From 1dee3b202b5062fcf31ed8f0af3477d6e9e0c115 Mon Sep 17 00:00:00 2001
From: Liu Yu <liuyu@loongson.cn>
Date: Fri, 22 Jul 2022 14:08:51 +0000
Subject: [PATCH] Bug 1776825 - [mips64]Fix undeclared identifier
 'PoppedFPJitEntry'/'STUB_FRAME_SIZE'. r=jandem

Port D148487,D148779 and bug1772506 to mips64

Differential Revision: https://phabricator.services.mozilla.com/D152492
---
 .../mips-shared/CodeGenerator-mips-shared.cpp |   2 +-
 .../SharedICHelpers-mips-shared-inl.h         |  28 ++---
 .../mips-shared/SharedICHelpers-mips-shared.h |  20 ++--
 js/src/jit/mips64/Assembler-mips64.h          |   2 +-
 js/src/jit/mips64/MacroAssembler-mips64.cpp   |   2 +-
 js/src/jit/mips64/Simulator-mips64.cpp        |   9 ++
 js/src/jit/mips64/Trampoline-mips64.cpp       | 113 +++++++++---------
 js/src/jit/shared/Lowering-shared-inl.h       |   2 +-
 js/src/wasm/WasmFrameIter.cpp                 |  10 +-
 9 files changed, 92 insertions(+), 96 deletions(-)

diff --git a/js/src/jit/mips-shared/CodeGenerator-mips-shared.cpp b/js/src/jit/mips-shared/CodeGenerator-mips-shared.cpp
index 57030ee6cf8a..febe5c684a7f 100644
--- a/js/src/jit/mips-shared/CodeGenerator-mips-shared.cpp
+++ b/js/src/jit/mips-shared/CodeGenerator-mips-shared.cpp
@@ -1486,7 +1486,7 @@ void CodeGeneratorMIPSShared::emitTableSwitchDispatch(MTableSwitch* mir,
 }
 
 void CodeGenerator::visitWasmHeapBase(LWasmHeapBase* ins) {
-  MOZ_ASSERT(ins->tlsPtr()->isBogus());
+  MOZ_ASSERT(ins->instance()->isBogus());
   masm.movePtr(HeapReg, ToRegister(ins->output()));
 }
 
diff --git a/js/src/jit/mips-shared/SharedICHelpers-mips-shared-inl.h b/js/src/jit/mips-shared/SharedICHelpers-mips-shared-inl.h
index e37adbc9f4ee..cee021595f57 100644
--- a/js/src/jit/mips-shared/SharedICHelpers-mips-shared-inl.h
+++ b/js/src/jit/mips-shared/SharedICHelpers-mips-shared-inl.h
@@ -20,14 +20,16 @@ inline void EmitBaselineTailCallVM(TrampolinePtr target, MacroAssembler& masm,
 #ifdef DEBUG
   Register scratch = R2.scratchReg();
 
-  // Store frame size without VMFunction arguments for debug assertions.
+  // Compute frame size.
   masm.movePtr(FramePointer, scratch);
-  masm.addPtr(Imm32(BaselineFrame::FramePointerOffset), scratch);
   masm.subPtr(StackPointer, scratch);
+
+  // Store frame size without VMFunction arguments for debug assertions.
   masm.subPtr(Imm32(argSize), scratch);
   Address frameSizeAddr(FramePointer,
                         BaselineFrame::reverseOffsetOfDebugFrameSize());
   masm.store32(scratch, frameSizeAddr);
+  masm.addPtr(Imm32(argSize), scratch);
 #endif
 
   // Push frame descriptor and perform the tail call.
@@ -35,12 +37,8 @@ inline void EmitBaselineTailCallVM(TrampolinePtr target, MacroAssembler& masm,
   // keep it there through the stub calls), but the VMWrapper code being
   // called expects the return address to also be pushed on the stack.
   MOZ_ASSERT(ICTailCallReg == ra);
-  masm.subPtr(Imm32(sizeof(CommonFrameLayout)), StackPointer);
-  masm.storePtr(ImmWord(MakeFrameDescriptor(FrameType::BaselineJS)),
-                Address(StackPointer, CommonFrameLayout::offsetOfDescriptor()));
-  masm.storePtr(
-      ra, Address(StackPointer, CommonFrameLayout::offsetOfReturnAddress()));
-
+  masm.pushFrameDescriptor(FrameType::BaselineJS);
+  masm.push(ra);
   masm.jump(target);
 }
 
