Bug 1502090 - Fix bailout tracking with fun.call. r=nbp

NOTE: Multi-arg array.push is still disabled in Ion. Differential Revision: https://phabricator.services.mozilla.com/D9803 --HG-- extra : moz-landing-system : lando
2018-10-25 19:50:02 +00:00 · 2018-10-25 19:50:02 +00:00 · 4f5ec5b4dc
--- a/js/src/jit-test/tests/ion/bug1502090.js
+++ b/js/src/jit-test/tests/ion/bug1502090.js
@ -0,0 +1,13 @@
+function f(o) {
+   var a = [o];
+   a.length = a[0];
+   var useless = function() {}
+   var sz = Array.prototype.push.call(a, 42, 43);
+   (function(){
+       sz;
+   })(new Boolean(false));
+}
+for (var i = 0; i < 2; i++) {
+   f(1);
+}
+f(2);
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@ -5356,6 +5356,14 @@ IonBuilder::jsop_funcall(uint32_t argc)
    TemporaryTypeSet* funTypes = current->peek(funcDepth)->resultTypeSet();
    JSFunction* target = getSingleCallTarget(funTypes);

+    CallInfo callInfo(alloc(), pc, /* constructing = */ false,
+                      /* ignoresReturnValue = */ BytecodeIsPopped(pc));
+
+    // Save prior call stack in case we need to resolve during bailout
+    // recovery of inner inlined function. This includes the JSFunction and the
+    // 'call' native function.
+    MOZ_TRY(callInfo.savePriorCallStack(this, current, argc + 2));
+
    // Shimmy the slots down to remove the native 'call' function.
    current->shimmySlots(funcDepth - 1);

@ -5370,8 +5378,6 @@ IonBuilder::jsop_funcall(uint32_t argc)
        argc -= 1;
    }

-    CallInfo callInfo(alloc(), pc, /* constructing = */ false,
-                      /* ignoresReturnValue = */ BytecodeIsPopped(pc));
    if (!callInfo.init(current, argc)) {
        return abort(AbortReason::Alloc);
    }