/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
 * vim: set ts=8 sts=4 et sw=4 tw=99:
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "jit/Recover.h"

#include "mozilla/SizePrintfMacros.h"

#include "jsapi.h"
#include "jscntxt.h"
#include "jsmath.h"
#include "jsobj.h"
#include "jsstr.h"

#include "builtin/RegExp.h"
#include "builtin/SIMD.h"
#include "builtin/TypedObject.h"

#include "gc/Heap.h"

#include "jit/JitFrameIterator.h"
#include "jit/JitSpewer.h"
#include "jit/MIR.h"
#include "jit/MIRGraph.h"
#include "jit/VMFunctions.h"
#include "vm/Interpreter.h"
#include "vm/String.h"

#include "vm/Interpreter-inl.h"
#include "vm/NativeObject-inl.h"

using namespace js;
using namespace js::jit;

bool
MNode::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_CRASH("This instruction is not serializable");
}

void
RInstruction::readRecoverData(CompactBufferReader& reader, RInstructionStorage* raw)
{
    uint32_t op = reader.readUnsigned();
    switch (Opcode(op)) {
#   define MATCH_OPCODES_(op)                                           \
      case Recover_##op:                                                \
        static_assert(sizeof(R##op) <= sizeof(RInstructionStorage),     \
                      "Storage space is too small to decode R" #op " instructions."); \
        new (raw->addr()) R##op(reader);                                \
        break;

        RECOVER_OPCODE_LIST(MATCH_OPCODES_)
#   undef MATCH_OPCODES_

      case Recover_Invalid:
      default:
        MOZ_CRASH("Bad decoding of the previous instruction?");
    }
}

bool
MResumePoint::writeRecoverData(CompactBufferWriter& writer) const
{
    writer.writeUnsigned(uint32_t(RInstruction::Recover_ResumePoint));

    MBasicBlock* bb = block();
    JSFunction* fun = bb->info().funMaybeLazy();
    JSScript* script = bb->info().script();
    uint32_t exprStack = stackDepth() - bb->info().ninvoke();

#ifdef DEBUG
    // Ensure that all snapshot which are encoded can safely be used for
    // bailouts.
    if (GetJitContext()->cx) {
        uint32_t stackDepth;
        bool reachablePC;
        jsbytecode* bailPC = pc();

        if (mode() == MResumePoint::ResumeAfter)
            bailPC = GetNextPc(pc());

        if (!ReconstructStackDepth(GetJitContext()->cx, script,
                                   bailPC, &stackDepth, &reachablePC))
        {
            return false;
        }

        if (reachablePC) {
            if (JSOp(*bailPC) == JSOP_FUNCALL) {
                // For fun.call(this, ...); the reconstructStackDepth will
                // include the this. When inlining that is not included.  So the
                // exprStackSlots will be one less.
                MOZ_ASSERT(stackDepth - exprStack <= 1);
            } else if (JSOp(*bailPC) != JSOP_FUNAPPLY &&
                       !IsGetPropPC(bailPC) && !IsSetPropPC(bailPC))
            {
                // For fun.apply({}, arguments) the reconstructStackDepth will
                // have stackdepth 4, but it could be that we inlined the
                // funapply. In that case exprStackSlots, will have the real
                // arguments in the slots and not be 4.

                // With accessors, we have different stack depths depending on
                // whether or not we inlined the accessor, as the inlined stack
                // contains a callee function that should never have been there
                // and we might just be capturing an uneventful property site,
                // in which case there won't have been any violence.
                MOZ_ASSERT(exprStack == stackDepth);
            }
        }
    }
#endif

    // Test if we honor the maximum of arguments at all times.  This is a sanity
    // check and not an algorithm limit. So check might be a bit too loose.  +4
    // to account for scope chain, return value, this value and maybe
    // arguments_object.
    MOZ_ASSERT(CountArgSlots(script, fun) < SNAPSHOT_MAX_NARGS + 4);

#ifdef JS_JITSPEW
    uint32_t implicit = StartArgSlot(script);
#endif
    uint32_t formalArgs = CountArgSlots(script, fun);
    uint32_t nallocs = formalArgs + script->nfixed() + exprStack;

