The Tor Browser: comparison js/src/jit/IonBuilder.cpp

--1:000000000000
+:08760ada61e6
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+* vim: set ts=8 sts=4 et sw=4 tw=99:
+* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "jit/IonBuilder.h"
+#include "mozilla/DebugOnly.h"
+#include "builtin/Eval.h"
+#include "builtin/TypedObject.h"
+#include "frontend/SourceNotes.h"
+#include "jit/BaselineFrame.h"
+#include "jit/BaselineInspector.h"
+#include "jit/Ion.h"
+#include "jit/IonOptimizationLevels.h"
+#include "jit/IonSpewer.h"
+#include "jit/Lowering.h"
+#include "jit/MIRGraph.h"
+#include "vm/ArgumentsObject.h"
+#include "vm/Opcodes.h"
+#include "vm/RegExpStatics.h"
+#include "jsinferinlines.h"
+#include "jsobjinlines.h"
+#include "jsopcodeinlines.h"
+#include "jsscriptinlines.h"
+#include "jit/CompileInfo-inl.h"
+#include "jit/ExecutionMode-inl.h"
+using namespace js;
+using namespace js::jit;
+using mozilla::DebugOnly;
+using mozilla::Maybe;
+using mozilla::SafeCast;
+class jit::BaselineFrameInspector
+{
+public:
+types::Type thisType;
+JSObject *singletonScopeChain;
+Vector<types::Type, 4, IonAllocPolicy> argTypes;
+Vector<types::Type, 4, IonAllocPolicy> varTypes;
+BaselineFrameInspector(TempAllocator *temp)
+: thisType(types::Type::UndefinedType()),
+singletonScopeChain(nullptr),
+argTypes(*temp),
+varTypes(*temp)
+{}
+};
+BaselineFrameInspector *
+jit::NewBaselineFrameInspector(TempAllocator *temp, BaselineFrame *frame, CompileInfo *info)
+{
+JS_ASSERT(frame);
+BaselineFrameInspector *inspector = temp->lifoAlloc()->new_<BaselineFrameInspector>(temp);
+if (!inspector)
+return nullptr;
+// Note: copying the actual values into a temporary structure for use
+// during compilation could capture nursery pointers, so the values' types
+// are recorded instead.
+inspector->thisType = types::GetMaybeOptimizedOutValueType(frame->thisValue());
+if (frame->scopeChain()->hasSingletonType())
+inspector->singletonScopeChain = frame->scopeChain();
+JSScript *script = frame->script();
+if (script->functionNonDelazifying()) {
+if (!inspector->argTypes.reserve(frame->numFormalArgs()))
+return nullptr;
+for (size_t i = 0; i < frame->numFormalArgs(); i++) {
+if (script->formalIsAliased(i)) {
+inspector->argTypes.infallibleAppend(types::Type::UndefinedType());
+} else if (!script->argsObjAliasesFormals()) {
+types::Type type = types::GetMaybeOptimizedOutValueType(frame->unaliasedFormal(i));
+inspector->argTypes.infallibleAppend(type);
+} else if (frame->hasArgsObj()) {
+types::Type type = types::GetMaybeOptimizedOutValueType(frame->argsObj().arg(i));
+inspector->argTypes.infallibleAppend(type);
+} else {
+inspector->argTypes.infallibleAppend(types::Type::UndefinedType());
+}
+}
+}
+if (!inspector->varTypes.reserve(frame->script()->nfixed()))
+return nullptr;
+for (size_t i = 0; i < frame->script()->nfixed(); i++) {
+if (info->isSlotAliasedAtOsr(i + info->firstLocalSlot())) {
+inspector->varTypes.infallibleAppend(types::Type::UndefinedType());
+} else {
+types::Type type = types::GetMaybeOptimizedOutValueType(frame->unaliasedLocal(i));
+inspector->varTypes.infallibleAppend(type);
+}
+}
+return inspector;
+}
+IonBuilder::IonBuilder(JSContext *analysisContext, CompileCompartment *comp,
+const JitCompileOptions &options, TempAllocator *temp,
+MIRGraph *graph, types::CompilerConstraintList *constraints,
+BaselineInspector *inspector, CompileInfo *info,
+const OptimizationInfo *optimizationInfo,
+BaselineFrameInspector *baselineFrame, size_t inliningDepth,
+uint32_t loopDepth)
+: MIRGenerator(comp, options, temp, graph, info, optimizationInfo),
+backgroundCodegen_(nullptr),
+analysisContext(analysisContext),
+baselineFrame_(baselineFrame),
+abortReason_(AbortReason_Disable),
+descrSetHash_(nullptr),
+constraints_(constraints),
+analysis_(*temp, info->script()),
+thisTypes(nullptr),
+argTypes(nullptr),
+typeArray(nullptr),
+typeArrayHint(0),
+bytecodeTypeMap(nullptr),
+loopDepth_(loopDepth),
+callerResumePoint_(nullptr),
+callerBuilder_(nullptr),
+cfgStack_(*temp),
+loops_(*temp),
+switches_(*temp),
+labels_(*temp),
+iterators_(*temp),
+loopHeaders_(*temp),
+inspector(inspector),
+inliningDepth_(inliningDepth),
+numLoopRestarts_(0),
+failedBoundsCheck_(info->script()->failedBoundsCheck()),
+failedShapeGuard_(info->script()->failedShapeGuard()),
+nonStringIteration_(false),
+lazyArguments_(nullptr),
+inlineCallInfo_(nullptr)
+{
+script_ = info->script();
+pc = info->startPC();
+JS_ASSERT(script()->hasBaselineScript() == (info->executionMode() != ArgumentsUsageAnalysis));
+JS_ASSERT(!!analysisContext == (info->executionMode() == DefinitePropertiesAnalysis));
+}
+void
+IonBuilder::clearForBackEnd()
+{
+JS_ASSERT(!analysisContext);
+baselineFrame_ = nullptr;
+// The caches below allocate data from the malloc heap. Release this before
+// later phases of compilation to avoid leaks, as the top level IonBuilder
+// is not explicitly destroyed. Note that builders for inner scripts are
+// constructed on the stack and will release this memory on destruction.
+gsn.purge();
+scopeCoordinateNameCache.purge();
+}
+bool
+IonBuilder::abort(const char *message, ...)
+{
+// Don't call PCToLineNumber in release builds.
+#ifdef DEBUG
+va_list ap;
+va_start(ap, message);
+abortFmt(message, ap);
+va_end(ap);
+IonSpew(IonSpew_Abort, "aborted @ %s:%d", script()->filename(), PCToLineNumber(script(), pc));
+#endif
+return false;
+}
+void
+IonBuilder::spew(const char *message)
+{
+// Don't call PCToLineNumber in release builds.
+#ifdef DEBUG
+IonSpew(IonSpew_MIR, "%s @ %s:%d", message, script()->filename(), PCToLineNumber(script(), pc));
+#endif
+}
+static inline int32_t
+GetJumpOffset(jsbytecode *pc)
+{
+JS_ASSERT(js_CodeSpec[JSOp(*pc)].type() == JOF_JUMP);
+return GET_JUMP_OFFSET(pc);
+}
+IonBuilder::CFGState
+IonBuilder::CFGState::If(jsbytecode *join, MTest *test)
+{
+CFGState state;
+state.state = IF_TRUE;
+state.stopAt = join;
+state.branch.ifFalse = test->ifFalse();
+state.branch.test = test;
+return state;
+}
+IonBuilder::CFGState
+IonBuilder::CFGState::IfElse(jsbytecode *trueEnd, jsbytecode *falseEnd, MTest *test)
+{
+MBasicBlock *ifFalse = test->ifFalse();
+CFGState state;
+// If the end of the false path is the same as the start of the
+// false path, then the "else" block is empty and we can devolve
+// this to the IF_TRUE case. We handle this here because there is
+// still an extra GOTO on the true path and we want stopAt to point
+// there, whereas the IF_TRUE case does not have the GOTO.
+state.state = (falseEnd == ifFalse->pc())
+? IF_TRUE_EMPTY_ELSE
+: IF_ELSE_TRUE;
+state.stopAt = trueEnd;
+state.branch.falseEnd = falseEnd;
+state.branch.ifFalse = ifFalse;
+state.branch.test = test;
+return state;
+}
+IonBuilder::CFGState
+IonBuilder::CFGState::AndOr(jsbytecode *join, MBasicBlock *joinStart)
+{
+CFGState state;
+state.state = AND_OR;
+state.stopAt = join;
+state.branch.ifFalse = joinStart;
+state.branch.test = nullptr;
+return state;
+}
+IonBuilder::CFGState
+IonBuilder::CFGState::TableSwitch(jsbytecode *exitpc, MTableSwitch *ins)
+{
+CFGState state;
+state.state = TABLE_SWITCH;
+state.stopAt = exitpc;
+state.tableswitch.exitpc = exitpc;
+state.tableswitch.breaks = nullptr;
+state.tableswitch.ins = ins;
+state.tableswitch.currentBlock = 0;
+return state;
+}
+JSFunction *
+IonBuilder::getSingleCallTarget(types::TemporaryTypeSet *calleeTypes)
+{
+if (!calleeTypes)
+return nullptr;
+JSObject *obj = calleeTypes->getSingleton();
+if (!obj || !obj->is<JSFunction>())
+return nullptr;
+return &obj->as<JSFunction>();
+}
+bool
+IonBuilder::getPolyCallTargets(types::TemporaryTypeSet *calleeTypes, bool constructing,
+ObjectVector &targets, uint32_t maxTargets, bool *gotLambda)
+{
+JS_ASSERT(targets.empty());
+JS_ASSERT(gotLambda);
+*gotLambda = false;
+if (!calleeTypes)
+return true;
+if (calleeTypes->baseFlags() != 0)
+return true;
+unsigned objCount = calleeTypes->getObjectCount();
+if (objCount == 0 || objCount > maxTargets)
+return true;
+if (!targets.reserve(objCount))
+return false;
+for(unsigned i = 0; i < objCount; i++) {
+JSObject *obj = calleeTypes->getSingleObject(i);
+JSFunction *fun;
+if (obj) {
+if (!obj->is<JSFunction>()) {
+targets.clear();
+return true;
+}
+fun = &obj->as<JSFunction>();
+} else {
+types::TypeObject *typeObj = calleeTypes->getTypeObject(i);
+JS_ASSERT(typeObj);
+if (!typeObj->interpretedFunction) {
+targets.clear();
+return true;
+}
+fun = typeObj->interpretedFunction;
+*gotLambda = true;
+}
+// Don't optimize if we're constructing and the callee is not a
+// constructor, so that CallKnown does not have to handle this case
+// (it should always throw).
+if (constructing && !fun->isInterpretedConstructor() && !fun->isNativeConstructor()) {
+targets.clear();
+return true;
+}
+DebugOnly<bool> appendOk = targets.append(fun);
+JS_ASSERT(appendOk);
+}
+// For now, only inline "singleton" lambda calls
+if (*gotLambda && targets.length() > 1)
+targets.clear();
+return true;
+}
+IonBuilder::InliningDecision
+IonBuilder::DontInline(JSScript *targetScript, const char *reason)
+{
+if (targetScript) {
+IonSpew(IonSpew_Inlining, "Cannot inline %s:%u: %s",
+targetScript->filename(), targetScript->lineno(), reason);
+} else {
+IonSpew(IonSpew_Inlining, "Cannot inline: %s", reason);
+}
+return InliningDecision_DontInline;
+}
+IonBuilder::InliningDecision
+IonBuilder::canInlineTarget(JSFunction *target, CallInfo &callInfo)
+{
+if (!optimizationInfo().inlineInterpreted())
+return InliningDecision_DontInline;
+if (!target->isInterpreted())
+return DontInline(nullptr, "Non-interpreted target");
+// Allow constructing lazy scripts when performing the definite properties
+// analysis, as baseline has not been used to warm the caller up yet.
+if (target->isInterpreted() && info().executionMode() == DefinitePropertiesAnalysis) {
+RootedScript script(analysisContext, target->getOrCreateScript(analysisContext));
+if (!script)
+return InliningDecision_Error;
+if (!script->hasBaselineScript() && script->canBaselineCompile()) {
+MethodStatus status = BaselineCompile(analysisContext, script);
+if (status == Method_Error)
+return InliningDecision_Error;
+if (status != Method_Compiled)
+return InliningDecision_DontInline;
+}
+}
+if (!target->hasScript())
+return DontInline(nullptr, "Lazy script");
+JSScript *inlineScript = target->nonLazyScript();
+if (callInfo.constructing() && !target->isInterpretedConstructor())
+return DontInline(inlineScript, "Callee is not a constructor");
+ExecutionMode executionMode = info().executionMode();
+if (!CanIonCompile(inlineScript, executionMode))
+return DontInline(inlineScript, "Disabled Ion compilation");
+// Don't inline functions which don't have baseline scripts.
+if (!inlineScript->hasBaselineScript())
+return DontInline(inlineScript, "No baseline jitcode");
+if (TooManyArguments(target->nargs()))
+return DontInline(inlineScript, "Too many args");
+if (TooManyArguments(callInfo.argc()))
+return DontInline(inlineScript, "Too many args");
+// Allow inlining of recursive calls, but only one level deep.
+IonBuilder *builder = callerBuilder_;
+while (builder) {
+if (builder->script() == inlineScript)
+return DontInline(inlineScript, "Recursive call");
+builder = builder->callerBuilder_;
+}
+if (target->isHeavyweight())
+return DontInline(inlineScript, "Heavyweight function");
+if (inlineScript->uninlineable())
+return DontInline(inlineScript, "Uninlineable script");
+if (inlineScript->needsArgsObj())
+return DontInline(inlineScript, "Script that needs an arguments object");
+if (!inlineScript->compileAndGo())
+return DontInline(inlineScript, "Non-compileAndGo script");
+types::TypeObjectKey *targetType = types::TypeObjectKey::get(target);
+if (targetType->unknownProperties())
+return DontInline(inlineScript, "Target type has unknown properties");
+return InliningDecision_Inline;
+}
+void
+IonBuilder::popCfgStack()
+{
+if (cfgStack_.back().isLoop())
+loops_.popBack();
+if (cfgStack_.back().state == CFGState::LABEL)
+labels_.popBack();
+cfgStack_.popBack();
+}
+bool
+IonBuilder::analyzeNewLoopTypes(MBasicBlock *entry, jsbytecode *start, jsbytecode *end)
+{
+// The phi inputs at the loop head only reflect types for variables that
+// were present at the start of the loop. If the variable changes to a new
+// type within the loop body, and that type is carried around to the loop
+// head, then we need to know about the new type up front.
+//
+// Since SSA information hasn't been constructed for the loop body yet, we
+// need a separate analysis to pick out the types that might flow around
+// the loop header. This is a best-effort analysis that may either over-
+// or under-approximate the set of such types.
+//
+// Over-approximating the types may lead to inefficient generated code, and
+// under-approximating the types will cause the loop body to be analyzed
+// multiple times as the correct types are deduced (see finishLoop).
+// If we restarted processing of an outer loop then get loop header types
+// directly from the last time we have previously processed this loop. This
+// both avoids repeated work from the bytecode traverse below, and will
+// also pick up types discovered while previously building the loop body.
+for (size_t i = 0; i < loopHeaders_.length(); i++) {
+if (loopHeaders_[i].pc == start) {
+MBasicBlock *oldEntry = loopHeaders_[i].header;
+for (MPhiIterator oldPhi = oldEntry->phisBegin();
+oldPhi != oldEntry->phisEnd();
+oldPhi++)
+{
+MPhi *newPhi = entry->getSlot(oldPhi->slot())->toPhi();
+if (!newPhi->addBackedgeType(oldPhi->type(), oldPhi->resultTypeSet()))
+return false;
+}
+// Update the most recent header for this loop encountered, in case
+// new types flow to the phis and the loop is processed at least
+// three times.
+loopHeaders_[i].header = entry;
+return true;
+}
+}
+loopHeaders_.append(LoopHeader(start, entry));
+jsbytecode *last = nullptr, *earlier = nullptr;
+for (jsbytecode *pc = start; pc != end; earlier = last, last = pc, pc += GetBytecodeLength(pc)) {
+uint32_t slot;
+if (*pc == JSOP_SETLOCAL)
+slot = info().localSlot(GET_LOCALNO(pc));
+else if (*pc == JSOP_SETARG)
+slot = info().argSlotUnchecked(GET_ARGNO(pc));
+else
+continue;
+if (slot >= info().firstStackSlot())
+continue;
+if (!analysis().maybeInfo(pc))
+continue;
+MPhi *phi = entry->getSlot(slot)->toPhi();
+if (*last == JSOP_POS)
+last = earlier;
+if (js_CodeSpec[*last].format & JOF_TYPESET) {
+types::TemporaryTypeSet *typeSet = bytecodeTypes(last);
+if (!typeSet->empty()) {
+MIRType type = typeSet->getKnownMIRType();
+if (!phi->addBackedgeType(type, typeSet))
+return false;
+}
+} else if (*last == JSOP_GETLOCAL || *last == JSOP_GETARG) {
+uint32_t slot = (*last == JSOP_GETLOCAL)
+? info().localSlot(GET_LOCALNO(last))
+: info().argSlotUnchecked(GET_ARGNO(last));
+if (slot < info().firstStackSlot()) {
+MPhi *otherPhi = entry->getSlot(slot)->toPhi();
+if (otherPhi->hasBackedgeType()) {
+if (!phi->addBackedgeType(otherPhi->type(), otherPhi->resultTypeSet()))
+return false;
+}
+}
+} else {
+MIRType type = MIRType_None;
+switch (*last) {
+case JSOP_VOID:
+case JSOP_UNDEFINED:
+type = MIRType_Undefined;
+break;
+case JSOP_NULL:
+type = MIRType_Null;
+break;
+case JSOP_ZERO:
+case JSOP_ONE:
+case JSOP_INT8:
+case JSOP_INT32:
+case JSOP_UINT16:
+case JSOP_UINT24:
+case JSOP_BITAND:
+case JSOP_BITOR:
+case JSOP_BITXOR:
+case JSOP_BITNOT:
+case JSOP_RSH:
+case JSOP_LSH:
+case JSOP_URSH:
+type = MIRType_Int32;
+break;
+case JSOP_FALSE:
+case JSOP_TRUE:
+case JSOP_EQ:
+case JSOP_NE:
+case JSOP_LT:
+case JSOP_LE:
+case JSOP_GT:
+case JSOP_GE:
+case JSOP_NOT:
+case JSOP_STRICTEQ:
+case JSOP_STRICTNE:
+case JSOP_IN:
+case JSOP_INSTANCEOF:
+type = MIRType_Boolean;
+break;
+case JSOP_DOUBLE:
+type = MIRType_Double;
+break;
+case JSOP_STRING:
+case JSOP_TYPEOF:
+case JSOP_TYPEOFEXPR:
+case JSOP_ITERNEXT:
+type = MIRType_String;
+break;
+case JSOP_ADD:
+case JSOP_SUB:
+case JSOP_MUL:
+case JSOP_DIV:
+case JSOP_MOD:
+case JSOP_NEG:
+type = inspector->expectedResultType(last);
+default:
+break;
+}
+if (type != MIRType_None) {
+if (!phi->addBackedgeType(type, nullptr))
+return false;
+}
+}
+}
+return true;
+}
+bool
+IonBuilder::pushLoop(CFGState::State initial, jsbytecode *stopAt, MBasicBlock *entry, bool osr,
+jsbytecode *loopHead, jsbytecode *initialPc,
+jsbytecode *bodyStart, jsbytecode *bodyEnd, jsbytecode *exitpc,
+jsbytecode *continuepc)
+{
+if (!continuepc)
+continuepc = entry->pc();
+ControlFlowInfo loop(cfgStack_.length(), continuepc);
+if (!loops_.append(loop))
+return false;
+CFGState state;
+state.state = initial;
+state.stopAt = stopAt;
+state.loop.bodyStart = bodyStart;
+state.loop.bodyEnd = bodyEnd;
+state.loop.exitpc = exitpc;
+state.loop.continuepc = continuepc;
+state.loop.entry = entry;
+state.loop.osr = osr;
+state.loop.successor = nullptr;
+state.loop.breaks = nullptr;
+state.loop.continues = nullptr;
+state.loop.initialState = initial;
+state.loop.initialPc = initialPc;
+state.loop.initialStopAt = stopAt;
+state.loop.loopHead = loopHead;
+return cfgStack_.append(state);
+}
+bool
+IonBuilder::init()
+{
+if (!types::TypeScript::FreezeTypeSets(constraints(), script(),
+&thisTypes, &argTypes, &typeArray))
+{
+return false;
+}
+if (!analysis().init(alloc(), gsn))
+return false;
+// The baseline script normally has the bytecode type map, but compute
+// it ourselves if we do not have a baseline script.
+if (script()->hasBaselineScript()) {
+bytecodeTypeMap = script()->baselineScript()->bytecodeTypeMap();
+} else {
+bytecodeTypeMap = alloc_->lifoAlloc()->newArrayUninitialized<uint32_t>(script()->nTypeSets());
+if (!bytecodeTypeMap)
+return false;
+types::FillBytecodeTypeMap(script(), bytecodeTypeMap);
+}
+return true;
+}
+bool
+IonBuilder::build()
+{
+if (!init())
+return false;
+if (!setCurrentAndSpecializePhis(newBlock(pc)))
+return false;
+if (!current)
+return false;
+#ifdef DEBUG
+if (info().executionMode() == SequentialExecution && script()->hasIonScript()) {
+IonSpew(IonSpew_Scripts, "Recompiling script %s:%d (%p) (usecount=%d, level=%s)",
+script()->filename(), script()->lineno(), (void *)script(),
+(int)script()->getUseCount(), OptimizationLevelString(optimizationInfo().level()));
+} else {
+IonSpew(IonSpew_Scripts, "Analyzing script %s:%d (%p) (usecount=%d, level=%s)",
+script()->filename(), script()->lineno(), (void *)script(),
+(int)script()->getUseCount(), OptimizationLevelString(optimizationInfo().level()));
+}
+#endif
+initParameters();
+// Initialize local variables.
+for (uint32_t i = 0; i < info().nlocals(); i++) {
+MConstant *undef = MConstant::New(alloc(), UndefinedValue());
+current->add(undef);
+current->initSlot(info().localSlot(i), undef);
+}
+// Initialize something for the scope chain. We can bail out before the
+// start instruction, but the snapshot is encoded *at* the start
+// instruction, which means generating any code that could load into
+// registers is illegal.
+MInstruction *scope = MConstant::New(alloc(), UndefinedValue());
+current->add(scope);
+current->initSlot(info().scopeChainSlot(), scope);
+// Initialize the return value.
+MInstruction *returnValue = MConstant::New(alloc(), UndefinedValue());
+current->add(returnValue);
+current->initSlot(info().returnValueSlot(), returnValue);
+// Initialize the arguments object slot to undefined if necessary.
+if (info().hasArguments()) {
+MInstruction *argsObj = MConstant::New(alloc(), UndefinedValue());
+current->add(argsObj);
+current->initSlot(info().argsObjSlot(), argsObj);
+}
+// Emit the start instruction, so we can begin real instructions.
+current->makeStart(MStart::New(alloc(), MStart::StartType_Default));
+if (instrumentedProfiling())
+current->add(MProfilerStackOp::New(alloc(), script(), MProfilerStackOp::Enter));
+// Guard against over-recursion. Do this before we start unboxing, since
+// this will create an OSI point that will read the incoming argument
+// values, which is nice to do before their last real use, to minimize
+// register/stack pressure.
+MCheckOverRecursed *check = MCheckOverRecursed::New(alloc());
+current->add(check);
+check->setResumePoint(current->entryResumePoint());
+// Parameters have been checked to correspond to the typeset, now we unbox
+// what we can in an infallible manner.
+rewriteParameters();
+// It's safe to start emitting actual IR, so now build the scope chain.
+if (!initScopeChain())
+return false;
+if (info().needsArgsObj() && !initArgumentsObject())
+return false;
+// Prevent |this| from being DCE'd: necessary for constructors.
+if (info().funMaybeLazy())
+current->getSlot(info().thisSlot())->setGuard();
+// The type analysis phase attempts to insert unbox operations near
+// definitions of values. It also attempts to replace uses in resume points
+// with the narrower, unboxed variants. However, we must prevent this
+// replacement from happening on values in the entry snapshot. Otherwise we
+// could get this:
+//
+//       v0 = MParameter(0)
+//       v1 = MParameter(1)
+//       --   ResumePoint(v2, v3)
+//       v2 = Unbox(v0, INT32)
+//       v3 = Unbox(v1, INT32)
+//
+// So we attach the initial resume point to each parameter, which the type
+// analysis explicitly checks (this is the same mechanism used for
+// effectful operations).
+for (uint32_t i = 0; i < info().endArgSlot(); i++) {
+MInstruction *ins = current->getEntrySlot(i)->toInstruction();
+if (ins->type() == MIRType_Value)
+ins->setResumePoint(current->entryResumePoint());
+}
+// lazyArguments should never be accessed in |argsObjAliasesFormals| scripts.
+if (info().hasArguments() && !info().argsObjAliasesFormals()) {
+lazyArguments_ = MConstant::New(alloc(), MagicValue(JS_OPTIMIZED_ARGUMENTS));
+current->add(lazyArguments_);
+}
+insertRecompileCheck();
+if (!traverseBytecode())
+return false;
+if (!maybeAddOsrTypeBarriers())
+return false;
+if (!processIterators())
+return false;
+JS_ASSERT(loopDepth_ == 0);
+abortReason_ = AbortReason_NoAbort;
+return true;
+}
+bool
+IonBuilder::processIterators()
+{
+// Find phis that must directly hold an iterator live.
+Vector<MPhi *, 0, SystemAllocPolicy> worklist;
+for (size_t i = 0; i < iterators_.length(); i++) {
+MInstruction *ins = iterators_[i];
+for (MUseDefIterator iter(ins); iter; iter++) {
+if (iter.def()->isPhi()) {
+if (!worklist.append(iter.def()->toPhi()))
+return false;
+}
+}
+}
+// Propagate the iterator and live status of phis to all other connected
+// phis.
+while (!worklist.empty()) {
+MPhi *phi = worklist.popCopy();
+phi->setIterator();
+phi->setImplicitlyUsedUnchecked();
+for (MUseDefIterator iter(phi); iter; iter++) {
+if (iter.def()->isPhi()) {
+MPhi *other = iter.def()->toPhi();
+if (!other->isIterator() && !worklist.append(other))
+return false;
+}
+}
+}
+return true;
+}
+bool
+IonBuilder::buildInline(IonBuilder *callerBuilder, MResumePoint *callerResumePoint,
+CallInfo &callInfo)
+{
+if (!init())
+return false;
+inlineCallInfo_ = &callInfo;
+IonSpew(IonSpew_Scripts, "Inlining script %s:%d (%p)",
+script()->filename(), script()->lineno(), (void *)script());
+callerBuilder_ = callerBuilder;
+callerResumePoint_ = callerResumePoint;
+if (callerBuilder->failedBoundsCheck_)
+failedBoundsCheck_ = true;
+if (callerBuilder->failedShapeGuard_)
+failedShapeGuard_ = true;
+// Generate single entrance block.
+if (!setCurrentAndSpecializePhis(newBlock(pc)))
+return false;
+if (!current)
+return false;
+current->setCallerResumePoint(callerResumePoint);
+// Connect the entrance block to the last block in the caller's graph.
+MBasicBlock *predecessor = callerBuilder->current;
+JS_ASSERT(predecessor == callerResumePoint->block());
+// All further instructions generated in from this scope should be
+// considered as part of the function that we're inlining. We also need to
+// keep track of the inlining depth because all scripts inlined on the same
+// level contiguously have only one InlineExit node.
+if (instrumentedProfiling()) {
+predecessor->add(MProfilerStackOp::New(alloc(), script(),
+MProfilerStackOp::InlineEnter,
+inliningDepth_));
+}
+predecessor->end(MGoto::New(alloc(), current));
+if (!current->addPredecessorWithoutPhis(predecessor))
+return false;
+// Initialize scope chain slot to Undefined.  It's set later by |initScopeChain|.
+MInstruction *scope = MConstant::New(alloc(), UndefinedValue());
+current->add(scope);
+current->initSlot(info().scopeChainSlot(), scope);
+// Initialize |return value| slot.
+MInstruction *returnValue = MConstant::New(alloc(), UndefinedValue());
+current->add(returnValue);
+current->initSlot(info().returnValueSlot(), returnValue);
+// Initialize |arguments| slot.
+if (info().hasArguments()) {
+MInstruction *argsObj = MConstant::New(alloc(), UndefinedValue());
+current->add(argsObj);
+current->initSlot(info().argsObjSlot(), argsObj);
+}
+// Initialize |this| slot.
+current->initSlot(info().thisSlot(), callInfo.thisArg());
+IonSpew(IonSpew_Inlining, "Initializing %u arg slots", info().nargs());
+// NB: Ion does not inline functions which |needsArgsObj|.  So using argSlot()
+// instead of argSlotUnchecked() below is OK
+JS_ASSERT(!info().needsArgsObj());
+// Initialize actually set arguments.
+uint32_t existing_args = Min<uint32_t>(callInfo.argc(), info().nargs());
+for (size_t i = 0; i < existing_args; ++i) {
+MDefinition *arg = callInfo.getArg(i);
+current->initSlot(info().argSlot(i), arg);
+}
+// Pass Undefined for missing arguments
+for (size_t i = callInfo.argc(); i < info().nargs(); ++i) {
+MConstant *arg = MConstant::New(alloc(), UndefinedValue());
+current->add(arg);
+current->initSlot(info().argSlot(i), arg);
+}
+// Initialize the scope chain now that args are initialized.
+if (!initScopeChain(callInfo.fun()))
+return false;
+IonSpew(IonSpew_Inlining, "Initializing %u local slots", info().nlocals());
+// Initialize local variables.
+for (uint32_t i = 0; i < info().nlocals(); i++) {
+MConstant *undef = MConstant::New(alloc(), UndefinedValue());
+current->add(undef);
+current->initSlot(info().localSlot(i), undef);
+}
+IonSpew(IonSpew_Inlining, "Inline entry block MResumePoint %p, %u operands",
+(void *) current->entryResumePoint(), current->entryResumePoint()->numOperands());
+// +2 for the scope chain and |this|, maybe another +1 for arguments object slot.
+JS_ASSERT(current->entryResumePoint()->numOperands() == info().totalSlots());
+if (script_->argumentsHasVarBinding()) {
+lazyArguments_ = MConstant::New(alloc(), MagicValue(JS_OPTIMIZED_ARGUMENTS));
+current->add(lazyArguments_);
+}
+insertRecompileCheck();
+if (!traverseBytecode())
+return false;
+return true;
+}
+void
+IonBuilder::rewriteParameter(uint32_t slotIdx, MDefinition *param, int32_t argIndex)
+{
+JS_ASSERT(param->isParameter() || param->isGetArgumentsObjectArg());
+types::TemporaryTypeSet *types = param->resultTypeSet();
+MDefinition *actual = ensureDefiniteType(param, types->getKnownMIRType());
+if (actual == param)
+return;
+// Careful! We leave the original MParameter in the entry resume point. The
+// arguments still need to be checked unless proven otherwise at the call
+// site, and these checks can bailout. We can end up:
+//   v0 = Parameter(0)
+//   v1 = Unbox(v0, INT32)
+//   --   ResumePoint(v0)
+//
+// As usual, it would be invalid for v1 to be captured in the initial
+// resume point, rather than v0.
+current->rewriteSlot(slotIdx, actual);
+}
+// Apply Type Inference information to parameters early on, unboxing them if
+// they have a definitive type. The actual guards will be emitted by the code
+// generator, explicitly, as part of the function prologue.
+void
+IonBuilder::rewriteParameters()
+{
+JS_ASSERT(info().scopeChainSlot() == 0);
+if (!info().funMaybeLazy())
+return;
+for (uint32_t i = info().startArgSlot(); i < info().endArgSlot(); i++) {
+MDefinition *param = current->getSlot(i);
+rewriteParameter(i, param, param->toParameter()->index());
+}
+}
+void
+IonBuilder::initParameters()
+{
+if (!info().funMaybeLazy())
+return;
+// If we are doing OSR on a frame which initially executed in the
+// interpreter and didn't accumulate type information, try to use that OSR
+// frame to determine possible initial types for 'this' and parameters.
+if (thisTypes->empty() && baselineFrame_)
+thisTypes->addType(baselineFrame_->thisType, alloc_->lifoAlloc());
+MParameter *param = MParameter::New(alloc(), MParameter::THIS_SLOT, thisTypes);
+current->add(param);
+current->initSlot(info().thisSlot(), param);
+for (uint32_t i = 0; i < info().nargs(); i++) {
+types::TemporaryTypeSet *types = &argTypes[i];
+if (types->empty() && baselineFrame_ &&
+!script_->baselineScript()->modifiesArguments())
+{
+types->addType(baselineFrame_->argTypes[i], alloc_->lifoAlloc());
+}
+param = MParameter::New(alloc(), i, types);
+current->add(param);
+current->initSlot(info().argSlotUnchecked(i), param);
+}
+}
+bool
+IonBuilder::initScopeChain(MDefinition *callee)
+{
+MInstruction *scope = nullptr;
+// If the script doesn't use the scopechain, then it's already initialized
+// from earlier.  However, always make a scope chain when |needsArgsObj| is true
+// for the script, since arguments object construction requires the scope chain
+// to be passed in.
+if (!info().needsArgsObj() && !analysis().usesScopeChain())
+return true;
+// The scope chain is only tracked in scripts that have NAME opcodes which
+// will try to access the scope. For other scripts, the scope instructions
+// will be held live by resume points and code will still be generated for
+// them, so just use a constant undefined value.
+if (!script()->compileAndGo())
+return abort("non-CNG global scripts are not supported");
+if (JSFunction *fun = info().funMaybeLazy()) {
+if (!callee) {
+MCallee *calleeIns = MCallee::New(alloc());
+current->add(calleeIns);
+callee = calleeIns;
+}
+scope = MFunctionEnvironment::New(alloc(), callee);
+current->add(scope);
+// This reproduce what is done in CallObject::createForFunction. Skip
+// this for analyses, as the script might not have a baseline script
+// with template objects yet.
+if (fun->isHeavyweight() && !info().executionModeIsAnalysis()) {
+if (fun->isNamedLambda()) {
+scope = createDeclEnvObject(callee, scope);
+if (!scope)
+return false;
+}
+scope = createCallObject(callee, scope);
+if (!scope)
+return false;
+}
+} else {
+scope = constant(ObjectValue(script()->global()));
+}
+current->setScopeChain(scope);
+return true;
+}
+bool
+IonBuilder::initArgumentsObject()
+{
+IonSpew(IonSpew_MIR, "%s:%d - Emitting code to initialize arguments object! block=%p",
+script()->filename(), script()->lineno(), current);
+JS_ASSERT(info().needsArgsObj());
+MCreateArgumentsObject *argsObj = MCreateArgumentsObject::New(alloc(), current->scopeChain());
+current->add(argsObj);
+current->setArgumentsObject(argsObj);
+return true;
+}
+bool
+IonBuilder::addOsrValueTypeBarrier(uint32_t slot, MInstruction **def_,
+MIRType type, types::TemporaryTypeSet *typeSet)
+{
+MInstruction *&def = *def_;
+MBasicBlock *osrBlock = def->block();
+// Clear bogus type information added in newOsrPreheader().
+def->setResultType(MIRType_Value);
+def->setResultTypeSet(nullptr);
+if (typeSet && !typeSet->unknown()) {
+MInstruction *barrier = MTypeBarrier::New(alloc(), def, typeSet);
+osrBlock->insertBefore(osrBlock->lastIns(), barrier);
+osrBlock->rewriteSlot(slot, barrier);
+def = barrier;
+} else if (type == MIRType_Null ||
+type == MIRType_Undefined ||
+type == MIRType_MagicOptimizedArguments)
+{
+// No unbox instruction will be added below, so check the type by
+// adding a type barrier for a singleton type set.
+types::Type ntype = types::Type::PrimitiveType(ValueTypeFromMIRType(type));
+typeSet = alloc_->lifoAlloc()->new_<types::TemporaryTypeSet>(ntype);
+if (!typeSet)
+return false;
+MInstruction *barrier = MTypeBarrier::New(alloc(), def, typeSet);
+osrBlock->insertBefore(osrBlock->lastIns(), barrier);
+osrBlock->rewriteSlot(slot, barrier);
+def = barrier;
+}
+switch (type) {
+case MIRType_Boolean:
+case MIRType_Int32:
+case MIRType_Double:
+case MIRType_String:
+case MIRType_Object:
+if (type != def->type()) {
+MUnbox *unbox = MUnbox::New(alloc(), def, type, MUnbox::Fallible);
+osrBlock->insertBefore(osrBlock->lastIns(), unbox);
+osrBlock->rewriteSlot(slot, unbox);
+def = unbox;
+}
+break;
+case MIRType_Null:
+{
+MConstant *c = MConstant::New(alloc(), NullValue());
+osrBlock->insertBefore(osrBlock->lastIns(), c);
+osrBlock->rewriteSlot(slot, c);
+def = c;
+break;
+}
+case MIRType_Undefined:
+{
+MConstant *c = MConstant::New(alloc(), UndefinedValue());
+osrBlock->insertBefore(osrBlock->lastIns(), c);
+osrBlock->rewriteSlot(slot, c);
+def = c;
+break;
+}
+case MIRType_MagicOptimizedArguments:
+JS_ASSERT(lazyArguments_);
+osrBlock->rewriteSlot(slot, lazyArguments_);
+def = lazyArguments_;
+break;
+default:
+break;
+}
+JS_ASSERT(def == osrBlock->getSlot(slot));
+return true;
+}
+bool
+IonBuilder::maybeAddOsrTypeBarriers()
+{
+if (!info().osrPc())
+return true;
+// The loop has successfully been processed, and the loop header phis
+// have their final type. Add unboxes and type barriers in the OSR
+// block to check that the values have the appropriate type, and update
+// the types in the preheader.
+MBasicBlock *osrBlock = graph().osrBlock();
+if (!osrBlock) {
+// Because IonBuilder does not compile catch blocks, it's possible to
+// end up without an OSR block if the OSR pc is only reachable via a
+// break-statement inside the catch block. For instance:
+//
+//   for (;;) {
+//       try {
+//           throw 3;
+//       } catch(e) {
+//           break;
+//       }
+//   }
+//   while (..) { } // <= OSR here, only reachable via catch block.
+//
+// For now we just abort in this case.
+JS_ASSERT(graph().hasTryBlock());
+return abort("OSR block only reachable through catch block");
+}
+MBasicBlock *preheader = osrBlock->getSuccessor(0);
+MBasicBlock *header = preheader->getSuccessor(0);
+static const size_t OSR_PHI_POSITION = 1;
+JS_ASSERT(preheader->getPredecessor(OSR_PHI_POSITION) == osrBlock);
+MPhiIterator headerPhi = header->phisBegin();
+while (headerPhi != header->phisEnd() && headerPhi->slot() < info().startArgSlot())
+headerPhi++;
+for (uint32_t i = info().startArgSlot(); i < osrBlock->stackDepth(); i++, headerPhi++) {
+// Aliased slots are never accessed, since they need to go through
+// the callobject. The typebarriers are added there and can be
+// discarded here.
+if (info().isSlotAliasedAtOsr(i))
+continue;
+MInstruction *def = osrBlock->getSlot(i)->toInstruction();
+JS_ASSERT(headerPhi->slot() == i);
+MPhi *preheaderPhi = preheader->getSlot(i)->toPhi();
+MIRType type = headerPhi->type();
+types::TemporaryTypeSet *typeSet = headerPhi->resultTypeSet();
+if (!addOsrValueTypeBarrier(i, &def, type, typeSet))
+return false;
+preheaderPhi->replaceOperand(OSR_PHI_POSITION, def);
+preheaderPhi->setResultType(type);
+preheaderPhi->setResultTypeSet(typeSet);
+}
+return true;
+}
+// We try to build a control-flow graph in the order that it would be built as
+// if traversing the AST. This leads to a nice ordering and lets us build SSA
+// in one pass, since the bytecode is structured.
+//
+// We traverse the bytecode iteratively, maintaining a current basic block.
+// Each basic block has a mapping of local slots to instructions, as well as a
+// stack depth. As we encounter instructions we mutate this mapping in the
+// current block.
+//
+// Things get interesting when we encounter a control structure. This can be
+// either an IFEQ, downward GOTO, or a decompiler hint stashed away in source
+// notes. Once we encounter such an opcode, we recover the structure of the
+// control flow (its branches and bounds), and push it on a stack.
+//
+// As we continue traversing the bytecode, we look for points that would
+// terminate the topmost control flow path pushed on the stack. These are:
+//  (1) The bounds of the current structure (end of a loop or join/edge of a
+//      branch).
+//  (2) A "return", "break", or "continue" statement.
+//
+// For (1), we expect that there is a current block in the progress of being
+// built, and we complete the necessary edges in the CFG. For (2), we expect
+// that there is no active block.
+//
+// For normal diamond join points, we construct Phi nodes as we add
+// predecessors. For loops, care must be taken to propagate Phi nodes back
+// through uses in the loop body.
+bool
+IonBuilder::traverseBytecode()
+{
+for (;;) {
+JS_ASSERT(pc < info().limitPC());
+for (;;) {
+if (!alloc().ensureBallast())
+return false;
+// Check if we've hit an expected join point or edge in the bytecode.
+// Leaving one control structure could place us at the edge of another,
+// thus |while| instead of |if| so we don't skip any opcodes.
+if (!cfgStack_.empty() && cfgStack_.back().stopAt == pc) {
+ControlStatus status = processCfgStack();
+if (status == ControlStatus_Error)
+return false;
+if (status == ControlStatus_Abort)
+return abort("Aborted while processing control flow");
+if (!current)
+return true;
+continue;
+}
+// Some opcodes need to be handled early because they affect control
+// flow, terminating the current basic block and/or instructing the
+// traversal algorithm to continue from a new pc.
