Bug Summary

File:var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp
Warning:line 1854, column 5
Value stored to 'valueOffset' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name Unified_cpp_js_src_jit1.cpp -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -ffp-contract=off -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/js/src/jit -fcoverage-compilation-dir=/var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/js/src/jit -resource-dir /usr/lib/llvm-20/lib/clang/20 -include /var/lib/jenkins/workspace/firefox-scan-build/config/gcc_hidden.h -include /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/mozilla-config.h -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/dist/stl_wrappers -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/dist/system_wrappers -U _FORTIFY_SOURCE -D _FORTIFY_SOURCE=2 -D _GLIBCXX_ASSERTIONS -D DEBUG=1 -D WASM_SUPPORTS_HUGE_MEMORY -D JS_CACHEIR_SPEW -D JS_STRUCTURED_SPEW -D JS_HAS_CTYPES -D FFI_BUILDING -D EXPORT_JS_API -D MOZ_HAS_MOZGLUE -D MOZ_SUPPORT_LEAKCHECKING -I /var/lib/jenkins/workspace/firefox-scan-build/js/src/jit -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/js/src/jit -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/js/src -I /var/lib/jenkins/workspace/firefox-scan-build/js/src -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/dist/include -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/dist/include/nspr -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/dist/include/nss -D MOZILLA_CLIENT -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../include/c++/14 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../include/x86_64-linux-gnu/c++/14 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../include/c++/14/backward -internal-isystem /usr/lib/llvm-20/lib/clang/20/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wno-error=tautological-type-limit-compare -Wno-invalid-offsetof -Wno-range-loop-analysis -Wno-deprecated-anon-enum-enum-conversion -Wno-deprecated-enum-enum-conversion -Wno-deprecated-this-capture -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wno-error=atomic-alignment -Wno-error=deprecated-builtins -Wno-psabi -Wno-error=builtin-macro-redefined -Wno-vla-cxx-extension -Wno-unknown-warning-option -fdeprecated-macro -ferror-limit 19 -fstrict-flex-arrays=1 -stack-protector 2 -fstack-clash-protection -ftrivial-auto-var-init=pattern -fno-rtti -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fno-sized-deallocation -fno-aligned-allocation -vectorize-loops -vectorize-slp -analyzer-checker optin.performance.Padding -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2025-01-20-090804-167946-1 -x c++ Unified_cpp_js_src_jit1.cpp
1/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7#include "jit/BaselineIC.h"
8
9#include "mozilla/DebugOnly.h"
10#include "mozilla/Sprintf.h"
11
12#include "jstypes.h"
13
14#include "builtin/Eval.h"
15#include "jit/BaselineCacheIRCompiler.h"
16#include "jit/CacheIRGenerator.h"
17#include "jit/CacheIRHealth.h"
18#include "jit/JitFrames.h"
19#include "jit/JitRuntime.h"
20#include "jit/JitSpewer.h"
21#include "jit/Linker.h"
22#include "jit/PerfSpewer.h"
23#include "jit/SharedICHelpers.h"
24#include "jit/SharedICRegisters.h"
25#include "jit/VMFunctions.h"
26#include "js/Conversions.h"
27#include "js/friend/ErrorMessages.h" // JSMSG_*
28#include "vm/BytecodeIterator.h"
29#include "vm/BytecodeLocation.h"
30#include "vm/BytecodeUtil.h"
31#include "vm/EqualityOperations.h"
32#include "vm/JSFunction.h"
33#include "vm/JSScript.h"
34#include "vm/Opcodes.h"
35#include "vm/PortableBaselineInterpret.h"
36#include "vm/TypeofEqOperand.h" // TypeofEqOperand
37#ifdef MOZ_VTUNE1
38# include "vtune/VTuneWrapper.h"
39#endif
40
41#include "jit/MacroAssembler-inl.h"
42#include "jit/SharedICHelpers-inl.h"
43#include "jit/VMFunctionList-inl.h"
44#include "vm/BytecodeIterator-inl.h"
45#include "vm/BytecodeLocation-inl.h"
46#include "vm/EnvironmentObject-inl.h"
47#include "vm/Interpreter-inl.h"
48#include "vm/JSScript-inl.h"
49
50using mozilla::DebugOnly;
51
52namespace js {
53namespace jit {
54
55// Class used to emit all Baseline IC fallback code when initializing the
56// JitRuntime.
57class MOZ_RAII FallbackICCodeCompiler final {
58 BaselineICFallbackCode& code;
59 MacroAssembler& masm;
60
61 JSContext* cx;
62 bool inStubFrame_ = false;
63
64#ifdef DEBUG1
65 bool entersStubFrame_ = false;
66 uint32_t framePushedAtEnterStubFrame_ = 0;
67#endif
68
69 [[nodiscard]] bool emitCall(bool isSpread, bool isConstructing);
70 [[nodiscard]] bool emitGetElem(bool hasReceiver);
71 [[nodiscard]] bool emitGetProp(bool hasReceiver);
72
73 public:
74 FallbackICCodeCompiler(JSContext* cx, BaselineICFallbackCode& code,
75 MacroAssembler& masm)
76 : code(code), masm(masm), cx(cx) {}
77
78#define DEF_METHOD(kind) [[nodiscard]] bool emit_##kind();
79 IC_BASELINE_FALLBACK_CODE_KIND_LIST(DEF_METHOD)DEF_METHOD(NewArray) DEF_METHOD(NewObject) DEF_METHOD(Lambda)
DEF_METHOD(ToBool) DEF_METHOD(UnaryArith) DEF_METHOD(Call) DEF_METHOD
(CallConstructing) DEF_METHOD(SpreadCall) DEF_METHOD(SpreadCallConstructing
) DEF_METHOD(GetElem) DEF_METHOD(GetElemSuper) DEF_METHOD(SetElem
) DEF_METHOD(In) DEF_METHOD(HasOwn) DEF_METHOD(CheckPrivateField
) DEF_METHOD(GetName) DEF_METHOD(BindName) DEF_METHOD(LazyConstant
) DEF_METHOD(SetProp) DEF_METHOD(GetIterator) DEF_METHOD(OptimizeSpreadCall
) DEF_METHOD(InstanceOf) DEF_METHOD(TypeOf) DEF_METHOD(TypeOfEq
) DEF_METHOD(ToPropertyKey) DEF_METHOD(Rest) DEF_METHOD(BinaryArith
) DEF_METHOD(Compare) DEF_METHOD(GetProp) DEF_METHOD(GetPropSuper
) DEF_METHOD(CloseIter) DEF_METHOD(OptimizeGetIterator) DEF_METHOD
(GetImport)
80#undef DEF_METHOD
81
82 void pushCallArguments(MacroAssembler& masm,
83 AllocatableGeneralRegisterSet regs, Register argcReg,
84 bool isConstructing);
85
86 // Push a payload specialized per compiler needed to execute stubs.
87 void PushStubPayload(MacroAssembler& masm, Register scratch);
88 void pushStubPayload(MacroAssembler& masm, Register scratch);
89
90 // Emits a tail call to a VMFunction wrapper.
91 [[nodiscard]] bool tailCallVMInternal(MacroAssembler& masm, VMFunctionId id);
92
93 template <typename Fn, Fn fn>
94 [[nodiscard]] bool tailCallVM(MacroAssembler& masm);
95
96 // Emits a normal (non-tail) call to a VMFunction wrapper.
97 [[nodiscard]] bool callVMInternal(MacroAssembler& masm, VMFunctionId id);
98
99 template <typename Fn, Fn fn>
100 [[nodiscard]] bool callVM(MacroAssembler& masm);
101
102 // A stub frame is used when a stub wants to call into the VM without
103 // performing a tail call. This is required for the return address
104 // to pc mapping to work.
105 void enterStubFrame(MacroAssembler& masm, Register scratch);
106 void assumeStubFrame();
107 void leaveStubFrame(MacroAssembler& masm);
108};
109
110AllocatableGeneralRegisterSet BaselineICAvailableGeneralRegs(size_t numInputs) {
111 AllocatableGeneralRegisterSet regs(GeneralRegisterSet::All());
112 MOZ_ASSERT(!regs.has(FramePointer))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!regs.has(FramePointer))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!regs.has(FramePointer)))), 0
))) { do { } while (false); MOZ_ReportAssertionFailure("!regs.has(FramePointer)"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 112); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!regs.has(FramePointer)"
")"); do { *((volatile int*)__null) = 112; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
113#if defined(JS_CODEGEN_ARM)
114 MOZ_ASSERT(!regs.has(ICTailCallReg))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!regs.has(ICTailCallReg))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!regs.has(ICTailCallReg)))),
0))) { do { } while (false); MOZ_ReportAssertionFailure("!regs.has(ICTailCallReg)"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 114); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!regs.has(ICTailCallReg)"
")"); do { *((volatile int*)__null) = 114; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
115 regs.take(BaselineSecondScratchReg);
116#elif defined(JS_CODEGEN_MIPS32) || defined(JS_CODEGEN_MIPS64)
117 MOZ_ASSERT(!regs.has(ICTailCallReg))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!regs.has(ICTailCallReg))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!regs.has(ICTailCallReg)))),
0))) { do { } while (false); MOZ_ReportAssertionFailure("!regs.has(ICTailCallReg)"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 117); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!regs.has(ICTailCallReg)"
")"); do { *((volatile int*)__null) = 117; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
118 MOZ_ASSERT(!regs.has(BaselineSecondScratchReg))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!regs.has(BaselineSecondScratchReg))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!regs.has(BaselineSecondScratchReg
)))), 0))) { do { } while (false); MOZ_ReportAssertionFailure
("!regs.has(BaselineSecondScratchReg)", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 118); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!regs.has(BaselineSecondScratchReg)"
")"); do { *((volatile int*)__null) = 118; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
119#elif defined(JS_CODEGEN_ARM64)
120 MOZ_ASSERT(!regs.has(PseudoStackPointer))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!regs.has(PseudoStackPointer))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!regs.has(PseudoStackPointer
)))), 0))) { do { } while (false); MOZ_ReportAssertionFailure
("!regs.has(PseudoStackPointer)", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 120); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!regs.has(PseudoStackPointer)"
")"); do { *((volatile int*)__null) = 120; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
121 MOZ_ASSERT(!regs.has(RealStackPointer))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!regs.has(RealStackPointer))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!regs.has(RealStackPointer))
)), 0))) { do { } while (false); MOZ_ReportAssertionFailure("!regs.has(RealStackPointer)"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 121); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!regs.has(RealStackPointer)"
")"); do { *((volatile int*)__null) = 121; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
122 MOZ_ASSERT(!regs.has(ICTailCallReg))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!regs.has(ICTailCallReg))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!regs.has(ICTailCallReg)))),
0))) { do { } while (false); MOZ_ReportAssertionFailure("!regs.has(ICTailCallReg)"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 122); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!regs.has(ICTailCallReg)"
")"); do { *((volatile int*)__null) = 122; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
123#endif
124 regs.take(ICStubReg);
125
126 switch (numInputs) {
127 case 0:
128 break;
129 case 1:
130 regs.take(R0);
131 break;
132 case 2:
133 regs.take(R0);
134 regs.take(R1);
135 break;
136 default:
137 MOZ_CRASH("Invalid numInputs")do { do { } while (false); MOZ_ReportCrash("" "Invalid numInputs"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 137); AnnotateMozCrashReason("MOZ_CRASH(" "Invalid numInputs"
")"); do { *((volatile int*)__null) = 137; __attribute__((nomerge
)) ::abort(); } while (false); } while (false);
138 }
139
140 return regs;
141}
142
143static jsbytecode* StubOffsetToPc(const ICFallbackStub* stub,
144 const JSScript* script) {
145 return script->offsetToPC(stub->pcOffset());
146}
147
148#ifdef JS_JITSPEW1
149void FallbackICSpew(JSContext* cx, ICFallbackStub* stub, const char* fmt, ...) {
150 if (JitSpewEnabled(JitSpew_BaselineICFallback)) {
151 RootedScript script(cx, GetTopJitJSScript(cx));
152 jsbytecode* pc = StubOffsetToPc(stub, script);
153
154 char fmtbuf[100];
155 va_list args;
156 va_start(args, fmt)__builtin_va_start(args, fmt);
157 (void)VsprintfLiteral(fmtbuf, fmt, args);
158 va_end(args)__builtin_va_end(args);
159
160 JitSpew(
161 JitSpew_BaselineICFallback,
162 "Fallback hit for (%s:%u:%u) (pc=%zu,line=%u,uses=%u,stubs=%zu): %s",
163 script->filename(), script->lineno(), script->column().oneOriginValue(),
164 script->pcToOffset(pc), PCToLineNumber(script, pc),
165 script->getWarmUpCount(), stub->numOptimizedStubs(), fmtbuf);
166 }
167}
168#endif // JS_JITSPEW
169
170void ICEntry::trace(JSTracer* trc) {
171 ICStub* stub = firstStub();
172
173 // Trace CacheIR stubs.
174 while (!stub->isFallback()) {
175 stub->toCacheIRStub()->trace(trc);
176 stub = stub->toCacheIRStub()->next();
177 }
178
179 // Fallback stubs use runtime-wide trampoline code we don't need to trace.
180 MOZ_ASSERT(stub->usesTrampolineCode())do { static_assert( mozilla::detail::AssertionConditionType<
decltype(stub->usesTrampolineCode())>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(stub->usesTrampolineCode(
)))), 0))) { do { } while (false); MOZ_ReportAssertionFailure
("stub->usesTrampolineCode()", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 180); AnnotateMozCrashReason("MOZ_ASSERT" "(" "stub->usesTrampolineCode()"
")"); do { *((volatile int*)__null) = 180; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
181}
182
183inline ICFallbackStub* GetFallbackStub(ICEntry* entry) {
184 ICStub* stub = entry->firstStub();
185 while (!stub->isFallback()) {
186 stub = stub->toCacheIRStub()->next();
187 }
188 return stub->toFallbackStub();
189}
190
191bool ICEntry::traceWeak(JSTracer* trc) {
192 // Trace CacheIR stubs and remove those containing weak pointers to dead GC
193 // things. Prebarriers are not necessary because this happens as part of GC.
194
195 ICFallbackStub* fallbackStub = GetFallbackStub(this);
196
197 ICStub* stub = firstStub();
198 ICCacheIRStub* prev = nullptr;
199 bool allSurvived = true;
200 while (!stub->isFallback()) {
201 ICCacheIRStub* cacheIRStub = stub->toCacheIRStub();
202 if (!cacheIRStub->traceWeak(trc)) {
203 fallbackStub->unlinkStubUnbarriered(this, prev, cacheIRStub);
204 allSurvived = false;
205 } else {
206 prev = cacheIRStub;
207 }
208
209 stub = cacheIRStub->next();
210 MOZ_ASSERT_IF(prev, prev->next() == stub)do { if (prev) { do { static_assert( mozilla::detail::AssertionConditionType
<decltype(prev->next() == stub)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(prev->next() == stub))), 0
))) { do { } while (false); MOZ_ReportAssertionFailure("prev->next() == stub"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 210); AnnotateMozCrashReason("MOZ_ASSERT" "(" "prev->next() == stub"
")"); do { *((volatile int*)__null) = 210; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false); } } while (
false);
211 }
212
213 // Clear the folded stubs flag if we know for sure that there are none
214 // left. The flag will remain set if we have removed all folded stubs but
215 // other stubs remain.
216 if (fallbackStub->numOptimizedStubs() == 0 &&
217 fallbackStub->mayHaveFoldedStub()) {
218 fallbackStub->clearMayHaveFoldedStub();
219 }
220
221#ifdef DEBUG1
222 size_t count = 0;
223 for (ICStub* stub = firstStub(); stub != fallbackStub;
224 stub = stub->toCacheIRStub()->next()) {
225 count++;
226 }
227 MOZ_ASSERT(count == fallbackStub->state().numOptimizedStubs())do { static_assert( mozilla::detail::AssertionConditionType<
decltype(count == fallbackStub->state().numOptimizedStubs(
))>::isValid, "invalid assertion condition"); if ((__builtin_expect
(!!(!(!!(count == fallbackStub->state().numOptimizedStubs(
)))), 0))) { do { } while (false); MOZ_ReportAssertionFailure
("count == fallbackStub->state().numOptimizedStubs()", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 227); AnnotateMozCrashReason("MOZ_ASSERT" "(" "count == fallbackStub->state().numOptimizedStubs()"
")"); do { *((volatile int*)__null) = 227; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
228#endif
229
230 return allSurvived;
231}
232
233// constexpr table mapping JSOp to BaselineICFallbackKind. Each value in the
234// table is either a fallback kind or a sentinel value (NoICValue) indicating
235// the JSOp is not a JOF_IC op.
