Bug 866888 part 4 - Move bailout tail code to its own stub. r=h4writer

js/src/ion/Ion.cpp

@@ -171,6 +171,7 @@ ion::InitializeIon()
 IonRuntime::IonRuntime()
   : execAlloc_(NULL),
     exceptionTail_(NULL),
+    bailoutTail_(NULL),
     enterJIT_(NULL),
     bailoutHandler_(NULL),
     argumentsRectifier_(NULL),
@@ -214,6 +215,10 @@ IonRuntime::initialize(JSContext *cx)
     if (!exceptionTail_)
         return false;
 
+    bailoutTail_ = generateBailoutTailStub(cx);
+    if (!bailoutTail_)
+        return false;
+
     if (cx->runtime()->jitSupportsFloatingPoint) {
         // Initialize some Ion-only stubs that require floating-point support.
         if (!bailoutTables_.reserve(FrameSizeClass::ClassLimit().classId()))

js/src/ion/IonCompartment.h

@@ -129,6 +129,9 @@ class IonRuntime
     // Shared post-exception-handler tail
     IonCode *exceptionTail_;
 
+    // Shared post-bailout-handler tail.
+    IonCode *bailoutTail_;
+
     // Trampoline for entering JIT code. Contains OSR prologue.
     IonCode *enterJIT_;
 
@@ -173,6 +176,7 @@ class IonRuntime
 
   private:
     IonCode *generateExceptionTailStub(JSContext *cx);
+    IonCode *generateBailoutTailStub(JSContext *cx);
     IonCode *generateEnterJIT(JSContext *cx, EnterJitType type);
     IonCode *generateArgumentsRectifier(JSContext *cx, ExecutionMode mode, void **returnAddrOut);
     IonCode *generateBailoutTable(JSContext *cx, uint32_t frameClass);
@@ -292,6 +296,10 @@ class IonCompartment
         return rt->exceptionTail_;
     }
 
+    IonCode *getBailoutTail() {
+        return rt->bailoutTail_;
+    }
+
     IonCode *getBailoutTable(const FrameSizeClass &frameClass);
 
     IonCode *getArgumentsRectifier(ExecutionMode mode) {

js/src/ion/arm/Trampoline-arm.cpp

@@ -346,7 +346,11 @@ IonRuntime::generateInvalidator(JSContext *cx)
     // remove the space that this frame was using before the bailout
     // (computed by InvalidationBailout)
     masm.ma_add(sp, r1, sp);
-    masm.generateBailoutTail(r1, r2);
+
+    // Jump to shared bailout tail. The BailoutInfo pointer has to be in r2.
+    IonCode *bailoutTail = cx->compartment()->ionCompartment()->getBailoutTail();
+    masm.branch(bailoutTail);
+
     Linker linker(masm);
     IonCode *code = linker.newCode(cx, JSC::OTHER_CODE);
     IonSpew(IonSpew_Invalidate, "   invalidation thunk created at %p", (void *) code->raw());
@@ -456,7 +460,7 @@ IonRuntime::generateArgumentsRectifier(JSContext *cx, ExecutionMode mode, void *
 }
 
 static void
-GenerateBailoutThunk(MacroAssembler &masm, uint32_t frameClass)
+GenerateBailoutThunk(JSContext *cx, MacroAssembler &masm, uint32_t frameClass)
 {
     // the stack should look like:
     // [IonFrame]
@@ -510,10 +514,6 @@ GenerateBailoutThunk(MacroAssembler &masm, uint32_t frameClass)
     masm.mov(sp, r1);
     masm.setupAlignedABICall(2);
 
-    // Copy the present stack pointer into a temp register (it happens to be the
-    // argument register)
-    //masm.as_mov(r0, O2Reg(sp));
-
     // Decrement sp by another 4, so we keep alignment
     // Not Anymore!  pushing both the snapshotoffset as well as the
     // masm.as_sub(sp, sp, Imm8(4));
@@ -550,7 +550,10 @@ GenerateBailoutThunk(MacroAssembler &masm, uint32_t frameClass)
                           + bailoutFrameSize) // everything else that was pushed on the stack
                     , sp);
     }
-    masm.generateBailoutTail(r1, r2);
+
+    // Jump to shared bailout tail. The BailoutInfo pointer has to be in r2.
+    IonCode *bailoutTail = cx->compartment()->ionCompartment()->getBailoutTail();
+    masm.branch(bailoutTail);
 }
 
 IonCode *
@@ -563,7 +566,7 @@ IonRuntime::generateBailoutTable(JSContext *cx, uint32_t frameClass)
         masm.ma_bl(&bailout);
     masm.bind(&bailout);
 
-    GenerateBailoutThunk(masm, frameClass);
+    GenerateBailoutThunk(cx, masm, frameClass);
 
     Linker linker(masm);
     return linker.newCode(cx, JSC::OTHER_CODE);
@@ -573,7 +576,7 @@ IonCode *
 IonRuntime::generateBailoutHandler(JSContext *cx)
 {
     MacroAssembler masm(cx);
-    GenerateBailoutThunk(masm, NO_FRAME_SIZE_CLASS_ID);
+    GenerateBailoutThunk(cx, masm, NO_FRAME_SIZE_CLASS_ID);
 