+//
+//   (1) If the opcode does not affect control flow, then the opcode
+//       is inspected and transformed to IR. This is the process_opcode
+//       label.
+//   (2) A loop could be detected via a forward GOTO. In this case,
+//       we don't want to process the GOTO, but the following
+//       instruction.
+//   (3) A RETURN, STOP, BREAK, or CONTINUE may require processing the
+//       CFG stack to terminate open branches.
+//
+// Similar to above, snooping control flow could land us at another
+// control flow point, so we iterate until it's time to inspect a real
+// opcode.
+ControlStatus status;
+if ((status = snoopControlFlow(JSOp(*pc))) == ControlStatus_None)
+break;
+if (status == ControlStatus_Error)
+return false;
+if (status == ControlStatus_Abort)
+return abort("Aborted while processing control flow");
+if (!current)
+return true;
+}
+#ifdef DEBUG
+// In debug builds, after compiling this op, check that all values
+// popped by this opcode either:
+//
+//   (1) Have the ImplicitlyUsed flag set on them.
+//   (2) Have more uses than before compiling this op (the value is
+//       used as operand of a new MIR instruction).
+//
+// This is used to catch problems where IonBuilder pops a value without
+// adding any SSA uses and doesn't call setImplicitlyUsedUnchecked on it.
+Vector<MDefinition *, 4, IonAllocPolicy> popped(alloc());
+Vector<size_t, 4, IonAllocPolicy> poppedUses(alloc());
+unsigned nuses = GetUseCount(script_, script_->pcToOffset(pc));
+for (unsigned i = 0; i < nuses; i++) {
+MDefinition *def = current->peek(-int32_t(i + 1));
+if (!popped.append(def) || !poppedUses.append(def->defUseCount()))
+return false;
+}
+#endif
+// Nothing in inspectOpcode() is allowed to advance the pc.
+JSOp op = JSOp(*pc);
+if (!inspectOpcode(op))
+return false;
+#ifdef DEBUG
+for (size_t i = 0; i < popped.length(); i++) {
+switch (op) {
+case JSOP_POP:
+case JSOP_POPN:
+case JSOP_DUPAT:
+case JSOP_DUP:
+case JSOP_DUP2:
+case JSOP_PICK:
+case JSOP_SWAP:
+case JSOP_SETARG:
+case JSOP_SETLOCAL:
+case JSOP_SETRVAL:
+case JSOP_VOID:
+// Don't require SSA uses for values popped by these ops.
+break;
+case JSOP_POS:
+case JSOP_TOID:
+// These ops may leave their input on the stack without setting
+// the ImplicitlyUsed flag. If this value will be popped immediately,
+// we may replace it with |undefined|, but the difference is
+// not observable.
+JS_ASSERT(i == 0);
+if (current->peek(-1) == popped[0])
+break;
+// FALL THROUGH
+default:
+JS_ASSERT(popped[i]->isImplicitlyUsed() ||
+// MNewDerivedTypedObject instances are
+// often dead unless they escape from the
+// fn. See IonBuilder::loadTypedObjectData()
+// for more details.
+popped[i]->isNewDerivedTypedObject() ||
+popped[i]->defUseCount() > poppedUses[i]);
+break;
+}
+}
+#endif
+pc += js_CodeSpec[op].length;
+current->updateTrackedPc(pc);
+}
+return true;
+}
+IonBuilder::ControlStatus
+IonBuilder::snoopControlFlow(JSOp op)
+{
+switch (op) {
+case JSOP_NOP:
+return maybeLoop(op, info().getNote(gsn, pc));
+case JSOP_POP:
+return maybeLoop(op, info().getNote(gsn, pc));
+case JSOP_RETURN:
+case JSOP_RETRVAL:
+return processReturn(op);
+case JSOP_THROW:
+return processThrow();
+case JSOP_GOTO:
+{
+jssrcnote *sn = info().getNote(gsn, pc);
+switch (sn ? SN_TYPE(sn) : SRC_NULL) {
+case SRC_BREAK:
+case SRC_BREAK2LABEL:
+return processBreak(op, sn);
+case SRC_CONTINUE:
+return processContinue(op);
+case SRC_SWITCHBREAK:
+return processSwitchBreak(op);
+case SRC_WHILE:
+case SRC_FOR_IN:
+case SRC_FOR_OF:
+// while (cond) { }
+return whileOrForInLoop(sn);
+default:
+// Hard assert for now - make an error later.
+MOZ_ASSUME_UNREACHABLE("unknown goto case");
+}
+break;
+}
+case JSOP_TABLESWITCH:
+return tableSwitch(op, info().getNote(gsn, pc));
+case JSOP_IFNE:
+// We should never reach an IFNE, it's a stopAt point, which will
+// trigger closing the loop.
+MOZ_ASSUME_UNREACHABLE("we should never reach an ifne!");
+default:
+break;
+}
+return ControlStatus_None;
+}
+bool
+IonBuilder::inspectOpcode(JSOp op)
+{
+switch (op) {
+case JSOP_NOP:
+case JSOP_LINENO:
+case JSOP_LOOPENTRY:
+return true;
+case JSOP_LABEL:
+return jsop_label();
+case JSOP_UNDEFINED:
+return pushConstant(UndefinedValue());
+case JSOP_IFEQ:
+return jsop_ifeq(JSOP_IFEQ);
+case JSOP_TRY:
+return jsop_try();
+case JSOP_CONDSWITCH:
+return jsop_condswitch();
+case JSOP_BITNOT:
+return jsop_bitnot();
+case JSOP_BITAND:
+case JSOP_BITOR:
+case JSOP_BITXOR:
+case JSOP_LSH:
+case JSOP_RSH:
+case JSOP_URSH:
+return jsop_bitop(op);
+case JSOP_ADD:
+case JSOP_SUB:
+case JSOP_MUL:
+case JSOP_DIV:
+case JSOP_MOD:
+return jsop_binary(op);
+case JSOP_POS:
+return jsop_pos();
+case JSOP_NEG:
+return jsop_neg();
+case JSOP_AND:
+case JSOP_OR:
+return jsop_andor(op);
+case JSOP_DEFVAR:
+case JSOP_DEFCONST:
+return jsop_defvar(GET_UINT32_INDEX(pc));
+case JSOP_DEFFUN:
+return jsop_deffun(GET_UINT32_INDEX(pc));
+case JSOP_EQ:
+case JSOP_NE:
+case JSOP_STRICTEQ:
+case JSOP_STRICTNE:
+case JSOP_LT:
+case JSOP_LE:
+case JSOP_GT:
+case JSOP_GE:
+return jsop_compare(op);
+case JSOP_DOUBLE:
+return pushConstant(info().getConst(pc));
+case JSOP_STRING:
+return pushConstant(StringValue(info().getAtom(pc)));
+case JSOP_ZERO:
+return pushConstant(Int32Value(0));
+case JSOP_ONE:
+return pushConstant(Int32Value(1));
+case JSOP_NULL:
+return pushConstant(NullValue());
+case JSOP_VOID:
+current->pop();
+return pushConstant(UndefinedValue());
+case JSOP_HOLE:
+return pushConstant(MagicValue(JS_ELEMENTS_HOLE));
+case JSOP_FALSE:
+return pushConstant(BooleanValue(false));
+case JSOP_TRUE:
+return pushConstant(BooleanValue(true));
+case JSOP_ARGUMENTS:
+return jsop_arguments();
+case JSOP_RUNONCE:
+return jsop_runonce();
+case JSOP_REST:
+return jsop_rest();
+case JSOP_GETARG:
+if (info().argsObjAliasesFormals()) {
+MGetArgumentsObjectArg *getArg = MGetArgumentsObjectArg::New(alloc(),
+current->argumentsObject(),
+GET_ARGNO(pc));
+current->add(getArg);
+current->push(getArg);
+} else {
+current->pushArg(GET_ARGNO(pc));
+}
+return true;
+case JSOP_SETARG:
+return jsop_setarg(GET_ARGNO(pc));
+case JSOP_GETLOCAL:
+current->pushLocal(GET_LOCALNO(pc));
+return true;
+case JSOP_SETLOCAL:
+current->setLocal(GET_LOCALNO(pc));
+return true;
+case JSOP_POP:
+current->pop();
+// POP opcodes frequently appear where values are killed, e.g. after
+// SET* opcodes. Place a resume point afterwards to avoid capturing
+// the dead value in later snapshots, except in places where that
+// resume point is obviously unnecessary.
+if (pc[JSOP_POP_LENGTH] == JSOP_POP)
+return true;
+return maybeInsertResume();
+case JSOP_POPN:
+for (uint32_t i = 0, n = GET_UINT16(pc); i < n; i++)
+current->pop();
+return true;
+case JSOP_DUPAT:
+current->pushSlot(current->stackDepth() - 1 - GET_UINT24(pc));
+return true;
+case JSOP_NEWINIT:
+if (GET_UINT8(pc) == JSProto_Array)
+return jsop_newarray(0);
+return jsop_newobject();
+case JSOP_NEWARRAY:
+return jsop_newarray(GET_UINT24(pc));
+case JSOP_NEWOBJECT:
+return jsop_newobject();
+case JSOP_INITELEM:
+return jsop_initelem();
+case JSOP_INITELEM_ARRAY:
+return jsop_initelem_array();
+case JSOP_INITPROP:
+{
+PropertyName *name = info().getAtom(pc)->asPropertyName();
+return jsop_initprop(name);
+}
+case JSOP_MUTATEPROTO:
+{
+return jsop_mutateproto();
+}
+case JSOP_INITPROP_GETTER:
+case JSOP_INITPROP_SETTER: {
+PropertyName *name = info().getAtom(pc)->asPropertyName();
+return jsop_initprop_getter_setter(name);
+}
+case JSOP_INITELEM_GETTER:
+case JSOP_INITELEM_SETTER:
+return jsop_initelem_getter_setter();
+case JSOP_ENDINIT:
+return true;
+case JSOP_FUNCALL:
+return jsop_funcall(GET_ARGC(pc));
+case JSOP_FUNAPPLY:
+return jsop_funapply(GET_ARGC(pc));
+case JSOP_CALL:
+case JSOP_NEW:
+return jsop_call(GET_ARGC(pc), (JSOp)*pc == JSOP_NEW);
+case JSOP_EVAL:
+return jsop_eval(GET_ARGC(pc));
+case JSOP_INT8:
+return pushConstant(Int32Value(GET_INT8(pc)));
+case JSOP_UINT16:
+return pushConstant(Int32Value(GET_UINT16(pc)));
+case JSOP_GETGNAME:
+{
+PropertyName *name = info().getAtom(pc)->asPropertyName();
+return jsop_getgname(name);
+}
+case JSOP_BINDGNAME:
+return pushConstant(ObjectValue(script()->global()));
+case JSOP_SETGNAME:
+{
+PropertyName *name = info().getAtom(pc)->asPropertyName();
+JSObject *obj = &script()->global();
+return setStaticName(obj, name);
+}
+case JSOP_NAME:
+{
+PropertyName *name = info().getAtom(pc)->asPropertyName();
+return jsop_getname(name);
+}
+case JSOP_GETINTRINSIC:
+{
+PropertyName *name = info().getAtom(pc)->asPropertyName();
+return jsop_intrinsic(name);
+}
+case JSOP_BINDNAME:
+return jsop_bindname(info().getName(pc));
+case JSOP_DUP:
+current->pushSlot(current->stackDepth() - 1);
+return true;
+case JSOP_DUP2:
+return jsop_dup2();
+case JSOP_SWAP:
+current->swapAt(-1);
+return true;
+case JSOP_PICK:
+current->pick(-GET_INT8(pc));
+return true;
+case JSOP_GETALIASEDVAR:
+return jsop_getaliasedvar(ScopeCoordinate(pc));
+case JSOP_SETALIASEDVAR:
+return jsop_setaliasedvar(ScopeCoordinate(pc));
+case JSOP_UINT24:
+return pushConstant(Int32Value(GET_UINT24(pc)));
+case JSOP_INT32:
+return pushConstant(Int32Value(GET_INT32(pc)));
+case JSOP_LOOPHEAD:
+// JSOP_LOOPHEAD is handled when processing the loop header.
+MOZ_ASSUME_UNREACHABLE("JSOP_LOOPHEAD outside loop");
+case JSOP_GETELEM:
+case JSOP_CALLELEM:
+return jsop_getelem();
+case JSOP_SETELEM:
+return jsop_setelem();
+case JSOP_LENGTH:
+return jsop_length();
+case JSOP_NOT:
+return jsop_not();
+case JSOP_THIS:
+return jsop_this();
+case JSOP_CALLEE: {
+MDefinition *callee = getCallee();
+current->push(callee);
+return true;
+}
+case JSOP_GETPROP:
+case JSOP_CALLPROP:
+{
+PropertyName *name = info().getAtom(pc)->asPropertyName();
+return jsop_getprop(name);
+}
+case JSOP_SETPROP:
+case JSOP_SETNAME:
+{
+PropertyName *name = info().getAtom(pc)->asPropertyName();
+return jsop_setprop(name);
+}
+case JSOP_DELPROP:
+{
+PropertyName *name = info().getAtom(pc)->asPropertyName();
+return jsop_delprop(name);
+}
+case JSOP_DELELEM:
+return jsop_delelem();
+case JSOP_REGEXP:
+return jsop_regexp(info().getRegExp(pc));
+case JSOP_OBJECT:
+return jsop_object(info().getObject(pc));
+case JSOP_TYPEOF:
+case JSOP_TYPEOFEXPR:
+return jsop_typeof();
+case JSOP_TOID:
+return jsop_toid();
+case JSOP_LAMBDA:
+return jsop_lambda(info().getFunction(pc));
+case JSOP_LAMBDA_ARROW:
+return jsop_lambda_arrow(info().getFunction(pc));
+case JSOP_ITER:
+return jsop_iter(GET_INT8(pc));
+case JSOP_ITERNEXT:
+return jsop_iternext();
+case JSOP_MOREITER:
+return jsop_itermore();
+case JSOP_ENDITER:
+return jsop_iterend();
+case JSOP_IN:
+return jsop_in();
+case JSOP_SETRVAL:
+JS_ASSERT(!script()->noScriptRval());
+current->setSlot(info().returnValueSlot(), current->pop());
+return true;
+case JSOP_INSTANCEOF:
+return jsop_instanceof();
+case JSOP_DEBUGLEAVEBLOCK:
+return true;
+default:
+#ifdef DEBUG
+return abort("Unsupported opcode: %s (line %d)", js_CodeName[op], info().lineno(pc));
+#else
+return abort("Unsupported opcode: %d (line %d)", op, info().lineno(pc));
+#endif
+}
+}
+// Given that the current control flow structure has ended forcefully,
+// via a return, break, or continue (rather than joining), propagate the
+// termination up. For example, a return nested 5 loops deep may terminate
+// every outer loop at once, if there are no intervening conditionals:
+//
+// for (...) {
+//   for (...) {
+//     return x;
+//   }
+// }
+//
+// If |current| is nullptr when this function returns, then there is no more
+// control flow to be processed.
+IonBuilder::ControlStatus
+IonBuilder::processControlEnd()
+{
+JS_ASSERT(!current);
+if (cfgStack_.empty()) {
+// If there is no more control flow to process, then this is the
+// last return in the function.
+return ControlStatus_Ended;
+}
+return processCfgStack();
+}
+// Processes the top of the CFG stack. This is used from two places:
+// (1) processControlEnd(), whereby a break, continue, or return may interrupt
+//     an in-progress CFG structure before reaching its actual termination
+//     point in the bytecode.
+// (2) traverseBytecode(), whereby we reach the last instruction in a CFG
+//     structure.
+IonBuilder::ControlStatus
+IonBuilder::processCfgStack()
+{
+ControlStatus status = processCfgEntry(cfgStack_.back());
+// If this terminated a CFG structure, act like processControlEnd() and
+// keep propagating upward.
+while (status == ControlStatus_Ended) {
+popCfgStack();
+if (cfgStack_.empty())
+return status;
+status = processCfgEntry(cfgStack_.back());
+}
+// If some join took place, the current structure is finished.
+if (status == ControlStatus_Joined)
+popCfgStack();
+return status;
+}
+IonBuilder::ControlStatus
+IonBuilder::processCfgEntry(CFGState &state)
+{
+switch (state.state) {
+case CFGState::IF_TRUE:
+case CFGState::IF_TRUE_EMPTY_ELSE:
+return processIfEnd(state);
+case CFGState::IF_ELSE_TRUE:
+return processIfElseTrueEnd(state);
+case CFGState::IF_ELSE_FALSE:
+return processIfElseFalseEnd(state);
+case CFGState::DO_WHILE_LOOP_BODY:
+return processDoWhileBodyEnd(state);
+case CFGState::DO_WHILE_LOOP_COND:
+return processDoWhileCondEnd(state);
+case CFGState::WHILE_LOOP_COND:
+return processWhileCondEnd(state);
+case CFGState::WHILE_LOOP_BODY:
+return processWhileBodyEnd(state);
+case CFGState::FOR_LOOP_COND:
+return processForCondEnd(state);
+case CFGState::FOR_LOOP_BODY:
+return processForBodyEnd(state);
+case CFGState::FOR_LOOP_UPDATE:
+return processForUpdateEnd(state);
+case CFGState::TABLE_SWITCH:
+return processNextTableSwitchCase(state);
+case CFGState::COND_SWITCH_CASE:
+return processCondSwitchCase(state);
+case CFGState::COND_SWITCH_BODY:
+return processCondSwitchBody(state);
+case CFGState::AND_OR:
+return processAndOrEnd(state);
+case CFGState::LABEL:
+return processLabelEnd(state);
+case CFGState::TRY:
+return processTryEnd(state);
+default:
+MOZ_ASSUME_UNREACHABLE("unknown cfgstate");
+}
+}
+IonBuilder::ControlStatus
+IonBuilder::processIfEnd(CFGState &state)
+{
+if (current) {
+// Here, the false block is the join point. Create an edge from the
+// current block to the false block. Note that a RETURN opcode
+// could have already ended the block.
+current->end(MGoto::New(alloc(), state.branch.ifFalse));
+if (!state.branch.ifFalse->addPredecessor(alloc(), current))
+return ControlStatus_Error;
+}
+if (!setCurrentAndSpecializePhis(state.branch.ifFalse))
+return ControlStatus_Error;
+graph().moveBlockToEnd(current);
+pc = current->pc();
+return ControlStatus_Joined;
+}
+IonBuilder::ControlStatus
+IonBuilder::processIfElseTrueEnd(CFGState &state)
+{
+// We've reached the end of the true branch of an if-else. Don't
+// create an edge yet, just transition to parsing the false branch.
+state.state = CFGState::IF_ELSE_FALSE;
+state.branch.ifTrue = current;
+state.stopAt = state.branch.falseEnd;
+pc = state.branch.ifFalse->pc();
+if (!setCurrentAndSpecializePhis(state.branch.ifFalse))
+return ControlStatus_Error;
+graph().moveBlockToEnd(current);
+if (state.branch.test)
+filterTypesAtTest(state.branch.test);
+return ControlStatus_Jumped;
+}
+IonBuilder::ControlStatus
+IonBuilder::processIfElseFalseEnd(CFGState &state)
+{
+// Update the state to have the latest block from the false path.
+state.branch.ifFalse = current;
+// To create the join node, we need an incoming edge that has not been
+// terminated yet.
+MBasicBlock *pred = state.branch.ifTrue
+? state.branch.ifTrue
+: state.branch.ifFalse;
+MBasicBlock *other = (pred == state.branch.ifTrue) ? state.branch.ifFalse : state.branch.ifTrue;
+if (!pred)
+return ControlStatus_Ended;
+// Create a new block to represent the join.
+MBasicBlock *join = newBlock(pred, state.branch.falseEnd);
+if (!join)
+return ControlStatus_Error;
+// Create edges from the true and false blocks as needed.
+pred->end(MGoto::New(alloc(), join));
+if (other) {
+other->end(MGoto::New(alloc(), join));
+if (!join->addPredecessor(alloc(), other))
+return ControlStatus_Error;
+}
+// Ignore unreachable remainder of false block if existent.
+if (!setCurrentAndSpecializePhis(join))
+return ControlStatus_Error;
+pc = current->pc();
+return ControlStatus_Joined;
+}
+IonBuilder::ControlStatus
+IonBuilder::processBrokenLoop(CFGState &state)
+{
+JS_ASSERT(!current);
+JS_ASSERT(loopDepth_);
+loopDepth_--;
+// A broken loop is not a real loop (it has no header or backedge), so
+// reset the loop depth.
+for (MBasicBlockIterator i(graph().begin(state.loop.entry)); i != graph().end(); i++) {
+if (i->loopDepth() > loopDepth_)
+i->setLoopDepth(i->loopDepth() - 1);
+}
+// If the loop started with a condition (while/for) then even if the
+// structure never actually loops, the condition itself can still fail and
+// thus we must resume at the successor, if one exists.
+if (!setCurrentAndSpecializePhis(state.loop.successor))
+return ControlStatus_Error;
+if (current) {
+JS_ASSERT(current->loopDepth() == loopDepth_);
+graph().moveBlockToEnd(current);
+}
+// Join the breaks together and continue parsing.
+if (state.loop.breaks) {
+MBasicBlock *block = createBreakCatchBlock(state.loop.breaks, state.loop.exitpc);
+if (!block)
+return ControlStatus_Error;
+if (current) {
+current->end(MGoto::New(alloc(), block));
+if (!block->addPredecessor(alloc(), current))
+return ControlStatus_Error;
+}
+if (!setCurrentAndSpecializePhis(block))
+return ControlStatus_Error;
+}
+// If the loop is not gated on a condition, and has only returns, we'll
+// reach this case. For example:
+// do { ... return; } while ();
+if (!current)
+return ControlStatus_Ended;
+// Otherwise, the loop is gated on a condition and/or has breaks so keep
+// parsing at the successor.
+pc = current->pc();
+return ControlStatus_Joined;
+}
+IonBuilder::ControlStatus
+IonBuilder::finishLoop(CFGState &state, MBasicBlock *successor)
+{
+JS_ASSERT(current);
+JS_ASSERT(loopDepth_);
+loopDepth_--;
+JS_ASSERT_IF(successor, successor->loopDepth() == loopDepth_);
+// Compute phis in the loop header and propagate them throughout the loop,
+// including the successor.
+AbortReason r = state.loop.entry->setBackedge(current);
+if (r == AbortReason_Alloc)
+return ControlStatus_Error;
+if (r == AbortReason_Disable) {
+// If there are types for variables on the backedge that were not
+// present at the original loop header, then uses of the variables'
+// phis may have generated incorrect nodes. The new types have been
+// incorporated into the header phis, so remove all blocks for the
+// loop body and restart with the new types.
+return restartLoop(state);
+}
+if (successor) {
+graph().moveBlockToEnd(successor);
+successor->inheritPhis(state.loop.entry);
+}
+if (state.loop.breaks) {
+// Propagate phis placed in the header to individual break exit points.
+DeferredEdge *edge = state.loop.breaks;
+while (edge) {
+edge->block->inheritPhis(state.loop.entry);
+edge = edge->next;
+}
+// Create a catch block to join all break exits.
+MBasicBlock *block = createBreakCatchBlock(state.loop.breaks, state.loop.exitpc);
+if (!block)
+return ControlStatus_Error;
+if (successor) {
+// Finally, create an unconditional edge from the successor to the
+// catch block.
+successor->end(MGoto::New(alloc(), block));
+if (!block->addPredecessor(alloc(), successor))
+return ControlStatus_Error;
+}
+successor = block;
+}
+if (!setCurrentAndSpecializePhis(successor))
+return ControlStatus_Error;
+// An infinite loop (for (;;) { }) will not have a successor.
+if (!current)
+return ControlStatus_Ended;
+pc = current->pc();
+return ControlStatus_Joined;
+}
+IonBuilder::ControlStatus
+IonBuilder::restartLoop(CFGState state)
+{
+spew("New types at loop header, restarting loop body");
+if (js_JitOptions.limitScriptSize) {
+if (++numLoopRestarts_ >= MAX_LOOP_RESTARTS)
+return ControlStatus_Abort;
+}
+MBasicBlock *header = state.loop.entry;
+// Remove all blocks in the loop body other than the header, which has phis
+// of the appropriate type and incoming edges to preserve.
+graph().removeBlocksAfter(header);
+// Remove all instructions from the header itself, and all resume points
+// except the entry resume point.
+header->discardAllInstructions();
+header->discardAllResumePoints(/* discardEntry = */ false);
+header->setStackDepth(header->getPredecessor(0)->stackDepth());
+popCfgStack();
+loopDepth_++;
+if (!pushLoop(state.loop.initialState, state.loop.initialStopAt, header, state.loop.osr,
+state.loop.loopHead, state.loop.initialPc,
+state.loop.bodyStart, state.loop.bodyEnd,
+state.loop.exitpc, state.loop.continuepc))
+{
+return ControlStatus_Error;
+}
+CFGState &nstate = cfgStack_.back();
+nstate.loop.condpc = state.loop.condpc;
+nstate.loop.updatepc = state.loop.updatepc;
+nstate.loop.updateEnd = state.loop.updateEnd;
+// Don't specializePhis(), as the header has been visited before and the
+// phis have already had their type set.
+setCurrent(header);
+if (!jsop_loophead(nstate.loop.loopHead))
+return ControlStatus_Error;
+pc = nstate.loop.initialPc;
+return ControlStatus_Jumped;
+}
+IonBuilder::ControlStatus
+IonBuilder::processDoWhileBodyEnd(CFGState &state)
+{
+if (!processDeferredContinues(state))
+return ControlStatus_Error;
+// No current means control flow cannot reach the condition, so this will
+// never loop.
+if (!current)
+return processBrokenLoop(state);
+MBasicBlock *header = newBlock(current, state.loop.updatepc);
+if (!header)
+return ControlStatus_Error;
+current->end(MGoto::New(alloc(), header));
+state.state = CFGState::DO_WHILE_LOOP_COND;
+state.stopAt = state.loop.updateEnd;
+pc = state.loop.updatepc;
+if (!setCurrentAndSpecializePhis(header))
+return ControlStatus_Error;
+return ControlStatus_Jumped;
+}
+IonBuilder::ControlStatus
+IonBuilder::processDoWhileCondEnd(CFGState &state)
+{
+JS_ASSERT(JSOp(*pc) == JSOP_IFNE);
+// We're guaranteed a |current|, it's impossible to break or return from
+// inside the conditional expression.
+JS_ASSERT(current);
+// Pop the last value, and create the successor block.
+MDefinition *vins = current->pop();
+MBasicBlock *successor = newBlock(current, GetNextPc(pc), loopDepth_ - 1);
+if (!successor)
+return ControlStatus_Error;
+// Test for do {} while(false) and don't create a loop in that case.
+if (vins->isConstant()) {
+MConstant *cte = vins->toConstant();
+if (cte->value().isBoolean() && !cte->value().toBoolean()) {
+current->end(MGoto::New(alloc(), successor));
+current = nullptr;
+state.loop.successor = successor;
+return processBrokenLoop(state);
+}
+}
+// Create the test instruction and end the current block.
+MTest *test = MTest::New(alloc(), vins, state.loop.entry, successor);
+current->end(test);
+return finishLoop(state, successor);
+}
+IonBuilder::ControlStatus
+IonBuilder::processWhileCondEnd(CFGState &state)
+{
+JS_ASSERT(JSOp(*pc) == JSOP_IFNE || JSOp(*pc) == JSOP_IFEQ);
+// Balance the stack past the IFNE.
+MDefinition *ins = current->pop();
+// Create the body and successor blocks.
+MBasicBlock *body = newBlock(current, state.loop.bodyStart);
+state.loop.successor = newBlock(current, state.loop.exitpc, loopDepth_ - 1);
+if (!body || !state.loop.successor)
+return ControlStatus_Error;
+MTest *test;
+if (JSOp(*pc) == JSOP_IFNE)
+test = MTest::New(alloc(), ins, body, state.loop.successor);
+else
+test = MTest::New(alloc(), ins, state.loop.successor, body);
+current->end(test);
+state.state = CFGState::WHILE_LOOP_BODY;
+state.stopAt = state.loop.bodyEnd;
+pc = state.loop.bodyStart;
+if (!setCurrentAndSpecializePhis(body))
+return ControlStatus_Error;
+return ControlStatus_Jumped;
+}
+IonBuilder::ControlStatus
+IonBuilder::processWhileBodyEnd(CFGState &state)
+{
+if (!processDeferredContinues(state))
+return ControlStatus_Error;
+if (!current)
+return processBrokenLoop(state);
+current->end(MGoto::New(alloc(), state.loop.entry));
+return finishLoop(state, state.loop.successor);
+}
+IonBuilder::ControlStatus
+IonBuilder::processForCondEnd(CFGState &state)
+{
+JS_ASSERT(JSOp(*pc) == JSOP_IFNE);
+// Balance the stack past the IFNE.
+MDefinition *ins = current->pop();
+// Create the body and successor blocks.
+MBasicBlock *body = newBlock(current, state.loop.bodyStart);
+state.loop.successor = newBlock(current, state.loop.exitpc, loopDepth_ - 1);
+if (!body || !state.loop.successor)
+return ControlStatus_Error;
+MTest *test = MTest::New(alloc(), ins, body, state.loop.successor);
+current->end(test);
+state.state = CFGState::FOR_LOOP_BODY;
+state.stopAt = state.loop.bodyEnd;
+pc = state.loop.bodyStart;
+if (!setCurrentAndSpecializePhis(body))
+return ControlStatus_Error;
+return ControlStatus_Jumped;
+}
+IonBuilder::ControlStatus
+IonBuilder::processForBodyEnd(CFGState &state)
+{
+if (!processDeferredContinues(state))
+return ControlStatus_Error;
+// If there is no updatepc, just go right to processing what would be the
+// end of the update clause. Otherwise, |current| might be nullptr; if this is
+// the case, the udpate is unreachable anyway.
+if (!state.loop.updatepc || !current)
+return processForUpdateEnd(state);
+pc = state.loop.updatepc;
+state.state = CFGState::FOR_LOOP_UPDATE;
+state.stopAt = state.loop.updateEnd;
+return ControlStatus_Jumped;
+}
+IonBuilder::ControlStatus
+IonBuilder::processForUpdateEnd(CFGState &state)
+{
+// If there is no current, we couldn't reach the loop edge and there was no
+// update clause.
+if (!current)
+return processBrokenLoop(state);
+current->end(MGoto::New(alloc(), state.loop.entry));
+return finishLoop(state, state.loop.successor);
+}
+IonBuilder::DeferredEdge *
+IonBuilder::filterDeadDeferredEdges(DeferredEdge *edge)
+{
+DeferredEdge *head = edge, *prev = nullptr;
+while (edge) {
+if (edge->block->isDead()) {
+if (prev)
+prev->next = edge->next;
+else
+head = edge->next;
+} else {
+prev = edge;
+}
+edge = edge->next;
+}
+// There must be at least one deferred edge from a block that was not
+// deleted; blocks are deleted when restarting processing of a loop, and
+// the final version of the loop body will have edges from live blocks.
+JS_ASSERT(head);
+return head;
+}
+bool
+IonBuilder::processDeferredContinues(CFGState &state)
+{
+// If there are any continues for this loop, and there is an update block,
+// then we need to create a new basic block to house the update.
+if (state.loop.continues) {
+DeferredEdge *edge = filterDeadDeferredEdges(state.loop.continues);
+MBasicBlock *update = newBlock(edge->block, loops_.back().continuepc);
+if (!update)
+return false;
+if (current) {
+current->end(MGoto::New(alloc(), update));
+if (!update->addPredecessor(alloc(), current))
+return false;
+}
+// No need to use addPredecessor for first edge,
+// because it is already predecessor.
+edge->block->end(MGoto::New(alloc(), update));
+edge = edge->next;
+// Remaining edges
+while (edge) {
+edge->block->end(MGoto::New(alloc(), update));
+if (!update->addPredecessor(alloc(), edge->block))
+return false;
+edge = edge->next;
+}
+state.loop.continues = nullptr;
+if (!setCurrentAndSpecializePhis(update))
+return ControlStatus_Error;
+}
+return true;
+}
+MBasicBlock *
+IonBuilder::createBreakCatchBlock(DeferredEdge *edge, jsbytecode *pc)
+{
+edge = filterDeadDeferredEdges(edge);
+// Create block, using the first break statement as predecessor
+MBasicBlock *successor = newBlock(edge->block, pc);
+if (!successor)
+return nullptr;
+// No need to use addPredecessor for first edge,
+// because it is already predecessor.
+edge->block->end(MGoto::New(alloc(), successor));
+edge = edge->next;
+// Finish up remaining breaks.
+while (edge) {
+edge->block->end(MGoto::New(alloc(), successor));
+if (!successor->addPredecessor(alloc(), edge->block))
+return nullptr;
+edge = edge->next;
+}
+return successor;
+}
+IonBuilder::ControlStatus
+IonBuilder::processNextTableSwitchCase(CFGState &state)
+{
+JS_ASSERT(state.state == CFGState::TABLE_SWITCH);
+state.tableswitch.currentBlock++;
+// Test if there are still unprocessed successors (cases/default)
+if (state.tableswitch.currentBlock >= state.tableswitch.ins->numBlocks())
+return processSwitchEnd(state.tableswitch.breaks, state.tableswitch.exitpc);
+// Get the next successor
+MBasicBlock *successor = state.tableswitch.ins->getBlock(state.tableswitch.currentBlock);
+// Add current block as predecessor if available.
+// This means the previous case didn't have a break statement.
+// So flow will continue in this block.
+if (current) {
+current->end(MGoto::New(alloc(), successor));
+if (!successor->addPredecessor(alloc(), current))
+return ControlStatus_Error;
+}
+// Insert successor after the current block, to maintain RPO.
+graph().moveBlockToEnd(successor);
+// If this is the last successor the block should stop at the end of the tableswitch
+// Else it should stop at the start of the next successor
+if (state.tableswitch.currentBlock+1 < state.tableswitch.ins->numBlocks())
+state.stopAt = state.tableswitch.ins->getBlock(state.tableswitch.currentBlock+1)->pc();
+else
+state.stopAt = state.tableswitch.exitpc;
+if (!setCurrentAndSpecializePhis(successor))
+return ControlStatus_Error;
+pc = current->pc();
+return ControlStatus_Jumped;
+}
+IonBuilder::ControlStatus
+IonBuilder::processAndOrEnd(CFGState &state)
+{
+// We just processed the RHS of an && or || expression.
+// Now jump to the join point (the false block).
+current->end(MGoto::New(alloc(), state.branch.ifFalse));
+if (!state.branch.ifFalse->addPredecessor(alloc(), current))
+return ControlStatus_Error;
+if (!setCurrentAndSpecializePhis(state.branch.ifFalse))
+return ControlStatus_Error;
+graph().moveBlockToEnd(current);
+pc = current->pc();
+return ControlStatus_Joined;
+}
+IonBuilder::ControlStatus
+IonBuilder::processLabelEnd(CFGState &state)
+{
+JS_ASSERT(state.state == CFGState::LABEL);
+// If there are no breaks and no current, controlflow is terminated.
+if (!state.label.breaks && !current)
+return ControlStatus_Ended;
+// If there are no breaks to this label, there's nothing to do.
+if (!state.label.breaks)
+return ControlStatus_Joined;
+MBasicBlock *successor = createBreakCatchBlock(state.label.breaks, state.stopAt);
+if (!successor)
+return ControlStatus_Error;
+if (current) {
+current->end(MGoto::New(alloc(), successor));
+if (!successor->addPredecessor(alloc(), current))
+return ControlStatus_Error;
+}
+pc = state.stopAt;
+if (!setCurrentAndSpecializePhis(successor))
+return ControlStatus_Error;
+return ControlStatus_Joined;
+}
+IonBuilder::ControlStatus
+IonBuilder::processTryEnd(CFGState &state)
+{
+JS_ASSERT(state.state == CFGState::TRY);
+if (!state.try_.successor) {
+JS_ASSERT(!current);
+return ControlStatus_Ended;
+}
+if (current) {
+current->end(MGoto::New(alloc(), state.try_.successor));
+if (!state.try_.successor->addPredecessor(alloc(), current))
+return ControlStatus_Error;
+}
+// Start parsing the code after this try-catch statement.
+if (!setCurrentAndSpecializePhis(state.try_.successor))
+return ControlStatus_Error;
+graph().moveBlockToEnd(current);
+pc = current->pc();
+return ControlStatus_Joined;
+}
+IonBuilder::ControlStatus
+IonBuilder::processBreak(JSOp op, jssrcnote *sn)
+{
+JS_ASSERT(op == JSOP_GOTO);
+JS_ASSERT(SN_TYPE(sn) == SRC_BREAK ||
+SN_TYPE(sn) == SRC_BREAK2LABEL);
+// Find the break target.
+jsbytecode *target = pc + GetJumpOffset(pc);
+DebugOnly<bool> found = false;
+if (SN_TYPE(sn) == SRC_BREAK2LABEL) {
+for (size_t i = labels_.length() - 1; i < labels_.length(); i--) {
+CFGState &cfg = cfgStack_[labels_[i].cfgEntry];
+JS_ASSERT(cfg.state == CFGState::LABEL);
+if (cfg.stopAt == target) {
+cfg.label.breaks = new(alloc()) DeferredEdge(current, cfg.label.breaks);
+found = true;
+break;
+}
+}
+} else {
+for (size_t i = loops_.length() - 1; i < loops_.length(); i--) {
+CFGState &cfg = cfgStack_[loops_[i].cfgEntry];
+JS_ASSERT(cfg.isLoop());
+if (cfg.loop.exitpc == target) {
+cfg.loop.breaks = new(alloc()) DeferredEdge(current, cfg.loop.breaks);
+found = true;
+break;
+}
+}
+}
+JS_ASSERT(found);
+setCurrent(nullptr);
+pc += js_CodeSpec[op].length;
+return processControlEnd();
+}
+static inline jsbytecode *
+EffectiveContinue(jsbytecode *pc)
+{
+if (JSOp(*pc) == JSOP_GOTO)
+return pc + GetJumpOffset(pc);
+return pc;
+}
+IonBuilder::ControlStatus
+IonBuilder::processContinue(JSOp op)
+{
+JS_ASSERT(op == JSOP_GOTO);
+// Find the target loop.
+CFGState *found = nullptr;
+jsbytecode *target = pc + GetJumpOffset(pc);
+for (size_t i = loops_.length() - 1; i < loops_.length(); i--) {
+if (loops_[i].continuepc == target ||
+EffectiveContinue(loops_[i].continuepc) == target)
+{
+found = &cfgStack_[loops_[i].cfgEntry];
+break;
+}
+}
+// There must always be a valid target loop structure. If not, there's
+// probably an off-by-something error in which pc we track.
+JS_ASSERT(found);
+CFGState &state = *found;
+state.loop.continues = new(alloc()) DeferredEdge(current, state.loop.continues);
+setCurrent(nullptr);
+pc += js_CodeSpec[op].length;
+return processControlEnd();
+}
+IonBuilder::ControlStatus
+IonBuilder::processSwitchBreak(JSOp op)
+{
+JS_ASSERT(op == JSOP_GOTO);
+// Find the target switch.
+CFGState *found = nullptr;
+jsbytecode *target = pc + GetJumpOffset(pc);
+for (size_t i = switches_.length() - 1; i < switches_.length(); i--) {
+if (switches_[i].continuepc == target) {
+found = &cfgStack_[switches_[i].cfgEntry];
+break;
+}
+}
+// There must always be a valid target loop structure. If not, there's
+// probably an off-by-something error in which pc we track.
+JS_ASSERT(found);
+CFGState &state = *found;
+DeferredEdge **breaks = nullptr;
+switch (state.state) {
+case CFGState::TABLE_SWITCH:
+breaks = &state.tableswitch.breaks;
+break;
+case CFGState::COND_SWITCH_BODY:
+breaks = &state.condswitch.breaks;
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("Unexpected switch state.");
+}
+*breaks = new(alloc()) DeferredEdge(current, *breaks);
+setCurrent(nullptr);
+pc += js_CodeSpec[op].length;
+return processControlEnd();
+}
+IonBuilder::ControlStatus
+IonBuilder::processSwitchEnd(DeferredEdge *breaks, jsbytecode *exitpc)
+{
+// No break statements, no current.
+// This means that control flow is cut-off from this point
+// (e.g. all cases have return statements).
+if (!breaks && !current)
+return ControlStatus_Ended;
+// Create successor block.
+// If there are breaks, create block with breaks as predecessor
+// Else create a block with current as predecessor
+MBasicBlock *successor = nullptr;
+if (breaks)
+successor = createBreakCatchBlock(breaks, exitpc);
+else
+successor = newBlock(current, exitpc);
+if (!successor)
+return ControlStatus_Ended;
+// If there is current, the current block flows into this one.
+// So current is also a predecessor to this block
+if (current) {
+current->end(MGoto::New(alloc(), successor));
+if (breaks) {
+if (!successor->addPredecessor(alloc(), current))
+return ControlStatus_Error;
+}
+}
+pc = exitpc;
+if (!setCurrentAndSpecializePhis(successor))
+return ControlStatus_Error;
+return ControlStatus_Joined;
+}
+IonBuilder::ControlStatus
+IonBuilder::maybeLoop(JSOp op, jssrcnote *sn)
+{
+// This function looks at the opcode and source note and tries to
+// determine the structure of the loop. For some opcodes, like
+// POP/NOP which are not explicitly control flow, this source note is
+// optional. For opcodes with control flow, like GOTO, an unrecognized
+// or not-present source note is a compilation failure.
+switch (op) {
+case JSOP_POP:
+// for (init; ; update?) ...
+if (sn && SN_TYPE(sn) == SRC_FOR) {
+current->pop();
+return forLoop(op, sn);
+}
+break;
+case JSOP_NOP:
+if (sn) {
+// do { } while (cond)
+if (SN_TYPE(sn) == SRC_WHILE)
+return doWhileLoop(op, sn);
+// Build a mapping such that given a basic block, whose successor
+// has a phi
+// for (; ; update?)