236class MOZ_STATIC_CLASS OpToFallbackKindTable {
237 static_assert(sizeof(BaselineICFallbackKind) == sizeof(uint8_t));
238 uint8_t table_[JSOP_LIMIT] = {};
239
240 constexpr void setKind(JSOp op, BaselineICFallbackKind kind) {
241 MOZ_ASSERT(uint8_t(kind) != NoICValue)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(uint8_t(kind) != NoICValue)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(uint8_t(kind) != NoICValue))
), 0))) { do { } while (false); MOZ_ReportAssertionFailure("uint8_t(kind) != NoICValue"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 241); AnnotateMozCrashReason("MOZ_ASSERT" "(" "uint8_t(kind) != NoICValue"
")"); do { *((volatile int*)__null) = 241; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
242 table_[size_t(op)] = uint8_t(kind);
243 }
244
245 public:
246 static constexpr uint8_t NoICValue = uint8_t(BaselineICFallbackKind::Count);
247
248 uint8_t lookup(JSOp op) const { return table_[size_t(op)]; }
249
250 constexpr OpToFallbackKindTable() {
251 for (size_t i = 0; i < JSOP_LIMIT; i++) {
252 table_[i] = NoICValue;
253 }
254
255 setKind(JSOp::Not, BaselineICFallbackKind::ToBool);
256 setKind(JSOp::And, BaselineICFallbackKind::ToBool);
257 setKind(JSOp::Or, BaselineICFallbackKind::ToBool);
258 setKind(JSOp::JumpIfTrue, BaselineICFallbackKind::ToBool);
259 setKind(JSOp::JumpIfFalse, BaselineICFallbackKind::ToBool);
260
261 setKind(JSOp::BitNot, BaselineICFallbackKind::UnaryArith);
262 setKind(JSOp::Pos, BaselineICFallbackKind::UnaryArith);
263 setKind(JSOp::Neg, BaselineICFallbackKind::UnaryArith);
264 setKind(JSOp::Inc, BaselineICFallbackKind::UnaryArith);
265 setKind(JSOp::Dec, BaselineICFallbackKind::UnaryArith);
266 setKind(JSOp::ToNumeric, BaselineICFallbackKind::UnaryArith);
267
268 setKind(JSOp::BitOr, BaselineICFallbackKind::BinaryArith);
269 setKind(JSOp::BitXor, BaselineICFallbackKind::BinaryArith);
270 setKind(JSOp::BitAnd, BaselineICFallbackKind::BinaryArith);
271 setKind(JSOp::Lsh, BaselineICFallbackKind::BinaryArith);
272 setKind(JSOp::Rsh, BaselineICFallbackKind::BinaryArith);
273 setKind(JSOp::Ursh, BaselineICFallbackKind::BinaryArith);
274 setKind(JSOp::Add, BaselineICFallbackKind::BinaryArith);
275 setKind(JSOp::Sub, BaselineICFallbackKind::BinaryArith);
276 setKind(JSOp::Mul, BaselineICFallbackKind::BinaryArith);
277 setKind(JSOp::Div, BaselineICFallbackKind::BinaryArith);
278 setKind(JSOp::Mod, BaselineICFallbackKind::BinaryArith);
279 setKind(JSOp::Pow, BaselineICFallbackKind::BinaryArith);
280
281 setKind(JSOp::Eq, BaselineICFallbackKind::Compare);
282 setKind(JSOp::Ne, BaselineICFallbackKind::Compare);
283 setKind(JSOp::Lt, BaselineICFallbackKind::Compare);
284 setKind(JSOp::Le, BaselineICFallbackKind::Compare);
285 setKind(JSOp::Gt, BaselineICFallbackKind::Compare);
286 setKind(JSOp::Ge, BaselineICFallbackKind::Compare);
287 setKind(JSOp::StrictEq, BaselineICFallbackKind::Compare);
288 setKind(JSOp::StrictNe, BaselineICFallbackKind::Compare);
289
290 setKind(JSOp::NewArray, BaselineICFallbackKind::NewArray);
291
292 setKind(JSOp::NewObject, BaselineICFallbackKind::NewObject);
293 setKind(JSOp::NewInit, BaselineICFallbackKind::NewObject);
294
295 setKind(JSOp::Lambda, BaselineICFallbackKind::Lambda);
296
297 setKind(JSOp::InitElem, BaselineICFallbackKind::SetElem);
298 setKind(JSOp::InitHiddenElem, BaselineICFallbackKind::SetElem);
299 setKind(JSOp::InitLockedElem, BaselineICFallbackKind::SetElem);
300 setKind(JSOp::InitElemInc, BaselineICFallbackKind::SetElem);
301 setKind(JSOp::SetElem, BaselineICFallbackKind::SetElem);
302 setKind(JSOp::StrictSetElem, BaselineICFallbackKind::SetElem);
303
304 setKind(JSOp::InitProp, BaselineICFallbackKind::SetProp);
305 setKind(JSOp::InitLockedProp, BaselineICFallbackKind::SetProp);
306 setKind(JSOp::InitHiddenProp, BaselineICFallbackKind::SetProp);
307 setKind(JSOp::InitGLexical, BaselineICFallbackKind::SetProp);
308 setKind(JSOp::SetProp, BaselineICFallbackKind::SetProp);
309 setKind(JSOp::StrictSetProp, BaselineICFallbackKind::SetProp);
310 setKind(JSOp::SetName, BaselineICFallbackKind::SetProp);
311 setKind(JSOp::StrictSetName, BaselineICFallbackKind::SetProp);
312 setKind(JSOp::SetGName, BaselineICFallbackKind::SetProp);
313 setKind(JSOp::StrictSetGName, BaselineICFallbackKind::SetProp);
314
315 setKind(JSOp::GetProp, BaselineICFallbackKind::GetProp);
316 setKind(JSOp::GetBoundName, BaselineICFallbackKind::GetProp);
317
318 setKind(JSOp::GetPropSuper, BaselineICFallbackKind::GetPropSuper);
319
320 setKind(JSOp::GetElem, BaselineICFallbackKind::GetElem);
321
322 setKind(JSOp::GetElemSuper, BaselineICFallbackKind::GetElemSuper);
323
324 setKind(JSOp::In, BaselineICFallbackKind::In);
325
326 setKind(JSOp::HasOwn, BaselineICFallbackKind::HasOwn);
327
328 setKind(JSOp::CheckPrivateField, BaselineICFallbackKind::CheckPrivateField);
329
330 setKind(JSOp::GetName, BaselineICFallbackKind::GetName);
331 setKind(JSOp::GetGName, BaselineICFallbackKind::GetName);
332
333 setKind(JSOp::BindName, BaselineICFallbackKind::BindName);
334 setKind(JSOp::BindUnqualifiedName, BaselineICFallbackKind::BindName);
335 setKind(JSOp::BindUnqualifiedGName, BaselineICFallbackKind::BindName);
336
337 setKind(JSOp::GetIntrinsic, BaselineICFallbackKind::LazyConstant);
338 setKind(JSOp::BuiltinObject, BaselineICFallbackKind::LazyConstant);
339 setKind(JSOp::ImportMeta, BaselineICFallbackKind::LazyConstant);
340
341 setKind(JSOp::Call, BaselineICFallbackKind::Call);
342 setKind(JSOp::CallContent, BaselineICFallbackKind::Call);
343 setKind(JSOp::CallIgnoresRv, BaselineICFallbackKind::Call);
344 setKind(JSOp::CallIter, BaselineICFallbackKind::Call);
345 setKind(JSOp::CallContentIter, BaselineICFallbackKind::Call);
346 setKind(JSOp::Eval, BaselineICFallbackKind::Call);
347 setKind(JSOp::StrictEval, BaselineICFallbackKind::Call);
348
349 setKind(JSOp::SuperCall, BaselineICFallbackKind::CallConstructing);
350 setKind(JSOp::New, BaselineICFallbackKind::CallConstructing);
351 setKind(JSOp::NewContent, BaselineICFallbackKind::CallConstructing);
352
353 setKind(JSOp::SpreadCall, BaselineICFallbackKind::SpreadCall);
354 setKind(JSOp::SpreadEval, BaselineICFallbackKind::SpreadCall);
355 setKind(JSOp::StrictSpreadEval, BaselineICFallbackKind::SpreadCall);
356
357 setKind(JSOp::SpreadSuperCall,
358 BaselineICFallbackKind::SpreadCallConstructing);
359 setKind(JSOp::SpreadNew, BaselineICFallbackKind::SpreadCallConstructing);
360
361 setKind(JSOp::Instanceof, BaselineICFallbackKind::InstanceOf);
362
363 setKind(JSOp::Typeof, BaselineICFallbackKind::TypeOf);
364 setKind(JSOp::TypeofExpr, BaselineICFallbackKind::TypeOf);
365
366 setKind(JSOp::TypeofEq, BaselineICFallbackKind::TypeOfEq);
367
368 setKind(JSOp::ToPropertyKey, BaselineICFallbackKind::ToPropertyKey);
369
370 setKind(JSOp::Iter, BaselineICFallbackKind::GetIterator);
371
372 setKind(JSOp::OptimizeSpreadCall,
373 BaselineICFallbackKind::OptimizeSpreadCall);
374
375 setKind(JSOp::Rest, BaselineICFallbackKind::Rest);
376
377 setKind(JSOp::CloseIter, BaselineICFallbackKind::CloseIter);
378 setKind(JSOp::OptimizeGetIterator,
379 BaselineICFallbackKind::OptimizeGetIterator);
380
381 setKind(JSOp::GetImport, BaselineICFallbackKind::GetImport);
382 }
383};
384
385static constexpr OpToFallbackKindTable FallbackKindTable;
386
387void ICScript::initICEntries(JSContext* cx, JSScript* script) {
388 MOZ_ASSERT(cx->zone()->jitZone())do { static_assert( mozilla::detail::AssertionConditionType<
decltype(cx->zone()->jitZone())>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(cx->zone()->jitZone())
)), 0))) { do { } while (false); MOZ_ReportAssertionFailure("cx->zone()->jitZone()"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 388); AnnotateMozCrashReason("MOZ_ASSERT" "(" "cx->zone()->jitZone()"
")"); do { *((volatile int*)__null) = 388; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
389 MOZ_ASSERT(jit::IsBaselineInterpreterEnabled() ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(jit::IsBaselineInterpreterEnabled() || jit::IsPortableBaselineInterpreterEnabled
())>::isValid, "invalid assertion condition"); if ((__builtin_expect
(!!(!(!!(jit::IsBaselineInterpreterEnabled() || jit::IsPortableBaselineInterpreterEnabled
()))), 0))) { do { } while (false); MOZ_ReportAssertionFailure
("jit::IsBaselineInterpreterEnabled() || jit::IsPortableBaselineInterpreterEnabled()"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 390); AnnotateMozCrashReason("MOZ_ASSERT" "(" "jit::IsBaselineInterpreterEnabled() || jit::IsPortableBaselineInterpreterEnabled()"
")"); do { *((volatile int*)__null) = 390; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
390 jit::IsPortableBaselineInterpreterEnabled())do { static_assert( mozilla::detail::AssertionConditionType<
decltype(jit::IsBaselineInterpreterEnabled() || jit::IsPortableBaselineInterpreterEnabled
())>::isValid, "invalid assertion condition"); if ((__builtin_expect
(!!(!(!!(jit::IsBaselineInterpreterEnabled() || jit::IsPortableBaselineInterpreterEnabled
()))), 0))) { do { } while (false); MOZ_ReportAssertionFailure
("jit::IsBaselineInterpreterEnabled() || jit::IsPortableBaselineInterpreterEnabled()"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 390); AnnotateMozCrashReason("MOZ_ASSERT" "(" "jit::IsBaselineInterpreterEnabled() || jit::IsPortableBaselineInterpreterEnabled()"
")"); do { *((volatile int*)__null) = 390; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
391
392 MOZ_ASSERT(numICEntries() == script->numICEntries())do { static_assert( mozilla::detail::AssertionConditionType<
decltype(numICEntries() == script->numICEntries())>::isValid
, "invalid assertion condition"); if ((__builtin_expect(!!(!(
!!(numICEntries() == script->numICEntries()))), 0))) { do {
} while (false); MOZ_ReportAssertionFailure("numICEntries() == script->numICEntries()"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 392); AnnotateMozCrashReason("MOZ_ASSERT" "(" "numICEntries() == script->numICEntries()"
")"); do { *((volatile int*)__null) = 392; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
393
394 // Index of the next ICEntry to initialize.
395 uint32_t icEntryIndex = 0;
396
397 const BaselineICFallbackCode& fallbackCode =
398 cx->runtime()->jitRuntime()->baselineICFallbackCode();
399
400 // For JOF_IC ops: initialize ICEntries and fallback stubs.
401 for (BytecodeLocation loc : js::AllBytecodesIterable(script)) {
402 JSOp op = loc.getOp();
403
404 // Assert the frontend stored the correct IC index in jump target ops.
405 MOZ_ASSERT_IF(BytecodeIsJumpTarget(op), loc.icIndex() == icEntryIndex)do { if (BytecodeIsJumpTarget(op)) { do { static_assert( mozilla
::detail::AssertionConditionType<decltype(loc.icIndex() ==
icEntryIndex)>::isValid, "invalid assertion condition"); if
((__builtin_expect(!!(!(!!(loc.icIndex() == icEntryIndex))),
0))) { do { } while (false); MOZ_ReportAssertionFailure("loc.icIndex() == icEntryIndex"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 405); AnnotateMozCrashReason("MOZ_ASSERT" "(" "loc.icIndex() == icEntryIndex"
")"); do { *((volatile int*)__null) = 405; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false); } } while (
false);
406
407 uint8_t tableValue = FallbackKindTable.lookup(op);
408
409 if (tableValue == OpToFallbackKindTable::NoICValue) {
410 MOZ_ASSERT(!BytecodeOpHasIC(op),do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!BytecodeOpHasIC(op))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!BytecodeOpHasIC(op)))), 0))
) { do { } while (false); MOZ_ReportAssertionFailure("!BytecodeOpHasIC(op)"
" (" "Missing entry in OpToFallbackKindTable for JOF_IC op" ")"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 411); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!BytecodeOpHasIC(op)"
") (" "Missing entry in OpToFallbackKindTable for JOF_IC op"
")"); do { *((volatile int*)__null) = 411; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
411 "Missing entry in OpToFallbackKindTable for JOF_IC op")do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!BytecodeOpHasIC(op))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!BytecodeOpHasIC(op)))), 0))
) { do { } while (false); MOZ_ReportAssertionFailure("!BytecodeOpHasIC(op)"
" (" "Missing entry in OpToFallbackKindTable for JOF_IC op" ")"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 411); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!BytecodeOpHasIC(op)"
") (" "Missing entry in OpToFallbackKindTable for JOF_IC op"
")"); do { *((volatile int*)__null) = 411; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
412 continue;
413 }
414
415 MOZ_ASSERT(BytecodeOpHasIC(op),do { static_assert( mozilla::detail::AssertionConditionType<
decltype(BytecodeOpHasIC(op))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(BytecodeOpHasIC(op)))), 0)))
{ do { } while (false); MOZ_ReportAssertionFailure("BytecodeOpHasIC(op)"
" (" "Unexpected fallback kind for non-JOF_IC op" ")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 416); AnnotateMozCrashReason("MOZ_ASSERT" "(" "BytecodeOpHasIC(op)"
") (" "Unexpected fallback kind for non-JOF_IC op" ")"); do {
*((volatile int*)__null) = 416; __attribute__((nomerge)) ::abort
(); } while (false); } } while (false)
416 "Unexpected fallback kind for non-JOF_IC op")do { static_assert( mozilla::detail::AssertionConditionType<
decltype(BytecodeOpHasIC(op))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(BytecodeOpHasIC(op)))), 0)))
{ do { } while (false); MOZ_ReportAssertionFailure("BytecodeOpHasIC(op)"
" (" "Unexpected fallback kind for non-JOF_IC op" ")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 416); AnnotateMozCrashReason("MOZ_ASSERT" "(" "BytecodeOpHasIC(op)"
") (" "Unexpected fallback kind for non-JOF_IC op" ")"); do {
*((volatile int*)__null) = 416; __attribute__((nomerge)) ::abort
(); } while (false); } } while (false);
417
418 BaselineICFallbackKind kind = BaselineICFallbackKind(tableValue);
419 TrampolinePtr stubCode =
420#ifdef ENABLE_PORTABLE_BASELINE_INTERP
421 !jit::IsPortableBaselineInterpreterEnabled()
422 ? fallbackCode.addr(kind)
423 : TrampolinePtr(js::pbl::GetPortableFallbackStub(kind));
424#else
425 fallbackCode.addr(kind);
426#endif
427
428 // Initialize the ICEntry and ICFallbackStub.
429 uint32_t offset = loc.bytecodeToOffset(script);
430 ICEntry& entryRef = this->icEntry(icEntryIndex);
431 ICFallbackStub* stub = fallbackStub(icEntryIndex);
432 icEntryIndex++;
433 new (&entryRef) ICEntry(stub);
434 new (stub) ICFallbackStub(offset, stubCode);
435 }
436
437 // Assert all ICEntries have been initialized.
438 MOZ_ASSERT(icEntryIndex == numICEntries())do { static_assert( mozilla::detail::AssertionConditionType<
decltype(icEntryIndex == numICEntries())>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(icEntryIndex == numICEntries
()))), 0))) { do { } while (false); MOZ_ReportAssertionFailure
("icEntryIndex == numICEntries()", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 438); AnnotateMozCrashReason("MOZ_ASSERT" "(" "icEntryIndex == numICEntries()"
")"); do { *((volatile int*)__null) = 438; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
439}
440
441bool ICSupportsPolymorphicTypeData(JSOp op) {
442 MOZ_ASSERT(BytecodeOpHasIC(op))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(BytecodeOpHasIC(op))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(BytecodeOpHasIC(op)))), 0)))
{ do { } while (false); MOZ_ReportAssertionFailure("BytecodeOpHasIC(op)"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 442); AnnotateMozCrashReason("MOZ_ASSERT" "(" "BytecodeOpHasIC(op)"
")"); do { *((volatile int*)__null) = 442; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
443 BaselineICFallbackKind kind =
444 BaselineICFallbackKind(FallbackKindTable.lookup(op));
445 switch (kind) {
446 case BaselineICFallbackKind::ToBool:
447 case BaselineICFallbackKind::TypeOf:
448 case BaselineICFallbackKind::TypeOfEq:
449 return true;
450 default:
451 return false;
452 }
453}
454
455bool ICCacheIRStub::makesGCCalls() const { return stubInfo()->makesGCCalls(); }
456
457void ICFallbackStub::trackNotAttached() { state().trackNotAttached(); }
458
459// When we enter a baseline fallback stub, if a Warp compilation
460// exists that transpiled that IC, we notify that compilation. This
461// helps the bailout code tell whether a bailing instruction hoisted
462// by LICM would have been executed anyway.
463static void MaybeNotifyWarp(JSScript* script, ICFallbackStub* stub) {
464 if (stub->state().usedByTranspiler() && script->hasIonScript()) {
465 script->ionScript()->noteBaselineFallback();
466 }
467}
468
469void ICCacheIRStub::trace(JSTracer* trc) {
470 if (hasJitCode()) {
471 JitCode* stubJitCode = jitCode();
472 TraceManuallyBarrieredEdge(trc, &stubJitCode, "baseline-ic-stub-code");
473 }
474
475 TraceCacheIRStub(trc, this, stubInfo());
476}
477
478bool ICCacheIRStub::traceWeak(JSTracer* trc) {
479 return TraceWeakCacheIRStub(trc, this, stubInfo());
480}
481
482static void MaybeTransition(JSContext* cx, BaselineFrame* frame,
483 ICFallbackStub* stub) {
484 if (stub->state().shouldTransition()) {
485 if (!TryFoldingStubs(cx, stub, frame->script(), frame->icScript())) {
486 cx->recoverFromOutOfMemory();
487 }
488 if (stub->state().maybeTransition()) {
489 ICEntry* icEntry = frame->icScript()->icEntryForStub(stub);
490#ifdef JS_CACHEIR_SPEW1
491 if (cx->spewer().enabled(cx, frame->script(),
492 SpewChannel::CacheIRHealthReport)) {
493 CacheIRHealth cih;
494 RootedScript script(cx, frame->script());
495 cih.healthReportForIC(cx, icEntry, stub, script,
496 SpewContext::Transition);
497 }
498#endif
499 stub->discardStubs(cx->zone(), icEntry);
500 }
501 }
502}
503
504// This helper handles ICState updates/transitions while attaching CacheIR
505// stubs.
