[MERGE #6142 @pleath] OSG:20015601 Do not clear inlinee callinfo prior to a bailout, as we need the callinfo to help us box stack args and set up the interpreter instance

pleath · pleath · commit 79adb492a9e1 · 2019-06-06T15:11:39.000-07:00
Merge pull request #6142 from pleath:20015601
diff --git a/lib/Backend/BailOut.cpp b/lib/Backend/BailOut.cpp
@@ -1258,6 +1258,8 @@ BailOutRecord::BailOutInlinedHelper(Js::JavascriptCallStackLayout * layout, Bail
     }
 
     // Let's restore the inline stack - so that in case of a stack walk we have it available
+    InlinedFrameLayout *inlinedFrameToRestore = nullptr;
+    Js::ArgSlot clearedCallInfoCount = 0;
     if (entryPointInfo->HasInlinees())
     {
         InlineeFrameRecord* inlineeFrameRecord = entryPointInfo->FindInlineeFrame(returnAddress);
@@ -1267,14 +1269,20 @@ BailOutRecord::BailOutInlinedHelper(Js::JavascriptCallStackLayout * layout, Bail
             // object, the cached version (that was previously boxed) will be reused to maintain pointer identity and correctness
             // after the transition to the interpreter.
             InlinedFrameLayout* outerMostFrame = (InlinedFrameLayout *)(((uint8 *)Js::JavascriptCallStackLayout::ToFramePointer(layout)) - entryPointInfo->GetFrameHeight());
-            inlineeFrameRecord->RestoreFrames(functionBody, outerMostFrame, layout, true /* boxArgs */);
+            inlineeFrameRecord->RestoreFrames(functionBody, outerMostFrame, layout, true /*boxArgs*/, &inlinedFrameToRestore, &clearedCallInfoCount);
         }
     }
 
     do
     {
         InlinedFrameLayout *inlinedFrame = (InlinedFrameLayout *)(((char *)layout) + currentBailOutRecord->globalBailOutRecordTable->firstActualStackOffset);
         Js::InlineeCallInfo inlineeCallInfo = inlinedFrame->callInfo;
+        if (inlinedFrameToRestore == inlinedFrame)
+        {
+            // Restore the frame's callinfo count prior to using it to create an interpreter instance
+            Assert(inlineeCallInfo.Count == 0);
+            inlineeCallInfo.Count = clearedCallInfoCount;
+        }
         Assert((Js::ArgSlot)inlineeCallInfo.Count == currentBailOutRecord->actualCount);
 
         Js::CallFlags callFlags = Js::CallFlags_Value;
diff --git a/lib/Backend/InlineeFrameInfo.cpp b/lib/Backend/InlineeFrameInfo.cpp
@@ -243,7 +243,7 @@ void InlineeFrameRecord::Restore(Js::FunctionBody* functionBody, InlinedFrameLay
 // Note: the boxValues parameter should be true when this is called from a Bailout codepath to ensure that multiple vars to
 // the same object reuse the cached value during the transition to the interpreter.
 // Otherwise, this parameter should be false as the values are not required to be moved to the heap to restore the frame.
-void InlineeFrameRecord::RestoreFrames(Js::FunctionBody* functionBody, InlinedFrameLayout* outerMostFrame, Js::JavascriptCallStackLayout* callstack, bool boxValues)
+void InlineeFrameRecord::RestoreFrames(Js::FunctionBody* functionBody, InlinedFrameLayout* outerMostFrame, Js::JavascriptCallStackLayout* callstack, bool boxValues, InlinedFrameLayout **ppInlinedFrameToRestore, Js::ArgSlot *pClearedCallInfoCount)
 {
     InlineeFrameRecord* innerMostRecord = this;
     class AutoReverse
@@ -287,6 +287,12 @@ void InlineeFrameRecord::RestoreFrames(Js::FunctionBody* functionBody, InlinedFr
     }
 