+if (SN_TYPE(sn) == SRC_FOR)
+return forLoop(op, sn);
+}
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("unexpected opcode");
+}
+return ControlStatus_None;
+}
+void
+IonBuilder::assertValidLoopHeadOp(jsbytecode *pc)
+{
+#ifdef DEBUG
+JS_ASSERT(JSOp(*pc) == JSOP_LOOPHEAD);
+// Make sure this is the next opcode after the loop header,
+// unless the for loop is unconditional.
+CFGState &state = cfgStack_.back();
+JS_ASSERT_IF((JSOp)*(state.loop.entry->pc()) == JSOP_GOTO,
+GetNextPc(state.loop.entry->pc()) == pc);
+// do-while loops have a source note.
+jssrcnote *sn = info().getNote(gsn, pc);
+if (sn) {
+jsbytecode *ifne = pc + js_GetSrcNoteOffset(sn, 0);
+jsbytecode *expected_ifne;
+switch (state.state) {
+case CFGState::DO_WHILE_LOOP_BODY:
+expected_ifne = state.loop.updateEnd;
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("JSOP_LOOPHEAD unexpected source note");
+}
+// Make sure this loop goes to the same ifne as the loop header's
+// source notes or GOTO.
+JS_ASSERT(ifne == expected_ifne);
+} else {
+JS_ASSERT(state.state != CFGState::DO_WHILE_LOOP_BODY);
+}
+#endif
+}
+IonBuilder::ControlStatus
+IonBuilder::doWhileLoop(JSOp op, jssrcnote *sn)
+{
+// do { } while() loops have the following structure:
+//    NOP         ; SRC_WHILE (offset to COND)
+//    LOOPHEAD    ; SRC_WHILE (offset to IFNE)
+//    LOOPENTRY
+//    ...         ; body
+//    ...
+//    COND        ; start of condition
+//    ...
+//    IFNE ->     ; goes to LOOPHEAD
+int condition_offset = js_GetSrcNoteOffset(sn, 0);
+jsbytecode *conditionpc = pc + condition_offset;
+jssrcnote *sn2 = info().getNote(gsn, pc+1);
+int offset = js_GetSrcNoteOffset(sn2, 0);
+jsbytecode *ifne = pc + offset + 1;
+JS_ASSERT(ifne > pc);
+// Verify that the IFNE goes back to a loophead op.
+jsbytecode *loopHead = GetNextPc(pc);
+JS_ASSERT(JSOp(*loopHead) == JSOP_LOOPHEAD);
+JS_ASSERT(loopHead == ifne + GetJumpOffset(ifne));
+jsbytecode *loopEntry = GetNextPc(loopHead);
+bool canOsr = LoopEntryCanIonOsr(loopEntry);
+bool osr = info().hasOsrAt(loopEntry);
+if (osr) {
+MBasicBlock *preheader = newOsrPreheader(current, loopEntry);
+if (!preheader)
+return ControlStatus_Error;
+current->end(MGoto::New(alloc(), preheader));
+if (!setCurrentAndSpecializePhis(preheader))
+return ControlStatus_Error;
+}
+unsigned stackPhiCount = 0;
+MBasicBlock *header = newPendingLoopHeader(current, pc, osr, canOsr, stackPhiCount);
+if (!header)
+return ControlStatus_Error;
+current->end(MGoto::New(alloc(), header));
+jsbytecode *loophead = GetNextPc(pc);
+jsbytecode *bodyStart = GetNextPc(loophead);
+jsbytecode *bodyEnd = conditionpc;
+jsbytecode *exitpc = GetNextPc(ifne);
+if (!analyzeNewLoopTypes(header, bodyStart, exitpc))
+return ControlStatus_Error;
+if (!pushLoop(CFGState::DO_WHILE_LOOP_BODY, conditionpc, header, osr,
+loopHead, bodyStart, bodyStart, bodyEnd, exitpc, conditionpc))
+{
+return ControlStatus_Error;
+}
+CFGState &state = cfgStack_.back();
+state.loop.updatepc = conditionpc;
+state.loop.updateEnd = ifne;
+if (!setCurrentAndSpecializePhis(header))
+return ControlStatus_Error;
+if (!jsop_loophead(loophead))
+return ControlStatus_Error;
+pc = bodyStart;
+return ControlStatus_Jumped;
+}
+IonBuilder::ControlStatus
+IonBuilder::whileOrForInLoop(jssrcnote *sn)
+{
+// while (cond) { } loops have the following structure:
+//    GOTO cond   ; SRC_WHILE (offset to IFNE)
+//    LOOPHEAD
+//    ...
+//  cond:
+//    LOOPENTRY
+//    ...
+//    IFNE        ; goes to LOOPHEAD
+// for (x in y) { } loops are similar; the cond will be a MOREITER.
+JS_ASSERT(SN_TYPE(sn) == SRC_FOR_OF || SN_TYPE(sn) == SRC_FOR_IN || SN_TYPE(sn) == SRC_WHILE);
+int ifneOffset = js_GetSrcNoteOffset(sn, 0);
+jsbytecode *ifne = pc + ifneOffset;
+JS_ASSERT(ifne > pc);
+// Verify that the IFNE goes back to a loophead op.
+JS_ASSERT(JSOp(*GetNextPc(pc)) == JSOP_LOOPHEAD);
+JS_ASSERT(GetNextPc(pc) == ifne + GetJumpOffset(ifne));
+jsbytecode *loopEntry = pc + GetJumpOffset(pc);
+bool canOsr = LoopEntryCanIonOsr(loopEntry);
+bool osr = info().hasOsrAt(loopEntry);
+if (osr) {
+MBasicBlock *preheader = newOsrPreheader(current, loopEntry);
+if (!preheader)
+return ControlStatus_Error;
+current->end(MGoto::New(alloc(), preheader));
+if (!setCurrentAndSpecializePhis(preheader))
+return ControlStatus_Error;
+}
+unsigned stackPhiCount;
+if (SN_TYPE(sn) == SRC_FOR_OF)
+stackPhiCount = 2;
+else if (SN_TYPE(sn) == SRC_FOR_IN)
+stackPhiCount = 1;
+else
+stackPhiCount = 0;
+MBasicBlock *header = newPendingLoopHeader(current, pc, osr, canOsr, stackPhiCount);
+if (!header)
+return ControlStatus_Error;
+current->end(MGoto::New(alloc(), header));
+// Skip past the JSOP_LOOPHEAD for the body start.
+jsbytecode *loopHead = GetNextPc(pc);
+jsbytecode *bodyStart = GetNextPc(loopHead);
+jsbytecode *bodyEnd = pc + GetJumpOffset(pc);
+jsbytecode *exitpc = GetNextPc(ifne);
+if (!analyzeNewLoopTypes(header, bodyStart, exitpc))
+return ControlStatus_Error;
+if (!pushLoop(CFGState::WHILE_LOOP_COND, ifne, header, osr,
+loopHead, bodyEnd, bodyStart, bodyEnd, exitpc))
+{
+return ControlStatus_Error;
+}
+// Parse the condition first.
+if (!setCurrentAndSpecializePhis(header))
+return ControlStatus_Error;
+if (!jsop_loophead(loopHead))
+return ControlStatus_Error;
+pc = bodyEnd;
+return ControlStatus_Jumped;
+}
+IonBuilder::ControlStatus
+IonBuilder::forLoop(JSOp op, jssrcnote *sn)
+{
+// Skip the NOP or POP.
+JS_ASSERT(op == JSOP_POP || op == JSOP_NOP);
+pc = GetNextPc(pc);
+jsbytecode *condpc = pc + js_GetSrcNoteOffset(sn, 0);
+jsbytecode *updatepc = pc + js_GetSrcNoteOffset(sn, 1);
+jsbytecode *ifne = pc + js_GetSrcNoteOffset(sn, 2);
+jsbytecode *exitpc = GetNextPc(ifne);
+// for loops have the following structures:
+//
+//   NOP or POP
+//   [GOTO cond | NOP]
+//   LOOPHEAD
+// body:
+//    ; [body]
+// [increment:]
+//    ; [increment]
+// [cond:]
+//   LOOPENTRY
+//   GOTO body
+//
+// If there is a condition (condpc != ifne), this acts similar to a while
+// loop otherwise, it acts like a do-while loop.
+jsbytecode *bodyStart = pc;
+jsbytecode *bodyEnd = updatepc;
+jsbytecode *loopEntry = condpc;
+if (condpc != ifne) {
+JS_ASSERT(JSOp(*bodyStart) == JSOP_GOTO);
+JS_ASSERT(bodyStart + GetJumpOffset(bodyStart) == condpc);
+bodyStart = GetNextPc(bodyStart);
+} else {
+// No loop condition, such as for(j = 0; ; j++)
+if (op != JSOP_NOP) {
+// If the loop starts with POP, we have to skip a NOP.
+JS_ASSERT(JSOp(*bodyStart) == JSOP_NOP);
+bodyStart = GetNextPc(bodyStart);
+}
+loopEntry = GetNextPc(bodyStart);
+}
+jsbytecode *loopHead = bodyStart;
+JS_ASSERT(JSOp(*bodyStart) == JSOP_LOOPHEAD);
+JS_ASSERT(ifne + GetJumpOffset(ifne) == bodyStart);
+bodyStart = GetNextPc(bodyStart);
+bool osr = info().hasOsrAt(loopEntry);
+bool canOsr = LoopEntryCanIonOsr(loopEntry);
+if (osr) {
+MBasicBlock *preheader = newOsrPreheader(current, loopEntry);
+if (!preheader)
+return ControlStatus_Error;
+current->end(MGoto::New(alloc(), preheader));
+if (!setCurrentAndSpecializePhis(preheader))
+return ControlStatus_Error;
+}
+unsigned stackPhiCount = 0;
+MBasicBlock *header = newPendingLoopHeader(current, pc, osr, canOsr, stackPhiCount);
+if (!header)
+return ControlStatus_Error;
+current->end(MGoto::New(alloc(), header));
+// If there is no condition, we immediately parse the body. Otherwise, we
+// parse the condition.
+jsbytecode *stopAt;
+CFGState::State initial;
+if (condpc != ifne) {
+pc = condpc;
+stopAt = ifne;
+initial = CFGState::FOR_LOOP_COND;
+} else {
+pc = bodyStart;
+stopAt = bodyEnd;
+initial = CFGState::FOR_LOOP_BODY;
+}
+if (!analyzeNewLoopTypes(header, bodyStart, exitpc))
+return ControlStatus_Error;
+if (!pushLoop(initial, stopAt, header, osr,
+loopHead, pc, bodyStart, bodyEnd, exitpc, updatepc))
+{
+return ControlStatus_Error;
+}
+CFGState &state = cfgStack_.back();
+state.loop.condpc = (condpc != ifne) ? condpc : nullptr;
+state.loop.updatepc = (updatepc != condpc) ? updatepc : nullptr;
+if (state.loop.updatepc)
+state.loop.updateEnd = condpc;
+if (!setCurrentAndSpecializePhis(header))
+return ControlStatus_Error;
+if (!jsop_loophead(loopHead))
+return ControlStatus_Error;
+return ControlStatus_Jumped;
+}
+int
+IonBuilder::CmpSuccessors(const void *a, const void *b)
+{
+const MBasicBlock *a0 = * (MBasicBlock * const *)a;
+const MBasicBlock *b0 = * (MBasicBlock * const *)b;
+if (a0->pc() == b0->pc())
+return 0;
+return (a0->pc() > b0->pc()) ? 1 : -1;
+}
+IonBuilder::ControlStatus
+IonBuilder::tableSwitch(JSOp op, jssrcnote *sn)
+{
+// TableSwitch op contains the following data
+// (length between data is JUMP_OFFSET_LEN)
+//
+// 0: Offset of default case
+// 1: Lowest number in tableswitch
+// 2: Highest number in tableswitch
+// 3: Offset of case low
+// 4: Offset of case low+1
+// .: ...
+// .: Offset of case high
+JS_ASSERT(op == JSOP_TABLESWITCH);
+JS_ASSERT(SN_TYPE(sn) == SRC_TABLESWITCH);
+// Pop input.
+MDefinition *ins = current->pop();
+// Get the default and exit pc
+jsbytecode *exitpc = pc + js_GetSrcNoteOffset(sn, 0);
+jsbytecode *defaultpc = pc + GET_JUMP_OFFSET(pc);
+JS_ASSERT(defaultpc > pc && defaultpc <= exitpc);
+// Get the low and high from the tableswitch
+jsbytecode *pc2 = pc;
+pc2 += JUMP_OFFSET_LEN;
+int low = GET_JUMP_OFFSET(pc2);
+pc2 += JUMP_OFFSET_LEN;
+int high = GET_JUMP_OFFSET(pc2);
+pc2 += JUMP_OFFSET_LEN;
+// Create MIR instruction
+MTableSwitch *tableswitch = MTableSwitch::New(alloc(), ins, low, high);
+// Create default case
+MBasicBlock *defaultcase = newBlock(current, defaultpc);
+if (!defaultcase)
+return ControlStatus_Error;
+tableswitch->addDefault(defaultcase);
+tableswitch->addBlock(defaultcase);
+// Create cases
+jsbytecode *casepc = nullptr;
+for (int i = 0; i < high-low+1; i++) {
+casepc = pc + GET_JUMP_OFFSET(pc2);
+JS_ASSERT(casepc >= pc && casepc <= exitpc);
+MBasicBlock *caseblock = newBlock(current, casepc);
+if (!caseblock)
+return ControlStatus_Error;
+// If the casepc equals the current pc, it is not a written case,
+// but a filled gap. That way we can use a tableswitch instead of
+// condswitch, even if not all numbers are consecutive.
+// In that case this block goes to the default case
+if (casepc == pc) {
+caseblock->end(MGoto::New(alloc(), defaultcase));
+if (!defaultcase->addPredecessor(alloc(), caseblock))
+return ControlStatus_Error;
+}
+tableswitch->addCase(tableswitch->addSuccessor(caseblock));
+// If this is an actual case (not filled gap),
+// add this block to the list that still needs to get processed
+if (casepc != pc)
+tableswitch->addBlock(caseblock);
+pc2 += JUMP_OFFSET_LEN;
+}
+// Move defaultcase to the end, to maintain RPO.
+graph().moveBlockToEnd(defaultcase);
+JS_ASSERT(tableswitch->numCases() == (uint32_t)(high - low + 1));
+JS_ASSERT(tableswitch->numSuccessors() > 0);
+// Sort the list of blocks that still needs to get processed by pc
+qsort(tableswitch->blocks(), tableswitch->numBlocks(),
+sizeof(MBasicBlock*), CmpSuccessors);
+// Create info
+ControlFlowInfo switchinfo(cfgStack_.length(), exitpc);
+if (!switches_.append(switchinfo))
+return ControlStatus_Error;
+// Use a state to retrieve some information
+CFGState state = CFGState::TableSwitch(exitpc, tableswitch);
+// Save the MIR instruction as last instruction of this block.
+current->end(tableswitch);
+// If there is only one successor the block should stop at the end of the switch
+// Else it should stop at the start of the next successor
+if (tableswitch->numBlocks() > 1)
+state.stopAt = tableswitch->getBlock(1)->pc();
+if (!setCurrentAndSpecializePhis(tableswitch->getBlock(0)))
+return ControlStatus_Error;
+if (!cfgStack_.append(state))
+return ControlStatus_Error;
+pc = current->pc();
+return ControlStatus_Jumped;
+}
+bool
+IonBuilder::filterTypesAtTest(MTest *test)
+{
+JS_ASSERT(test->ifTrue() == current || test->ifFalse() == current);
+bool trueBranch = test->ifTrue() == current;
+MDefinition *subject = nullptr;
+bool removeUndefined;
+bool removeNull;
+test->filtersUndefinedOrNull(trueBranch, &subject, &removeUndefined, &removeNull);
+// The test filters no undefined or null.
+if (!subject)
+return true;
+// There is no TypeSet that can get filtered.
+if (!subject->resultTypeSet() || subject->resultTypeSet()->unknown())
+return true;
+// Only do this optimization if the typeset does contains null or undefined.
+if ((!(removeUndefined && subject->resultTypeSet()->hasType(types::Type::UndefinedType())) &&
+!(removeNull && subject->resultTypeSet()->hasType(types::Type::NullType()))))
+{
+return true;
+}
+// Find all values on the stack that correspond to the subject
+// and replace it with a MIR with filtered TypeSet information.
+// Create the replacement MIR lazily upon first occurence.
+MDefinition *replace = nullptr;
+for (uint32_t i = 0; i < current->stackDepth(); i++) {
+if (current->getSlot(i) != subject)
+continue;
+// Create replacement MIR with filtered TypesSet.
+if (!replace) {
+types::TemporaryTypeSet *type =
+subject->resultTypeSet()->filter(alloc_->lifoAlloc(), removeUndefined,
+removeNull);
+if (!type)
+return false;
+replace = ensureDefiniteTypeSet(subject, type);
+// Make sure we don't hoist it above the MTest, we can use the
+// 'dependency' of an MInstruction. This is normally used by
+// Alias Analysis, but won't get overwritten, since this
+// instruction doesn't have an AliasSet.
+replace->setDependency(test);
+}
+current->setSlot(i, replace);
+}
+return true;
+}
+bool
+IonBuilder::jsop_label()
+{
+JS_ASSERT(JSOp(*pc) == JSOP_LABEL);
+jsbytecode *endpc = pc + GET_JUMP_OFFSET(pc);
+JS_ASSERT(endpc > pc);
+ControlFlowInfo label(cfgStack_.length(), endpc);
+if (!labels_.append(label))
+return false;
+return cfgStack_.append(CFGState::Label(endpc));
+}
+bool
+IonBuilder::jsop_condswitch()
+{
+// CondSwitch op looks as follows:
+//   condswitch [length +exit_pc; first case offset +next-case ]
+//   {
+//     {
+//       ... any code ...
+//       case (+jump) [pcdelta offset +next-case]
+//     }+
+//     default (+jump)
+//     ... jump targets ...
+//   }
+//
+// The default case is always emitted even if there is no default case in
+// the source.  The last case statement pcdelta source note might have a 0
+// offset on the last case (not all the time).
+//
+// A conditional evaluate the condition of each case and compare it to the
+// switch value with a strict equality.  Cases conditions are iterated
+// linearly until one is matching. If one case succeeds, the flow jumps into
+// the corresponding body block.  The body block might alias others and
+// might continue in the next body block if the body is not terminated with
+// a break.
+//
+// Algorithm:
+//  1/ Loop over the case chain to reach the default target
+//   & Estimate the number of uniq bodies.
+//  2/ Generate code for all cases (see processCondSwitchCase).
+//  3/ Generate code for all bodies (see processCondSwitchBody).
+JS_ASSERT(JSOp(*pc) == JSOP_CONDSWITCH);
+jssrcnote *sn = info().getNote(gsn, pc);
+JS_ASSERT(SN_TYPE(sn) == SRC_CONDSWITCH);
+// Get the exit pc
+jsbytecode *exitpc = pc + js_GetSrcNoteOffset(sn, 0);
+jsbytecode *firstCase = pc + js_GetSrcNoteOffset(sn, 1);
+// Iterate all cases in the conditional switch.
+// - Stop at the default case. (always emitted after the last case)
+// - Estimate the number of uniq bodies. This estimation might be off by 1
+//   if the default body alias a case body.
+jsbytecode *curCase = firstCase;
+jsbytecode *lastTarget = GetJumpOffset(curCase) + curCase;
+size_t nbBodies = 2; // default target and the first body.
+JS_ASSERT(pc < curCase && curCase <= exitpc);
+while (JSOp(*curCase) == JSOP_CASE) {
+// Fetch the next case.
+jssrcnote *caseSn = info().getNote(gsn, curCase);
+JS_ASSERT(caseSn && SN_TYPE(caseSn) == SRC_NEXTCASE);
+ptrdiff_t off = js_GetSrcNoteOffset(caseSn, 0);
+curCase = off ? curCase + off : GetNextPc(curCase);
+JS_ASSERT(pc < curCase && curCase <= exitpc);
+// Count non-aliased cases.
+jsbytecode *curTarget = GetJumpOffset(curCase) + curCase;
+if (lastTarget < curTarget)
+nbBodies++;
+lastTarget = curTarget;
+}
+// The current case now be the default case which jump to the body of the
+// default case, which might be behind the last target.
+JS_ASSERT(JSOp(*curCase) == JSOP_DEFAULT);
+jsbytecode *defaultTarget = GetJumpOffset(curCase) + curCase;
+JS_ASSERT(curCase < defaultTarget && defaultTarget <= exitpc);
+// Allocate the current graph state.
+CFGState state = CFGState::CondSwitch(this, exitpc, defaultTarget);
+if (!state.condswitch.bodies || !state.condswitch.bodies->init(alloc(), nbBodies))
+return ControlStatus_Error;
+// We loop on case conditions with processCondSwitchCase.
+JS_ASSERT(JSOp(*firstCase) == JSOP_CASE);
+state.stopAt = firstCase;
+state.state = CFGState::COND_SWITCH_CASE;
+return cfgStack_.append(state);
+}
+IonBuilder::CFGState
+IonBuilder::CFGState::CondSwitch(IonBuilder *builder, jsbytecode *exitpc, jsbytecode *defaultTarget)
+{
+CFGState state;
+state.state = COND_SWITCH_CASE;
+state.stopAt = nullptr;
+state.condswitch.bodies = (FixedList<MBasicBlock *> *)builder->alloc_->allocate(
+sizeof(FixedList<MBasicBlock *>));
+state.condswitch.currentIdx = 0;
+state.condswitch.defaultTarget = defaultTarget;
+state.condswitch.defaultIdx = uint32_t(-1);
+state.condswitch.exitpc = exitpc;
+state.condswitch.breaks = nullptr;
+return state;
+}
+IonBuilder::CFGState
+IonBuilder::CFGState::Label(jsbytecode *exitpc)
+{
+CFGState state;
+state.state = LABEL;
+state.stopAt = exitpc;
+state.label.breaks = nullptr;
+return state;
+}
+IonBuilder::CFGState
+IonBuilder::CFGState::Try(jsbytecode *exitpc, MBasicBlock *successor)
+{
+CFGState state;
+state.state = TRY;
+state.stopAt = exitpc;
+state.try_.successor = successor;
+return state;
+}
+IonBuilder::ControlStatus
+IonBuilder::processCondSwitchCase(CFGState &state)
+{
+JS_ASSERT(state.state == CFGState::COND_SWITCH_CASE);
+JS_ASSERT(!state.condswitch.breaks);
+JS_ASSERT(current);
+JS_ASSERT(JSOp(*pc) == JSOP_CASE);
+FixedList<MBasicBlock *> &bodies = *state.condswitch.bodies;
+jsbytecode *defaultTarget = state.condswitch.defaultTarget;
+uint32_t &currentIdx = state.condswitch.currentIdx;
+jsbytecode *lastTarget = currentIdx ? bodies[currentIdx - 1]->pc() : nullptr;
+// Fetch the following case in which we will continue.
+jssrcnote *sn = info().getNote(gsn, pc);
+ptrdiff_t off = js_GetSrcNoteOffset(sn, 0);
+jsbytecode *casePc = off ? pc + off : GetNextPc(pc);
+bool caseIsDefault = JSOp(*casePc) == JSOP_DEFAULT;
+JS_ASSERT(JSOp(*casePc) == JSOP_CASE || caseIsDefault);
+// Allocate the block of the matching case.
+bool bodyIsNew = false;
+MBasicBlock *bodyBlock = nullptr;
+jsbytecode *bodyTarget = pc + GetJumpOffset(pc);
+if (lastTarget < bodyTarget) {
+// If the default body is in the middle or aliasing the current target.
+if (lastTarget < defaultTarget && defaultTarget <= bodyTarget) {
+JS_ASSERT(state.condswitch.defaultIdx == uint32_t(-1));
+state.condswitch.defaultIdx = currentIdx;
+bodies[currentIdx] = nullptr;
+// If the default body does not alias any and it would be allocated
+// later and stored in the defaultIdx location.
+if (defaultTarget < bodyTarget)
+currentIdx++;
+}
+bodyIsNew = true;
+// Pop switch and case operands.
+bodyBlock = newBlockPopN(current, bodyTarget, 2);
+bodies[currentIdx++] = bodyBlock;
+} else {
+// This body alias the previous one.
+JS_ASSERT(lastTarget == bodyTarget);
+JS_ASSERT(currentIdx > 0);
+bodyBlock = bodies[currentIdx - 1];
+}
+if (!bodyBlock)
+return ControlStatus_Error;
+lastTarget = bodyTarget;
+// Allocate the block of the non-matching case.  This can either be a normal
+// case or the default case.
+bool caseIsNew = false;
+MBasicBlock *caseBlock = nullptr;
+if (!caseIsDefault) {
+caseIsNew = true;
+// Pop the case operand.
+caseBlock = newBlockPopN(current, GetNextPc(pc), 1);
+} else {
+// The non-matching case is the default case, which jump directly to its
+// body. Skip the creation of a default case block and directly create
+// the default body if it does not alias any previous body.
+if (state.condswitch.defaultIdx == uint32_t(-1)) {
+// The default target is the last target.
+JS_ASSERT(lastTarget < defaultTarget);
+state.condswitch.defaultIdx = currentIdx++;
+caseIsNew = true;
+} else if (bodies[state.condswitch.defaultIdx] == nullptr) {
+// The default target is in the middle and it does not alias any
+// case target.
+JS_ASSERT(defaultTarget < lastTarget);
+caseIsNew = true;
+} else {
+// The default target is in the middle and it alias a case target.
+JS_ASSERT(defaultTarget <= lastTarget);
+caseBlock = bodies[state.condswitch.defaultIdx];
+}
+// Allocate and register the default body.
+if (caseIsNew) {
+// Pop the case & switch operands.
+caseBlock = newBlockPopN(current, defaultTarget, 2);
+bodies[state.condswitch.defaultIdx] = caseBlock;
+}
+}
+if (!caseBlock)
+return ControlStatus_Error;
+// Terminate the last case condition block by emitting the code
+// corresponding to JSOP_CASE bytecode.
+if (bodyBlock != caseBlock) {
+MDefinition *caseOperand = current->pop();
+MDefinition *switchOperand = current->peek(-1);
+MCompare *cmpResult = MCompare::New(alloc(), switchOperand, caseOperand, JSOP_STRICTEQ);
+cmpResult->infer(inspector, pc);
+JS_ASSERT(!cmpResult->isEffectful());
+current->add(cmpResult);
+current->end(MTest::New(alloc(), cmpResult, bodyBlock, caseBlock));
+// Add last case as predecessor of the body if the body is aliasing
+// the previous case body.
+if (!bodyIsNew && !bodyBlock->addPredecessorPopN(alloc(), current, 1))
+return ControlStatus_Error;
+// Add last case as predecessor of the non-matching case if the
+// non-matching case is an aliased default case. We need to pop the
+// switch operand as we skip the default case block and use the default
+// body block directly.
+JS_ASSERT_IF(!caseIsNew, caseIsDefault);
+if (!caseIsNew && !caseBlock->addPredecessorPopN(alloc(), current, 1))
+return ControlStatus_Error;
+} else {
+// The default case alias the last case body.
+JS_ASSERT(caseIsDefault);
+current->pop(); // Case operand
+current->pop(); // Switch operand
+current->end(MGoto::New(alloc(), bodyBlock));
+if (!bodyIsNew && !bodyBlock->addPredecessor(alloc(), current))
+return ControlStatus_Error;
+}
+if (caseIsDefault) {
+// The last case condition is finished.  Loop in processCondSwitchBody,
+// with potential stops in processSwitchBreak.  Check that the bodies
+// fixed list is over-estimate by at most 1, and shrink the size such as
+// length can be used as an upper bound while iterating bodies.
+JS_ASSERT(currentIdx == bodies.length() || currentIdx + 1 == bodies.length());
+bodies.shrink(bodies.length() - currentIdx);
+// Handle break statements in processSwitchBreak while processing
+// bodies.
+ControlFlowInfo breakInfo(cfgStack_.length() - 1, state.condswitch.exitpc);
+if (!switches_.append(breakInfo))
+return ControlStatus_Error;
+// Jump into the first body.
+currentIdx = 0;
+setCurrent(nullptr);
+state.state = CFGState::COND_SWITCH_BODY;
+return processCondSwitchBody(state);
+}
+// Continue until the case condition.
+if (!setCurrentAndSpecializePhis(caseBlock))
+return ControlStatus_Error;
+pc = current->pc();
+state.stopAt = casePc;
+return ControlStatus_Jumped;
+}
+IonBuilder::ControlStatus
+IonBuilder::processCondSwitchBody(CFGState &state)
+{
+JS_ASSERT(state.state == CFGState::COND_SWITCH_BODY);
+JS_ASSERT(pc <= state.condswitch.exitpc);
+FixedList<MBasicBlock *> &bodies = *state.condswitch.bodies;
+uint32_t &currentIdx = state.condswitch.currentIdx;
+JS_ASSERT(currentIdx <= bodies.length());
+if (currentIdx == bodies.length()) {
+JS_ASSERT_IF(current, pc == state.condswitch.exitpc);
+return processSwitchEnd(state.condswitch.breaks, state.condswitch.exitpc);
+}
+// Get the next body
+MBasicBlock *nextBody = bodies[currentIdx++];
+JS_ASSERT_IF(current, pc == nextBody->pc());
+// Fix the reverse post-order iteration.
+graph().moveBlockToEnd(nextBody);
+// The last body continue into the new one.
+if (current) {
+current->end(MGoto::New(alloc(), nextBody));
+if (!nextBody->addPredecessor(alloc(), current))
+return ControlStatus_Error;
+}
+// Continue in the next body.
+if (!setCurrentAndSpecializePhis(nextBody))
+return ControlStatus_Error;
+pc = current->pc();
+if (currentIdx < bodies.length())
+state.stopAt = bodies[currentIdx]->pc();
+else
+state.stopAt = state.condswitch.exitpc;
+return ControlStatus_Jumped;
+}
+bool
+IonBuilder::jsop_andor(JSOp op)
+{
+JS_ASSERT(op == JSOP_AND || op == JSOP_OR);
+jsbytecode *rhsStart = pc + js_CodeSpec[op].length;
+jsbytecode *joinStart = pc + GetJumpOffset(pc);
+JS_ASSERT(joinStart > pc);
+// We have to leave the LHS on the stack.
+MDefinition *lhs = current->peek(-1);
+MBasicBlock *evalRhs = newBlock(current, rhsStart);
+MBasicBlock *join = newBlock(current, joinStart);
+if (!evalRhs || !join)
+return false;
+MTest *test = (op == JSOP_AND)
+? MTest::New(alloc(), lhs, evalRhs, join)
+: MTest::New(alloc(), lhs, join, evalRhs);
+test->infer();
+current->end(test);
+if (!cfgStack_.append(CFGState::AndOr(joinStart, join)))
+return false;
+return setCurrentAndSpecializePhis(evalRhs);
+}
+bool
+IonBuilder::jsop_dup2()
+{
+uint32_t lhsSlot = current->stackDepth() - 2;
+uint32_t rhsSlot = current->stackDepth() - 1;
+current->pushSlot(lhsSlot);
+current->pushSlot(rhsSlot);
+return true;
+}
+bool
+IonBuilder::jsop_loophead(jsbytecode *pc)
+{
+assertValidLoopHeadOp(pc);
+current->add(MInterruptCheck::New(alloc()));
+insertRecompileCheck();
+return true;
+}
+bool
+IonBuilder::jsop_ifeq(JSOp op)
+{
+// IFEQ always has a forward offset.
+jsbytecode *trueStart = pc + js_CodeSpec[op].length;
+jsbytecode *falseStart = pc + GetJumpOffset(pc);
+JS_ASSERT(falseStart > pc);
+// We only handle cases that emit source notes.
+jssrcnote *sn = info().getNote(gsn, pc);
+if (!sn)
+return abort("expected sourcenote");
+MDefinition *ins = current->pop();
+// Create true and false branches.
+MBasicBlock *ifTrue = newBlock(current, trueStart);
+MBasicBlock *ifFalse = newBlock(current, falseStart);
+if (!ifTrue || !ifFalse)
+return false;
+MTest *test = MTest::New(alloc(), ins, ifTrue, ifFalse);
+current->end(test);
+// The bytecode for if/ternary gets emitted either like this:
+//
+//    IFEQ X  ; src note (IF_ELSE, COND) points to the GOTO
+//    ...
+//    GOTO Z
+// X: ...     ; else/else if
+//    ...
+// Z:         ; join
+//
+// Or like this:
+//
+//    IFEQ X  ; src note (IF) has no offset
+//    ...
+// Z: ...     ; join
+//
+// We want to parse the bytecode as if we were parsing the AST, so for the
+// IF_ELSE/COND cases, we use the source note and follow the GOTO. For the
+// IF case, the IFEQ offset is the join point.
+switch (SN_TYPE(sn)) {
+case SRC_IF:
+if (!cfgStack_.append(CFGState::If(falseStart, test)))
+return false;
+break;
+case SRC_IF_ELSE:
+case SRC_COND:
+{
+// Infer the join point from the JSOP_GOTO[X] sitting here, then
+// assert as we much we can that this is the right GOTO.
+jsbytecode *trueEnd = pc + js_GetSrcNoteOffset(sn, 0);
+JS_ASSERT(trueEnd > pc);
+JS_ASSERT(trueEnd < falseStart);
+JS_ASSERT(JSOp(*trueEnd) == JSOP_GOTO);
+JS_ASSERT(!info().getNote(gsn, trueEnd));
+jsbytecode *falseEnd = trueEnd + GetJumpOffset(trueEnd);
+JS_ASSERT(falseEnd > trueEnd);
+JS_ASSERT(falseEnd >= falseStart);
+if (!cfgStack_.append(CFGState::IfElse(trueEnd, falseEnd, test)))
+return false;
+break;
+}
+default:
+MOZ_ASSUME_UNREACHABLE("unexpected source note type");
+}
+// Switch to parsing the true branch. Note that no PC update is needed,
+// it's the next instruction.
+if (!setCurrentAndSpecializePhis(ifTrue))
+return false;
+// Filter the types in the true branch.
+filterTypesAtTest(test);
+return true;
+}
+bool
+IonBuilder::jsop_try()
+{
+JS_ASSERT(JSOp(*pc) == JSOP_TRY);
+if (!js_JitOptions.compileTryCatch)
+return abort("Try-catch support disabled");
+// Try-finally is not yet supported.
+if (analysis().hasTryFinally())
+return abort("Has try-finally");
+// Try-catch within inline frames is not yet supported.
+JS_ASSERT(!isInlineBuilder());
+// Try-catch during the arguments usage analysis is not yet supported. Code
+// accessing the arguments within the 'catch' block is not accounted for.
+if (info().executionMode() == ArgumentsUsageAnalysis)
+return abort("Try-catch during arguments usage analysis");
+graph().setHasTryBlock();
+jssrcnote *sn = info().getNote(gsn, pc);
+JS_ASSERT(SN_TYPE(sn) == SRC_TRY);
+// Get the pc of the last instruction in the try block. It's a JSOP_GOTO to
+// jump over the catch block.
+jsbytecode *endpc = pc + js_GetSrcNoteOffset(sn, 0);
+JS_ASSERT(JSOp(*endpc) == JSOP_GOTO);
+JS_ASSERT(GetJumpOffset(endpc) > 0);
+jsbytecode *afterTry = endpc + GetJumpOffset(endpc);
+// If controlflow in the try body is terminated (by a return or throw
+// statement), the code after the try-statement may still be reachable
+// via the catch block (which we don't compile) and OSR can enter it.
+// For example:
+//
+//     try {
+//         throw 3;
+//     } catch(e) { }
+//
+//     for (var i=0; i<1000; i++) {}
+//
+// To handle this, we create two blocks: one for the try block and one
+// for the code following the try-catch statement. Both blocks are
+// connected to the graph with an MTest instruction that always jumps to
+// the try block. This ensures the successor block always has a predecessor
+// and later passes will optimize this MTest to a no-op.
+//
+// If the code after the try block is unreachable (control flow in both the
+// try and catch blocks is terminated), only create the try block, to avoid
+// parsing unreachable code.
+MBasicBlock *tryBlock = newBlock(current, GetNextPc(pc));
+if (!tryBlock)
+return false;
+MBasicBlock *successor;
+if (analysis().maybeInfo(afterTry)) {
+successor = newBlock(current, afterTry);
+if (!successor)
+return false;
+// Add MTest(true, tryBlock, successorBlock).
+MConstant *true_ = MConstant::New(alloc(), BooleanValue(true));
+current->add(true_);
+current->end(MTest::New(alloc(), true_, tryBlock, successor));
+} else {
+successor = nullptr;
+current->end(MGoto::New(alloc(), tryBlock));
+}
+if (!cfgStack_.append(CFGState::Try(endpc, successor)))
+return false;
+// The baseline compiler should not attempt to enter the catch block
+// via OSR.
+JS_ASSERT(info().osrPc() < endpc || info().osrPc() >= afterTry);
+// Start parsing the try block.
+return setCurrentAndSpecializePhis(tryBlock);
+}
+IonBuilder::ControlStatus
+IonBuilder::processReturn(JSOp op)
+{
+MDefinition *def;
+switch (op) {
+case JSOP_RETURN:
+// Return the last instruction.
+def = current->pop();
+break;
+case JSOP_RETRVAL:
+// Return undefined eagerly if script doesn't use return value.
+if (script()->noScriptRval()) {
+MInstruction *ins = MConstant::New(alloc(), UndefinedValue());
+current->add(ins);
+def = ins;
+break;
+}
+def = current->getSlot(info().returnValueSlot());
+break;
+default:
+def = nullptr;
+MOZ_ASSUME_UNREACHABLE("unknown return op");
+}
+if (instrumentedProfiling()) {
+current->add(MProfilerStackOp::New(alloc(), script(), MProfilerStackOp::Exit,
+inliningDepth_));
+}
+MReturn *ret = MReturn::New(alloc(), def);
+current->end(ret);
+if (!graph().addReturn(current))
+return ControlStatus_Error;
+// Make sure no one tries to use this block now.
+setCurrent(nullptr);
+return processControlEnd();
+}
+IonBuilder::ControlStatus
+IonBuilder::processThrow()
+{
+MDefinition *def = current->pop();
+// MThrow is not marked as effectful. This means when it throws and we
+// are inside a try block, we could use an earlier resume point and this
+// resume point may not be up-to-date, for example:
+//
+// (function() {
+//     try {
+//         var x = 1;
+//         foo(); // resume point
+//         x = 2;
+//         throw foo;
+//     } catch(e) {
+//         print(x);
+//     }
+// ])();
+//
+// If we use the resume point after the call, this will print 1 instead
+// of 2. To fix this, we create a resume point right before the MThrow.
+//
+// Note that this is not a problem for instructions other than MThrow
+// because they are either marked as effectful (have their own resume
+// point) or cannot throw a catchable exception.
+//
+// We always install this resume point (instead of only when the function
+// has a try block) in order to handle the Debugger onExceptionUnwind
+// hook. When we need to handle the hook, we bail out to baseline right
+// after the throw and propagate the exception when debug mode is on. This
+// is opposed to the normal behavior of resuming directly in the
+// associated catch block.
+MNop *nop = MNop::New(alloc());
+current->add(nop);
+if (!resumeAfter(nop))
+return ControlStatus_Error;
+MThrow *ins = MThrow::New(alloc(), def);
+current->end(ins);
+// Make sure no one tries to use this block now.
+setCurrent(nullptr);
+return processControlEnd();
+}
+bool
+IonBuilder::pushConstant(const Value &v)
+{
+current->push(constant(v));
+return true;
+}
+bool
+IonBuilder::jsop_bitnot()
+{
+MDefinition *input = current->pop();
+MBitNot *ins = MBitNot::New(alloc(), input);
+current->add(ins);
+ins->infer();
+current->push(ins);
+if (ins->isEffectful() && !resumeAfter(ins))
+return false;
+return true;
+}
+bool
+IonBuilder::jsop_bitop(JSOp op)
+{
+// Pop inputs.
+MDefinition *right = current->pop();
+MDefinition *left = current->pop();
+MBinaryBitwiseInstruction *ins;
+switch (op) {
+case JSOP_BITAND:
+ins = MBitAnd::New(alloc(), left, right);
+break;
+case JSOP_BITOR:
+ins = MBitOr::New(alloc(), left, right);
+break;
+case JSOP_BITXOR:
+ins = MBitXor::New(alloc(), left, right);
+break;
+case JSOP_LSH:
+ins = MLsh::New(alloc(), left, right);
+break;
+case JSOP_RSH:
+ins = MRsh::New(alloc(), left, right);
+break;
+case JSOP_URSH:
+ins = MUrsh::New(alloc(), left, right);
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("unexpected bitop");
+}
+current->add(ins);
+ins->infer(inspector, pc);
+current->push(ins);
+if (ins->isEffectful() && !resumeAfter(ins))
+return false;
+return true;
+}
+bool
+IonBuilder::jsop_binary(JSOp op, MDefinition *left, MDefinition *right)
+{
+// Do a string concatenation if adding two inputs that are int or string
+// and at least one is a string.