@@ -55,7 +53,6 @@ inline void EmitBaselineEnterStubFrame(MacroAssembler& masm, Register scratch) {
 #ifdef DEBUG
   // Compute frame size.
   masm.movePtr(FramePointer, scratch);
-  masm.addPtr(Imm32(BaselineFrame::FramePointerOffset), scratch);
   masm.subPtr(StackPointer, scratch);
 
   Address frameSizeAddr(FramePointer,
@@ -67,18 +64,13 @@ inline void EmitBaselineEnterStubFrame(MacroAssembler& masm, Register scratch) {
   // BaselineStubFrame if needed.
 
   // Push frame descriptor and return address.
-  masm.subPtr(Imm32(STUB_FRAME_SIZE), StackPointer);
-  masm.storePtr(ImmWord(MakeFrameDescriptor(FrameType::BaselineJS)),
-                Address(StackPointer, offsetof(BaselineStubFrame, descriptor)));
-  masm.storePtr(ICTailCallReg, Address(StackPointer, offsetof(BaselineStubFrame,
-                                                              returnAddress)));
+  masm.PushFrameDescriptor(FrameType::BaselineJS);
+  masm.Push(ICTailCallReg);
 
   // Save old frame pointer, stack pointer and stub reg.
-  masm.storePtr(ICStubReg,
-                Address(StackPointer, offsetof(BaselineStubFrame, savedStub)));
-  masm.storePtr(FramePointer,
-                Address(StackPointer, offsetof(BaselineStubFrame, savedFrame)));
+  masm.Push(FramePointer);
   masm.movePtr(StackPointer, FramePointer);
+  masm.Push(ICStubReg);
 
   // Stack should remain aligned.
   masm.assertStackAlignment(sizeof(Value), 0);
diff --git a/js/src/jit/mips-shared/SharedICHelpers-mips-shared.h b/js/src/jit/mips-shared/SharedICHelpers-mips-shared.h
index 20fa8d156e84..979e4b0a42bf 100644
--- a/js/src/jit/mips-shared/SharedICHelpers-mips-shared.h
+++ b/js/src/jit/mips-shared/SharedICHelpers-mips-shared.h
@@ -48,22 +48,20 @@ inline void EmitCallIC(MacroAssembler& masm, CodeOffset* callOffset) {
 inline void EmitReturnFromIC(MacroAssembler& masm) { masm.branch(ra); }
 
 inline void EmitBaselineLeaveStubFrame(MacroAssembler& masm) {
+  masm.loadPtr(
+      Address(FramePointer, BaselineStubFrameLayout::ICStubOffsetFromFP),
+      ICStubReg);
   masm.movePtr(FramePointer, StackPointer);
-
-  masm.loadPtr(Address(StackPointer, offsetof(BaselineStubFrame, savedFrame)),
-               FramePointer);
-  masm.loadPtr(Address(StackPointer, offsetof(BaselineStubFrame, savedStub)),
-               ICStubReg);
+  masm.Pop(FramePointer);
 
   // Load the return address.
-  masm.loadPtr(
-      Address(StackPointer, offsetof(BaselineStubFrame, returnAddress)),
-      ICTailCallReg);
+  masm.Pop(ICTailCallReg);
 
