Bug 899735 - IonMonkey: Add a function to the shell that makes it possible to cause a bailout in IM, r=jandem

js/src/builtin/TestingFunctions.cpp

@@ -985,6 +985,14 @@ GetObjectMetadata(JSContext *cx, unsigned argc, jsval *vp)
     return true;
 }
 
+JSBool
+js::testingFunc_bailout(JSContext *cx, unsigned argc, jsval *vp)
+{
+    // NOP when not in IonMonkey
+    JS_SET_RVAL(cx, vp, JSVAL_VOID);
+    return true;
+}
+
 static JSFunctionSpecWithHelp TestingFunctions[] = {
     JS_FN_HELP("gc", ::GC, 0, 0,
 "gc([obj] | 'compartment')",
@@ -1163,6 +1171,10 @@ static JSFunctionSpecWithHelp TestingFunctions[] = {
 "getObjectMetadata(obj)",
 "  Get the metadata for an object."),
 
+    JS_FN_HELP("bailout", testingFunc_bailout, 0, 0,
+"bailout()",
+"  Force a bailout out of ionmonkey (if running in ionmonkey)."),
+
     JS_FS_HELP_END
 };
 

js/src/builtin/TestingFunctions.h

@@ -17,6 +17,9 @@ DefineTestingFunctions(JSContext *cx, HandleObject obj);
 JSBool
 testingFunc_inParallelSection(JSContext *cx, unsigned argc, jsval *vp);
 
+JSBool
+testingFunc_bailout(JSContext *cx, unsigned argc, jsval *vp);
+
 } /* namespace js */
 
 #endif /* builtin_TestingFunctions_h */

js/src/ion/CodeGenerator.cpp

@@ -2080,6 +2080,12 @@ CodeGenerator::visitApplyArgsGeneric(LApplyArgsGeneric *apply)
     return true;
 }
 
+bool
+CodeGenerator::visitBail(LBail *lir)
+{
+    return bailout(lir->snapshot());
+}
+
 bool
 CodeGenerator::visitGetDynamicName(LGetDynamicName *lir)
 {

js/src/ion/CodeGenerator.h

@@ -105,6 +105,7 @@ class CodeGenerator : public CodeGeneratorSpecific
     void emitPushArguments(LApplyArgsGeneric *apply, Register extraStackSpace);
     void emitPopArguments(LApplyArgsGeneric *apply, Register extraStackSize);
     bool visitApplyArgsGeneric(LApplyArgsGeneric *apply);
+    bool visitBail(LBail *lir);
     bool visitGetDynamicName(LGetDynamicName *lir);
     bool visitFilterArguments(LFilterArguments *lir);
     bool visitCallDirectEval(LCallDirectEval *lir);

js/src/ion/IonBuilder.h

@@ -499,7 +499,6 @@ class IonBuilder : public MIRGenerator
     InliningStatus inlineUnsafeGetReservedSlot(CallInfo &callInfo);
 
     // Parallel intrinsics.
-    InliningStatus inlineForceSequentialOrInParallelSection(CallInfo &callInfo);
     InliningStatus inlineNewParallelArray(CallInfo &callInfo);
     InliningStatus inlineParallelArray(CallInfo &callInfo);
     InliningStatus inlineParallelArrayTail(CallInfo &callInfo,
@@ -515,6 +514,10 @@ class IonBuilder : public MIRGenerator
     InliningStatus inlineToObject(CallInfo &callInfo);
     InliningStatus inlineDump(CallInfo &callInfo);
 
+    // Testing functions.
+    InliningStatus inlineForceSequentialOrInParallelSection(CallInfo &callInfo);
+    InliningStatus inlineBailout(CallInfo &callInfo);
+
     // Main inlining functions
     InliningStatus inlineNativeCall(CallInfo &callInfo, JSNative native);
     bool inlineScriptedCall(CallInfo &callInfo, JSFunction *target);

js/src/ion/LIR-Common.h

@@ -1062,6 +1062,12 @@ class LCallDOMNative : public LJSCallInstructionHelper<BOX_PIECES, 0, 4>
     }
 };
 
+class LBail : public LInstructionHelper<0, 0, 0>
+{
+  public:
+    LIR_HEADER(Bail)
+};
+
 template <size_t defs, size_t ops>
 class LDOMPropertyInstructionHelper : public LCallInstructionHelper<defs, 1 + ops, 3>
 {

js/src/ion/LOpcodes.h

@@ -44,6 +44,7 @@
     _(CallGeneric)                  \
     _(CallNative)                   \
     _(ApplyArgsGeneric)             \
+    _(Bail)                         \
     _(GetDynamicName)               \
     _(FilterArguments)              \
     _(CallDirectEval)               \

js/src/ion/Lowering.cpp

@@ -476,6 +476,13 @@ LIRGenerator::visitApplyArgs(MApplyArgs *apply)
     return true;
 }
 