+if (op == JSOP_ADD &&
+((left->type() == MIRType_String &&
+(right->type() == MIRType_String ||
+right->type() == MIRType_Int32 ||
+right->type() == MIRType_Double)) ||
+(left->type() == MIRType_Int32 &&
+right->type() == MIRType_String) ||
+(left->type() == MIRType_Double &&
+right->type() == MIRType_String)))
+{
+MConcat *ins = MConcat::New(alloc(), left, right);
+current->add(ins);
+current->push(ins);
+return maybeInsertResume();
+}
+MBinaryArithInstruction *ins;
+switch (op) {
+case JSOP_ADD:
+ins = MAdd::New(alloc(), left, right);
+break;
+case JSOP_SUB:
+ins = MSub::New(alloc(), left, right);
+break;
+case JSOP_MUL:
+ins = MMul::New(alloc(), left, right);
+break;
+case JSOP_DIV:
+ins = MDiv::New(alloc(), left, right);
+break;
+case JSOP_MOD:
+ins = MMod::New(alloc(), left, right);
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("unexpected binary opcode");
+}
+current->add(ins);
+ins->infer(alloc(), inspector, pc);
+current->push(ins);
+if (ins->isEffectful())
+return resumeAfter(ins);
+return maybeInsertResume();
+}
+bool
+IonBuilder::jsop_binary(JSOp op)
+{
+MDefinition *right = current->pop();
+MDefinition *left = current->pop();
+return jsop_binary(op, left, right);
+}
+bool
+IonBuilder::jsop_pos()
+{
+if (IsNumberType(current->peek(-1)->type())) {
+// Already int32 or double. Set the operand as implicitly used so it
+// doesn't get optimized out if it has no other uses, as we could bail
+// out.
+current->peek(-1)->setImplicitlyUsedUnchecked();
+return true;
+}
+// Compile +x as x * 1.
+MDefinition *value = current->pop();
+MConstant *one = MConstant::New(alloc(), Int32Value(1));
+current->add(one);
+return jsop_binary(JSOP_MUL, value, one);
+}
+bool
+IonBuilder::jsop_neg()
+{
+// Since JSOP_NEG does not use a slot, we cannot push the MConstant.
+// The MConstant is therefore passed to JSOP_MUL without slot traffic.
+MConstant *negator = MConstant::New(alloc(), Int32Value(-1));
+current->add(negator);
+MDefinition *right = current->pop();
+if (!jsop_binary(JSOP_MUL, negator, right))
+return false;
+return true;
+}
+class AutoAccumulateReturns
+{
+MIRGraph &graph_;
+MIRGraphReturns *prev_;
+public:
+AutoAccumulateReturns(MIRGraph &graph, MIRGraphReturns &returns)
+: graph_(graph)
+{
+prev_ = graph_.returnAccumulator();
+graph_.setReturnAccumulator(&returns);
+}
+~AutoAccumulateReturns() {
+graph_.setReturnAccumulator(prev_);
+}
+};
+bool
+IonBuilder::inlineScriptedCall(CallInfo &callInfo, JSFunction *target)
+{
+JS_ASSERT(target->hasScript());
+JS_ASSERT(IsIonInlinablePC(pc));
+callInfo.setImplicitlyUsedUnchecked();
+// Ensure sufficient space in the slots: needed for inlining from FUNAPPLY.
+uint32_t depth = current->stackDepth() + callInfo.numFormals();
+if (depth > current->nslots()) {
+if (!current->increaseSlots(depth - current->nslots()))
+return false;
+}
+// Create new |this| on the caller-side for inlined constructors.
+if (callInfo.constructing()) {
+MDefinition *thisDefn = createThis(target, callInfo.fun());
+if (!thisDefn)
+return false;
+callInfo.setThis(thisDefn);
+}
+// Capture formals in the outer resume point.
+callInfo.pushFormals(current);
+MResumePoint *outerResumePoint =
+MResumePoint::New(alloc(), current, pc, callerResumePoint_, MResumePoint::Outer);
+if (!outerResumePoint)
+return false;
+// Pop formals again, except leave |fun| on stack for duration of call.
+callInfo.popFormals(current);
+current->push(callInfo.fun());
+JSScript *calleeScript = target->nonLazyScript();
+BaselineInspector inspector(calleeScript);
+// Improve type information of |this| when not set.
+if (callInfo.constructing() &&
+!callInfo.thisArg()->resultTypeSet() &&
+calleeScript->types)
+{
+types::StackTypeSet *types = types::TypeScript::ThisTypes(calleeScript);
+if (!types->unknown()) {
+types::TemporaryTypeSet *clonedTypes = types->clone(alloc_->lifoAlloc());
+if (!clonedTypes)
+return oom();
+MTypeBarrier *barrier = MTypeBarrier::New(alloc(), callInfo.thisArg(), clonedTypes);
+current->add(barrier);
+callInfo.setThis(barrier);
+}
+}
+// Start inlining.
+LifoAlloc *lifoAlloc = alloc_->lifoAlloc();
+CompileInfo *info = lifoAlloc->new_<CompileInfo>(calleeScript, target,
+(jsbytecode *)nullptr, callInfo.constructing(),
+this->info().executionMode(),
+/* needsArgsObj = */ false);
+if (!info)
+return false;
+MIRGraphReturns returns(alloc());
+AutoAccumulateReturns aar(graph(), returns);
+// Build the graph.
+IonBuilder inlineBuilder(analysisContext, compartment, options, &alloc(), &graph(), constraints(),
+&inspector, info, &optimizationInfo(), nullptr, inliningDepth_ + 1,
+loopDepth_);
+if (!inlineBuilder.buildInline(this, outerResumePoint, callInfo)) {
+if (analysisContext && analysisContext->isExceptionPending()) {
+IonSpew(IonSpew_Abort, "Inline builder raised exception.");
+abortReason_ = AbortReason_Error;
+return false;
+}
+// Inlining the callee failed. Mark the callee as uninlineable only if
+// the inlining was aborted for a non-exception reason.
+if (inlineBuilder.abortReason_ == AbortReason_Disable) {
+calleeScript->setUninlineable();
+abortReason_ = AbortReason_Inlining;
+} else if (inlineBuilder.abortReason_ == AbortReason_Inlining) {
+abortReason_ = AbortReason_Inlining;
+}
+return false;
+}
+// Create return block.
+jsbytecode *postCall = GetNextPc(pc);
+MBasicBlock *returnBlock = newBlock(nullptr, postCall);
+if (!returnBlock)
+return false;
+returnBlock->setCallerResumePoint(callerResumePoint_);
+// When profiling add InlineExit instruction to indicate end of inlined function.
+if (instrumentedProfiling())
+returnBlock->add(MProfilerStackOp::New(alloc(), nullptr, MProfilerStackOp::InlineExit));
+// Inherit the slots from current and pop |fun|.
+returnBlock->inheritSlots(current);
+returnBlock->pop();
+// Accumulate return values.
+if (returns.empty()) {
+// Inlining of functions that have no exit is not supported.
+calleeScript->setUninlineable();
+abortReason_ = AbortReason_Inlining;
+return false;
+}
+MDefinition *retvalDefn = patchInlinedReturns(callInfo, returns, returnBlock);
+if (!retvalDefn)
+return false;
+returnBlock->push(retvalDefn);
+// Initialize entry slots now that the stack has been fixed up.
+if (!returnBlock->initEntrySlots(alloc()))
+return false;
+return setCurrentAndSpecializePhis(returnBlock);
+}
+MDefinition *
+IonBuilder::patchInlinedReturn(CallInfo &callInfo, MBasicBlock *exit, MBasicBlock *bottom)
+{
+// Replaces the MReturn in the exit block with an MGoto.
+MDefinition *rdef = exit->lastIns()->toReturn()->input();
+exit->discardLastIns();
+// Constructors must be patched by the caller to always return an object.
+if (callInfo.constructing()) {
+if (rdef->type() == MIRType_Value) {
+// Unknown return: dynamically detect objects.
+MReturnFromCtor *filter = MReturnFromCtor::New(alloc(), rdef, callInfo.thisArg());
+exit->add(filter);
+rdef = filter;
+} else if (rdef->type() != MIRType_Object) {
+// Known non-object return: force |this|.
+rdef = callInfo.thisArg();
+}
+} else if (callInfo.isSetter()) {
+// Setters return their argument, not whatever value is returned.
+rdef = callInfo.getArg(0);
+}
+MGoto *replacement = MGoto::New(alloc(), bottom);
+exit->end(replacement);
+if (!bottom->addPredecessorWithoutPhis(exit))
+return nullptr;
+return rdef;
+}
+MDefinition *
+IonBuilder::patchInlinedReturns(CallInfo &callInfo, MIRGraphReturns &returns, MBasicBlock *bottom)
+{
+// Replaces MReturns with MGotos, returning the MDefinition
+// representing the return value, or nullptr.
+JS_ASSERT(returns.length() > 0);
+if (returns.length() == 1)
+return patchInlinedReturn(callInfo, returns[0], bottom);
+// Accumulate multiple returns with a phi.
+MPhi *phi = MPhi::New(alloc(), bottom->stackDepth());
+if (!phi->reserveLength(returns.length()))
+return nullptr;
+for (size_t i = 0; i < returns.length(); i++) {
+MDefinition *rdef = patchInlinedReturn(callInfo, returns[i], bottom);
+if (!rdef)
+return nullptr;
+phi->addInput(rdef);
+}
+bottom->addPhi(phi);
+return phi;
+}
+IonBuilder::InliningDecision
+IonBuilder::makeInliningDecision(JSFunction *target, CallInfo &callInfo)
+{
+// When there is no target, inlining is impossible.
+if (target == nullptr)
+return InliningDecision_DontInline;
+// Never inline during the arguments usage analysis.
+if (info().executionMode() == ArgumentsUsageAnalysis)
+return InliningDecision_DontInline;
+// Native functions provide their own detection in inlineNativeCall().
+if (target->isNative())
+return InliningDecision_Inline;
+// Determine whether inlining is possible at callee site
+InliningDecision decision = canInlineTarget(target, callInfo);
+if (decision != InliningDecision_Inline)
+return decision;
+// Heuristics!
+JSScript *targetScript = target->nonLazyScript();
+// Skip heuristics if we have an explicit hint to inline.
+if (!targetScript->shouldInline()) {
+// Cap the inlining depth.
+if (js_JitOptions.isSmallFunction(targetScript)) {
+if (inliningDepth_ >= optimizationInfo().smallFunctionMaxInlineDepth())
+return DontInline(targetScript, "Vetoed: exceeding allowed inline depth");
+} else {
+if (inliningDepth_ >= optimizationInfo().maxInlineDepth())
+return DontInline(targetScript, "Vetoed: exceeding allowed inline depth");
+if (targetScript->hasLoops())
+return DontInline(targetScript, "Vetoed: big function that contains a loop");
+// Caller must not be excessively large.
+if (script()->length() >= optimizationInfo().inliningMaxCallerBytecodeLength())
+return DontInline(targetScript, "Vetoed: caller excessively large");
+}
+// Callee must not be excessively large.
+// This heuristic also applies to the callsite as a whole.
+if (targetScript->length() > optimizationInfo().inlineMaxTotalBytecodeLength())
+return DontInline(targetScript, "Vetoed: callee excessively large");
+// Callee must have been called a few times to have somewhat stable
+// type information, except for definite properties analysis,
+// as the caller has not run yet.
+if (targetScript->getUseCount() < optimizationInfo().usesBeforeInlining() &&
+info().executionMode() != DefinitePropertiesAnalysis)
+{
+return DontInline(targetScript, "Vetoed: callee is insufficiently hot.");
+}
+}
+// TI calls ObjectStateChange to trigger invalidation of the caller.
+types::TypeObjectKey *targetType = types::TypeObjectKey::get(target);
+targetType->watchStateChangeForInlinedCall(constraints());
+// We mustn't relazify functions that have been inlined, because there's
+// no way to tell if it safe to do so.
+script()->setHasBeenInlined();
+return InliningDecision_Inline;
+}
+bool
+IonBuilder::selectInliningTargets(ObjectVector &targets, CallInfo &callInfo, BoolVector &choiceSet,
+uint32_t *numInlineable)
+{
+*numInlineable = 0;
+uint32_t totalSize = 0;
+// For each target, ask whether it may be inlined.
+if (!choiceSet.reserve(targets.length()))
+return false;
+for (size_t i = 0; i < targets.length(); i++) {
+JSFunction *target = &targets[i]->as<JSFunction>();
+bool inlineable;
+InliningDecision decision = makeInliningDecision(target, callInfo);
+switch (decision) {
+case InliningDecision_Error:
+return false;
+case InliningDecision_DontInline:
+inlineable = false;
+break;
+case InliningDecision_Inline:
+inlineable = true;
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("Unhandled InliningDecision value!");
+}
+// Enforce a maximum inlined bytecode limit at the callsite.
+if (inlineable && target->isInterpreted()) {
+totalSize += target->nonLazyScript()->length();
+if (totalSize > optimizationInfo().inlineMaxTotalBytecodeLength())
+inlineable = false;
+}
+choiceSet.append(inlineable);
+if (inlineable)
+*numInlineable += 1;
+}
+JS_ASSERT(choiceSet.length() == targets.length());
+return true;
+}
+static bool
+CanInlineGetPropertyCache(MGetPropertyCache *cache, MDefinition *thisDef)
+{
+JS_ASSERT(cache->object()->type() == MIRType_Object);
+if (cache->object() != thisDef)
+return false;
+InlinePropertyTable *table = cache->propTable();
+if (!table)
+return false;
+if (table->numEntries() == 0)
+return false;
+return true;
+}
+MGetPropertyCache *
+IonBuilder::getInlineableGetPropertyCache(CallInfo &callInfo)
+{
+if (callInfo.constructing())
+return nullptr;
+MDefinition *thisDef = callInfo.thisArg();
+if (thisDef->type() != MIRType_Object)
+return nullptr;
+MDefinition *funcDef = callInfo.fun();
+if (funcDef->type() != MIRType_Object)
+return nullptr;
+// MGetPropertyCache with no uses may be optimized away.
+if (funcDef->isGetPropertyCache()) {
+MGetPropertyCache *cache = funcDef->toGetPropertyCache();
+if (cache->hasUses())
+return nullptr;
+if (!CanInlineGetPropertyCache(cache, thisDef))
+return nullptr;
+return cache;
+}
+// Optimize away the following common pattern:
+// MTypeBarrier[MIRType_Object] <- MGetPropertyCache
+if (funcDef->isTypeBarrier()) {
+MTypeBarrier *barrier = funcDef->toTypeBarrier();
+if (barrier->hasUses())
+return nullptr;
+if (barrier->type() != MIRType_Object)
+return nullptr;
+if (!barrier->input()->isGetPropertyCache())
+return nullptr;
+MGetPropertyCache *cache = barrier->input()->toGetPropertyCache();
+if (cache->hasUses() && !cache->hasOneUse())
+return nullptr;
+if (!CanInlineGetPropertyCache(cache, thisDef))
+return nullptr;
+return cache;
+}
+return nullptr;
+}
+IonBuilder::InliningStatus
+IonBuilder::inlineSingleCall(CallInfo &callInfo, JSFunction *target)
+{
+// Expects formals to be popped and wrapped.
+if (target->isNative())
+return inlineNativeCall(callInfo, target);
+if (!inlineScriptedCall(callInfo, target))
+return InliningStatus_Error;
+return InliningStatus_Inlined;
+}
+IonBuilder::InliningStatus
+IonBuilder::inlineCallsite(ObjectVector &targets, ObjectVector &originals,
+bool lambda, CallInfo &callInfo)
+{
+if (targets.empty())
+return InliningStatus_NotInlined;
+// Is the function provided by an MGetPropertyCache?
+// If so, the cache may be movable to a fallback path, with a dispatch
+// instruction guarding on the incoming TypeObject.
+MGetPropertyCache *propCache = getInlineableGetPropertyCache(callInfo);
+// Inline single targets -- unless they derive from a cache, in which case
+// avoiding the cache and guarding is still faster.
+if (!propCache && targets.length() == 1) {
+JSFunction *target = &targets[0]->as<JSFunction>();
+InliningDecision decision = makeInliningDecision(target, callInfo);
+switch (decision) {
+case InliningDecision_Error:
+return InliningStatus_Error;
+case InliningDecision_DontInline:
+return InliningStatus_NotInlined;
+case InliningDecision_Inline:
+break;
+}
+// Inlining will elminate uses of the original callee, but it needs to
+// be preserved in phis if we bail out.  Mark the old callee definition as
+// implicitly used to ensure this happens.
+callInfo.fun()->setImplicitlyUsedUnchecked();
+// If the callee is not going to be a lambda (which may vary across
+// different invocations), then the callee definition can be replaced by a
+// constant.
+if (!lambda) {
+// Replace the function with an MConstant.
+MConstant *constFun = constant(ObjectValue(*target));
+callInfo.setFun(constFun);
+}
+return inlineSingleCall(callInfo, target);
+}
+// Choose a subset of the targets for polymorphic inlining.
+BoolVector choiceSet(alloc());
+uint32_t numInlined;
+if (!selectInliningTargets(targets, callInfo, choiceSet, &numInlined))
+return InliningStatus_Error;
+if (numInlined == 0)
+return InliningStatus_NotInlined;
+// Perform a polymorphic dispatch.
+if (!inlineCalls(callInfo, targets, originals, choiceSet, propCache))
+return InliningStatus_Error;
+return InliningStatus_Inlined;
+}
+bool
+IonBuilder::inlineGenericFallback(JSFunction *target, CallInfo &callInfo, MBasicBlock *dispatchBlock,
+bool clonedAtCallsite)
+{
+// Generate a new block with all arguments on-stack.
+MBasicBlock *fallbackBlock = newBlock(dispatchBlock, pc);
+if (!fallbackBlock)
+return false;
+// Create a new CallInfo to track modified state within this block.
+CallInfo fallbackInfo(alloc(), callInfo.constructing());
+if (!fallbackInfo.init(callInfo))
+return false;
+fallbackInfo.popFormals(fallbackBlock);
+// Generate an MCall, which uses stateful |current|.
+if (!setCurrentAndSpecializePhis(fallbackBlock))
+return false;
+if (!makeCall(target, fallbackInfo, clonedAtCallsite))
+return false;
+// Pass return block to caller as |current|.
+return true;
+}
+bool
+IonBuilder::inlineTypeObjectFallback(CallInfo &callInfo, MBasicBlock *dispatchBlock,
+MTypeObjectDispatch *dispatch, MGetPropertyCache *cache,
+MBasicBlock **fallbackTarget)
+{
+// Getting here implies the following:
+// 1. The call function is an MGetPropertyCache, or an MGetPropertyCache
+//    followed by an MTypeBarrier.
+JS_ASSERT(callInfo.fun()->isGetPropertyCache() || callInfo.fun()->isTypeBarrier());
+// 2. The MGetPropertyCache has inlineable cases by guarding on the TypeObject.
+JS_ASSERT(dispatch->numCases() > 0);
+// 3. The MGetPropertyCache (and, if applicable, MTypeBarrier) only
+//    have at most a single use.
+JS_ASSERT_IF(callInfo.fun()->isGetPropertyCache(), !cache->hasUses());
+JS_ASSERT_IF(callInfo.fun()->isTypeBarrier(), cache->hasOneUse());
+// This means that no resume points yet capture the MGetPropertyCache,
+// so everything from the MGetPropertyCache up until the call is movable.
+// We now move the MGetPropertyCache and friends into a fallback path.
+// Create a new CallInfo to track modified state within the fallback path.
+CallInfo fallbackInfo(alloc(), callInfo.constructing());
+if (!fallbackInfo.init(callInfo))
+return false;
+// Capture stack prior to the call operation. This captures the function.
+MResumePoint *preCallResumePoint =
+MResumePoint::New(alloc(), dispatchBlock, pc, callerResumePoint_, MResumePoint::ResumeAt);
+if (!preCallResumePoint)
+return false;
+DebugOnly<size_t> preCallFuncIndex = preCallResumePoint->numOperands() - callInfo.numFormals();
+JS_ASSERT(preCallResumePoint->getOperand(preCallFuncIndex) == fallbackInfo.fun());
+// In the dispatch block, replace the function's slot entry with Undefined.
+MConstant *undefined = MConstant::New(alloc(), UndefinedValue());
+dispatchBlock->add(undefined);
+dispatchBlock->rewriteAtDepth(-int(callInfo.numFormals()), undefined);
+// Construct a block that does nothing but remove formals from the stack.
+// This is effectively changing the entry resume point of the later fallback block.
+MBasicBlock *prepBlock = newBlock(dispatchBlock, pc);
+if (!prepBlock)
+return false;
+fallbackInfo.popFormals(prepBlock);
+// Construct a block into which the MGetPropertyCache can be moved.
+// This is subtle: the pc and resume point are those of the MGetPropertyCache!
+InlinePropertyTable *propTable = cache->propTable();
+JS_ASSERT(propTable->pc() != nullptr);
+JS_ASSERT(propTable->priorResumePoint() != nullptr);
+MBasicBlock *getPropBlock = newBlock(prepBlock, propTable->pc(), propTable->priorResumePoint());
+if (!getPropBlock)
+return false;
+prepBlock->end(MGoto::New(alloc(), getPropBlock));
+// Since the getPropBlock inherited the stack from right before the MGetPropertyCache,
+// the target of the MGetPropertyCache is still on the stack.
+DebugOnly<MDefinition *> checkObject = getPropBlock->pop();
+JS_ASSERT(checkObject == cache->object());
+// Move the MGetPropertyCache and friends into the getPropBlock.
+if (fallbackInfo.fun()->isGetPropertyCache()) {
+JS_ASSERT(fallbackInfo.fun()->toGetPropertyCache() == cache);
+getPropBlock->addFromElsewhere(cache);
+getPropBlock->push(cache);
+} else {
+MTypeBarrier *barrier = callInfo.fun()->toTypeBarrier();
+JS_ASSERT(barrier->type() == MIRType_Object);
+JS_ASSERT(barrier->input()->isGetPropertyCache());
+JS_ASSERT(barrier->input()->toGetPropertyCache() == cache);
+getPropBlock->addFromElsewhere(cache);
+getPropBlock->addFromElsewhere(barrier);
+getPropBlock->push(barrier);
+}
+// Construct an end block with the correct resume point.
+MBasicBlock *preCallBlock = newBlock(getPropBlock, pc, preCallResumePoint);
+if (!preCallBlock)
+return false;
+getPropBlock->end(MGoto::New(alloc(), preCallBlock));
+// Now inline the MCallGeneric, using preCallBlock as the dispatch point.
+if (!inlineGenericFallback(nullptr, fallbackInfo, preCallBlock, false))
+return false;
+// inlineGenericFallback() set the return block as |current|.
+preCallBlock->end(MGoto::New(alloc(), current));
+*fallbackTarget = prepBlock;
+return true;
+}
+bool
+IonBuilder::inlineCalls(CallInfo &callInfo, ObjectVector &targets,
+ObjectVector &originals, BoolVector &choiceSet,
+MGetPropertyCache *maybeCache)
+{
+// Only handle polymorphic inlining.
+JS_ASSERT(IsIonInlinablePC(pc));
+JS_ASSERT(choiceSet.length() == targets.length());
+JS_ASSERT_IF(!maybeCache, targets.length() >= 2);
+JS_ASSERT_IF(maybeCache, targets.length() >= 1);
+MBasicBlock *dispatchBlock = current;
+callInfo.setImplicitlyUsedUnchecked();
+callInfo.pushFormals(dispatchBlock);
+// Patch any InlinePropertyTable to only contain functions that are inlineable.
+//
+// Note that we trim using originals, as callsite clones are not user
+// visible. We don't patch the entries inside the table with the cloned
+// targets, as the entries should only be used for comparison.
+//
+// The InlinePropertyTable will also be patched at the end to exclude native functions
+// that vetoed inlining.
+if (maybeCache) {
+InlinePropertyTable *propTable = maybeCache->propTable();
+propTable->trimToTargets(originals);
+if (propTable->numEntries() == 0)
+maybeCache = nullptr;
+}
+// Generate a dispatch based on guard kind.
+MDispatchInstruction *dispatch;
+if (maybeCache) {
+dispatch = MTypeObjectDispatch::New(alloc(), maybeCache->object(), maybeCache->propTable());
+callInfo.fun()->setImplicitlyUsedUnchecked();
+} else {
+dispatch = MFunctionDispatch::New(alloc(), callInfo.fun());
+}
+// Generate a return block to host the rval-collecting MPhi.
+jsbytecode *postCall = GetNextPc(pc);
+MBasicBlock *returnBlock = newBlock(nullptr, postCall);
+if (!returnBlock)
+return false;
+returnBlock->setCallerResumePoint(callerResumePoint_);
+// Set up stack, used to manually create a post-call resume point.
+returnBlock->inheritSlots(dispatchBlock);
+callInfo.popFormals(returnBlock);
+MPhi *retPhi = MPhi::New(alloc(), returnBlock->stackDepth());
+returnBlock->addPhi(retPhi);
+returnBlock->push(retPhi);
+// Create a resume point from current stack state.
+returnBlock->initEntrySlots(alloc());
+// Reserve the capacity for the phi.
+// Note: this is an upperbound. Unreachable targets and uninlineable natives are also counted.
+uint32_t count = 1; // Possible fallback block.
+for (uint32_t i = 0; i < targets.length(); i++) {
+if (choiceSet[i])
+count++;
+}
+retPhi->reserveLength(count);
+// During inlining the 'this' value is assigned a type set which is
+// specialized to the type objects which can generate that inlining target.
+// After inlining the original type set is restored.
+types::TemporaryTypeSet *cacheObjectTypeSet =
+maybeCache ? maybeCache->object()->resultTypeSet() : nullptr;
+// Inline each of the inlineable targets.
+JS_ASSERT(targets.length() == originals.length());
+for (uint32_t i = 0; i < targets.length(); i++) {
+// When original != target, the target is a callsite clone. The
+// original should be used for guards, and the target should be the
+// actual function inlined.
+JSFunction *original = &originals[i]->as<JSFunction>();
+JSFunction *target = &targets[i]->as<JSFunction>();
+// Target must be inlineable.
+if (!choiceSet[i])
+continue;
+// Target must be reachable by the MDispatchInstruction.
+if (maybeCache && !maybeCache->propTable()->hasFunction(original)) {
+choiceSet[i] = false;
+continue;
+}
+MBasicBlock *inlineBlock = newBlock(dispatchBlock, pc);
+if (!inlineBlock)
+return false;
+// Create a function MConstant to use in the entry ResumePoint.
+MConstant *funcDef = MConstant::New(alloc(), ObjectValue(*target), constraints());
+funcDef->setImplicitlyUsedUnchecked();
+dispatchBlock->add(funcDef);
+// Use the MConstant in the inline resume point and on stack.
+int funIndex = inlineBlock->entryResumePoint()->numOperands() - callInfo.numFormals();
+inlineBlock->entryResumePoint()->replaceOperand(funIndex, funcDef);
+inlineBlock->rewriteSlot(funIndex, funcDef);
+// Create a new CallInfo to track modified state within the inline block.
+CallInfo inlineInfo(alloc(), callInfo.constructing());
+if (!inlineInfo.init(callInfo))
+return false;
+inlineInfo.popFormals(inlineBlock);
+inlineInfo.setFun(funcDef);
+if (maybeCache) {
+JS_ASSERT(callInfo.thisArg() == maybeCache->object());
+types::TemporaryTypeSet *targetThisTypes =
+maybeCache->propTable()->buildTypeSetForFunction(original);
+if (!targetThisTypes)
+return false;
+maybeCache->object()->setResultTypeSet(targetThisTypes);
+}
+// Inline the call into the inlineBlock.
+if (!setCurrentAndSpecializePhis(inlineBlock))
+return false;
+InliningStatus status = inlineSingleCall(inlineInfo, target);
+if (status == InliningStatus_Error)
+return false;
+// Natives may veto inlining.
+if (status == InliningStatus_NotInlined) {
+JS_ASSERT(target->isNative());
+JS_ASSERT(current == inlineBlock);
+inlineBlock->discardAllResumePoints();
+graph().removeBlock(inlineBlock);
+choiceSet[i] = false;
+continue;
+}
+// inlineSingleCall() changed |current| to the inline return block.
+MBasicBlock *inlineReturnBlock = current;
+setCurrent(dispatchBlock);
+// Connect the inline path to the returnBlock.
+//
+// Note that guarding is on the original function pointer even
+// if there is a clone, since cloning occurs at the callsite.
+dispatch->addCase(original, inlineBlock);
+MDefinition *retVal = inlineReturnBlock->peek(-1);
+retPhi->addInput(retVal);
+inlineReturnBlock->end(MGoto::New(alloc(), returnBlock));
+if (!returnBlock->addPredecessorWithoutPhis(inlineReturnBlock))
+return false;
+}
+// Patch the InlinePropertyTable to not dispatch to vetoed paths.
+//
+// Note that like above, we trim using originals instead of targets.
+if (maybeCache) {
+maybeCache->object()->setResultTypeSet(cacheObjectTypeSet);
+InlinePropertyTable *propTable = maybeCache->propTable();
+propTable->trimTo(originals, choiceSet);
+// If all paths were vetoed, output only a generic fallback path.
+if (propTable->numEntries() == 0) {
+JS_ASSERT(dispatch->numCases() == 0);
+maybeCache = nullptr;
+}
+}
+// If necessary, generate a fallback path.
+// MTypeObjectDispatch always uses a fallback path.
+if (maybeCache || dispatch->numCases() < targets.length()) {
+// Generate fallback blocks, and set |current| to the fallback return block.
+if (maybeCache) {
+MBasicBlock *fallbackTarget;
+if (!inlineTypeObjectFallback(callInfo, dispatchBlock, (MTypeObjectDispatch *)dispatch,
+maybeCache, &fallbackTarget))
+{
+return false;
+}
+dispatch->addFallback(fallbackTarget);
+} else {
+JSFunction *remaining = nullptr;
+bool clonedAtCallsite = false;
+// If there is only 1 remaining case, we can annotate the fallback call
+// with the target information.
+if (dispatch->numCases() + 1 == originals.length()) {
+for (uint32_t i = 0; i < originals.length(); i++) {
+if (choiceSet[i])
+continue;
+remaining = &targets[i]->as<JSFunction>();
+clonedAtCallsite = targets[i] != originals[i];
+break;
+}
+}
+if (!inlineGenericFallback(remaining, callInfo, dispatchBlock, clonedAtCallsite))
+return false;
+dispatch->addFallback(current);
+}
+MBasicBlock *fallbackReturnBlock = current;
+// Connect fallback case to return infrastructure.
+MDefinition *retVal = fallbackReturnBlock->peek(-1);
+retPhi->addInput(retVal);
+fallbackReturnBlock->end(MGoto::New(alloc(), returnBlock));
+if (!returnBlock->addPredecessorWithoutPhis(fallbackReturnBlock))
+return false;
+}
+// Finally add the dispatch instruction.
+// This must be done at the end so that add() may be called above.
+dispatchBlock->end(dispatch);
+// Check the depth change: +1 for retval
+JS_ASSERT(returnBlock->stackDepth() == dispatchBlock->stackDepth() - callInfo.numFormals() + 1);
+graph().moveBlockToEnd(returnBlock);
+return setCurrentAndSpecializePhis(returnBlock);
+}
+MInstruction *
+IonBuilder::createDeclEnvObject(MDefinition *callee, MDefinition *scope)
+{
+// Get a template CallObject that we'll use to generate inline object
+// creation.
+DeclEnvObject *templateObj = inspector->templateDeclEnvObject();
+// One field is added to the function to handle its name.  This cannot be a
+// dynamic slot because there is still plenty of room on the DeclEnv object.
+JS_ASSERT(!templateObj->hasDynamicSlots());
+// Allocate the actual object. It is important that no intervening
+// instructions could potentially bailout, thus leaking the dynamic slots
+// pointer.
+MInstruction *declEnvObj = MNewDeclEnvObject::New(alloc(), templateObj);
+current->add(declEnvObj);
+// Initialize the object's reserved slots. No post barrier is needed here:
+// the object will be allocated in the nursery if possible, and if the
+// tenured heap is used instead, a minor collection will have been performed
+// that moved scope/callee to the tenured heap.
+current->add(MStoreFixedSlot::New(alloc(), declEnvObj, DeclEnvObject::enclosingScopeSlot(), scope));
+current->add(MStoreFixedSlot::New(alloc(), declEnvObj, DeclEnvObject::lambdaSlot(), callee));
+return declEnvObj;
+}
+MInstruction *
+IonBuilder::createCallObject(MDefinition *callee, MDefinition *scope)
+{
+// Get a template CallObject that we'll use to generate inline object
+// creation.
+CallObject *templateObj = inspector->templateCallObject();
+// If the CallObject needs dynamic slots, allocate those now.
+MInstruction *slots;
+if (templateObj->hasDynamicSlots()) {
+size_t nslots = JSObject::dynamicSlotsCount(templateObj->numFixedSlots(),
+templateObj->lastProperty()->slotSpan(templateObj->getClass()),
+templateObj->getClass());
+slots = MNewSlots::New(alloc(), nslots);
+} else {
+slots = MConstant::New(alloc(), NullValue());
+}
+current->add(slots);
+// Allocate the actual object. It is important that no intervening
+// instructions could potentially bailout, thus leaking the dynamic slots
+// pointer. Run-once scripts need a singleton type, so always do a VM call
+// in such cases.
+MUnaryInstruction *callObj;
+if (script()->treatAsRunOnce())
+callObj = MNewRunOnceCallObject::New(alloc(), templateObj, slots);
+else
+callObj = MNewCallObject::New(alloc(), templateObj, slots);
+current->add(callObj);
+// Initialize the object's reserved slots. No post barrier is needed here,
+// for the same reason as in createDeclEnvObject.
+current->add(MStoreFixedSlot::New(alloc(), callObj, CallObject::enclosingScopeSlot(), scope));
+current->add(MStoreFixedSlot::New(alloc(), callObj, CallObject::calleeSlot(), callee));
+// Initialize argument slots.
+for (AliasedFormalIter i(script()); i; i++) {
+unsigned slot = i.scopeSlot();
+unsigned formal = i.frameIndex();
+MDefinition *param = current->getSlot(info().argSlotUnchecked(formal));
+if (slot >= templateObj->numFixedSlots())
+current->add(MStoreSlot::New(alloc(), slots, slot - templateObj->numFixedSlots(), param));
+else
+current->add(MStoreFixedSlot::New(alloc(), callObj, slot, param));
+}
+return callObj;
+}
+MDefinition *
+IonBuilder::createThisScripted(MDefinition *callee)
+{
+// Get callee.prototype.
+//
+// This instruction MUST be idempotent: since it does not correspond to an
+// explicit operation in the bytecode, we cannot use resumeAfter().
+// Getters may not override |prototype| fetching, so this operation is indeed idempotent.
+// - First try an idempotent property cache.
+// - Upon failing idempotent property cache, we can't use a non-idempotent cache,
+//   therefore we fallback to CallGetProperty
+//
+// Note: both CallGetProperty and GetPropertyCache can trigger a GC,
+//       and thus invalidation.
+MInstruction *getProto;
+if (!invalidatedIdempotentCache()) {
+MGetPropertyCache *getPropCache = MGetPropertyCache::New(alloc(), callee, names().prototype,
+/* monitored = */ false);
+getPropCache->setIdempotent();
+getProto = getPropCache;
+} else {
+MCallGetProperty *callGetProp = MCallGetProperty::New(alloc(), callee, names().prototype,
+/* callprop = */ false);
+callGetProp->setIdempotent();
+getProto = callGetProp;
+}
+current->add(getProto);
+// Create this from prototype
+MCreateThisWithProto *createThis = MCreateThisWithProto::New(alloc(), callee, getProto);
+current->add(createThis);
+return createThis;
+}
+JSObject *
+IonBuilder::getSingletonPrototype(JSFunction *target)
+{
+if (!target || !target->hasSingletonType())
+return nullptr;
+types::TypeObjectKey *targetType = types::TypeObjectKey::get(target);
+if (targetType->unknownProperties())
+return nullptr;
+jsid protoid = NameToId(names().prototype);
+types::HeapTypeSetKey protoProperty = targetType->property(protoid);
+return protoProperty.singleton(constraints());
+}
+MDefinition *
+IonBuilder::createThisScriptedSingleton(JSFunction *target, MDefinition *callee)
+{
+// Get the singleton prototype (if exists)
+JSObject *proto = getSingletonPrototype(target);
+if (!proto)
+return nullptr;
+JSObject *templateObject = inspector->getTemplateObject(pc);
+if (!templateObject || !templateObject->is<JSObject>())
+return nullptr;
+if (!templateObject->hasTenuredProto() || templateObject->getProto() != proto)
+return nullptr;
+if (!target->nonLazyScript()->types)
+return nullptr;
+if (!types::TypeScript::ThisTypes(target->nonLazyScript())->hasType(types::Type::ObjectType(templateObject)))
+return nullptr;
+// For template objects with NewScript info, the appropriate allocation
+// kind to use may change due to dynamic property adds. In these cases
+// calling Ion code will be invalidated, but any baseline template object
+// may be stale. Update to the correct template object in this case.
+types::TypeObject *templateType = templateObject->type();
+if (templateType->hasNewScript()) {
+templateObject = templateType->newScript()->templateObject;
+JS_ASSERT(templateObject->type() == templateType);
+// Trigger recompilation if the templateObject changes.
+types::TypeObjectKey::get(templateType)->watchStateChangeForNewScriptTemplate(constraints());
+}
+// Generate an inline path to create a new |this| object with
+// the given singleton prototype.
+MCreateThisWithTemplate *createThis =
+MCreateThisWithTemplate::New(alloc(), constraints(), templateObject,
+templateObject->type()->initialHeap(constraints()));
+current->add(createThis);
+return createThis;
+}
+MDefinition *
+IonBuilder::createThis(JSFunction *target, MDefinition *callee)
+{
+// Create this for unknown target
+if (!target) {
+MCreateThis *createThis = MCreateThis::New(alloc(), callee);
+current->add(createThis);
+return createThis;
+}
+// Native constructors build the new Object themselves.
+if (target->isNative()) {
+if (!target->isNativeConstructor())
+return nullptr;
+MConstant *magic = MConstant::New(alloc(), MagicValue(JS_IS_CONSTRUCTING));
+current->add(magic);
+return magic;
+}
+// Try baking in the prototype.
+MDefinition *createThis = createThisScriptedSingleton(target, callee);
+if (createThis)
+return createThis;
+return createThisScripted(callee);
+}
+bool
+IonBuilder::jsop_funcall(uint32_t argc)
+{
+// Stack for JSOP_FUNCALL:
+// 1:      arg0
+// ...
+// argc:   argN
+// argc+1: JSFunction*, the 'f' in |f.call()|, in |this| position.
+// argc+2: The native 'call' function.
+int calleeDepth = -((int)argc + 2);
+int funcDepth = -((int)argc + 1);
+// If |Function.prototype.call| may be overridden, don't optimize callsite.
+types::TemporaryTypeSet *calleeTypes = current->peek(calleeDepth)->resultTypeSet();
+JSFunction *native = getSingleCallTarget(calleeTypes);
+if (!native || !native->isNative() || native->native() != &js_fun_call) {
+CallInfo callInfo(alloc(), false);
+if (!callInfo.init(current, argc))
+return false;
+return makeCall(native, callInfo, false);
+}
+current->peek(calleeDepth)->setImplicitlyUsedUnchecked();
+// Extract call target.
+types::TemporaryTypeSet *funTypes = current->peek(funcDepth)->resultTypeSet();
+JSFunction *target = getSingleCallTarget(funTypes);
+// Shimmy the slots down to remove the native 'call' function.
+current->shimmySlots(funcDepth - 1);
+bool zeroArguments = (argc == 0);
+// If no |this| argument was provided, explicitly pass Undefined.
+// Pushing is safe here, since one stack slot has been removed.
+if (zeroArguments) {
+pushConstant(UndefinedValue());
+} else {
+// |this| becomes implicit in the call.
+argc -= 1;
+}
+CallInfo callInfo(alloc(), false);
+if (!callInfo.init(current, argc))
+return false;
+// Try to inline the call.
+if (!zeroArguments) {
+InliningDecision decision = makeInliningDecision(target, callInfo);
+switch (decision) {
+case InliningDecision_Error:
+return false;
+case InliningDecision_DontInline:
+break;
+case InliningDecision_Inline:
+if (target->isInterpreted())
+return inlineScriptedCall(callInfo, target);
+break;
+}
+}
+// Call without inlining.
+return makeCall(target, callInfo, false);
+}
+bool
+IonBuilder::jsop_funapply(uint32_t argc)
+{
+int calleeDepth = -((int)argc + 2);
+types::TemporaryTypeSet *calleeTypes = current->peek(calleeDepth)->resultTypeSet();
+JSFunction *native = getSingleCallTarget(calleeTypes);
+if (argc != 2) {
+CallInfo callInfo(alloc(), false);
+if (!callInfo.init(current, argc))
+return false;
+return makeCall(native, callInfo, false);
+}
+// Disable compilation if the second argument to |apply| cannot be guaranteed
+// to be either definitely |arguments| or definitely not |arguments|.
+MDefinition *argument = current->peek(-1);
+if (script()->argumentsHasVarBinding() &&
+argument->mightBeType(MIRType_MagicOptimizedArguments) &&
+argument->type() != MIRType_MagicOptimizedArguments)
+{
+return abort("fun.apply with MaybeArguments");
+}
+// Fallback to regular call if arg 2 is not definitely |arguments|.
+if (argument->type() != MIRType_MagicOptimizedArguments) {
+CallInfo callInfo(alloc(), false);
+if (!callInfo.init(current, argc))
+return false;
+return makeCall(native, callInfo, false);
+}
+if (!native ||
+!native->isNative() ||
+native->native() != js_fun_apply)
+{
+return abort("fun.apply speculation failed");
+}
+current->peek(calleeDepth)->setImplicitlyUsedUnchecked();
+// Use funapply that definitely uses |arguments|
+return jsop_funapplyarguments(argc);
+}
+bool
+IonBuilder::jsop_funapplyarguments(uint32_t argc)
+{
+// Stack for JSOP_FUNAPPLY:
+// 1:      Vp
+// 2:      This
+// argc+1: JSFunction*, the 'f' in |f.call()|, in |this| position.
+// argc+2: The native 'apply' function.
+int funcDepth = -((int)argc + 1);
+// Extract call target.
+types::TemporaryTypeSet *funTypes = current->peek(funcDepth)->resultTypeSet();
+JSFunction *target = getSingleCallTarget(funTypes);
+// When this script isn't inlined, use MApplyArgs,
+// to copy the arguments from the stack and call the function
+if (inliningDepth_ == 0 && info().executionMode() != DefinitePropertiesAnalysis) {
+// The array argument corresponds to the arguments object. As the JIT
+// is implicitly reading the arguments object in the next instruction,
+// we need to prevent the deletion of the arguments object from resume
+// points, so that Baseline will behave correctly after a bailout.
