Bug 1586762 - Set BaselineFrame::interpreterICEntry correctly for BaselineDebugModeOSR at debug prologue. r=iain

We were using the first pc, but that skips the prologue's type monitor ICs.

This bug is pretty hard to trigger in practice (I was unable to write a test
that doesn't use setJitCompilerOption) because usually we switch immediately
from Baseline Interpreter to Baseline JIT code after returning from the
DebugPrologue call and don't use the (invalid) interpreterICEntry value.

Differential Revision: https://phabricator.services.mozilla.com/D49590

--HG--
extra : moz-landing-system : lando

js/src/jit-test/tests/debug/bug1586762.js

@@ -0,0 +1,9 @@
+setJitCompilerOption("baseline.warmup.trigger", 0);
+var g = newGlobal({newCompartment: true});
+var dbg = new Debugger;
+dbg.addDebuggee(g);
+g.eval("" + function f() { return 7; });
+dbg.onEnterFrame = function() {
+  dbg.removeDebuggee(g);
+}
+assertEq(g.f(), 7);

js/src/jit/BaselineBailouts.cpp

@@ -1129,7 +1129,7 @@ static bool InitFromBailout(JSContext* cx, size_t frameNo, HandleFunction fun,
     if (isPrologueBailout) {
       JitSpew(JitSpew_BaselineBailouts, "      Resuming into prologue.");
       MOZ_ASSERT(pc == script->code());
-      blFrame->setInterpreterFieldsForPrologueBailout(script);
+      blFrame->setInterpreterFieldsForPrologue(script);
       resumeAddr = baselineInterp.bailoutPrologueEntryAddr();
     } else if (excInfo && excInfo->propagatingIonExceptionForDebugMode()) {
       // When propagating an exception for debug mode, set the

js/src/jit/BaselineDebugModeOSR.cpp

@@ -321,7 +321,11 @@ static void PatchBaselineFramesForDebugMode(
             // Resume in the Baseline Interpreter because these callVMs are not
             // present in the new BaselineScript if we recompiled without debug
             // instrumentation.
-            frame.baselineFrame()->switchFromJitToInterpreter(cx, pc);
+            if (kind == RetAddrEntry::Kind::DebugPrologue) {
+              frame.baselineFrame()->switchFromJitToInterpreterAtPrologue(cx);
+            } else {
+              frame.baselineFrame()->switchFromJitToInterpreter(cx, pc);
+            }
             switch (kind) {
               case RetAddrEntry::Kind::DebugTrap:
                 // DebugTrap handling is different from the ones below because

js/src/jit/BaselineFrame.cpp

@@ -119,7 +119,7 @@ void BaselineFrame::setInterpreterFields(JSScript* script, jsbytecode* pc) {
   interpreterICEntry_ = jitScript->interpreterICEntryFromPCOffset(pcOffset);
 }
 
-void BaselineFrame::setInterpreterFieldsForPrologueBailout(JSScript* script) {
+void BaselineFrame::setInterpreterFieldsForPrologue(JSScript* script) {
   JitScript* jitScript = script->jitScript();
   interpreterScript_ = script;
   interpreterPC_ = script->code();

js/src/jit/BaselineFrame.h

@@ -242,6 +242,12 @@ class BaselineFrame {
     flags_ |= RUNNING_IN_INTERPRETER;
     setInterpreterFields(pc);
   }
+  void switchFromJitToInterpreterAtPrologue(JSContext* cx) {
+    MOZ_ASSERT(!cx->isProfilerSamplingEnabled());
+    MOZ_ASSERT(!runningInInterpreter());
+    flags_ |= RUNNING_IN_INTERPRETER;
+    setInterpreterFieldsForPrologue(script());
+  }
 
   // Like switchFromJitToInterpreter, but set the interpreterICEntry_ field to
   // nullptr. Initializing this field requires a binary search on the
@@ -275,7 +281,9 @@ class BaselineFrame {
     setInterpreterFields(script(), pc);
   }
 
-  void setInterpreterFieldsForPrologueBailout(JSScript* script);
+  // Initialize interpreter fields for resuming in the prologue (before the
+  // argument type check ICs).
+  void setInterpreterFieldsForPrologue(JSScript* script);
 
   bool hasReturnValue() const { return flags_ & HAS_RVAL; }
   MutableHandleValue returnValue() {