     Linker linker(masm);
     return linker.newCode(cx, JSC::OTHER_CODE);
@@ -835,3 +838,14 @@ IonRuntime::generateExceptionTailStub(JSContext *cx)
     Linker linker(masm);
     return linker.newCode(cx, JSC::OTHER_CODE);
 }
+
+IonCode *
+IonRuntime::generateBailoutTailStub(JSContext *cx)
+{
+    MacroAssembler masm;
+
+    masm.generateBailoutTail(r1, r2);
+
+    Linker linker(masm);
+    return linker.newCode(cx, JSC::OTHER_CODE);
+}

js/src/ion/x64/Trampoline-x64.cpp

@@ -310,7 +310,9 @@ IonRuntime::generateInvalidator(JSContext *cx)
     // Pop the machine state and the dead frame.
     masm.lea(Operand(rsp, rbx, TimesOne, sizeof(InvalidationBailoutStack)), rsp);
 
-    masm.generateBailoutTail(rdx, r9);
+    // Jump to shared bailout tail. The BailoutInfo pointer has to be in r9.
+    IonCode *bailoutTail = cx->compartment()->ionCompartment()->getBailoutTail();
+    masm.jmp(bailoutTail);
 
     Linker linker(masm);
     return linker.newCode(cx, JSC::OTHER_CODE);
@@ -442,7 +444,9 @@ GenerateBailoutThunk(JSContext *cx, MacroAssembler &masm, uint32_t frameClass)
     masm.pop(rcx);
     masm.lea(Operand(rsp, rcx, TimesOne, sizeof(void *)), rsp);
 
-    masm.generateBailoutTail(rdx, r9);
+    // Jump to shared bailout tail. The BailoutInfo pointer has to be in r9.
+    IonCode *bailoutTail = cx->compartment()->ionCompartment()->getBailoutTail();
+    masm.jmp(bailoutTail);
 }
 
 IonCode *
@@ -726,3 +730,14 @@ IonRuntime::generateExceptionTailStub(JSContext *cx)
     Linker linker(masm);
     return linker.newCode(cx, JSC::OTHER_CODE);
 }
+
+IonCode *
+IonRuntime::generateBailoutTailStub(JSContext *cx)
+{
+    MacroAssembler masm;
+
+    masm.generateBailoutTail(rdx, r9);
+
+    Linker linker(masm);
+    return linker.newCode(cx, JSC::OTHER_CODE);
+}

js/src/ion/x86/Trampoline-x86.cpp

@@ -296,7 +296,9 @@ IonRuntime::generateInvalidator(JSContext *cx)
     // Pop the machine state and the dead frame.
     masm.lea(Operand(esp, ebx, TimesOne, sizeof(InvalidationBailoutStack)), esp);
 
-    masm.generateBailoutTail(edx, ecx);
+    // Jump to shared bailout tail. The BailoutInfo pointer has to be in ecx.
+    IonCode *bailoutTail = cx->compartment()->ionCompartment()->getBailoutTail();
+    masm.jmp(bailoutTail);
 
     Linker linker(masm);
     IonCode *code = linker.newCode(cx, JSC::OTHER_CODE);
@@ -430,7 +432,7 @@ GenerateBailoutThunk(JSContext *cx, MacroAssembler &masm, uint32_t frameClass)
     masm.passABIArg(ebx);
     masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, Bailout));
 
-    masm.pop(ebx); // Get bailoutInfo outparam.
+    masm.pop(ecx); // Get bailoutInfo outparam.
 
     // Common size of stuff we've pushed.
     const uint32_t BailoutDataSize = sizeof(void *) + // frameClass
@@ -445,9 +447,9 @@ GenerateBailoutThunk(JSContext *cx, MacroAssembler &masm, uint32_t frameClass)
         //    frameSize
         //    ... bailoutFrame ...
         masm.addl(Imm32(BailoutDataSize), esp);
-        masm.pop(ecx);
+        masm.pop(ebx);
         masm.addl(Imm32(sizeof(uint32_t)), esp);
-        masm.addl(ecx, esp);
+        masm.addl(ebx, esp);
     } else {
         // Stack is:
         //    ... frame ...
@@ -457,7 +459,9 @@ GenerateBailoutThunk(JSContext *cx, MacroAssembler &masm, uint32_t frameClass)
         masm.addl(Imm32(BailoutDataSize + sizeof(void *) + frameSize), esp);
     }
 
-    masm.generateBailoutTail(edx, ebx);
+    // Jump to shared bailout tail. The BailoutInfo pointer has to be in ecx.
+    IonCode *bailoutTail = cx->compartment()->ionCompartment()->getBailoutTail();
+    masm.jmp(bailoutTail);
 }
 
 IonCode *
@@ -752,3 +756,14 @@ IonRuntime::generateExceptionTailStub(JSContext *cx)
     Linker linker(masm);
     return linker.newCode(cx, JSC::OTHER_CODE);
 }
+
+IonCode *
+IonRuntime::generateBailoutTailStub(JSContext *cx)
+{
+    MacroAssembler masm;
+
+    masm.generateBailoutTail(edx, ecx);
+
+    Linker linker(masm);
+    return linker.newCode(cx, JSC::OTHER_CODE);
+}