+MDefinition *vp = current->pop();
+vp->setImplicitlyUsedUnchecked();
+MDefinition *argThis = current->pop();
+// Unwrap the (JSFunction *) parameter.
+MDefinition *argFunc = current->pop();
+// Pop apply function.
+current->pop();
+MArgumentsLength *numArgs = MArgumentsLength::New(alloc());
+current->add(numArgs);
+MApplyArgs *apply = MApplyArgs::New(alloc(), target, argFunc, numArgs, argThis);
+current->add(apply);
+current->push(apply);
+if (!resumeAfter(apply))
+return false;
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+return pushTypeBarrier(apply, types, true);
+}
+// When inlining we have the arguments the function gets called with
+// and can optimize even more, by just calling the functions with the args.
+// We also try this path when doing the definite properties analysis, as we
+// can inline the apply() target and don't care about the actual arguments
+// that were passed in.
+CallInfo callInfo(alloc(), false);
+// Vp
+MDefinition *vp = current->pop();
+vp->setImplicitlyUsedUnchecked();
+// Arguments
+MDefinitionVector args(alloc());
+if (inliningDepth_) {
+if (!args.appendAll(inlineCallInfo_->argv()))
+return false;
+}
+callInfo.setArgs(&args);
+// This
+MDefinition *argThis = current->pop();
+callInfo.setThis(argThis);
+// Pop function parameter.
+MDefinition *argFunc = current->pop();
+callInfo.setFun(argFunc);
+// Pop apply function.
+current->pop();
+// Try to inline the call.
+InliningDecision decision = makeInliningDecision(target, callInfo);
+switch (decision) {
+case InliningDecision_Error:
+return false;
+case InliningDecision_DontInline:
+break;
+case InliningDecision_Inline:
+if (target->isInterpreted())
+return inlineScriptedCall(callInfo, target);
+}
+return makeCall(target, callInfo, false);
+}
+bool
+IonBuilder::jsop_call(uint32_t argc, bool constructing)
+{
+// If this call has never executed, try to seed the observed type set
+// based on how the call result is used.
+types::TemporaryTypeSet *observed = bytecodeTypes(pc);
+if (observed->empty()) {
+if (BytecodeFlowsToBitop(pc)) {
+observed->addType(types::Type::Int32Type(), alloc_->lifoAlloc());
+} else if (*GetNextPc(pc) == JSOP_POS) {
+// Note: this is lame, overspecialized on the code patterns used
+// by asm.js and should be replaced by a more general mechanism.
+// See bug 870847.
+observed->addType(types::Type::DoubleType(), alloc_->lifoAlloc());
+}
+}
+int calleeDepth = -((int)argc + 2);
+// Acquire known call target if existent.
+ObjectVector originals(alloc());
+bool gotLambda = false;
+types::TemporaryTypeSet *calleeTypes = current->peek(calleeDepth)->resultTypeSet();
+if (calleeTypes) {
+if (!getPolyCallTargets(calleeTypes, constructing, originals, 4, &gotLambda))
+return false;
+}
+JS_ASSERT_IF(gotLambda, originals.length() <= 1);
+// If any call targets need to be cloned, look for existing clones to use.
+// Keep track of the originals as we need to case on them for poly inline.
+bool hasClones = false;
+ObjectVector targets(alloc());
+for (uint32_t i = 0; i < originals.length(); i++) {
+JSFunction *fun = &originals[i]->as<JSFunction>();
+if (fun->hasScript() && fun->nonLazyScript()->shouldCloneAtCallsite()) {
+if (JSFunction *clone = ExistingCloneFunctionAtCallsite(compartment->callsiteClones(), fun, script(), pc)) {
+fun = clone;
+hasClones = true;
+}
+}
+if (!targets.append(fun))
+return false;
+}
+CallInfo callInfo(alloc(), constructing);
+if (!callInfo.init(current, argc))
+return false;
+// Try inlining
+InliningStatus status = inlineCallsite(targets, originals, gotLambda, callInfo);
+if (status == InliningStatus_Inlined)
+return true;
+if (status == InliningStatus_Error)
+return false;
+// No inline, just make the call.
+JSFunction *target = nullptr;
+if (targets.length() == 1)
+target = &targets[0]->as<JSFunction>();
+return makeCall(target, callInfo, hasClones);
+}
+MDefinition *
+IonBuilder::makeCallsiteClone(JSFunction *target, MDefinition *fun)
+{
+// Bake in the clone eagerly if we have a known target. We have arrived here
+// because TI told us that the known target is a should-clone-at-callsite
+// function, which means that target already is the clone. Make sure to ensure
+// that the old definition remains in resume points.
+if (target) {
+fun->setImplicitlyUsedUnchecked();
+return constant(ObjectValue(*target));
+}
+// Add a callsite clone IC if we have multiple targets. Note that we
+// should have checked already that at least some targets are marked as
+// should-clone-at-callsite.
+MCallsiteCloneCache *clone = MCallsiteCloneCache::New(alloc(), fun, pc);
+current->add(clone);
+return clone;
+}
+bool
+IonBuilder::testShouldDOMCall(types::TypeSet *inTypes,
+JSFunction *func, JSJitInfo::OpType opType)
+{
+if (!func->isNative() || !func->jitInfo())
+return false;
+// If all the DOM objects flowing through are legal with this
+// property, we can bake in a call to the bottom half of the DOM
+// accessor
+DOMInstanceClassMatchesProto instanceChecker =
+compartment->runtime()->DOMcallbacks()->instanceClassMatchesProto;
+const JSJitInfo *jinfo = func->jitInfo();
+if (jinfo->type() != opType)
+return false;
+for (unsigned i = 0; i < inTypes->getObjectCount(); i++) {
+types::TypeObjectKey *curType = inTypes->getObject(i);
+if (!curType)
+continue;
+if (!curType->hasTenuredProto())
+return false;
+JSObject *proto = curType->proto().toObjectOrNull();
+if (!instanceChecker(proto, jinfo->protoID, jinfo->depth))
+return false;
+}
+return true;
+}
+static bool
+ArgumentTypesMatch(MDefinition *def, types::StackTypeSet *calleeTypes)
+{
+if (def->resultTypeSet()) {
+JS_ASSERT(def->type() == MIRType_Value || def->mightBeType(def->type()));
+return def->resultTypeSet()->isSubset(calleeTypes);
+}
+if (def->type() == MIRType_Value)
+return false;
+if (def->type() == MIRType_Object)
+return calleeTypes->unknownObject();
+return calleeTypes->mightBeMIRType(def->type());
+}
+bool
+IonBuilder::testNeedsArgumentCheck(JSFunction *target, CallInfo &callInfo)
+{
+// If we have a known target, check if the caller arg types are a subset of callee.
+// Since typeset accumulates and can't decrease that means we don't need to check
+// the arguments anymore.
+if (!target->hasScript())
+return true;
+JSScript *targetScript = target->nonLazyScript();
+if (!targetScript->types)
+return true;
+if (!ArgumentTypesMatch(callInfo.thisArg(), types::TypeScript::ThisTypes(targetScript)))
+return true;
+uint32_t expected_args = Min<uint32_t>(callInfo.argc(), target->nargs());
+for (size_t i = 0; i < expected_args; i++) {
+if (!ArgumentTypesMatch(callInfo.getArg(i), types::TypeScript::ArgTypes(targetScript, i)))
+return true;
+}
+for (size_t i = callInfo.argc(); i < target->nargs(); i++) {
+if (!types::TypeScript::ArgTypes(targetScript, i)->mightBeMIRType(MIRType_Undefined))
+return true;
+}
+return false;
+}
+MCall *
+IonBuilder::makeCallHelper(JSFunction *target, CallInfo &callInfo, bool cloneAtCallsite)
+{
+// This function may be called with mutated stack.
+// Querying TI for popped types is invalid.
+uint32_t targetArgs = callInfo.argc();
+// Collect number of missing arguments provided that the target is
+// scripted. Native functions are passed an explicit 'argc' parameter.
+if (target && !target->isNative())
+targetArgs = Max<uint32_t>(target->nargs(), callInfo.argc());
+bool isDOMCall = false;
+if (target && !callInfo.constructing()) {
+// We know we have a single call target.  Check whether the "this" types
+// are DOM types and our function a DOM function, and if so flag the
+// MCall accordingly.
+types::TemporaryTypeSet *thisTypes = callInfo.thisArg()->resultTypeSet();
+if (thisTypes &&
+thisTypes->getKnownMIRType() == MIRType_Object &&
+thisTypes->isDOMClass() &&
+testShouldDOMCall(thisTypes, target, JSJitInfo::Method))
+{
+isDOMCall = true;
+}
+}
+MCall *call = MCall::New(alloc(), target, targetArgs + 1, callInfo.argc(),
+callInfo.constructing(), isDOMCall);
+if (!call)
+return nullptr;
+// Explicitly pad any missing arguments with |undefined|.
+// This permits skipping the argumentsRectifier.
+for (int i = targetArgs; i > (int)callInfo.argc(); i--) {
+JS_ASSERT_IF(target, !target->isNative());
+MConstant *undef = constant(UndefinedValue());
+call->addArg(i, undef);
+}
+// Add explicit arguments.
+// Skip addArg(0) because it is reserved for this
+for (int32_t i = callInfo.argc() - 1; i >= 0; i--)
+call->addArg(i + 1, callInfo.getArg(i));
+// Now that we've told it about all the args, compute whether it's movable
+call->computeMovable();
+// Inline the constructor on the caller-side.
+if (callInfo.constructing()) {
+MDefinition *create = createThis(target, callInfo.fun());
+if (!create) {
+abort("Failure inlining constructor for call.");
+return nullptr;
+}
+callInfo.thisArg()->setImplicitlyUsedUnchecked();
+callInfo.setThis(create);
+}
+// Pass |this| and function.
+MDefinition *thisArg = callInfo.thisArg();
+call->addArg(0, thisArg);
+// Add a callsite clone IC for multiple targets which all should be
+// callsite cloned, or bake in the clone for a single target.
+if (cloneAtCallsite) {
+MDefinition *fun = makeCallsiteClone(target, callInfo.fun());
+callInfo.setFun(fun);
+}
+if (target && !testNeedsArgumentCheck(target, callInfo))
+call->disableArgCheck();
+call->initFunction(callInfo.fun());
+current->add(call);
+return call;
+}
+static bool
+DOMCallNeedsBarrier(const JSJitInfo* jitinfo, types::TemporaryTypeSet *types)
+{
+// If the return type of our DOM native is in "types" already, we don't
+// actually need a barrier.
+if (jitinfo->returnType() == JSVAL_TYPE_UNKNOWN)
+return true;
+// JSVAL_TYPE_OBJECT doesn't tell us much; we still have to barrier on the
+// actual type of the object.
+if (jitinfo->returnType() == JSVAL_TYPE_OBJECT)
+return true;
+// No need for a barrier if we're already expecting the type we'll produce.
+return MIRTypeFromValueType(jitinfo->returnType()) != types->getKnownMIRType();
+}
+bool
+IonBuilder::makeCall(JSFunction *target, CallInfo &callInfo, bool cloneAtCallsite)
+{
+// Constructor calls to non-constructors should throw. We don't want to use
+// CallKnown in this case.
+JS_ASSERT_IF(callInfo.constructing() && target,
+target->isInterpretedConstructor() || target->isNativeConstructor());
+MCall *call = makeCallHelper(target, callInfo, cloneAtCallsite);
+if (!call)
+return false;
+current->push(call);
+if (call->isEffectful() && !resumeAfter(call))
+return false;
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+if (call->isCallDOMNative())
+return pushDOMTypeBarrier(call, types, call->getSingleTarget());
+return pushTypeBarrier(call, types, true);
+}
+bool
+IonBuilder::jsop_eval(uint32_t argc)
+{
+int calleeDepth = -((int)argc + 2);
+types::TemporaryTypeSet *calleeTypes = current->peek(calleeDepth)->resultTypeSet();
+// Emit a normal call if the eval has never executed. This keeps us from
+// disabling compilation for the script when testing with --ion-eager.
+if (calleeTypes && calleeTypes->empty())
+return jsop_call(argc, /* constructing = */ false);
+JSFunction *singleton = getSingleCallTarget(calleeTypes);
+if (!singleton)
+return abort("No singleton callee for eval()");
+if (script()->global().valueIsEval(ObjectValue(*singleton))) {
+if (argc != 1)
+return abort("Direct eval with more than one argument");
+if (!info().funMaybeLazy())
+return abort("Direct eval in global code");
+// The 'this' value for the outer and eval scripts must be the
+// same. This is not guaranteed if a primitive string/number/etc.
+// is passed through to the eval invoke as the primitive may be
+// boxed into different objects if accessed via 'this'.
+MIRType type = thisTypes->getKnownMIRType();
+if (type != MIRType_Object && type != MIRType_Null && type != MIRType_Undefined)
+return abort("Direct eval from script with maybe-primitive 'this'");
+CallInfo callInfo(alloc(), /* constructing = */ false);
+if (!callInfo.init(current, argc))
+return false;
+callInfo.setImplicitlyUsedUnchecked();
+callInfo.fun()->setImplicitlyUsedUnchecked();
+MDefinition *scopeChain = current->scopeChain();
+MDefinition *string = callInfo.getArg(0);
+// Direct eval acts as identity on non-string types according to
+// ES5 15.1.2.1 step 1.
+if (!string->mightBeType(MIRType_String)) {
+current->push(string);
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+return pushTypeBarrier(string, types, true);
+}
+current->pushSlot(info().thisSlot());
+MDefinition *thisValue = current->pop();
+// Try to pattern match 'eval(v + "()")'. In this case v is likely a
+// name on the scope chain and the eval is performing a call on that
+// value. Use a dynamic scope chain lookup rather than a full eval.
+if (string->isConcat() &&
+string->getOperand(1)->isConstant() &&
+string->getOperand(1)->toConstant()->value().isString())
+{
+JSAtom *atom = &string->getOperand(1)->toConstant()->value().toString()->asAtom();
+if (StringEqualsAscii(atom, "()")) {
+MDefinition *name = string->getOperand(0);
+MInstruction *dynamicName = MGetDynamicName::New(alloc(), scopeChain, name);
+current->add(dynamicName);
+current->push(dynamicName);
+current->push(thisValue);
+CallInfo evalCallInfo(alloc(), /* constructing = */ false);
+if (!evalCallInfo.init(current, /* argc = */ 0))
+return false;
+return makeCall(nullptr, evalCallInfo, false);
+}
+}
+MInstruction *filterArguments = MFilterArgumentsOrEval::New(alloc(), string);
+current->add(filterArguments);
+MInstruction *ins = MCallDirectEval::New(alloc(), scopeChain, string, thisValue, pc);
+current->add(ins);
+current->push(ins);
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+return resumeAfter(ins) && pushTypeBarrier(ins, types, true);
+}
+return jsop_call(argc, /* constructing = */ false);
+}
+bool
+IonBuilder::jsop_compare(JSOp op)
+{
+MDefinition *right = current->pop();
+MDefinition *left = current->pop();
+MCompare *ins = MCompare::New(alloc(), left, right, op);
+current->add(ins);
+current->push(ins);
+ins->infer(inspector, pc);
+if (ins->isEffectful() && !resumeAfter(ins))
+return false;
+return true;
+}
+bool
+IonBuilder::jsop_newarray(uint32_t count)
+{
+JS_ASSERT(script()->compileAndGo());
+JSObject *templateObject = inspector->getTemplateObject(pc);
+if (!templateObject)
+return abort("No template object for NEWARRAY");
+JS_ASSERT(templateObject->is<ArrayObject>());
+if (templateObject->type()->unknownProperties()) {
+// We will get confused in jsop_initelem_array if we can't find the
+// type object being initialized.
+return abort("New array has unknown properties");
+}
+MNewArray *ins = MNewArray::New(alloc(), constraints(), count, templateObject,
+templateObject->type()->initialHeap(constraints()),
+MNewArray::NewArray_Allocating);
+current->add(ins);
+current->push(ins);
+types::TemporaryTypeSet::DoubleConversion conversion =
+ins->resultTypeSet()->convertDoubleElements(constraints());
+if (conversion == types::TemporaryTypeSet::AlwaysConvertToDoubles)
+templateObject->setShouldConvertDoubleElements();
+else
+templateObject->clearShouldConvertDoubleElements();
+return true;
+}
+bool
+IonBuilder::jsop_newobject()
+{
+// Don't bake in the TypeObject for non-CNG scripts.
+JS_ASSERT(script()->compileAndGo());
+JSObject *templateObject = inspector->getTemplateObject(pc);
+if (!templateObject)
+return abort("No template object for NEWOBJECT");
+JS_ASSERT(templateObject->is<JSObject>());
+MNewObject *ins = MNewObject::New(alloc(), constraints(), templateObject,
+templateObject->hasSingletonType()
+? gc::TenuredHeap
+: templateObject->type()->initialHeap(constraints()),
+/* templateObjectIsClassPrototype = */ false);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_initelem()
+{
+MDefinition *value = current->pop();
+MDefinition *id = current->pop();
+MDefinition *obj = current->peek(-1);
+MInitElem *initElem = MInitElem::New(alloc(), obj, id, value);
+current->add(initElem);
+return resumeAfter(initElem);
+}
+bool
+IonBuilder::jsop_initelem_array()
+{
+MDefinition *value = current->pop();
+MDefinition *obj = current->peek(-1);
+// Make sure that arrays have the type being written to them by the
+// intializer, and that arrays are marked as non-packed when writing holes
+// to them during initialization.
+bool needStub = false;
+types::TypeObjectKey *initializer = obj->resultTypeSet()->getObject(0);
+if (value->type() == MIRType_MagicHole) {
+if (!initializer->hasFlags(constraints(), types::OBJECT_FLAG_NON_PACKED))
+needStub = true;
+} else if (!initializer->unknownProperties()) {
+types::HeapTypeSetKey elemTypes = initializer->property(JSID_VOID);
+if (!TypeSetIncludes(elemTypes.maybeTypes(), value->type(), value->resultTypeSet())) {
+elemTypes.freeze(constraints());
+needStub = true;
+}
+}
+if (NeedsPostBarrier(info(), value))
+current->add(MPostWriteBarrier::New(alloc(), obj, value));
+if (needStub) {
+MCallInitElementArray *store = MCallInitElementArray::New(alloc(), obj, GET_UINT24(pc), value);
+current->add(store);
+return resumeAfter(store);
+}
+MConstant *id = MConstant::New(alloc(), Int32Value(GET_UINT24(pc)));
+current->add(id);
+// Get the elements vector.
+MElements *elements = MElements::New(alloc(), obj);
+current->add(elements);
+JSObject *templateObject = obj->toNewArray()->templateObject();
+if (templateObject->shouldConvertDoubleElements()) {
+MInstruction *valueDouble = MToDouble::New(alloc(), value);
+current->add(valueDouble);
+value = valueDouble;
+}
+// Store the value.
+MStoreElement *store = MStoreElement::New(alloc(), elements, id, value, /* needsHoleCheck = */ false);
+current->add(store);
+// Update the initialized length. (The template object for this array has
+// the array's ultimate length, so the length field is already correct: no
+// updating needed.)
+MSetInitializedLength *initLength = MSetInitializedLength::New(alloc(), elements, id);
+current->add(initLength);
+if (!resumeAfter(initLength))
+return false;
+return true;
+}
+bool
+IonBuilder::jsop_mutateproto()
+{
+MDefinition *value = current->pop();
+MDefinition *obj = current->peek(-1);
+MMutateProto *mutate = MMutateProto::New(alloc(), obj, value);
+current->add(mutate);
+return resumeAfter(mutate);
+}
+bool
+IonBuilder::jsop_initprop(PropertyName *name)
+{
+MDefinition *value = current->pop();
+MDefinition *obj = current->peek(-1);
+JSObject *templateObject = obj->toNewObject()->templateObject();
+Shape *shape = templateObject->lastProperty()->searchLinear(NameToId(name));
+if (!shape) {
+// JSOP_NEWINIT becomes an MNewObject without preconfigured properties.
+MInitProp *init = MInitProp::New(alloc(), obj, name, value);
+current->add(init);
+return resumeAfter(init);
+}
+if (PropertyWriteNeedsTypeBarrier(alloc(), constraints(), current,
+&obj, name, &value, /* canModify = */ true))
+{
+// JSOP_NEWINIT becomes an MNewObject without preconfigured properties.
+MInitProp *init = MInitProp::New(alloc(), obj, name, value);
+current->add(init);
+return resumeAfter(init);
+}
+if (NeedsPostBarrier(info(), value))
+current->add(MPostWriteBarrier::New(alloc(), obj, value));
+bool needsBarrier = true;
+if (obj->resultTypeSet() &&
+!obj->resultTypeSet()->propertyNeedsBarrier(constraints(), NameToId(name)))
+{
+needsBarrier = false;
+}
+// In parallel execution, we never require write barriers.  See
+// forkjoin.cpp for more information.
+if (info().executionMode() == ParallelExecution)
+needsBarrier = false;
+if (templateObject->isFixedSlot(shape->slot())) {
+MStoreFixedSlot *store = MStoreFixedSlot::New(alloc(), obj, shape->slot(), value);
+if (needsBarrier)
+store->setNeedsBarrier();
+current->add(store);
+return resumeAfter(store);
+}
+MSlots *slots = MSlots::New(alloc(), obj);
+current->add(slots);
+uint32_t slot = templateObject->dynamicSlotIndex(shape->slot());
+MStoreSlot *store = MStoreSlot::New(alloc(), slots, slot, value);
+if (needsBarrier)
+store->setNeedsBarrier();
+current->add(store);
+return resumeAfter(store);
+}
+bool
+IonBuilder::jsop_initprop_getter_setter(PropertyName *name)
+{
+MDefinition *value = current->pop();
+MDefinition *obj = current->peek(-1);
+MInitPropGetterSetter *init = MInitPropGetterSetter::New(alloc(), obj, name, value);
+current->add(init);
+return resumeAfter(init);
+}
+bool
+IonBuilder::jsop_initelem_getter_setter()
+{
+MDefinition *value = current->pop();
+MDefinition *id = current->pop();
+MDefinition *obj = current->peek(-1);
+MInitElemGetterSetter *init = MInitElemGetterSetter::New(alloc(), obj, id, value);
+current->add(init);
+return resumeAfter(init);
+}
+MBasicBlock *
+IonBuilder::addBlock(MBasicBlock *block, uint32_t loopDepth)
+{
+if (!block)
+return nullptr;
+graph().addBlock(block);
+block->setLoopDepth(loopDepth);
+return block;
+}
+MBasicBlock *
+IonBuilder::newBlock(MBasicBlock *predecessor, jsbytecode *pc)
+{
+MBasicBlock *block = MBasicBlock::New(graph(), &analysis(), info(),
+predecessor, pc, MBasicBlock::NORMAL);
+return addBlock(block, loopDepth_);
+}
+MBasicBlock *
+IonBuilder::newBlock(MBasicBlock *predecessor, jsbytecode *pc, MResumePoint *priorResumePoint)
+{
+MBasicBlock *block = MBasicBlock::NewWithResumePoint(graph(), info(), predecessor, pc,
+priorResumePoint);
+return addBlock(block, loopDepth_);
+}
+MBasicBlock *
+IonBuilder::newBlockPopN(MBasicBlock *predecessor, jsbytecode *pc, uint32_t popped)
+{
+MBasicBlock *block = MBasicBlock::NewPopN(graph(), info(), predecessor, pc, MBasicBlock::NORMAL, popped);
+return addBlock(block, loopDepth_);
+}
+MBasicBlock *
+IonBuilder::newBlockAfter(MBasicBlock *at, MBasicBlock *predecessor, jsbytecode *pc)
+{
+MBasicBlock *block = MBasicBlock::New(graph(), &analysis(), info(),
+predecessor, pc, MBasicBlock::NORMAL);
+if (!block)
+return nullptr;
+graph().insertBlockAfter(at, block);
+return block;
+}
+MBasicBlock *
+IonBuilder::newBlock(MBasicBlock *predecessor, jsbytecode *pc, uint32_t loopDepth)
+{
+MBasicBlock *block = MBasicBlock::New(graph(), &analysis(), info(),
+predecessor, pc, MBasicBlock::NORMAL);
+return addBlock(block, loopDepth);
+}
+MBasicBlock *
+IonBuilder::newOsrPreheader(MBasicBlock *predecessor, jsbytecode *loopEntry)
+{
+JS_ASSERT(LoopEntryCanIonOsr(loopEntry));
+JS_ASSERT(loopEntry == info().osrPc());
+// Create two blocks: one for the OSR entry with no predecessors, one for
+// the preheader, which has the OSR entry block as a predecessor. The
+// OSR block is always the second block (with id 1).
+MBasicBlock *osrBlock  = newBlockAfter(*graph().begin(), loopEntry);
+MBasicBlock *preheader = newBlock(predecessor, loopEntry);
+if (!osrBlock || !preheader)
+return nullptr;
+MOsrEntry *entry = MOsrEntry::New(alloc());
+osrBlock->add(entry);
+// Initialize |scopeChain|.
+{
+uint32_t slot = info().scopeChainSlot();
+MInstruction *scopev;
+if (analysis().usesScopeChain()) {
+scopev = MOsrScopeChain::New(alloc(), entry);
+} else {
+// Use an undefined value if the script does not need its scope
+// chain, to match the type that is already being tracked for the
+// slot.
+scopev = MConstant::New(alloc(), UndefinedValue());
+}
+osrBlock->add(scopev);
+osrBlock->initSlot(slot, scopev);
+}
+// Initialize |return value|
+{
+MInstruction *returnValue;
+if (!script()->noScriptRval())
+returnValue = MOsrReturnValue::New(alloc(), entry);
+else
+returnValue = MConstant::New(alloc(), UndefinedValue());
+osrBlock->add(returnValue);
+osrBlock->initSlot(info().returnValueSlot(), returnValue);
+}
+// Initialize arguments object.
+bool needsArgsObj = info().needsArgsObj();
+MInstruction *argsObj = nullptr;
+if (info().hasArguments()) {
+if (needsArgsObj)
+argsObj = MOsrArgumentsObject::New(alloc(), entry);
+else
+argsObj = MConstant::New(alloc(), UndefinedValue());
+osrBlock->add(argsObj);
+osrBlock->initSlot(info().argsObjSlot(), argsObj);
+}
+if (info().funMaybeLazy()) {
+// Initialize |this| parameter.
+MParameter *thisv = MParameter::New(alloc(), MParameter::THIS_SLOT, nullptr);
+osrBlock->add(thisv);
+osrBlock->initSlot(info().thisSlot(), thisv);
+// Initialize arguments.
+for (uint32_t i = 0; i < info().nargs(); i++) {
+uint32_t slot = needsArgsObj ? info().argSlotUnchecked(i) : info().argSlot(i);
+// Only grab arguments from the arguments object if the arguments object
+// aliases formals.  If the argsobj does not alias formals, then the
+// formals may have been assigned to during interpretation, and that change
+// will not be reflected in the argsobj.
+if (needsArgsObj && info().argsObjAliasesFormals()) {
+JS_ASSERT(argsObj && argsObj->isOsrArgumentsObject());
+// If this is an aliased formal, then the arguments object
+// contains a hole at this index.  Any references to this
+// variable in the jitcode will come from JSOP_*ALIASEDVAR
+// opcodes, so the slot itself can be set to undefined.  If
+// it's not aliased, it must be retrieved from the arguments
+// object.
+MInstruction *osrv;
+if (script()->formalIsAliased(i))
+osrv = MConstant::New(alloc(), UndefinedValue());
+else
+osrv = MGetArgumentsObjectArg::New(alloc(), argsObj, i);
+osrBlock->add(osrv);
+osrBlock->initSlot(slot, osrv);
+} else {
+MParameter *arg = MParameter::New(alloc(), i, nullptr);
+osrBlock->add(arg);
+osrBlock->initSlot(slot, arg);
+}
+}
+}
+// Initialize locals.
+for (uint32_t i = 0; i < info().nlocals(); i++) {
+uint32_t slot = info().localSlot(i);
+ptrdiff_t offset = BaselineFrame::reverseOffsetOfLocal(i);
+MOsrValue *osrv = MOsrValue::New(alloc(), entry, offset);
+osrBlock->add(osrv);
+osrBlock->initSlot(slot, osrv);
+}
+// Initialize stack.
+uint32_t numStackSlots = preheader->stackDepth() - info().firstStackSlot();
+for (uint32_t i = 0; i < numStackSlots; i++) {
+uint32_t slot = info().stackSlot(i);
+ptrdiff_t offset = BaselineFrame::reverseOffsetOfLocal(info().nlocals() + i);
+MOsrValue *osrv = MOsrValue::New(alloc(), entry, offset);
+osrBlock->add(osrv);
+osrBlock->initSlot(slot, osrv);
+}
+// Create an MStart to hold the first valid MResumePoint.
+MStart *start = MStart::New(alloc(), MStart::StartType_Osr);
+osrBlock->add(start);
+graph().setOsrStart(start);
+// MOsrValue instructions are infallible, so the first MResumePoint must
+// occur after they execute, at the point of the MStart.
+if (!resumeAt(start, loopEntry))
+return nullptr;
+// Link the same MResumePoint from the MStart to each MOsrValue.
+// This causes logic in ShouldSpecializeInput() to not replace Uses with
+// Unboxes in the MResumePiont, so that the MStart always sees Values.
+osrBlock->linkOsrValues(start);
+// Clone types of the other predecessor of the pre-header to the osr block,
+// such as pre-header phi's won't discard specialized type of the
+// predecessor.
+JS_ASSERT(predecessor->stackDepth() == osrBlock->stackDepth());
+JS_ASSERT(info().scopeChainSlot() == 0);
+// Treat the OSR values as having the same type as the existing values
+// coming in to the loop. These will be fixed up with appropriate
+// unboxing and type barriers in finishLoop, once the possible types
+// at the loop header are known.
+for (uint32_t i = info().startArgSlot(); i < osrBlock->stackDepth(); i++) {
+MDefinition *existing = current->getSlot(i);
+MDefinition *def = osrBlock->getSlot(i);
+JS_ASSERT_IF(!needsArgsObj || !info().isSlotAliasedAtOsr(i), def->type() == MIRType_Value);
+// Aliased slots are never accessed, since they need to go through
+// the callobject. No need to type them here.
+if (info().isSlotAliasedAtOsr(i))
+continue;
+def->setResultType(existing->type());
+def->setResultTypeSet(existing->resultTypeSet());
+}
+// Finish the osrBlock.
+osrBlock->end(MGoto::New(alloc(), preheader));
+if (!preheader->addPredecessor(alloc(), osrBlock))
+return nullptr;
+graph().setOsrBlock(osrBlock);
+// Wrap |this| with a guaranteed use, to prevent instruction elimination.
+// Prevent |this| from being DCE'd: necessary for constructors.
+if (info().funMaybeLazy())
+preheader->getSlot(info().thisSlot())->setGuard();
+return preheader;
+}
+MBasicBlock *
+IonBuilder::newPendingLoopHeader(MBasicBlock *predecessor, jsbytecode *pc, bool osr, bool canOsr,
+unsigned stackPhiCount)
+{
+loopDepth_++;
+// If this site can OSR, all values on the expression stack are part of the loop.
+if (canOsr)
+stackPhiCount = predecessor->stackDepth() - info().firstStackSlot();
+MBasicBlock *block = MBasicBlock::NewPendingLoopHeader(graph(), info(), predecessor, pc,
+stackPhiCount);
+if (!addBlock(block, loopDepth_))
+return nullptr;
+if (osr) {
+// Incorporate type information from the OSR frame into the loop
+// header. The OSR frame may have unexpected types due to type changes
+// within the loop body or due to incomplete profiling information,
+// in which case this may avoid restarts of loop analysis or bailouts
+// during the OSR itself.
+// Unbox the MOsrValue if it is known to be unboxable.
+for (uint32_t i = info().startArgSlot(); i < block->stackDepth(); i++) {
+// The value of aliased args and slots are in the callobject. So we can't
+// the value from the baseline frame.
+if (info().isSlotAliasedAtOsr(i))
+continue;
+// Don't bother with expression stack values. The stack should be
+// empty except for let variables (not Ion-compiled) or iterators.
+if (i >= info().firstStackSlot())
+continue;
+MPhi *phi = block->getSlot(i)->toPhi();
+// Get the type from the baseline frame.
+types::Type existingType = types::Type::UndefinedType();
+uint32_t arg = i - info().firstArgSlot();
+uint32_t var = i - info().firstLocalSlot();
+if (info().funMaybeLazy() && i == info().thisSlot())
+existingType = baselineFrame_->thisType;
+else if (arg < info().nargs())
+existingType = baselineFrame_->argTypes[arg];
+else
+existingType = baselineFrame_->varTypes[var];
+// Extract typeset from value.
+types::TemporaryTypeSet *typeSet =
+alloc_->lifoAlloc()->new_<types::TemporaryTypeSet>(existingType);
+if (!typeSet)
+return nullptr;
+MIRType type = typeSet->getKnownMIRType();
+if (!phi->addBackedgeType(type, typeSet))
+return nullptr;
+}
+}
+return block;
+}
+// A resume point is a mapping of stack slots to MDefinitions. It is used to
+// capture the environment such that if a guard fails, and IonMonkey needs
+// to exit back to the interpreter, the interpreter state can be
+// reconstructed.
+//
+// We capture stack state at critical points:
+//   * (1) At the beginning of every basic block.
+//   * (2) After every effectful operation.
+//
+// As long as these two properties are maintained, instructions can
+// be moved, hoisted, or, eliminated without problems, and ops without side
+// effects do not need to worry about capturing state at precisely the
+// right point in time.
+//
+// Effectful instructions, of course, need to capture state after completion,
+// where the interpreter will not attempt to repeat the operation. For this,
+// ResumeAfter must be used. The state is attached directly to the effectful
+// instruction to ensure that no intermediate instructions could be injected
+// in between by a future analysis pass.
+//
+// During LIR construction, if an instruction can bail back to the interpreter,
+// we create an LSnapshot, which uses the last known resume point to request
+// register/stack assignments for every live value.
+bool
+IonBuilder::resume(MInstruction *ins, jsbytecode *pc, MResumePoint::Mode mode)
+{
+JS_ASSERT(ins->isEffectful() || !ins->isMovable());
+MResumePoint *resumePoint = MResumePoint::New(alloc(), ins->block(), pc, callerResumePoint_,
+mode);
+if (!resumePoint)
+return false;
+ins->setResumePoint(resumePoint);
+resumePoint->setInstruction(ins);
+return true;
+}
+bool
+IonBuilder::resumeAt(MInstruction *ins, jsbytecode *pc)
+{
+return resume(ins, pc, MResumePoint::ResumeAt);
+}
+bool
+IonBuilder::resumeAfter(MInstruction *ins)
+{
+return resume(ins, pc, MResumePoint::ResumeAfter);
+}
+bool
+IonBuilder::maybeInsertResume()
+{
+// Create a resume point at the current position, without an existing
+// effectful instruction. This resume point is not necessary for correct
+// behavior (see above), but is added to avoid holding any values from the
+// previous resume point which are now dead. This shortens the live ranges
+// of such values and improves register allocation.
+//
+// This optimization is not performed outside of loop bodies, where good
+// register allocation is not as critical, in order to avoid creating
+// excessive resume points.
+if (loopDepth_ == 0)
+return true;
+MNop *ins = MNop::New(alloc());
+current->add(ins);
+return resumeAfter(ins);
+}
+static bool
+ClassHasEffectlessLookup(const Class *clasp, PropertyName *name)
+{
+return clasp->isNative() && !clasp->ops.lookupGeneric;
+}
+static bool
+ClassHasResolveHook(CompileCompartment *comp, const Class *clasp, PropertyName *name)
+{
+// While arrays do not have resolve hooks, the types of their |length|
+// properties are not reflected in type information, so pretend there is a
+// resolve hook for this property.
+if (clasp == &ArrayObject::class_)
+return name == comp->runtime()->names().length;
+if (clasp->resolve == JS_ResolveStub)
+return false;
+if (clasp->resolve == (JSResolveOp)str_resolve) {
+// str_resolve only resolves integers, not names.
+return false;
+}
+if (clasp->resolve == (JSResolveOp)fun_resolve)
+return FunctionHasResolveHook(comp->runtime()->names(), name);
+return true;
+}
+void
+IonBuilder::insertRecompileCheck()
+{
+// PJS doesn't recompile and doesn't need recompile checks.
+if (info().executionMode() != SequentialExecution)
+return;
+// No need for recompile checks if this is the highest optimization level.
+OptimizationLevel curLevel = optimizationInfo().level();
+if (js_IonOptimizations.isLastLevel(curLevel))
+return;
+// Add recompile check.
+// Get the topmost builder. The topmost script will get recompiled when
+// usecount is high enough to justify a higher optimization level.
+IonBuilder *topBuilder = this;
+while (topBuilder->callerBuilder_)
+topBuilder = topBuilder->callerBuilder_;
+// Add recompile check to recompile when the usecount reaches the usecount
+// of the next optimization level.
+OptimizationLevel nextLevel = js_IonOptimizations.nextLevel(curLevel);
+const OptimizationInfo *info = js_IonOptimizations.get(nextLevel);
+uint32_t useCount = info->usesBeforeCompile(topBuilder->script());
+current->add(MRecompileCheck::New(alloc(), topBuilder->script(), useCount));
+}
+JSObject *
+IonBuilder::testSingletonProperty(JSObject *obj, PropertyName *name)
+{
+// We would like to completely no-op property/global accesses which can
+// produce only a particular JSObject. When indicating the access result is
+// definitely an object, type inference does not account for the
+// possibility that the property is entirely missing from the input object
+// and its prototypes (if this happens, a semantic trigger would be hit and
+// the pushed types updated, even if there is no type barrier).
+//
+// If the access definitely goes through obj, either directly or on the
+// prototype chain, and the object has singleton type, then the type
+// information for that property reflects the value that will definitely be
+// read on accesses to the object. If the property is later deleted or
+// reconfigured as a getter/setter then the type information for the
+// property will change and trigger invalidation.
+while (obj) {
+if (!ClassHasEffectlessLookup(obj->getClass(), name))
+return nullptr;
+types::TypeObjectKey *objType = types::TypeObjectKey::get(obj);
+if (analysisContext)
+objType->ensureTrackedProperty(analysisContext, NameToId(name));
+if (objType->unknownProperties())
+return nullptr;
+types::HeapTypeSetKey property = objType->property(NameToId(name));
+if (property.isOwnProperty(constraints())) {
+if (obj->hasSingletonType())
+return property.singleton(constraints());
+return nullptr;
+}
+if (ClassHasResolveHook(compartment, obj->getClass(), name))
+return nullptr;
+if (!obj->hasTenuredProto())
+return nullptr;
+obj = obj->getProto();
+}
+return nullptr;
+}
+bool
+IonBuilder::testSingletonPropertyTypes(MDefinition *obj, JSObject *singleton, PropertyName *name,
+bool *testObject, bool *testString)
+{
+// As for TestSingletonProperty, but the input is any value in a type set
+// rather than a specific object. If testObject is set then the constant
+// result can only be used after ensuring the input is an object.
+*testObject = false;
+*testString = false;
+types::TemporaryTypeSet *types = obj->resultTypeSet();
+if (types && types->unknownObject())
+return false;
+JSObject *objectSingleton = types ? types->getSingleton() : nullptr;
+if (objectSingleton)
+return testSingletonProperty(objectSingleton, name) == singleton;
+JSProtoKey key;
+switch (obj->type()) {
+case MIRType_String:
+key = JSProto_String;
+break;
+case MIRType_Int32:
+case MIRType_Double:
+key = JSProto_Number;
+break;
+case MIRType_Boolean:
+key = JSProto_Boolean;
+break;
+case MIRType_Object:
+case MIRType_Value: {
+if (!types)
+return false;
+if (types->hasType(types::Type::StringType())) {
+key = JSProto_String;
+*testString = true;
+break;
+}
+if (!types->maybeObject())
+return false;
+// For property accesses which may be on many objects, we just need to
+// find a prototype common to all the objects; if that prototype
+// has the singleton property, the access will not be on a missing property.
+for (unsigned i = 0; i < types->getObjectCount(); i++) {
+types::TypeObjectKey *object = types->getObject(i);
+if (!object)
+continue;
+if (analysisContext)
+object->ensureTrackedProperty(analysisContext, NameToId(name));
+const Class *clasp = object->clasp();
+if (!ClassHasEffectlessLookup(clasp, name) || ClassHasResolveHook(compartment, clasp, name))
+return false;
+if (object->unknownProperties())
+return false;
+types::HeapTypeSetKey property = object->property(NameToId(name));
+if (property.isOwnProperty(constraints()))
+return false;
+if (!object->hasTenuredProto())
+return false;
+if (JSObject *proto = object->proto().toObjectOrNull()) {
+// Test this type.
+if (testSingletonProperty(proto, name) != singleton)
+return false;
+} else {
+// Can't be on the prototype chain with no prototypes...
+return false;
+}
+}
+// If this is not a known object, a test will be needed.
+*testObject = (obj->type() != MIRType_Object);
+return true;
+}
+default:
+return false;
+}
+JSObject *proto = GetBuiltinPrototypePure(&script()->global(), key);
+if (proto)
+return testSingletonProperty(proto, name) == singleton;
+return false;
+}
+// Given an observed type set, annotates the IR as much as possible:
+// (1) If no type information is provided, the value on the top of the stack is
+//     left in place.
+// (2) If a single type definitely exists, and no type barrier is needed,
+//     then an infallible unbox instruction replaces the value on the top of
+//     the stack.
+// (3) If a type barrier is needed, but has an unknown type set, leave the
+//     value at the top of the stack.
+// (4) If a type barrier is needed, and has a single type, an unbox
+//     instruction replaces the top of the stack.
