From 8425620cf74982c4e341943ad318fdff03dcc14e Mon Sep 17 00:00:00 2001
From: "Nicolas B. Pierron" <nicolas.b.pierron@mozilla.com>
Date: Tue, 8 Nov 2016 14:06:38 +0000
Subject: [PATCH] Bug 1132888 part 1 - Re-add recover instruction for
 recovering typed array allocations. r=h4writer

---
 js/src/jit/MCallOptimize.cpp |  4 +++-
 js/src/jit/MIR.h             | 29 ++++++++++++-----------------
 js/src/jit/Recover.cpp       | 28 ++++++++++++++++++++++++++++
 js/src/jit/Recover.h         |  9 +++++++++
 4 files changed, 52 insertions(+), 18 deletions(-)

diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp
index 591cbf7a2133..92d78c07b9db 100644
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -2372,7 +2372,9 @@ IonBuilder::inlineTypedArray(CallInfo& callInfo, Native native)
             return InliningStatus_NotInlined;
 
         callInfo.setImplicitlyUsedUnchecked();
-        ins = MNewTypedArray::New(alloc(), constraints(), obj,
+        MConstant* templateConst = MConstant::NewConstraintlessObject(alloc(), obj);
+        current->add(templateConst);
+        ins = MNewTypedArray::New(alloc(), constraints(), templateConst,
                                   obj->group()->initialHeap(constraints()));
     }
 
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index 8e1bf3264a19..8d3e46010edc 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -3365,34 +3365,28 @@ class MNewArrayDynamicLength
     }
 };
 
-class MNewTypedArray : public MNullaryInstruction
+class MNewTypedArray
+  : public MUnaryInstruction,
+    public NoTypePolicy::Data
 {
-    CompilerGCPointer<TypedArrayObject*> templateObject_;
     gc::InitialHeap initialHeap_;
 
-    MNewTypedArray(CompilerConstraintList* constraints, TypedArrayObject* templateObject,
+    MNewTypedArray(CompilerConstraintList* constraints, MConstant* templateConst,
                    gc::InitialHeap initialHeap)
-      : templateObject_(templateObject),
+      : MUnaryInstruction(templateConst),
         initialHeap_(initialHeap)
     {
-        MOZ_ASSERT(!templateObject->isSingleton());
+        MOZ_ASSERT(!templateObject()->isSingleton());
         setResultType(MIRType::Object);
-        setResultTypeSet(MakeSingletonTypeSet(constraints, templateObject));
+        setResultTypeSet(MakeSingletonTypeSet(constraints, templateObject()));
     }
 
   public:
     INSTRUCTION_HEADER(NewTypedArray)
-
-    static MNewTypedArray* New(TempAllocator& alloc,
-                               CompilerConstraintList* constraints,
-                               TypedArrayObject* templateObject,
-                               gc::InitialHeap initialHeap)
-    {
-        return new(alloc) MNewTypedArray(constraints, templateObject, initialHeap);
-    }
+    TRIVIAL_NEW_WRAPPERS
 
     TypedArrayObject* templateObject() const {
-        return templateObject_;
+        return &getOperand(0)->toConstant()->toObject().as<TypedArrayObject>();
     }
 
     gc::InitialHeap initialHeap() const {
@@ -3403,8 +3397,9 @@ class MNewTypedArray : public MNullaryInstruction
         return AliasSet::None();
     }
 
-    bool appendRoots(MRootList& roots) const override {
-        return roots.append(templateObject_);
+    MOZ_MUST_USE bool writeRecoverData(CompactBufferWriter& writer) const override;
+    bool canRecoverOnBailout() const override {
+        return true;
     }
 };
 
diff --git a/js/src/jit/Recover.cpp b/js/src/jit/Recover.cpp
index 7894905442c9..13bf9224b3d1 100644
--- a/js/src/jit/Recover.cpp
+++ b/js/src/jit/Recover.cpp
@@ -1305,6 +1305,34 @@ RNewObject::recover(JSContext* cx, SnapshotIterator& iter) const
     return true;
 }
 
+bool
+MNewTypedArray::writeRecoverData(CompactBufferWriter& writer) const
+{
+    MOZ_ASSERT(canRecoverOnBailout());
+    writer.writeUnsigned(uint32_t(RInstruction::Recover_NewTypedArray));
+    return true;
+}
+
+RNewTypedArray::RNewTypedArray(CompactBufferReader& reader)
+{
+}
+
+bool
+RNewTypedArray::recover(JSContext* cx, SnapshotIterator& iter) const
+{
+    RootedObject templateObject(cx, &iter.read().toObject());
+    RootedValue result(cx);
+
+    uint32_t length = templateObject.as<TypedArrayObject>()->length();
+    JSObject* resultObject = TypedArrayCreateWithTemplate(cx, templateObject, length);
+    if (!resultObject)
+        return false;
+
+    result.setObject(*resultObject);
+    iter.storeInstructionResult(result);
+    return true;
+}
+
 bool
 MNewArray::writeRecoverData(CompactBufferWriter& writer) const
 {
diff --git a/js/src/jit/Recover.h b/js/src/jit/Recover.h
index 73de46c05445..0a70c1acc7bd 100644
--- a/js/src/jit/Recover.h
+++ b/js/src/jit/Recover.h
@@ -100,6 +100,7 @@ namespace jit {
     _(ToFloat32)                                \
     _(TruncateToInt32)                          \
     _(NewObject)                                \
+    _(NewTypedArray)                            \
     _(NewArray)                                 \
     _(NewDerivedTypedObject)                    \
     _(CreateThisWithTemplate)                   \
@@ -565,6 +566,14 @@ class RNewObject final : public RInstruction
     MOZ_MUST_USE bool recover(JSContext* cx, SnapshotIterator& iter) const;
 };
 
+class RNewTypedArray final : public RInstruction
+{
+  public:
+    RINSTRUCTION_HEADER_NUM_OP_(NewTypedArray, 1)
+
+    MOZ_MUST_USE bool recover(JSContext* cx, SnapshotIterator& iter) const;
+};
+
 class RNewArray final : public RInstruction
 {
   private: