntEmulateUndefined,
+output, ool);
+Label done;
+masm.move32(Imm32(op == JSOP_NE), output);
+masm.jump(&done);
+masm.bind(emulatesUndefined);
+masm.move32(Imm32(op == JSOP_EQ), output);
+masm.bind(&done);
+return true;
+}
+bool
+CodeGenerator::visitEmulatesUndefinedAndBranch(LEmulatesUndefinedAndBranch *lir)
+{
+MOZ_ASSERT(lir->cmpMir()->compareType() == MCompare::Compare_Undefined ||
+lir->cmpMir()->compareType() == MCompare::Compare_Null);
+MOZ_ASSERT(lir->cmpMir()->operandMightEmulateUndefined(),
+"Operands which can't emulate undefined should have been folded");
+JSOp op = lir->cmpMir()->jsop();
+MOZ_ASSERT(op == JSOP_EQ || op == JSOP_NE, "Strict equality should have been folded");
+OutOfLineTestObject *ool = new(alloc()) OutOfLineTestObject();
+if (!addOutOfLineCode(ool))
+return false;
+Label *equal;
+Label *unequal;
+{
+MBasicBlock *ifTrue;
+MBasicBlock *ifFalse;
+if (op == JSOP_EQ) {
+ifTrue = lir->ifTrue();
+ifFalse = lir->ifFalse();
+} else {
+// Swap branches.
+ifTrue = lir->ifFalse();
+ifFalse = lir->ifTrue();
+op = JSOP_EQ;
+}
+equal = getJumpLabelForBranch(ifTrue);
+unequal = getJumpLabelForBranch(ifFalse);
+}
+Register objreg = ToRegister(lir->input());
+testObjectEmulatesUndefined(objreg, equal, unequal, ToRegister(lir->temp()), ool);
+return true;
+}
+typedef JSString *(*ConcatStringsFn)(ThreadSafeContext *, HandleString, HandleString);
+typedef JSString *(*ConcatStringsParFn)(ForkJoinContext *, HandleString, HandleString);
+static const VMFunctionsModal ConcatStringsInfo = VMFunctionsModal(
+FunctionInfo<ConcatStringsFn>(ConcatStrings<CanGC>),
+FunctionInfo<ConcatStringsParFn>(ConcatStringsPar));
+bool
+CodeGenerator::emitConcat(LInstruction *lir, Register lhs, Register rhs, Register output)
+{
+OutOfLineCode *ool = oolCallVM(ConcatStringsInfo, lir, (ArgList(), lhs, rhs),
+StoreRegisterTo(output));
+if (!ool)
+return false;
+ExecutionMode mode = gen->info().executionMode();
+JitCode *stringConcatStub = gen->compartment->jitCompartment()->stringConcatStub(mode);
+masm.call(stringConcatStub);
+masm.branchTestPtr(Assembler::Zero, output, output, ool->entry());
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitConcat(LConcat *lir)
+{
+Register lhs = ToRegister(lir->lhs());
+Register rhs = ToRegister(lir->rhs());
+Register output = ToRegister(lir->output());
+JS_ASSERT(lhs == CallTempReg0);
+JS_ASSERT(rhs == CallTempReg1);
+JS_ASSERT(ToRegister(lir->temp1()) == CallTempReg0);
+JS_ASSERT(ToRegister(lir->temp2()) == CallTempReg1);
+JS_ASSERT(ToRegister(lir->temp3()) == CallTempReg2);
+JS_ASSERT(ToRegister(lir->temp4()) == CallTempReg3);
+JS_ASSERT(ToRegister(lir->temp5()) == CallTempReg4);
+JS_ASSERT(output == CallTempReg5);
+return emitConcat(lir, lhs, rhs, output);
+}
+bool
+CodeGenerator::visitConcatPar(LConcatPar *lir)
+{
+DebugOnly<Register> cx = ToRegister(lir->forkJoinContext());
+Register lhs = ToRegister(lir->lhs());
+Register rhs = ToRegister(lir->rhs());
+Register output = ToRegister(lir->output());
+JS_ASSERT(lhs == CallTempReg0);
+JS_ASSERT(rhs == CallTempReg1);
+JS_ASSERT((Register)cx == CallTempReg4);
+JS_ASSERT(ToRegister(lir->temp1()) == CallTempReg0);
+JS_ASSERT(ToRegister(lir->temp2()) == CallTempReg1);
+JS_ASSERT(ToRegister(lir->temp3()) == CallTempReg2);
+JS_ASSERT(ToRegister(lir->temp4()) == CallTempReg3);
+JS_ASSERT(output == CallTempReg5);
+return emitConcat(lir, lhs, rhs, output);
+}
+static void
+CopyStringChars(MacroAssembler &masm, Register to, Register from, Register len, Register scratch)
+{
+// Copy |len| jschars from |from| to |to|. Assumes len > 0 (checked below in
+// debug builds), and when done |to| must point to the next available char.
+#ifdef DEBUG
+Label ok;
+masm.branch32(Assembler::GreaterThan, len, Imm32(0), &ok);
+masm.assumeUnreachable("Length should be greater than 0.");
+masm.bind(&ok);
+#endif
+JS_STATIC_ASSERT(sizeof(jschar) == 2);
+Label start;
+masm.bind(&start);
+masm.load16ZeroExtend(Address(from, 0), scratch);
+masm.store16(scratch, Address(to, 0));
+masm.addPtr(Imm32(2), from);
+masm.addPtr(Imm32(2), to);
+masm.branchSub32(Assembler::NonZero, Imm32(1), len, &start);
+}
+JitCode *
+JitCompartment::generateStringConcatStub(JSContext *cx, ExecutionMode mode)
+{
+MacroAssembler masm(cx);
+Register lhs = CallTempReg0;
+Register rhs = CallTempReg1;
+Register temp1 = CallTempReg2;
+Register temp2 = CallTempReg3;
+Register temp3 = CallTempReg4;
+Register output = CallTempReg5;
+// In parallel execution, we pass in the ForkJoinContext in CallTempReg4, as
+// by the time we need to use the temp3 we no longer have need of the
+// cx.
+Register forkJoinContext = CallTempReg4;
+Label failure, failurePopTemps;
+// If lhs is empty, return rhs.
+Label leftEmpty;
+masm.loadStringLength(lhs, temp1);
+masm.branchTest32(Assembler::Zero, temp1, temp1, &leftEmpty);
+// If rhs is empty, return lhs.
+Label rightEmpty;
+masm.loadStringLength(rhs, temp2);
+masm.branchTest32(Assembler::Zero, temp2, temp2, &rightEmpty);
+masm.add32(temp1, temp2);
+// Check if we can use a JSFatInlineString.
+Label isFatInline;
+masm.branch32(Assembler::BelowOrEqual, temp2, Imm32(JSFatInlineString::MAX_FAT_INLINE_LENGTH),
+&isFatInline);
+// Ensure result length <= JSString::MAX_LENGTH.
+masm.branch32(Assembler::Above, temp2, Imm32(JSString::MAX_LENGTH), &failure);
+// Allocate a new rope.
+switch (mode) {
+case SequentialExecution:
+masm.newGCString(output, temp3, &failure);
+break;
+case ParallelExecution:
+masm.push(temp1);
+masm.push(temp2);
+masm.newGCStringPar(output, forkJoinContext, temp1, temp2, &failurePopTemps);
+masm.pop(temp2);
+masm.pop(temp1);
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("No such execution mode");
+}
+// Store lengthAndFlags.
+JS_STATIC_ASSERT(JSString::ROPE_FLAGS == 0);
+masm.lshiftPtr(Imm32(JSString::LENGTH_SHIFT), temp2);
+masm.storePtr(temp2, Address(output, JSString::offsetOfLengthAndFlags()));
+// Store left and right nodes.
+masm.storePtr(lhs, Address(output, JSRope::offsetOfLeft()));
+masm.storePtr(rhs, Address(output, JSRope::offsetOfRight()));
+masm.ret();
+masm.bind(&leftEmpty);
+masm.mov(rhs, output);
+masm.ret();
+masm.bind(&rightEmpty);
+masm.mov(lhs, output);
+masm.ret();
+masm.bind(&isFatInline);
+// State: lhs length in temp1, result length in temp2.
+// Ensure both strings are linear (flags != 0).
+JS_STATIC_ASSERT(JSString::ROPE_FLAGS == 0);
+masm.branchTestPtr(Assembler::Zero, Address(lhs, JSString::offsetOfLengthAndFlags()),
+Imm32(JSString::FLAGS_MASK), &failure);
+masm.branchTestPtr(Assembler::Zero, Address(rhs, JSString::offsetOfLengthAndFlags()),
+Imm32(JSString::FLAGS_MASK), &failure);
+// Allocate a JSFatInlineString.
+switch (mode) {
+case SequentialExecution:
+masm.newGCFatInlineString(output, temp3, &failure);
+break;
+case ParallelExecution:
+masm.push(temp1);
+masm.push(temp2);
+masm.newGCFatInlineStringPar(output, forkJoinContext, temp1, temp2, &failurePopTemps);
+masm.pop(temp2);
+masm.pop(temp1);
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("No such execution mode");
+}
+// Set lengthAndFlags.
+masm.lshiftPtr(Imm32(JSString::LENGTH_SHIFT), temp2);
+masm.orPtr(Imm32(JSString::FIXED_FLAGS), temp2);
+masm.storePtr(temp2, Address(output, JSString::offsetOfLengthAndFlags()));
+// Set chars pointer, keep in temp2 for copy loop below.
+masm.computeEffectiveAddress(Address(output, JSFatInlineString::offsetOfInlineStorage()), temp2);
+masm.storePtr(temp2, Address(output, JSFatInlineString::offsetOfChars()));
+{
+// We use temp3 in this block, which in parallel execution also holds
+// a live ForkJoinContext pointer. If we are compiling for parallel
+// execution, be sure to save and restore the ForkJoinContext.
+if (mode == ParallelExecution)
+masm.push(temp3);
+// Copy lhs chars. Temp1 still holds the lhs length. Note that this
+// advances temp2 to point to the next char. Note that this also
+// repurposes the lhs register.
+masm.loadPtr(Address(lhs, JSString::offsetOfChars()), lhs);
+CopyStringChars(masm, temp2, lhs, temp1, temp3);
+// Copy rhs chars.
+masm.loadStringLength(rhs, temp1);
+masm.loadPtr(Address(rhs, JSString::offsetOfChars()), rhs);
+CopyStringChars(masm, temp2, rhs, temp1, temp3);
+if (mode == ParallelExecution)
+masm.pop(temp3);
+}
+// Null-terminate.
+masm.store16(Imm32(0), Address(temp2, 0));
+masm.ret();
+masm.bind(&failurePopTemps);
+masm.pop(temp2);
+masm.pop(temp1);
+masm.bind(&failure);
+masm.movePtr(ImmPtr(nullptr), output);
+masm.ret();
+Linker linker(masm);
+AutoFlushICache afc("StringConcatStub");
+JitCode *code = linker.newCode<CanGC>(cx, JSC::OTHER_CODE);
+#ifdef JS_ION_PERF
+writePerfSpewerJitCodeProfile(code, "StringConcatStub");
+#endif
+return code;
+}
+typedef bool (*CharCodeAtFn)(JSContext *, HandleString, int32_t, uint32_t *);
+static const VMFunction CharCodeAtInfo = FunctionInfo<CharCodeAtFn>(jit::CharCodeAt);
+bool
+CodeGenerator::visitCharCodeAt(LCharCodeAt *lir)
+{
+Register str = ToRegister(lir->str());
+Register index = ToRegister(lir->index());
+Register output = ToRegister(lir->output());
+OutOfLineCode *ool = oolCallVM(CharCodeAtInfo, lir, (ArgList(), str, index), StoreRegisterTo(output));
+if (!ool)
+return false;
+Address lengthAndFlagsAddr(str, JSString::offsetOfLengthAndFlags());
+masm.branchTest32(Assembler::Zero, lengthAndFlagsAddr, Imm32(JSString::FLAGS_MASK), ool->entry());
+// getChars
+Address charsAddr(str, JSString::offsetOfChars());
+masm.loadPtr(charsAddr, output);
+masm.load16ZeroExtend(BaseIndex(output, index, TimesTwo, 0), output);
+masm.bind(ool->rejoin());
+return true;
+}
+typedef JSFlatString *(*StringFromCharCodeFn)(JSContext *, int32_t);
+static const VMFunction StringFromCharCodeInfo = FunctionInfo<StringFromCharCodeFn>(jit::StringFromCharCode);
+bool
+CodeGenerator::visitFromCharCode(LFromCharCode *lir)
+{
+Register code = ToRegister(lir->code());
+Register output = ToRegister(lir->output());
+OutOfLineCode *ool = oolCallVM(StringFromCharCodeInfo, lir, (ArgList(), code), StoreRegisterTo(output));
+if (!ool)
+return false;
+// OOL path if code >= UNIT_STATIC_LIMIT.
+masm.branch32(Assembler::AboveOrEqual, code, Imm32(StaticStrings::UNIT_STATIC_LIMIT),
+ool->entry());
+masm.movePtr(ImmPtr(&GetIonContext()->runtime->staticStrings().unitStaticTable), output);
+masm.loadPtr(BaseIndex(output, code, ScalePointer), output);
+masm.bind(ool->rejoin());
+return true;
+}
+typedef JSObject *(*StringSplitFn)(JSContext *, HandleTypeObject, HandleString, HandleString);
+static const VMFunction StringSplitInfo = FunctionInfo<StringSplitFn>(js::str_split_string);
+bool
+CodeGenerator::visitStringSplit(LStringSplit *lir)
+{
+pushArg(ToRegister(lir->separator()));
+pushArg(ToRegister(lir->string()));
+pushArg(ImmGCPtr(lir->mir()->typeObject()));
+return callVM(StringSplitInfo, lir);
+}
+bool
+CodeGenerator::visitInitializedLength(LInitializedLength *lir)
+{
+Address initLength(ToRegister(lir->elements()), ObjectElements::offsetOfInitializedLength());
+masm.load32(initLength, ToRegister(lir->output()));
+return true;
+}
+bool
+CodeGenerator::visitSetInitializedLength(LSetInitializedLength *lir)
+{
+Address initLength(ToRegister(lir->elements()), ObjectElements::offsetOfInitializedLength());
+Int32Key index = ToInt32Key(lir->index());
+masm.bumpKey(&index, 1);
+masm.storeKey(index, initLength);
+// Restore register value if it is used/captured after.
+masm.bumpKey(&index, -1);
+return true;
+}
+bool
+CodeGenerator::visitNotO(LNotO *lir)
+{
+MOZ_ASSERT(lir->mir()->operandMightEmulateUndefined(),
+"This should be constant-folded if the object can't emulate undefined.");
+OutOfLineTestObjectWithLabels *ool = new(alloc()) OutOfLineTestObjectWithLabels();
+if (!addOutOfLineCode(ool))
+return false;
+Label *ifEmulatesUndefined = ool->label1();
+Label *ifDoesntEmulateUndefined = ool->label2();
+Register objreg = ToRegister(lir->input());
+Register output = ToRegister(lir->output());
+branchTestObjectEmulatesUndefined(objreg, ifEmulatesUndefined, ifDoesntEmulateUndefined,
+output, ool);
+// fall through
+Label join;
+masm.move32(Imm32(0), output);
+masm.jump(&join);
+masm.bind(ifEmulatesUndefined);
+masm.move32(Imm32(1), output);
+masm.bind(&join);
+return true;
+}
+bool
+CodeGenerator::visitNotV(LNotV *lir)
+{
+Maybe<Label> ifTruthyLabel, ifFalsyLabel;
+Label *ifTruthy;
+Label *ifFalsy;
+OutOfLineTestObjectWithLabels *ool = nullptr;
+if (lir->mir()->operandMightEmulateUndefined()) {
+ool = new(alloc()) OutOfLineTestObjectWithLabels();
+if (!addOutOfLineCode(ool))
+return false;
+ifTruthy = ool->label1();
+ifFalsy = ool->label2();
+} else {
+ifTruthyLabel.construct();
+ifFalsyLabel.construct();
+ifTruthy = ifTruthyLabel.addr();
+ifFalsy = ifFalsyLabel.addr();
+}
+testValueTruthyKernel(ToValue(lir, LNotV::Input), lir->temp1(), lir->temp2(),
+ToFloatRegister(lir->tempFloat()),
+ifTruthy, ifFalsy, ool);
+Label join;
+Register output = ToRegister(lir->output());
+// Note that the testValueTruthyKernel call above may choose to fall through
+// to ifTruthy instead of branching there.
+masm.bind(ifTruthy);
+masm.move32(Imm32(0), output);
+masm.jump(&join);
+masm.bind(ifFalsy);
+masm.move32(Imm32(1), output);
+// both branches meet here.
+masm.bind(&join);
+return true;
+}
+bool
+CodeGenerator::visitBoundsCheck(LBoundsCheck *lir)
+{
+if (lir->index()->isConstant()) {
+// Use uint32 so that the comparison is unsigned.
+uint32_t index = ToInt32(lir->index());
+if (lir->length()->isConstant()) {
+uint32_t length = ToInt32(lir->length());
+if (index < length)
+return true;
+return bailout(lir->snapshot());
+}
+return bailoutCmp32(Assembler::BelowOrEqual, ToOperand(lir->length()), Imm32(index),
+lir->snapshot());
+}
+if (lir->length()->isConstant()) {
+return bailoutCmp32(Assembler::AboveOrEqual, ToRegister(lir->index()),
+Imm32(ToInt32(lir->length())), lir->snapshot());
+}
+return bailoutCmp32(Assembler::BelowOrEqual, ToOperand(lir->length()),
+ToRegister(lir->index()), lir->snapshot());
+}
+bool
+CodeGenerator::visitBoundsCheckRange(LBoundsCheckRange *lir)
+{
+int32_t min = lir->mir()->minimum();
+int32_t max = lir->mir()->maximum();
+JS_ASSERT(max >= min);
+Register temp = ToRegister(lir->getTemp(0));
+if (lir->index()->isConstant()) {
+int32_t nmin, nmax;
+int32_t index = ToInt32(lir->index());
+if (SafeAdd(index, min, &nmin) && SafeAdd(index, max, &nmax) && nmin >= 0) {
+return bailoutCmp32(Assembler::BelowOrEqual, ToOperand(lir->length()), Imm32(nmax),
+lir->snapshot());
+}
+masm.mov(ImmWord(index), temp);
+} else {
+masm.mov(ToRegister(lir->index()), temp);
+}
+// If the minimum and maximum differ then do an underflow check first.
+// If the two are the same then doing an unsigned comparison on the
+// length will also catch a negative index.
+if (min != max) {
+if (min != 0) {
+Label bail;
+masm.branchAdd32(Assembler::Overflow, Imm32(min), temp, &bail);
+if (!bailoutFrom(&bail, lir->snapshot()))
+return false;
+}
+if (!bailoutCmp32(Assembler::LessThan, temp, Imm32(0), lir->snapshot()))
+return false;
+if (min != 0) {
+int32_t diff;
+if (SafeSub(max, min, &diff))
+max = diff;
+else
+masm.sub32(Imm32(min), temp);
+}
+}
+// Compute the maximum possible index. No overflow check is needed when
+// max > 0. We can only wraparound to a negative number, which will test as
+// larger than all nonnegative numbers in the unsigned comparison, and the
+// length is required to be nonnegative (else testing a negative length
+// would succeed on any nonnegative index).
+if (max != 0) {
+if (max < 0) {
+Label bail;
+masm.branchAdd32(Assembler::Overflow, Imm32(max), temp, &bail);
+if (!bailoutFrom(&bail, lir->snapshot()))
+return false;
+} else {
+masm.add32(Imm32(max), temp);
+}
+}
+return bailoutCmp32(Assembler::BelowOrEqual, ToOperand(lir->length()), temp, lir->snapshot());
+}
+bool
+CodeGenerator::visitBoundsCheckLower(LBoundsCheckLower *lir)
+{
+int32_t min = lir->mir()->minimum();
+return bailoutCmp32(Assembler::LessThan, ToRegister(lir->index()), Imm32(min),
+lir->snapshot());
+}
+class OutOfLineStoreElementHole : public OutOfLineCodeBase<CodeGenerator>
+{
+LInstruction *ins_;
+Label rejoinStore_;
+public:
+OutOfLineStoreElementHole(LInstruction *ins)
+: ins_(ins)
+{
+JS_ASSERT(ins->isStoreElementHoleV() || ins->isStoreElementHoleT());
+}
+bool accept(CodeGenerator *codegen) {
+return codegen->visitOutOfLineStoreElementHole(this);
+}
+LInstruction *ins() const {
+return ins_;
+}
+Label *rejoinStore() {
+return &rejoinStore_;
+}
+};
+bool
+CodeGenerator::emitStoreHoleCheck(Register elements, const LAllocation *index, LSnapshot *snapshot)
+{
+Label bail;
+if (index->isConstant()) {
+masm.branchTestMagic(Assembler::Equal,
+Address(elements, ToInt32(index) * sizeof(js::Value)), &bail);
+} else {
+masm.branchTestMagic(Assembler::Equal,
+BaseIndex(elements, ToRegister(index), TimesEight), &bail);
+}
+return bailoutFrom(&bail, snapshot);
+}
+bool
+CodeGenerator::visitStoreElementT(LStoreElementT *store)
+{
+Register elements = ToRegister(store->elements());
+const LAllocation *index = store->index();
+if (store->mir()->needsBarrier())
+emitPreBarrier(elements, index, store->mir()->elementType());
+if (store->mir()->needsHoleCheck() && !emitStoreHoleCheck(elements, index, store->snapshot()))
+return false;
+storeElementTyped(store->value(), store->mir()->value()->type(), store->mir()->elementType(),
+elements, index);
+return true;
+}
+bool
+CodeGenerator::visitStoreElementV(LStoreElementV *lir)
+{
+const ValueOperand value = ToValue(lir, LStoreElementV::Value);
+Register elements = ToRegister(lir->elements());
+const LAllocation *index = lir->index();
+if (lir->mir()->needsBarrier())
+emitPreBarrier(elements, index, MIRType_Value);
+if (lir->mir()->needsHoleCheck() && !emitStoreHoleCheck(elements, index, lir->snapshot()))
+return false;
+if (lir->index()->isConstant())
+masm.storeValue(value, Address(elements, ToInt32(lir->index()) * sizeof(js::Value)));
+else
+masm.storeValue(value, BaseIndex(elements, ToRegister(lir->index()), TimesEight));
+return true;
+}
+bool
+CodeGenerator::visitStoreElementHoleT(LStoreElementHoleT *lir)
+{
+OutOfLineStoreElementHole *ool = new(alloc()) OutOfLineStoreElementHole(lir);
+if (!addOutOfLineCode(ool))
+return false;
+Register elements = ToRegister(lir->elements());
+const LAllocation *index = lir->index();
+// OOL path if index >= initializedLength.
+Address initLength(elements, ObjectElements::offsetOfInitializedLength());
+masm.branchKey(Assembler::BelowOrEqual, initLength, ToInt32Key(index), ool->entry());
+if (lir->mir()->needsBarrier())
+emitPreBarrier(elements, index, lir->mir()->elementType());
+masm.bind(ool->rejoinStore());
+storeElementTyped(lir->value(), lir->mir()->value()->type(), lir->mir()->elementType(),
+elements, index);
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitStoreElementHoleV(LStoreElementHoleV *lir)
+{
+OutOfLineStoreElementHole *ool = new(alloc()) OutOfLineStoreElementHole(lir);
+if (!addOutOfLineCode(ool))
+return false;
+Register elements = ToRegister(lir->elements());
+const LAllocation *index = lir->index();
+const ValueOperand value = ToValue(lir, LStoreElementHoleV::Value);
+// OOL path if index >= initializedLength.
+Address initLength(elements, ObjectElements::offsetOfInitializedLength());
+masm.branchKey(Assembler::BelowOrEqual, initLength, ToInt32Key(index), ool->entry());
+if (lir->mir()->needsBarrier())
+emitPreBarrier(elements, index, lir->mir()->elementType());
+masm.bind(ool->rejoinStore());
+if (lir->index()->isConstant())
+masm.storeValue(value, Address(elements, ToInt32(lir->index()) * sizeof(js::Value)));
+else
+masm.storeValue(value, BaseIndex(elements, ToRegister(lir->index()), TimesEight));
+masm.bind(ool->rejoin());
+return true;
+}
+typedef bool (*SetDenseElementFn)(JSContext *, HandleObject, int32_t, HandleValue,
+bool strict);
+typedef bool (*SetDenseElementParFn)(ForkJoinContext *, HandleObject, int32_t, HandleValue, bool);
+static const VMFunctionsModal SetDenseElementInfo = VMFunctionsModal(
+FunctionInfo<SetDenseElementFn>(SetDenseElement),
+FunctionInfo<SetDenseElementParFn>(SetDenseElementPar));
+bool
+CodeGenerator::visitOutOfLineStoreElementHole(OutOfLineStoreElementHole *ool)
+{
+Register object, elements;
+LInstruction *ins = ool->ins();
+const LAllocation *index;
+MIRType valueType;
+ConstantOrRegister value;
+if (ins->isStoreElementHoleV()) {
+LStoreElementHoleV *store = ins->toStoreElementHoleV();
+object = ToRegister(store->object());
+elements = ToRegister(store->elements());
+index = store->index();
+valueType = store->mir()->value()->type();
+value = TypedOrValueRegister(ToValue(store, LStoreElementHoleV::Value));
+} else {
+LStoreElementHoleT *store = ins->toStoreElementHoleT();
+object = ToRegister(store->object());
+elements = ToRegister(store->elements());
+index = store->index();
+valueType = store->mir()->value()->type();
+if (store->value()->isConstant())
+value = ConstantOrRegister(*store->value()->toConstant());
+else
+value = TypedOrValueRegister(valueType, ToAnyRegister(store->value()));
+}
+// If index == initializedLength, try to bump the initialized length inline.
+// If index > initializedLength, call a stub. Note that this relies on the
+// condition flags sticking from the incoming branch.
+Label callStub;
+#ifdef JS_CODEGEN_MIPS
+// Had to reimplement for MIPS because there are no flags.
+Address initLength(elements, ObjectElements::offsetOfInitializedLength());
+masm.branchKey(Assembler::NotEqual, initLength, ToInt32Key(index), &callStub);
+#else
+masm.j(Assembler::NotEqual, &callStub);
+#endif
+Int32Key key = ToInt32Key(index);
+// Check array capacity.
+masm.branchKey(Assembler::BelowOrEqual, Address(elements, ObjectElements::offsetOfCapacity()),
+key, &callStub);
+// Update initialized length. The capacity guard above ensures this won't overflow,
+// due to NELEMENTS_LIMIT.
+masm.bumpKey(&key, 1);
+masm.storeKey(key, Address(elements, ObjectElements::offsetOfInitializedLength()));
+// Update length if length < initializedLength.
+Label dontUpdate;
+masm.branchKey(Assembler::AboveOrEqual, Address(elements, ObjectElements::offsetOfLength()),
+key, &dontUpdate);
+masm.storeKey(key, Address(elements, ObjectElements::offsetOfLength()));
+masm.bind(&dontUpdate);
+masm.bumpKey(&key, -1);
+if (ins->isStoreElementHoleT() && valueType != MIRType_Double) {
+// The inline path for StoreElementHoleT does not always store the type tag,
+// so we do the store on the OOL path. We use MIRType_None for the element type
+// so that storeElementTyped will always store the type tag.
+storeElementTyped(ins->toStoreElementHoleT()->value(), valueType, MIRType_None, elements,
+index);
+masm.jump(ool->rejoin());
+} else {
+// Jump to the inline path where we will store the value.
+masm.jump(ool->rejoinStore());
+}
+masm.bind(&callStub);
+saveLive(ins);
+pushArg(Imm32(current->mir()->strict()));
+pushArg(value);
+if (index->isConstant())
+pushArg(Imm32(ToInt32(index)));
+else
+pushArg(ToRegister(index));
+pushArg(object);
+if (!callVM(SetDenseElementInfo, ins))
+return false;
+restoreLive(ins);
+masm.jump(ool->rejoin());
+return true;
+}
+typedef bool (*ArrayPopShiftFn)(JSContext *, HandleObject, MutableHandleValue);
+static const VMFunction ArrayPopDenseInfo = FunctionInfo<ArrayPopShiftFn>(jit::ArrayPopDense);
+static const VMFunction ArrayShiftDenseInfo = FunctionInfo<ArrayPopShiftFn>(jit::ArrayShiftDense);
+bool
+CodeGenerator::emitArrayPopShift(LInstruction *lir, const MArrayPopShift *mir, Register obj,
+Register elementsTemp, Register lengthTemp, TypedOrValueRegister out)
+{
+OutOfLineCode *ool;
+if (mir->mode() == MArrayPopShift::Pop) {
+ool = oolCallVM(ArrayPopDenseInfo, lir, (ArgList(), obj), StoreValueTo(out));
+if (!ool)
+return false;
+} else {
+JS_ASSERT(mir->mode() == MArrayPopShift::Shift);
+ool = oolCallVM(ArrayShiftDenseInfo, lir, (ArgList(), obj), StoreValueTo(out));
+if (!ool)
+return false;
+}
+// VM call if a write barrier is necessary.
+masm.branchTestNeedsBarrier(Assembler::NonZero, lengthTemp, ool->entry());
+// Load elements and length.
+masm.loadPtr(Address(obj, JSObject::offsetOfElements()), elementsTemp);
+masm.load32(Address(elementsTemp, ObjectElements::offsetOfLength()), lengthTemp);
+// VM call if length != initializedLength.
+Int32Key key = Int32Key(lengthTemp);
+Address initLength(elementsTemp, ObjectElements::offsetOfInitializedLength());
+masm.branchKey(Assembler::NotEqual, initLength, key, ool->entry());
+// Test for length != 0. On zero length either take a VM call or generate
+// an undefined value, depending on whether the call is known to produce
+// undefined.
+Label done;
+if (mir->maybeUndefined()) {
+Label notEmpty;
+masm.branchTest32(Assembler::NonZero, lengthTemp, lengthTemp, &notEmpty);
+masm.moveValue(UndefinedValue(), out.valueReg());
+masm.jump(&done);
+masm.bind(&notEmpty);
+} else {
+masm.branchTest32(Assembler::Zero, lengthTemp, lengthTemp, ool->entry());
+}
+masm.bumpKey(&key, -1);
+if (mir->mode() == MArrayPopShift::Pop) {
+masm.loadElementTypedOrValue(BaseIndex(elementsTemp, lengthTemp, TimesEight), out,
+mir->needsHoleCheck(), ool->entry());
+} else {
+JS_ASSERT(mir->mode() == MArrayPopShift::Shift);
+masm.loadElementTypedOrValue(Address(elementsTemp, 0), out, mir->needsHoleCheck(),
+ool->entry());
+}
+// Handle the failure case when the array length is non-writable in the
+// OOL path.  (Unlike in the adding-an-element cases, we can't rely on the
+// capacity <= length invariant for such arrays to avoid an explicit
+// check.)
+Address elementFlags(elementsTemp, ObjectElements::offsetOfFlags());
+Imm32 bit(ObjectElements::NONWRITABLE_ARRAY_LENGTH);
+masm.branchTest32(Assembler::NonZero, elementFlags, bit, ool->entry());
+// Now adjust length and initializedLength.
+masm.store32(lengthTemp, Address(elementsTemp, ObjectElements::offsetOfLength()));
+masm.store32(lengthTemp, Address(elementsTemp, ObjectElements::offsetOfInitializedLength()));
+if (mir->mode() == MArrayPopShift::Shift) {
+// Don't save the temp registers.
+RegisterSet temps;
+temps.add(elementsTemp);
+temps.add(lengthTemp);
+saveVolatile(temps);
+masm.setupUnalignedABICall(1, lengthTemp);
+masm.passABIArg(obj);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, js::ArrayShiftMoveElements));
+restoreVolatile(temps);
+}
+masm.bind(&done);
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitArrayPopShiftV(LArrayPopShiftV *lir)
+{
+Register obj = ToRegister(lir->object());
+Register elements = ToRegister(lir->temp0());
+Register length = ToRegister(lir->temp1());
+TypedOrValueRegister out(ToOutValue(lir));
+return emitArrayPopShift(lir, lir->mir(), obj, elements, length, out);
+}
+bool
+CodeGenerator::visitArrayPopShiftT(LArrayPopShiftT *lir)
+{
+Register obj = ToRegister(lir->object());
+Register elements = ToRegister(lir->temp0());
+Register length = ToRegister(lir->temp1());
+TypedOrValueRegister out(lir->mir()->type(), ToAnyRegister(lir->output()));
+return emitArrayPopShift(lir, lir->mir(), obj, elements, length, out);
+}
+typedef bool (*ArrayPushDenseFn)(JSContext *, HandleObject, HandleValue, uint32_t *);
+static const VMFunction ArrayPushDenseInfo =
+FunctionInfo<ArrayPushDenseFn>(jit::ArrayPushDense);
+bool
+CodeGenerator::emitArrayPush(LInstruction *lir, const MArrayPush *mir, Register obj,
+ConstantOrRegister value, Register elementsTemp, Register length)
+{
+OutOfLineCode *ool = oolCallVM(ArrayPushDenseInfo, lir, (ArgList(), obj, value), StoreRegisterTo(length));
+if (!ool)
+return false;
+// Load elements and length.
+masm.loadPtr(Address(obj, JSObject::offsetOfElements()), elementsTemp);
+masm.load32(Address(elementsTemp, ObjectElements::offsetOfLength()), length);
+Int32Key key = Int32Key(length);
+Address initLength(elementsTemp, ObjectElements::offsetOfInitializedLength());
+Address capacity(elementsTemp, ObjectElements::offsetOfCapacity());
+// Guard length == initializedLength.
+masm.branchKey(Assembler::NotEqual, initLength, key, ool->entry());
+// Guard length < capacity.
