Insert a ByteCodeUses instr for arguments when inlining apply target

Author: Kevin Smith

lib/Backend/Inline.cpp

@@ -3088,15 +3088,23 @@ bool Inline::InlineApplyScriptTarget(IR::Instr *callInstr, const FunctionJITTime
         // set src1 to avoid CSE on BailOnNotStackArgs for different arguments object
         bailOutOnNotStackArgs->SetSrc1(argumentsObjArgOut->GetSrc1()->Copy(this->topFunc));
         argumentsObjArgOut->InsertBefore(bailOutOnNotStackArgs);
+
+        // Insert ByteCodeUses instr to ensure that arguments object is available on bailout
+        IR::ByteCodeUsesInstr* bytecodeUses = IR::ByteCodeUsesInstr::New(callInstr);
+        IR::Opnd* argSrc1 = argObjByteCodeArgoutCapture->GetSrc1();
+        bytecodeUses->SetRemovedOpndSymbol(argSrc1->GetIsJITOptimizedReg(), argSrc1->GetStackSym()->m_id);
+        callInstr->InsertBefore(bytecodeUses);
     }
 
     IR::Instr* byteCodeArgOutUse = IR::Instr::New(Js::OpCode::BytecodeArgOutUse, callInstr->m_func);
     byteCodeArgOutUse->SetSrc1(implicitThisArgOut->GetSrc1());
+    callInstr->InsertBefore(byteCodeArgOutUse);
     if (argumentsObjArgOut)
     {
-        byteCodeArgOutUse->SetSrc2(argumentsObjArgOut->GetSrc1());
+        byteCodeArgOutUse = IR::Instr::New(Js::OpCode::BytecodeArgOutUse, callInstr->m_func);
+        byteCodeArgOutUse->SetSrc1(argumentsObjArgOut->GetSrc1());
+        callInstr->InsertBefore(byteCodeArgOutUse);
     }
-    callInstr->InsertBefore(byteCodeArgOutUse);
 
     // don't need the implicit "this" anymore
     explicitThisArgOut->ReplaceSrc2(startCall->GetDst());

lib/Backend/Sym.cpp

@@ -48,6 +48,7 @@ StackSym::New(SymID id, IRType type, Js::RegSlot byteCodeRegSlot, Func *func)
     stackSym->m_isTypeSpec = false;
     stackSym->m_isArgSlotSym = false;
     stackSym->m_isArgSlotRegSym = false;
+    stackSym->m_nonEscapingArgObjAlias = false;
     stackSym->m_isParamSym = false;
     stackSym->m_isImplicitParamSym = false;
     stackSym->m_isBailOutReferenced = false;

test/inlining/applyBailoutArgs.js

@@ -0,0 +1,27 @@
+var hasArgs = true;
+
+function method0() {}
+
+function f1(a = (hasArgs = false)) {}
+  
+function f2() {
+  this.method0.apply(this, arguments);
+}
+
+function test0() {
+  var obj1 = {};
+  obj1.method0 = f1;
+  obj1.method1 = f2;
+  obj1.method1.call(undefined);
+  obj1.method1(1);
+}
+
+test0();
+test0();
+test0();
+
+if (hasArgs) {
+  WScript.Echo('Passed');
+} else {
+  WScript.Echo('Arguments not passed to inlinee on bailout');
+}

test/inlining/rlexe.xml

@@ -107,6 +107,11 @@
       <compile-flags>-maxinterpretcount:1 -maxsimplejitruncount:0</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>applyBailoutArgs.js</files>
+    </default>
+  </test>
   <test>
     <default>
       <files>bugs.js</files>