+// (5) Lastly, a type barrier instruction replaces the top of the stack.
+bool
+IonBuilder::pushTypeBarrier(MDefinition *def, types::TemporaryTypeSet *observed, bool needsBarrier)
+{
+// Barriers are never needed for instructions whose result will not be used.
+if (BytecodeIsPopped(pc))
+return true;
+// If the instruction has no side effects, we'll resume the entire operation.
+// The actual type barrier will occur in the interpreter. If the
+// instruction is effectful, even if it has a singleton type, there
+// must be a resume point capturing the original def, and resuming
+// to that point will explicitly monitor the new type.
+if (!needsBarrier) {
+MDefinition *replace = ensureDefiniteType(def, observed->getKnownMIRType());
+if (replace != def) {
+current->pop();
+current->push(replace);
+}
+replace->setResultTypeSet(observed);
+return true;
+}
+if (observed->unknown())
+return true;
+current->pop();
+MInstruction *barrier = MTypeBarrier::New(alloc(), def, observed);
+current->add(barrier);
+if (barrier->type() == MIRType_Undefined)
+return pushConstant(UndefinedValue());
+if (barrier->type() == MIRType_Null)
+return pushConstant(NullValue());
+current->push(barrier);
+return true;
+}
+bool
+IonBuilder::pushDOMTypeBarrier(MInstruction *ins, types::TemporaryTypeSet *observed, JSFunction* func)
+{
+JS_ASSERT(func && func->isNative() && func->jitInfo());
+const JSJitInfo *jitinfo = func->jitInfo();
+bool barrier = DOMCallNeedsBarrier(jitinfo, observed);
+// Need to be a bit careful: if jitinfo->returnType is JSVAL_TYPE_DOUBLE but
+// types->getKnownMIRType() is MIRType_Int32, then don't unconditionally
+// unbox as a double.  Instead, go ahead and barrier on having an int type,
+// since we know we need a barrier anyway due to the type mismatch.  This is
+// the only situation in which TI actually has more information about the
+// JSValueType than codegen can, short of jitinfo->returnType just being
+// JSVAL_TYPE_UNKNOWN.
+MDefinition* replace = ins;
+if (jitinfo->returnType() != JSVAL_TYPE_DOUBLE ||
+observed->getKnownMIRType() != MIRType_Int32) {
+replace = ensureDefiniteType(ins, MIRTypeFromValueType(jitinfo->returnType()));
+if (replace != ins) {
+current->pop();
+current->push(replace);
+}
+} else {
+JS_ASSERT(barrier);
+}
+return pushTypeBarrier(replace, observed, barrier);
+}
+MDefinition *
+IonBuilder::ensureDefiniteType(MDefinition *def, MIRType definiteType)
+{
+MInstruction *replace;
+switch (definiteType) {
+case MIRType_Undefined:
+def->setImplicitlyUsedUnchecked();
+replace = MConstant::New(alloc(), UndefinedValue());
+break;
+case MIRType_Null:
+def->setImplicitlyUsedUnchecked();
+replace = MConstant::New(alloc(), NullValue());
+break;
+case MIRType_Value:
+return def;
+default: {
+if (def->type() != MIRType_Value) {
+JS_ASSERT(def->type() == definiteType);
+return def;
+}
+replace = MUnbox::New(alloc(), def, definiteType, MUnbox::Infallible);
+break;
+}
+}
+current->add(replace);
+return replace;
+}
+MDefinition *
+IonBuilder::ensureDefiniteTypeSet(MDefinition *def, types::TemporaryTypeSet *types)
+{
+// We cannot arbitrarily add a typeset to a definition. It can be shared
+// in another path. So we always need to create a new MIR.
+// Use ensureDefiniteType to do unboxing. If that happened the type can
+// be added on the newly created unbox operation.
+MDefinition *replace = ensureDefiniteType(def, types->getKnownMIRType());
+if (replace != def) {
+replace->setResultTypeSet(types);
+return replace;
+}
+// Create a NOP mir instruction to filter the typeset.
+MFilterTypeSet *filter = MFilterTypeSet::New(alloc(), def, types);
+current->add(filter);
+return filter;
+}
+static size_t
+NumFixedSlots(JSObject *object)
+{
+// Note: we can't use object->numFixedSlots() here, as this will read the
+// shape and can race with the main thread if we are building off thread.
+// The allocation kind and object class (which goes through the type) can
+// be read freely, however.
+gc::AllocKind kind = object->tenuredGetAllocKind();
+return gc::GetGCKindSlots(kind, object->getClass());
+}
+bool
+IonBuilder::getStaticName(JSObject *staticObject, PropertyName *name, bool *psucceeded)
+{
+jsid id = NameToId(name);
+JS_ASSERT(staticObject->is<GlobalObject>() || staticObject->is<CallObject>());
+JS_ASSERT(staticObject->hasSingletonType());
+*psucceeded = true;
+if (staticObject->is<GlobalObject>()) {
+// Optimize undefined, NaN, and Infinity.
+if (name == names().undefined)
+return pushConstant(UndefinedValue());
+if (name == names().NaN)
+return pushConstant(compartment->runtime()->NaNValue());
+if (name == names().Infinity)
+return pushConstant(compartment->runtime()->positiveInfinityValue());
+}
+types::TypeObjectKey *staticType = types::TypeObjectKey::get(staticObject);
+if (analysisContext)
+staticType->ensureTrackedProperty(analysisContext, NameToId(name));
+if (staticType->unknownProperties()) {
+*psucceeded = false;
+return true;
+}
+types::HeapTypeSetKey property = staticType->property(id);
+if (!property.maybeTypes() ||
+!property.maybeTypes()->definiteProperty() ||
+property.nonData(constraints()))
+{
+// The property has been reconfigured as non-configurable, non-enumerable
+// or non-writable.
+*psucceeded = false;
+return true;
+}
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+bool barrier = PropertyReadNeedsTypeBarrier(analysisContext, constraints(), staticType,
+name, types, /* updateObserved = */ true);
+JSObject *singleton = types->getSingleton();
+MIRType knownType = types->getKnownMIRType();
+if (!barrier) {
+if (singleton) {
+// Try to inline a known constant value.
+if (testSingletonProperty(staticObject, name) == singleton)
+return pushConstant(ObjectValue(*singleton));
+}
+if (knownType == MIRType_Undefined)
+return pushConstant(UndefinedValue());
+if (knownType == MIRType_Null)
+return pushConstant(NullValue());
+}
+MInstruction *obj = constant(ObjectValue(*staticObject));
+MIRType rvalType = types->getKnownMIRType();
+if (barrier)
+rvalType = MIRType_Value;
+return loadSlot(obj, property.maybeTypes()->definiteSlot(), NumFixedSlots(staticObject),
+rvalType, barrier, types);
+}
+// Whether 'types' includes all possible values represented by input/inputTypes.
+bool
+jit::TypeSetIncludes(types::TypeSet *types, MIRType input, types::TypeSet *inputTypes)
+{
+if (!types)
+return inputTypes && inputTypes->empty();
+switch (input) {
+case MIRType_Undefined:
+case MIRType_Null:
+case MIRType_Boolean:
+case MIRType_Int32:
+case MIRType_Double:
+case MIRType_Float32:
+case MIRType_String:
+case MIRType_MagicOptimizedArguments:
+return types->hasType(types::Type::PrimitiveType(ValueTypeFromMIRType(input)));
+case MIRType_Object:
+return types->unknownObject() || (inputTypes && inputTypes->isSubset(types));
+case MIRType_Value:
+return types->unknown() || (inputTypes && inputTypes->isSubset(types));
+default:
+MOZ_ASSUME_UNREACHABLE("Bad input type");
+}
+}
+// Whether a write of the given value may need a post-write barrier for GC purposes.
+bool
+jit::NeedsPostBarrier(CompileInfo &info, MDefinition *value)
+{
+return info.executionMode() != ParallelExecution && value->mightBeType(MIRType_Object);
+}
+bool
+IonBuilder::setStaticName(JSObject *staticObject, PropertyName *name)
+{
+jsid id = NameToId(name);
+JS_ASSERT(staticObject->is<GlobalObject>() || staticObject->is<CallObject>());
+MDefinition *value = current->peek(-1);
+types::TypeObjectKey *staticType = types::TypeObjectKey::get(staticObject);
+if (staticType->unknownProperties())
+return jsop_setprop(name);
+types::HeapTypeSetKey property = staticType->property(id);
+if (!property.maybeTypes() ||
+!property.maybeTypes()->definiteProperty() ||
+property.nonData(constraints()) ||
+property.nonWritable(constraints()))
+{
+// The property has been reconfigured as non-configurable, non-enumerable
+// or non-writable.
+return jsop_setprop(name);
+}
+if (!TypeSetIncludes(property.maybeTypes(), value->type(), value->resultTypeSet()))
+return jsop_setprop(name);
+current->pop();
+// Pop the bound object on the stack.
+MDefinition *obj = current->pop();
+JS_ASSERT(&obj->toConstant()->value().toObject() == staticObject);
+if (NeedsPostBarrier(info(), value))
+current->add(MPostWriteBarrier::New(alloc(), obj, value));
+// If the property has a known type, we may be able to optimize typed stores by not
+// storing the type tag.
+MIRType slotType = MIRType_None;
+MIRType knownType = property.knownMIRType(constraints());
+if (knownType != MIRType_Value)
+slotType = knownType;
+bool needsBarrier = property.needsBarrier(constraints());
+return storeSlot(obj, property.maybeTypes()->definiteSlot(), NumFixedSlots(staticObject),
+value, needsBarrier, slotType);
+}
+bool
+IonBuilder::jsop_getgname(PropertyName *name)
+{
+JSObject *obj = &script()->global();
+bool succeeded;
+if (!getStaticName(obj, name, &succeeded))
+return false;
+if (succeeded)
+return true;
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+// Spoof the stack to call into the getProp path.
+// First, make sure there's room.
+if (!current->ensureHasSlots(1))
+return false;
+pushConstant(ObjectValue(*obj));
+if (!getPropTryCommonGetter(&succeeded, name, types))
+return false;
+if (succeeded)
+return true;
+// Clean up the pushed global object if we were not sucessful.
+current->pop();
+return jsop_getname(name);
+}
+bool
+IonBuilder::jsop_getname(PropertyName *name)
+{
+MDefinition *object;
+if (js_CodeSpec[*pc].format & JOF_GNAME) {
+MInstruction *global = constant(ObjectValue(script()->global()));
+object = global;
+} else {
+current->push(current->scopeChain());
+object = current->pop();
+}
+MGetNameCache *ins;
+if (JSOp(*GetNextPc(pc)) == JSOP_TYPEOF)
+ins = MGetNameCache::New(alloc(), object, name, MGetNameCache::NAMETYPEOF);
+else
+ins = MGetNameCache::New(alloc(), object, name, MGetNameCache::NAME);
+current->add(ins);
+current->push(ins);
+if (!resumeAfter(ins))
+return false;
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+return pushTypeBarrier(ins, types, true);
+}
+bool
+IonBuilder::jsop_intrinsic(PropertyName *name)
+{
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+// If we haven't executed this opcode yet, we need to get the intrinsic
+// value and monitor the result.
+if (types->empty()) {
+MCallGetIntrinsicValue *ins = MCallGetIntrinsicValue::New(alloc(), name);
+current->add(ins);
+current->push(ins);
+if (!resumeAfter(ins))
+return false;
+return pushTypeBarrier(ins, types, true);
+}
+// Bake in the intrinsic. Make sure that TI agrees with us on the type.
+Value vp;
+JS_ALWAYS_TRUE(script()->global().maybeGetIntrinsicValue(name, &vp));
+JS_ASSERT(types->hasType(types::GetValueType(vp)));
+pushConstant(vp);
+return true;
+}
+bool
+IonBuilder::jsop_bindname(PropertyName *name)
+{
+JS_ASSERT(analysis().usesScopeChain());
+MDefinition *scopeChain = current->scopeChain();
+MBindNameCache *ins = MBindNameCache::New(alloc(), scopeChain, name, script(), pc);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+static MIRType
+GetElemKnownType(bool needsHoleCheck, types::TemporaryTypeSet *types)
+{
+MIRType knownType = types->getKnownMIRType();
+// Null and undefined have no payload so they can't be specialized.
+// Since folding null/undefined while building SSA is not safe (see the
+// comment in IsPhiObservable), we just add an untyped load instruction
+// and rely on pushTypeBarrier and DCE to replace it with a null/undefined
+// constant.
+if (knownType == MIRType_Undefined || knownType == MIRType_Null)
+knownType = MIRType_Value;
+// Different architectures may want typed element reads which require
+// hole checks to be done as either value or typed reads.
+if (needsHoleCheck && !LIRGenerator::allowTypedElementHoleCheck())
+knownType = MIRType_Value;
+return knownType;
+}
+bool
+IonBuilder::jsop_getelem()
+{
+MDefinition *index = current->pop();
+MDefinition *obj = current->pop();
+// Always use a call if we are performing analysis and not actually
+// emitting code, to simplify later analysis.
+if (info().executionModeIsAnalysis()) {
+MInstruction *ins = MCallGetElement::New(alloc(), obj, index);
+current->add(ins);
+current->push(ins);
+if (!resumeAfter(ins))
+return false;
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+return pushTypeBarrier(ins, types, true);
+}
+bool emitted = false;
+if (!getElemTryTypedObject(&emitted, obj, index) || emitted)
+return emitted;
+if (!getElemTryDense(&emitted, obj, index) || emitted)
+return emitted;
+if (!getElemTryTypedStatic(&emitted, obj, index) || emitted)
+return emitted;
+if (!getElemTryTypedArray(&emitted, obj, index) || emitted)
+return emitted;
+if (!getElemTryString(&emitted, obj, index) || emitted)
+return emitted;
+if (!getElemTryArguments(&emitted, obj, index) || emitted)
+return emitted;
+if (!getElemTryArgumentsInlined(&emitted, obj, index) || emitted)
+return emitted;
+if (script()->argumentsHasVarBinding() && obj->mightBeType(MIRType_MagicOptimizedArguments))
+return abort("Type is not definitely lazy arguments.");
+if (!getElemTryCache(&emitted, obj, index) || emitted)
+return emitted;
+// Emit call.
+MInstruction *ins = MCallGetElement::New(alloc(), obj, index);
+current->add(ins);
+current->push(ins);
+if (!resumeAfter(ins))
+return false;
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+return pushTypeBarrier(ins, types, true);
+}
+bool
+IonBuilder::getElemTryTypedObject(bool *emitted, MDefinition *obj, MDefinition *index)
+{
+JS_ASSERT(*emitted == false);
+TypeDescrSet objDescrs;
+if (!lookupTypeDescrSet(obj, &objDescrs))
+return false;
+if (!objDescrs.allOfArrayKind())
+return true;
+TypeDescrSet elemDescrs;
+if (!objDescrs.arrayElementType(*this, &elemDescrs))
+return false;
+if (elemDescrs.empty())
+return true;
+JS_ASSERT(TypeDescr::isSized(elemDescrs.kind()));
+int32_t elemSize;
+if (!elemDescrs.allHaveSameSize(&elemSize))
+return true;
+switch (elemDescrs.kind()) {
+case TypeDescr::X4:
+// FIXME (bug 894105): load into a MIRType_float32x4 etc
+return true;
+case TypeDescr::Struct:
+case TypeDescr::SizedArray:
+return getElemTryComplexElemOfTypedObject(emitted,
+obj,
+index,
+objDescrs,
+elemDescrs,
+elemSize);
+case TypeDescr::Scalar:
+return getElemTryScalarElemOfTypedObject(emitted,
+obj,
+index,
+objDescrs,
+elemDescrs,
+elemSize);
+case TypeDescr::Reference:
+return true;
+case TypeDescr::UnsizedArray:
+MOZ_ASSUME_UNREACHABLE("Unsized arrays cannot be element types");
+}
+MOZ_ASSUME_UNREACHABLE("Bad kind");
+}
+static MIRType
+MIRTypeForTypedArrayRead(ScalarTypeDescr::Type arrayType,
+bool observedDouble);
+bool
+IonBuilder::checkTypedObjectIndexInBounds(int32_t elemSize,
+MDefinition *obj,
+MDefinition *index,
+TypeDescrSet objDescrs,
+MDefinition **indexAsByteOffset,
+bool *canBeNeutered)
+{
+// Ensure index is an integer.
+MInstruction *idInt32 = MToInt32::New(alloc(), index);
+current->add(idInt32);
+// If we know the length statically from the type, just embed it.
+// Otherwise, load it from the appropriate reserved slot on the
+// typed object.  We know it's an int32, so we can convert from
+// Value to int32 using truncation.
+int32_t lenOfAll;
+MDefinition *length;
+if (objDescrs.hasKnownArrayLength(&lenOfAll)) {
+length = constantInt(lenOfAll);
+// If we are not loading the length from the object itself,
+// then we still need to check if the object was neutered.
+*canBeNeutered = true;
+} else {
+MInstruction *lengthValue = MLoadFixedSlot::New(alloc(), obj, JS_TYPEDOBJ_SLOT_LENGTH);
+current->add(lengthValue);
+MInstruction *length32 = MTruncateToInt32::New(alloc(), lengthValue);
+current->add(length32);
+length = length32;
+// If we are loading the length from the object itself,
+// then we do not need an extra neuter check, because the length
+// will have been set to 0 when the object was neutered.
+*canBeNeutered = false;
+}
+index = addBoundsCheck(idInt32, length);
+// Since we passed the bounds check, it is impossible for the
+// result of multiplication to overflow; so enable imul path.
+MMul *mul = MMul::New(alloc(), index, constantInt(elemSize),
+MIRType_Int32, MMul::Integer);
+current->add(mul);
+*indexAsByteOffset = mul;
+return true;
+}
+bool
+IonBuilder::getElemTryScalarElemOfTypedObject(bool *emitted,
+MDefinition *obj,
+MDefinition *index,
+TypeDescrSet objDescrs,
+TypeDescrSet elemDescrs,
+int32_t elemSize)
+{
+JS_ASSERT(objDescrs.allOfArrayKind());
+// Must always be loading the same scalar type
+ScalarTypeDescr::Type elemType;
+if (!elemDescrs.scalarType(&elemType))
+return true;
+JS_ASSERT(elemSize == ScalarTypeDescr::alignment(elemType));
+bool canBeNeutered;
+MDefinition *indexAsByteOffset;
+if (!checkTypedObjectIndexInBounds(elemSize, obj, index, objDescrs,
+&indexAsByteOffset, &canBeNeutered))
+{
+return false;
+}
+return pushScalarLoadFromTypedObject(emitted, obj, indexAsByteOffset, elemType, canBeNeutered);
+}
+bool
+IonBuilder::pushScalarLoadFromTypedObject(bool *emitted,
+MDefinition *obj,
+MDefinition *offset,
+ScalarTypeDescr::Type elemType,
+bool canBeNeutered)
+{
+int32_t size = ScalarTypeDescr::size(elemType);
+JS_ASSERT(size == ScalarTypeDescr::alignment(elemType));
+// Find location within the owner object.
+MDefinition *elements, *scaledOffset;
+loadTypedObjectElements(obj, offset, size, canBeNeutered,
+&elements, &scaledOffset);
+// Load the element.
+MLoadTypedArrayElement *load = MLoadTypedArrayElement::New(alloc(), elements, scaledOffset, elemType);
+current->add(load);
+current->push(load);
+// If we are reading in-bounds elements, we can use knowledge about
+// the array type to determine the result type, even if the opcode has
+// never executed. The known pushed type is only used to distinguish
+// uint32 reads that may produce either doubles or integers.
+types::TemporaryTypeSet *resultTypes = bytecodeTypes(pc);
+bool allowDouble = resultTypes->hasType(types::Type::DoubleType());
+// Note: knownType is not necessarily in resultTypes; e.g. if we
+// have only observed integers coming out of float array.
+MIRType knownType = MIRTypeForTypedArrayRead(elemType, allowDouble);
+// Note: we can ignore the type barrier here, we know the type must
+// be valid and unbarriered. Also, need not set resultTypeSet,
+// because knownType is scalar and a resultTypeSet would provide
+// no useful additional info.
+load->setResultType(knownType);
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::getElemTryComplexElemOfTypedObject(bool *emitted,
+MDefinition *obj,
+MDefinition *index,
+TypeDescrSet objDescrs,
+TypeDescrSet elemDescrs,
+int32_t elemSize)
+{
+JS_ASSERT(objDescrs.allOfArrayKind());
+MDefinition *type = loadTypedObjectType(obj);
+MDefinition *elemTypeObj = typeObjectForElementFromArrayStructType(type);
+bool canBeNeutered;
+MDefinition *indexAsByteOffset;
+if (!checkTypedObjectIndexInBounds(elemSize, obj, index, objDescrs,
+&indexAsByteOffset, &canBeNeutered))
+{
+return false;
+}
+return pushDerivedTypedObject(emitted, obj, indexAsByteOffset,
+elemDescrs, elemTypeObj, canBeNeutered);
+}
+bool
+IonBuilder::pushDerivedTypedObject(bool *emitted,
+MDefinition *obj,
+MDefinition *offset,
+TypeDescrSet derivedTypeDescrs,
+MDefinition *derivedTypeObj,
+bool canBeNeutered)
+{
+// Find location within the owner object.
+MDefinition *owner, *ownerOffset;
+loadTypedObjectData(obj, offset, canBeNeutered, &owner, &ownerOffset);
+// Create the derived typed object.
+MInstruction *derivedTypedObj = MNewDerivedTypedObject::New(alloc(),
+derivedTypeDescrs,
+derivedTypeObj,
+owner,
+ownerOffset);
+current->add(derivedTypedObj);
+current->push(derivedTypedObj);
+// Determine (if possible) the class/proto that `derivedTypedObj`
+// will have. For derived typed objects, the class (transparent vs
+// opaque) will be the same as the incoming object from which the
+// derived typed object is, well, derived. The prototype will be
+// determined based on the type descriptor (and is immutable).
+types::TemporaryTypeSet *objTypes = obj->resultTypeSet();
+const Class *expectedClass = objTypes ? objTypes->getKnownClass() : nullptr;
+JSObject *expectedProto = derivedTypeDescrs.knownPrototype();
+JS_ASSERT_IF(expectedClass, IsTypedObjectClass(expectedClass));
+// Determine (if possible) the class/proto that the observed type set
+// describes.
+types::TemporaryTypeSet *observedTypes = bytecodeTypes(pc);
+const Class *observedClass = observedTypes->getKnownClass();
+JSObject *observedProto = observedTypes->getCommonPrototype();
+// If expectedClass/expectedProto are both non-null (and hence
+// known), we can predict precisely what TI type object
+// derivedTypedObj will have. Therefore, if we observe that this
+// TI type object is already contained in the set of
+// observedTypes, we can skip the barrier.
+//
+// Barriers still wind up being needed in some relatively
+// rare cases:
+//
+// - if multiple kinds of typed objects flow into this point,
+//   in which case we will not be able to predict expectedClass
+//   nor expectedProto.
+//
+// - if the code has never executed, in which case the set of
+//   observed types will be incomplete.
+//
+// Barriers are particularly expensive here because they prevent
+// us from optimizing the MNewDerivedTypedObject away.
+if (observedClass && observedProto && observedClass == expectedClass &&
+observedProto == expectedProto)
+{
+derivedTypedObj->setResultTypeSet(observedTypes);
+} else {
+if (!pushTypeBarrier(derivedTypedObj, observedTypes, true))
+return false;
+}
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::getElemTryDense(bool *emitted, MDefinition *obj, MDefinition *index)
+{
+JS_ASSERT(*emitted == false);
+if (!ElementAccessIsDenseNative(obj, index))
+return true;
+// Don't generate a fast path if there have been bounds check failures
+// and this access might be on a sparse property.
+if (ElementAccessHasExtraIndexedProperty(constraints(), obj) && failedBoundsCheck_)
+return true;
+// Don't generate a fast path if this pc has seen negative indexes accessed,
+// which will not appear to be extra indexed properties.
+if (inspector->hasSeenNegativeIndexGetElement(pc))
+return true;
+// Emit dense getelem variant.
+if (!jsop_getelem_dense(obj, index))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::getElemTryTypedStatic(bool *emitted, MDefinition *obj, MDefinition *index)
+{
+JS_ASSERT(*emitted == false);
+ScalarTypeDescr::Type arrayType;
+if (!ElementAccessIsTypedArray(obj, index, &arrayType))
+return true;
+if (!LIRGenerator::allowStaticTypedArrayAccesses())
+return true;
+if (ElementAccessHasExtraIndexedProperty(constraints(), obj))
+return true;
+if (!obj->resultTypeSet())
+return true;
+JSObject *tarrObj = obj->resultTypeSet()->getSingleton();
+if (!tarrObj)
+return true;
+TypedArrayObject *tarr = &tarrObj->as<TypedArrayObject>();
+types::TypeObjectKey *tarrType = types::TypeObjectKey::get(tarr);
+if (tarrType->unknownProperties())
+return true;
+// LoadTypedArrayElementStatic currently treats uint32 arrays as int32.
+ArrayBufferView::ViewType viewType = (ArrayBufferView::ViewType) tarr->type();
+if (viewType == ArrayBufferView::TYPE_UINT32)
+return true;
+MDefinition *ptr = convertShiftToMaskForStaticTypedArray(index, viewType);
+if (!ptr)
+return true;
+// Emit LoadTypedArrayElementStatic.
+tarrType->watchStateChangeForTypedArrayData(constraints());
+obj->setImplicitlyUsedUnchecked();
+index->setImplicitlyUsedUnchecked();
+MLoadTypedArrayElementStatic *load = MLoadTypedArrayElementStatic::New(alloc(), tarr, ptr);
+current->add(load);
+current->push(load);
+// The load is infallible if an undefined result will be coerced to the
+// appropriate numeric type if the read is out of bounds. The truncation
+// analysis picks up some of these cases, but is incomplete with respect
+// to others. For now, sniff the bytecode for simple patterns following
+// the load which guarantee a truncation or numeric conversion.
+if (viewType == ArrayBufferView::TYPE_FLOAT32 || viewType == ArrayBufferView::TYPE_FLOAT64) {
+jsbytecode *next = pc + JSOP_GETELEM_LENGTH;
+if (*next == JSOP_POS)
+load->setInfallible();
+} else {
+jsbytecode *next = pc + JSOP_GETELEM_LENGTH;
+if (*next == JSOP_ZERO && *(next + JSOP_ZERO_LENGTH) == JSOP_BITOR)
+load->setInfallible();
+}
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::getElemTryTypedArray(bool *emitted, MDefinition *obj, MDefinition *index)
+{
+JS_ASSERT(*emitted == false);
+ScalarTypeDescr::Type arrayType;
+if (!ElementAccessIsTypedArray(obj, index, &arrayType))
+return true;
+// Emit typed getelem variant.
+if (!jsop_getelem_typed(obj, index, arrayType))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::getElemTryString(bool *emitted, MDefinition *obj, MDefinition *index)
+{
+JS_ASSERT(*emitted == false);
+if (obj->type() != MIRType_String || !IsNumberType(index->type()))
+return true;
+// If the index is expected to be out-of-bounds, don't optimize to avoid
+// frequent bailouts.
+if (bytecodeTypes(pc)->hasType(types::Type::UndefinedType()))
+return true;
+// Emit fast path for string[index].
+MInstruction *idInt32 = MToInt32::New(alloc(), index);
+current->add(idInt32);
+index = idInt32;
+MStringLength *length = MStringLength::New(alloc(), obj);
+current->add(length);
+index = addBoundsCheck(index, length);
+MCharCodeAt *charCode = MCharCodeAt::New(alloc(), obj, index);
+current->add(charCode);
+MFromCharCode *result = MFromCharCode::New(alloc(), charCode);
+current->add(result);
+current->push(result);
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::getElemTryArguments(bool *emitted, MDefinition *obj, MDefinition *index)
+{
+JS_ASSERT(*emitted == false);
+if (inliningDepth_ > 0)
+return true;
+if (obj->type() != MIRType_MagicOptimizedArguments)
+return true;
+// Emit GetFrameArgument.
+JS_ASSERT(!info().argsObjAliasesFormals());
+// Type Inference has guaranteed this is an optimized arguments object.
+obj->setImplicitlyUsedUnchecked();
+// To ensure that we are not looking above the number of actual arguments.
+MArgumentsLength *length = MArgumentsLength::New(alloc());
+current->add(length);
+// Ensure index is an integer.
+MInstruction *idInt32 = MToInt32::New(alloc(), index);
+current->add(idInt32);
+index = idInt32;
+// Bailouts if we read more than the number of actual arguments.
+index = addBoundsCheck(index, length);
+// Load the argument from the actual arguments.
+MGetFrameArgument *load = MGetFrameArgument::New(alloc(), index, analysis_.hasSetArg());
+current->add(load);
+current->push(load);
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+if (!pushTypeBarrier(load, types, true))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::getElemTryArgumentsInlined(bool *emitted, MDefinition *obj, MDefinition *index)
+{
+JS_ASSERT(*emitted == false);
+if (inliningDepth_ == 0)
+return true;
+if (obj->type() != MIRType_MagicOptimizedArguments)
+return true;
+// Emit inlined arguments.
+obj->setImplicitlyUsedUnchecked();
+JS_ASSERT(!info().argsObjAliasesFormals());
+// When the id is constant, we can just return the corresponding inlined argument
+if (index->isConstant() && index->toConstant()->value().isInt32()) {
+JS_ASSERT(inliningDepth_ > 0);
+int32_t id = index->toConstant()->value().toInt32();
+index->setImplicitlyUsedUnchecked();
+if (id < (int32_t)inlineCallInfo_->argc() && id >= 0)
+current->push(inlineCallInfo_->getArg(id));
+else
+pushConstant(UndefinedValue());
+*emitted = true;
+return true;
+}
+// inlined not constant not supported, yet.
+return abort("NYI inlined not constant get argument element");
+}
+bool
+IonBuilder::getElemTryCache(bool *emitted, MDefinition *obj, MDefinition *index)
+{
+JS_ASSERT(*emitted == false);
+// Make sure we have at least an object.
+if (!obj->mightBeType(MIRType_Object))
+return true;
+// Don't cache for strings.
+if (obj->mightBeType(MIRType_String))
+return true;
+// Index should be integer or string
+if (!index->mightBeType(MIRType_Int32) && !index->mightBeType(MIRType_String))
+return true;
+// Turn off cacheing if the element is int32 and we've seen non-native objects as the target
+// of this getelem.
+bool nonNativeGetElement = inspector->hasSeenNonNativeGetElement(pc);
+if (index->mightBeType(MIRType_Int32) && nonNativeGetElement)
+return true;
+// Emit GetElementCache.
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+bool barrier = PropertyReadNeedsTypeBarrier(analysisContext, constraints(), obj, nullptr, types);
+// Always add a barrier if the index might be a string, so that the cache
+// can attach stubs for particular properties.
+if (index->mightBeType(MIRType_String))
+barrier = true;
+// See note about always needing a barrier in jsop_getprop.
+if (needsToMonitorMissingProperties(types))
+barrier = true;
+MInstruction *ins = MGetElementCache::New(alloc(), obj, index, barrier);
+current->add(ins);
+current->push(ins);
+if (!resumeAfter(ins))
+return false;
+// Spice up type information.
+if (index->type() == MIRType_Int32 && !barrier) {
+bool needHoleCheck = !ElementAccessIsPacked(constraints(), obj);
+MIRType knownType = GetElemKnownType(needHoleCheck, types);
+if (knownType != MIRType_Value && knownType != MIRType_Double)
+ins->setResultType(knownType);
+}
+if (!pushTypeBarrier(ins, types, barrier))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::jsop_getelem_dense(MDefinition *obj, MDefinition *index)
+{
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+if (JSOp(*pc) == JSOP_CALLELEM && !index->mightBeType(MIRType_String)) {
+// Indexed call on an element of an array. Populate the observed types
+// with any objects that could be in the array, to avoid extraneous
+// type barriers.
+AddObjectsForPropertyRead(obj, nullptr, types);
+}
+bool barrier = PropertyReadNeedsTypeBarrier(analysisContext, constraints(), obj, nullptr, types);
+bool needsHoleCheck = !ElementAccessIsPacked(constraints(), obj);
+// Reads which are on holes in the object do not have to bail out if
+// undefined values have been observed at this access site and the access
+// cannot hit another indexed property on the object or its prototypes.
+bool readOutOfBounds =
+types->hasType(types::Type::UndefinedType()) &&
+!ElementAccessHasExtraIndexedProperty(constraints(), obj);
+MIRType knownType = MIRType_Value;
+if (!barrier)
+knownType = GetElemKnownType(needsHoleCheck, types);
+// Ensure index is an integer.
+MInstruction *idInt32 = MToInt32::New(alloc(), index);
+current->add(idInt32);
+index = idInt32;
+// Get the elements vector.
+MInstruction *elements = MElements::New(alloc(), obj);
+current->add(elements);
+// Note: to help GVN, use the original MElements instruction and not
+// MConvertElementsToDoubles as operand. This is fine because converting
+// elements to double does not change the initialized length.
+MInitializedLength *initLength = MInitializedLength::New(alloc(), elements);
+current->add(initLength);
+// If we can load the element as a definite double, make sure to check that
+// the array has been converted to homogenous doubles first.
+//
+// NB: We disable this optimization in parallel execution mode
+// because it is inherently not threadsafe (how do you convert the
+// array atomically when there might be concurrent readers)?
+types::TemporaryTypeSet *objTypes = obj->resultTypeSet();
+ExecutionMode executionMode = info().executionMode();
+bool loadDouble =
+executionMode == SequentialExecution &&
+!barrier &&
+loopDepth_ &&
+!readOutOfBounds &&
+!needsHoleCheck &&
+knownType == MIRType_Double &&
+objTypes &&
+objTypes->convertDoubleElements(constraints()) == types::TemporaryTypeSet::AlwaysConvertToDoubles;
+if (loadDouble)
+elements = addConvertElementsToDoubles(elements);
+MInstruction *load;
+if (!readOutOfBounds) {
+// This load should not return undefined, so likely we're reading
+// in-bounds elements, and the array is packed or its holes are not
+// read. This is the best case: we can separate the bounds check for
+// hoisting.
+index = addBoundsCheck(index, initLength);
+load = MLoadElement::New(alloc(), elements, index, needsHoleCheck, loadDouble);
+current->add(load);
+} else {
+// This load may return undefined, so assume that we *can* read holes,
+// or that we can read out-of-bounds accesses. In this case, the bounds
+// check is part of the opcode.
+load = MLoadElementHole::New(alloc(), elements, index, initLength, needsHoleCheck);
+current->add(load);
+// If maybeUndefined was true, the typeset must have undefined, and
+// then either additional types or a barrier. This means we should
+// never have a typed version of LoadElementHole.
+JS_ASSERT(knownType == MIRType_Value);
+}
+// If the array is being converted to doubles, but we've observed
+// just int, substitute a type set of int+double into the observed
+// type set. The reason for this is that, in the
+// interpreter+baseline, such arrays may consist of mixed
+// ints/doubles, but when we enter ion code, we will be coercing
+// all inputs to doubles. Therefore, the type barrier checking for
+// just int is highly likely (*almost* guaranteed) to fail sooner
+// or later. Essentially, by eagerly coercing to double, ion is
+// making the observed types outdated. To compensate for this, we
+// substitute a broader observed type set consisting of both ints
+// and doubles. There is perhaps a tradeoff here, so we limit this
+// optimization to parallel code, where it is needed to prevent
+// perpetual bailouts in some extreme cases. (Bug 977853)
+//
+// NB: we have not added a MConvertElementsToDoubles MIR, so we
+// cannot *assume* the result is a double.
+if (executionMode == ParallelExecution &&
+barrier &&
+types->getKnownMIRType() == MIRType_Int32 &&
+objTypes &&
+objTypes->convertDoubleElements(constraints()) == types::TemporaryTypeSet::AlwaysConvertToDoubles)
+{
+// Note: double implies int32 as well for typesets
+types = alloc_->lifoAlloc()->new_<types::TemporaryTypeSet>(types::Type::DoubleType());
+if (!types)
+return false;
+barrier = false; // Don't need a barrier anymore
+}
+if (knownType != MIRType_Value)
+load->setResultType(knownType);
+current->push(load);
+return pushTypeBarrier(load, types, barrier);
+}
+void
+IonBuilder::addTypedArrayLengthAndData(MDefinition *obj,
+BoundsChecking checking,
+MDefinition **index,
+MInstruction **length, MInstruction **elements)
+{
+MOZ_ASSERT((index != nullptr) == (elements != nullptr));
+if (obj->isConstant() && obj->toConstant()->value().isObject()) {
+TypedArrayObject *tarr = &obj->toConstant()->value().toObject().as<TypedArrayObject>();
+void *data = tarr->viewData();
+// Bug 979449 - Optimistically embed the elements and use TI to
+//              invalidate if we move them.
+if (!gc::IsInsideNursery(tarr->runtimeFromMainThread(), data)) {
+// The 'data' pointer can change in rare circumstances
+// (ArrayBufferObject::changeContents).
+types::TypeObjectKey *tarrType = types::TypeObjectKey::get(tarr);
+if (!tarrType->unknownProperties()) {
+tarrType->watchStateChangeForTypedArrayData(constraints());
+obj->setImplicitlyUsedUnchecked();
+int32_t len = SafeCast<int32_t>(tarr->length());
+*length = MConstant::New(alloc(), Int32Value(len));
+current->add(*length);
+if (index) {
+if (checking == DoBoundsCheck)
+*index = addBoundsCheck(*index, *length);
+*elements = MConstantElements::New(alloc(), data);
+current->add(*elements);
+}
+return;
+}
+}
+}
+*length = MTypedArrayLength::New(alloc(), obj);
+current->add(*length);
+if (index) {
+if (checking == DoBoundsCheck)
+*index = addBoundsCheck(*index, *length);
+*elements = MTypedArrayElements::New(alloc(), obj);
+current->add(*elements);
+}
+}
+MDefinition *
+IonBuilder::convertShiftToMaskForStaticTypedArray(MDefinition *id,
+ArrayBufferView::ViewType viewType)
+{
+// No shifting is necessary if the typed array has single byte elements.
+if (TypedArrayShift(viewType) == 0)
+return id;
+// If the index is an already shifted constant, undo the shift to get the
+// absolute offset being accessed.
+if (id->isConstant() && id->toConstant()->value().isInt32()) {
+int32_t index = id->toConstant()->value().toInt32();
+MConstant *offset = MConstant::New(alloc(), Int32Value(index << TypedArrayShift(viewType)));
+current->add(offset);
+return offset;
+}
+if (!id->isRsh() || id->isEffectful())
+return nullptr;
+if (!id->getOperand(1)->isConstant())
+return nullptr;
+const Value &value = id->getOperand(1)->toConstant()->value();
+if (!value.isInt32() || uint32_t(value.toInt32()) != TypedArrayShift(viewType))
+return nullptr;
+// Instead of shifting, mask off the low bits of the index so that
+// a non-scaled access on the typed array can be performed.
+MConstant *mask = MConstant::New(alloc(), Int32Value(~((1 << value.toInt32()) - 1)));
+MBitAnd *ptr = MBitAnd::New(alloc(), id->getOperand(0), mask);
+ptr->infer(nullptr, nullptr);
+JS_ASSERT(!ptr->isEffectful());
+current->add(mask);
+current->add(ptr);
+return ptr;
+}
+static MIRType
+MIRTypeForTypedArrayRead(ScalarTypeDescr::Type arrayType,
+bool observedDouble)
+{
+switch (arrayType) {
+case ScalarTypeDescr::TYPE_INT8:
+case ScalarTypeDescr::TYPE_UINT8:
+case ScalarTypeDescr::TYPE_UINT8_CLAMPED:
+case ScalarTypeDescr::TYPE_INT16:
+case ScalarTypeDescr::TYPE_UINT16:
+case ScalarTypeDescr::TYPE_INT32:
+return MIRType_Int32;
+case ScalarTypeDescr::TYPE_UINT32:
+return observedDouble ? MIRType_Double : MIRType_Int32;
+case ScalarTypeDescr::TYPE_FLOAT32:
+return (LIRGenerator::allowFloat32Optimizations()) ? MIRType_Float32 : MIRType_Double;
+case ScalarTypeDescr::TYPE_FLOAT64:
+return MIRType_Double;
+}
+MOZ_ASSUME_UNREACHABLE("Unknown typed array type");
+}
+bool
+IonBuilder::jsop_getelem_typed(MDefinition *obj, MDefinition *index,
+ScalarTypeDescr::Type arrayType)
+{
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+bool maybeUndefined = types->hasType(types::Type::UndefinedType());
+// Reading from an Uint32Array will result in a double for values
+// that don't fit in an int32. We have to bailout if this happens
+// and the instruction is not known to return a double.
+bool allowDouble = types->hasType(types::Type::DoubleType());
+// Ensure id is an integer.
+MInstruction *idInt32 = MToInt32::New(alloc(), index);
+current->add(idInt32);
+index = idInt32;
+if (!maybeUndefined) {
+// Assume the index is in range, so that we can hoist the length,
+// elements vector and bounds check.
+// If we are reading in-bounds elements, we can use knowledge about
+// the array type to determine the result type, even if the opcode has
+// never executed. The known pushed type is only used to distinguish
+// uint32 reads that may produce either doubles or integers.
+MIRType knownType = MIRTypeForTypedArrayRead(arrayType, allowDouble);
+// Get length, bounds-check, then get elements, and add all instructions.
+MInstruction *length;
+MInstruction *elements;
+addTypedArrayLengthAndData(obj, DoBoundsCheck, &index, &length, &elements);
+// Load the element.
+MLoadTypedArrayElement *load = MLoadTypedArrayElement::New(alloc(), elements, index, arrayType);
+current->add(load);
+current->push(load);
+// Note: we can ignore the type barrier here, we know the type must
+// be valid and unbarriered.
+load->setResultType(knownType);
+return true;
+} else {
+// We need a type barrier if the array's element type has never been
+// observed (we've only read out-of-bounds values). Note that for
+// Uint32Array, we only check for int32: if allowDouble is false we
+// will bailout when we read a double.