+masm.branchKey(Assembler::BelowOrEqual, capacity, key, ool->entry());
+masm.storeConstantOrRegister(value, BaseIndex(elementsTemp, length, TimesEight));
+masm.bumpKey(&key, 1);
+masm.store32(length, Address(elementsTemp, ObjectElements::offsetOfLength()));
+masm.store32(length, Address(elementsTemp, ObjectElements::offsetOfInitializedLength()));
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitArrayPushV(LArrayPushV *lir)
+{
+Register obj = ToRegister(lir->object());
+Register elementsTemp = ToRegister(lir->temp());
+Register length = ToRegister(lir->output());
+ConstantOrRegister value = TypedOrValueRegister(ToValue(lir, LArrayPushV::Value));
+return emitArrayPush(lir, lir->mir(), obj, value, elementsTemp, length);
+}
+bool
+CodeGenerator::visitArrayPushT(LArrayPushT *lir)
+{
+Register obj = ToRegister(lir->object());
+Register elementsTemp = ToRegister(lir->temp());
+Register length = ToRegister(lir->output());
+ConstantOrRegister value;
+if (lir->value()->isConstant())
+value = ConstantOrRegister(*lir->value()->toConstant());
+else
+value = TypedOrValueRegister(lir->mir()->value()->type(), ToAnyRegister(lir->value()));
+return emitArrayPush(lir, lir->mir(), obj, value, elementsTemp, length);
+}
+typedef JSObject *(*ArrayConcatDenseFn)(JSContext *, HandleObject, HandleObject, HandleObject);
+static const VMFunction ArrayConcatDenseInfo = FunctionInfo<ArrayConcatDenseFn>(ArrayConcatDense);
+bool
+CodeGenerator::visitArrayConcat(LArrayConcat *lir)
+{
+Register lhs = ToRegister(lir->lhs());
+Register rhs = ToRegister(lir->rhs());
+Register temp1 = ToRegister(lir->temp1());
+Register temp2 = ToRegister(lir->temp2());
+// If 'length == initializedLength' for both arrays we try to allocate an object
+// inline and pass it to the stub. Else, we just pass nullptr and the stub falls
+// back to a slow path.
+Label fail, call;
+masm.loadPtr(Address(lhs, JSObject::offsetOfElements()), temp1);
+masm.load32(Address(temp1, ObjectElements::offsetOfInitializedLength()), temp2);
+masm.branch32(Assembler::NotEqual, Address(temp1, ObjectElements::offsetOfLength()), temp2, &fail);
+masm.loadPtr(Address(rhs, JSObject::offsetOfElements()), temp1);
+masm.load32(Address(temp1, ObjectElements::offsetOfInitializedLength()), temp2);
+masm.branch32(Assembler::NotEqual, Address(temp1, ObjectElements::offsetOfLength()), temp2, &fail);
+// Try to allocate an object.
+JSObject *templateObj = lir->mir()->templateObj();
+masm.newGCThing(temp1, temp2, templateObj, &fail, lir->mir()->initialHeap());
+masm.initGCThing(temp1, temp2, templateObj);
+masm.jump(&call);
+{
+masm.bind(&fail);
+masm.movePtr(ImmPtr(nullptr), temp1);
+}
+masm.bind(&call);
+pushArg(temp1);
+pushArg(ToRegister(lir->rhs()));
+pushArg(ToRegister(lir->lhs()));
+return callVM(ArrayConcatDenseInfo, lir);
+}
+typedef JSObject *(*GetIteratorObjectFn)(JSContext *, HandleObject, uint32_t);
+static const VMFunction GetIteratorObjectInfo = FunctionInfo<GetIteratorObjectFn>(GetIteratorObject);
+bool
+CodeGenerator::visitCallIteratorStart(LCallIteratorStart *lir)
+{
+pushArg(Imm32(lir->mir()->flags()));
+pushArg(ToRegister(lir->object()));
+return callVM(GetIteratorObjectInfo, lir);
+}
+bool
+CodeGenerator::visitIteratorStart(LIteratorStart *lir)
+{
+const Register obj = ToRegister(lir->object());
+const Register output = ToRegister(lir->output());
+uint32_t flags = lir->mir()->flags();
+OutOfLineCode *ool = oolCallVM(GetIteratorObjectInfo, lir,
+(ArgList(), obj, Imm32(flags)), StoreRegisterTo(output));
+if (!ool)
+return false;
+const Register temp1 = ToRegister(lir->temp1());
+const Register temp2 = ToRegister(lir->temp2());
+const Register niTemp = ToRegister(lir->temp3()); // Holds the NativeIterator object.
+// Iterators other than for-in should use LCallIteratorStart.
+JS_ASSERT(flags == JSITER_ENUMERATE);
+// Fetch the most recent iterator and ensure it's not nullptr.
+masm.loadPtr(AbsoluteAddress(GetIonContext()->runtime->addressOfLastCachedNativeIterator()), output);
+masm.branchTestPtr(Assembler::Zero, output, output, ool->entry());
+// Load NativeIterator.
+masm.loadObjPrivate(output, JSObject::ITER_CLASS_NFIXED_SLOTS, niTemp);
+// Ensure the |active| and |unreusable| bits are not set.
+masm.branchTest32(Assembler::NonZero, Address(niTemp, offsetof(NativeIterator, flags)),
+Imm32(JSITER_ACTIVE|JSITER_UNREUSABLE), ool->entry());
+// Load the iterator's shape array.
+masm.loadPtr(Address(niTemp, offsetof(NativeIterator, shapes_array)), temp2);
+// Compare shape of object with the first shape.
+masm.loadObjShape(obj, temp1);
+masm.branchPtr(Assembler::NotEqual, Address(temp2, 0), temp1, ool->entry());
+// Compare shape of object's prototype with the second shape.
+masm.loadObjProto(obj, temp1);
+masm.loadObjShape(temp1, temp1);
+masm.branchPtr(Assembler::NotEqual, Address(temp2, sizeof(Shape *)), temp1, ool->entry());
+// Ensure the object's prototype's prototype is nullptr. The last native
+// iterator will always have a prototype chain length of one (i.e. it must
+// be a plain ), so we do not need to generate a loop here.
+masm.loadObjProto(obj, temp1);
+masm.loadObjProto(temp1, temp1);
+masm.branchTestPtr(Assembler::NonZero, temp1, temp1, ool->entry());
+// Ensure the object does not have any elements. The presence of dense
+// elements is not captured by the shape tests above.
+masm.branchPtr(Assembler::NotEqual,
+Address(obj, JSObject::offsetOfElements()),
+ImmPtr(js::emptyObjectElements),
+ool->entry());
+// Write barrier for stores to the iterator. We only need to take a write
+// barrier if NativeIterator::obj is actually going to change.
+{
+#ifdef JSGC_GENERATIONAL
+// Bug 867815: When using a nursery, we unconditionally take this out-
+// of-line so that we do not have to post-barrier the store to
+// NativeIter::obj. This just needs JIT support for the Cell* buffer.
+Address objAddr(niTemp, offsetof(NativeIterator, obj));
+masm.branchPtr(Assembler::NotEqual, objAddr, obj, ool->entry());
+#else
+Label noBarrier;
+masm.branchTestNeedsBarrier(Assembler::Zero, temp1, &noBarrier);
+Address objAddr(niTemp, offsetof(NativeIterator, obj));
+masm.branchPtr(Assembler::NotEqual, objAddr, obj, ool->entry());
+masm.bind(&noBarrier);
+#endif // !JSGC_GENERATIONAL
+}
+// Mark iterator as active.
+masm.storePtr(obj, Address(niTemp, offsetof(NativeIterator, obj)));
+masm.or32(Imm32(JSITER_ACTIVE), Address(niTemp, offsetof(NativeIterator, flags)));
+// Chain onto the active iterator stack.
+masm.loadPtr(AbsoluteAddress(gen->compartment->addressOfEnumerators()), temp1);
+// ni->next = list
+masm.storePtr(temp1, Address(niTemp, NativeIterator::offsetOfNext()));
+// ni->prev = list->prev
+masm.loadPtr(Address(temp1, NativeIterator::offsetOfPrev()), temp2);
+masm.storePtr(temp2, Address(niTemp, NativeIterator::offsetOfPrev()));
+// list->prev->next = ni
+masm.storePtr(niTemp, Address(temp2, NativeIterator::offsetOfNext()));
+// list->prev = ni
+masm.storePtr(niTemp, Address(temp1, NativeIterator::offsetOfPrev()));
+masm.bind(ool->rejoin());
+return true;
+}
+static void
+LoadNativeIterator(MacroAssembler &masm, Register obj, Register dest, Label *failures)
+{
+JS_ASSERT(obj != dest);
+// Test class.
+masm.branchTestObjClass(Assembler::NotEqual, obj, dest, &PropertyIteratorObject::class_, failures);
+// Load NativeIterator object.
+masm.loadObjPrivate(obj, JSObject::ITER_CLASS_NFIXED_SLOTS, dest);
+}
+typedef bool (*IteratorNextFn)(JSContext *, HandleObject, MutableHandleValue);
+static const VMFunction IteratorNextInfo = FunctionInfo<IteratorNextFn>(js_IteratorNext);
+bool
+CodeGenerator::visitIteratorNext(LIteratorNext *lir)
+{
+const Register obj = ToRegister(lir->object());
+const Register temp = ToRegister(lir->temp());
+const ValueOperand output = ToOutValue(lir);
+OutOfLineCode *ool = oolCallVM(IteratorNextInfo, lir, (ArgList(), obj), StoreValueTo(output));
+if (!ool)
+return false;
+LoadNativeIterator(masm, obj, temp, ool->entry());
+masm.branchTest32(Assembler::NonZero, Address(temp, offsetof(NativeIterator, flags)),
+Imm32(JSITER_FOREACH), ool->entry());
+// Get cursor, next string.
+masm.loadPtr(Address(temp, offsetof(NativeIterator, props_cursor)), output.scratchReg());
+masm.loadPtr(Address(output.scratchReg(), 0), output.scratchReg());
+masm.tagValue(JSVAL_TYPE_STRING, output.scratchReg(), output);
+// Increase the cursor.
+masm.addPtr(Imm32(sizeof(JSString *)), Address(temp, offsetof(NativeIterator, props_cursor)));
+masm.bind(ool->rejoin());
+return true;
+}
+typedef bool (*IteratorMoreFn)(JSContext *, HandleObject, bool *);
+static const VMFunction IteratorMoreInfo = FunctionInfo<IteratorMoreFn>(jit::IteratorMore);
+bool
+CodeGenerator::visitIteratorMore(LIteratorMore *lir)
+{
+const Register obj = ToRegister(lir->object());
+const Register output = ToRegister(lir->output());
+const Register temp = ToRegister(lir->temp());
+OutOfLineCode *ool = oolCallVM(IteratorMoreInfo, lir,
+(ArgList(), obj), StoreRegisterTo(output));
+if (!ool)
+return false;
+LoadNativeIterator(masm, obj, output, ool->entry());
+masm.branchTest32(Assembler::NonZero, Address(output, offsetof(NativeIterator, flags)),
+Imm32(JSITER_FOREACH), ool->entry());
+// Set output to true if props_cursor < props_end.
+masm.loadPtr(Address(output, offsetof(NativeIterator, props_end)), temp);
+masm.cmpPtrSet(Assembler::LessThan, Address(output, offsetof(NativeIterator, props_cursor)),
+temp, output);
+masm.bind(ool->rejoin());
+return true;
+}
+typedef bool (*CloseIteratorFn)(JSContext *, HandleObject);
+static const VMFunction CloseIteratorInfo = FunctionInfo<CloseIteratorFn>(CloseIterator);
+bool
+CodeGenerator::visitIteratorEnd(LIteratorEnd *lir)
+{
+const Register obj = ToRegister(lir->object());
+const Register temp1 = ToRegister(lir->temp1());
+const Register temp2 = ToRegister(lir->temp2());
+const Register temp3 = ToRegister(lir->temp3());
+OutOfLineCode *ool = oolCallVM(CloseIteratorInfo, lir, (ArgList(), obj), StoreNothing());
+if (!ool)
+return false;
+LoadNativeIterator(masm, obj, temp1, ool->entry());
+masm.branchTest32(Assembler::Zero, Address(temp1, offsetof(NativeIterator, flags)),
+Imm32(JSITER_ENUMERATE), ool->entry());
+// Clear active bit.
+masm.and32(Imm32(~JSITER_ACTIVE), Address(temp1, offsetof(NativeIterator, flags)));
+// Reset property cursor.
+masm.loadPtr(Address(temp1, offsetof(NativeIterator, props_array)), temp2);
+masm.storePtr(temp2, Address(temp1, offsetof(NativeIterator, props_cursor)));
+// Unlink from the iterator list.
+const Register next = temp2;
+const Register prev = temp3;
+masm.loadPtr(Address(temp1, NativeIterator::offsetOfNext()), next);
+masm.loadPtr(Address(temp1, NativeIterator::offsetOfPrev()), prev);
+masm.storePtr(prev, Address(next, NativeIterator::offsetOfPrev()));
+masm.storePtr(next, Address(prev, NativeIterator::offsetOfNext()));
+#ifdef DEBUG
+masm.storePtr(ImmPtr(nullptr), Address(temp1, NativeIterator::offsetOfNext()));
+masm.storePtr(ImmPtr(nullptr), Address(temp1, NativeIterator::offsetOfPrev()));
+#endif
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitArgumentsLength(LArgumentsLength *lir)
+{
+// read number of actual arguments from the JS frame.
+Register argc = ToRegister(lir->output());
+Address ptr(StackPointer, frameSize() + IonJSFrameLayout::offsetOfNumActualArgs());
+masm.loadPtr(ptr, argc);
+return true;
+}
+bool
+CodeGenerator::visitGetFrameArgument(LGetFrameArgument *lir)
+{
+ValueOperand result = GetValueOutput(lir);
+const LAllocation *index = lir->index();
+size_t argvOffset = frameSize() + IonJSFrameLayout::offsetOfActualArgs();
+if (index->isConstant()) {
+int32_t i = index->toConstant()->toInt32();
+Address argPtr(StackPointer, sizeof(Value) * i + argvOffset);
+masm.loadValue(argPtr, result);
+} else {
+Register i = ToRegister(index);
+BaseIndex argPtr(StackPointer, i, ScaleFromElemWidth(sizeof(Value)), argvOffset);
+masm.loadValue(argPtr, result);
+}
+return true;
+}
+bool
+CodeGenerator::visitSetFrameArgumentT(LSetFrameArgumentT *lir)
+{
+size_t argOffset = frameSize() + IonJSFrameLayout::offsetOfActualArgs() +
+(sizeof(Value) * lir->mir()->argno());
+MIRType type = lir->mir()->value()->type();
+if (type == MIRType_Double) {
+// Store doubles directly.
+FloatRegister input = ToFloatRegister(lir->input());
+masm.storeDouble(input, Address(StackPointer, argOffset));
+} else {
+Register input = ToRegister(lir->input());
+masm.storeValue(ValueTypeFromMIRType(type), input, Address(StackPointer, argOffset));
+}
+return true;
+}
+bool
+CodeGenerator:: visitSetFrameArgumentC(LSetFrameArgumentC *lir)
+{
+size_t argOffset = frameSize() + IonJSFrameLayout::offsetOfActualArgs() +
+(sizeof(Value) * lir->mir()->argno());
+masm.storeValue(lir->val(), Address(StackPointer, argOffset));
+return true;
+}
+bool
+CodeGenerator:: visitSetFrameArgumentV(LSetFrameArgumentV *lir)
+{
+const ValueOperand val = ToValue(lir, LSetFrameArgumentV::Input);
+size_t argOffset = frameSize() + IonJSFrameLayout::offsetOfActualArgs() +
+(sizeof(Value) * lir->mir()->argno());
+masm.storeValue(val, Address(StackPointer, argOffset));
+return true;
+}
+typedef bool (*RunOnceScriptPrologueFn)(JSContext *, HandleScript);
+static const VMFunction RunOnceScriptPrologueInfo =
+FunctionInfo<RunOnceScriptPrologueFn>(js::RunOnceScriptPrologue);
+bool
+CodeGenerator::visitRunOncePrologue(LRunOncePrologue *lir)
+{
+pushArg(ImmGCPtr(lir->mir()->block()->info().script()));
+return callVM(RunOnceScriptPrologueInfo, lir);
+}
+typedef JSObject *(*InitRestParameterFn)(JSContext *, uint32_t, Value *, HandleObject,
+HandleObject);
+typedef JSObject *(*InitRestParameterParFn)(ForkJoinContext *, uint32_t, Value *,
+HandleObject, HandleObject);
+static const VMFunctionsModal InitRestParameterInfo = VMFunctionsModal(
+FunctionInfo<InitRestParameterFn>(InitRestParameter),
+FunctionInfo<InitRestParameterParFn>(InitRestParameterPar));
+bool
+CodeGenerator::emitRest(LInstruction *lir, Register array, Register numActuals,
+Register temp0, Register temp1, unsigned numFormals,
+JSObject *templateObject)
+{
+// Compute actuals() + numFormals.
+size_t actualsOffset = frameSize() + IonJSFrameLayout::offsetOfActualArgs();
+masm.movePtr(StackPointer, temp1);
+masm.addPtr(Imm32(sizeof(Value) * numFormals + actualsOffset), temp1);
+// Compute numActuals - numFormals.