+bool
+LIRGenerator::visitBail(MBail *bail)
+{
+    LBail *lir = new LBail();
+    return assignSnapshot(lir) && add(lir, bail);
+}
+
 bool
 LIRGenerator::visitGetDynamicName(MGetDynamicName *ins)
 {

js/src/ion/Lowering.h

@@ -112,6 +112,7 @@ class LIRGenerator : public LIRGeneratorSpecific
     bool visitReturnFromCtor(MReturnFromCtor *ins);
     bool visitCall(MCall *call);
     bool visitApplyArgs(MApplyArgs *apply);
+    bool visitBail(MBail *bail);
     bool visitGetDynamicName(MGetDynamicName *ins);
     bool visitFilterArguments(MFilterArguments *ins);
     bool visitCallDirectEval(MCallDirectEval *ins);

js/src/ion/MCallOptimize.cpp

@@ -130,8 +130,6 @@ IonBuilder::inlineNativeCall(CallInfo &callInfo, JSNative native)
     // Parallel intrinsics.
     if (native == intrinsic_ShouldForceSequential)
         return inlineForceSequentialOrInParallelSection(callInfo);
-    if (native == testingFunc_inParallelSection)
-        return inlineForceSequentialOrInParallelSection(callInfo);
     if (native == intrinsic_NewParallelArray)
         return inlineNewParallelArray(callInfo);
     if (native == ParallelArrayObject::construct)
@@ -147,6 +145,12 @@ IonBuilder::inlineNativeCall(CallInfo &callInfo, JSNative native)
     if (native == intrinsic_ToObject)
         return inlineToObject(callInfo);
 
+    // Testing Functions
+    if (native == testingFunc_inParallelSection)
+        return inlineForceSequentialOrInParallelSection(callInfo);
+    if (native == testingFunc_bailout)
+        return inlineBailout(callInfo);
+
     return InliningStatus_NotInlined;
 }
 
@@ -1498,5 +1502,17 @@ IonBuilder::inlineToObject(CallInfo &callInfo)
     return InliningStatus_Inlined;
 }
 
+IonBuilder::InliningStatus
+IonBuilder::inlineBailout(CallInfo &callInfo)
+{
+    callInfo.unwrapArgs();
+
+    current->add(MBail::New());
+
+    MConstant *undefined = MConstant::New(UndefinedValue());
+    current->push(undefined);
+    return InliningStatus_Inlined;
+}
+
 } // namespace ion
 } // namespace js

js/src/ion/MIR.h

@@ -1796,6 +1796,24 @@ class MApplyArgs
     }
 };
 
+class MBail : public MNullaryInstruction
+{
+  protected:
+    MBail()
+    {
+        setGuard();
+    }
+
+  public:
+    INSTRUCTION_HEADER(Bail)
+
+    static MBail *
+    New() {
+        return new MBail();
+    }
+
+};
+
 class MGetDynamicName
   : public MAryInstruction<2>,
     public MixPolicy<ObjectPolicy<0>, StringPolicy<1> >

js/src/ion/MOpcodes.h

@@ -39,6 +39,7 @@ namespace ion {
     _(PassArg)                                                              \
     _(Call)                                                                 \
     _(ApplyArgs)                                                            \
+    _(Bail)                                                                 \
     _(GetDynamicName)                                                       \
     _(FilterArguments)                                                      \
     _(CallDirectEval)                                                       \

js/src/ion/ParallelSafetyAnalysis.cpp

@@ -133,6 +133,7 @@ class ParallelSafetyVisitor : public MInstructionVisitor
     SAFE_OP(PassArg)
     CUSTOM_OP(Call)
     UNSAFE_OP(ApplyArgs)
+    UNSAFE_OP(Bail)
     UNSAFE_OP(GetDynamicName)
     UNSAFE_OP(FilterArguments)
     UNSAFE_OP(CallDirectEval)

js/src/jit-test/tests/ion/bug765454.js

@@ -1,5 +1,3 @@
-var bailout = Proxy.createFunction({}, Math.sin);
-
 var seen = -1;
 
 // Test to make sure the jits get the number of calls, and return value

js/src/jit-test/tests/ion/bug813784.js

@@ -122,7 +122,6 @@ assertEq(args[2], 6);
 
 //////////////////
 
-var bailout = Proxy.createFunction({}, Math.sin);
 function arg_len2() { assertEq(arguments.length, 4); }
 function bailing_arg_len(a) {
     if (a == 90) {

js/src/jit-test/tests/ion/entryOverflowBailout.js

@@ -1,7 +1,6 @@
 var o;
 var f1;
 var counter = 0;
-var bailout = Proxy.createFunction({}, Math.sin);
 
 function f2(a) {
     bailout();