   // Discard the frame descriptor.
-  masm.loadPtr(Address(StackPointer, offsetof(BaselineStubFrame, descriptor)),
-               ScratchRegister);
-  masm.addPtr(Imm32(STUB_FRAME_SIZE), StackPointer);
+  {
+    SecondScratchRegisterScope scratch2(masm);
+    masm.Pop(scratch2);
+  }
 }
 
 template <typename AddrType>
diff --git a/js/src/jit/mips64/Assembler-mips64.h b/js/src/jit/mips64/Assembler-mips64.h
index dacbdeab07d8..90382ef399e7 100644
--- a/js/src/jit/mips64/Assembler-mips64.h
+++ b/js/src/jit/mips64/Assembler-mips64.h
@@ -187,7 +187,7 @@ static const uint32_t WasmTrapInstructionLength = 4;
 // See comments in wasm::GenerateFunctionPrologue.  The difference between these
 // is the size of the largest callable prologue on the platform.
 static constexpr uint32_t WasmCheckedCallEntryOffset = 0u;
-static constexpr uint32_t WasmCheckedTailEntryOffset = 16u;
+static constexpr uint32_t WasmCheckedTailEntryOffset = 20u;
 
 static constexpr Scale ScalePointer = TimesEight;
 
diff --git a/js/src/jit/mips64/MacroAssembler-mips64.cpp b/js/src/jit/mips64/MacroAssembler-mips64.cpp
index c8f7db2d25ff..ec69fa4755ed 100644
--- a/js/src/jit/mips64/MacroAssembler-mips64.cpp
+++ b/js/src/jit/mips64/MacroAssembler-mips64.cpp
@@ -1049,7 +1049,7 @@ void MacroAssemblerMIPS64::ma_push(FloatRegister f) {
 bool MacroAssemblerMIPS64Compat::buildOOLFakeExitFrame(void* fakeReturnAddr) {
   asMasm().PushFrameDescriptor(FrameType::IonJS);  // descriptor_
   asMasm().Push(ImmPtr(fakeReturnAddr));
-
+  asMasm().Push(FramePointer);
   return true;
 }
 
diff --git a/js/src/jit/mips64/Simulator-mips64.cpp b/js/src/jit/mips64/Simulator-mips64.cpp
index e3c0a1102e32..68f7f6a55e6e 100644
--- a/js/src/jit/mips64/Simulator-mips64.cpp
+++ b/js/src/jit/mips64/Simulator-mips64.cpp
@@ -1964,6 +1964,8 @@ typedef int32_t (*Prototype_Int32_GeneralInt32Int32Int32Int32)(int64_t, int32_t,
                                                                int32_t);
 typedef int32_t (*Prototype_Int32_GeneralInt32Int32Int32Int32Int32)(
     int64_t, int32_t, int32_t, int32_t, int32_t, int32_t);
+typedef int32_t (*Prototype_Int32_GeneralInt32Int32Int32Int32General)(
+    int64_t, int32_t, int32_t, int32_t, int32_t, int64_t);
 typedef int32_t (*Prototype_Int32_GeneralInt32Int32Int32General)(
     int64_t, int32_t, int32_t, int32_t, int64_t);
 typedef int32_t (*Prototype_Int32_GeneralInt32Int32Int64)(int64_t, int32_t,
@@ -2302,6 +2304,13 @@ void Simulator::softwareInterrupt(SimInstruction* instr) {
         setRegister(v0, I64(ret));
         break;
       }
+      case Args_Int32_GeneralInt32Int32Int32Int32General: {
+        int32_t ret = reinterpret_cast<
+            Prototype_Int32_GeneralInt32Int32Int32Int32General>(nativeFn)(
+            arg0, I32(arg1), I32(arg2), I32(arg3), I32(arg4), arg5);
+        setRegister(v0, I64(ret));
+        break;
+      }
       case Args_Int32_GeneralInt32Int32Int32General: {
         int32_t ret =
             reinterpret_cast<Prototype_Int32_GeneralInt32Int32Int32General>(
diff --git a/js/src/jit/mips64/Trampoline-mips64.cpp b/js/src/jit/mips64/Trampoline-mips64.cpp
index a79f3f70a9e2..0d6baada0bdd 100644
--- a/js/src/jit/mips64/Trampoline-mips64.cpp
+++ b/js/src/jit/mips64/Trampoline-mips64.cpp
@@ -222,12 +222,8 @@ void JitRuntime::generateEnterJIT(JSContext* cx, MacroAssembler& masm) {
   }
   masm.bind(&footer);
 
-  masm.subPtr(Imm32(2 * sizeof(uintptr_t)), StackPointer);
-  masm.storePtr(s3,
-                Address(StackPointer, sizeof(uintptr_t)));  // actual arguments
-  masm.storePtr(reg_token, Address(StackPointer, 0));       // callee token
-
-  masm.pushFrameDescriptor(FrameType::CppToJSJit);
+  masm.push(reg_token);
+  masm.pushFrameDescriptorForJitCall(FrameType::CppToJSJit, s3, s3);
 
   CodeLabel returnLabel;
   Label oomReturnLabel;
@@ -237,7 +233,6 @@ void JitRuntime::generateEnterJIT(JSContext* cx, MacroAssembler& masm) {
     MOZ_ASSERT(!regs.has(FramePointer));
     regs.take(OsrFrameReg);
     regs.take(reg_code);
-    regs.take(ReturnReg);
 
     Label notOsr;
     masm.ma_b(OsrFrameReg, OsrFrameReg, &notOsr, Assembler::Zero, ShortJump);
@@ -257,20 +252,24 @@ void JitRuntime::generateEnterJIT(JSContext* cx, MacroAssembler& masm) {
 
     // Reserve frame.
     Register framePtr = FramePointer;
-    masm.subPtr(Imm32(BaselineFrame::Size()), StackPointer);
     masm.movePtr(StackPointer, framePtr);
+    masm.subPtr(Imm32(BaselineFrame::Size()), StackPointer);
+
+    Register framePtrScratch = regs.takeAny();
+    masm.movePtr(sp, framePtrScratch);
 
     // Reserve space for locals and stack values.
     masm.ma_dsll(scratch, numStackValues, Imm32(3));
     masm.subPtr(scratch, StackPointer);
 
     // Enter exit frame.
-    // Push frame descriptor and fake return address.
-    masm.reserveStack(2 * sizeof(uintptr_t));
+    masm.reserveStack(3 * sizeof(uintptr_t));
     masm.storePtr(
         ImmWord(MakeFrameDescriptor(FrameType::BaselineJS)),
-        Address(StackPointer, sizeof(uintptr_t)));  // Frame descriptor
-    masm.storePtr(zero, Address(StackPointer, 0));  // fake return address
+        Address(StackPointer, 2 * sizeof(uintptr_t)));  // Frame descriptor
+    masm.storePtr(
+        zero, Address(StackPointer, sizeof(uintptr_t)));  // fake return address
+    masm.storePtr(FramePointer, Address(StackPointer, 0));
 
     // No GC things to mark, push a bare token.
     masm.loadJSContext(scratch);
@@ -284,8 +283,8 @@ void JitRuntime::generateEnterJIT(JSContext* cx, MacroAssembler& masm) {
     using Fn = bool (*)(BaselineFrame * frame, InterpreterFrame * interpFrame,
                         uint32_t numStackValues);
     masm.setupUnalignedABICall(scratch);
-    masm.passABIArg(FramePointer);  // BaselineFrame
-    masm.passABIArg(OsrFrameReg);   // InterpreterFrame
+    masm.passABIArg(framePtrScratch);  // BaselineFrame
+    masm.passABIArg(OsrFrameReg);      // InterpreterFrame
     masm.passABIArg(numStackValues);
     masm.callWithABI<Fn, jit::InitBaselineFrameForOsr>(
         MoveOp::GENERAL, CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -298,7 +297,6 @@ void JitRuntime::generateEnterJIT(JSContext* cx, MacroAssembler& masm) {
 
     Label error;
     masm.freeStack(ExitFrameLayout::SizeWithFooter());
-    masm.addPtr(Imm32(BaselineFrame::Size()), framePtr);
     masm.branchIfFalseBool(ReturnReg, &error);
 
     // If OSR-ing, then emit instrumentation for setting lastProfilerFrame
@@ -331,7 +329,7 @@ void JitRuntime::generateEnterJIT(JSContext* cx, MacroAssembler& masm) {
 
   // The call will push the return address on the stack, thus we check that
   // the stack would be aligned once the call is complete.
-  masm.assertStackAlignment(JitStackAlignment, sizeof(uintptr_t));
+  masm.assertStackAlignment(JitStackAlignment, 2 * sizeof(uintptr_t));
 