+Label emptyLength, joinLength;
+masm.movePtr(numActuals, temp0);
+masm.branch32(Assembler::LessThanOrEqual, temp0, Imm32(numFormals), &emptyLength);
+masm.sub32(Imm32(numFormals), temp0);
+masm.jump(&joinLength);
+{
+masm.bind(&emptyLength);
+masm.move32(Imm32(0), temp0);
+}
+masm.bind(&joinLength);
+pushArg(array);
+pushArg(ImmGCPtr(templateObject));
+pushArg(temp1);
+pushArg(temp0);
+return callVM(InitRestParameterInfo, lir);
+}
+bool
+CodeGenerator::visitRest(LRest *lir)
+{
+Register numActuals = ToRegister(lir->numActuals());
+Register temp0 = ToRegister(lir->getTemp(0));
+Register temp1 = ToRegister(lir->getTemp(1));
+Register temp2 = ToRegister(lir->getTemp(2));
+unsigned numFormals = lir->mir()->numFormals();
+JSObject *templateObject = lir->mir()->templateObject();
+Label joinAlloc, failAlloc;
+masm.newGCThing(temp2, temp0, templateObject, &failAlloc, gc::DefaultHeap);
+masm.initGCThing(temp2, temp0, templateObject);
+masm.jump(&joinAlloc);
+{
+masm.bind(&failAlloc);
+masm.movePtr(ImmPtr(nullptr), temp2);
+}
+masm.bind(&joinAlloc);
+return emitRest(lir, temp2, numActuals, temp0, temp1, numFormals, templateObject);
+}
+bool
+CodeGenerator::visitRestPar(LRestPar *lir)
+{
+Register numActuals = ToRegister(lir->numActuals());
+Register cx = ToRegister(lir->forkJoinContext());
+Register temp0 = ToRegister(lir->getTemp(0));
+Register temp1 = ToRegister(lir->getTemp(1));
+Register temp2 = ToRegister(lir->getTemp(2));
+unsigned numFormals = lir->mir()->numFormals();
+JSObject *templateObject = lir->mir()->templateObject();
+if (!emitAllocateGCThingPar(lir, temp2, cx, temp0, temp1, templateObject))
+return false;
+return emitRest(lir, temp2, numActuals, temp0, temp1, numFormals, templateObject);
+}
+bool
+CodeGenerator::generateAsmJS(Label *stackOverflowLabel)
+{
+IonSpew(IonSpew_Codegen, "# Emitting asm.js code");
+// AsmJS doesn't do profiler instrumentation.
+sps_.disable();
+// The caller (either another asm.js function or the external-entry
+// trampoline) has placed all arguments in registers and on the stack
+// according to the system ABI. The MAsmJSParameters which represent these
+// parameters have been useFixed()ed to these ABI-specified positions.
+// Thus, there is nothing special to do in the prologue except (possibly)
+// bump the stack.
+if (!generateAsmJSPrologue(stackOverflowLabel))
+return false;
+if (!generateBody())
+return false;
+if (!generateEpilogue())
+return false;
+#if defined(JS_ION_PERF)
+// Note the end of the inline code and start of the OOL code.
+gen->perfSpewer().noteEndInlineCode(masm);
+#endif
+if (!generateOutOfLineCode())
+return false;
+// The only remaining work needed to compile this function is to patch the
+// switch-statement jump tables (the entries of the table need the absolute
+// address of the cases). These table entries are accmulated as CodeLabels
+// in the MacroAssembler's codeLabels_ list and processed all at once at in
+// the "static-link" phase of module compilation. It is critical that there
+// is nothing else to do after this point since the LifoAlloc memory
+// holding the MIR graph is about to be popped and reused. In particular,
+// every step in CodeGenerator::link must be a nop, as asserted here:
+JS_ASSERT(snapshots_.listSize() == 0);
+JS_ASSERT(snapshots_.RVATableSize() == 0);
+JS_ASSERT(recovers_.size() == 0);
+JS_ASSERT(bailouts_.empty());
+JS_ASSERT(graph.numConstants() == 0);
+JS_ASSERT(safepointIndices_.empty());
+JS_ASSERT(osiIndices_.empty());
+JS_ASSERT(cacheList_.empty());
+JS_ASSERT(safepoints_.size() == 0);
+return true;
+}
+bool
+CodeGenerator::generate()
+{
+IonSpew(IonSpew_Codegen, "# Emitting code for script %s:%d",
+gen->info().script()->filename(),
+gen->info().script()->lineno());
+if (!snapshots_.init())
+return false;
+if (!safepoints_.init(gen->alloc(), graph.totalSlotCount()))
+return false;
+#ifdef JS_TRACE_LOGGING
+if (!gen->compilingAsmJS() && gen->info().executionMode() == SequentialExecution) {
+if (!emitTracelogScriptStart())
+return false;
+if (!emitTracelogStartEvent(TraceLogger::IonMonkey))
+return false;
+}
+#endif
+// Before generating any code, we generate type checks for all parameters.
+// This comes before deoptTable_, because we can't use deopt tables without
+// creating the actual frame.
+if (!generateArgumentsChecks())
+return false;
+if (frameClass_ != FrameSizeClass::None()) {
+deoptTable_ = gen->jitRuntime()->getBailoutTable(frameClass_);
+if (!deoptTable_)
+return false;
+}
+#ifdef JS_TRACE_LOGGING
+Label skip;
+masm.jump(&skip);
+#endif
+// Remember the entry offset to skip the argument check.
+masm.flushBuffer();
+setSkipArgCheckEntryOffset(masm.size());
+#ifdef JS_TRACE_LOGGING
+if (!gen->compilingAsmJS() && gen->info().executionMode() == SequentialExecution) {
+if (!emitTracelogScriptStart())
+return false;
+if (!emitTracelogStartEvent(TraceLogger::IonMonkey))
+return false;
+}
+masm.bind(&skip);
+#endif
+#ifdef DEBUG
+// Assert that the argument types are correct.
+if (!generateArgumentsChecks(/* bailout = */ false))
+return false;
+#endif
+if (!generatePrologue())
+return false;
+if (!generateBody())
+return false;
+if (!generateEpilogue())
+return false;
+if (!generateInvalidateEpilogue())
+return false;
+#if defined(JS_ION_PERF)
+// Note the end of the inline code and start of the OOL code.
+perfSpewer_.noteEndInlineCode(masm);
+#endif
+if (!generateOutOfLineCode())
+return false;
+return !masm.oom();
+}
+bool
+CodeGenerator::link(JSContext *cx, types::CompilerConstraintList *constraints)
+{
+RootedScript script(cx, gen->info().script());
+ExecutionMode executionMode = gen->info().executionMode();
+OptimizationLevel optimizationLevel = gen->optimizationInfo().level();
+JS_ASSERT_IF(HasIonScript(script, executionMode), executionMode == SequentialExecution);
+// We finished the new IonScript. Invalidate the current active IonScript,
+// so we can replace it with this new (probably higher optimized) version.
+if (HasIonScript(script, executionMode)) {
+JS_ASSERT(GetIonScript(script, executionMode)->isRecompiling());
+// Do a normal invalidate, except don't cancel offThread compilations,
+// since that will cancel this compilation too.
+if (!Invalidate(cx, script, SequentialExecution,
+/* resetUses */ false, /* cancelOffThread*/ false))
+{
+return false;
+}
+}
+// Check to make sure we didn't have a mid-build invalidation. If so, we
+// will trickle to jit::Compile() and return Method_Skipped.
+types::RecompileInfo recompileInfo;
+if (!types::FinishCompilation(cx, script, executionMode, constraints, &recompileInfo))
+return true;
+uint32_t scriptFrameSize = frameClass_ == FrameSizeClass::None()
+? frameDepth_
+: FrameSizeClass::FromDepth(frameDepth_).frameSize();
+// We encode safepoints after the OSI-point offsets have been determined.
+encodeSafepoints();
+// List of possible scripts that this graph may call. Currently this is
+// only tracked when compiling for parallel execution.
+CallTargetVector callTargets(alloc());
+if (executionMode == ParallelExecution)
+AddPossibleCallees(cx, graph.mir(), callTargets);
+IonScript *ionScript =
+IonScript::New(cx, recompileInfo,
+graph.totalSlotCount(), scriptFrameSize,
+snapshots_.listSize(), snapshots_.RVATableSize(),
+recovers_.size(), bailouts_.length(), graph.numConstants(),
+safepointIndices_.length(), osiIndices_.length(),
+cacheList_.length(), runtimeData_.length(),
+safepoints_.size(), callTargets.length(),
+patchableBackedges_.length(), optimizationLevel);
+if (!ionScript) {
+recompileInfo.compilerOutput(cx->zone()->types)->invalidate();
+return false;
+}
+// Lock the runtime against interrupt callbacks during the link.
+// We don't want an interrupt request to protect the code for the script
+// before it has been filled in, as we could segv before the runtime's
+// patchable backedges have been fully updated.
+JSRuntime::AutoLockForInterrupt lock(cx->runtime());
+// Make sure we don't segv while filling in the code, to avoid deadlocking
+// inside the signal handler.
+cx->runtime()->jitRuntime()->ensureIonCodeAccessible(cx->runtime());
+// Implicit interrupts are used only for sequential code. In parallel mode
+// use the normal executable allocator so that we cannot segv during
+// execution off the main thread.
+Linker linker(masm);
+AutoFlushICache afc("IonLink");
+JitCode *code = (executionMode == SequentialExecution)
+? linker.newCodeForIonScript(cx)
+: linker.newCode<CanGC>(cx, JSC::ION_CODE);
+if (!code) {
+// Use js_free instead of IonScript::Destroy: the cache list and
+// backedge list are still uninitialized.
+js_free(ionScript);
+recompileInfo.compilerOutput(cx->zone()->types)->invalidate();
+return false;
+}
+ionScript->setMethod(code);
+ionScript->setSkipArgCheckEntryOffset(getSkipArgCheckEntryOffset());
+// If SPS is enabled, mark IonScript as having been instrumented with SPS
+if (sps_.enabled())
+ionScript->setHasSPSInstrumentation();
+SetIonScript(script, executionMode, ionScript);
+if (cx->runtime()->spsProfiler.enabled()) {
+const char *filename = script->filename();
+if (filename == nullptr)
+filename = "<unknown>";
+unsigned len = strlen(filename) + 50;
+char *buf = js_pod_malloc<char>(len);
+if (!buf)
+return false;
+JS_snprintf(buf, len, "Ion compiled %s:%d", filename, (int) script->lineno());
+cx->runtime()->spsProfiler.markEvent(buf);
+js_free(buf);
+}
+// In parallel execution mode, when we first compile a script, we
+// don't know that its potential callees are compiled, so set a
+// flag warning that the callees may not be fully compiled.
+if (!callTargets.empty())
+ionScript->setHasUncompiledCallTarget();
+invalidateEpilogueData_.fixup(&masm);
+Assembler::patchDataWithValueCheck(CodeLocationLabel(code, invalidateEpilogueData_),
+ImmPtr(ionScript),
+ImmPtr((void*)-1));
+IonSpew(IonSpew_Codegen, "Created IonScript %p (raw %p)",
+(void *) ionScript, (void *) code->raw());
+ionScript->setInvalidationEpilogueDataOffset(invalidateEpilogueData_.offset());
+ionScript->setOsrPc(gen->info().osrPc());
+ionScript->setOsrEntryOffset(getOsrEntryOffset());
+ptrdiff_t real_invalidate = masm.actualOffset(invalidate_.offset());
+ionScript->setInvalidationEpilogueOffset(real_invalidate);
+ionScript->setDeoptTable(deoptTable_);
+#if defined(JS_ION_PERF)
+if (PerfEnabled())
+perfSpewer_.writeProfile(script, code, masm);
+#endif
+for (size_t i = 0; i < ionScriptLabels_.length(); i++) {
+ionScriptLabels_[i].fixup(&masm);
+Assembler::patchDataWithValueCheck(CodeLocationLabel(code, ionScriptLabels_[i]),
+ImmPtr(ionScript),
+ImmPtr((void*)-1));
+}
+// for generating inline caches during the execution.
+if (runtimeData_.length())
+ionScript->copyRuntimeData(&runtimeData_[0]);
+if (cacheList_.length())
+ionScript->copyCacheEntries(&cacheList_[0], masm);
+// for marking during GC.
+if (safepointIndices_.length())
+ionScript->copySafepointIndices(&safepointIndices_[0], masm);
+if (safepoints_.size())
+ionScript->copySafepoints(&safepoints_);
+// for reconvering from an Ion Frame.
+if (bailouts_.length())
+ionScript->copyBailoutTable(&bailouts_[0]);
+if (osiIndices_.length())
+ionScript->copyOsiIndices(&osiIndices_[0], masm);
+if (snapshots_.listSize())
+ionScript->copySnapshots(&snapshots_);
+MOZ_ASSERT_IF(snapshots_.listSize(), recovers_.size());
+if (recovers_.size())
+ionScript->copyRecovers(&recovers_);
+if (graph.numConstants())
+ionScript->copyConstants(graph.constantPool());
+if (callTargets.length() > 0)
+ionScript->copyCallTargetEntries(callTargets.begin());
+if (patchableBackedges_.length() > 0)
+ionScript->copyPatchableBackedges(cx, code, patchableBackedges_.begin());
+#ifdef JS_TRACE_LOGGING
+TraceLogger *logger = TraceLoggerForMainThread(cx->runtime());
+for (uint32_t i = 0; i < patchableTraceLoggers_.length(); i++) {
+patchableTraceLoggers_[i].fixup(&masm);
+Assembler::patchDataWithValueCheck(CodeLocationLabel(code, patchableTraceLoggers_[i]),
+ImmPtr(logger),
+ImmPtr(nullptr));
+}
+uint32_t scriptId = TraceLogCreateTextId(logger, script);
+for (uint32_t i = 0; i < patchableTLScripts_.length(); i++) {
+patchableTLScripts_[i].fixup(&masm);
+Assembler::patchDataWithValueCheck(CodeLocationLabel(code, patchableTLScripts_[i]),
+ImmPtr((void *) uintptr_t(scriptId)),
+ImmPtr((void *)0));
+}
+#endif
+switch (executionMode) {
+case SequentialExecution:
+// The correct state for prebarriers is unknown until the end of compilation,
+// since a GC can occur during code generation. All barriers are emitted
+// off-by-default, and are toggled on here if necessary.
+if (cx->zone()->needsBarrier())
+ionScript->toggleBarriers(true);
+break;
+case ParallelExecution:
+// We don't run incremental GC during parallel execution; no need to
+// turn on barriers.
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("No such execution mode");
+}
+return true;
+}
+// An out-of-line path to convert a boxed int32 to either a float or double.
+class OutOfLineUnboxFloatingPoint : public OutOfLineCodeBase<CodeGenerator>
+{
+LUnboxFloatingPoint *unboxFloatingPoint_;
+public:
+OutOfLineUnboxFloatingPoint(LUnboxFloatingPoint *unboxFloatingPoint)
+: unboxFloatingPoint_(unboxFloatingPoint)
+{ }
+bool accept(CodeGenerator *codegen) {
+return codegen->visitOutOfLineUnboxFloatingPoint(this);
+}
+LUnboxFloatingPoint *unboxFloatingPoint() const {
+return unboxFloatingPoint_;
+}
+};
+bool
+CodeGenerator::visitUnboxFloatingPoint(LUnboxFloatingPoint *lir)
+{
+const ValueOperand box = ToValue(lir, LUnboxFloatingPoint::Input);
+const LDefinition *result = lir->output();
+// Out-of-line path to convert int32 to double or bailout
+// if this instruction is fallible.