506template <typename IRGenerator, typename... Args>
507static void TryAttachStub(const char* name, JSContext* cx, BaselineFrame* frame,
508 ICFallbackStub* stub, Args&&... args) {
509 MaybeTransition(cx, frame, stub);
510
511 if (stub->state().canAttachStub()) {
512 RootedScript script(cx, frame->script());
513 ICScript* icScript = frame->icScript();
514 jsbytecode* pc = StubOffsetToPc(stub, script);
515 bool attached = false;
516 IRGenerator gen(cx, script, pc, stub->state(), std::forward<Args>(args)...);
517 switch (gen.tryAttachStub()) {
518 case AttachDecision::Attach: {
519 ICAttachResult result =
520 AttachBaselineCacheIRStub(cx, gen.writerRef(), gen.cacheKind(),
521 script, icScript, stub, gen.stubName());
522 if (result == ICAttachResult::Attached) {
523 attached = true;
524 JitSpew(JitSpew_BaselineIC, " Attached %s CacheIR stub", name);
525 }
526 } break;
527 case AttachDecision::NoAction:
528 break;
529 case AttachDecision::TemporarilyUnoptimizable:
530 case AttachDecision::Deferred:
531 MOZ_ASSERT_UNREACHABLE("Not expected in generic TryAttachStub")do { static_assert( mozilla::detail::AssertionConditionType<
decltype(false)>::isValid, "invalid assertion condition");
if ((__builtin_expect(!!(!(!!(false))), 0))) { do { } while (
false); MOZ_ReportAssertionFailure("false" " (" "MOZ_ASSERT_UNREACHABLE: "
"Not expected in generic TryAttachStub" ")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 531); AnnotateMozCrashReason("MOZ_ASSERT" "(" "false" ") ("
"MOZ_ASSERT_UNREACHABLE: " "Not expected in generic TryAttachStub"
")"); do { *((volatile int*)__null) = 531; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
532 break;
533 }
534 if (!attached) {
535 stub->trackNotAttached();
536 }
537 }
538}
539
540void ICFallbackStub::unlinkStub(Zone* zone, ICEntry* icEntry,
541 ICCacheIRStub* prev, ICCacheIRStub* stub) {
542 // We are removing edges from ICStub to gcthings. Perform a barrier to let the
543 // GC know about those edges.
544 PreWriteBarrier(zone, stub);
545
546 unlinkStubUnbarriered(icEntry, prev, stub);
547}
548
549void ICFallbackStub::unlinkStubUnbarriered(ICEntry* icEntry,
550 ICCacheIRStub* prev,
551 ICCacheIRStub* stub) {
552 if (prev) {
553 MOZ_ASSERT(prev->next() == stub)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(prev->next() == stub)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(prev->next() == stub))), 0
))) { do { } while (false); MOZ_ReportAssertionFailure("prev->next() == stub"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 553); AnnotateMozCrashReason("MOZ_ASSERT" "(" "prev->next() == stub"
")"); do { *((volatile int*)__null) = 553; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
554 prev->setNext(stub->next());
555 } else {
556 MOZ_ASSERT(icEntry->firstStub() == stub)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(icEntry->firstStub() == stub)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(icEntry->firstStub() == stub
))), 0))) { do { } while (false); MOZ_ReportAssertionFailure(
"icEntry->firstStub() == stub", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 556); AnnotateMozCrashReason("MOZ_ASSERT" "(" "icEntry->firstStub() == stub"
")"); do { *((volatile int*)__null) = 556; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
557 icEntry->setFirstStub(stub->next());
558 }
559
560 state_.trackUnlinkedStub();
561
562#ifdef DEBUG1
563 // Poison stub code to ensure we don't call this stub again. However, if
564 // this stub can make calls, a pointer to it may be stored in a stub frame
565 // on the stack, so we can't touch the stubCode_ or GC will crash when
566 // tracing this pointer.
567 if (!stub->makesGCCalls()) {
568 stub->stubCode_ = (uint8_t*)0xbad;
569 }
570#endif
571}
572
573void ICFallbackStub::discardStubs(Zone* zone, ICEntry* icEntry) {
574 ICStub* stub = icEntry->firstStub();
575 while (stub != this) {
576 unlinkStub(zone, icEntry, /* prev = */ nullptr, stub->toCacheIRStub());
577 stub = stub->toCacheIRStub()->next();
578 }
579 clearMayHaveFoldedStub();
580}
581
582static void InitMacroAssemblerForICStub(StackMacroAssembler& masm) {
583#ifndef JS_USE_LINK_REGISTER
584 // The first value contains the return addres,
585 // which we pull into ICTailCallReg for tail calls.
586 masm.adjustFrame(sizeof(intptr_t));
587#endif
588#ifdef JS_CODEGEN_ARM
589 masm.setSecondScratchReg(BaselineSecondScratchReg);
590#endif
591}
592
593bool FallbackICCodeCompiler::tailCallVMInternal(MacroAssembler& masm,
594 VMFunctionId id) {
595 TrampolinePtr code = cx->runtime()->jitRuntime()->getVMWrapper(id);
596 const VMFunctionData& fun = GetVMFunction(id);
597 uint32_t argSize = fun.explicitStackSlots() * sizeof(void*);
598 EmitBaselineTailCallVM(code, masm, argSize);
599 return true;
600}
601
602bool FallbackICCodeCompiler::callVMInternal(MacroAssembler& masm,
603 VMFunctionId id) {
604 MOZ_ASSERT(inStubFrame_)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(inStubFrame_)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(inStubFrame_))), 0))) { do {
} while (false); MOZ_ReportAssertionFailure("inStubFrame_", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 604); AnnotateMozCrashReason("MOZ_ASSERT" "(" "inStubFrame_"
")"); do { *((volatile int*)__null) = 604; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
605
606 TrampolinePtr code = cx->runtime()->jitRuntime()->getVMWrapper(id);
607
608 EmitBaselineCallVM(code, masm);
609 return true;
610}
611
612template <typename Fn, Fn fn>
613bool FallbackICCodeCompiler::callVM(MacroAssembler& masm) {
614 VMFunctionId id = VMFunctionToId<Fn, fn>::id;
615 return callVMInternal(masm, id);
616}
617
618template <typename Fn, Fn fn>
619bool FallbackICCodeCompiler::tailCallVM(MacroAssembler& masm) {
620 VMFunctionId id = VMFunctionToId<Fn, fn>::id;
621 return tailCallVMInternal(masm, id);
622}
623
624void FallbackICCodeCompiler::enterStubFrame(MacroAssembler& masm,
625 Register scratch) {
626 EmitBaselineEnterStubFrame(masm, scratch);
627#ifdef DEBUG1
628 framePushedAtEnterStubFrame_ = masm.framePushed();
629#endif
630
631 MOZ_ASSERT(!inStubFrame_)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!inStubFrame_)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!inStubFrame_))), 0))) { do {
} while (false); MOZ_ReportAssertionFailure("!inStubFrame_",
"/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 631); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!inStubFrame_"
")"); do { *((volatile int*)__null) = 631; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
632 inStubFrame_ = true;
633
634#ifdef DEBUG1
635 entersStubFrame_ = true;
636#endif
637}
638
639void FallbackICCodeCompiler::assumeStubFrame() {
640 MOZ_ASSERT(!inStubFrame_)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!inStubFrame_)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!inStubFrame_))), 0))) { do {
} while (false); MOZ_ReportAssertionFailure("!inStubFrame_",
"/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 640); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!inStubFrame_"
")"); do { *((volatile int*)__null) = 640; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
641 inStubFrame_ = true;
642
643#ifdef DEBUG1
644 entersStubFrame_ = true;
645
646 // |framePushed| isn't tracked precisely in ICStubs, so simply assume it to
647 // be the stub frame layout and the pushed ICStub* so that assertions don't
648 // fail in leaveStubFrame
649 framePushedAtEnterStubFrame_ =
650 BaselineStubFrameLayout::Size() + sizeof(ICStub*);
651#endif
652}
653
654void FallbackICCodeCompiler::leaveStubFrame(MacroAssembler& masm) {
655 MOZ_ASSERT(entersStubFrame_ && inStubFrame_)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(entersStubFrame_ && inStubFrame_)>::isValid
, "invalid assertion condition"); if ((__builtin_expect(!!(!(
!!(entersStubFrame_ && inStubFrame_))), 0))) { do { }
while (false); MOZ_ReportAssertionFailure("entersStubFrame_ && inStubFrame_"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 655); AnnotateMozCrashReason("MOZ_ASSERT" "(" "entersStubFrame_ && inStubFrame_"
")"); do { *((volatile int*)__null) = 655; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
656 inStubFrame_ = false;
657
658#ifdef DEBUG1
659 masm.setFramePushed(framePushedAtEnterStubFrame_);
660#endif
661 EmitBaselineLeaveStubFrame(masm);
662}
663
664void FallbackICCodeCompiler::pushStubPayload(MacroAssembler& masm,
665 Register scratch) {
666 if (inStubFrame_) {
667 masm.loadPtr(Address(FramePointer, 0), scratch);
668 masm.pushBaselineFramePtr(scratch, scratch);
669 } else {
670 masm.pushBaselineFramePtr(FramePointer, scratch);
671 }
672}
673
674void FallbackICCodeCompiler::PushStubPayload(MacroAssembler& masm,
675 Register scratch) {
676 pushStubPayload(masm, scratch);
677 masm.adjustFrame(sizeof(intptr_t));
678}
679
680//
681// ToBool_Fallback
682//
683
684bool DoToBoolFallback(JSContext* cx, BaselineFrame* frame, ICFallbackStub* stub,
685 HandleValue arg, MutableHandleValue ret) {
686 stub->incrementEnteredCount();
687 MaybeNotifyWarp(frame->outerScript(), stub);
688 FallbackICSpew(cx, stub, "ToBool");
689
690 TryAttachStub<ToBoolIRGenerator>("ToBool", cx, frame, stub, arg);
691
692 bool cond = ToBoolean(arg);
693 ret.setBoolean(cond);
694
695 return true;
696}
697
698bool FallbackICCodeCompiler::emit_ToBool() {
699 static_assert(R0 == JSReturnOperand);
700
701 // Restore the tail call register.
702 EmitRestoreTailCallReg(masm);
703
704 // Push arguments.
705 masm.pushValue(R0);
706 masm.push(ICStubReg);
707 pushStubPayload(masm, R0.scratchReg());
708
709 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
710 MutableHandleValue);
711 return tailCallVM<Fn, DoToBoolFallback>(masm);
712}
713
714//
715// GetElem_Fallback
716//
717
718bool DoGetElemFallback(JSContext* cx, BaselineFrame* frame,
719 ICFallbackStub* stub, HandleValue lhs, HandleValue rhs,
720 MutableHandleValue res) {
721 stub->incrementEnteredCount();
722 MaybeNotifyWarp(frame->outerScript(), stub);
723 FallbackICSpew(cx, stub, "GetElem");
724
725#ifdef DEBUG1
726 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
727 MOZ_ASSERT(JSOp(*pc) == JSOp::GetElem)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(JSOp(*pc) == JSOp::GetElem)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(JSOp(*pc) == JSOp::GetElem))
), 0))) { do { } while (false); MOZ_ReportAssertionFailure("JSOp(*pc) == JSOp::GetElem"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 727); AnnotateMozCrashReason("MOZ_ASSERT" "(" "JSOp(*pc) == JSOp::GetElem"
")"); do { *((volatile int*)__null) = 727; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
728#endif
729
730 TryAttachStub<GetPropIRGenerator>("GetElem", cx, frame, stub,
731 CacheKind::GetElem, lhs, rhs);
732
733 if (!GetElementOperation(cx, lhs, rhs, res)) {
734 return false;
735 }
736
737 return true;
738}
739
740bool DoGetElemSuperFallback(JSContext* cx, BaselineFrame* frame,
741 ICFallbackStub* stub, HandleValue lhs,
742 HandleValue rhs, HandleValue receiver,
743 MutableHandleValue res) {
744 stub->incrementEnteredCount();
745 MaybeNotifyWarp(frame->outerScript(), stub);
746
747 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
748
749 JSOp op = JSOp(*pc);
750 FallbackICSpew(cx, stub, "GetElemSuper(%s)", CodeName(op));
751
752 MOZ_ASSERT(op == JSOp::GetElemSuper)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::GetElemSuper)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::GetElemSuper))),
0))) { do { } while (false); MOZ_ReportAssertionFailure("op == JSOp::GetElemSuper"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 752); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::GetElemSuper"
")"); do { *((volatile int*)__null) = 752; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
753
754 // |lhs| is [[HomeObject]].[[Prototype]] which must be an Object or null.
755 MOZ_ASSERT(lhs.isObjectOrNull())do { static_assert( mozilla::detail::AssertionConditionType<
decltype(lhs.isObjectOrNull())>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(lhs.isObjectOrNull()))), 0))
) { do { } while (false); MOZ_ReportAssertionFailure("lhs.isObjectOrNull()"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 755); AnnotateMozCrashReason("MOZ_ASSERT" "(" "lhs.isObjectOrNull()"
")"); do { *((volatile int*)__null) = 755; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
756
757 int lhsIndex = -1;
758 RootedObject lhsObj(
759 cx, ToObjectFromStackForPropertyAccess(cx, lhs, lhsIndex, rhs));
760 if (!lhsObj) {
761 return false;
762 }
763
764 TryAttachStub<GetPropIRGenerator>("GetElemSuper", cx, frame, stub,
765 CacheKind::GetElemSuper, lhs, rhs);
766
767 return GetObjectElementOperation(cx, op, lhsObj, receiver, rhs, res);
768}
769
770bool FallbackICCodeCompiler::emitGetElem(bool hasReceiver) {
771 static_assert(R0 == JSReturnOperand);
772
773 // Restore the tail call register.
774 EmitRestoreTailCallReg(masm);
775
776 // Super property getters use a |this| that differs from base object
777 if (hasReceiver) {
778 // State: receiver in R0, index in R1, obj on the stack
779
780 // Ensure stack is fully synced for the expression decompiler.
781 // We need: receiver, index, obj
782 masm.pushValue(R0);
783 masm.pushValue(R1);
784 masm.pushValue(Address(masm.getStackPointer(), sizeof(Value) * 2));
785
786 // Push arguments.
787 masm.pushValue(R0); // Receiver
788 masm.pushValue(R1); // Index
789 masm.pushValue(Address(masm.getStackPointer(), sizeof(Value) * 5)); // Obj
790 masm.push(ICStubReg);
791 masm.pushBaselineFramePtr(FramePointer, R0.scratchReg());
792
793 using Fn =
794 bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
795 HandleValue, HandleValue, MutableHandleValue);
796 if (!tailCallVM<Fn, DoGetElemSuperFallback>(masm)) {
797 return false;
798 }
799 } else {
800 // Ensure stack is fully synced for the expression decompiler.
801 masm.pushValue(R0);
802 masm.pushValue(R1);
803
804 // Push arguments.
805 masm.pushValue(R1);
806 masm.pushValue(R0);
807 masm.push(ICStubReg);
808 masm.pushBaselineFramePtr(FramePointer, R0.scratchReg());
809
810 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*,
811 HandleValue, HandleValue, MutableHandleValue);
812 if (!tailCallVM<Fn, DoGetElemFallback>(masm)) {
813 return false;
814 }
815 }
816
817 // This is the resume point used when bailout rewrites call stack to undo
818 // Ion inlined frames. The return address pushed onto reconstructed stack
819 // will point here.
820 assumeStubFrame();
821 if (hasReceiver) {
822 code.initBailoutReturnOffset(BailoutReturnKind::GetElemSuper,
823 masm.currentOffset());
824 } else {
825 code.initBailoutReturnOffset(BailoutReturnKind::GetElem,
826 masm.currentOffset());
827 }
828
829 leaveStubFrame(masm);
830
831 EmitReturnFromIC(masm);
832 return true;
833}
834
835bool FallbackICCodeCompiler::emit_GetElem() {
836 return emitGetElem(/* hasReceiver = */ false);
837}
838
839bool FallbackICCodeCompiler::emit_GetElemSuper() {
840 return emitGetElem(/* hasReceiver = */ true);
841}
842
843bool DoSetElemFallback(JSContext* cx, BaselineFrame* frame,
844 ICFallbackStub* stub, Value* stack, HandleValue objv,
845 HandleValue index, HandleValue rhs) {
846 using DeferType = SetPropIRGenerator::DeferType;
847
848 stub->incrementEnteredCount();
849 MaybeNotifyWarp(frame->outerScript(), stub);
850
851 RootedScript script(cx, frame->script());
852 RootedScript outerScript(cx, script);
853 jsbytecode* pc = StubOffsetToPc(stub, script);
854 JSOp op = JSOp(*pc);
855 FallbackICSpew(cx, stub, "SetElem(%s)", CodeName(JSOp(*pc)));
856
857 MOZ_ASSERT(op == JSOp::SetElem || op == JSOp::StrictSetElem ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::SetElem || op == JSOp::StrictSetElem || op
== JSOp::InitElem || op == JSOp::InitHiddenElem || op == JSOp
::InitLockedElem || op == JSOp::InitElemInc)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::SetElem || op ==
JSOp::StrictSetElem || op == JSOp::InitElem || op == JSOp::InitHiddenElem
|| op == JSOp::InitLockedElem || op == JSOp::InitElemInc))),
0))) { do { } while (false); MOZ_ReportAssertionFailure("op == JSOp::SetElem || op == JSOp::StrictSetElem || op == JSOp::InitElem || op == JSOp::InitHiddenElem || op == JSOp::InitLockedElem || op == JSOp::InitElemInc"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 859); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::SetElem || op == JSOp::StrictSetElem || op == JSOp::InitElem || op == JSOp::InitHiddenElem || op == JSOp::InitLockedElem || op == JSOp::InitElemInc"
")"); do { *((volatile int*)__null) = 859; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
858 op == JSOp::InitElem || op == JSOp::InitHiddenElem ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::SetElem || op == JSOp::StrictSetElem || op
== JSOp::InitElem || op == JSOp::InitHiddenElem || op == JSOp
::InitLockedElem || op == JSOp::InitElemInc)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::SetElem || op ==
JSOp::StrictSetElem || op == JSOp::InitElem || op == JSOp::InitHiddenElem
|| op == JSOp::InitLockedElem || op == JSOp::InitElemInc))),
0))) { do { } while (false); MOZ_ReportAssertionFailure("op == JSOp::SetElem || op == JSOp::StrictSetElem || op == JSOp::InitElem || op == JSOp::InitHiddenElem || op == JSOp::InitLockedElem || op == JSOp::InitElemInc"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 859); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::SetElem || op == JSOp::StrictSetElem || op == JSOp::InitElem || op == JSOp::InitHiddenElem || op == JSOp::InitLockedElem || op == JSOp::InitElemInc"
")"); do { *((volatile int*)__null) = 859; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
859 op == JSOp::InitLockedElem || op == JSOp::InitElemInc)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::SetElem || op == JSOp::StrictSetElem || op
== JSOp::InitElem || op == JSOp::InitHiddenElem || op == JSOp
::InitLockedElem || op == JSOp::InitElemInc)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::SetElem || op ==
JSOp::StrictSetElem || op == JSOp::InitElem || op == JSOp::InitHiddenElem
|| op == JSOp::InitLockedElem || op == JSOp::InitElemInc))),
0))) { do { } while (false); MOZ_ReportAssertionFailure("op == JSOp::SetElem || op == JSOp::StrictSetElem || op == JSOp::InitElem || op == JSOp::InitHiddenElem || op == JSOp::InitLockedElem || op == JSOp::InitElemInc"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 859); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::SetElem || op == JSOp::StrictSetElem || op == JSOp::InitElem || op == JSOp::InitHiddenElem || op == JSOp::InitLockedElem || op == JSOp::InitElemInc"
")"); do { *((volatile int*)__null) = 859; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
860
861 int objvIndex = -3;
862 RootedObject obj(
863 cx, ToObjectFromStackForPropertyAccess(cx, objv, objvIndex, index));
864 if (!obj) {
865 return false;
866 }
867
868 Rooted<Shape*> oldShape(cx, obj->shape());
869
870 DeferType deferType = DeferType::None;
871 bool attached = false;
872
873 MaybeTransition(cx, frame, stub);
874
875 if (stub->state().canAttachStub()) {
876 ICScript* icScript = frame->icScript();
877 SetPropIRGenerator gen(cx, script, pc, CacheKind::SetElem, stub->state(),
878 objv, index, rhs);
879 switch (gen.tryAttachStub()) {
880 case AttachDecision::Attach: {
881 ICAttachResult result = AttachBaselineCacheIRStub(
882 cx, gen.writerRef(), gen.cacheKind(), frame->script(), icScript,
883 stub, gen.stubName());
884 if (result == ICAttachResult::Attached) {
885 attached = true;
886 JitSpew(JitSpew_BaselineIC, " Attached SetElem CacheIR stub");
887 }
888 } break;
889 case AttachDecision::NoAction:
890 break;
891 case AttachDecision::TemporarilyUnoptimizable:
892 attached = true;
893 break;
894 case AttachDecision::Deferred:
895 deferType = gen.deferType();
896 MOZ_ASSERT(deferType != DeferType::None)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(deferType != DeferType::None)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(deferType != DeferType::None
))), 0))) { do { } while (false); MOZ_ReportAssertionFailure(
"deferType != DeferType::None", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 896); AnnotateMozCrashReason("MOZ_ASSERT" "(" "deferType != DeferType::None"
")"); do { *((volatile int*)__null) = 896; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
897 break;
898 }
899 if (deferType == DeferType::None && !attached) {
900 stub->trackNotAttached();
901 }
902 }
903
904 if (op == JSOp::InitElem || op == JSOp::InitHiddenElem ||
905 op == JSOp::InitLockedElem) {
906 if (!InitElemOperation(cx, pc, obj, index, rhs)) {
907 return false;
908 }
909 } else if (op == JSOp::InitElemInc) {
910 if (!InitElemIncOperation(cx, obj.as<ArrayObject>(), index.toInt32(),
911 rhs)) {
912 return false;
913 }
914 } else {
915 if (!SetObjectElementWithReceiver(cx, obj, index, rhs, objv,
916 JSOp(*pc) == JSOp::StrictSetElem)) {
917 return false;
918 }
919 }
920
921 if (stack) {
922 // Overwrite the object on the stack (pushed for the decompiler) with the
923 // rhs.
924 MOZ_ASSERT(stack[2] == objv)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(stack[2] == objv)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(stack[2] == objv))), 0))) { do
{ } while (false); MOZ_ReportAssertionFailure("stack[2] == objv"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 924); AnnotateMozCrashReason("MOZ_ASSERT" "(" "stack[2] == objv"
")"); do { *((volatile int*)__null) = 924; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
925 stack[2] = rhs;
926 }
927
928 if (attached) {
929 return true;
930 }
931
932 // The SetObjectElement call might have entered this IC recursively, so try
933 // to transition.
934 MaybeTransition(cx, frame, stub);
935
936 bool canAttachStub = stub->state().canAttachStub();
937
938 if (deferType != DeferType::None && canAttachStub) {
939 SetPropIRGenerator gen(cx, script, pc, CacheKind::SetElem, stub->state(),
940 objv, index, rhs);
941
942 MOZ_ASSERT(deferType == DeferType::AddSlot)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(deferType == DeferType::AddSlot)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(deferType == DeferType::AddSlot
))), 0))) { do { } while (false); MOZ_ReportAssertionFailure(
"deferType == DeferType::AddSlot", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 942); AnnotateMozCrashReason("MOZ_ASSERT" "(" "deferType == DeferType::AddSlot"
")"); do { *((volatile int*)__null) = 942; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
943 AttachDecision decision = gen.tryAttachAddSlotStub(oldShape);
944
945 switch (decision) {
946 case AttachDecision::Attach: {
947 ICScript* icScript = frame->icScript();
948 ICAttachResult result = AttachBaselineCacheIRStub(
949 cx, gen.writerRef(), gen.cacheKind(), frame->script(), icScript,
950 stub, gen.stubName());
951 if (result == ICAttachResult::Attached) {
952 attached = true;
953 JitSpew(JitSpew_BaselineIC, " Attached SetElem CacheIR stub");
954 }
955 } break;
956 case AttachDecision::NoAction:
957 gen.trackAttached(IRGenerator::NotAttached);
958 break;
959 case AttachDecision::TemporarilyUnoptimizable:
960 case AttachDecision::Deferred:
961 MOZ_ASSERT_UNREACHABLE("Invalid attach result")do { static_assert( mozilla::detail::AssertionConditionType<
decltype(false)>::isValid, "invalid assertion condition");
if ((__builtin_expect(!!(!(!!(false))), 0))) { do { } while (
false); MOZ_ReportAssertionFailure("false" " (" "MOZ_ASSERT_UNREACHABLE: "
"Invalid attach result" ")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 961); AnnotateMozCrashReason("MOZ_ASSERT" "(" "false" ") ("
"MOZ_ASSERT_UNREACHABLE: " "Invalid attach result" ")"); do {
*((volatile int*)__null) = 961; __attribute__((nomerge)) ::abort
(); } while (false); } } while (false);
962 break;
963 }
964 if (!attached) {
965 stub->trackNotAttached();
966 }
967 }
968
969 return true;
970}
971
972bool FallbackICCodeCompiler::emit_SetElem() {
973 static_assert(R0 == JSReturnOperand);
974
975 EmitRestoreTailCallReg(masm);
976
977 // State: R0: object, R1: index, stack: rhs.
978 // For the decompiler, the stack has to be: object, index, rhs,
979 // so we push the index, then overwrite the rhs Value with R0
980 // and push the rhs value.
981 masm.pushValue(R1);
982 masm.loadValue(Address(masm.getStackPointer(), sizeof(Value)), R1);
983 masm.storeValue(R0, Address(masm.getStackPointer(), sizeof(Value)));
984 masm.pushValue(R1);
985
986 // Push arguments.
987 masm.pushValue(R1); // RHS
988
989 // Push index. On x86 and ARM two push instructions are emitted so use a
990 // separate register to store the old stack pointer.
991 masm.moveStackPtrTo(R1.scratchReg());
992 masm.pushValue(Address(R1.scratchReg(), 2 * sizeof(Value)));
993 masm.pushValue(R0); // Object.
994
995 // Push pointer to stack values, so that the stub can overwrite the object
996 // (pushed for the decompiler) with the rhs.
997 masm.computeEffectiveAddress(
998 Address(masm.getStackPointer(), 3 * sizeof(Value)), R0.scratchReg());
999 masm.push(R0.scratchReg());
1000
1001 masm.push(ICStubReg);
1002 pushStubPayload(masm, R0.scratchReg());
1003
1004 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, Value*,
1005 HandleValue, HandleValue, HandleValue);
1006 return tailCallVM<Fn, DoSetElemFallback>(masm);
1007}
1008
1009//
1010// In_Fallback
1011//
1012
1013bool DoInFallback(JSContext* cx, BaselineFrame* frame, ICFallbackStub* stub,
1014 HandleValue key, HandleValue objValue,
1015 MutableHandleValue res) {
1016 stub->incrementEnteredCount();
1017 MaybeNotifyWarp(frame->outerScript(), stub);
1018 FallbackICSpew(cx, stub, "In");
1019
1020 if (!objValue.isObject()) {
1021 ReportInNotObjectError(cx, key, objValue);
1022 return false;
1023 }
1024
1025 TryAttachStub<HasPropIRGenerator>("In", cx, frame, stub, CacheKind::In, key,
1026 objValue);
1027
1028 RootedObject obj(cx, &objValue.toObject());
1029 bool cond = false;
1030 if (!OperatorIn(cx, key, obj, &cond)) {
1031 return false;
1032 }
1033 res.setBoolean(cond);
1034
1035 return true;
1036}
1037
1038bool FallbackICCodeCompiler::emit_In() {
1039 EmitRestoreTailCallReg(masm);
1040
1041 // Sync for the decompiler.
1042 masm.pushValue(R0);
1043 masm.pushValue(R1);
1044
1045 // Push arguments.
1046 masm.pushValue(R1);
1047 masm.pushValue(R0);
1048 masm.push(ICStubReg);
1049 pushStubPayload(masm, R0.scratchReg());
1050
1051 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
1052 HandleValue, MutableHandleValue);
1053 return tailCallVM<Fn, DoInFallback>(masm);
1054}
1055
1056//
1057// HasOwn_Fallback
1058//
1059
1060bool DoHasOwnFallback(JSContext* cx, BaselineFrame* frame, ICFallbackStub* stub,
1061 HandleValue keyValue, HandleValue objValue,
1062 MutableHandleValue res) {
1063 stub->incrementEnteredCount();
1064 MaybeNotifyWarp(frame->outerScript(), stub);
1065 FallbackICSpew(cx, stub, "HasOwn");
1066
1067 TryAttachStub<HasPropIRGenerator>("HasOwn", cx, frame, stub,
1068 CacheKind::HasOwn, keyValue, objValue);
1069
1070 bool found;
1071 if (!HasOwnProperty(cx, objValue, keyValue, &found)) {
1072 return false;
1073 }
1074
1075 res.setBoolean(found);
1076 return true;
1077}
1078
1079bool FallbackICCodeCompiler::emit_HasOwn() {
1080 EmitRestoreTailCallReg(masm);
1081
1082 // Sync for the decompiler.
1083 masm.pushValue(R0);
1084 masm.pushValue(R1);
1085
1086 // Push arguments.
1087 masm.pushValue(R1);
1088 masm.pushValue(R0);
1089 masm.push(ICStubReg);
1090 pushStubPayload(masm, R0.scratchReg());
1091
1092 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
1093 HandleValue, MutableHandleValue);
1094 return tailCallVM<Fn, DoHasOwnFallback>(masm);
1095}
1096
1097//
1098// CheckPrivate_Fallback
1099//
1100
1101bool DoCheckPrivateFieldFallback(JSContext* cx, BaselineFrame* frame,
1102 ICFallbackStub* stub, HandleValue objValue,
1103 HandleValue keyValue, MutableHandleValue res) {
1104 stub->incrementEnteredCount();
1105 MaybeNotifyWarp(frame->outerScript(), stub);
1106
1107 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
1108
1109 FallbackICSpew(cx, stub, "CheckPrivateField");
1110
1111 MOZ_ASSERT(keyValue.isSymbol() && keyValue.toSymbol()->isPrivateName())do { static_assert( mozilla::detail::AssertionConditionType<
decltype(keyValue.isSymbol() && keyValue.toSymbol()->
isPrivateName())>::isValid, "invalid assertion condition")
; if ((__builtin_expect(!!(!(!!(keyValue.isSymbol() &&
keyValue.toSymbol()->isPrivateName()))), 0))) { do { } while
(false); MOZ_ReportAssertionFailure("keyValue.isSymbol() && keyValue.toSymbol()->isPrivateName()"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1111); AnnotateMozCrashReason("MOZ_ASSERT" "(" "keyValue.isSymbol() && keyValue.toSymbol()->isPrivateName()"
")"); do { *((volatile int*)__null) = 1111; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1112
1113 TryAttachStub<CheckPrivateFieldIRGenerator>("CheckPrivate", cx, frame, stub,
1114 CacheKind::CheckPrivateField,
1115 keyValue, objValue);
1116
1117 bool result;
1118 if (!CheckPrivateFieldOperation(cx, pc, objValue, keyValue, &result)) {
1119 return false;
1120 }
1121
1122 res.setBoolean(result);
1123 return true;
1124}
1125
1126bool FallbackICCodeCompiler::emit_CheckPrivateField() {
1127 EmitRestoreTailCallReg(masm);
1128
1129 // Sync for the decompiler.
1130 masm.pushValue(R0);
1131 masm.pushValue(R1);
1132
1133 // Push arguments.
1134 masm.pushValue(R1);
1135 masm.pushValue(R0);
1136 masm.push(ICStubReg);
1137 pushStubPayload(masm, R0.scratchReg());
1138
1139 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
1140 HandleValue, MutableHandleValue);
1141 return tailCallVM<Fn, DoCheckPrivateFieldFallback>(masm);
1142}
1143
1144//
1145// GetName_Fallback
1146//
1147
1148bool DoGetNameFallback(JSContext* cx, BaselineFrame* frame,
1149 ICFallbackStub* stub, HandleObject envChain,
1150 MutableHandleValue res) {
1151 stub->incrementEnteredCount();
1152 MaybeNotifyWarp(frame->outerScript(), stub);
1153
1154 RootedScript script(cx, frame->script());
1155 jsbytecode* pc = StubOffsetToPc(stub, script);
1156 mozilla::DebugOnly<JSOp> op = JSOp(*pc);
1157 FallbackICSpew(cx, stub, "GetName(%s)", CodeName(JSOp(*pc)));
1158
1159 MOZ_ASSERT(op == JSOp::GetName || op == JSOp::GetGName)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::GetName || op == JSOp::GetGName)>::isValid
, "invalid assertion condition"); if ((__builtin_expect(!!(!(
!!(op == JSOp::GetName || op == JSOp::GetGName))), 0))) { do {
} while (false); MOZ_ReportAssertionFailure("op == JSOp::GetName || op == JSOp::GetGName"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1159); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::GetName || op == JSOp::GetGName"
")"); do { *((volatile int*)__null) = 1159; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1160
1161 Rooted<PropertyName*> name(cx, script->getName(pc));
1162
1163 TryAttachStub<GetNameIRGenerator>("GetName", cx, frame, stub, envChain, name);
1164
1165 static_assert(JSOpLength_GetGName == JSOpLength_GetName,
1166 "Otherwise our check for JSOp::Typeof isn't ok");
1167 if (IsTypeOfNameOp(JSOp(pc[JSOpLength_GetGName]))) {
1168 if (!GetEnvironmentName<GetNameMode::TypeOf>(cx, envChain, name, res)) {
1169 return false;
1170 }
1171 } else {
1172 if (!GetEnvironmentName<GetNameMode::Normal>(cx, envChain, name, res)) {
1173 return false;
1174 }
1175 }
1176
1177 return true;
1178}
1179
1180bool FallbackICCodeCompiler::emit_GetName() {
1181 static_assert(R0 == JSReturnOperand);
1182
1183 EmitRestoreTailCallReg(masm);
1184
1185 masm.push(R0.scratchReg());
1186 masm.push(ICStubReg);
1187 pushStubPayload(masm, R0.scratchReg());
1188
1189 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleObject,
1190 MutableHandleValue);
1191 return tailCallVM<Fn, DoGetNameFallback>(masm);
1192}
1193
1194//
1195// BindName_Fallback
1196//
1197
1198bool DoBindNameFallback(JSContext* cx, BaselineFrame* frame,
1199 ICFallbackStub* stub, HandleObject envChain,
1200 MutableHandleValue res) {
1201 stub->incrementEnteredCount();
1202 MaybeNotifyWarp(frame->outerScript(), stub);
1203
1204 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
1205 JSOp op = JSOp(*pc);
1206 FallbackICSpew(cx, stub, "BindName(%s)", CodeName(JSOp(*pc)));
1207
1208 MOZ_ASSERT(op == JSOp::BindName || op == JSOp::BindUnqualifiedName ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::BindName || op == JSOp::BindUnqualifiedName
|| op == JSOp::BindUnqualifiedGName)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::BindName || op ==
JSOp::BindUnqualifiedName || op == JSOp::BindUnqualifiedGName
))), 0))) { do { } while (false); MOZ_ReportAssertionFailure(
"op == JSOp::BindName || op == JSOp::BindUnqualifiedName || op == JSOp::BindUnqualifiedGName"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1209); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::BindName || op == JSOp::BindUnqualifiedName || op == JSOp::BindUnqualifiedGName"
")"); do { *((volatile int*)__null) = 1209; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
1209 op == JSOp::BindUnqualifiedGName)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::BindName || op == JSOp::BindUnqualifiedName
|| op == JSOp::BindUnqualifiedGName)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::BindName || op ==
JSOp::BindUnqualifiedName || op == JSOp::BindUnqualifiedGName
))), 0))) { do { } while (false); MOZ_ReportAssertionFailure(
"op == JSOp::BindName || op == JSOp::BindUnqualifiedName || op == JSOp::BindUnqualifiedGName"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1209); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::BindName || op == JSOp::BindUnqualifiedName || op == JSOp::BindUnqualifiedGName"
")"); do { *((volatile int*)__null) = 1209; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1210
1211 Rooted<PropertyName*> name(cx, frame->script()->getName(pc));
1212
1213 TryAttachStub<BindNameIRGenerator>("BindName", cx, frame, stub, envChain,
1214 name);
1215
1216 JSObject* env;
1217 if (op == JSOp::BindName) {
1218 env = LookupNameWithGlobalDefault(cx, name, envChain);
1219 } else {
1220 env = LookupNameUnqualified(cx, name, envChain);
1221 }
1222 if (!env) {
1223 return false;
1224 }
1225
1226 res.setObject(*env);
1227 return true;
1228}
1229
1230bool FallbackICCodeCompiler::emit_BindName() {
1231 static_assert(R0 == JSReturnOperand);
1232
1233 EmitRestoreTailCallReg(masm);
1234
1235 masm.push(R0.scratchReg());
1236 masm.push(ICStubReg);
1237 pushStubPayload(masm, R0.scratchReg());
1238
1239 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleObject,
1240 MutableHandleValue);
1241 return tailCallVM<Fn, DoBindNameFallback>(masm);
1242}
1243
1244//
1245// LazyConstant_Fallback
1246//
1247
1248bool DoLazyConstantFallback(JSContext* cx, BaselineFrame* frame,
1249 ICFallbackStub* stub, MutableHandleValue res) {
1250 stub->incrementEnteredCount();
1251 MaybeNotifyWarp(frame->outerScript(), stub);
1252
1253 RootedScript script(cx, frame->script());
1254 jsbytecode* pc = StubOffsetToPc(stub, script);
1255 JSOp op = JSOp(*pc);
1256 FallbackICSpew(cx, stub, "LazyConstant(%s)", CodeName(JSOp(*pc)));
1257
1258 MOZ_ASSERT(op == JSOp::GetIntrinsic || op == JSOp::BuiltinObject ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::GetIntrinsic || op == JSOp::BuiltinObject
|| op == JSOp::ImportMeta)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::GetIntrinsic || op
== JSOp::BuiltinObject || op == JSOp::ImportMeta))), 0))) { do
{ } while (false); MOZ_ReportAssertionFailure("op == JSOp::GetIntrinsic || op == JSOp::BuiltinObject || op == JSOp::ImportMeta"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1259); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::GetIntrinsic || op == JSOp::BuiltinObject || op == JSOp::ImportMeta"
")"); do { *((volatile int*)__null) = 1259; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
1259 op == JSOp::ImportMeta)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::GetIntrinsic || op == JSOp::BuiltinObject
|| op == JSOp::ImportMeta)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::GetIntrinsic || op
== JSOp::BuiltinObject || op == JSOp::ImportMeta))), 0))) { do
{ } while (false); MOZ_ReportAssertionFailure("op == JSOp::GetIntrinsic || op == JSOp::BuiltinObject || op == JSOp::ImportMeta"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1259); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::GetIntrinsic || op == JSOp::BuiltinObject || op == JSOp::ImportMeta"
")"); do { *((volatile int*)__null) = 1259; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1260
1261 if (op == JSOp::GetIntrinsic) {
1262 if (!GetIntrinsicOperation(cx, script, pc, res)) {
1263 return false;
1264 }
1265 } else if (op == JSOp::BuiltinObject) {
1266 auto kind = BuiltinObjectKind(GET_UINT8(pc));
1267 JSObject* builtinObject = BuiltinObjectOperation(cx, kind);
1268 if (!builtinObject) {
1269 return false;
1270 }
1271 res.setObject(*builtinObject);
1272 } else {
1273 JSObject* metaObject = ImportMetaOperation(cx, script);
1274 if (!metaObject) {
1275 return false;
1276 }
1277 res.setObject(*metaObject);
1278 }
1279
1280 TryAttachStub<LazyConstantIRGenerator>("LazyConstant", cx, frame, stub, res);
1281
1282 return true;
1283}
1284
1285bool FallbackICCodeCompiler::emit_LazyConstant() {
1286 EmitRestoreTailCallReg(masm);
1287
1288 masm.push(ICStubReg);
1289 pushStubPayload(masm, R0.scratchReg());
1290
1291 using Fn =
1292 bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, MutableHandleValue);
1293 return tailCallVM<Fn, DoLazyConstantFallback>(masm);
1294}
1295
1296//
1297// GetProp_Fallback
1298//
1299
1300bool DoGetPropFallback(JSContext* cx, BaselineFrame* frame,
1301 ICFallbackStub* stub, MutableHandleValue val,
1302 MutableHandleValue res) {
1303 stub->incrementEnteredCount();
1304 MaybeNotifyWarp(frame->outerScript(), stub);
1305
1306 RootedScript script(cx, frame->script());
1307 jsbytecode* pc = StubOffsetToPc(stub, script);
1308 JSOp op = JSOp(*pc);
1309 FallbackICSpew(cx, stub, "GetProp(%s)", CodeName(op));
1310
1311 MOZ_ASSERT(op == JSOp::GetProp || op == JSOp::GetBoundName)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::GetProp || op == JSOp::GetBoundName)>
::isValid, "invalid assertion condition"); if ((__builtin_expect
(!!(!(!!(op == JSOp::GetProp || op == JSOp::GetBoundName))), 0
))) { do { } while (false); MOZ_ReportAssertionFailure("op == JSOp::GetProp || op == JSOp::GetBoundName"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1311); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::GetProp || op == JSOp::GetBoundName"
")"); do { *((volatile int*)__null) = 1311; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1312
1313 Rooted<PropertyName*> name(cx, script->getName(pc));
1314 RootedValue idVal(cx, StringValue(name));
1315
1316 TryAttachStub<GetPropIRGenerator>("GetProp", cx, frame, stub,
1317 CacheKind::GetProp, val, idVal);
1318
1319 if (op == JSOp::GetBoundName) {
1320 RootedObject env(cx, &val.toObject());
1321 RootedId id(cx, NameToId(name));
1322 return GetNameBoundInEnvironment(cx, env, id, res);
1323 }
1324
1325 MOZ_ASSERT(op == JSOp::GetProp)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::GetProp)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::GetProp))), 0)))
{ do { } while (false); MOZ_ReportAssertionFailure("op == JSOp::GetProp"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1325); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::GetProp"
")"); do { *((volatile int*)__null) = 1325; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1326 if (!GetProperty(cx, val, name, res)) {
1327 return false;
1328 }
1329
1330 return true;
1331}
1332
1333bool DoGetPropSuperFallback(JSContext* cx, BaselineFrame* frame,
1334 ICFallbackStub* stub, HandleValue receiver,
1335 MutableHandleValue val, MutableHandleValue res) {
1336 stub->incrementEnteredCount();
1337 MaybeNotifyWarp(frame->outerScript(), stub);
1338
1339 RootedScript script(cx, frame->script());
1340 jsbytecode* pc = StubOffsetToPc(stub, script);
1341 FallbackICSpew(cx, stub, "GetPropSuper(%s)", CodeName(JSOp(*pc)));
1342
1343 MOZ_ASSERT(JSOp(*pc) == JSOp::GetPropSuper)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(JSOp(*pc) == JSOp::GetPropSuper)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(JSOp(*pc) == JSOp::GetPropSuper
))), 0))) { do { } while (false); MOZ_ReportAssertionFailure(
"JSOp(*pc) == JSOp::GetPropSuper", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1343); AnnotateMozCrashReason("MOZ_ASSERT" "(" "JSOp(*pc) == JSOp::GetPropSuper"
")"); do { *((volatile int*)__null) = 1343; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1344
1345 Rooted<PropertyName*> name(cx, script->getName(pc));
1346 RootedValue idVal(cx, StringValue(name));
1347
1348 // |val| is [[HomeObject]].[[Prototype]] which must be an Object or null.
1349 MOZ_ASSERT(val.isObjectOrNull())do { static_assert( mozilla::detail::AssertionConditionType<
decltype(val.isObjectOrNull())>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(val.isObjectOrNull()))), 0))
) { do { } while (false); MOZ_ReportAssertionFailure("val.isObjectOrNull()"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1349); AnnotateMozCrashReason("MOZ_ASSERT" "(" "val.isObjectOrNull()"
")"); do { *((volatile int*)__null) = 1349; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1350
1351 int valIndex = -1;
1352 RootedObject valObj(
1353 cx, ToObjectFromStackForPropertyAccess(cx, val, valIndex, name));
1354 if (!valObj) {
1355 return false;
1356 }
1357
1358 TryAttachStub<GetPropIRGenerator>("GetPropSuper", cx, frame, stub,
1359 CacheKind::GetPropSuper, val, idVal);
1360
1361 if (!GetProperty(cx, valObj, receiver, name, res)) {
1362 return false;
1363 }
1364
1365 return true;
1366}
1367
1368bool FallbackICCodeCompiler::emitGetProp(bool hasReceiver) {
1369 static_assert(R0 == JSReturnOperand);
1370
1371 EmitRestoreTailCallReg(masm);
1372
1373 // Super property getters use a |this| that differs from base object
1374 if (hasReceiver) {
1375 // Push arguments.
1376 masm.pushValue(R0);
1377 masm.pushValue(R1);
1378 masm.push(ICStubReg);
1379 masm.pushBaselineFramePtr(FramePointer, R0.scratchReg());
1380
1381 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*,
1382 HandleValue, MutableHandleValue, MutableHandleValue);
1383 if (!tailCallVM<Fn, DoGetPropSuperFallback>(masm)) {
1384 return false;
1385 }
1386 } else {
1387 // Ensure stack is fully synced for the expression decompiler.
1388 masm.pushValue(R0);
1389
1390 // Push arguments.
1391 masm.pushValue(R0);
1392 masm.push(ICStubReg);
1393 masm.pushBaselineFramePtr(FramePointer, R0.scratchReg());
1394
1395 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*,
1396 MutableHandleValue, MutableHandleValue);
1397 if (!tailCallVM<Fn, DoGetPropFallback>(masm)) {
1398 return false;
1399 }
1400 }
1401
1402 // This is the resume point used when bailout rewrites call stack to undo
1403 // Ion inlined frames. The return address pushed onto reconstructed stack
1404 // will point here.
1405 assumeStubFrame();
1406 if (hasReceiver) {
1407 code.initBailoutReturnOffset(BailoutReturnKind::GetPropSuper,
1408 masm.currentOffset());
1409 } else {
1410 code.initBailoutReturnOffset(BailoutReturnKind::GetProp,
1411 masm.currentOffset());
1412 }
1413
1414 leaveStubFrame(masm);
1415
1416 EmitReturnFromIC(masm);
1417 return true;
1418}
1419
1420bool FallbackICCodeCompiler::emit_GetProp() {
1421 return emitGetProp(/* hasReceiver = */ false);
1422}
1423
1424bool FallbackICCodeCompiler::emit_GetPropSuper() {
1425 return emitGetProp(/* hasReceiver = */ true);
1426}
1427
1428//
1429// SetProp_Fallback
1430//
1431
1432bool DoSetPropFallback(JSContext* cx, BaselineFrame* frame,
1433 ICFallbackStub* stub, Value* stack, HandleValue lhs,
1434 HandleValue rhs) {
1435 using DeferType = SetPropIRGenerator::DeferType;
1436
1437 stub->incrementEnteredCount();
1438 MaybeNotifyWarp(frame->outerScript(), stub);
1439
1440 RootedScript script(cx, frame->script());
1441 jsbytecode* pc = StubOffsetToPc(stub, script);
1442 JSOp op = JSOp(*pc);
1443 FallbackICSpew(cx, stub, "SetProp(%s)", CodeName(op));
1444
1445 MOZ_ASSERT(op == JSOp::SetProp || op == JSOp::StrictSetProp ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::SetProp || op == JSOp::StrictSetProp || op
== JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::
SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp
|| op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp ||
op == JSOp::InitGLexical)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::SetProp || op ==
JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName
|| op == JSOp::SetGName || op == JSOp::StrictSetGName || op ==
JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::
InitHiddenProp || op == JSOp::InitGLexical))), 0))) { do { } while
(false); MOZ_ReportAssertionFailure("op == JSOp::SetProp || op == JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp || op == JSOp::InitGLexical"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1449); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::SetProp || op == JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp || op == JSOp::InitGLexical"
")"); do { *((volatile int*)__null) = 1449; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
1446 op == JSOp::SetName || op == JSOp::StrictSetName ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::SetProp || op == JSOp::StrictSetProp || op
== JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::
SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp
|| op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp ||
op == JSOp::InitGLexical)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::SetProp || op ==
JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName
|| op == JSOp::SetGName || op == JSOp::StrictSetGName || op ==
JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::
InitHiddenProp || op == JSOp::InitGLexical))), 0))) { do { } while
(false); MOZ_ReportAssertionFailure("op == JSOp::SetProp || op == JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp || op == JSOp::InitGLexical"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1449); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::SetProp || op == JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp || op == JSOp::InitGLexical"
")"); do { *((volatile int*)__null) = 1449; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
1447 op == JSOp::SetGName || op == JSOp::StrictSetGName ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::SetProp || op == JSOp::StrictSetProp || op
== JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::
SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp
|| op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp ||
op == JSOp::InitGLexical)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::SetProp || op ==
JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName
|| op == JSOp::SetGName || op == JSOp::StrictSetGName || op ==
JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::
InitHiddenProp || op == JSOp::InitGLexical))), 0))) { do { } while
(false); MOZ_ReportAssertionFailure("op == JSOp::SetProp || op == JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp || op == JSOp::InitGLexical"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1449); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::SetProp || op == JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp || op == JSOp::InitGLexical"
")"); do { *((volatile int*)__null) = 1449; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
1448 op == JSOp::InitProp || op == JSOp::InitLockedProp ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::SetProp || op == JSOp::StrictSetProp || op
== JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::
SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp
|| op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp ||
op == JSOp::InitGLexical)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::SetProp || op ==
JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName
|| op == JSOp::SetGName || op == JSOp::StrictSetGName || op ==
JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::
InitHiddenProp || op == JSOp::InitGLexical))), 0))) { do { } while
(false); MOZ_ReportAssertionFailure("op == JSOp::SetProp || op == JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp || op == JSOp::InitGLexical"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1449); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::SetProp || op == JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp || op == JSOp::InitGLexical"
")"); do { *((volatile int*)__null) = 1449; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
1449 op == JSOp::InitHiddenProp || op == JSOp::InitGLexical)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::SetProp || op == JSOp::StrictSetProp || op
== JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::
SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp
|| op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp ||
op == JSOp::InitGLexical)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(op == JSOp::SetProp || op ==
JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName
|| op == JSOp::SetGName || op == JSOp::StrictSetGName || op ==
JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::
InitHiddenProp || op == JSOp::InitGLexical))), 0))) { do { } while
(false); MOZ_ReportAssertionFailure("op == JSOp::SetProp || op == JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp || op == JSOp::InitGLexical"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1449); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::SetProp || op == JSOp::StrictSetProp || op == JSOp::SetName || op == JSOp::StrictSetName || op == JSOp::SetGName || op == JSOp::StrictSetGName || op == JSOp::InitProp || op == JSOp::InitLockedProp || op == JSOp::InitHiddenProp || op == JSOp::InitGLexical"
")"); do { *((volatile int*)__null) = 1449; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1450
1451 Rooted<PropertyName*> name(cx, script->getName(pc));
1452 RootedId id(cx, NameToId(name));
1453
1454 int lhsIndex = stack ? -2 : JSDVG_IGNORE_STACK0;
1455 RootedObject obj(cx,
1456 ToObjectFromStackForPropertyAccess(cx, lhs, lhsIndex, id));
1457 if (!obj) {
1458 return false;
1459 }
1460 Rooted<Shape*> oldShape(cx, obj->shape());
1461
1462 DeferType deferType = DeferType::None;
1463 bool attached = false;
1464 MaybeTransition(cx, frame, stub);
1465
1466 if (stub->state().canAttachStub()) {
1467 RootedValue idVal(cx, StringValue(name));
1468 SetPropIRGenerator gen(cx, script, pc, CacheKind::SetProp, stub->state(),
1469 lhs, idVal, rhs);
1470 switch (gen.tryAttachStub()) {
1471 case AttachDecision::Attach: {
1472 ICScript* icScript = frame->icScript();
1473 ICAttachResult result = AttachBaselineCacheIRStub(
1474 cx, gen.writerRef(), gen.cacheKind(), frame->script(), icScript,
1475 stub, gen.stubName());
1476 if (result == ICAttachResult::Attached) {
1477 attached = true;
1478 JitSpew(JitSpew_BaselineIC, " Attached SetProp CacheIR stub");
1479 }
1480 } break;
1481 case AttachDecision::NoAction:
1482 break;
1483 case AttachDecision::TemporarilyUnoptimizable:
1484 attached = true;
1485 break;
1486 case AttachDecision::Deferred:
1487 deferType = gen.deferType();
1488 MOZ_ASSERT(deferType != DeferType::None)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(deferType != DeferType::None)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(deferType != DeferType::None
))), 0))) { do { } while (false); MOZ_ReportAssertionFailure(
"deferType != DeferType::None", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1488); AnnotateMozCrashReason("MOZ_ASSERT" "(" "deferType != DeferType::None"
")"); do { *((volatile int*)__null) = 1488; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1489 break;
1490 }
1491 if (deferType == DeferType::None && !attached) {
1492 stub->trackNotAttached();
1493 }
1494 }
1495
1496 if (op == JSOp::InitProp || op == JSOp::InitLockedProp ||
1497 op == JSOp::InitHiddenProp) {
1498 if (!InitPropertyOperation(cx, pc, obj, name, rhs)) {
1499 return false;
1500 }
1501 } else if (op == JSOp::SetName || op == JSOp::StrictSetName ||
1502 op == JSOp::SetGName || op == JSOp::StrictSetGName) {
1503 if (!SetNameOperation(cx, script, pc, obj, rhs)) {
1504 return false;
1505 }
1506 } else if (op == JSOp::InitGLexical) {
1507 ExtensibleLexicalEnvironmentObject* lexicalEnv;
1508 if (script->hasNonSyntacticScope()) {
1509 lexicalEnv = &NearestEnclosingExtensibleLexicalEnvironment(
1510 frame->environmentChain());
1511 } else {
1512 lexicalEnv = &cx->global()->lexicalEnvironment();
1513 }
1514 InitGlobalLexicalOperation(cx, lexicalEnv, script, pc, rhs);
1515 } else {
1516 MOZ_ASSERT(op == JSOp::SetProp || op == JSOp::StrictSetProp)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::SetProp || op == JSOp::StrictSetProp)>
::isValid, "invalid assertion condition"); if ((__builtin_expect
(!!(!(!!(op == JSOp::SetProp || op == JSOp::StrictSetProp))),
0))) { do { } while (false); MOZ_ReportAssertionFailure("op == JSOp::SetProp || op == JSOp::StrictSetProp"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1516); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::SetProp || op == JSOp::StrictSetProp"
")"); do { *((volatile int*)__null) = 1516; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1517
1518 ObjectOpResult result;
1519 if (!SetProperty(cx, obj, id, rhs, lhs, result) ||
1520 !result.checkStrictModeError(cx, obj, id, op == JSOp::StrictSetProp)) {
1521 return false;
1522 }
1523 }
1524
1525 if (stack) {
1526 // Overwrite the LHS on the stack (pushed for the decompiler) with the RHS.
1527 MOZ_ASSERT(stack[1] == lhs)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(stack[1] == lhs)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(stack[1] == lhs))), 0))) { do
{ } while (false); MOZ_ReportAssertionFailure("stack[1] == lhs"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1527); AnnotateMozCrashReason("MOZ_ASSERT" "(" "stack[1] == lhs"
")"); do { *((volatile int*)__null) = 1527; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1528 stack[1] = rhs;
1529 }
1530
1531 if (attached) {
1532 return true;
1533 }
1534
1535 // The SetProperty call might have entered this IC recursively, so try
1536 // to transition.