+bool needsBarrier = true;
+switch (arrayType) {
+case ScalarTypeDescr::TYPE_INT8:
+case ScalarTypeDescr::TYPE_UINT8:
+case ScalarTypeDescr::TYPE_UINT8_CLAMPED:
+case ScalarTypeDescr::TYPE_INT16:
+case ScalarTypeDescr::TYPE_UINT16:
+case ScalarTypeDescr::TYPE_INT32:
+case ScalarTypeDescr::TYPE_UINT32:
+if (types->hasType(types::Type::Int32Type()))
+needsBarrier = false;
+break;
+case ScalarTypeDescr::TYPE_FLOAT32:
+case ScalarTypeDescr::TYPE_FLOAT64:
+if (allowDouble)
+needsBarrier = false;
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("Unknown typed array type");
+}
+// Assume we will read out-of-bound values. In this case the
+// bounds check will be part of the instruction, and the instruction
+// will always return a Value.
+MLoadTypedArrayElementHole *load =
+MLoadTypedArrayElementHole::New(alloc(), obj, index, arrayType, allowDouble);
+current->add(load);
+current->push(load);
+return pushTypeBarrier(load, types, needsBarrier);
+}
+}
+bool
+IonBuilder::jsop_setelem()
+{
+bool emitted = false;
+MDefinition *value = current->pop();
+MDefinition *index = current->pop();
+MDefinition *object = current->pop();
+if (!setElemTryTypedObject(&emitted, object, index, value) || emitted)
+return emitted;
+if (!setElemTryTypedStatic(&emitted, object, index, value) || emitted)
+return emitted;
+if (!setElemTryTypedArray(&emitted, object, index, value) || emitted)
+return emitted;
+if (!setElemTryDense(&emitted, object, index, value) || emitted)
+return emitted;
+if (!setElemTryArguments(&emitted, object, index, value) || emitted)
+return emitted;
+if (script()->argumentsHasVarBinding() && object->mightBeType(MIRType_MagicOptimizedArguments))
+return abort("Type is not definitely lazy arguments.");
+if (!setElemTryCache(&emitted, object, index, value) || emitted)
+return emitted;
+// Emit call.
+MInstruction *ins = MCallSetElement::New(alloc(), object, index, value);
+current->add(ins);
+current->push(value);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::setElemTryTypedObject(bool *emitted, MDefinition *obj,
+MDefinition *index, MDefinition *value)
+{
+JS_ASSERT(*emitted == false);
+TypeDescrSet objTypeDescrs;
+if (!lookupTypeDescrSet(obj, &objTypeDescrs))
+return false;
+if (!objTypeDescrs.allOfArrayKind())
+return true;
+TypeDescrSet elemTypeDescrs;
+if (!objTypeDescrs.arrayElementType(*this, &elemTypeDescrs))
+return false;
+if (elemTypeDescrs.empty())
+return true;
+JS_ASSERT(TypeDescr::isSized(elemTypeDescrs.kind()));
+int32_t elemSize;
+if (!elemTypeDescrs.allHaveSameSize(&elemSize))
+return true;
+switch (elemTypeDescrs.kind()) {
+case TypeDescr::X4:
+// FIXME (bug 894105): store a MIRType_float32x4 etc
+return true;
+case TypeDescr::Reference:
+case TypeDescr::Struct:
+case TypeDescr::SizedArray:
+case TypeDescr::UnsizedArray:
+// For now, only optimize storing scalars.
+return true;
+case TypeDescr::Scalar:
+return setElemTryScalarElemOfTypedObject(emitted,
+obj,
+index,
+objTypeDescrs,
+value,
+elemTypeDescrs,
+elemSize);
+}
+MOZ_ASSUME_UNREACHABLE("Bad kind");
+}
+bool
+IonBuilder::setElemTryScalarElemOfTypedObject(bool *emitted,
+MDefinition *obj,
+MDefinition *index,
+TypeDescrSet objTypeDescrs,
+MDefinition *value,
+TypeDescrSet elemTypeDescrs,
+int32_t elemSize)
+{
+// Must always be loading the same scalar type
+ScalarTypeDescr::Type elemType;
+if (!elemTypeDescrs.scalarType(&elemType))
+return true;
+JS_ASSERT(elemSize == ScalarTypeDescr::alignment(elemType));
+bool canBeNeutered;
+MDefinition *indexAsByteOffset;
+if (!checkTypedObjectIndexInBounds(elemSize, obj, index, objTypeDescrs,
+&indexAsByteOffset, &canBeNeutered))
+{
+return false;
+}
+// Store the element
+if (!storeScalarTypedObjectValue(obj, indexAsByteOffset, elemType, canBeNeutered, false, value))
+return false;
+current->push(value);
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::setElemTryTypedStatic(bool *emitted, MDefinition *object,
+MDefinition *index, MDefinition *value)
+{
+JS_ASSERT(*emitted == false);
+ScalarTypeDescr::Type arrayType;
+if (!ElementAccessIsTypedArray(object, index, &arrayType))
+return true;
+if (!LIRGenerator::allowStaticTypedArrayAccesses())
+return true;
+if (ElementAccessHasExtraIndexedProperty(constraints(), object))
+return true;
+if (!object->resultTypeSet())
+return true;
+JSObject *tarrObj = object->resultTypeSet()->getSingleton();
+if (!tarrObj)
+return true;
+TypedArrayObject *tarr = &tarrObj->as<TypedArrayObject>();
+types::TypeObjectKey *tarrType = types::TypeObjectKey::get(tarr);
+if (tarrType->unknownProperties())
+return true;
+ArrayBufferView::ViewType viewType = (ArrayBufferView::ViewType) tarr->type();
+MDefinition *ptr = convertShiftToMaskForStaticTypedArray(index, viewType);
+if (!ptr)
+return true;
+// Emit StoreTypedArrayElementStatic.
+tarrType->watchStateChangeForTypedArrayData(constraints());
+object->setImplicitlyUsedUnchecked();
+index->setImplicitlyUsedUnchecked();
+// Clamp value to [0, 255] for Uint8ClampedArray.
+MDefinition *toWrite = value;
+if (viewType == ArrayBufferView::TYPE_UINT8_CLAMPED) {
+toWrite = MClampToUint8::New(alloc(), value);
+current->add(toWrite->toInstruction());
+}
+MInstruction *store = MStoreTypedArrayElementStatic::New(alloc(), tarr, ptr, toWrite);
+current->add(store);
+current->push(value);
+if (!resumeAfter(store))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::setElemTryTypedArray(bool *emitted, MDefinition *object,
+MDefinition *index, MDefinition *value)
+{
+JS_ASSERT(*emitted == false);
+ScalarTypeDescr::Type arrayType;
+if (!ElementAccessIsTypedArray(object, index, &arrayType))
+return true;
+// Emit typed setelem variant.
+if (!jsop_setelem_typed(arrayType, SetElem_Normal, object, index, value))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::setElemTryDense(bool *emitted, MDefinition *object,
+MDefinition *index, MDefinition *value)
+{
+JS_ASSERT(*emitted == false);
+if (!ElementAccessIsDenseNative(object, index))
+return true;
+if (PropertyWriteNeedsTypeBarrier(alloc(), constraints(), current,
+&object, nullptr, &value, /* canModify = */ true))
+{
+return true;
+}
+if (!object->resultTypeSet())
+return true;
+types::TemporaryTypeSet::DoubleConversion conversion =
+object->resultTypeSet()->convertDoubleElements(constraints());
+// If AmbiguousDoubleConversion, only handle int32 values for now.
+if (conversion == types::TemporaryTypeSet::AmbiguousDoubleConversion &&
+value->type() != MIRType_Int32)
+{
+return true;
+}
+// Don't generate a fast path if there have been bounds check failures
+// and this access might be on a sparse property.
+if (ElementAccessHasExtraIndexedProperty(constraints(), object) && failedBoundsCheck_)
+return true;
+// Emit dense setelem variant.
+if (!jsop_setelem_dense(conversion, SetElem_Normal, object, index, value))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::setElemTryArguments(bool *emitted, MDefinition *object,
+MDefinition *index, MDefinition *value)
+{
+JS_ASSERT(*emitted == false);
+if (object->type() != MIRType_MagicOptimizedArguments)
+return true;
+// Arguments are not supported yet.
+return abort("NYI arguments[]=");
+}
+bool
+IonBuilder::setElemTryCache(bool *emitted, MDefinition *object,
+MDefinition *index, MDefinition *value)
+{
+JS_ASSERT(*emitted == false);
+if (!object->mightBeType(MIRType_Object))
+return true;
+if (!index->mightBeType(MIRType_Int32) && !index->mightBeType(MIRType_String))
+return true;
+// TODO: Bug 876650: remove this check:
+// Temporary disable the cache if non dense native,
+// until the cache supports more ics
+SetElemICInspector icInspect(inspector->setElemICInspector(pc));
+if (!icInspect.sawDenseWrite() && !icInspect.sawTypedArrayWrite())
+return true;
+if (PropertyWriteNeedsTypeBarrier(alloc(), constraints(), current,
+&object, nullptr, &value, /* canModify = */ true))
+{
+return true;
+}
+// We can avoid worrying about holes in the IC if we know a priori we are safe
+// from them. If TI can guard that there are no indexed properties on the prototype
+// chain, we know that we anen't missing any setters by overwriting the hole with
+// another value.
+bool guardHoles = ElementAccessHasExtraIndexedProperty(constraints(), object);
+if (NeedsPostBarrier(info(), value))
+current->add(MPostWriteBarrier::New(alloc(), object, value));
+// Emit SetElementCache.
+MInstruction *ins = MSetElementCache::New(alloc(), object, index, value, script()->strict(), guardHoles);
+current->add(ins);
+current->push(value);
+if (!resumeAfter(ins))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::jsop_setelem_dense(types::TemporaryTypeSet::DoubleConversion conversion,
+SetElemSafety safety,
+MDefinition *obj, MDefinition *id, MDefinition *value)
+{
+MIRType elementType = DenseNativeElementType(constraints(), obj);
+bool packed = ElementAccessIsPacked(constraints(), obj);
+// Writes which are on holes in the object do not have to bail out if they
+// cannot hit another indexed property on the object or its prototypes.
+bool writeOutOfBounds = !ElementAccessHasExtraIndexedProperty(constraints(), obj);
+if (NeedsPostBarrier(info(), value))
+current->add(MPostWriteBarrier::New(alloc(), obj, value));
+// Ensure id is an integer.
+MInstruction *idInt32 = MToInt32::New(alloc(), id);
+current->add(idInt32);
+id = idInt32;
+// Get the elements vector.
+MElements *elements = MElements::New(alloc(), obj);
+current->add(elements);
+// Ensure the value is a double, if double conversion might be needed.
+MDefinition *newValue = value;
+switch (conversion) {
+case types::TemporaryTypeSet::AlwaysConvertToDoubles:
+case types::TemporaryTypeSet::MaybeConvertToDoubles: {
+MInstruction *valueDouble = MToDouble::New(alloc(), value);
+current->add(valueDouble);
+newValue = valueDouble;
+break;
+}
+case types::TemporaryTypeSet::AmbiguousDoubleConversion: {
+JS_ASSERT(value->type() == MIRType_Int32);
+MInstruction *maybeDouble = MMaybeToDoubleElement::New(alloc(), elements, value);
+current->add(maybeDouble);
+newValue = maybeDouble;
+break;
+}
+case types::TemporaryTypeSet::DontConvertToDoubles:
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("Unknown double conversion");
+}
+bool writeHole = false;
+if (safety == SetElem_Normal) {
+SetElemICInspector icInspect(inspector->setElemICInspector(pc));
+writeHole = icInspect.sawOOBDenseWrite();
+}
+// Use MStoreElementHole if this SETELEM has written to out-of-bounds
+// indexes in the past. Otherwise, use MStoreElement so that we can hoist
+// the initialized length and bounds check.
+MStoreElementCommon *store;
+if (writeHole && writeOutOfBounds) {
+JS_ASSERT(safety == SetElem_Normal);
+MStoreElementHole *ins = MStoreElementHole::New(alloc(), obj, elements, id, newValue);
+store = ins;
+current->add(ins);
+current->push(value);
+if (!resumeAfter(ins))
+return false;
+} else {
+MInitializedLength *initLength = MInitializedLength::New(alloc(), elements);
+current->add(initLength);
+bool needsHoleCheck;
+if (safety == SetElem_Normal) {
+id = addBoundsCheck(id, initLength);
+needsHoleCheck = !packed && !writeOutOfBounds;
+} else {
+needsHoleCheck = false;
+}
+MStoreElement *ins = MStoreElement::New(alloc(), elements, id, newValue, needsHoleCheck);
+store = ins;
+if (safety == SetElem_Unsafe)
+ins->setRacy();
+current->add(ins);
+if (safety == SetElem_Normal)
+current->push(value);
+if (!resumeAfter(ins))
+return false;
+}
+// Determine whether a write barrier is required.
+if (obj->resultTypeSet()->propertyNeedsBarrier(constraints(), JSID_VOID))
+store->setNeedsBarrier();
+if (elementType != MIRType_None && packed)
+store->setElementType(elementType);
+return true;
+}
+bool
+IonBuilder::jsop_setelem_typed(ScalarTypeDescr::Type arrayType,
+SetElemSafety safety,
+MDefinition *obj, MDefinition *id, MDefinition *value)
+{
+bool expectOOB;
+if (safety == SetElem_Normal) {
+SetElemICInspector icInspect(inspector->setElemICInspector(pc));
+expectOOB = icInspect.sawOOBTypedArrayWrite();
+} else {
+expectOOB = false;
+}
+if (expectOOB)
+spew("Emitting OOB TypedArray SetElem");
+// Ensure id is an integer.
+MInstruction *idInt32 = MToInt32::New(alloc(), id);
+current->add(idInt32);
+id = idInt32;
+// Get length, bounds-check, then get elements, and add all instructions.
+MInstruction *length;
+MInstruction *elements;
+BoundsChecking checking = (!expectOOB && safety == SetElem_Normal)
+? DoBoundsCheck
+: SkipBoundsCheck;
+addTypedArrayLengthAndData(obj, checking, &id, &length, &elements);
+// Clamp value to [0, 255] for Uint8ClampedArray.
+MDefinition *toWrite = value;
+if (arrayType == ScalarTypeDescr::TYPE_UINT8_CLAMPED) {
+toWrite = MClampToUint8::New(alloc(), value);
+current->add(toWrite->toInstruction());
+}
+// Store the value.
+MInstruction *ins;
+if (expectOOB) {
+ins = MStoreTypedArrayElementHole::New(alloc(), elements, length, id, toWrite, arrayType);
+} else {
+MStoreTypedArrayElement *store =
+MStoreTypedArrayElement::New(alloc(), elements, id, toWrite, arrayType);
+if (safety == SetElem_Unsafe)
+store->setRacy();
+ins = store;
+}
+current->add(ins);
+if (safety == SetElem_Normal)
+current->push(value);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_setelem_typed_object(ScalarTypeDescr::Type arrayType,
+SetElemSafety safety,
+bool racy,
+MDefinition *object, MDefinition *index, MDefinition *value)
+{
+JS_ASSERT(safety == SetElem_Unsafe); // Can be fixed, but there's been no reason to as of yet
+MInstruction *int_index = MToInt32::New(alloc(), index);
+current->add(int_index);
+size_t elemSize = ScalarTypeDescr::alignment(arrayType);
+MMul *byteOffset = MMul::New(alloc(), int_index, constantInt(elemSize),
+MIRType_Int32, MMul::Integer);
+current->add(byteOffset);
+if (!storeScalarTypedObjectValue(object, byteOffset, arrayType, false, racy, value))
+return false;
+return true;
+}
+bool
+IonBuilder::jsop_length()
+{
+if (jsop_length_fastPath())
+return true;
+PropertyName *name = info().getAtom(pc)->asPropertyName();
+return jsop_getprop(name);
+}
+bool
+IonBuilder::jsop_length_fastPath()
+{
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+if (types->getKnownMIRType() != MIRType_Int32)
+return false;
+MDefinition *obj = current->peek(-1);
+if (obj->mightBeType(MIRType_String)) {
+if (obj->mightBeType(MIRType_Object))
+return false;
+current->pop();
+MStringLength *ins = MStringLength::New(alloc(), obj);
+current->add(ins);
+current->push(ins);
+return true;
+}
+if (obj->mightBeType(MIRType_Object)) {
+types::TemporaryTypeSet *objTypes = obj->resultTypeSet();
+if (objTypes &&
+objTypes->getKnownClass() == &ArrayObject::class_ &&
+!objTypes->hasObjectFlags(constraints(), types::OBJECT_FLAG_LENGTH_OVERFLOW))
+{
+current->pop();
+MElements *elements = MElements::New(alloc(), obj);
+current->add(elements);
+// Read length.
+MArrayLength *length = MArrayLength::New(alloc(), elements);
+current->add(length);
+current->push(length);
+return true;
+}
+if (objTypes && objTypes->getTypedArrayType() != ScalarTypeDescr::TYPE_MAX) {
+current->pop();
+MInstruction *length = addTypedArrayLength(obj);
+current->push(length);
+return true;
+}
+}
+return false;
+}
+bool
+IonBuilder::jsop_arguments()
+{
+if (info().needsArgsObj()) {
+current->push(current->argumentsObject());
+return true;
+}
+JS_ASSERT(lazyArguments_);
+current->push(lazyArguments_);
+return true;
+}
+bool
+IonBuilder::jsop_arguments_length()
+{
+// Type Inference has guaranteed this is an optimized arguments object.
+MDefinition *args = current->pop();
+args->setImplicitlyUsedUnchecked();
+// We don't know anything from the callee
+if (inliningDepth_ == 0) {
+MInstruction *ins = MArgumentsLength::New(alloc());
+current->add(ins);
+current->push(ins);
+return true;
+}
+// We are inlining and know the number of arguments the callee pushed
+return pushConstant(Int32Value(inlineCallInfo_->argv().length()));
+}
+bool
+IonBuilder::jsop_rest()
+{
+JSObject *templateObject = inspector->getTemplateObject(pc);
+JS_ASSERT(templateObject->is<ArrayObject>());
+if (inliningDepth_ == 0) {
+// We don't know anything about the callee.
+MArgumentsLength *numActuals = MArgumentsLength::New(alloc());
+current->add(numActuals);
+// Pass in the number of actual arguments, the number of formals (not
+// including the rest parameter slot itself), and the template object.
+MRest *rest = MRest::New(alloc(), constraints(), numActuals, info().nargs() - 1,
+templateObject);
+current->add(rest);
+current->push(rest);
+return true;
+}
+// We know the exact number of arguments the callee pushed.
+unsigned numActuals = inlineCallInfo_->argv().length();
+unsigned numFormals = info().nargs() - 1;
+unsigned numRest = numActuals > numFormals ? numActuals - numFormals : 0;
+MNewArray *array = MNewArray::New(alloc(), constraints(), numRest, templateObject,
+templateObject->type()->initialHeap(constraints()),
+MNewArray::NewArray_Allocating);
+current->add(array);
+if (numRest == 0) {
+// No more updating to do. (Note that in this one case the length from
+// the template object is already correct.)
+current->push(array);
+return true;
+}
+MElements *elements = MElements::New(alloc(), array);
+current->add(elements);
+// Unroll the argument copy loop. We don't need to do any bounds or hole
+// checking here.
+MConstant *index = nullptr;
+for (unsigned i = numFormals; i < numActuals; i++) {
+index = MConstant::New(alloc(), Int32Value(i - numFormals));
+current->add(index);
+MDefinition *arg = inlineCallInfo_->argv()[i];
+MStoreElement *store = MStoreElement::New(alloc(), elements, index, arg,
+/* needsHoleCheck = */ false);
+current->add(store);
+if (NeedsPostBarrier(info(), arg))
+current->add(MPostWriteBarrier::New(alloc(), array, arg));
+}
+// The array's length is incorrectly 0 now, from the template object
+// created by BaselineCompiler::emit_JSOP_REST() before the actual argument
+// count was known. Set the correct length now that we know that count.
+MSetArrayLength *length = MSetArrayLength::New(alloc(), elements, index);
+current->add(length);
+// Update the initialized length for all the (necessarily non-hole)
+// elements added.
+MSetInitializedLength *initLength = MSetInitializedLength::New(alloc(), elements, index);
+current->add(initLength);
+current->push(array);
+return true;
+}
+bool
+IonBuilder::getDefiniteSlot(types::TemporaryTypeSet *types, PropertyName *name,
+types::HeapTypeSetKey *property)
+{
+if (!types || types->unknownObject() || types->getObjectCount() != 1)
+return false;
+types::TypeObjectKey *type = types->getObject(0);
+if (type->unknownProperties() || type->singleton())
+return false;
+jsid id = NameToId(name);
+*property = type->property(id);
+return property->maybeTypes() &&
+property->maybeTypes()->definiteProperty() &&
+!property->nonData(constraints());
+}
+bool
+IonBuilder::jsop_runonce()
+{
+MRunOncePrologue *ins = MRunOncePrologue::New(alloc());
+current->add(ins);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_not()
+{
+MDefinition *value = current->pop();
+MNot *ins = MNot::New(alloc(), value);
+current->add(ins);
+current->push(ins);
+ins->infer();
+return true;
+}
+bool
+IonBuilder::objectsHaveCommonPrototype(types::TemporaryTypeSet *types, PropertyName *name,
+bool isGetter, JSObject *foundProto)
+{
+// With foundProto a prototype with a getter or setter for name, return
+// whether looking up name on any object in |types| will go through
+// foundProto, i.e. all the objects have foundProto on their prototype
+// chain and do not have a property for name before reaching foundProto.
+// No sense looking if we don't know what's going on.
+if (!types || types->unknownObject())
+return false;
+for (unsigned i = 0; i < types->getObjectCount(); i++) {
+if (types->getSingleObject(i) == foundProto)
+continue;
+types::TypeObjectKey *type = types->getObject(i);
+if (!type)
+continue;
+while (type) {
+if (type->unknownProperties())
+return false;
+const Class *clasp = type->clasp();
+if (!ClassHasEffectlessLookup(clasp, name) || ClassHasResolveHook(compartment, clasp, name))
+return false;
+// Look for a getter/setter on the class itself which may need
+// to be called. Ignore the getGeneric hook for typed arrays, it
+// only handles integers and forwards names to the prototype.
+if (isGetter && clasp->ops.getGeneric && !IsTypedArrayClass(clasp))
+return false;
+if (!isGetter && clasp->ops.setGeneric)
+return false;
+// Test for isOwnProperty() without freezing. If we end up
+// optimizing, freezePropertiesForCommonPropFunc will freeze the
+// property type sets later on.
+types::HeapTypeSetKey property = type->property(NameToId(name));
+if (types::TypeSet *types = property.maybeTypes()) {
+if (!types->empty() || types->nonDataProperty())
+return false;
+}
+if (JSObject *obj = type->singleton()) {
+if (types::CanHaveEmptyPropertyTypesForOwnProperty(obj))
+return false;
+}
+if (!type->hasTenuredProto())
+return false;
+JSObject *proto = type->proto().toObjectOrNull();
+if (proto == foundProto)
+break;
+if (!proto) {
+// The foundProto being searched for did not show up on the
+// object's prototype chain.
+return false;
+}
+type = types::TypeObjectKey::get(type->proto().toObjectOrNull());
+}
+}
+return true;
+}
+void
+IonBuilder::freezePropertiesForCommonPrototype(types::TemporaryTypeSet *types, PropertyName *name,
+JSObject *foundProto)
+{
+for (unsigned i = 0; i < types->getObjectCount(); i++) {
+// If we found a Singleton object's own-property, there's nothing to
+// freeze.
+if (types->getSingleObject(i) == foundProto)
+continue;
+types::TypeObjectKey *type = types->getObject(i);
+if (!type)
+continue;
+while (true) {
+types::HeapTypeSetKey property = type->property(NameToId(name));
+JS_ALWAYS_TRUE(!property.isOwnProperty(constraints()));
+// Don't mark the proto. It will be held down by the shape
+// guard. This allows us to use properties found on prototypes
+// with properties unknown to TI.
+if (type->proto() == foundProto)
+break;
+type = types::TypeObjectKey::get(type->proto().toObjectOrNull());
+}
+}
+}
+inline MDefinition *
+IonBuilder::testCommonGetterSetter(types::TemporaryTypeSet *types, PropertyName *name,
+bool isGetter, JSObject *foundProto, Shape *lastProperty)
+{
+// Check if all objects being accessed will lookup the name through foundProto.
+if (!objectsHaveCommonPrototype(types, name, isGetter, foundProto))
+return nullptr;
+// We can optimize the getter/setter, so freeze all involved properties to
+// ensure there isn't a lower shadowing getter or setter installed in the
+// future.
+freezePropertiesForCommonPrototype(types, name, foundProto);
+// Add a shape guard on the prototype we found the property on. The rest of
+// the prototype chain is guarded by TI freezes. Note that a shape guard is
+// good enough here, even in the proxy case, because we have ensured there
+// are no lookup hooks for this property.
+MInstruction *wrapper = constant(ObjectValue(*foundProto));
+return addShapeGuard(wrapper, lastProperty, Bailout_ShapeGuard);
+}
+bool
+IonBuilder::annotateGetPropertyCache(MDefinition *obj, MGetPropertyCache *getPropCache,
+types::TemporaryTypeSet *objTypes,
+types::TemporaryTypeSet *pushedTypes)
+{
+PropertyName *name = getPropCache->name();
+// Ensure every pushed value is a singleton.
+if (pushedTypes->unknownObject() || pushedTypes->baseFlags() != 0)
+return true;
+for (unsigned i = 0; i < pushedTypes->getObjectCount(); i++) {
+if (pushedTypes->getTypeObject(i) != nullptr)
+return true;
+}
+// Object's typeset should be a proper object
+if (!objTypes || objTypes->baseFlags() || objTypes->unknownObject())
+return true;
+unsigned int objCount = objTypes->getObjectCount();
+if (objCount == 0)
+return true;
+InlinePropertyTable *inlinePropTable = getPropCache->initInlinePropertyTable(alloc(), pc);
+if (!inlinePropTable)
+return false;
+// Ensure that the relevant property typeset for each type object is
+// is a single-object typeset containing a JSFunction
+for (unsigned int i = 0; i < objCount; i++) {
+types::TypeObject *baseTypeObj = objTypes->getTypeObject(i);
+if (!baseTypeObj)
+continue;
+types::TypeObjectKey *typeObj = types::TypeObjectKey::get(baseTypeObj);
+if (typeObj->unknownProperties() || !typeObj->hasTenuredProto() || !typeObj->proto().isObject())
+continue;
+const Class *clasp = typeObj->clasp();
+if (!ClassHasEffectlessLookup(clasp, name) || ClassHasResolveHook(compartment, clasp, name))
+continue;
+types::HeapTypeSetKey ownTypes = typeObj->property(NameToId(name));
+if (ownTypes.isOwnProperty(constraints()))
+continue;
+JSObject *singleton = testSingletonProperty(typeObj->proto().toObject(), name);
+if (!singleton || !singleton->is<JSFunction>())
+continue;
+// Don't add cases corresponding to non-observed pushes
+if (!pushedTypes->hasType(types::Type::ObjectType(singleton)))
+continue;
+if (!inlinePropTable->addEntry(alloc(), baseTypeObj, &singleton->as<JSFunction>()))
+return false;
+}
+if (inlinePropTable->numEntries() == 0) {
+getPropCache->clearInlinePropertyTable();
+return true;
+}
+#ifdef DEBUG
+if (inlinePropTable->numEntries() > 0)
+IonSpew(IonSpew_Inlining, "Annotated GetPropertyCache with %d/%d inline cases",
+(int) inlinePropTable->numEntries(), (int) objCount);
+#endif
+// If we successfully annotated the GetPropertyCache and there are inline cases,
+// then keep a resume point of the state right before this instruction for use
+// later when we have to bail out to this point in the fallback case of a
+// PolyInlineDispatch.
+if (inlinePropTable->numEntries() > 0) {
+// Push the object back onto the stack temporarily to capture the resume point.
+current->push(obj);
+MResumePoint *resumePoint = MResumePoint::New(alloc(), current, pc, callerResumePoint_,
+MResumePoint::ResumeAt);
+if (!resumePoint)
+return false;
+inlinePropTable->setPriorResumePoint(resumePoint);
+current->pop();
+}
+return true;
+}
+// Returns true if an idempotent cache has ever invalidated this script
+// or an outer script.
+bool
+IonBuilder::invalidatedIdempotentCache()
+{
+IonBuilder *builder = this;
+do {
+if (builder->script()->invalidatedIdempotentCache())
+return true;
+builder = builder->callerBuilder_;
+} while (builder);
+return false;
+}
+bool
+IonBuilder::loadSlot(MDefinition *obj, size_t slot, size_t nfixed, MIRType rvalType,
+bool barrier, types::TemporaryTypeSet *types)
+{
+if (slot < nfixed) {
+MLoadFixedSlot *load = MLoadFixedSlot::New(alloc(), obj, slot);
+current->add(load);
+current->push(load);
+load->setResultType(rvalType);
+return pushTypeBarrier(load, types, barrier);
+}
+MSlots *slots = MSlots::New(alloc(), obj);
+current->add(slots);
+MLoadSlot *load = MLoadSlot::New(alloc(), slots, slot - nfixed);
+current->add(load);
+current->push(load);
+load->setResultType(rvalType);
+return pushTypeBarrier(load, types, barrier);
+}
+bool
+IonBuilder::loadSlot(MDefinition *obj, Shape *shape, MIRType rvalType,
+bool barrier, types::TemporaryTypeSet *types)
+{
+return loadSlot(obj, shape->slot(), shape->numFixedSlots(), rvalType, barrier, types);
+}
+bool
+IonBuilder::storeSlot(MDefinition *obj, size_t slot, size_t nfixed,
+MDefinition *value, bool needsBarrier,
+MIRType slotType /* = MIRType_None */)
+{
+if (slot < nfixed) {
+MStoreFixedSlot *store = MStoreFixedSlot::New(alloc(), obj, slot, value);
+current->add(store);
+current->push(value);
+if (needsBarrier)
+store->setNeedsBarrier();
+return resumeAfter(store);
+}
+MSlots *slots = MSlots::New(alloc(), obj);
+current->add(slots);
+MStoreSlot *store = MStoreSlot::New(alloc(), slots, slot - nfixed, value);
+current->add(store);
+current->push(value);
+if (needsBarrier)
+store->setNeedsBarrier();
+if (slotType != MIRType_None)
+store->setSlotType(slotType);
+return resumeAfter(store);
+}
+bool
+IonBuilder::storeSlot(MDefinition *obj, Shape *shape, MDefinition *value, bool needsBarrier,
+MIRType slotType /* = MIRType_None */)
+{
+JS_ASSERT(shape->writable());
+return storeSlot(obj, shape->slot(), shape->numFixedSlots(), value, needsBarrier, slotType);
+}
+bool
+IonBuilder::jsop_getprop(PropertyName *name)
+{
+bool emitted = false;
+// Try to optimize arguments.length.
+if (!getPropTryArgumentsLength(&emitted) || emitted)
+return emitted;
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+bool barrier = PropertyReadNeedsTypeBarrier(analysisContext, constraints(),
+current->peek(-1), name, types);
+// Always use a call if we are performing analysis and
+// not actually emitting code, to simplify later analysis. Also skip deeper
+// analysis if there are no known types for this operation, as it will
+// always invalidate when executing.
+if (info().executionModeIsAnalysis() || types->empty()) {
+MDefinition *obj = current->peek(-1);
+MCallGetProperty *call = MCallGetProperty::New(alloc(), obj, name, *pc == JSOP_CALLPROP);
+current->add(call);
+// During the definite properties analysis we can still try to bake in
+// constants read off the prototype chain, to allow inlining later on.
+// In this case we still need the getprop call so that the later
+// analysis knows when the |this| value has been read from.
+if (info().executionModeIsAnalysis()) {
+if (!getPropTryConstant(&emitted, name, types) || emitted)
+return emitted;
+}
+current->pop();
+current->push(call);
+return resumeAfter(call) && pushTypeBarrier(call, types, true);
+}
+// Try to hardcode known constants.
+if (!getPropTryConstant(&emitted, name, types) || emitted)
+return emitted;
+// Try to emit loads from known binary data blocks
+if (!getPropTryTypedObject(&emitted, name, types) || emitted)
+return emitted;
+// Try to emit loads from definite slots.
+if (!getPropTryDefiniteSlot(&emitted, name, barrier, types) || emitted)
+return emitted;
+// Try to inline a common property getter, or make a call.
+if (!getPropTryCommonGetter(&emitted, name, types) || emitted)
+return emitted;
+// Try to emit a monomorphic/polymorphic access based on baseline caches.
+if (!getPropTryInlineAccess(&emitted, name, barrier, types) || emitted)
+return emitted;
+// Try to emit a polymorphic cache.
+if (!getPropTryCache(&emitted, name, barrier, types) || emitted)
+return emitted;
+// Emit a call.
+MDefinition *obj = current->pop();
+MCallGetProperty *call = MCallGetProperty::New(alloc(), obj, name, *pc == JSOP_CALLPROP);
+current->add(call);
+current->push(call);
+if (!resumeAfter(call))
+return false;
+return pushTypeBarrier(call, types, true);
+}
+bool
+IonBuilder::getPropTryArgumentsLength(bool *emitted)
+{
+JS_ASSERT(*emitted == false);
+if (current->peek(-1)->type() != MIRType_MagicOptimizedArguments) {
+if (script()->argumentsHasVarBinding() &&
+current->peek(-1)->mightBeType(MIRType_MagicOptimizedArguments))
+{
+return abort("Type is not definitely lazy arguments.");
+}
+return true;
+}
+if (JSOp(*pc) != JSOP_LENGTH)
+return true;
+*emitted = true;
+return jsop_arguments_length();
+}
+bool
+IonBuilder::getPropTryConstant(bool *emitted, PropertyName *name,
+types::TemporaryTypeSet *types)
+{
+JS_ASSERT(*emitted == false);
+JSObject *singleton = types ? types->getSingleton() : nullptr;
+if (!singleton)
+return true;
+bool testObject, testString;
+if (!testSingletonPropertyTypes(current->peek(-1), singleton, name, &testObject, &testString))
+return true;
+MDefinition *obj = current->pop();
+// Property access is a known constant -- safe to emit.
+JS_ASSERT(!testString || !testObject);
+if (testObject)
+current->add(MGuardObject::New(alloc(), obj));
+else if (testString)
+current->add(MGuardString::New(alloc(), obj));
+else
+obj->setImplicitlyUsedUnchecked();
+pushConstant(ObjectValue(*singleton));
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::getPropTryTypedObject(bool *emitted, PropertyName *name,
+types::TemporaryTypeSet *resultTypes)
+{
+TypeDescrSet fieldDescrs;
+int32_t fieldOffset;
+size_t fieldIndex;
+if (!lookupTypedObjectField(current->peek(-1), name, &fieldOffset,
+&fieldDescrs, &fieldIndex))
+return false;
+if (fieldDescrs.empty())
+return true;
+switch (fieldDescrs.kind()) {
+case TypeDescr::Reference:
+return true;
+case TypeDescr::X4:
+// FIXME (bug 894104): load into a MIRType_float32x4 etc
+return true;
+case TypeDescr::Struct:
+case TypeDescr::SizedArray:
+return getPropTryComplexPropOfTypedObject(emitted,
+fieldOffset,
+fieldDescrs,
+fieldIndex,
+resultTypes);
+case TypeDescr::Scalar:
+return getPropTryScalarPropOfTypedObject(emitted,
+fieldOffset,
+fieldDescrs,
+resultTypes);
+case TypeDescr::UnsizedArray:
+MOZ_ASSUME_UNREACHABLE("Field of unsized array type");
+}
+MOZ_ASSUME_UNREACHABLE("Bad kind");
+}
+bool
+IonBuilder::getPropTryScalarPropOfTypedObject(bool *emitted,
+int32_t fieldOffset,
+TypeDescrSet fieldDescrs,
+types::TemporaryTypeSet *resultTypes)
+{
+// Must always be loading the same scalar type
+ScalarTypeDescr::Type fieldType;
+if (!fieldDescrs.scalarType(&fieldType))
+return true;
+// OK, perform the optimization
+MDefinition *typedObj = current->pop();
+return pushScalarLoadFromTypedObject(emitted, typedObj, constantInt(fieldOffset),
+fieldType, true);
+}
+bool
+IonBuilder::getPropTryComplexPropOfTypedObject(bool *emitted,
+int32_t fieldOffset,
+TypeDescrSet fieldDescrs,
+size_t fieldIndex,
+types::TemporaryTypeSet *resultTypes)
+{
+// Must know the field index so that we can load the new type
+// object for the derived value
+if (fieldIndex == SIZE_MAX)
+return true;
+// OK, perform the optimization
+MDefinition *typedObj = current->pop();
+// Identify the type object for the field.
+MDefinition *type = loadTypedObjectType(typedObj);
+MDefinition *fieldTypeObj = typeObjectForFieldFromStructType(type, fieldIndex);
+return pushDerivedTypedObject(emitted, typedObj, constantInt(fieldOffset),
+fieldDescrs, fieldTypeObj, true);
+}
+bool
+IonBuilder::getPropTryDefiniteSlot(bool *emitted, PropertyName *name,
+bool barrier, types::TemporaryTypeSet *types)
+{
+JS_ASSERT(*emitted == false);
+types::HeapTypeSetKey property;
+if (!getDefiniteSlot(current->peek(-1)->resultTypeSet(), name, &property))
+return true;
+MDefinition *obj = current->pop();
+MDefinition *useObj = obj;
+if (obj->type() != MIRType_Object) {
+MGuardObject *guard = MGuardObject::New(alloc(), obj);
+current->add(guard);
+useObj = guard;
+}
+MLoadFixedSlot *fixed = MLoadFixedSlot::New(alloc(), useObj, property.maybeTypes()->definiteSlot());
+if (!barrier)
+fixed->setResultType(types->getKnownMIRType());
+current->add(fixed);
+current->push(fixed);
+if (!pushTypeBarrier(fixed, types, barrier))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::getPropTryCommonGetter(bool *emitted, PropertyName *name,
+types::TemporaryTypeSet *types)
+{
+JS_ASSERT(*emitted == false);
+Shape *lastProperty = nullptr;
+JSFunction *commonGetter = nullptr;
+JSObject *foundProto = inspector->commonGetPropFunction(pc, &lastProperty, &commonGetter);
+if (!foundProto)
+return true;
+types::TemporaryTypeSet *objTypes = current->peek(-1)->resultTypeSet();
+MDefinition *guard = testCommonGetterSetter(objTypes, name, /* isGetter = */ true,
+foundProto, lastProperty);
+if (!guard)
+return true;
+bool isDOM = objTypes->isDOMClass();
+MDefinition *obj = current->pop();
+if (isDOM && testShouldDOMCall(objTypes, commonGetter, JSJitInfo::Getter)) {
+const JSJitInfo *jitinfo = commonGetter->jitInfo();
+MInstruction *get;
+if (jitinfo->isInSlot) {
+// We can't use MLoadFixedSlot here because it might not have the
+// right aliasing behavior; we want to alias DOM setters.
+get = MGetDOMMember::New(alloc(), jitinfo, obj, guard);
+} else {
+get = MGetDOMProperty::New(alloc(), jitinfo, obj, guard);
+}
+current->add(get);
+current->push(get);
+if (get->isEffectful() && !resumeAfter(get))
+return false;
+if (!pushDOMTypeBarrier(get, types, commonGetter))
+return false;
+*emitted = true;
+return true;
+}
+// Don't call the getter with a primitive value.
+if (objTypes->getKnownMIRType() != MIRType_Object) {
+MGuardObject *guardObj = MGuardObject::New(alloc(), obj);
+current->add(guardObj);
+obj = guardObj;
+}
+// Spoof stack to expected state for call.
+// Make sure there's enough room
+if (!current->ensureHasSlots(2))
+return false;
+pushConstant(ObjectValue(*commonGetter));
+current->push(obj);
+CallInfo callInfo(alloc(), false);
+if (!callInfo.init(current, 0))
+return false;
+// Inline if we can, otherwise, forget it and just generate a call.
+bool inlineable = false;
+if (commonGetter->isInterpreted()) {
+InliningDecision decision = makeInliningDecision(commonGetter, callInfo);
+switch (decision) {
+case InliningDecision_Error:
+return false;
+case InliningDecision_DontInline:
+break;
+case InliningDecision_Inline:
+inlineable = true;
+break;
+}
+}
+if (inlineable) {
+if (!inlineScriptedCall(callInfo, commonGetter))
+return false;
+} else {
+if (!makeCall(commonGetter, callInfo, false))
+return false;
+}
+*emitted = true;
+return true;
+}
+static bool
+CanInlinePropertyOpShapes(const BaselineInspector::ShapeVector &shapes)
+{
+for (size_t i = 0; i < shapes.length(); i++) {
+// We inline the property access as long as the shape is not in
+// dictionary made. We cannot be sure that the shape is still a
+// lastProperty, and calling Shape::search() on dictionary mode
+// shapes that aren't lastProperty is invalid.
+if (shapes[i]->inDictionary())
+return false;
+}
+return true;
+}
+bool
+IonBuilder::getPropTryInlineAccess(bool *emitted, PropertyName *name,
+bool barrier, types::TemporaryTypeSet *types)
+{
+JS_ASSERT(*emitted == false);
+if (current->peek(-1)->type() != MIRType_Object)
+return true;
+BaselineInspector::ShapeVector shapes(alloc());
+if (!inspector->maybeShapesForPropertyOp(pc, shapes))
+return false;
+if (shapes.empty() || !CanInlinePropertyOpShapes(shapes))
+return true;
+MIRType rvalType = types->getKnownMIRType();
+if (barrier || IsNullOrUndefined(rvalType))
+rvalType = MIRType_Value;
+MDefinition *obj = current->pop();
+if (shapes.length() == 1) {
+// In the monomorphic case, use separate ShapeGuard and LoadSlot
+// instructions.