+OutOfLineUnboxFloatingPoint *ool = new(alloc()) OutOfLineUnboxFloatingPoint(lir);
+if (!addOutOfLineCode(ool))
+return false;
+FloatRegister resultReg = ToFloatRegister(result);
+masm.branchTestDouble(Assembler::NotEqual, box, ool->entry());
+masm.unboxDouble(box, resultReg);
+if (lir->type() == MIRType_Float32)
+masm.convertDoubleToFloat32(resultReg, resultReg);
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitOutOfLineUnboxFloatingPoint(OutOfLineUnboxFloatingPoint *ool)
+{
+LUnboxFloatingPoint *ins = ool->unboxFloatingPoint();
+const ValueOperand value = ToValue(ins, LUnboxFloatingPoint::Input);
+if (ins->mir()->fallible()) {
+Label bail;
+masm.branchTestInt32(Assembler::NotEqual, value, &bail);
+if (!bailoutFrom(&bail, ins->snapshot()))
+return false;
+}
+masm.int32ValueToFloatingPoint(value, ToFloatRegister(ins->output()), ins->type());
+masm.jump(ool->rejoin());
+return true;
+}
+typedef bool (*GetPropertyFn)(JSContext *, HandleValue, HandlePropertyName, MutableHandleValue);
+static const VMFunction GetPropertyInfo = FunctionInfo<GetPropertyFn>(GetProperty);
+static const VMFunction CallPropertyInfo = FunctionInfo<GetPropertyFn>(CallProperty);
+bool
+CodeGenerator::visitCallGetProperty(LCallGetProperty *lir)
+{
+pushArg(ImmGCPtr(lir->mir()->name()));
+pushArg(ToValue(lir, LCallGetProperty::Value));
+if (lir->mir()->callprop())
+return callVM(CallPropertyInfo, lir);
+return callVM(GetPropertyInfo, lir);
+}
+typedef bool (*GetOrCallElementFn)(JSContext *, MutableHandleValue, HandleValue, MutableHandleValue);
+static const VMFunction GetElementInfo = FunctionInfo<GetOrCallElementFn>(js::GetElement);
+static const VMFunction CallElementInfo = FunctionInfo<GetOrCallElementFn>(js::CallElement);
+bool
+CodeGenerator::visitCallGetElement(LCallGetElement *lir)
+{
+pushArg(ToValue(lir, LCallGetElement::RhsInput));
+pushArg(ToValue(lir, LCallGetElement::LhsInput));
+JSOp op = JSOp(*lir->mir()->resumePoint()->pc());
+if (op == JSOP_GETELEM) {
+return callVM(GetElementInfo, lir);
+} else {
+JS_ASSERT(op == JSOP_CALLELEM);
+return callVM(CallElementInfo, lir);
+}
+}
+typedef bool (*SetObjectElementFn)(JSContext *, HandleObject, HandleValue, HandleValue,
+bool strict);
+typedef bool (*SetElementParFn)(ForkJoinContext *, HandleObject, HandleValue, HandleValue, bool);
+static const VMFunctionsModal SetObjectElementInfo = VMFunctionsModal(
+FunctionInfo<SetObjectElementFn>(SetObjectElement),
+FunctionInfo<SetElementParFn>(SetElementPar));
+bool
+CodeGenerator::visitCallSetElement(LCallSetElement *lir)
+{
+pushArg(Imm32(current->mir()->strict()));
+pushArg(ToValue(lir, LCallSetElement::Value));
+pushArg(ToValue(lir, LCallSetElement::Index));
+pushArg(ToRegister(lir->getOperand(0)));
+return callVM(SetObjectElementInfo, lir);
+}
+typedef bool (*InitElementArrayFn)(JSContext *, jsbytecode *, HandleObject, uint32_t, HandleValue);
+static const VMFunction InitElementArrayInfo = FunctionInfo<InitElementArrayFn>(js::InitElementArray);
+bool
+CodeGenerator::visitCallInitElementArray(LCallInitElementArray *lir)
+{
+pushArg(ToValue(lir, LCallInitElementArray::Value));
+pushArg(Imm32(lir->mir()->index()));
+pushArg(ToRegister(lir->getOperand(0)));
+pushArg(ImmPtr(lir->mir()->resumePoint()->pc()));
+return callVM(InitElementArrayInfo, lir);
+}
+bool
+CodeGenerator::visitLoadFixedSlotV(LLoadFixedSlotV *ins)
+{
+const Register obj = ToRegister(ins->getOperand(0));
+size_t slot = ins->mir()->slot();
+ValueOperand result = GetValueOutput(ins);
+masm.loadValue(Address(obj, JSObject::getFixedSlotOffset(slot)), result);
+return true;
+}
+bool
+CodeGenerator::visitLoadFixedSlotT(LLoadFixedSlotT *ins)
+{
+const Register obj = ToRegister(ins->getOperand(0));
+size_t slot = ins->mir()->slot();
+AnyRegister result = ToAnyRegister(ins->getDef(0));
+MIRType type = ins->mir()->type();
+masm.loadUnboxedValue(Address(obj, JSObject::getFixedSlotOffset(slot)), type, result);
+return true;
+}
+bool
+CodeGenerator::visitStoreFixedSlotV(LStoreFixedSlotV *ins)
+{
+const Register obj = ToRegister(ins->getOperand(0));
+size_t slot = ins->mir()->slot();
+const ValueOperand value = ToValue(ins, LStoreFixedSlotV::Value);
+Address address(obj, JSObject::getFixedSlotOffset(slot));
+if (ins->mir()->needsBarrier())
+emitPreBarrier(address, MIRType_Value);
+masm.storeValue(value, address);
+return true;
+}
+bool
+CodeGenerator::visitStoreFixedSlotT(LStoreFixedSlotT *ins)
+{
+const Register obj = ToRegister(ins->getOperand(0));
+size_t slot = ins->mir()->slot();
+const LAllocation *value = ins->value();
+MIRType valueType = ins->mir()->value()->type();
+ConstantOrRegister nvalue = value->isConstant()
+? ConstantOrRegister(*value->toConstant())
+: TypedOrValueRegister(valueType, ToAnyRegister(value));
+Address address(obj, JSObject::getFixedSlotOffset(slot));
+if (ins->mir()->needsBarrier())
+emitPreBarrier(address, MIRType_Value);
+masm.storeConstantOrRegister(nvalue, address);
+return true;
+}
+bool
+CodeGenerator::visitCallsiteCloneCache(LCallsiteCloneCache *ins)
+{
+const MCallsiteCloneCache *mir = ins->mir();
+Register callee = ToRegister(ins->callee());
+Register output = ToRegister(ins->output());
+CallsiteCloneIC cache(callee, mir->block()->info().script(), mir->callPc(), output);
+return addCache(ins, allocateCache(cache));
+}
+typedef JSObject *(*CallsiteCloneICFn)(JSContext *, size_t, HandleObject);
+const VMFunction CallsiteCloneIC::UpdateInfo =
+FunctionInfo<CallsiteCloneICFn>(CallsiteCloneIC::update);
+bool
+CodeGenerator::visitCallsiteCloneIC(OutOfLineUpdateCache *ool, DataPtr<CallsiteCloneIC> &ic)
+{
+LInstruction *lir = ool->lir();
+saveLive(lir);
+pushArg(ic->calleeReg());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(CallsiteCloneIC::UpdateInfo, lir))
+return false;
+StoreRegisterTo(ic->outputReg()).generate(this);
+restoreLiveIgnore(lir, StoreRegisterTo(ic->outputReg()).clobbered());
+masm.jump(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitGetNameCache(LGetNameCache *ins)
+{
+RegisterSet liveRegs = ins->safepoint()->liveRegs();
+Register scopeChain = ToRegister(ins->scopeObj());
+TypedOrValueRegister output(GetValueOutput(ins));
+bool isTypeOf = ins->mir()->accessKind() != MGetNameCache::NAME;
+NameIC cache(liveRegs, isTypeOf, scopeChain, ins->mir()->name(), output);
+return addCache(ins, allocateCache(cache));
+}
+typedef bool (*NameICFn)(JSContext *, size_t, HandleObject, MutableHandleValue);
+const VMFunction NameIC::UpdateInfo = FunctionInfo<NameICFn>(NameIC::update);
+bool
+CodeGenerator::visitNameIC(OutOfLineUpdateCache *ool, DataPtr<NameIC> &ic)
+{
+LInstruction *lir = ool->lir();
+saveLive(lir);
+pushArg(ic->scopeChainReg());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(NameIC::UpdateInfo, lir))
+return false;
+StoreValueTo(ic->outputReg()).generate(this);
+restoreLiveIgnore(lir, StoreValueTo(ic->outputReg()).clobbered());
+masm.jump(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::addGetPropertyCache(LInstruction *ins, RegisterSet liveRegs, Register objReg,
+PropertyName *name, TypedOrValueRegister output,
+bool monitoredResult)
+{
+switch (gen->info().executionMode()) {
+case SequentialExecution: {
+GetPropertyIC cache(liveRegs, objReg, name, output, monitoredResult);
+return addCache(ins, allocateCache(cache));
+}
+case ParallelExecution: {
+GetPropertyParIC cache(objReg, name, output);
+return addCache(ins, allocateCache(cache));
+}
+default:
+MOZ_ASSUME_UNREACHABLE("Bad execution mode");
+}
+}
+bool
+CodeGenerator::addSetPropertyCache(LInstruction *ins, RegisterSet liveRegs, Register objReg,
+PropertyName *name, ConstantOrRegister value, bool strict,
+bool needsTypeBarrier)
+{
+switch (gen->info().executionMode()) {
+case SequentialExecution: {
+SetPropertyIC cache(liveRegs, objReg, name, value, strict, needsTypeBarrier);
+return addCache(ins, allocateCache(cache));
+}
+case ParallelExecution: {
+SetPropertyParIC cache(objReg, name, value, strict, needsTypeBarrier);
+return addCache(ins, allocateCache(cache));
+}
+default:
+MOZ_ASSUME_UNREACHABLE("Bad execution mode");
+}
+}
+bool
+CodeGenerator::addSetElementCache(LInstruction *ins, Register obj, Register unboxIndex,
+Register temp, FloatRegister tempFloat, ValueOperand index,
+ConstantOrRegister value, bool strict, bool guardHoles)
+{
+switch (gen->info().executionMode()) {
+case SequentialExecution: {
+SetElementIC cache(obj, unboxIndex, temp, tempFloat, index, value, strict,
+guardHoles);
+return addCache(ins, allocateCache(cache));
+}
+case ParallelExecution: {
+SetElementParIC cache(obj, unboxIndex, temp, tempFloat, index, value, strict,
+guardHoles);
+return addCache(ins, allocateCache(cache));
+}
+default:
+MOZ_ASSUME_UNREACHABLE("Bad execution mode");
+}
+}
+bool
+CodeGenerator::visitGetPropertyCacheV(LGetPropertyCacheV *ins)
+{
+RegisterSet liveRegs = ins->safepoint()->liveRegs();
+Register objReg = ToRegister(ins->getOperand(0));
+PropertyName *name = ins->mir()->name();
+bool monitoredResult = ins->mir()->monitoredResult();
+TypedOrValueRegister output = TypedOrValueRegister(GetValueOutput(ins));
+return addGetPropertyCache(ins, liveRegs, objReg, name, output, monitoredResult);
+}
+bool
+CodeGenerator::visitGetPropertyCacheT(LGetPropertyCacheT *ins)
+{
+RegisterSet liveRegs = ins->safepoint()->liveRegs();
+Register objReg = ToRegister(ins->getOperand(0));
+PropertyName *name = ins->mir()->name();
+bool monitoredResult = ins->mir()->monitoredResult();
+TypedOrValueRegister output(ins->mir()->type(), ToAnyRegister(ins->getDef(0)));
+return addGetPropertyCache(ins, liveRegs, objReg, name, output, monitoredResult);
+}
+typedef bool (*GetPropertyICFn)(JSContext *, size_t, HandleObject, MutableHandleValue);
+const VMFunction GetPropertyIC::UpdateInfo =
+FunctionInfo<GetPropertyICFn>(GetPropertyIC::update);
+bool
+CodeGenerator::visitGetPropertyIC(OutOfLineUpdateCache *ool, DataPtr<GetPropertyIC> &ic)
+{
+LInstruction *lir = ool->lir();
+if (ic->idempotent()) {
+size_t numLocs;
+CacheLocationList &cacheLocs = lir->mirRaw()->toGetPropertyCache()->location();
+size_t locationBase = addCacheLocations(cacheLocs, &numLocs);
+ic->setLocationInfo(locationBase, numLocs);
+}
+saveLive(lir);
+pushArg(ic->object());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(GetPropertyIC::UpdateInfo, lir))
+return false;
+StoreValueTo(ic->output()).generate(this);
+restoreLiveIgnore(lir, StoreValueTo(ic->output()).clobbered());
+masm.jump(ool->rejoin());
+return true;
+}
+typedef bool (*GetPropertyParICFn)(ForkJoinContext *, size_t, HandleObject, MutableHandleValue);
+const VMFunction GetPropertyParIC::UpdateInfo =
+FunctionInfo<GetPropertyParICFn>(GetPropertyParIC::update);
+bool
+CodeGenerator::visitGetPropertyParIC(OutOfLineUpdateCache *ool, DataPtr<GetPropertyParIC> &ic)
+{
+LInstruction *lir = ool->lir();
+saveLive(lir);
+pushArg(ic->object());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(GetPropertyParIC::UpdateInfo, lir))
+return false;
+StoreValueTo(ic->output()).generate(this);
+restoreLiveIgnore(lir, StoreValueTo(ic->output()).clobbered());
+masm.jump(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::addGetElementCache(LInstruction *ins, Register obj, ConstantOrRegister index,
+TypedOrValueRegister output, bool monitoredResult,
+bool allowDoubleResult)
+{
+switch (gen->info().executionMode()) {
+case SequentialExecution: {
+RegisterSet liveRegs = ins->safepoint()->liveRegs();
+GetElementIC cache(liveRegs, obj, index, output, monitoredResult, allowDoubleResult);
+return addCache(ins, allocateCache(cache));
+}
+case ParallelExecution: {
+GetElementParIC cache(obj, index, output, monitoredResult, allowDoubleResult);
+return addCache(ins, allocateCache(cache));
+}
+default:
+MOZ_ASSUME_UNREACHABLE("No such execution mode");
+}
+}
+bool
+CodeGenerator::visitGetElementCacheV(LGetElementCacheV *ins)
+{
+Register obj = ToRegister(ins->object());
+ConstantOrRegister index = TypedOrValueRegister(ToValue(ins, LGetElementCacheV::Index));
+TypedOrValueRegister output = TypedOrValueRegister(GetValueOutput(ins));
+const MGetElementCache *mir = ins->mir();
+return addGetElementCache(ins, obj, index, output, mir->monitoredResult(), mir->allowDoubleResult());
+}
+bool
+CodeGenerator::visitGetElementCacheT(LGetElementCacheT *ins)
+{
+Register obj = ToRegister(ins->object());
+ConstantOrRegister index = TypedOrValueRegister(MIRType_Int32, ToAnyRegister(ins->index()));
+TypedOrValueRegister output(ins->mir()->type(), ToAnyRegister(ins->output()));
+const MGetElementCache *mir = ins->mir();
+return addGetElementCache(ins, obj, index, output, mir->monitoredResult(), mir->allowDoubleResult());
+}
+typedef bool (*GetElementICFn)(JSContext *, size_t, HandleObject, HandleValue, MutableHandleValue);
+const VMFunction GetElementIC::UpdateInfo =
+FunctionInfo<GetElementICFn>(GetElementIC::update);
+bool
+CodeGenerator::visitGetElementIC(OutOfLineUpdateCache *ool, DataPtr<GetElementIC> &ic)
+{
+LInstruction *lir = ool->lir();
+saveLive(lir);
+pushArg(ic->index());
+pushArg(ic->object());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(GetElementIC::UpdateInfo, lir))
+return false;
+StoreValueTo(ic->output()).generate(this);
+restoreLiveIgnore(lir, StoreValueTo(ic->output()).clobbered());
+masm.jump(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitSetElementCacheV(LSetElementCacheV *ins)
+{
+Register obj = ToRegister(ins->object());
+Register unboxIndex = ToTempUnboxRegister(ins->tempToUnboxIndex());
+Register temp = ToRegister(ins->temp());
+FloatRegister tempFloat = ToFloatRegister(ins->tempFloat());
+ValueOperand index = ToValue(ins, LSetElementCacheV::Index);
+ConstantOrRegister value = TypedOrValueRegister(ToValue(ins, LSetElementCacheV::Value));
+return addSetElementCache(ins, obj, unboxIndex, temp, tempFloat, index, value,
+ins->mir()->strict(), ins->mir()->guardHoles());
+}
+bool
+CodeGenerator::visitSetElementCacheT(LSetElementCacheT *ins)
+{
+Register obj = ToRegister(ins->object());
+Register unboxIndex = ToTempUnboxRegister(ins->tempToUnboxIndex());
+Register temp = ToRegister(ins->temp());
+FloatRegister tempFloat = ToFloatRegister(ins->tempFloat());
+ValueOperand index = ToValue(ins, LSetElementCacheT::Index);
+ConstantOrRegister value;
+const LAllocation *tmp = ins->value();
+if (tmp->isConstant())
+value = *tmp->toConstant();
+else
+value = TypedOrValueRegister(ins->mir()->value()->type(), ToAnyRegister(tmp));
+return addSetElementCache(ins, obj, unboxIndex, temp, tempFloat, index, value,
+ins->mir()->strict(), ins->mir()->guardHoles());
+}
+typedef bool (*SetElementICFn)(JSContext *, size_t, HandleObject, HandleValue, HandleValue);
+const VMFunction SetElementIC::UpdateInfo =
+FunctionInfo<SetElementICFn>(SetElementIC::update);
+bool
+CodeGenerator::visitSetElementIC(OutOfLineUpdateCache *ool, DataPtr<SetElementIC> &ic)
+{
+LInstruction *lir = ool->lir();
+saveLive(lir);
+pushArg(ic->value());
+pushArg(ic->index());
+pushArg(ic->object());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(SetElementIC::UpdateInfo, lir))
+return false;
+restoreLive(lir);
+masm.jump(ool->rejoin());
+return true;
+}
+typedef bool (*SetElementParICFn)(ForkJoinContext *, size_t, HandleObject, HandleValue, HandleValue);
+const VMFunction SetElementParIC::UpdateInfo =
+FunctionInfo<SetElementParICFn>(SetElementParIC::update);
+bool
+CodeGenerator::visitSetElementParIC(OutOfLineUpdateCache *ool, DataPtr<SetElementParIC> &ic)
+{
+LInstruction *lir = ool->lir();
+saveLive(lir);
+pushArg(ic->value());
+pushArg(ic->index());
+pushArg(ic->object());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(SetElementParIC::UpdateInfo, lir))
+return false;
+restoreLive(lir);
+masm.jump(ool->rejoin());
+return true;
+}
+typedef bool (*GetElementParICFn)(ForkJoinContext *, size_t, HandleObject, HandleValue,
+MutableHandleValue);
+const VMFunction GetElementParIC::UpdateInfo =
+FunctionInfo<GetElementParICFn>(GetElementParIC::update);
+bool
+CodeGenerator::visitGetElementParIC(OutOfLineUpdateCache *ool, DataPtr<GetElementParIC> &ic)
+{
+LInstruction *lir = ool->lir();
+saveLive(lir);
+pushArg(ic->index());
+pushArg(ic->object());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(GetElementParIC::UpdateInfo, lir))
+return false;
+StoreValueTo(ic->output()).generate(this);
+restoreLiveIgnore(lir, StoreValueTo(ic->output()).clobbered());
+masm.jump(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitBindNameCache(LBindNameCache *ins)
+{
+Register scopeChain = ToRegister(ins->scopeChain());
+Register output = ToRegister(ins->output());
+BindNameIC cache(scopeChain, ins->mir()->name(), output);
+return addCache(ins, allocateCache(cache));
+}
+typedef JSObject *(*BindNameICFn)(JSContext *, size_t, HandleObject);
+const VMFunction BindNameIC::UpdateInfo =
+FunctionInfo<BindNameICFn>(BindNameIC::update);
+bool
+CodeGenerator::visitBindNameIC(OutOfLineUpdateCache *ool, DataPtr<BindNameIC> &ic)
+{
+LInstruction *lir = ool->lir();
+saveLive(lir);
+pushArg(ic->scopeChainReg());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(BindNameIC::UpdateInfo, lir))
+return false;
+StoreRegisterTo(ic->outputReg()).generate(this);
+restoreLiveIgnore(lir, StoreRegisterTo(ic->outputReg()).clobbered());
+masm.jump(ool->rejoin());
+return true;
+}
+typedef bool (*SetPropertyFn)(JSContext *, HandleObject,
+HandlePropertyName, const HandleValue, bool, jsbytecode *);
+typedef bool (*SetPropertyParFn)(ForkJoinContext *, HandleObject,
+HandlePropertyName, const HandleValue, bool, jsbytecode *);
+static const VMFunctionsModal SetPropertyInfo = VMFunctionsModal(
+FunctionInfo<SetPropertyFn>(SetProperty),
+FunctionInfo<SetPropertyParFn>(SetPropertyPar));
+bool
+CodeGenerator::visitCallSetProperty(LCallSetProperty *ins)
+{
+ConstantOrRegister value = TypedOrValueRegister(ToValue(ins, LCallSetProperty::Value));
+const Register objReg = ToRegister(ins->getOperand(0));
+pushArg(ImmPtr(ins->mir()->resumePoint()->pc()));
+pushArg(Imm32(ins->mir()->strict()));
+pushArg(value);
+pushArg(ImmGCPtr(ins->mir()->name()));
+pushArg(objReg);
+return callVM(SetPropertyInfo, ins);
+}
+typedef bool (*DeletePropertyFn)(JSContext *, HandleValue, HandlePropertyName, bool *);
+static const VMFunction DeletePropertyStrictInfo =
+FunctionInfo<DeletePropertyFn>(DeleteProperty<true>);
+static const VMFunction DeletePropertyNonStrictInfo =
+FunctionInfo<DeletePropertyFn>(DeleteProperty<false>);
+bool
+CodeGenerator::visitCallDeleteProperty(LCallDeleteProperty *lir)
+{
+pushArg(ImmGCPtr(lir->mir()->name()));
+pushArg(ToValue(lir, LCallDeleteProperty::Value));
+if (lir->mir()->block()->info().script()->strict())
+return callVM(DeletePropertyStrictInfo, lir);
+return callVM(DeletePropertyNonStrictInfo, lir);
+}
+typedef bool (*DeleteElementFn)(JSContext *, HandleValue, HandleValue, bool *);
+static const VMFunction DeleteElementStrictInfo =
+FunctionInfo<DeleteElementFn>(DeleteElement<true>);
+static const VMFunction DeleteElementNonStrictInfo =
+FunctionInfo<DeleteElementFn>(DeleteElement<false>);
+bool
+CodeGenerator::visitCallDeleteElement(LCallDeleteElement *lir)
+{
+pushArg(ToValue(lir, LCallDeleteElement::Index));
+pushArg(ToValue(lir, LCallDeleteElement::Value));
+if (lir->mir()->block()->info().script()->strict())
+return callVM(DeleteElementStrictInfo, lir);
+return callVM(DeleteElementNonStrictInfo, lir);
+}
+bool
+CodeGenerator::visitSetPropertyCacheV(LSetPropertyCacheV *ins)
+{
+RegisterSet liveRegs = ins->safepoint()->liveRegs();
+Register objReg = ToRegister(ins->getOperand(0));
+ConstantOrRegister value = TypedOrValueRegister(ToValue(ins, LSetPropertyCacheV::Value));
+return addSetPropertyCache(ins, liveRegs, objReg, ins->mir()->name(), value,
+ins->mir()->strict(), ins->mir()->needsTypeBarrier());
+}
+bool
+CodeGenerator::visitSetPropertyCacheT(LSetPropertyCacheT *ins)
+{
+RegisterSet liveRegs = ins->safepoint()->liveRegs();
+Register objReg = ToRegister(ins->getOperand(0));
+ConstantOrRegister value;
+if (ins->getOperand(1)->isConstant())
+value = ConstantOrRegister(*ins->getOperand(1)->toConstant());
+else
+value = TypedOrValueRegister(ins->valueType(), ToAnyRegister(ins->getOperand(1)));
+return addSetPropertyCache(ins, liveRegs, objReg, ins->mir()->name(), value,
+ins->mir()->strict(), ins->mir()->needsTypeBarrier());
+}
+typedef bool (*SetPropertyICFn)(JSContext *, size_t, HandleObject, HandleValue);
+const VMFunction SetPropertyIC::UpdateInfo =
+FunctionInfo<SetPropertyICFn>(SetPropertyIC::update);
+bool
+CodeGenerator::visitSetPropertyIC(OutOfLineUpdateCache *ool, DataPtr<SetPropertyIC> &ic)
+{
+LInstruction *lir = ool->lir();
+saveLive(lir);
+pushArg(ic->value());
+pushArg(ic->object());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(SetPropertyIC::UpdateInfo, lir))
+return false;
+restoreLive(lir);
+masm.jump(ool->rejoin());
+return true;
+}
+typedef bool (*SetPropertyParICFn)(ForkJoinContext *, size_t, HandleObject, HandleValue);
+const VMFunction SetPropertyParIC::UpdateInfo =
+FunctionInfo<SetPropertyParICFn>(SetPropertyParIC::update);
+bool
+CodeGenerator::visitSetPropertyParIC(OutOfLineUpdateCache *ool, DataPtr<SetPropertyParIC> &ic)
+{
+LInstruction *lir = ool->lir();
+saveLive(lir);
+pushArg(ic->value());
+pushArg(ic->object());
+pushArg(Imm32(ool->getCacheIndex()));
+if (!callVM(SetPropertyParIC::UpdateInfo, lir))
+return false;
+restoreLive(lir);
+masm.jump(ool->rejoin());
+return true;
+}
+typedef bool (*ThrowFn)(JSContext *, HandleValue);
+static const VMFunction ThrowInfoCodeGen = FunctionInfo<ThrowFn>(js::Throw);
+bool
+CodeGenerator::visitThrow(LThrow *lir)
+{
+pushArg(ToValue(lir, LThrow::Value));
+return callVM(ThrowInfoCodeGen, lir);
+}
+typedef bool (*BitNotFn)(JSContext *, HandleValue, int *p);
+typedef bool (*BitNotParFn)(ForkJoinContext *, HandleValue, int32_t *);
+static const VMFunctionsModal BitNotInfo = VMFunctionsModal(
+FunctionInfo<BitNotFn>(BitNot),
+FunctionInfo<BitNotParFn>(BitNotPar));
+bool
+CodeGenerator::visitBitNotV(LBitNotV *lir)
+{
+pushArg(ToValue(lir, LBitNotV::Input));
+return callVM(BitNotInfo, lir);
+}
+typedef bool (*BitopFn)(JSContext *, HandleValue, HandleValue, int *p);
+typedef bool (*BitopParFn)(ForkJoinContext *, HandleValue, HandleValue, int32_t *);
+static const VMFunctionsModal BitAndInfo = VMFunctionsModal(
+FunctionInfo<BitopFn>(BitAnd),
+FunctionInfo<BitopParFn>(BitAndPar));
+static const VMFunctionsModal BitOrInfo = VMFunctionsModal(
+FunctionInfo<BitopFn>(BitOr),
+FunctionInfo<BitopParFn>(BitOrPar));
+static const VMFunctionsModal BitXorInfo = VMFunctionsModal(
+FunctionInfo<BitopFn>(BitXor),
+FunctionInfo<BitopParFn>(BitXorPar));
+static const VMFunctionsModal BitLhsInfo = VMFunctionsModal(
+FunctionInfo<BitopFn>(BitLsh),
+FunctionInfo<BitopParFn>(BitLshPar));
+static const VMFunctionsModal BitRhsInfo = VMFunctionsModal(
+FunctionInfo<BitopFn>(BitRsh),
+FunctionInfo<BitopParFn>(BitRshPar));
+bool
+CodeGenerator::visitBitOpV(LBitOpV *lir)
+{
+pushArg(ToValue(lir, LBitOpV::RhsInput));
+pushArg(ToValue(lir, LBitOpV::LhsInput));
+switch (lir->jsop()) {
+case JSOP_BITAND:
+return callVM(BitAndInfo, lir);
+case JSOP_BITOR:
+return callVM(BitOrInfo, lir);
+case JSOP_BITXOR:
+return callVM(BitXorInfo, lir);
+case JSOP_LSH:
+return callVM(BitLhsInfo, lir);
+case JSOP_RSH:
+return callVM(BitRhsInfo, lir);
+default:
+break;
+}
+MOZ_ASSUME_UNREACHABLE("unexpected bitop");
+}
+class OutOfLineTypeOfV : public OutOfLineCodeBase<CodeGenerator>
+{
+LTypeOfV *ins_;
+public:
+OutOfLineTypeOfV(LTypeOfV *ins)
+: ins_(ins)
+{ }
+bool accept(CodeGenerator *codegen) {
+return codegen->visitOutOfLineTypeOfV(this);
+}
+LTypeOfV *ins() const {
+return ins_;
+}
+};
+bool
+CodeGenerator::visitTypeOfV(LTypeOfV *lir)
+{
+const ValueOperand value = ToValue(lir, LTypeOfV::Input);
+Register output = ToRegister(lir->output());
+Register tag = masm.splitTagForTest(value);
+const JSAtomState &names = GetIonContext()->runtime->names();
+Label done;
+OutOfLineTypeOfV *ool = nullptr;
+if (lir->mir()->inputMaybeCallableOrEmulatesUndefined()) {
+// The input may be a callable object (result is "function") or may
+// emulate undefined (result is "undefined"). Use an OOL path.
+ool = new(alloc()) OutOfLineTypeOfV(lir);
+if (!addOutOfLineCode(ool))
+return false;
+masm.branchTestObject(Assembler::Equal, tag, ool->entry());
+} else {
+// Input is not callable and does not emulate undefined, so if
+// it's an object the result is always "object".
+Label notObject;
+masm.branchTestObject(Assembler::NotEqual, tag, &notObject);
+masm.movePtr(ImmGCPtr(names.object), output);
+masm.jump(&done);
+masm.bind(&notObject);
+}
+Label notNumber;
+masm.branchTestNumber(Assembler::NotEqual, tag, &notNumber);
+masm.movePtr(ImmGCPtr(names.number), output);
+masm.jump(&done);
+masm.bind(&notNumber);
+Label notUndefined;
+masm.branchTestUndefined(Assembler::NotEqual, tag, &notUndefined);
+masm.movePtr(ImmGCPtr(names.undefined), output);
+masm.jump(&done);
+masm.bind(&notUndefined);
+Label notNull;
+masm.branchTestNull(Assembler::NotEqual, tag, &notNull);
+masm.movePtr(ImmGCPtr(names.object), output);
+masm.jump(&done);
+masm.bind(&notNull);
+Label notBoolean;
+masm.branchTestBoolean(Assembler::NotEqual, tag, &notBoolean);
+masm.movePtr(ImmGCPtr(names.boolean), output);
+masm.jump(&done);
+masm.bind(&notBoolean);
+masm.movePtr(ImmGCPtr(names.string), output);
+masm.bind(&done);
+if (ool)
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitOutOfLineTypeOfV(OutOfLineTypeOfV *ool)
+{
+LTypeOfV *ins = ool->ins();
+ValueOperand input = ToValue(ins, LTypeOfV::Input);
+Register temp = ToTempUnboxRegister(ins->tempToUnbox());
+Register output = ToRegister(ins->output());
+Register obj = masm.extractObject(input, temp);
+saveVolatile(output);
+masm.setupUnalignedABICall(2, output);
+masm.passABIArg(obj);
+masm.movePtr(ImmPtr(GetIonContext()->runtime), output);
+masm.passABIArg(output);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, js::TypeOfObjectOperation));
+masm.storeCallResult(output);
+restoreVolatile(output);
+masm.jump(ool->rejoin());
+return true;
+}
+typedef bool (*ToIdFn)(JSContext *, HandleScript, jsbytecode *, HandleValue, HandleValue,
+MutableHandleValue);
+static const VMFunction ToIdInfo = FunctionInfo<ToIdFn>(ToIdOperation);
+bool
+CodeGenerator::visitToIdV(LToIdV *lir)
+{
+Label notInt32;
+FloatRegister temp = ToFloatRegister(lir->tempFloat());
+const ValueOperand out = ToOutValue(lir);
+ValueOperand index = ToValue(lir, LToIdV::Index);
+OutOfLineCode *ool = oolCallVM(ToIdInfo, lir,
+(ArgList(),
+ImmGCPtr(current->mir()->info().script()),
+ImmPtr(lir->mir()->resumePoint()->pc()),
+ToValue(lir, LToIdV::Object),
+ToValue(lir, LToIdV::Index)),
+StoreValueTo(out));
+Register tag = masm.splitTagForTest(index);
+masm.branchTestInt32(Assembler::NotEqual, tag, &notInt32);
+masm.moveValue(index, out);
+masm.jump(ool->rejoin());
+masm.bind(&notInt32);
+masm.branchTestDouble(Assembler::NotEqual, tag, ool->entry());
+masm.unboxDouble(index, temp);
+masm.convertDoubleToInt32(temp, out.scratchReg(), ool->entry(), true);
+masm.tagValue(JSVAL_TYPE_INT32, out.scratchReg(), out);
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitLoadElementV(LLoadElementV *load)
+{
+Register elements = ToRegister(load->elements());
+const ValueOperand out = ToOutValue(load);
+if (load->index()->isConstant())
+masm.loadValue(Address(elements, ToInt32(load->index()) * sizeof(Value)), out);
+else
+masm.loadValue(BaseIndex(elements, ToRegister(load->index()), TimesEight), out);
+if (load->mir()->needsHoleCheck()) {
+Label testMagic;
+masm.branchTestMagic(Assembler::Equal, out, &testMagic);
+if (!bailoutFrom(&testMagic, load->snapshot()))
+return false;
+}
+return true;
+}
+bool
+CodeGenerator::visitLoadElementHole(LLoadElementHole *lir)
+{
+Register elements = ToRegister(lir->elements());
+Register initLength = ToRegister(lir->initLength());
+const ValueOperand out = ToOutValue(lir);
+const MLoadElementHole *mir = lir->mir();
+// If the index is out of bounds, load |undefined|. Otherwise, load the
+// value.
+Label undefined, done;
+if (lir->index()->isConstant()) {
+masm.branch32(Assembler::BelowOrEqual, initLength, Imm32(ToInt32(lir->index())), &undefined);
+masm.loadValue(Address(elements, ToInt32(lir->index()) * sizeof(Value)), out);
+} else {
+masm.branch32(Assembler::BelowOrEqual, initLength, ToRegister(lir->index()), &undefined);
+masm.loadValue(BaseIndex(elements, ToRegister(lir->index()), TimesEight), out);
+}
+// If a hole check is needed, and the value wasn't a hole, we're done.
+// Otherwise, we'll load undefined.
+if (lir->mir()->needsHoleCheck())
+masm.branchTestMagic(Assembler::NotEqual, out, &done);
+else
+masm.jump(&done);
+masm.bind(&undefined);
+if (mir->needsNegativeIntCheck()) {
+if (lir->index()->isConstant()) {
+if (ToInt32(lir->index()) < 0 && !bailout(lir->snapshot()))
+return false;
+} else {
+Label negative;
+masm.branch32(Assembler::LessThan, ToRegister(lir->index()), Imm32(0), &negative);
+if (!bailoutFrom(&negative, lir->snapshot()))
+return false;
+}
+}
+masm.moveValue(UndefinedValue(), out);
+masm.bind(&done);
+return true;
+}
+bool
+CodeGenerator::visitLoadTypedArrayElement(LLoadTypedArrayElement *lir)
+{
+Register elements = ToRegister(lir->elements());
+Register temp = lir->temp()->isBogusTemp() ? InvalidReg : ToRegister(lir->temp());
+AnyRegister out = ToAnyRegister(lir->output());
+int arrayType = lir->mir()->arrayType();
+int width = TypedArrayObject::slotWidth(arrayType);
+Label fail;
+if (lir->index()->isConstant()) {
+Address source(elements, ToInt32(lir->index()) * width);
+masm.loadFromTypedArray(arrayType, source, out, temp, &fail);
+} else {
+BaseIndex source(elements, ToRegister(lir->index()), ScaleFromElemWidth(width));
+masm.loadFromTypedArray(arrayType, source, out, temp, &fail);
+}
+if (fail.used() && !bailoutFrom(&fail, lir->snapshot()))
+return false;
+return true;
+}
+bool
+CodeGenerator::visitLoadTypedArrayElementHole(LLoadTypedArrayElementHole *lir)
+{
+Register object = ToRegister(lir->object());
+const ValueOperand out = ToOutValue(lir);
+// Load the length.
+Register scratch = out.scratchReg();
+Int32Key key = ToInt32Key(lir->index());
+masm.unboxInt32(Address(object, TypedArrayObject::lengthOffset()), scratch);
+// Load undefined unless length > key.
+Label inbounds, done;
+masm.branchKey(Assembler::Above, scratch, key, &inbounds);
+masm.moveValue(UndefinedValue(), out);
+masm.jump(&done);
+// Load the elements vector.