1537 MaybeTransition(cx, frame, stub);
1538
1539 bool canAttachStub = stub->state().canAttachStub();
1540
1541 if (deferType != DeferType::None && canAttachStub) {
1542 RootedValue idVal(cx, StringValue(name));
1543 SetPropIRGenerator gen(cx, script, pc, CacheKind::SetProp, stub->state(),
1544 lhs, idVal, rhs);
1545
1546 MOZ_ASSERT(deferType == DeferType::AddSlot)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(deferType == DeferType::AddSlot)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(deferType == DeferType::AddSlot
))), 0))) { do { } while (false); MOZ_ReportAssertionFailure(
"deferType == DeferType::AddSlot", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1546); AnnotateMozCrashReason("MOZ_ASSERT" "(" "deferType == DeferType::AddSlot"
")"); do { *((volatile int*)__null) = 1546; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1547 AttachDecision decision = gen.tryAttachAddSlotStub(oldShape);
1548
1549 switch (decision) {
1550 case AttachDecision::Attach: {
1551 ICScript* icScript = frame->icScript();
1552 ICAttachResult result = AttachBaselineCacheIRStub(
1553 cx, gen.writerRef(), gen.cacheKind(), frame->script(), icScript,
1554 stub, gen.stubName());
1555 if (result == ICAttachResult::Attached) {
1556 attached = true;
1557 JitSpew(JitSpew_BaselineIC, " Attached SetElem CacheIR stub");
1558 }
1559 } break;
1560 case AttachDecision::NoAction:
1561 gen.trackAttached(IRGenerator::NotAttached);
1562 break;
1563 case AttachDecision::TemporarilyUnoptimizable:
1564 case AttachDecision::Deferred:
1565 MOZ_ASSERT_UNREACHABLE("Invalid attach result")do { static_assert( mozilla::detail::AssertionConditionType<
decltype(false)>::isValid, "invalid assertion condition");
if ((__builtin_expect(!!(!(!!(false))), 0))) { do { } while (
false); MOZ_ReportAssertionFailure("false" " (" "MOZ_ASSERT_UNREACHABLE: "
"Invalid attach result" ")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1565); AnnotateMozCrashReason("MOZ_ASSERT" "(" "false" ") ("
"MOZ_ASSERT_UNREACHABLE: " "Invalid attach result" ")"); do {
*((volatile int*)__null) = 1565; __attribute__((nomerge)) ::
abort(); } while (false); } } while (false);
1566 break;
1567 }
1568 if (!attached) {
1569 stub->trackNotAttached();
1570 }
1571 }
1572
1573 return true;
1574}
1575
1576bool FallbackICCodeCompiler::emit_SetProp() {
1577 static_assert(R0 == JSReturnOperand);
1578
1579 EmitRestoreTailCallReg(masm);
1580
1581 // Ensure stack is fully synced for the expression decompiler.
1582 // Overwrite the RHS value on top of the stack with the object, then push
1583 // the RHS in R1 on top of that.
1584 masm.storeValue(R0, Address(masm.getStackPointer(), 0));
1585 masm.pushValue(R1);
1586
1587 // Push arguments.
1588 masm.pushValue(R1);
1589 masm.pushValue(R0);
1590
1591 // Push pointer to stack values, so that the stub can overwrite the object
1592 // (pushed for the decompiler) with the RHS.
1593 masm.computeEffectiveAddress(
1594 Address(masm.getStackPointer(), 2 * sizeof(Value)), R0.scratchReg());
1595 masm.push(R0.scratchReg());
1596
1597 masm.push(ICStubReg);
1598 pushStubPayload(masm, R0.scratchReg());
1599
1600 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, Value*,
1601 HandleValue, HandleValue);
1602 if (!tailCallVM<Fn, DoSetPropFallback>(masm)) {
1603 return false;
1604 }
1605
1606 // This is the resume point used when bailout rewrites call stack to undo
1607 // Ion inlined frames. The return address pushed onto reconstructed stack
1608 // will point here.
1609 assumeStubFrame();
1610 code.initBailoutReturnOffset(BailoutReturnKind::SetProp,
1611 masm.currentOffset());
1612
1613 leaveStubFrame(masm);
1614 EmitReturnFromIC(masm);
1615
1616 return true;
1617}
1618
1619//
1620// Call_Fallback
1621//
1622
1623bool DoCallFallback(JSContext* cx, BaselineFrame* frame, ICFallbackStub* stub,
1624 uint32_t argc, Value* vp, MutableHandleValue res) {
1625 stub->incrementEnteredCount();
1626 MaybeNotifyWarp(frame->outerScript(), stub);
1627
1628 RootedScript script(cx, frame->script());
1629 jsbytecode* pc = StubOffsetToPc(stub, script);
1630 JSOp op = JSOp(*pc);
1631 FallbackICSpew(cx, stub, "Call(%s)", CodeName(op));
1632
1633 MOZ_ASSERT(argc == GET_ARGC(pc))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(argc == GET_ARGC(pc))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(argc == GET_ARGC(pc)))), 0))
) { do { } while (false); MOZ_ReportAssertionFailure("argc == GET_ARGC(pc)"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1633); AnnotateMozCrashReason("MOZ_ASSERT" "(" "argc == GET_ARGC(pc)"
")"); do { *((volatile int*)__null) = 1633; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1634 bool constructing =
1635 (op == JSOp::New || op == JSOp::NewContent || op == JSOp::SuperCall);
1636 bool ignoresReturnValue = (op == JSOp::CallIgnoresRv);
1637
1638 // Ensure vp array is rooted - we may GC in here.
1639 size_t numValues = argc + 2 + constructing;
1640 RootedExternalValueArray vpRoot(cx, numValues, vp);
1641
1642 CallArgs callArgs = CallArgsFromSp(argc + constructing, vp + numValues,
1643 constructing, ignoresReturnValue);
1644 RootedValue callee(cx, vp[0]);
1645 RootedValue newTarget(cx, constructing ? callArgs.newTarget() : NullValue());
1646
1647 // Transition stub state to megamorphic or generic if warranted.
1648 MaybeTransition(cx, frame, stub);
1649
1650 bool canAttachStub = stub->state().canAttachStub();
1651 bool handled = false;
1652
1653 // Only bother to try optimizing JSOp::Call with CacheIR if the chain is still
1654 // allowed to attach stubs.
1655 if (canAttachStub) {
1656 HandleValueArray args = HandleValueArray::fromMarkedLocation(argc, vp + 2);
1657 CallIRGenerator gen(cx, script, pc, op, stub->state(), frame, argc, callee,
1658 callArgs.thisv(), newTarget, args);
1659 switch (gen.tryAttachStub()) {
1660 case AttachDecision::NoAction:
1661 break;
1662 case AttachDecision::Attach: {
1663 ICScript* icScript = frame->icScript();
1664 ICAttachResult result =
1665 AttachBaselineCacheIRStub(cx, gen.writerRef(), gen.cacheKind(),
1666 script, icScript, stub, gen.stubName());
1667 if (result == ICAttachResult::Attached) {
1668 handled = true;
1669 JitSpew(JitSpew_BaselineIC, " Attached Call CacheIR stub");
1670 }
1671 } break;
1672 case AttachDecision::TemporarilyUnoptimizable:
1673 handled = true;
1674 break;
1675 case AttachDecision::Deferred:
1676 MOZ_CRASH("No deferred Call stubs")do { do { } while (false); MOZ_ReportCrash("" "No deferred Call stubs"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1676); AnnotateMozCrashReason("MOZ_CRASH(" "No deferred Call stubs"
")"); do { *((volatile int*)__null) = 1676; __attribute__((nomerge
)) ::abort(); } while (false); } while (false);
1677 }
1678 if (!handled) {
1679 stub->trackNotAttached();
1680 }
1681 }
1682
1683 if (constructing) {
1684 if (!ConstructFromStack(cx, callArgs)) {
1685 return false;
1686 }
1687 res.set(callArgs.rval());
1688 } else if ((op == JSOp::Eval || op == JSOp::StrictEval) &&
1689 cx->global()->valueIsEval(callee)) {
1690 if (!DirectEval(cx, callArgs.get(0), res)) {
1691 return false;
1692 }
1693 } else {
1694 MOZ_ASSERT(op == JSOp::Call || op == JSOp::CallContent ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::Call || op == JSOp::CallContent || op ==
JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter
|| op == JSOp::Eval || op == JSOp::StrictEval)>::isValid,
"invalid assertion condition"); if ((__builtin_expect(!!(!(!
!(op == JSOp::Call || op == JSOp::CallContent || op == JSOp::
CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter
|| op == JSOp::Eval || op == JSOp::StrictEval))), 0))) { do {
} while (false); MOZ_ReportAssertionFailure("op == JSOp::Call || op == JSOp::CallContent || op == JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter || op == JSOp::Eval || op == JSOp::StrictEval"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1697); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::Call || op == JSOp::CallContent || op == JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter || op == JSOp::Eval || op == JSOp::StrictEval"
")"); do { *((volatile int*)__null) = 1697; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
1695 op == JSOp::CallIgnoresRv || op == JSOp::CallIter ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::Call || op == JSOp::CallContent || op ==
JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter
|| op == JSOp::Eval || op == JSOp::StrictEval)>::isValid,
"invalid assertion condition"); if ((__builtin_expect(!!(!(!
!(op == JSOp::Call || op == JSOp::CallContent || op == JSOp::
CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter
|| op == JSOp::Eval || op == JSOp::StrictEval))), 0))) { do {
} while (false); MOZ_ReportAssertionFailure("op == JSOp::Call || op == JSOp::CallContent || op == JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter || op == JSOp::Eval || op == JSOp::StrictEval"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1697); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::Call || op == JSOp::CallContent || op == JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter || op == JSOp::Eval || op == JSOp::StrictEval"
")"); do { *((volatile int*)__null) = 1697; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
1696 op == JSOp::CallContentIter || op == JSOp::Eval ||do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::Call || op == JSOp::CallContent || op ==
JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter
|| op == JSOp::Eval || op == JSOp::StrictEval)>::isValid,
"invalid assertion condition"); if ((__builtin_expect(!!(!(!
!(op == JSOp::Call || op == JSOp::CallContent || op == JSOp::
CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter
|| op == JSOp::Eval || op == JSOp::StrictEval))), 0))) { do {
} while (false); MOZ_ReportAssertionFailure("op == JSOp::Call || op == JSOp::CallContent || op == JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter || op == JSOp::Eval || op == JSOp::StrictEval"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1697); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::Call || op == JSOp::CallContent || op == JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter || op == JSOp::Eval || op == JSOp::StrictEval"
")"); do { *((volatile int*)__null) = 1697; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false)
1697 op == JSOp::StrictEval)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(op == JSOp::Call || op == JSOp::CallContent || op ==
JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter
|| op == JSOp::Eval || op == JSOp::StrictEval)>::isValid,
"invalid assertion condition"); if ((__builtin_expect(!!(!(!
!(op == JSOp::Call || op == JSOp::CallContent || op == JSOp::
CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter
|| op == JSOp::Eval || op == JSOp::StrictEval))), 0))) { do {
} while (false); MOZ_ReportAssertionFailure("op == JSOp::Call || op == JSOp::CallContent || op == JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter || op == JSOp::Eval || op == JSOp::StrictEval"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1697); AnnotateMozCrashReason("MOZ_ASSERT" "(" "op == JSOp::Call || op == JSOp::CallContent || op == JSOp::CallIgnoresRv || op == JSOp::CallIter || op == JSOp::CallContentIter || op == JSOp::Eval || op == JSOp::StrictEval"
")"); do { *((volatile int*)__null) = 1697; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1698 if ((op == JSOp::CallIter || op == JSOp::CallContentIter) &&
1699 callee.isPrimitive()) {
1700 MOZ_ASSERT(argc == 0, "thisv must be on top of the stack")do { static_assert( mozilla::detail::AssertionConditionType<
decltype(argc == 0)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(argc == 0))), 0))) { do { } while
(false); MOZ_ReportAssertionFailure("argc == 0" " (" "thisv must be on top of the stack"
")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1700); AnnotateMozCrashReason("MOZ_ASSERT" "(" "argc == 0" ") ("
"thisv must be on top of the stack" ")"); do { *((volatile int
*)__null) = 1700; __attribute__((nomerge)) ::abort(); } while
(false); } } while (false);
1701 ReportValueError(cx, JSMSG_NOT_ITERABLE, -1, callArgs.thisv(), nullptr);
1702 return false;
1703 }
1704
1705 if (!CallFromStack(cx, callArgs)) {
1706 return false;
1707 }
1708
1709 res.set(callArgs.rval());
1710 }
1711
1712 return true;
1713}
1714
1715bool DoSpreadCallFallback(JSContext* cx, BaselineFrame* frame,
1716 ICFallbackStub* stub, Value* vp,
1717 MutableHandleValue res) {
1718 stub->incrementEnteredCount();
1719 MaybeNotifyWarp(frame->outerScript(), stub);
1720
1721 RootedScript script(cx, frame->script());
1722 jsbytecode* pc = StubOffsetToPc(stub, script);
1723 JSOp op = JSOp(*pc);
1724 bool constructing = (op == JSOp::SpreadNew || op == JSOp::SpreadSuperCall);
1725 FallbackICSpew(cx, stub, "SpreadCall(%s)", CodeName(op));
1726
1727 // Ensure vp array is rooted - we may GC in here.
1728 RootedExternalValueArray vpRoot(cx, 3 + constructing, vp);
1729
1730 RootedValue callee(cx, vp[0]);
1731 RootedValue thisv(cx, vp[1]);
1732 RootedValue arr(cx, vp[2]);
1733 RootedValue newTarget(cx, constructing ? vp[3] : NullValue());
1734
1735 // Transition stub state to megamorphic or generic if warranted.
1736 MaybeTransition(cx, frame, stub);
1737
1738 // Try attaching a call stub.
1739 bool handled = false;
1740 if (op != JSOp::SpreadEval && op != JSOp::StrictSpreadEval &&
1741 stub->state().canAttachStub()) {
1742 // Try CacheIR first:
1743 Rooted<ArrayObject*> aobj(cx, &arr.toObject().as<ArrayObject>());
1744 MOZ_ASSERT(IsPackedArray(aobj))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(IsPackedArray(aobj))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(IsPackedArray(aobj)))), 0)))
{ do { } while (false); MOZ_ReportAssertionFailure("IsPackedArray(aobj)"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1744); AnnotateMozCrashReason("MOZ_ASSERT" "(" "IsPackedArray(aobj)"
")"); do { *((volatile int*)__null) = 1744; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1745
1746 HandleValueArray args = HandleValueArray::fromMarkedLocation(
1747 aobj->length(), aobj->getDenseElements());
1748 CallIRGenerator gen(cx, script, pc, op, stub->state(), frame, 1, callee,
1749 thisv, newTarget, args);
1750 switch (gen.tryAttachStub()) {
1751 case AttachDecision::NoAction:
1752 break;
1753 case AttachDecision::Attach: {
1754 ICScript* icScript = frame->icScript();
1755 ICAttachResult result =
1756 AttachBaselineCacheIRStub(cx, gen.writerRef(), gen.cacheKind(),
1757 script, icScript, stub, gen.stubName());
1758
1759 if (result == ICAttachResult::Attached) {
1760 handled = true;
1761 JitSpew(JitSpew_BaselineIC, " Attached Spread Call CacheIR stub");
1762 }
1763 } break;
1764 case AttachDecision::TemporarilyUnoptimizable:
1765 handled = true;
1766 break;
1767 case AttachDecision::Deferred:
1768 MOZ_ASSERT_UNREACHABLE("No deferred optimizations for spread calls")do { static_assert( mozilla::detail::AssertionConditionType<
decltype(false)>::isValid, "invalid assertion condition");
if ((__builtin_expect(!!(!(!!(false))), 0))) { do { } while (
false); MOZ_ReportAssertionFailure("false" " (" "MOZ_ASSERT_UNREACHABLE: "
"No deferred optimizations for spread calls" ")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1768); AnnotateMozCrashReason("MOZ_ASSERT" "(" "false" ") ("
"MOZ_ASSERT_UNREACHABLE: " "No deferred optimizations for spread calls"
")"); do { *((volatile int*)__null) = 1768; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1769 break;
1770 }
1771 if (!handled) {
1772 stub->trackNotAttached();
1773 }
1774 }
1775
1776 return SpreadCallOperation(cx, script, pc, thisv, callee, arr, newTarget,
1777 res);
1778}
1779
1780void FallbackICCodeCompiler::pushCallArguments(
1781 MacroAssembler& masm, AllocatableGeneralRegisterSet regs, Register argcReg,
1782 bool isConstructing) {
1783 MOZ_ASSERT(!regs.has(argcReg))do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!regs.has(argcReg))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!regs.has(argcReg)))), 0))) {
do { } while (false); MOZ_ReportAssertionFailure("!regs.has(argcReg)"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1783); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!regs.has(argcReg)"
")"); do { *((volatile int*)__null) = 1783; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1784
1785 // argPtr initially points to the last argument.
1786 Register argPtr = regs.takeAny();
1787 masm.mov(FramePointer, argPtr);
1788
1789 // Skip 3 pointers pushed on top of the arguments: the frame descriptor,
1790 // return address, and old frame pointer.
1791 size_t valueOffset = BaselineStubFrameLayout::Size();
1792
1793 // We have to push |this|, callee, new.target (if constructing) and argc
1794 // arguments. Handle the number of Values we know statically first.
1795
1796 size_t numNonArgValues = 2 + isConstructing;
1797 for (size_t i = 0; i < numNonArgValues; i++) {
1798 masm.pushValue(Address(argPtr, valueOffset));
1799 valueOffset += sizeof(Value);
1800 }
1801
1802 // If there are no arguments we're done.
1803 Label done;
1804 masm.branchTest32(Assembler::Zero, argcReg, argcReg, &done);
1805
1806 // Push argc Values.
1807 Label loop;
1808 Register count = regs.takeAny();
1809 masm.addPtr(Imm32(valueOffset), argPtr);
1810 masm.move32(argcReg, count);
1811 masm.bind(&loop);
1812 {
1813 masm.pushValue(Address(argPtr, 0));
1814 masm.addPtr(Imm32(sizeof(Value)), argPtr);
1815
1816 masm.branchSub32(Assembler::NonZero, Imm32(1), count, &loop);
1817 }
1818 masm.bind(&done);
1819}
1820
1821bool FallbackICCodeCompiler::emitCall(bool isSpread, bool isConstructing) {
1822 static_assert(R0 == JSReturnOperand);
1823
1824 // Values are on the stack left-to-right. Calling convention wants them
1825 // right-to-left so duplicate them on the stack in reverse order.
1826 // |this| and callee are pushed last.
1827
1828 AllocatableGeneralRegisterSet regs = BaselineICAvailableGeneralRegs(0);
1829
1830 if (MOZ_UNLIKELY(isSpread)(__builtin_expect(!!(isSpread), 0))) {
1831 // Push a stub frame so that we can perform a non-tail call.
1832 enterStubFrame(masm, R1.scratchReg());
1833
1834 // Use FramePointer instead of StackPointer because it's not affected by
1835 // the stack pushes below.