     // Terminate the inlined stack
+    if (ppInlinedFrameToRestore)
+    {
+        // Tell the caller that we need to restore this frame's callinfo count before using it to create an interpreter instance
+        *ppInlinedFrameToRestore = currentFrame;
+        *pClearedCallInfoCount = currentFrame->callInfo.Count;
+    }
     currentFrame->callInfo.Count = 0;
 }
 
diff --git a/lib/Backend/InlineeFrameInfo.h b/lib/Backend/InlineeFrameInfo.h
@@ -110,7 +110,7 @@ struct InlineeFrameRecord
     }
 
     void PopulateParent(Func* func);
-    void RestoreFrames(Js::FunctionBody* functionBody, InlinedFrameLayout* outerMostInlinee, Js::JavascriptCallStackLayout* callstack, bool boxValues);
+    void RestoreFrames(Js::FunctionBody* functionBody, InlinedFrameLayout* outerMostInlinee, Js::JavascriptCallStackLayout* callstack, bool boxValues, InlinedFrameLayout ** ppInlinedFrameToRestore = nullptr, Js::ArgSlot *pClearedCallInfoCount = nullptr);
     void Finalize(Func* inlinee, uint currentOffset);
 #if DBG_DUMP
     void Dump() const;
diff --git a/test/Function/rlexe.xml b/test/Function/rlexe.xml
@@ -453,6 +453,11 @@
       <baseline>stackArgsLenConstOpt.baseline</baseline>
     </default>
   </test>
+  <test>
+    <default>
+      <files>stackArgsWithInlineeBailOut.js</files>
+    </default>
+  </test>
   <test>
     <default>
       <files>childCallsEvalJitLoopBody.js</files>
diff --git a/test/Function/stackArgsWithInlineeBailOut.js b/test/Function/stackArgsWithInlineeBailOut.js
@@ -0,0 +1,15 @@
+var gi = 3;
+var bigArray = new Array(50);
+bigArray.fill(42);
+function foo() {
+return arguments[gi];
+}
+function bar() {
+bigArray.every(function (x) {
+foo();
+});
+}
+for (var i = 0; i < 3; ++i) {
+bar();
+}
+WScript.Echo('pass');

