From 4f5ec5b4dcc5ff97ee5885c59bbf5cf4a037aa27 Mon Sep 17 00:00:00 2001
From: Ted Campbell
Date: Thu, 25 Oct 2018 19:50:02 +0000
Subject: [PATCH] Bug 1502090 - Fix bailout tracking with fun.call. r=nbp
NOTE: Multi-arg array.push is still disabled in Ion.
Differential Revision: https://phabricator.services.mozilla.com/D9803
--HG--
extra : moz-landing-system : lando
---
 js/src/jit-test/tests/ion/bug1502090.js | 13 +++++++++++++
 js/src/jit/IonBuilder.cpp | 10 ++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 js/src/jit-test/tests/ion/bug1502090.js
diff --git a/js/src/jit-test/tests/ion/bug1502090.js b/js/src/jit-test/tests/ion/bug1502090.js
new file mode 100644
index 000000000000..c7638e7e7342
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1502090.js
@@ -0,0 +1,13 @@
+function f(o) {
+ var a = [o];
+ a.length = a[0];
+ var useless = function() {}
+ var sz = Array.prototype.push.call(a, 42, 43);
+ (function(){
+ sz;
+ })(new Boolean(false));
+}
+for (var i = 0; i < 2; i++) {
+ f(1);
+}
+f(2);
diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index f9f208a9b253..733e2a401267 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -5356,6 +5356,14 @@ IonBuilder::jsop_funcall(uint32_t argc)
 TemporaryTypeSet* funTypes = current->peek(funcDepth)->resultTypeSet();
 JSFunction* target = getSingleCallTarget(funTypes);
+ CallInfo callInfo(alloc(), pc, /* constructing = */ false,
+ /* ignoresReturnValue = */ BytecodeIsPopped(pc));
+
+ // Save prior call stack in case we need to resolve during bailout
+ // recovery of inner inlined function. This includes the JSFunction and the
+ // 'call' native function.
+ MOZ_TRY(callInfo.savePriorCallStack(this, current, argc + 2));
+
 // Shimmy the slots down to remove the native 'call' function.
 current->shimmySlots(funcDepth - 1);
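Review bot: The new test never checks `sz`, so it only catches a crash or assertion failure during bailout and would still pass if recovery produced a wrong value. Provided it does not disturb the code shape needed to reach the bug (which cannot be verified from this page), `f` could end with `return sz;` and the calls could become `assertEq(f(1), 3);` in the loop and `assertEq(f(2), 4);` for the last one. The two warm-up iterations presumably reach Ion only under an eager or low-threshold harness configuration, which deserves a one-line comment at the top of the file.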
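Review bot: The `argc + 2` passed to `savePriorCallStack` in this hunk relies on two orderings that the code does not state: the call has to run before `current->shimmySlots(funcDepth - 1)` removes the native 'call' slot, and before `argc` is adjusted further down (the `argc -= 1` visible in the next hunk). The added comment says what the two extra slots are but not that the call is position-sensitive, so a later reordering could save the wrong slots for bailout recovery without any compile-time signal. I would extend the comment with `// Must stay ahead of shimmySlots() and the argc adjustment below: the count describes the unmodified stack.` The definition of `savePriorCallStack` is not shown here, so how it uses the count is inferred from the comment, and `jsop_funcall` begins and ends outside the hunk.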
@@ -5370,8 +5378,6 @@ IonBuilder::jsop_funcall(uint32_t argc)
 argc -= 1;
 }
- CallInfo callInfo(alloc(), pc, /* constructing = */ false,
- /* ignoresReturnValue = */ BytecodeIsPopped(pc));
 if (!callInfo.init(current, argc)) {
 return abort(AbortReason::Alloc);
 }