+spew("Inlining monomorphic GETPROP");
+Shape *objShape = shapes[0];
+obj = addShapeGuard(obj, objShape, Bailout_ShapeGuard);
+Shape *shape = objShape->searchLinear(NameToId(name));
+JS_ASSERT(shape);
+if (!loadSlot(obj, shape, rvalType, barrier, types))
+return false;
+} else {
+JS_ASSERT(shapes.length() > 1);
+spew("Inlining polymorphic GETPROP");
+MGetPropertyPolymorphic *load = MGetPropertyPolymorphic::New(alloc(), obj, name);
+current->add(load);
+current->push(load);
+for (size_t i = 0; i < shapes.length(); i++) {
+Shape *objShape = shapes[i];
+Shape *shape =  objShape->searchLinear(NameToId(name));
+JS_ASSERT(shape);
+if (!load->addShape(objShape, shape))
+return false;
+}
+if (failedShapeGuard_)
+load->setNotMovable();
+load->setResultType(rvalType);
+if (!pushTypeBarrier(load, types, barrier))
+return false;
+}
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::getPropTryCache(bool *emitted, PropertyName *name,
+bool barrier, types::TemporaryTypeSet *types)
+{
+JS_ASSERT(*emitted == false);
+MDefinition *obj = current->peek(-1);
+// The input value must either be an object, or we should have strong suspicions
+// that it can be safely unboxed to an object.
+if (obj->type() != MIRType_Object) {
+types::TemporaryTypeSet *types = obj->resultTypeSet();
+if (!types || !types->objectOrSentinel())
+return true;
+}
+// Since getters have no guaranteed return values, we must barrier in order to be
+// able to attach stubs for them.
+if (inspector->hasSeenAccessedGetter(pc))
+barrier = true;
+if (needsToMonitorMissingProperties(types))
+barrier = true;
+// Caches can read values from prototypes, so update the barrier to
+// reflect such possible values.
+if (!barrier)
+barrier = PropertyReadOnPrototypeNeedsTypeBarrier(constraints(), obj, name, types);
+current->pop();
+MGetPropertyCache *load = MGetPropertyCache::New(alloc(), obj, name, barrier);
+// Try to mark the cache as idempotent.
+//
+// In parallel execution, idempotency of caches is ignored, since we
+// repeat the entire ForkJoin workload if we bail out. Note that it's
+// overly restrictive to mark everything as idempotent, because we can
+// treat non-idempotent caches in parallel as repeatable.
+if (obj->type() == MIRType_Object && !invalidatedIdempotentCache() &&
+info().executionMode() != ParallelExecution)
+{
+if (PropertyReadIsIdempotent(constraints(), obj, name))
+load->setIdempotent();
+}
+if (JSOp(*pc) == JSOP_CALLPROP) {
+if (!annotateGetPropertyCache(obj, load, obj->resultTypeSet(), types))
+return false;
+}
+current->add(load);
+current->push(load);
+if (load->isEffectful() && !resumeAfter(load))
+return false;
+MIRType rvalType = types->getKnownMIRType();
+if (barrier || IsNullOrUndefined(rvalType))
+rvalType = MIRType_Value;
+load->setResultType(rvalType);
+if (!pushTypeBarrier(load, types, barrier))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::needsToMonitorMissingProperties(types::TemporaryTypeSet *types)
+{
+// GetPropertyParIC and GetElementParIC cannot safely call
+// TypeScript::Monitor to ensure that the observed type set contains
+// undefined. To account for possible missing properties, which property
+// types do not track, we must always insert a type barrier.
+return (info().executionMode() == ParallelExecution &&
+!types->hasType(types::Type::UndefinedType()));
+}
+bool
+IonBuilder::jsop_setprop(PropertyName *name)
+{
+MDefinition *value = current->pop();
+MDefinition *obj = current->pop();
+bool emitted = false;
+// Always use a call if we are doing the definite properties analysis and
+// not actually emitting code, to simplify later analysis.
+if (info().executionModeIsAnalysis()) {
+MInstruction *ins = MCallSetProperty::New(alloc(), obj, value, name, script()->strict());
+current->add(ins);
+current->push(value);
+return resumeAfter(ins);
+}
+// Add post barrier if needed.
+if (NeedsPostBarrier(info(), value))
+current->add(MPostWriteBarrier::New(alloc(), obj, value));
+// Try to inline a common property setter, or make a call.
+if (!setPropTryCommonSetter(&emitted, obj, name, value) || emitted)
+return emitted;
+types::TemporaryTypeSet *objTypes = obj->resultTypeSet();
+bool barrier = PropertyWriteNeedsTypeBarrier(alloc(), constraints(), current, &obj, name, &value,
+/* canModify = */ true);
+// Try to emit stores to known binary data blocks
+if (!setPropTryTypedObject(&emitted, obj, name, value) || emitted)
+return emitted;
+// Try to emit store from definite slots.
+if (!setPropTryDefiniteSlot(&emitted, obj, name, value, barrier, objTypes) || emitted)
+return emitted;
+// Try to emit a monomorphic/polymorphic store based on baseline caches.
+if (!setPropTryInlineAccess(&emitted, obj, name, value, barrier, objTypes) || emitted)
+return emitted;
+// Try to emit a polymorphic cache.
+if (!setPropTryCache(&emitted, obj, name, value, barrier, objTypes) || emitted)
+return emitted;
+// Emit call.
+MInstruction *ins = MCallSetProperty::New(alloc(), obj, value, name, script()->strict());
+current->add(ins);
+current->push(value);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::setPropTryCommonSetter(bool *emitted, MDefinition *obj,
+PropertyName *name, MDefinition *value)
+{
+JS_ASSERT(*emitted == false);
+Shape *lastProperty = nullptr;
+JSFunction *commonSetter = nullptr;
+JSObject *foundProto = inspector->commonSetPropFunction(pc, &lastProperty, &commonSetter);
+if (!foundProto)
+return true;
+types::TemporaryTypeSet *objTypes = obj->resultTypeSet();
+MDefinition *guard = testCommonGetterSetter(objTypes, name, /* isGetter = */ false,
+foundProto, lastProperty);
+if (!guard)
+return true;
+bool isDOM = objTypes->isDOMClass();
+// Emit common setter.
+// Setters can be called even if the property write needs a type
+// barrier, as calling the setter does not actually write any data
+// properties.
+// Try emitting dom call.
+if (!setPropTryCommonDOMSetter(emitted, obj, value, commonSetter, isDOM))
+return false;
+if (*emitted)
+return true;
+// Don't call the setter with a primitive value.
+if (objTypes->getKnownMIRType() != MIRType_Object) {
+MGuardObject *guardObj = MGuardObject::New(alloc(), obj);
+current->add(guardObj);
+obj = guardObj;
+}
+// Dummy up the stack, as in getprop. We are pushing an extra value, so
+// ensure there is enough space.
+if (!current->ensureHasSlots(3))
+return false;
+pushConstant(ObjectValue(*commonSetter));
+current->push(obj);
+current->push(value);
+// Call the setter. Note that we have to push the original value, not
+// the setter's return value.
+CallInfo callInfo(alloc(), false);
+if (!callInfo.init(current, 1))
+return false;
+// Ensure that we know we are calling a setter in case we inline it.
+callInfo.markAsSetter();
+// Inline the setter if we can.
+if (commonSetter->isInterpreted()) {
+InliningDecision decision = makeInliningDecision(commonSetter, callInfo);
+switch (decision) {
+case InliningDecision_Error:
+return false;
+case InliningDecision_DontInline:
+break;
+case InliningDecision_Inline:
+if (!inlineScriptedCall(callInfo, commonSetter))
+return false;
+*emitted = true;
+return true;
+}
+}
+MCall *call = makeCallHelper(commonSetter, callInfo, false);
+if (!call)
+return false;
+current->push(value);
+if (!resumeAfter(call))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::setPropTryCommonDOMSetter(bool *emitted, MDefinition *obj,
+MDefinition *value, JSFunction *setter,
+bool isDOM)
+{
+JS_ASSERT(*emitted == false);
+if (!isDOM)
+return true;
+types::TemporaryTypeSet *objTypes = obj->resultTypeSet();
+if (!testShouldDOMCall(objTypes, setter, JSJitInfo::Setter))
+return true;
+// Emit SetDOMProperty.
+JS_ASSERT(setter->jitInfo()->type() == JSJitInfo::Setter);
+MSetDOMProperty *set = MSetDOMProperty::New(alloc(), setter->jitInfo()->setter, obj, value);
+current->add(set);
+current->push(value);
+if (!resumeAfter(set))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::setPropTryTypedObject(bool *emitted, MDefinition *obj,
+PropertyName *name, MDefinition *value)
+{
+TypeDescrSet fieldDescrs;
+int32_t fieldOffset;
+size_t fieldIndex;
+if (!lookupTypedObjectField(obj, name, &fieldOffset, &fieldDescrs,
+&fieldIndex))
+return false;
+if (fieldDescrs.empty())
+return true;
+switch (fieldDescrs.kind()) {
+case TypeDescr::X4:
+// FIXME (bug 894104): store into a MIRType_float32x4 etc
+return true;
+case TypeDescr::Reference:
+case TypeDescr::Struct:
+case TypeDescr::SizedArray:
+case TypeDescr::UnsizedArray:
+// For now, only optimize storing scalars.
+return true;
+case TypeDescr::Scalar:
+return setPropTryScalarPropOfTypedObject(emitted, obj, fieldOffset,
+value, fieldDescrs);
+}
+MOZ_ASSUME_UNREACHABLE("Unknown kind");
+}
+bool
+IonBuilder::setPropTryScalarPropOfTypedObject(bool *emitted,
+MDefinition *obj,
+int32_t fieldOffset,
+MDefinition *value,
+TypeDescrSet fieldDescrs)
+{
+// Must always be loading the same scalar type
+ScalarTypeDescr::Type fieldType;
+if (!fieldDescrs.scalarType(&fieldType))
+return true;
+// OK! Perform the optimization.
+if (!storeScalarTypedObjectValue(obj, constantInt(fieldOffset), fieldType, true, false, value))
+return false;
+current->push(value);
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::setPropTryDefiniteSlot(bool *emitted, MDefinition *obj,
+PropertyName *name, MDefinition *value,
+bool barrier, types::TemporaryTypeSet *objTypes)
+{
+JS_ASSERT(*emitted == false);
+if (barrier)
+return true;
+types::HeapTypeSetKey property;
+if (!getDefiniteSlot(obj->resultTypeSet(), name, &property))
+return true;
+if (property.nonWritable(constraints()))
+return true;
+MStoreFixedSlot *fixed = MStoreFixedSlot::New(alloc(), obj, property.maybeTypes()->definiteSlot(), value);
+current->add(fixed);
+current->push(value);
+if (property.needsBarrier(constraints()))
+fixed->setNeedsBarrier();
+if (!resumeAfter(fixed))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::setPropTryInlineAccess(bool *emitted, MDefinition *obj,
+PropertyName *name,
+MDefinition *value, bool barrier,
+types::TemporaryTypeSet *objTypes)
+{
+JS_ASSERT(*emitted == false);
+if (barrier)
+return true;
+BaselineInspector::ShapeVector shapes(alloc());
+if (!inspector->maybeShapesForPropertyOp(pc, shapes))
+return false;
+if (shapes.empty())
+return true;
+if (!CanInlinePropertyOpShapes(shapes))
+return true;
+if (shapes.length() == 1) {
+spew("Inlining monomorphic SETPROP");
+// The Baseline IC was monomorphic, so we inline the property access as
+// long as the shape is not in dictionary mode. We cannot be sure
+// that the shape is still a lastProperty, and calling Shape::search
+// on dictionary mode shapes that aren't lastProperty is invalid.
+Shape *objShape = shapes[0];
+obj = addShapeGuard(obj, objShape, Bailout_ShapeGuard);
+Shape *shape = objShape->searchLinear(NameToId(name));
+JS_ASSERT(shape);
+bool needsBarrier = objTypes->propertyNeedsBarrier(constraints(), NameToId(name));
+if (!storeSlot(obj, shape, value, needsBarrier))
+return false;
+} else {
+JS_ASSERT(shapes.length() > 1);
+spew("Inlining polymorphic SETPROP");
+MSetPropertyPolymorphic *ins = MSetPropertyPolymorphic::New(alloc(), obj, value);
+current->add(ins);
+current->push(value);
+for (size_t i = 0; i < shapes.length(); i++) {
+Shape *objShape = shapes[i];
+Shape *shape =  objShape->searchLinear(NameToId(name));
+JS_ASSERT(shape);
+if (!ins->addShape(objShape, shape))
+return false;
+}
+if (objTypes->propertyNeedsBarrier(constraints(), NameToId(name)))
+ins->setNeedsBarrier();
+if (!resumeAfter(ins))
+return false;
+}
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::setPropTryCache(bool *emitted, MDefinition *obj,
+PropertyName *name, MDefinition *value,
+bool barrier, types::TemporaryTypeSet *objTypes)
+{
+JS_ASSERT(*emitted == false);
+// Emit SetPropertyCache.
+MSetPropertyCache *ins = MSetPropertyCache::New(alloc(), obj, value, name, script()->strict(), barrier);
+if (!objTypes || objTypes->propertyNeedsBarrier(constraints(), NameToId(name)))
+ins->setNeedsBarrier();
+current->add(ins);
+current->push(value);
+if (!resumeAfter(ins))
+return false;
+*emitted = true;
+return true;
+}
+bool
+IonBuilder::jsop_delprop(PropertyName *name)
+{
+MDefinition *obj = current->pop();
+MInstruction *ins = MDeleteProperty::New(alloc(), obj, name);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_delelem()
+{
+MDefinition *index = current->pop();
+MDefinition *obj = current->pop();
+MDeleteElement *ins = MDeleteElement::New(alloc(), obj, index);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_regexp(RegExpObject *reobj)
+{
+// JS semantics require regular expression literals to create different
+// objects every time they execute. We only need to do this cloning if the
+// script could actually observe the effect of such cloning, for instance
+// by getting or setting properties on it.
+//
+// First, make sure the regex is one we can safely optimize. Lowering can
+// then check if this regex object only flows into known natives and can
+// avoid cloning in this case.
+bool mustClone = true;
+types::TypeObjectKey *typeObj = types::TypeObjectKey::get(&script()->global());
+if (!typeObj->hasFlags(constraints(), types::OBJECT_FLAG_REGEXP_FLAGS_SET)) {
+RegExpStatics *res = script()->global().getRegExpStatics();
+DebugOnly<uint32_t> origFlags = reobj->getFlags();
+DebugOnly<uint32_t> staticsFlags = res->getFlags();
+JS_ASSERT((origFlags & staticsFlags) == staticsFlags);
+if (!reobj->global() && !reobj->sticky())
+mustClone = false;
+}
+MRegExp *regexp = MRegExp::New(alloc(), constraints(), reobj, mustClone);
+current->add(regexp);
+current->push(regexp);
+return true;
+}
+bool
+IonBuilder::jsop_object(JSObject *obj)
+{
+if (options.cloneSingletons()) {
+MCloneLiteral *clone = MCloneLiteral::New(alloc(), constant(ObjectValue(*obj)));
+current->add(clone);
+current->push(clone);
+return resumeAfter(clone);
+}
+compartment->setSingletonsAsValues();
+pushConstant(ObjectValue(*obj));
+return true;
+}
+bool
+IonBuilder::jsop_lambda(JSFunction *fun)
+{
+MOZ_ASSERT(analysis().usesScopeChain());
+MOZ_ASSERT(!fun->isArrow());
+if (fun->isNative() && IsAsmJSModuleNative(fun->native()))
+return abort("asm.js module function");
+MLambda *ins = MLambda::New(alloc(), constraints(), current->scopeChain(), fun);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_lambda_arrow(JSFunction *fun)
+{
+MOZ_ASSERT(analysis().usesScopeChain());
+MOZ_ASSERT(fun->isArrow());
+MOZ_ASSERT(!fun->isNative());
+MDefinition *thisDef = current->pop();
+MLambdaArrow *ins = MLambdaArrow::New(alloc(), constraints(), current->scopeChain(),
+thisDef, fun);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_setarg(uint32_t arg)
+{
+// To handle this case, we should spill the arguments to the space where
+// actual arguments are stored. The tricky part is that if we add a MIR
+// to wrap the spilling action, we don't want the spilling to be
+// captured by the GETARG and by the resume point, only by
+// MGetFrameArgument.
+JS_ASSERT(analysis_.hasSetArg());
+MDefinition *val = current->peek(-1);
+// If an arguments object is in use, and it aliases formals, then all SETARGs
+// must go through the arguments object.
+if (info().argsObjAliasesFormals()) {
+if (NeedsPostBarrier(info(), val))
+current->add(MPostWriteBarrier::New(alloc(), current->argumentsObject(), val));
+current->add(MSetArgumentsObjectArg::New(alloc(), current->argumentsObject(),
+GET_ARGNO(pc), val));
+return true;
+}
+// :TODO: if hasArguments() is true, and the script has a JSOP_SETARG, then
+// convert all arg accesses to go through the arguments object. (see Bug 957475)
+if (info().hasArguments())
+	return abort("NYI: arguments & setarg.");
+// Otherwise, if a magic arguments is in use, and it aliases formals, and there exist
+// arguments[...] GETELEM expressions in the script, then SetFrameArgument must be used.
+// If no arguments[...] GETELEM expressions are in the script, and an argsobj is not
+// required, then it means that any aliased argument set can never be observed, and
+// the frame does not actually need to be updated with the new arg value.
+if (info().argumentsAliasesFormals()) {
+// JSOP_SETARG with magic arguments within inline frames is not yet supported.
+JS_ASSERT(script()->uninlineable() && !isInlineBuilder());
+MSetFrameArgument *store = MSetFrameArgument::New(alloc(), arg, val);
+modifiesFrameArguments_ = true;
+current->add(store);
+current->setArg(arg);
+return true;
+}
+// If this assignment is at the start of the function and is coercing
+// the original value for the argument which was passed in, loosen
+// the type information for that original argument if it is currently
+// empty due to originally executing in the interpreter.
+if (graph().numBlocks() == 1 &&
+(val->isBitOr() || val->isBitAnd() || val->isMul() /* for JSOP_POS */))
+{
+for (size_t i = 0; i < val->numOperands(); i++) {
+MDefinition *op = val->getOperand(i);
+if (op->isParameter() &&
+op->toParameter()->index() == (int32_t)arg &&
+op->resultTypeSet() &&
+op->resultTypeSet()->empty())
+{
+bool otherUses = false;
+for (MUseDefIterator iter(op); iter; iter++) {
+MDefinition *def = iter.def();
+if (def == val)
+continue;
+otherUses = true;
+}
+if (!otherUses) {
+JS_ASSERT(op->resultTypeSet() == &argTypes[arg]);
+argTypes[arg].addType(types::Type::UnknownType(), alloc_->lifoAlloc());
+if (val->isMul()) {
+val->setResultType(MIRType_Double);
+val->toMul()->setSpecialization(MIRType_Double);
+} else {
+JS_ASSERT(val->type() == MIRType_Int32);
+}
+val->setResultTypeSet(nullptr);
+}
+}
+}
+}
+current->setArg(arg);
+return true;
+}
+bool
+IonBuilder::jsop_defvar(uint32_t index)
+{
+JS_ASSERT(JSOp(*pc) == JSOP_DEFVAR || JSOp(*pc) == JSOP_DEFCONST);
+PropertyName *name = script()->getName(index);
+// Bake in attrs.
+unsigned attrs = JSPROP_ENUMERATE | JSPROP_PERMANENT;
+if (JSOp(*pc) == JSOP_DEFCONST)
+attrs |= JSPROP_READONLY;
+// Pass the ScopeChain.
+JS_ASSERT(analysis().usesScopeChain());
+// Bake the name pointer into the MDefVar.
+MDefVar *defvar = MDefVar::New(alloc(), name, attrs, current->scopeChain());
+current->add(defvar);
+return resumeAfter(defvar);
+}
+bool
+IonBuilder::jsop_deffun(uint32_t index)
+{
+JSFunction *fun = script()->getFunction(index);
+if (fun->isNative() && IsAsmJSModuleNative(fun->native()))
+return abort("asm.js module function");
+JS_ASSERT(analysis().usesScopeChain());
+MDefFun *deffun = MDefFun::New(alloc(), fun, current->scopeChain());
+current->add(deffun);
+return resumeAfter(deffun);
+}
+bool
+IonBuilder::jsop_this()
+{
+if (!info().funMaybeLazy())
+return abort("JSOP_THIS outside of a JSFunction.");
+if (info().funMaybeLazy()->isArrow()) {
+// Arrow functions store their lexical |this| in an extended slot.
+MLoadArrowThis *thisObj = MLoadArrowThis::New(alloc(), getCallee());
+current->add(thisObj);
+current->push(thisObj);
+return true;
+}
+if (script()->strict() || info().funMaybeLazy()->isSelfHostedBuiltin()) {
+// No need to wrap primitive |this| in strict mode or self-hosted code.
+current->pushSlot(info().thisSlot());
+return true;
+}
+if (thisTypes->getKnownMIRType() == MIRType_Object ||
+(thisTypes->empty() && baselineFrame_ && baselineFrame_->thisType.isSomeObject()))
+{
+// This is safe, because if the entry type of |this| is an object, it
+// will necessarily be an object throughout the entire function. OSR
+// can introduce a phi, but this phi will be specialized.
+current->pushSlot(info().thisSlot());
+return true;
+}
+// If we are doing an analysis, we might not yet know the type of |this|.
+// Instead of bailing out just push the |this| slot, as this code won't
+// actually execute and it does not matter whether |this| is primitive.
+if (info().executionModeIsAnalysis()) {
+current->pushSlot(info().thisSlot());
+return true;
+}
+// Hard case: |this| may be a primitive we have to wrap.
+MDefinition *def = current->getSlot(info().thisSlot());
+if (def->type() == MIRType_Object) {
+// If we already computed a |this| object, we can reuse it.
+current->push(def);
+return true;
+}
+MComputeThis *thisObj = MComputeThis::New(alloc(), def);
+current->add(thisObj);
+current->push(thisObj);
+current->setSlot(info().thisSlot(), thisObj);
+return resumeAfter(thisObj);
+}
+bool
+IonBuilder::jsop_typeof()
+{
+MDefinition *input = current->pop();
+MTypeOf *ins = MTypeOf::New(alloc(), input, input->type());
+ins->infer();
+current->add(ins);
+current->push(ins);
+return true;
+}
+bool
+IonBuilder::jsop_toid()
+{
+// No-op if the index is an integer.
+if (current->peek(-1)->type() == MIRType_Int32)
+return true;
+MDefinition *index = current->pop();
+MToId *ins = MToId::New(alloc(), current->peek(-1), index);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_iter(uint8_t flags)
+{
+if (flags != JSITER_ENUMERATE)
+nonStringIteration_ = true;
+MDefinition *obj = current->pop();
+MInstruction *ins = MIteratorStart::New(alloc(), obj, flags);
+if (!iterators_.append(ins))
+return false;
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_iternext()
+{
+MDefinition *iter = current->peek(-1);
+MInstruction *ins = MIteratorNext::New(alloc(), iter);
+current->add(ins);
+current->push(ins);
+if (!resumeAfter(ins))
+return false;
+if (!nonStringIteration_ && !inspector->hasSeenNonStringIterNext(pc)) {
+ins = MUnbox::New(alloc(), ins, MIRType_String, MUnbox::Fallible, Bailout_BaselineInfo);
+current->add(ins);
+current->rewriteAtDepth(-1, ins);
+}
+return true;
+}
+bool
+IonBuilder::jsop_itermore()
+{
+MDefinition *iter = current->peek(-1);
+MInstruction *ins = MIteratorMore::New(alloc(), iter);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_iterend()
+{
+MDefinition *iter = current->pop();
+MInstruction *ins = MIteratorEnd::New(alloc(), iter);
+current->add(ins);
+return resumeAfter(ins);
+}
+MDefinition *
+IonBuilder::walkScopeChain(unsigned hops)
+{
+MDefinition *scope = current->getSlot(info().scopeChainSlot());
+for (unsigned i = 0; i < hops; i++) {
+MInstruction *ins = MEnclosingScope::New(alloc(), scope);
+current->add(ins);
+scope = ins;
+}
+return scope;
+}
+bool
+IonBuilder::hasStaticScopeObject(ScopeCoordinate sc, JSObject **pcall)
+{
+JSScript *outerScript = ScopeCoordinateFunctionScript(script(), pc);
+if (!outerScript || !outerScript->treatAsRunOnce())
+return false;
+types::TypeObjectKey *funType =
+types::TypeObjectKey::get(outerScript->functionNonDelazifying());
+if (funType->hasFlags(constraints(), types::OBJECT_FLAG_RUNONCE_INVALIDATED))
+return false;
+// The script this aliased var operation is accessing will run only once,
+// so there will be only one call object and the aliased var access can be
+// compiled in the same manner as a global access. We still need to find
+// the call object though.
+// Look for the call object on the current script's function's scope chain.
+// If the current script is inner to the outer script and the function has
+// singleton type then it should show up here.
+MDefinition *scope = current->getSlot(info().scopeChainSlot());
+scope->setImplicitlyUsedUnchecked();
+JSObject *environment = script()->functionNonDelazifying()->environment();
+while (environment && !environment->is<GlobalObject>()) {
+if (environment->is<CallObject>() &&
+!environment->as<CallObject>().isForEval() &&
+environment->as<CallObject>().callee().nonLazyScript() == outerScript)
+{
+JS_ASSERT(environment->hasSingletonType());
+*pcall = environment;
+return true;
+}
+environment = environment->enclosingScope();
+}
+// Look for the call object on the current frame, if we are compiling the
+// outer script itself. Don't do this if we are at entry to the outer
+// script, as the call object we see will not be the real one --- after
+// entering the Ion code a different call object will be created.
+if (script() == outerScript && baselineFrame_ && info().osrPc()) {
+JSObject *singletonScope = baselineFrame_->singletonScopeChain;
+if (singletonScope &&
+singletonScope->is<CallObject>() &&
+singletonScope->as<CallObject>().callee().nonLazyScript() == outerScript)
+{
+JS_ASSERT(singletonScope->hasSingletonType());
+*pcall = singletonScope;
+return true;
+}
+}
+return true;
+}
+bool
+IonBuilder::jsop_getaliasedvar(ScopeCoordinate sc)
+{
+JSObject *call = nullptr;
+if (hasStaticScopeObject(sc, &call) && call) {
+PropertyName *name = ScopeCoordinateName(scopeCoordinateNameCache, script(), pc);
+bool succeeded;
+if (!getStaticName(call, name, &succeeded))
+return false;
+if (succeeded)
+return true;
+}
+MDefinition *obj = walkScopeChain(sc.hops());
+Shape *shape = ScopeCoordinateToStaticScopeShape(script(), pc);
+MInstruction *load;
+if (shape->numFixedSlots() <= sc.slot()) {
+MInstruction *slots = MSlots::New(alloc(), obj);
+current->add(slots);
+load = MLoadSlot::New(alloc(), slots, sc.slot() - shape->numFixedSlots());
+} else {
+load = MLoadFixedSlot::New(alloc(), obj, sc.slot());
+}
+current->add(load);
+current->push(load);
+types::TemporaryTypeSet *types = bytecodeTypes(pc);
+return pushTypeBarrier(load, types, true);
+}
+bool
+IonBuilder::jsop_setaliasedvar(ScopeCoordinate sc)
+{
+JSObject *call = nullptr;
+if (hasStaticScopeObject(sc, &call)) {
+uint32_t depth = current->stackDepth() + 1;
+if (depth > current->nslots()) {
+if (!current->increaseSlots(depth - current->nslots()))
+return false;
+}
+MDefinition *value = current->pop();
+PropertyName *name = ScopeCoordinateName(scopeCoordinateNameCache, script(), pc);
+if (call) {
+// Push the object on the stack to match the bound object expected in
+// the global and property set cases.
+pushConstant(ObjectValue(*call));
+current->push(value);
+return setStaticName(call, name);
+}
+// The call object has type information we need to respect but we
+// couldn't find it. Just do a normal property assign.
+MDefinition *obj = walkScopeChain(sc.hops());
+current->push(obj);
+current->push(value);
+return jsop_setprop(name);
+}
+MDefinition *rval = current->peek(-1);
+MDefinition *obj = walkScopeChain(sc.hops());
+Shape *shape = ScopeCoordinateToStaticScopeShape(script(), pc);
+if (NeedsPostBarrier(info(), rval))
+current->add(MPostWriteBarrier::New(alloc(), obj, rval));
+MInstruction *store;
+if (shape->numFixedSlots() <= sc.slot()) {
+MInstruction *slots = MSlots::New(alloc(), obj);
+current->add(slots);
+store = MStoreSlot::NewBarriered(alloc(), slots, sc.slot() - shape->numFixedSlots(), rval);
+} else {
+store = MStoreFixedSlot::NewBarriered(alloc(), obj, sc.slot(), rval);
+}
+current->add(store);
+return resumeAfter(store);
+}
+bool
+IonBuilder::jsop_in()
+{
+MDefinition *obj = current->peek(-1);
+MDefinition *id = current->peek(-2);
+if (ElementAccessIsDenseNative(obj, id) &&
+!ElementAccessHasExtraIndexedProperty(constraints(), obj))
+{
+return jsop_in_dense();
+}
+current->pop();
+current->pop();
+MIn *ins = MIn::New(alloc(), id, obj);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+bool
+IonBuilder::jsop_in_dense()
+{
+MDefinition *obj = current->pop();
+MDefinition *id = current->pop();
+bool needsHoleCheck = !ElementAccessIsPacked(constraints(), obj);
+// Ensure id is an integer.
+MInstruction *idInt32 = MToInt32::New(alloc(), id);
+current->add(idInt32);
+id = idInt32;
+// Get the elements vector.
+MElements *elements = MElements::New(alloc(), obj);
+current->add(elements);
+MInitializedLength *initLength = MInitializedLength::New(alloc(), elements);
+current->add(initLength);
+// Check if id < initLength and elem[id] not a hole.
+MInArray *ins = MInArray::New(alloc(), elements, id, initLength, obj, needsHoleCheck);
+current->add(ins);
+current->push(ins);
+return true;
+}
+bool
+IonBuilder::jsop_instanceof()
+{
+MDefinition *rhs = current->pop();
+MDefinition *obj = current->pop();
+// If this is an 'x instanceof function' operation and we can determine the
+// exact function and prototype object being tested for, use a typed path.
+do {
+types::TemporaryTypeSet *rhsTypes = rhs->resultTypeSet();
+JSObject *rhsObject = rhsTypes ? rhsTypes->getSingleton() : nullptr;
+if (!rhsObject || !rhsObject->is<JSFunction>() || rhsObject->isBoundFunction())
+break;
+types::TypeObjectKey *rhsType = types::TypeObjectKey::get(rhsObject);
+if (rhsType->unknownProperties())
+break;
+types::HeapTypeSetKey protoProperty =
+rhsType->property(NameToId(names().prototype));
+JSObject *protoObject = protoProperty.singleton(constraints());
+if (!protoObject)
+break;
+rhs->setImplicitlyUsedUnchecked();
+MInstanceOf *ins = MInstanceOf::New(alloc(), obj, protoObject);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+} while (false);
+MCallInstanceOf *ins = MCallInstanceOf::New(alloc(), obj, rhs);
+current->add(ins);
+current->push(ins);
+return resumeAfter(ins);
+}
+MInstruction *
+IonBuilder::addConvertElementsToDoubles(MDefinition *elements)
+{
+MInstruction *convert = MConvertElementsToDoubles::New(alloc(), elements);
+current->add(convert);
+return convert;
+}
+MInstruction *
+IonBuilder::addBoundsCheck(MDefinition *index, MDefinition *length)
+{
+MInstruction *check = MBoundsCheck::New(alloc(), index, length);
+current->add(check);
+// If a bounds check failed in the past, don't optimize bounds checks.
+if (failedBoundsCheck_)
+check->setNotMovable();
+return check;
+}
+MInstruction *
+IonBuilder::addShapeGuard(MDefinition *obj, Shape *const shape, BailoutKind bailoutKind)
+{
+MGuardShape *guard = MGuardShape::New(alloc(), obj, shape, bailoutKind);
+current->add(guard);
+// If a shape guard failed in the past, don't optimize shape guard.
+if (failedShapeGuard_)
+guard->setNotMovable();
+return guard;
+}
+types::TemporaryTypeSet *
+IonBuilder::bytecodeTypes(jsbytecode *pc)
+{
+return types::TypeScript::BytecodeTypes(script(), pc, bytecodeTypeMap, &typeArrayHint, typeArray);
+}
+TypeDescrSetHash *
+IonBuilder::getOrCreateDescrSetHash()
+{
+if (!descrSetHash_) {
+TypeDescrSetHash *hash =
+alloc_->lifoAlloc()->new_<TypeDescrSetHash>(alloc());
+if (!hash || !hash->init())
+return nullptr;
+descrSetHash_ = hash;
+}
+return descrSetHash_;
+}
+bool
+IonBuilder::lookupTypeDescrSet(MDefinition *typedObj,
+TypeDescrSet *out)
+{
+*out = TypeDescrSet(); // default to unknown
+// Extract TypeDescrSet directly if we can
+if (typedObj->isNewDerivedTypedObject()) {
+*out = typedObj->toNewDerivedTypedObject()->set();
+return true;
+}
+types::TemporaryTypeSet *types = typedObj->resultTypeSet();
+return typeSetToTypeDescrSet(types, out);
+}
+bool
+IonBuilder::typeSetToTypeDescrSet(types::TemporaryTypeSet *types,
+TypeDescrSet *out)
+{
+// Extract TypeDescrSet directly if we can
+if (!types || types->getKnownMIRType() != MIRType_Object)
+return true;
+// And only known objects.
+if (types->unknownObject())
+return true;
+TypeDescrSetBuilder set;
+for (uint32_t i = 0; i < types->getObjectCount(); i++) {
+types::TypeObject *type = types->getTypeObject(i);
+if (!type || type->unknownProperties())
+return true;
+if (!type->hasTypedObject())
+return true;
+TypeDescr &descr = type->typedObject()->descr();
+if (!set.insert(&descr))
+return false;
+}
+return set.build(*this, out);
+}
+MDefinition *
+IonBuilder::loadTypedObjectType(MDefinition *typedObj)
+{
+// Shortcircuit derived type objects, meaning the intermediate
+// objects created to represent `a.b` in an expression like
+// `a.b.c`. In that case, the type object can be simply pulled
+// from the operands of that instruction.
+if (typedObj->isNewDerivedTypedObject())
+return typedObj->toNewDerivedTypedObject()->type();
+MInstruction *load = MLoadFixedSlot::New(alloc(), typedObj,
+JS_TYPEDOBJ_SLOT_TYPE_DESCR);
+current->add(load);
+return load;
+}
+// Given a typed object `typedObj` and an offset `offset` into that
+// object's data, returns another typed object and adusted offset
+// where the data can be found. Often, these returned values are the
+// same as the inputs, but in cases where intermediate derived type
+// objects have been created, the return values will remove
+// intermediate layers (often rendering those derived type objects
+// into dead code).
+void
+IonBuilder::loadTypedObjectData(MDefinition *typedObj,
+MDefinition *offset,
+bool canBeNeutered,
+MDefinition **owner,
+MDefinition **ownerOffset)
+{
+JS_ASSERT(typedObj->type() == MIRType_Object);
+JS_ASSERT(offset->type() == MIRType_Int32);
+// Shortcircuit derived type objects, meaning the intermediate
+// objects created to represent `a.b` in an expression like
+// `a.b.c`. In that case, the owned and a base offset can be
+// pulled from the operands of the instruction and combined with
+// `offset`.
+if (typedObj->isNewDerivedTypedObject()) {
+MNewDerivedTypedObject *ins = typedObj->toNewDerivedTypedObject();
+// Note: we never need to check for neutering on this path,
+// because when we create the derived typed object, we check
+// for neutering there, if needed.
+MAdd *offsetAdd = MAdd::NewAsmJS(alloc(), ins->offset(), offset, MIRType_Int32);
+current->add(offsetAdd);
+*owner = ins->owner();
+*ownerOffset = offsetAdd;
+return;
+}
+if (canBeNeutered) {
+MNeuterCheck *chk = MNeuterCheck::New(alloc(), typedObj);
+current->add(chk);
+typedObj = chk;
+}
+*owner = typedObj;
+*ownerOffset = offset;
+}
+// Takes as input a typed object, an offset into that typed object's
+// memory, and the type repr of the data found at that offset. Returns
+// the elements pointer and a scaled offset. The scaled offset is
+// expressed in units of `unit`; when working with typed array MIR,
+// this is typically the alignment.
+void
+IonBuilder::loadTypedObjectElements(MDefinition *typedObj,
+MDefinition *offset,
+int32_t unit,
+bool canBeNeutered,
+MDefinition **ownerElements,
+MDefinition **ownerScaledOffset)
+{
+MDefinition *owner, *ownerOffset;
+loadTypedObjectData(typedObj, offset, canBeNeutered, &owner, &ownerOffset);
+// Load the element data.
+MTypedObjectElements *elements = MTypedObjectElements::New(alloc(), owner);
+current->add(elements);
+// Scale to a different unit for compat with typed array MIRs.
+if (unit != 1) {
+MDiv *scaledOffset = MDiv::NewAsmJS(alloc(), ownerOffset, constantInt(unit), MIRType_Int32,
+/* unsignd = */ false);
+current->add(scaledOffset);
+*ownerScaledOffset = scaledOffset;
+} else {
+*ownerScaledOffset = ownerOffset;
+}
+*ownerElements = elements;
+}
+// Looks up the offset/type-repr-set of the field `id`, given the type
+// set `objTypes` of the field owner. Note that even when true is
+// returned, `*fieldDescrs` might be empty if no useful type/offset
+// pair could be determined.
+bool
+IonBuilder::lookupTypedObjectField(MDefinition *typedObj,
+PropertyName *name,
+int32_t *fieldOffset,
+TypeDescrSet *fieldDescrs,
+size_t *fieldIndex)
+{
+TypeDescrSet objDescrs;
+if (!lookupTypeDescrSet(typedObj, &objDescrs))
+return false;
+// Must be accessing a struct.
+if (!objDescrs.allOfKind(TypeDescr::Struct))
+return true;
+// Determine the type/offset of the field `name`, if any.
+int32_t offset;
+if (!objDescrs.fieldNamed(*this, NameToId(name), &offset,
+fieldDescrs, fieldIndex))
+return false;
+if (fieldDescrs->empty())
+return true;
+JS_ASSERT(offset >= 0);
+*fieldOffset = offset;
+return true;
+}
+MDefinition *
+IonBuilder::typeObjectForElementFromArrayStructType(MDefinition *typeObj)
+{
+MInstruction *elemType = MLoadFixedSlot::New(alloc(), typeObj, JS_DESCR_SLOT_ARRAY_ELEM_TYPE);
+current->add(elemType);
+MInstruction *unboxElemType = MUnbox::New(alloc(), elemType, MIRType_Object, MUnbox::Infallible);
+current->add(unboxElemType);
+return unboxElemType;
+}
+MDefinition *
+IonBuilder::typeObjectForFieldFromStructType(MDefinition *typeObj,
+size_t fieldIndex)
+{
+// Load list of field type objects.
+MInstruction *fieldTypes = MLoadFixedSlot::New(alloc(), typeObj, JS_DESCR_SLOT_STRUCT_FIELD_TYPES);
+current->add(fieldTypes);
+MInstruction *unboxFieldTypes = MUnbox::New(alloc(), fieldTypes, MIRType_Object, MUnbox::Infallible);
+current->add(unboxFieldTypes);
+// Index into list with index of field.
+MInstruction *fieldTypesElements = MElements::New(alloc(), unboxFieldTypes);
+current->add(fieldTypesElements);
+MConstant *fieldIndexDef = constantInt(fieldIndex);
+MInstruction *fieldType = MLoadElement::New(alloc(), fieldTypesElements, fieldIndexDef, false, false);
+current->add(fieldType);
+MInstruction *unboxFieldType = MUnbox::New(alloc(), fieldType, MIRType_Object, MUnbox::Infallible);
+current->add(unboxFieldType);
+return unboxFieldType;
+}
+bool
+IonBuilder::storeScalarTypedObjectValue(MDefinition *typedObj,
+MDefinition *byteOffset,
+ScalarTypeDescr::Type type,
+bool canBeNeutered,
+bool racy,
+MDefinition *value)
+{
+// Find location within the owner object.
+MDefinition *elements, *scaledOffset;
+size_t alignment = ScalarTypeDescr::alignment(type);
+loadTypedObjectElements(typedObj, byteOffset, alignment, canBeNeutered,
+&elements, &scaledOffset);
+// Clamp value to [0, 255] when type is Uint8Clamped
+MDefinition *toWrite = value;
+if (type == ScalarTypeDescr::TYPE_UINT8_CLAMPED) {
+toWrite = MClampToUint8::New(alloc(), value);
+current->add(toWrite->toInstruction());
+}
+MStoreTypedArrayElement *store =
+MStoreTypedArrayElement::New(alloc(), elements, scaledOffset, toWrite,
+type);
+if (racy)
+store->setRacy();
+current->add(store);
+return true;
+}
+MConstant *
+IonBuilder::constant(const Value &v)
+{
+MConstant *c = MConstant::New(alloc(), v, constraints());
+current->add(c);
+return c;
+}
+MConstant *
+IonBuilder::constantInt(int32_t i)
+{
+return constant(Int32Value(i));
+}
+MDefinition *
+IonBuilder::getCallee()
+{
+if (inliningDepth_ == 0) {
+MInstruction *callee = MCallee::New(alloc());
+current->add(callee);
+return callee;
+}
+return inlineCallInfo_->fun();
+}

The Tor Browser / file comparison

comparison: js/src/jit/IonBuilder.cpp

js/src/jit/IonBuilder.cpp