Original file line number	Diff line number	Diff line change
`@@ -1258,6 +1258,8 @@ BailOutRecord::BailOutInlinedHelper(Js::JavascriptCallStackLayout * layout, Bail`
`1258`	`1258`	`}`
`1259`	`1259`
`1260`	`1260`	`// Let's restore the inline stack - so that in case of a stack walk we have it available`
	`1261`	`+ InlinedFrameLayout *inlinedFrameToRestore = nullptr;`
	`1262`	`+ Js::ArgSlot clearedCallInfoCount = 0;`
`1261`	`1263`	`if (entryPointInfo->HasInlinees())`
`1262`	`1264`	`{`
`1263`	`1265`	`InlineeFrameRecord* inlineeFrameRecord = entryPointInfo->FindInlineeFrame(returnAddress);`
`@@ -1267,14 +1269,20 @@ BailOutRecord::BailOutInlinedHelper(Js::JavascriptCallStackLayout * layout, Bail`
`1267`	`1269`	`// object, the cached version (that was previously boxed) will be reused to maintain pointer identity and correctness`
`1268`	`1270`	`// after the transition to the interpreter.`
`1269`	`1271`	`InlinedFrameLayout* outerMostFrame = (InlinedFrameLayout )(((uint8 )Js::JavascriptCallStackLayout::ToFramePointer(layout)) - entryPointInfo->GetFrameHeight());`
`1270`		`- inlineeFrameRecord->RestoreFrames(functionBody, outerMostFrame, layout, true /* boxArgs */);`
	`1272`	`+ inlineeFrameRecord->RestoreFrames(functionBody, outerMostFrame, layout, true /boxArgs/, &inlinedFrameToRestore, &clearedCallInfoCount);`
`1271`	`1273`	`}`
`1272`	`1274`	`}`
`1273`	`1275`
`1274`	`1276`	`do`
`1275`	`1277`	`{`
`1276`	`1278`	`InlinedFrameLayout inlinedFrame = (InlinedFrameLayout )(((char *)layout) + currentBailOutRecord->globalBailOutRecordTable->firstActualStackOffset);`
`1277`	`1279`	`Js::InlineeCallInfo inlineeCallInfo = inlinedFrame->callInfo;`
	`1280`	`+ if (inlinedFrameToRestore == inlinedFrame)`
	`1281`	`+ {`
	`1282`	`+ // Restore the frame's callinfo count prior to using it to create an interpreter instance`
	`1283`	`+ Assert(inlineeCallInfo.Count == 0);`
	`1284`	`+ inlineeCallInfo.Count = clearedCallInfoCount;`
	`1285`	`+ }`
`1278`	`1286`	`Assert((Js::ArgSlot)inlineeCallInfo.Count == currentBailOutRecord->actualCount);`
`1279`	`1287`
`1280`	`1288`	`Js::CallFlags callFlags = Js::CallFlags_Value;`
Original file line number	Diff line number	Diff line change
`@@ -243,7 +243,7 @@ void InlineeFrameRecord::Restore(Js::FunctionBody* functionBody, InlinedFrameLay`
`243`	`243`	`// Note: the boxValues parameter should be true when this is called from a Bailout codepath to ensure that multiple vars to`
`244`	`244`	`// the same object reuse the cached value during the transition to the interpreter.`
`245`	`245`	`// Otherwise, this parameter should be false as the values are not required to be moved to the heap to restore the frame.`
`246`		`-void InlineeFrameRecord::RestoreFrames(Js::FunctionBody* functionBody, InlinedFrameLayout* outerMostFrame, Js::JavascriptCallStackLayout* callstack, bool boxValues)`
	`246`	`+void InlineeFrameRecord::RestoreFrames(Js::FunctionBody* functionBody, InlinedFrameLayout* outerMostFrame, Js::JavascriptCallStackLayout* callstack, bool boxValues, InlinedFrameLayout *ppInlinedFrameToRestore, Js::ArgSlot pClearedCallInfoCount)`
`247`	`247`	`{`
`248`	`248`	`InlineeFrameRecord* innerMostRecord = this;`
`249`	`249`	`class AutoReverse`
`@@ -287,6 +287,12 @@ void InlineeFrameRecord::RestoreFrames(Js::FunctionBody* functionBody, InlinedFr`
`287`	`287`	`}`
`288`	`288`
`289`	`289`	`// Terminate the inlined stack`
	`290`	`+ if (ppInlinedFrameToRestore)`
	`291`	`+ {`
	`292`	`+ // Tell the caller that we need to restore this frame's callinfo count before using it to create an interpreter instance`
	`293`	`+ *ppInlinedFrameToRestore = currentFrame;`
	`294`	`+ *pClearedCallInfoCount = currentFrame->callInfo.Count;`
	`295`	`+ }`
`290`	`296`	`currentFrame->callInfo.Count = 0;`
`291`	`297`	`}`
`292`	`298`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ struct InlineeFrameRecord`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`void PopulateParent(Func* func);`
`113`		`- void RestoreFrames(Js::FunctionBody* functionBody, InlinedFrameLayout* outerMostInlinee, Js::JavascriptCallStackLayout* callstack, bool boxValues);`
	`113`	`+ void RestoreFrames(Js::FunctionBody* functionBody, InlinedFrameLayout* outerMostInlinee, Js::JavascriptCallStackLayout* callstack, bool boxValues, InlinedFrameLayout ** ppInlinedFrameToRestore = nullptr, Js::ArgSlot *pClearedCallInfoCount = nullptr);`
`114`	`114`	`void Finalize(Func* inlinee, uint currentOffset);`
`115`	`115`	`#if DBG_DUMP`
`116`	`116`	`void Dump() const;`