+masm.bind(&inbounds);
+masm.loadPtr(Address(object, TypedArrayObject::dataOffset()), scratch);
+int arrayType = lir->mir()->arrayType();
+int width = TypedArrayObject::slotWidth(arrayType);
+Label fail;
+if (key.isConstant()) {
+Address source(scratch, key.constant() * width);
+masm.loadFromTypedArray(arrayType, source, out, lir->mir()->allowDouble(),
+out.scratchReg(), &fail);
+} else {
+BaseIndex source(scratch, key.reg(), ScaleFromElemWidth(width));
+masm.loadFromTypedArray(arrayType, source, out, lir->mir()->allowDouble(),
+out.scratchReg(), &fail);
+}
+if (fail.used() && !bailoutFrom(&fail, lir->snapshot()))
+return false;
+masm.bind(&done);
+return true;
+}
+template <typename T>
+static inline void
+StoreToTypedArray(MacroAssembler &masm, int arrayType, const LAllocation *value, const T &dest)
+{
+if (arrayType == ScalarTypeDescr::TYPE_FLOAT32 ||
+arrayType == ScalarTypeDescr::TYPE_FLOAT64)
+{
+masm.storeToTypedFloatArray(arrayType, ToFloatRegister(value), dest);
+} else {
+if (value->isConstant())
+masm.storeToTypedIntArray(arrayType, Imm32(ToInt32(value)), dest);
+else
+masm.storeToTypedIntArray(arrayType, ToRegister(value), dest);
+}
+}
+bool
+CodeGenerator::visitStoreTypedArrayElement(LStoreTypedArrayElement *lir)
+{
+Register elements = ToRegister(lir->elements());
+const LAllocation *value = lir->value();
+int arrayType = lir->mir()->arrayType();
+int width = TypedArrayObject::slotWidth(arrayType);
+if (lir->index()->isConstant()) {
+Address dest(elements, ToInt32(lir->index()) * width);
+StoreToTypedArray(masm, arrayType, value, dest);
+} else {
+BaseIndex dest(elements, ToRegister(lir->index()), ScaleFromElemWidth(width));
+StoreToTypedArray(masm, arrayType, value, dest);
+}
+return true;
+}
+bool
+CodeGenerator::visitStoreTypedArrayElementHole(LStoreTypedArrayElementHole *lir)
+{
+Register elements = ToRegister(lir->elements());
+const LAllocation *value = lir->value();
+int arrayType = lir->mir()->arrayType();
+int width = TypedArrayObject::slotWidth(arrayType);
+bool guardLength = true;
+if (lir->index()->isConstant() && lir->length()->isConstant()) {
+uint32_t idx = ToInt32(lir->index());
+uint32_t len = ToInt32(lir->length());
+if (idx >= len)
+return true;
+guardLength = false;
+}
+Label skip;
+if (lir->index()->isConstant()) {
+uint32_t idx = ToInt32(lir->index());
+if (guardLength)
+masm.branch32(Assembler::BelowOrEqual, ToOperand(lir->length()), Imm32(idx), &skip);
+Address dest(elements, idx * width);
+StoreToTypedArray(masm, arrayType, value, dest);
+} else {
+Register idxReg = ToRegister(lir->index());
+JS_ASSERT(guardLength);
+if (lir->length()->isConstant())
+masm.branch32(Assembler::AboveOrEqual, idxReg, Imm32(ToInt32(lir->length())), &skip);
+else
+masm.branch32(Assembler::BelowOrEqual, ToOperand(lir->length()), idxReg, &skip);
+BaseIndex dest(elements, ToRegister(lir->index()), ScaleFromElemWidth(width));
+StoreToTypedArray(masm, arrayType, value, dest);
+}
+if (guardLength)
+masm.bind(&skip);
+return true;
+}
+bool
+CodeGenerator::visitClampIToUint8(LClampIToUint8 *lir)
+{
+Register output = ToRegister(lir->output());
+JS_ASSERT(output == ToRegister(lir->input()));
+masm.clampIntToUint8(output);
+return true;
+}
+bool
+CodeGenerator::visitClampDToUint8(LClampDToUint8 *lir)
+{
+FloatRegister input = ToFloatRegister(lir->input());
+Register output = ToRegister(lir->output());
+masm.clampDoubleToUint8(input, output);
+return true;
+}
+bool
+CodeGenerator::visitClampVToUint8(LClampVToUint8 *lir)
+{
+ValueOperand operand = ToValue(lir, LClampVToUint8::Input);
+FloatRegister tempFloat = ToFloatRegister(lir->tempFloat());
+Register output = ToRegister(lir->output());
+MDefinition *input = lir->mir()->input();
+Label *stringEntry, *stringRejoin;
+if (input->mightBeType(MIRType_String)) {
+OutOfLineCode *oolString = oolCallVM(StringToNumberInfo, lir, (ArgList(), output),
+StoreFloatRegisterTo(tempFloat));
+if (!oolString)
+return false;
+stringEntry = oolString->entry();
+stringRejoin = oolString->rejoin();
+} else {
+stringEntry = nullptr;
+stringRejoin = nullptr;
+}
+Label fails;
+masm.clampValueToUint8(operand, input,
+stringEntry, stringRejoin,
+output, tempFloat, output, &fails);
+if (!bailoutFrom(&fails, lir->snapshot()))
+return false;
+return true;
+}
+typedef bool (*OperatorInFn)(JSContext *, HandleValue, HandleObject, bool *);
+static const VMFunction OperatorInInfo = FunctionInfo<OperatorInFn>(OperatorIn);
+bool
+CodeGenerator::visitIn(LIn *ins)
+{
+pushArg(ToRegister(ins->rhs()));
+pushArg(ToValue(ins, LIn::LHS));
+return callVM(OperatorInInfo, ins);
+}
+typedef bool (*OperatorInIFn)(JSContext *, uint32_t, HandleObject, bool *);
+static const VMFunction OperatorInIInfo = FunctionInfo<OperatorInIFn>(OperatorInI);
+bool
+CodeGenerator::visitInArray(LInArray *lir)
+{
+const MInArray *mir = lir->mir();
+Register elements = ToRegister(lir->elements());
+Register initLength = ToRegister(lir->initLength());
+Register output = ToRegister(lir->output());
+// When the array is not packed we need to do a hole check in addition to the bounds check.
+Label falseBranch, done, trueBranch;
+OutOfLineCode *ool = nullptr;
+Label* failedInitLength = &falseBranch;
+if (lir->index()->isConstant()) {
+int32_t index = ToInt32(lir->index());
+JS_ASSERT_IF(index < 0, mir->needsNegativeIntCheck());
+if (mir->needsNegativeIntCheck()) {
+ool = oolCallVM(OperatorInIInfo, lir,
+(ArgList(), Imm32(index), ToRegister(lir->object())),
+StoreRegisterTo(output));
+failedInitLength = ool->entry();
+}
+masm.branch32(Assembler::BelowOrEqual, initLength, Imm32(index), failedInitLength);
+if (mir->needsHoleCheck()) {
+Address address = Address(elements, index * sizeof(Value));
+masm.branchTestMagic(Assembler::Equal, address, &falseBranch);
+}
+} else {
+Label negativeIntCheck;
+Register index = ToRegister(lir->index());
+if (mir->needsNegativeIntCheck())
+failedInitLength = &negativeIntCheck;
+masm.branch32(Assembler::BelowOrEqual, initLength, index, failedInitLength);
+if (mir->needsHoleCheck()) {
+BaseIndex address = BaseIndex(elements, ToRegister(lir->index()), TimesEight);
+masm.branchTestMagic(Assembler::Equal, address, &falseBranch);
+}
+masm.jump(&trueBranch);
+if (mir->needsNegativeIntCheck()) {
+masm.bind(&negativeIntCheck);
+ool = oolCallVM(OperatorInIInfo, lir,
+(ArgList(), index, ToRegister(lir->object())),
+StoreRegisterTo(output));
+masm.branch32(Assembler::LessThan, index, Imm32(0), ool->entry());
+masm.jump(&falseBranch);
+}
+}
+masm.bind(&trueBranch);
+masm.move32(Imm32(1), output);
+masm.jump(&done);
+masm.bind(&falseBranch);
+masm.move32(Imm32(0), output);
+masm.bind(&done);
+if (ool)
+masm.bind(ool->rejoin());
+return true;
+}
+bool
+CodeGenerator::visitInstanceOfO(LInstanceOfO *ins)
+{
+return emitInstanceOf(ins, ins->mir()->prototypeObject());
+}
+bool
+CodeGenerator::visitInstanceOfV(LInstanceOfV *ins)
+{
+return emitInstanceOf(ins, ins->mir()->prototypeObject());
+}
+// Wrap IsDelegateOfObject, which takes a JSObject*, not a HandleObject
+static bool
+IsDelegateObject(JSContext *cx, HandleObject protoObj, HandleObject obj, bool *res)
+{
+return IsDelegateOfObject(cx, protoObj, obj, res);
+}
+typedef bool (*IsDelegateObjectFn)(JSContext *, HandleObject, HandleObject, bool *);
+static const VMFunction IsDelegateObjectInfo = FunctionInfo<IsDelegateObjectFn>(IsDelegateObject);
+bool
+CodeGenerator::emitInstanceOf(LInstruction *ins, JSObject *prototypeObject)
+{
+// This path implements fun_hasInstance when the function's prototype is
+// known to be prototypeObject.
+Label done;
+Register output = ToRegister(ins->getDef(0));
+// If the lhs is a primitive, the result is false.
+Register objReg;
+if (ins->isInstanceOfV()) {
+Label isObject;
+ValueOperand lhsValue = ToValue(ins, LInstanceOfV::LHS);
+masm.branchTestObject(Assembler::Equal, lhsValue, &isObject);
+masm.mov(ImmWord(0), output);
+masm.jump(&done);
+masm.bind(&isObject);
+objReg = masm.extractObject(lhsValue, output);
+} else {
+objReg = ToRegister(ins->toInstanceOfO()->lhs());
+}
+// Crawl the lhs's prototype chain in a loop to search for prototypeObject.
+// This follows the main loop of js::IsDelegate, though additionally breaks
+// out of the loop on Proxy::LazyProto.
+// Load the lhs's prototype.
+masm.loadObjProto(objReg, output);
+Label testLazy;
+{
+Label loopPrototypeChain;
+masm.bind(&loopPrototypeChain);
+// Test for the target prototype object.
+Label notPrototypeObject;
+masm.branchPtr(Assembler::NotEqual, output, ImmGCPtr(prototypeObject), &notPrototypeObject);
+masm.mov(ImmWord(1), output);
+masm.jump(&done);
+masm.bind(&notPrototypeObject);
+JS_ASSERT(uintptr_t(TaggedProto::LazyProto) == 1);
+// Test for nullptr or Proxy::LazyProto
+masm.branchPtr(Assembler::BelowOrEqual, output, ImmWord(1), &testLazy);
+// Load the current object's prototype.
+masm.loadObjProto(output, output);
+masm.jump(&loopPrototypeChain);
+}
+// Make a VM call if an object with a lazy proto was found on the prototype
+// chain. This currently occurs only for cross compartment wrappers, which
+// we do not expect to be compared with non-wrapper functions from this
+// compartment. Otherwise, we stopped on a nullptr prototype and the output
+// register is already correct.
+OutOfLineCode *ool = oolCallVM(IsDelegateObjectInfo, ins,
+(ArgList(), ImmGCPtr(prototypeObject), objReg),
+StoreRegisterTo(output));
+// Regenerate the original lhs object for the VM call.
+Label regenerate, *lazyEntry;
+if (objReg != output) {
+lazyEntry = ool->entry();
+} else {
+masm.bind(&regenerate);
+lazyEntry = &regenerate;
+if (ins->isInstanceOfV()) {
+ValueOperand lhsValue = ToValue(ins, LInstanceOfV::LHS);
+objReg = masm.extractObject(lhsValue, output);
+} else {
+objReg = ToRegister(ins->toInstanceOfO()->lhs());
+}
+JS_ASSERT(objReg == output);
+masm.jump(ool->entry());
+}
+masm.bind(&testLazy);
+masm.branchPtr(Assembler::Equal, output, ImmWord(1), lazyEntry);
+masm.bind(&done);
+masm.bind(ool->rejoin());
+return true;
+}
+typedef bool (*HasInstanceFn)(JSContext *, HandleObject, HandleValue, bool *);
+static const VMFunction HasInstanceInfo = FunctionInfo<HasInstanceFn>(js::HasInstance);
+bool
+CodeGenerator::visitCallInstanceOf(LCallInstanceOf *ins)
+{
+ValueOperand lhs = ToValue(ins, LCallInstanceOf::LHS);
+Register rhs = ToRegister(ins->rhs());
+JS_ASSERT(ToRegister(ins->output()) == ReturnReg);
+pushArg(lhs);
+pushArg(rhs);
+return callVM(HasInstanceInfo, ins);
+}
+bool
+CodeGenerator::visitGetDOMProperty(LGetDOMProperty *ins)
+{
+const Register JSContextReg = ToRegister(ins->getJSContextReg());
+const Register ObjectReg = ToRegister(ins->getObjectReg());
+const Register PrivateReg = ToRegister(ins->getPrivReg());
+const Register ValueReg = ToRegister(ins->getValueReg());
+DebugOnly<uint32_t> initialStack = masm.framePushed();
+masm.checkStackAlignment();
+// Make space for the outparam.  Pre-initialize it to UndefinedValue so we
+// can trace it at GC time.
+masm.Push(UndefinedValue());
+// We pass the pointer to our out param as an instance of
+// JSJitGetterCallArgs, since on the binary level it's the same thing.
+JS_STATIC_ASSERT(sizeof(JSJitGetterCallArgs) == sizeof(Value*));
+masm.movePtr(StackPointer, ValueReg);
+masm.Push(ObjectReg);
+// GetReservedSlot(obj, DOM_OBJECT_SLOT).toPrivate()
+masm.loadPrivate(Address(ObjectReg, JSObject::getFixedSlotOffset(0)), PrivateReg);
+// Rooting will happen at GC time.
+masm.movePtr(StackPointer, ObjectReg);
+uint32_t safepointOffset;
+if (!masm.buildFakeExitFrame(JSContextReg, &safepointOffset))
+return false;
+masm.enterFakeExitFrame(ION_FRAME_DOMGETTER);
+if (!markSafepointAt(safepointOffset, ins))
+return false;
+masm.setupUnalignedABICall(4, JSContextReg);
+masm.loadJSContext(JSContextReg);
+masm.passABIArg(JSContextReg);
+masm.passABIArg(ObjectReg);
+masm.passABIArg(PrivateReg);
+masm.passABIArg(ValueReg);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, ins->mir()->fun()));
+if (ins->mir()->isInfallible()) {
+masm.loadValue(Address(StackPointer, IonDOMExitFrameLayout::offsetOfResult()),
+JSReturnOperand);
+} else {
+masm.branchIfFalseBool(ReturnReg, masm.exceptionLabel());
+masm.loadValue(Address(StackPointer, IonDOMExitFrameLayout::offsetOfResult()),
+JSReturnOperand);
+}
+masm.adjustStack(IonDOMExitFrameLayout::Size());
+JS_ASSERT(masm.framePushed() == initialStack);
+return true;
+}
+bool
+CodeGenerator::visitGetDOMMember(LGetDOMMember *ins)
+{
+// It's simple to duplicate visitLoadFixedSlotV here than it is to try to
+// use an LLoadFixedSlotV or some subclass of it for this case: that would
+// require us to have MGetDOMMember inherit from MLoadFixedSlot, and then
+// we'd have to duplicate a bunch of stuff we now get for free from
+// MGetDOMProperty.
+Register object = ToRegister(ins->object());
+size_t slot = ins->mir()->domMemberSlotIndex();
+ValueOperand result = GetValueOutput(ins);
+masm.loadValue(Address(object, JSObject::getFixedSlotOffset(slot)), result);
+return true;
+}
+bool
+CodeGenerator::visitSetDOMProperty(LSetDOMProperty *ins)
+{
+const Register JSContextReg = ToRegister(ins->getJSContextReg());
+const Register ObjectReg = ToRegister(ins->getObjectReg());
+const Register PrivateReg = ToRegister(ins->getPrivReg());
+const Register ValueReg = ToRegister(ins->getValueReg());
+DebugOnly<uint32_t> initialStack = masm.framePushed();
+masm.checkStackAlignment();
+// Push the argument. Rooting will happen at GC time.
+ValueOperand argVal = ToValue(ins, LSetDOMProperty::Value);
+masm.Push(argVal);
+// We pass the pointer to our out param as an instance of
+// JSJitGetterCallArgs, since on the binary level it's the same thing.
+JS_STATIC_ASSERT(sizeof(JSJitSetterCallArgs) == sizeof(Value*));
+masm.movePtr(StackPointer, ValueReg);
+masm.Push(ObjectReg);
+// GetReservedSlot(obj, DOM_OBJECT_SLOT).toPrivate()
+masm.loadPrivate(Address(ObjectReg, JSObject::getFixedSlotOffset(0)), PrivateReg);
+// Rooting will happen at GC time.