   // Call the function with pushing return address to stack.
   masm.callJitNoProfiler(reg_code);
@@ -392,11 +390,10 @@ void JitRuntime::generateInvalidator(MacroAssembler& masm, Label* bailoutTail) {
   masm.callWithABI<Fn, InvalidationBailout>(
       MoveOp::GENERAL, CheckUnsafeCallWithABI::DontCheckOther);
 
-  masm.loadPtr(Address(StackPointer, 0), a2);
+  masm.pop(a2);
 
   // Pop the machine state and the dead frame.
   masm.moveToStackPtr(FramePointer);
-  masm.pop(FramePointer);
 
   // Jump to shared bailout tail. The BailoutInfo pointer has to be in r2.
   masm.jump(bailoutTail);
@@ -421,12 +418,16 @@ void JitRuntime::generateArgumentsRectifier(MacroAssembler& masm,
   // Caller:
   // [arg2] [arg1] [this] [[argc] [callee] [descr] [raddr]] <- sp
 
-#error "Port changes from bug 1772506"
+  // Frame prologue.
+  //
+  // NOTE: if this changes, fix the Baseline bailout code too!
+  // See BaselineStackBuilder::calculatePrevFramePtr and
+  // BaselineStackBuilder::buildRectifierFrame (in BaselineBailouts.cpp).
+  masm.push(FramePointer);
+  masm.mov(StackPointer, FramePointer);
 
-  // Add |this|, in the counter of known arguments.
-  masm.loadPtr(
-      Address(StackPointer, RectifierFrameLayout::offsetOfNumActualArgs()), s3);
-  masm.addPtr(Imm32(1), s3);
+  // Load argc.
+  masm.loadNumActualArgs(FramePointer, s3);
 
   Register numActArgsReg = a6;
   Register calleeTokenReg = a7;
@@ -434,7 +435,7 @@ void JitRuntime::generateArgumentsRectifier(MacroAssembler& masm,
 
   // Load |nformals| into numArgsReg.
   masm.loadPtr(
-      Address(StackPointer, RectifierFrameLayout::offsetOfCalleeToken()),
+      Address(FramePointer, RectifierFrameLayout::offsetOfCalleeToken()),
       calleeTokenReg);
   masm.mov(calleeTokenReg, numArgsReg);
   masm.andPtr(Imm32(uint32_t(CalleeTokenMask)), numArgsReg);
@@ -468,27 +469,24 @@ void JitRuntime::generateArgumentsRectifier(MacroAssembler& masm,
   masm.add32(t2, numArgsReg);
   masm.and32(Imm32(~(JitStackValueAlignment - 1)), numArgsReg);
 
-  // Load the number of |undefined|s to push into t1.
+  // Load the number of |undefined|s to push into t1. Subtract 1 for |this|.
   masm.as_dsubu(t1, numArgsReg, s3);
+  masm.sub32(Imm32(1), t1);
 
   // Caller:
-  // [arg2] [arg1] [this] [ [argc] [callee] [descr] [raddr] ] <- sp <- t2
-  // '------ s3 -------'
+  // [arg2] [arg1] [this] [ [argc] [callee] [descr] [raddr] ] <- sp
+  // '--- s3 ----'
   //
   // Rectifier frame:
-  // [undef] [undef] [undef] [arg2] [arg1] [this] [ [argc] [callee]
-  //                                                [descr] [raddr] ]
-  // '-------- t1 ---------' '------- s3 -------'
+  // [fp'][undef] [undef] [undef] [arg2] [arg1] [this] [ [argc] [callee]
+  //                                                   [descr] [raddr] ]
+  //      '-------- t1 ---------' '--- s3 ----'
 
   // Copy number of actual arguments into numActArgsReg
-  masm.loadPtr(
-      Address(StackPointer, RectifierFrameLayout::offsetOfNumActualArgs()),
-      numActArgsReg);
+  masm.mov(s3, numActArgsReg);  // Save %sp.
 