1836
1837 // newTarget
1838 uint32_t valueOffset = BaselineStubFrameLayout::Size();
1839 if (isConstructing) {
1840 masm.pushValue(Address(FramePointer, valueOffset));
1841 valueOffset += sizeof(Value);
1842 }
1843
1844 // array
1845 masm.pushValue(Address(FramePointer, valueOffset));
1846 valueOffset += sizeof(Value);
1847
1848 // this
1849 masm.pushValue(Address(FramePointer, valueOffset));
1850 valueOffset += sizeof(Value);
1851
1852 // callee
1853 masm.pushValue(Address(FramePointer, valueOffset));
1854 valueOffset += sizeof(Value);
Value stored to 'valueOffset' is never read
1855
1856 masm.push(masm.getStackPointer());
1857 masm.push(ICStubReg);
1858
1859 PushStubPayload(masm, R0.scratchReg());
1860
1861 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, Value*,
1862 MutableHandleValue);
1863 if (!callVM<Fn, DoSpreadCallFallback>(masm)) {
1864 return false;
1865 }
1866
1867 leaveStubFrame(masm);
1868 EmitReturnFromIC(masm);
1869
1870 // SpreadCall is not yet supported in Ion, so do not generate asmcode for
1871 // bailout.
1872 return true;
1873 }
1874
1875 // Push a stub frame so that we can perform a non-tail call.
1876 enterStubFrame(masm, R1.scratchReg());
1877
1878 regs.take(R0.scratchReg()); // argc.
1879
1880 pushCallArguments(masm, regs, R0.scratchReg(), isConstructing);
1881
1882 masm.push(masm.getStackPointer());
1883 masm.push(R0.scratchReg());
1884 masm.push(ICStubReg);
1885
1886 PushStubPayload(masm, R0.scratchReg());
1887
1888 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, uint32_t,
1889 Value*, MutableHandleValue);
1890 if (!callVM<Fn, DoCallFallback>(masm)) {
1891 return false;
1892 }
1893
1894 leaveStubFrame(masm);
1895 EmitReturnFromIC(masm);
1896
1897 // This is the resume point used when bailout rewrites call stack to undo
1898 // Ion inlined frames. The return address pushed onto reconstructed stack
1899 // will point here.
1900 assumeStubFrame();
1901
1902 MOZ_ASSERT(!isSpread)do { static_assert( mozilla::detail::AssertionConditionType<
decltype(!isSpread)>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(!isSpread))), 0))) { do { } while
(false); MOZ_ReportAssertionFailure("!isSpread", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 1902); AnnotateMozCrashReason("MOZ_ASSERT" "(" "!isSpread" ")"
); do { *((volatile int*)__null) = 1902; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
1903
1904 if (isConstructing) {
1905 code.initBailoutReturnOffset(BailoutReturnKind::New, masm.currentOffset());
1906 } else {
1907 code.initBailoutReturnOffset(BailoutReturnKind::Call, masm.currentOffset());
1908 }
1909
1910 // Load passed-in ThisV into R1 just in case it's needed. Need to do this
1911 // before we leave the stub frame since that info will be lost.
1912 // Current stack: [...., ThisV, CalleeToken, Descriptor ]
1913 size_t thisvOffset =
1914 JitFrameLayout::offsetOfThis() - JitFrameLayout::bytesPoppedAfterCall();
1915 masm.loadValue(Address(masm.getStackPointer(), thisvOffset), R1);
1916
1917 leaveStubFrame(masm);
1918
1919 // If this is a |constructing| call, if the callee returns a non-object, we
1920 // replace it with the |this| object passed in.
1921 if (isConstructing) {
1922 static_assert(JSReturnOperand == R0);
1923 Label skipThisReplace;
1924
1925 masm.branchTestObject(Assembler::Equal, JSReturnOperand, &skipThisReplace);
1926 masm.moveValue(R1, R0);
1927#ifdef DEBUG1
1928 masm.branchTestObject(Assembler::Equal, JSReturnOperand, &skipThisReplace);
1929 masm.assumeUnreachable("Failed to return object in constructing call.");
1930#endif
1931 masm.bind(&skipThisReplace);
1932 }
1933
1934 EmitReturnFromIC(masm);
1935 return true;
1936}
1937
1938bool FallbackICCodeCompiler::emit_Call() {
1939 return emitCall(/* isSpread = */ false, /* isConstructing = */ false);
1940}
1941
1942bool FallbackICCodeCompiler::emit_CallConstructing() {
1943 return emitCall(/* isSpread = */ false, /* isConstructing = */ true);
1944}
1945
1946bool FallbackICCodeCompiler::emit_SpreadCall() {
1947 return emitCall(/* isSpread = */ true, /* isConstructing = */ false);
1948}
1949
1950bool FallbackICCodeCompiler::emit_SpreadCallConstructing() {
1951 return emitCall(/* isSpread = */ true, /* isConstructing = */ true);
1952}
1953
1954//
1955// GetIterator_Fallback
1956//
1957
1958bool DoGetIteratorFallback(JSContext* cx, BaselineFrame* frame,
1959 ICFallbackStub* stub, HandleValue value,
1960 MutableHandleValue res) {
1961 stub->incrementEnteredCount();
1962 MaybeNotifyWarp(frame->outerScript(), stub);
1963 FallbackICSpew(cx, stub, "GetIterator");
1964
1965 TryAttachStub<GetIteratorIRGenerator>("GetIterator", cx, frame, stub, value);
1966
1967 PropertyIteratorObject* iterObj = ValueToIterator(cx, value);
1968 if (!iterObj) {
1969 return false;
1970 }
1971
1972 res.setObject(*iterObj);
1973 return true;
1974}
1975
1976bool FallbackICCodeCompiler::emit_GetIterator() {
1977 EmitRestoreTailCallReg(masm);
1978
1979 // Sync stack for the decompiler.
1980 masm.pushValue(R0);
1981
1982 masm.pushValue(R0);
1983 masm.push(ICStubReg);
1984 pushStubPayload(masm, R0.scratchReg());
1985
1986 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
1987 MutableHandleValue);
1988 return tailCallVM<Fn, DoGetIteratorFallback>(masm);
1989}
1990
1991//
1992// OptimizeSpreadCall_Fallback
1993//
1994
1995bool DoOptimizeSpreadCallFallback(JSContext* cx, BaselineFrame* frame,
1996 ICFallbackStub* stub, HandleValue value,
1997 MutableHandleValue res) {
1998 stub->incrementEnteredCount();
1999 MaybeNotifyWarp(frame->outerScript(), stub);
2000 FallbackICSpew(cx, stub, "OptimizeSpreadCall");
2001
2002 TryAttachStub<OptimizeSpreadCallIRGenerator>("OptimizeSpreadCall", cx, frame,
2003 stub, value);
2004
2005 return OptimizeSpreadCall(cx, value, res);
2006}
2007
2008bool FallbackICCodeCompiler::emit_OptimizeSpreadCall() {
2009 EmitRestoreTailCallReg(masm);
2010
2011 masm.pushValue(R0);
2012 masm.push(ICStubReg);
2013 pushStubPayload(masm, R0.scratchReg());
2014
2015 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
2016 MutableHandleValue);
2017 return tailCallVM<Fn, DoOptimizeSpreadCallFallback>(masm);
2018}
2019
2020//
2021// InstanceOf_Fallback
2022//
2023
2024bool DoInstanceOfFallback(JSContext* cx, BaselineFrame* frame,
2025 ICFallbackStub* stub, HandleValue lhs,
2026 HandleValue rhs, MutableHandleValue res) {
2027 stub->incrementEnteredCount();
2028 MaybeNotifyWarp(frame->outerScript(), stub);
2029 FallbackICSpew(cx, stub, "InstanceOf");
2030
2031 if (!rhs.isObject()) {
2032 ReportValueError(cx, JSMSG_BAD_INSTANCEOF_RHS, -1, rhs, nullptr);
2033 return false;
2034 }
2035
2036 RootedObject obj(cx, &rhs.toObject());
2037 bool cond = false;
2038 if (!InstanceofOperator(cx, obj, lhs, &cond)) {
2039 return false;
2040 }
2041
2042 res.setBoolean(cond);
2043
2044 if (!obj->is<JSFunction>()) {
2045 // ensure we've recorded at least one failure, so we can detect there was a
2046 // non-optimizable case
2047 if (!stub->state().hasFailures()) {
2048 stub->trackNotAttached();
2049 }
2050 return true;
2051 }
2052
2053 TryAttachStub<InstanceOfIRGenerator>("InstanceOf", cx, frame, stub, lhs, obj);
2054 return true;
2055}
2056
2057bool FallbackICCodeCompiler::emit_InstanceOf() {
2058 EmitRestoreTailCallReg(masm);
2059
2060 // Sync stack for the decompiler.
2061 masm.pushValue(R0);
2062 masm.pushValue(R1);
2063
2064 masm.pushValue(R1);
2065 masm.pushValue(R0);
2066 masm.push(ICStubReg);
2067 pushStubPayload(masm, R0.scratchReg());
2068
2069 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
2070 HandleValue, MutableHandleValue);
2071 return tailCallVM<Fn, DoInstanceOfFallback>(masm);
2072}
2073
2074//
2075// TypeOf_Fallback
2076//
2077
2078bool DoTypeOfFallback(JSContext* cx, BaselineFrame* frame, ICFallbackStub* stub,
2079 HandleValue val, MutableHandleValue res) {
2080 stub->incrementEnteredCount();
2081 MaybeNotifyWarp(frame->outerScript(), stub);
2082 FallbackICSpew(cx, stub, "TypeOf");
2083
2084 TryAttachStub<TypeOfIRGenerator>("TypeOf", cx, frame, stub, val);
2085
2086 JSType type = js::TypeOfValue(val);
2087 RootedString string(cx, TypeName(type, cx->names()));
2088 res.setString(string);
2089 return true;
2090}
2091
2092bool FallbackICCodeCompiler::emit_TypeOf() {
2093 EmitRestoreTailCallReg(masm);
2094
2095 masm.pushValue(R0);
2096 masm.push(ICStubReg);
2097 pushStubPayload(masm, R0.scratchReg());
2098
2099 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
2100 MutableHandleValue);
2101 return tailCallVM<Fn, DoTypeOfFallback>(masm);
2102}
2103
2104//
2105// TypeOfEq_Fallback
2106//
2107
2108bool DoTypeOfEqFallback(JSContext* cx, BaselineFrame* frame,
2109 ICFallbackStub* stub, HandleValue val,
2110 MutableHandleValue res) {
2111 stub->incrementEnteredCount();
2112 MaybeNotifyWarp(frame->outerScript(), stub);
2113 FallbackICSpew(cx, stub, "TypeOfEq");
2114
2115 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
2116 auto operand = TypeofEqOperand::fromRawValue(GET_UINT8(pc));
2117 JSType type = operand.type();
2118 JSOp compareOp = operand.compareOp();
2119
2120 TryAttachStub<TypeOfEqIRGenerator>("TypeOfEq", cx, frame, stub, val, type,
2121 compareOp);
2122
2123 bool result = js::TypeOfValue(val) == type;
2124 if (compareOp == JSOp::Ne) {
2125 result = !result;
2126 }
2127 res.setBoolean(result);
2128 return true;
2129}
2130
2131bool FallbackICCodeCompiler::emit_TypeOfEq() {
2132 EmitRestoreTailCallReg(masm);
2133
2134 masm.pushValue(R0);
2135 masm.push(ICStubReg);
2136 pushStubPayload(masm, R0.scratchReg());
2137
2138 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
2139 MutableHandleValue);
2140 return tailCallVM<Fn, DoTypeOfEqFallback>(masm);
2141}
2142
2143//
2144// ToPropertyKey_Fallback
2145//
2146
2147bool DoToPropertyKeyFallback(JSContext* cx, BaselineFrame* frame,
2148 ICFallbackStub* stub, HandleValue val,
2149 MutableHandleValue res) {
2150 stub->incrementEnteredCount();
2151 MaybeNotifyWarp(frame->outerScript(), stub);
2152 FallbackICSpew(cx, stub, "ToPropertyKey");
2153
2154 TryAttachStub<ToPropertyKeyIRGenerator>("ToPropertyKey", cx, frame, stub,
2155 val);
2156
2157 return ToPropertyKeyOperation(cx, val, res);
2158}
2159
2160bool FallbackICCodeCompiler::emit_ToPropertyKey() {
2161 EmitRestoreTailCallReg(masm);
2162
2163 masm.pushValue(R0);
2164 masm.push(ICStubReg);
2165 pushStubPayload(masm, R0.scratchReg());
2166
2167 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
2168 MutableHandleValue);
2169 return tailCallVM<Fn, DoToPropertyKeyFallback>(masm);
2170}
2171
2172//
2173// Rest_Fallback
2174//
2175
2176bool DoRestFallback(JSContext* cx, BaselineFrame* frame, ICFallbackStub* stub,
2177 MutableHandleValue res) {
2178 unsigned numFormals = frame->numFormalArgs() - 1;
2179 unsigned numActuals = frame->numActualArgs();
2180 unsigned numRest = numActuals > numFormals ? numActuals - numFormals : 0;
2181 Value* rest = frame->argv() + numFormals;
2182
2183 ArrayObject* obj = NewDenseCopiedArray(cx, numRest, rest);
2184 if (!obj) {
2185 return false;
2186 }
2187 res.setObject(*obj);
2188 return true;
2189}
2190
2191bool FallbackICCodeCompiler::emit_Rest() {
2192 EmitRestoreTailCallReg(masm);
2193
2194 masm.push(ICStubReg);
2195 pushStubPayload(masm, R0.scratchReg());
2196
2197 using Fn =
2198 bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, MutableHandleValue);
2199 return tailCallVM<Fn, DoRestFallback>(masm);
2200}
2201
2202//
2203// UnaryArith_Fallback
2204//
2205
2206bool DoUnaryArithFallback(JSContext* cx, BaselineFrame* frame,
2207 ICFallbackStub* stub, HandleValue val,
2208 MutableHandleValue res) {
2209 stub->incrementEnteredCount();
2210 MaybeNotifyWarp(frame->outerScript(), stub);
2211
2212 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
2213 JSOp op = JSOp(*pc);
2214 FallbackICSpew(cx, stub, "UnaryArith(%s)", CodeName(op));
2215
2216 switch (op) {
2217 case JSOp::BitNot: {
2218 res.set(val);
2219 if (!BitNot(cx, res, res)) {
2220 return false;
2221 }
2222 break;
2223 }
2224 case JSOp::Pos: {
2225 res.set(val);
2226 if (!ToNumber(cx, res)) {
2227 return false;
2228 }
2229 break;
2230 }
2231 case JSOp::Neg: {
2232 res.set(val);
2233 if (!NegOperation(cx, res, res)) {
2234 return false;
2235 }
2236 break;
2237 }
2238 case JSOp::Inc: {
2239 if (!IncOperation(cx, val, res)) {
2240 return false;
2241 }
2242 break;
2243 }
2244 case JSOp::Dec: {
2245 if (!DecOperation(cx, val, res)) {
2246 return false;
2247 }
2248 break;
2249 }
2250 case JSOp::ToNumeric: {
2251 res.set(val);
2252 if (!ToNumeric(cx, res)) {
2253 return false;
2254 }
2255 break;
2256 }
2257 default:
2258 MOZ_CRASH("Unexpected op")do { do { } while (false); MOZ_ReportCrash("" "Unexpected op"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 2258); AnnotateMozCrashReason("MOZ_CRASH(" "Unexpected op" ")"
); do { *((volatile int*)__null) = 2258; __attribute__((nomerge
)) ::abort(); } while (false); } while (false);
2259 }
2260 MOZ_ASSERT(res.isNumeric())do { static_assert( mozilla::detail::AssertionConditionType<
decltype(res.isNumeric())>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(res.isNumeric()))), 0))) { do
{ } while (false); MOZ_ReportAssertionFailure("res.isNumeric()"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 2260); AnnotateMozCrashReason("MOZ_ASSERT" "(" "res.isNumeric()"
")"); do { *((volatile int*)__null) = 2260; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
2261
2262 TryAttachStub<UnaryArithIRGenerator>("UnaryArith", cx, frame, stub, op, val,
2263 res);
2264 return true;
2265}
2266
2267bool FallbackICCodeCompiler::emit_UnaryArith() {
2268 static_assert(R0 == JSReturnOperand);
2269
2270 // Restore the tail call register.
2271 EmitRestoreTailCallReg(masm);
2272
2273 // Ensure stack is fully synced for the expression decompiler.
2274 masm.pushValue(R0);
2275
2276 // Push arguments.
2277 masm.pushValue(R0);
2278 masm.push(ICStubReg);
2279 pushStubPayload(masm, R0.scratchReg());
2280
2281 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
2282 MutableHandleValue);
2283 return tailCallVM<Fn, DoUnaryArithFallback>(masm);
2284}
2285
2286//
2287// BinaryArith_Fallback
2288//
2289
2290bool DoBinaryArithFallback(JSContext* cx, BaselineFrame* frame,
2291 ICFallbackStub* stub, HandleValue lhs,
2292 HandleValue rhs, MutableHandleValue ret) {
2293 stub->incrementEnteredCount();
2294 MaybeNotifyWarp(frame->outerScript(), stub);
2295
2296 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
2297 JSOp op = JSOp(*pc);
2298 FallbackICSpew(
2299 cx, stub, "CacheIRBinaryArith(%s,%d,%d)", CodeName(op),
2300 int(lhs.isDouble() ? JSVAL_TYPE_DOUBLE : lhs.extractNonDoubleType()),
2301 int(rhs.isDouble() ? JSVAL_TYPE_DOUBLE : rhs.extractNonDoubleType()));
2302
2303 // Don't pass lhs/rhs directly, we need the original values when
2304 // generating stubs.
2305 RootedValue lhsCopy(cx, lhs);
2306 RootedValue rhsCopy(cx, rhs);
2307
2308 // Perform the arith operation.
2309 switch (op) {
2310 case JSOp::Add:
2311 // Do an add.