+masm.movePtr(StackPointer, ObjectReg);
+uint32_t safepointOffset;
+if (!masm.buildFakeExitFrame(JSContextReg, &safepointOffset))
+return false;
+masm.enterFakeExitFrame(ION_FRAME_DOMSETTER);
+if (!markSafepointAt(safepointOffset, ins))
+return false;
+masm.setupUnalignedABICall(4, JSContextReg);
+masm.loadJSContext(JSContextReg);
+masm.passABIArg(JSContextReg);
+masm.passABIArg(ObjectReg);
+masm.passABIArg(PrivateReg);
+masm.passABIArg(ValueReg);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, ins->mir()->fun()));
+masm.branchIfFalseBool(ReturnReg, masm.exceptionLabel());
+masm.adjustStack(IonDOMExitFrameLayout::Size());
+JS_ASSERT(masm.framePushed() == initialStack);
+return true;
+}
+typedef bool(*SPSFn)(JSContext *, HandleScript);
+static const VMFunction SPSEnterInfo = FunctionInfo<SPSFn>(SPSEnter);
+static const VMFunction SPSExitInfo = FunctionInfo<SPSFn>(SPSExit);
+bool
+CodeGenerator::visitProfilerStackOp(LProfilerStackOp *lir)
+{
+Register temp = ToRegister(lir->temp()->output());
+bool inlinedFunction = lir->inlineLevel() > 0;
+switch (lir->type()) {
+case MProfilerStackOp::InlineEnter:
+// Multiple scripts can be inlined at one depth, but there is only
+// one InlineExit node to signify this. To deal with this, if we
+// reach the entry of another inline script on the same level, then
+// just reset the sps metadata about the frame. We must balance
+// calls to leave()/reenter(), so perform the balance without
+// emitting any instrumentation. Technically the previous inline
+// call at this same depth has reentered, but the instrumentation
+// will be emitted at the common join point for all inlines at the
+// same depth.
+if (sps_.inliningDepth() == lir->inlineLevel()) {
+sps_.leaveInlineFrame();
+sps_.skipNextReenter();
+sps_.reenter(masm, temp);
+}
+sps_.leave(masm, temp, /* inlinedFunction = */ true);
+if (!sps_.enterInlineFrame())
+return false;
+// fallthrough
+case MProfilerStackOp::Enter:
+if (gen->options.spsSlowAssertionsEnabled()) {
+if (!inlinedFunction || js_JitOptions.profileInlineFrames) {
+saveLive(lir);
+pushArg(ImmGCPtr(lir->script()));
+if (!callVM(SPSEnterInfo, lir))
+return false;
+restoreLive(lir);
+}
+sps_.pushManual(lir->script(), masm, temp, /* inlinedFunction = */ inlinedFunction);
+return true;
+}
+return sps_.push(lir->script(), masm, temp, /* inlinedFunction = */ inlinedFunction);
+case MProfilerStackOp::InlineExit:
+// all inline returns were covered with ::Exit, so we just need to
+// maintain the state of inline frames currently active and then
+// reenter the caller
+sps_.leaveInlineFrame();
+sps_.reenter(masm, temp, /* inlinedFunction = */ true);
+return true;
+case MProfilerStackOp::Exit:
+if (gen->options.spsSlowAssertionsEnabled()) {
+if (!inlinedFunction || js_JitOptions.profileInlineFrames) {
+saveLive(lir);
+pushArg(ImmGCPtr(lir->script()));
+// Once we've exited, then we shouldn't emit instrumentation for
+// the corresponding reenter() because we no longer have a
+// frame.
+sps_.skipNextReenter();
+if (!callVM(SPSExitInfo, lir))
+return false;
+restoreLive(lir);
+}
+return true;
+}
+sps_.pop(masm, temp, /* inlinedFunction = */ inlinedFunction);
+return true;
+default:
+MOZ_ASSUME_UNREACHABLE("invalid LProfilerStackOp type");
+}
+}
+bool
+CodeGenerator::visitOutOfLineAbortPar(OutOfLineAbortPar *ool)
+{
+ParallelBailoutCause cause = ool->cause();
+jsbytecode *bytecode = ool->bytecode();
+masm.move32(Imm32(cause), CallTempReg0);
+loadOutermostJSScript(CallTempReg1);
+loadJSScriptForBlock(ool->basicBlock(), CallTempReg2);
+masm.movePtr(ImmPtr(bytecode), CallTempReg3);
+masm.setupUnalignedABICall(4, CallTempReg4);
+masm.passABIArg(CallTempReg0);
+masm.passABIArg(CallTempReg1);
+masm.passABIArg(CallTempReg2);
+masm.passABIArg(CallTempReg3);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, AbortPar));
+masm.moveValue(MagicValue(JS_ION_ERROR), JSReturnOperand);
+masm.jump(&returnLabel_);
+return true;
+}
+bool
+CodeGenerator::visitIsCallable(LIsCallable *ins)
+{
+Register object = ToRegister(ins->object());
+Register output = ToRegister(ins->output());
+masm.loadObjClass(object, output);
+// An object is callable iff (is<JSFunction>() || getClass()->call).
+Label notFunction, done, notCall;
+masm.branchPtr(Assembler::NotEqual, output, ImmPtr(&JSFunction::class_), &notFunction);
+masm.move32(Imm32(1), output);
+masm.jump(&done);
+masm.bind(&notFunction);
+masm.cmpPtrSet(Assembler::NonZero, Address(output, offsetof(js::Class, call)), ImmPtr(nullptr), output);
+masm.bind(&done);
+return true;
+}
+void
+CodeGenerator::loadOutermostJSScript(Register reg)
+{
+// The "outermost" JSScript means the script that we are compiling
+// basically; this is not always the script associated with the
+// current basic block, which might be an inlined script.
+MIRGraph &graph = current->mir()->graph();
+MBasicBlock *entryBlock = graph.entryBlock();
+masm.movePtr(ImmGCPtr(entryBlock->info().script()), reg);
+}
+void
+CodeGenerator::loadJSScriptForBlock(MBasicBlock *block, Register reg)
+{
+// The current JSScript means the script for the current
+// basic block. This may be an inlined script.
+JSScript *script = block->info().script();
+masm.movePtr(ImmGCPtr(script), reg);
+}
+bool
+CodeGenerator::visitOutOfLinePropagateAbortPar(OutOfLinePropagateAbortPar *ool)
+{
+loadOutermostJSScript(CallTempReg0);
+loadJSScriptForBlock(ool->lir()->mirRaw()->block(), CallTempReg1);
+masm.setupUnalignedABICall(2, CallTempReg2);
+masm.passABIArg(CallTempReg0);
+masm.passABIArg(CallTempReg1);
+masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, PropagateAbortPar));
+masm.moveValue(MagicValue(JS_ION_ERROR), JSReturnOperand);
+masm.jump(&returnLabel_);
+return true;
+}
+bool
+CodeGenerator::visitHaveSameClass(LHaveSameClass *ins)
+{
+Register lhs = ToRegister(ins->lhs());
+Register rhs = ToRegister(ins->rhs());
+Register temp = ToRegister(ins->getTemp(0));
+Register output = ToRegister(ins->output());
+masm.loadObjClass(lhs, temp);
+masm.loadObjClass(rhs, output);
+masm.cmpPtrSet(Assembler::Equal, temp, output, output);
+return true;
+}
+bool
+CodeGenerator::visitHasClass(LHasClass *ins)
+{
+Register lhs = ToRegister(ins->lhs());
+Register output = ToRegister(ins->output());
+masm.loadObjClass(lhs, output);
+masm.cmpPtrSet(Assembler::Equal, output, ImmPtr(ins->mir()->getClass()), output);
+return true;
+}
+bool
+CodeGenerator::visitAsmJSCall(LAsmJSCall *ins)
+{
+MAsmJSCall *mir = ins->mir();
+#if defined(JS_CODEGEN_ARM)
+if (!useHardFpABI() && mir->callee().which() == MAsmJSCall::Callee::Builtin) {
+for (unsigned i = 0, e = ins->numOperands(); i < e; i++) {
+LAllocation *a = ins->getOperand(i);
+if (a->isFloatReg()) {
+FloatRegister fr = ToFloatRegister(a);
+int srcId = fr.code() * 2;
+masm.ma_vxfer(fr, Register::FromCode(srcId), Register::FromCode(srcId+1));
+}
+}
+}
+#endif
+if (mir->spIncrement())
+masm.freeStack(mir->spIncrement());
+JS_ASSERT((AlignmentAtPrologue +  masm.framePushed()) % StackAlignment == 0);
+#ifdef DEBUG
+Label ok;
+JS_ASSERT(IsPowerOfTwo(StackAlignment));
+masm.branchTestPtr(Assembler::Zero, StackPointer, Imm32(StackAlignment - 1), &ok);
+masm.assumeUnreachable("Stack should be aligned.");
+masm.bind(&ok);
+#endif
+MAsmJSCall::Callee callee = mir->callee();
+switch (callee.which()) {
+case MAsmJSCall::Callee::Internal:
+masm.call(mir->desc(), callee.internal());
+break;
+case MAsmJSCall::Callee::Dynamic:
+masm.call(mir->desc(), ToRegister(ins->getOperand(mir->dynamicCalleeOperandIndex())));
+break;
+case MAsmJSCall::Callee::Builtin:
+masm.call(mir->desc(), callee.builtin());
+break;
+}
+if (mir->spIncrement())
+masm.reserveStack(mir->spIncrement());
+postAsmJSCall(ins);
+return true;
+}
+bool
+CodeGenerator::visitAsmJSParameter(LAsmJSParameter *lir)
+{
+return true;
+}
+bool
+CodeGenerator::visitAsmJSReturn(LAsmJSReturn *lir)
+{
+// Don't emit a jump to the return label if this is the last block.
+if (current->mir() != *gen->graph().poBegin())
+masm.jump(&returnLabel_);
+return true;
+}
+bool
+CodeGenerator::visitAsmJSVoidReturn(LAsmJSVoidReturn *lir)
+{
+// Don't emit a jump to the return label if this is the last block.
+if (current->mir() != *gen->graph().poBegin())
+masm.jump(&returnLabel_);
+return true;
+}
+bool
+CodeGenerator::emitAssertRangeI(const Range *r, Register input)
+{
+// Check the lower bound.
+if (r->hasInt32LowerBound() && r->lower() > INT32_MIN) {
+Label success;
+masm.branch32(Assembler::GreaterThanOrEqual, input, Imm32(r->lower()), &success);
+masm.assumeUnreachable("Integer input should be equal or higher than Lowerbound.");
+masm.bind(&success);
+}
+// Check the upper bound.
+if (r->hasInt32UpperBound() && r->upper() < INT32_MAX) {
+Label success;
+masm.branch32(Assembler::LessThanOrEqual, input, Imm32(r->upper()), &success);
+masm.assumeUnreachable("Integer input should be lower or equal than Upperbound.");
+masm.bind(&success);
+}
+// For r->canHaveFractionalPart() and r->exponent(), there's nothing to check, because
+// if we ended up in the integer range checking code, the value is already
+// in an integer register in the integer range.
+return true;
+}
+bool
+CodeGenerator::emitAssertRangeD(const Range *r, FloatRegister input, FloatRegister temp)
+{
+// Check the lower bound.
+if (r->hasInt32LowerBound()) {
+Label success;
+masm.loadConstantDouble(r->lower(), temp);
+if (r->canBeNaN())
+masm.branchDouble(Assembler::DoubleUnordered, input, input, &success);
+masm.branchDouble(Assembler::DoubleGreaterThanOrEqual, input, temp, &success);
+masm.assumeUnreachable("Double input should be equal or higher than Lowerbound.");
+masm.bind(&success);
+}
+// Check the upper bound.
+if (r->hasInt32UpperBound()) {
+Label success;
+masm.loadConstantDouble(r->upper(), temp);
+if (r->canBeNaN())
+masm.branchDouble(Assembler::DoubleUnordered, input, input, &success);
+masm.branchDouble(Assembler::DoubleLessThanOrEqual, input, temp, &success);
+masm.assumeUnreachable("Double input should be lower or equal than Upperbound.");
+masm.bind(&success);
+}
+// This code does not yet check r->canHaveFractionalPart(). This would require new
+// assembler interfaces to make rounding instructions available.
+if (!r->hasInt32Bounds() && !r->canBeInfiniteOrNaN() &&
+r->exponent() < FloatingPoint<double>::ExponentBias)
+{
+// Check the bounds implied by the maximum exponent.
+Label exponentLoOk;
+masm.loadConstantDouble(pow(2.0, r->exponent() + 1), temp);
+masm.branchDouble(Assembler::DoubleUnordered, input, input, &exponentLoOk);
+masm.branchDouble(Assembler::DoubleLessThanOrEqual, input, temp, &exponentLoOk);
+masm.assumeUnreachable("Check for exponent failed.");
+masm.bind(&exponentLoOk);
+Label exponentHiOk;
+masm.loadConstantDouble(-pow(2.0, r->exponent() + 1), temp);
+masm.branchDouble(Assembler::DoubleUnordered, input, input, &exponentHiOk);
+masm.branchDouble(Assembler::DoubleGreaterThanOrEqual, input, temp, &exponentHiOk);
+masm.assumeUnreachable("Check for exponent failed.");
+masm.bind(&exponentHiOk);
+} else if (!r->hasInt32Bounds() && !r->canBeNaN()) {
+// If we think the value can't be NaN, check that it isn't.
+Label notnan;
+masm.branchDouble(Assembler::DoubleOrdered, input, input, &notnan);
+masm.assumeUnreachable("Input shouldn't be NaN.");
+masm.bind(&notnan);
+// If we think the value also can't be an infinity, check that it isn't.
+if (!r->canBeInfiniteOrNaN()) {
+Label notposinf;
+masm.loadConstantDouble(PositiveInfinity<double>(), temp);
+masm.branchDouble(Assembler::DoubleLessThan, input, temp, &notposinf);
+masm.assumeUnreachable("Input shouldn't be +Inf.");
+masm.bind(&notposinf);
+Label notneginf;
+masm.loadConstantDouble(NegativeInfinity<double>(), temp);
+masm.branchDouble(Assembler::DoubleGreaterThan, input, temp, &notneginf);
+masm.assumeUnreachable("Input shouldn't be -Inf.");
+masm.bind(&notneginf);
+}
+}
+return true;
+}
+bool
+CodeGenerator::visitAssertRangeI(LAssertRangeI *ins)
+{
+Register input = ToRegister(ins->input());
+const Range *r = ins->range();
+return emitAssertRangeI(r, input);
+}
+bool
+CodeGenerator::visitAssertRangeD(LAssertRangeD *ins)
+{
+FloatRegister input = ToFloatRegister(ins->input());
+FloatRegister temp = ToFloatRegister(ins->temp());
+const Range *r = ins->range();
+return emitAssertRangeD(r, input, temp);
+}
+bool
+CodeGenerator::visitAssertRangeF(LAssertRangeF *ins)
+{
+FloatRegister input = ToFloatRegister(ins->input());
+FloatRegister temp = ToFloatRegister(ins->temp());
+const Range *r = ins->range();
+masm.convertFloat32ToDouble(input, input);
+bool success = emitAssertRangeD(r, input, temp);
+masm.convertDoubleToFloat32(input, input);
+return success;
+}
+bool
+CodeGenerator::visitAssertRangeV(LAssertRangeV *ins)
+{
+const Range *r = ins->range();
+const ValueOperand value = ToValue(ins, LAssertRangeV::Input);
+Register tag = masm.splitTagForTest(value);
+Label done;
+{
+Label isNotInt32;
+masm.branchTestInt32(Assembler::NotEqual, tag, &isNotInt32);
+Register unboxInt32 = ToTempUnboxRegister(ins->temp());
+Register input = masm.extractInt32(value, unboxInt32);
+emitAssertRangeI(r, input);
+masm.jump(&done);
+masm.bind(&isNotInt32);
+}
+{
+Label isNotDouble;
+masm.branchTestDouble(Assembler::NotEqual, tag, &isNotDouble);
+FloatRegister input = ToFloatRegister(ins->floatTemp1());
+FloatRegister temp = ToFloatRegister(ins->floatTemp2());
+masm.unboxDouble(value, input);
+emitAssertRangeD(r, input, temp);
+masm.jump(&done);
+masm.bind(&isNotDouble);
+}
+masm.assumeUnreachable("Incorrect range for Value.");
+masm.bind(&done);
+return true;
+}
+typedef bool (*RecompileFn)(JSContext *);
+static const VMFunction RecompileFnInfo = FunctionInfo<RecompileFn>(Recompile);
+bool
+CodeGenerator::visitRecompileCheck(LRecompileCheck *ins)
+{
+Label done;
+Register tmp = ToRegister(ins->scratch());
+OutOfLineCode *ool = oolCallVM(RecompileFnInfo, ins, (ArgList()), StoreRegisterTo(tmp));
+// Check if usecount is high enough.
+masm.movePtr(ImmPtr(ins->mir()->script()->addressOfUseCount()), tmp);
+Address ptr(tmp, 0);
+masm.add32(Imm32(1), tmp);
+masm.branch32(Assembler::BelowOrEqual, ptr, Imm32(ins->mir()->useCount()), &done);
+// Check if not yet recompiling.
+CodeOffsetLabel label = masm.movWithPatch(ImmWord(uintptr_t(-1)), tmp);
+if (!ionScriptLabels_.append(label))
+return false;
+masm.branch32(Assembler::Equal,
+Address(tmp, IonScript::offsetOfRecompiling()),
+Imm32(0),
+ool->entry());
+masm.bind(ool->rejoin());
+masm.bind(&done);
+return true;
+}
+} // namespace jit
+} // namespace js

The Tor Browser / file comparison

comparison: js/src/jit/CodeGenerator.cpp

js/src/jit/CodeGenerator.cpp