   masm.moveValue(UndefinedValue(), ValueOperand(t0));
 
-  masm.movePtr(StackPointer, t2);  // Save %sp.
-
   // Push undefined. (including the padding)
   {
     Label undefLoopTop;
@@ -504,13 +502,14 @@ void JitRuntime::generateArgumentsRectifier(MacroAssembler& masm,
   // Get the topmost argument.
   static_assert(sizeof(Value) == 8, "TimesEight is used to skip arguments");
 
-  // | - sizeof(Value)| is used to put rcx such that we can read the last
-  // argument, and not the value which is after.
-  masm.ma_dsll(t0, s3, Imm32(3));  // t0 <- nargs * 8
-  masm.as_daddu(t1, t2, t0);       // t1 <- t2(saved sp) + nargs * 8
-  masm.addPtr(Imm32(sizeof(RectifierFrameLayout) - sizeof(Value)), t1);
+  // Get the topmost argument.
+  masm.ma_dsll(t0, s3, Imm32(3));       // t0 <- nargs * 8
+  masm.as_daddu(t1, FramePointer, t0);  // t1 <- fp(saved sp) + nargs * 8
+  masm.addPtr(Imm32(sizeof(RectifierFrameLayout)), t1);
 
-  // Copy & Push arguments, |nargs| + 1 times (to include |this|).
+  // Push arguments, |nargs| + 1 times (to include |this|).
+
+  masm.addPtr(Imm32(1), s3);
   {
     Label copyLoopTop;
 
@@ -535,8 +534,8 @@ void JitRuntime::generateArgumentsRectifier(MacroAssembler& masm,
     // thisFrame[numFormals] = prevFrame[argc]
     ValueOperand newTarget(t0);
 
-    // +1 for |this|. We want vp[argc], so don't subtract 1
-    BaseIndex newTargetSrc(t2, numActArgsReg, TimesEight,
+    // Load vp[argc]. Add sizeof(Value) for |this|.
+    BaseIndex newTargetSrc(FramePointer, numActArgsReg, TimesEight,
                            sizeof(RectifierFrameLayout) + sizeof(Value));
     masm.loadValue(newTargetSrc, newTarget);
 
@@ -548,22 +547,17 @@ void JitRuntime::generateArgumentsRectifier(MacroAssembler& masm,
   }
 
   // Caller:
-  // [arg2] [arg1] [this] [ [argc] [callee] [descr] [raddr] ] <- t2
+  // [arg2] [arg1] [this] [ [argc] [callee] [descr] [raddr] ]
   //
   //
   // Rectifier frame:
-  // [undef] [undef] [undef] [arg2] [arg1] [this] <- sp [ [argc] [callee]
-  //                                                      [descr] [raddr] ]
+  // [fp'] <- fp [undef] [undef] [undef] [arg2] [arg1] [this] <- sp [ [argc]
+  //                                              [callee] [descr] [raddr] ]
 
   // Construct JitFrameLayout.
-  masm.subPtr(Imm32(3 * sizeof(uintptr_t)), StackPointer);
-  // Push actual arguments.
-  masm.storePtr(numActArgsReg, Address(StackPointer, 2 * sizeof(uintptr_t)));
-  // Push callee token.
-  masm.storePtr(calleeTokenReg, Address(StackPointer, sizeof(uintptr_t)));
-  // Push frame descriptor.
-  masm.storePtr(ImmWord(MakeFrameDescriptor(FrameType::Rectifier)),
-                Address(StackPointer, 0));
+  masm.push(calleeTokenReg);
+  masm.pushFrameDescriptorForJitCall(FrameType::Rectifier, numActArgsReg,
+                                     numActArgsReg);
 
   // Call the target function.
   masm.andPtr(Imm32(uint32_t(CalleeTokenMask)), calleeTokenReg);
@@ -629,7 +623,6 @@ static void GenerateBailoutThunk(MacroAssembler& masm, Label* bailoutTail) {
 
   // Remove both the bailout frame and the topmost Ion frame's stack.
   masm.moveToStackPtr(FramePointer);
-  masm.pop(FramePointer);
 
   // Jump to shared bailout tail. The BailoutInfo pointer has to be in a2.
   masm.jump(bailoutTail);
@@ -668,7 +661,8 @@ bool JitRuntime::generateVMWrapper(JSContext* cx, MacroAssembler& masm,
     masm.pushReturnAddress();
   }
 
-  // We're aligned to an exit frame, so link it up.
+  // Push the frame pointer to finish the exit frame, then link it up.
+  masm.Push(FramePointer);
   masm.loadJSContext(cxreg);
   masm.enterExitFrame(cxreg, regs.getAny(), &f);
 
@@ -809,8 +803,11 @@ bool JitRuntime::generateVMWrapper(JSContext* cx, MacroAssembler& masm,
       break;
   }
 
-  masm.leaveExitFrame();
-  masm.retn(Imm32(sizeof(ExitFrameLayout) +
+  // Pop ExitFooterFrame and the frame pointer.
+  masm.leaveExitFrame(sizeof(void*));
+
+  // Return. Subtract sizeof(void*) for the frame pointer.
+  masm.retn(Imm32(sizeof(ExitFrameLayout) - sizeof(void*) +
                   f.explicitStackSlots() * sizeof(void*) +
                   f.extraValuesToPop * sizeof(Value)));
 
diff --git a/js/src/jit/shared/Lowering-shared-inl.h b/js/src/jit/shared/Lowering-shared-inl.h
index 9b496e88ba3d..30f00601cd59 100644
--- a/js/src/jit/shared/Lowering-shared-inl.h
+++ b/js/src/jit/shared/Lowering-shared-inl.h
@@ -519,7 +519,7 @@ LAllocation LIRGeneratorShared::useRegisterOrNonDoubleConstant(
 }
 
 #if defined(JS_CODEGEN_ARM) || defined(JS_CODEGEN_ARM64) || \
-    defined(JS_CODEGEN_LOONG64)
+    defined(JS_CODEGEN_LOONG64) || defined(JS_CODEGEN_MIPS64)
 LAllocation LIRGeneratorShared::useAnyOrConstant(MDefinition* mir) {
   return useRegisterOrConstant(mir);
 }
diff --git a/js/src/wasm/WasmFrameIter.cpp b/js/src/wasm/WasmFrameIter.cpp
index e91d5965df3c..20e98a4a9d6d 100644
--- a/js/src/wasm/WasmFrameIter.cpp
+++ b/js/src/wasm/WasmFrameIter.cpp
@@ -387,9 +387,10 @@ static_assert(BeforePushRetAddr == 0, "Required by StartUnwinding");
 static_assert(PushedFP > PushedRetAddr, "Required by StartUnwinding");
 #elif defined(JS_CODEGEN_MIPS64)
 static const unsigned PushedRetAddr = 8;
-static const unsigned PushedFP = 12;
-static const unsigned SetFP = 16;
+static const unsigned PushedFP = 16;
+static const unsigned SetFP = 20;
 static const unsigned PoppedFP = 4;
+static const unsigned PoppedFPJitEntry = 0;
 #elif defined(JS_CODEGEN_LOONG64)
 static const unsigned PushedRetAddr = 8;
 static const unsigned PushedFP = 16;
@@ -458,10 +459,9 @@ static void GenerateCallablePrologue(MacroAssembler& masm, uint32_t* entry) {
   {
     *entry = masm.currentOffset();
 
-    masm.subFromStackPtr(Imm32(sizeof(Frame)));
-    masm.storePtr(ra, Address(StackPointer, Frame::returnAddressOffset()));
+    masm.ma_push(ra);
     MOZ_ASSERT_IF(!masm.oom(), PushedRetAddr == masm.currentOffset() - *entry);
-    masm.storePtr(FramePointer, Address(StackPointer, Frame::callerFPOffset()));
+    masm.ma_push(FramePointer);
     MOZ_ASSERT_IF(!masm.oom(), PushedFP == masm.currentOffset() - *entry);
     masm.moveStackPtrTo(FramePointer);
     MOZ_ASSERT_IF(!masm.oom(), SetFP == masm.currentOffset() - *entry);