From b54321eac97ed852efde1edb943acf69163ea004 Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Fri, 9 Feb 2024 12:37:33 +0000
Subject: [PATCH] Bug 1876425 part 1 - Stop using trial inlined ICScripts
 during bailout if needed. r=iain, a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D201213
---
 js/src/jit/BaselineBailouts.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/js/src/jit/BaselineBailouts.cpp b/js/src/jit/BaselineBailouts.cpp
index c82a05d0ea2f1..c13bddf97be44 100644
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -125,6 +125,8 @@ class MOZ_STACK_CLASS BaselineStackBuilder {
 
   BailoutKind bailoutKind_;
 
+  bool canUseTrialInlinedICScripts_ = true;
+
   // The baseline frames we will reconstruct on the heap are not
   // rooted, so GC must be suppressed.
   gc::AutoSuppressGC suppress_;
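Review bot: The new member `canUseTrialInlinedICScripts_` is the only field in this stretch of the class without a comment, and its name alone does not say when it flips or what it guards. A two-line comment above it, grounded in how setNextCallee uses it later in this patch, would help: `// Cleared once a callee in this bailout had to fall back to its JitScript's default ICScript; from then on setNextCallee never descends into trial-inlined child ICScripts.` The reason the fallback poisons later frames (presumably the inlined child tree no longer matches the frames being rebuilt) is not visible here and is worth a sentence from the author. The class body continues outside the hunk.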
@@ -486,7 +488,8 @@ void BaselineStackBuilder::setNextCallee(
     JSFunction* nextCallee, TrialInliningState trialInliningState) {
   nextCallee_ = nextCallee;
 
-  if (trialInliningState == TrialInliningState::Inlined) {
+  if (trialInliningState == TrialInliningState::Inlined &&
+      canUseTrialInlinedICScripts_) {
     // Update icScript_ to point to the icScript of nextCallee
     const uint32_t pcOff = script_->pcToOffset(pc_);
     icScript_ = icScript_->findInlinedChild(pcOff);
@@ -496,6 +499,9 @@ void BaselineStackBuilder::setNextCallee(
     // inlined ICScript available, but we also could not if we transitioned
     // to TrialInliningState::Failure after being monomorphic inlined.
     icScript_ = nextCallee->nonLazyScript()->jitScript()->icScript();
+    if (trialInliningState != TrialInliningState::MonomorphicInlined) {
+      canUseTrialInlinedICScripts_ = false;
+    }
   }
 }
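Review bot: The new condition exempts `TrialInliningState::MonomorphicInlined` from clearing the flag, but nothing in the hunk says why that state is safe while `Failure` (and an `Inlined` state that reached this branch because the flag was already false) is not. A comment on the added `if` would make the invariant auditable, e.g. `// Monomorphic inlining does not walk into an inlined child ICScript, so it does not invalidate child lookups for the frames below; any other fallback here does.` — hedged, since the ICScript structure that justifies it is not visible in this diff. Note that when the flag is already false and the state is `Inlined`, this branch re-clears it, which is harmless but may deserve a word so a reader does not look for a missing case. The body of setNextCallee begins in the previous hunk.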
 
-- 
GitLab