2312 if (!AddValues(cx, &lhsCopy, &rhsCopy, ret)) {
2313 return false;
2314 }
2315 break;
2316 case JSOp::Sub:
2317 if (!SubValues(cx, &lhsCopy, &rhsCopy, ret)) {
2318 return false;
2319 }
2320 break;
2321 case JSOp::Mul:
2322 if (!MulValues(cx, &lhsCopy, &rhsCopy, ret)) {
2323 return false;
2324 }
2325 break;
2326 case JSOp::Div:
2327 if (!DivValues(cx, &lhsCopy, &rhsCopy, ret)) {
2328 return false;
2329 }
2330 break;
2331 case JSOp::Mod:
2332 if (!ModValues(cx, &lhsCopy, &rhsCopy, ret)) {
2333 return false;
2334 }
2335 break;
2336 case JSOp::Pow:
2337 if (!PowValues(cx, &lhsCopy, &rhsCopy, ret)) {
2338 return false;
2339 }
2340 break;
2341 case JSOp::BitOr: {
2342 if (!BitOr(cx, &lhsCopy, &rhsCopy, ret)) {
2343 return false;
2344 }
2345 break;
2346 }
2347 case JSOp::BitXor: {
2348 if (!BitXor(cx, &lhsCopy, &rhsCopy, ret)) {
2349 return false;
2350 }
2351 break;
2352 }
2353 case JSOp::BitAnd: {
2354 if (!BitAnd(cx, &lhsCopy, &rhsCopy, ret)) {
2355 return false;
2356 }
2357 break;
2358 }
2359 case JSOp::Lsh: {
2360 if (!BitLsh(cx, &lhsCopy, &rhsCopy, ret)) {
2361 return false;
2362 }
2363 break;
2364 }
2365 case JSOp::Rsh: {
2366 if (!BitRsh(cx, &lhsCopy, &rhsCopy, ret)) {
2367 return false;
2368 }
2369 break;
2370 }
2371 case JSOp::Ursh: {
2372 if (!UrshValues(cx, &lhsCopy, &rhsCopy, ret)) {
2373 return false;
2374 }
2375 break;
2376 }
2377 default:
2378 MOZ_CRASH("Unhandled baseline arith op")do { do { } while (false); MOZ_ReportCrash("" "Unhandled baseline arith op"
, "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 2378); AnnotateMozCrashReason("MOZ_CRASH(" "Unhandled baseline arith op"
")"); do { *((volatile int*)__null) = 2378; __attribute__((nomerge
)) ::abort(); } while (false); } while (false);
2379 }
2380
2381 TryAttachStub<BinaryArithIRGenerator>("BinaryArith", cx, frame, stub, op, lhs,
2382 rhs, ret);
2383 return true;
2384}
2385
2386bool FallbackICCodeCompiler::emit_BinaryArith() {
2387 static_assert(R0 == JSReturnOperand);
2388
2389 // Restore the tail call register.
2390 EmitRestoreTailCallReg(masm);
2391
2392 // Ensure stack is fully synced for the expression decompiler.
2393 masm.pushValue(R0);
2394 masm.pushValue(R1);
2395
2396 // Push arguments.
2397 masm.pushValue(R1);
2398 masm.pushValue(R0);
2399 masm.push(ICStubReg);
2400 pushStubPayload(masm, R0.scratchReg());
2401
2402 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
2403 HandleValue, MutableHandleValue);
2404 return tailCallVM<Fn, DoBinaryArithFallback>(masm);
2405}
2406
2407//
2408// Compare_Fallback
2409//
2410bool DoCompareFallback(JSContext* cx, BaselineFrame* frame,
2411 ICFallbackStub* stub, HandleValue lhs, HandleValue rhs,
2412 MutableHandleValue ret) {
2413 stub->incrementEnteredCount();
2414 MaybeNotifyWarp(frame->outerScript(), stub);
2415
2416 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
2417 JSOp op = JSOp(*pc);
2418
2419 FallbackICSpew(cx, stub, "Compare(%s)", CodeName(op));
2420
2421 // Don't pass lhs/rhs directly, we need the original values when
2422 // generating stubs.
2423 RootedValue lhsCopy(cx, lhs);
2424 RootedValue rhsCopy(cx, rhs);
2425
2426 // Perform the compare operation.
2427 bool out;
2428 switch (op) {
2429 case JSOp::Lt:
2430 if (!LessThan(cx, &lhsCopy, &rhsCopy, &out)) {
2431 return false;
2432 }
2433 break;
2434 case JSOp::Le:
2435 if (!LessThanOrEqual(cx, &lhsCopy, &rhsCopy, &out)) {
2436 return false;
2437 }
2438 break;
2439 case JSOp::Gt:
2440 if (!GreaterThan(cx, &lhsCopy, &rhsCopy, &out)) {
2441 return false;
2442 }
2443 break;
2444 case JSOp::Ge:
2445 if (!GreaterThanOrEqual(cx, &lhsCopy, &rhsCopy, &out)) {
2446 return false;
2447 }
2448 break;
2449 case JSOp::Eq:
2450 if (!js::LooselyEqual(cx, lhsCopy, rhsCopy, &out)) {
2451 return false;
2452 }
2453 break;
2454 case JSOp::Ne:
2455 if (!js::LooselyEqual(cx, lhsCopy, rhsCopy, &out)) {
2456 return false;
2457 }
2458 out = !out;
2459 break;
2460 case JSOp::StrictEq:
2461 if (!js::StrictlyEqual(cx, lhsCopy, rhsCopy, &out)) {
2462 return false;
2463 }
2464 break;
2465 case JSOp::StrictNe:
2466 if (!js::StrictlyEqual(cx, lhsCopy, rhsCopy, &out)) {
2467 return false;
2468 }
2469 out = !out;
2470 break;
2471 default:
2472 MOZ_ASSERT_UNREACHABLE("Unhandled baseline compare op")do { static_assert( mozilla::detail::AssertionConditionType<
decltype(false)>::isValid, "invalid assertion condition");
if ((__builtin_expect(!!(!(!!(false))), 0))) { do { } while (
false); MOZ_ReportAssertionFailure("false" " (" "MOZ_ASSERT_UNREACHABLE: "
"Unhandled baseline compare op" ")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 2472); AnnotateMozCrashReason("MOZ_ASSERT" "(" "false" ") ("
"MOZ_ASSERT_UNREACHABLE: " "Unhandled baseline compare op" ")"
); do { *((volatile int*)__null) = 2472; __attribute__((nomerge
)) ::abort(); } while (false); } } while (false);
2473 return false;
2474 }
2475
2476 ret.setBoolean(out);
2477
2478 TryAttachStub<CompareIRGenerator>("Compare", cx, frame, stub, op, lhs, rhs);
2479 return true;
2480}
2481
2482bool FallbackICCodeCompiler::emit_Compare() {
2483 static_assert(R0 == JSReturnOperand);
2484
2485 // Restore the tail call register.
2486 EmitRestoreTailCallReg(masm);
2487
2488 // Ensure stack is fully synced for the expression decompiler.
2489 masm.pushValue(R0);
2490 masm.pushValue(R1);
2491
2492 // Push arguments.
2493 masm.pushValue(R1);
2494 masm.pushValue(R0);
2495 masm.push(ICStubReg);
2496 pushStubPayload(masm, R0.scratchReg());
2497
2498 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
2499 HandleValue, MutableHandleValue);
2500 return tailCallVM<Fn, DoCompareFallback>(masm);
2501}
2502
2503//
2504// NewArray_Fallback
2505//
2506
2507bool DoNewArrayFallback(JSContext* cx, BaselineFrame* frame,
2508 ICFallbackStub* stub, MutableHandleValue res) {
2509 stub->incrementEnteredCount();
2510 MaybeNotifyWarp(frame->outerScript(), stub);
2511 FallbackICSpew(cx, stub, "NewArray");
2512
2513 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
2514
2515 uint32_t length = GET_UINT32(pc);
2516 MOZ_ASSERT(length <= INT32_MAX,do { static_assert( mozilla::detail::AssertionConditionType<
decltype(length <= (2147483647))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(length <= (2147483647))))
, 0))) { do { } while (false); MOZ_ReportAssertionFailure("length <= (2147483647)"
" (" "the bytecode emitter must fail to compile code that would "
"produce a length exceeding int32_t range" ")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 2518); AnnotateMozCrashReason("MOZ_ASSERT" "(" "length <= (2147483647)"
") (" "the bytecode emitter must fail to compile code that would "
"produce a length exceeding int32_t range" ")"); do { *((volatile
int*)__null) = 2518; __attribute__((nomerge)) ::abort(); } while
(false); } } while (false)
2517 "the bytecode emitter must fail to compile code that would "do { static_assert( mozilla::detail::AssertionConditionType<
decltype(length <= (2147483647))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(length <= (2147483647))))
, 0))) { do { } while (false); MOZ_ReportAssertionFailure("length <= (2147483647)"
" (" "the bytecode emitter must fail to compile code that would "
"produce a length exceeding int32_t range" ")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 2518); AnnotateMozCrashReason("MOZ_ASSERT" "(" "length <= (2147483647)"
") (" "the bytecode emitter must fail to compile code that would "
"produce a length exceeding int32_t range" ")"); do { *((volatile
int*)__null) = 2518; __attribute__((nomerge)) ::abort(); } while
(false); } } while (false)
2518 "produce a length exceeding int32_t range")do { static_assert( mozilla::detail::AssertionConditionType<
decltype(length <= (2147483647))>::isValid, "invalid assertion condition"
); if ((__builtin_expect(!!(!(!!(length <= (2147483647))))
, 0))) { do { } while (false); MOZ_ReportAssertionFailure("length <= (2147483647)"
" (" "the bytecode emitter must fail to compile code that would "
"produce a length exceeding int32_t range" ")", "/var/lib/jenkins/workspace/firefox-scan-build/js/src/jit/BaselineIC.cpp"
, 2518); AnnotateMozCrashReason("MOZ_ASSERT" "(" "length <= (2147483647)"
") (" "the bytecode emitter must fail to compile code that would "
"produce a length exceeding int32_t range" ")"); do { *((volatile
int*)__null) = 2518; __attribute__((nomerge)) ::abort(); } while
(false); } } while (false);
2519
2520 Rooted<ArrayObject*> array(cx, NewArrayOperation(cx, length));
2521 if (!array) {
2522 return false;
2523 }
2524
2525 TryAttachStub<NewArrayIRGenerator>("NewArray", cx, frame, stub, JSOp(*pc),
2526 array, frame);
2527
2528 res.setObject(*array);
2529 return true;
2530}
2531
2532bool FallbackICCodeCompiler::emit_NewArray() {
2533 EmitRestoreTailCallReg(masm);
2534
2535 masm.push(ICStubReg); // stub.
2536 masm.pushBaselineFramePtr(FramePointer, R0.scratchReg());
2537
2538 using Fn =
2539 bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, MutableHandleValue);
2540 return tailCallVM<Fn, DoNewArrayFallback>(masm);
2541}
2542
2543//
2544// NewObject_Fallback
2545//
2546bool DoNewObjectFallback(JSContext* cx, BaselineFrame* frame,
2547 ICFallbackStub* stub, MutableHandleValue res) {
2548 stub->incrementEnteredCount();
2549 MaybeNotifyWarp(frame->outerScript(), stub);
2550 FallbackICSpew(cx, stub, "NewObject");
2551
2552 RootedScript script(cx, frame->script());
2553 jsbytecode* pc = StubOffsetToPc(stub, script);
2554
2555 RootedObject obj(cx, NewObjectOperation(cx, script, pc));
2556 if (!obj) {
2557 return false;
2558 }
2559
2560 TryAttachStub<NewObjectIRGenerator>("NewObject", cx, frame, stub, JSOp(*pc),
2561 obj, frame);
2562
2563 res.setObject(*obj);
2564 return true;
2565}
2566
2567bool FallbackICCodeCompiler::emit_NewObject() {
2568 EmitRestoreTailCallReg(masm);
2569
2570 masm.push(ICStubReg); // stub.
2571 pushStubPayload(masm, R0.scratchReg());
2572
2573 using Fn =
2574 bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, MutableHandleValue);
2575 return tailCallVM<Fn, DoNewObjectFallback>(masm);
2576}
2577
2578//
2579// Lambda_Fallback
2580//
2581
2582bool DoLambdaFallback(JSContext* cx, BaselineFrame* frame, ICFallbackStub* stub,
2583 MutableHandleValue res) {
2584 stub->incrementEnteredCount();
2585 MaybeNotifyWarp(frame->outerScript(), stub);
2586 FallbackICSpew(cx, stub, "Lambda");
2587
2588 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
2589
2590 Rooted<JSFunction*> fun(cx, frame->script()->getFunction(pc));
2591 Rooted<JSObject*> env(cx, frame->environmentChain());
2592
2593 TryAttachStub<LambdaIRGenerator>("Lambda", cx, frame, stub, JSOp(*pc), fun,
2594 frame);
2595
2596 JSObject* clone = Lambda(cx, fun, env);
2597 if (!clone) {
2598 return false;
2599 }
2600
2601 res.setObject(*clone);
2602 return true;
2603}
2604
2605bool FallbackICCodeCompiler::emit_Lambda() {
2606 EmitRestoreTailCallReg(masm);
2607
2608 masm.push(ICStubReg);
2609 masm.pushBaselineFramePtr(FramePointer, R0.scratchReg());
2610
2611 using Fn =
2612 bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, MutableHandleValue);
2613 return tailCallVM<Fn, DoLambdaFallback>(masm);
2614}
2615
2616//
2617// CloseIter_Fallback
2618//
2619
2620bool DoCloseIterFallback(JSContext* cx, BaselineFrame* frame,
2621 ICFallbackStub* stub, HandleObject iter) {
2622 stub->incrementEnteredCount();
2623 MaybeNotifyWarp(frame->outerScript(), stub);
2624 FallbackICSpew(cx, stub, "CloseIter");
2625
2626 jsbytecode* pc = StubOffsetToPc(stub, frame->script());
2627 CompletionKind kind = CompletionKind(GET_UINT8(pc));
2628
2629 TryAttachStub<CloseIterIRGenerator>("CloseIter", cx, frame, stub, iter, kind);
2630
2631 return CloseIterOperation(cx, iter, kind);
2632}
2633
2634bool FallbackICCodeCompiler::emit_CloseIter() {
2635 EmitRestoreTailCallReg(masm);
2636
2637 masm.push(R0.scratchReg());
2638 masm.push(ICStubReg);
2639 pushStubPayload(masm, R0.scratchReg());
2640
2641 using Fn =
2642 bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleObject);
2643 return tailCallVM<Fn, DoCloseIterFallback>(masm);
2644}
2645
2646//
2647// OptimizeGetIterator_Fallback
2648//
2649
2650bool DoOptimizeGetIteratorFallback(JSContext* cx, BaselineFrame* frame,
2651 ICFallbackStub* stub, HandleValue value,
2652 MutableHandleValue res) {
2653 stub->incrementEnteredCount();
2654 MaybeNotifyWarp(frame->outerScript(), stub);
2655 FallbackICSpew(cx, stub, "OptimizeGetIterator");
2656
2657 TryAttachStub<OptimizeGetIteratorIRGenerator>("OptimizeGetIterator", cx,
2658 frame, stub, value);
2659
2660 bool result;
2661 if (!OptimizeGetIterator(cx, value, &result)) {
2662 return false;
2663 }
2664 res.setBoolean(result);
2665 return true;
2666}
2667
2668bool FallbackICCodeCompiler::emit_OptimizeGetIterator() {
2669 EmitRestoreTailCallReg(masm);
2670
2671 masm.pushValue(R0);
2672 masm.push(ICStubReg);
2673 pushStubPayload(masm, R0.scratchReg());
2674
2675 using Fn = bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, HandleValue,
2676 MutableHandleValue);
2677 return tailCallVM<Fn, DoOptimizeGetIteratorFallback>(masm);
2678}
2679
2680//
2681// GetImport_Fallback
2682//
2683
2684bool DoGetImportFallback(JSContext* cx, BaselineFrame* frame,
2685 ICFallbackStub* stub, MutableHandleValue res) {
2686 stub->incrementEnteredCount();
2687 MaybeNotifyWarp(frame->outerScript(), stub);
2688 FallbackICSpew(cx, stub, "GetImport");
2689
2690 RootedObject envChain(cx, frame->environmentChain());
2691 RootedScript script(cx, frame->script());
2692 jsbytecode* pc = StubOffsetToPc(stub, script);
2693
2694 TryAttachStub<GetImportIRGenerator>("GetImport", cx, frame, stub);
2695
2696 return GetImportOperation(cx, envChain, script, pc, res);
2697}
2698
2699bool FallbackICCodeCompiler::emit_GetImport() {
2700 EmitRestoreTailCallReg(masm);
2701
2702 masm.push(ICStubReg);
2703 pushStubPayload(masm, R0.scratchReg());
2704
2705 using Fn =
2706 bool (*)(JSContext*, BaselineFrame*, ICFallbackStub*, MutableHandleValue);
2707 return tailCallVM<Fn, DoGetImportFallback>(masm);
2708}
2709
2710bool JitRuntime::generateBaselineICFallbackCode(JSContext* cx) {
2711 TempAllocator temp(&cx->tempLifoAlloc());
2712 StackMacroAssembler masm(cx, temp);
2713 PerfSpewerRangeRecorder rangeRecorder(masm);
2714 AutoCreatedBy acb(masm, "JitRuntime::generateBaselineICFallbackCode");
2715
2716 BaselineICFallbackCode& fallbackCode = baselineICFallbackCode_.ref();
2717 FallbackICCodeCompiler compiler(cx, fallbackCode, masm);
2718
2719 JitSpew(JitSpew_Codegen, "# Emitting Baseline IC fallback code");
2720
2721#define EMIT_CODE(kind) \
2722 { \
2723 AutoCreatedBy acb(masm, "kind=" #kind); \
2724 uint32_t offset = startTrampolineCode(masm); \
2725 InitMacroAssemblerForICStub(masm); \
2726 if (!compiler.emit_##kind()) { \
2727 return false; \
2728 } \
2729 fallbackCode.initOffset(BaselineICFallbackKind::kind, offset); \
2730 rangeRecorder.recordOffset("BaselineICFallback: " #kind); \
2731 }
2732 IC_BASELINE_FALLBACK_CODE_KIND_LIST(EMIT_CODE)EMIT_CODE(NewArray) EMIT_CODE(NewObject) EMIT_CODE(Lambda) EMIT_CODE
(ToBool) EMIT_CODE(UnaryArith) EMIT_CODE(Call) EMIT_CODE(CallConstructing
) EMIT_CODE(SpreadCall) EMIT_CODE(SpreadCallConstructing) EMIT_CODE
(GetElem) EMIT_CODE(GetElemSuper) EMIT_CODE(SetElem) EMIT_CODE
(In) EMIT_CODE(HasOwn) EMIT_CODE(CheckPrivateField) EMIT_CODE
(GetName) EMIT_CODE(BindName) EMIT_CODE(LazyConstant) EMIT_CODE
(SetProp) EMIT_CODE(GetIterator) EMIT_CODE(OptimizeSpreadCall
) EMIT_CODE(InstanceOf) EMIT_CODE(TypeOf) EMIT_CODE(TypeOfEq)
EMIT_CODE(ToPropertyKey) EMIT_CODE(Rest) EMIT_CODE(BinaryArith
) EMIT_CODE(Compare) EMIT_CODE(GetProp) EMIT_CODE(GetPropSuper
) EMIT_CODE(CloseIter) EMIT_CODE(OptimizeGetIterator) EMIT_CODE
(GetImport)
2733#undef EMIT_CODE
2734
2735 Linker linker(masm);
2736 JitCode* code = linker.newCode(cx, CodeKind::Other);
2737 if (!code) {
2738 return false;
2739 }
2740
2741 rangeRecorder.collectRangesForJitCode(code);
2742
2743#ifdef MOZ_VTUNE1
2744 vtune::MarkStub(code, "BaselineICFallback");
2745#endif
2746
2747 fallbackCode.initCode(code);
2748 return true;
2749}
2750
2751} // namespace jit
2752} // namespace js