    JitSpew(JitSpew_IonSnapshots, "Starting frame; implicit %u, formals %u, fixed %" PRIuSIZE ", exprs %u",
            implicit, formalArgs - implicit, script->nfixed(), exprStack);

    uint32_t pcoff = script->pcToOffset(pc());
    JitSpew(JitSpew_IonSnapshots, "Writing pc offset %u, nslots %u", pcoff, nallocs);
    writer.writeUnsigned(pcoff);
    writer.writeUnsigned(nallocs);
    return true;
}

RResumePoint::RResumePoint(CompactBufferReader& reader)
{
    pcOffset_ = reader.readUnsigned();
    numOperands_ = reader.readUnsigned();
    JitSpew(JitSpew_IonSnapshots, "Read RResumePoint (pc offset %u, nslots %u)",
            pcOffset_, numOperands_);
}

bool
RResumePoint::recover(JSContext* cx, SnapshotIterator& iter) const
{
    MOZ_CRASH("This instruction is not recoverable.");
}

bool
MBitNot::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_BitNot));
    return true;
}

RBitNot::RBitNot(CompactBufferReader& reader)
{ }

bool
RBitNot::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue operand(cx, iter.read());

    int32_t result;
    if (!js::BitNot(cx, operand, &result))
        return false;

    RootedValue rootedResult(cx, js::Int32Value(result));
    iter.storeInstructionResult(rootedResult);
    return true;
}

bool
MBitAnd::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_BitAnd));
    return true;
}

RBitAnd::RBitAnd(CompactBufferReader& reader)
{ }

bool
RBitAnd::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    int32_t result;
    MOZ_ASSERT(!lhs.isObject() && !rhs.isObject());

    if (!js::BitAnd(cx, lhs, rhs, &result))
        return false;

    RootedValue rootedResult(cx, js::Int32Value(result));
    iter.storeInstructionResult(rootedResult);
    return true;
}

bool
MBitOr::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_BitOr));
    return true;
}

RBitOr::RBitOr(CompactBufferReader& reader)
{}

bool
RBitOr::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    int32_t result;
    MOZ_ASSERT(!lhs.isObject() && !rhs.isObject());

    if (!js::BitOr(cx, lhs, rhs, &result))
        return false;

    RootedValue asValue(cx, js::Int32Value(result));
    iter.storeInstructionResult(asValue);
    return true;
}

bool
MBitXor::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_BitXor));
    return true;
}

RBitXor::RBitXor(CompactBufferReader& reader)
{ }

bool
RBitXor::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());

    int32_t result;
    if (!js::BitXor(cx, lhs, rhs, &result))
        return false;

    RootedValue rootedResult(cx, js::Int32Value(result));
    iter.storeInstructionResult(rootedResult);
    return true;
}

bool
MLsh::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Lsh));
    return true;
}

RLsh::RLsh(CompactBufferReader& reader)
{}

bool
RLsh::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    int32_t result;
    MOZ_ASSERT(!lhs.isObject() && !rhs.isObject());

    if (!js::BitLsh(cx, lhs, rhs, &result))
        return false;

    RootedValue asValue(cx, js::Int32Value(result));
    iter.storeInstructionResult(asValue);
    return true;
}

bool
MRsh::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Rsh));
    return true;
}

RRsh::RRsh(CompactBufferReader& reader)
{ }

bool
RRsh::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    MOZ_ASSERT(!lhs.isObject() && !rhs.isObject());

    int32_t result;
    if (!js::BitRsh(cx, lhs, rhs, &result))
        return false;

    RootedValue rootedResult(cx, js::Int32Value(result));
    iter.storeInstructionResult(rootedResult);
    return true;
}

bool
MUrsh::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Ursh));
    return true;
}

RUrsh::RUrsh(CompactBufferReader& reader)
{ }

bool
RUrsh::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    MOZ_ASSERT(!lhs.isObject() && !rhs.isObject());

    RootedValue result(cx);
    if (!js::UrshOperation(cx, lhs, rhs, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MSignExtend::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_SignExtend));
    MOZ_ASSERT(Mode(uint8_t(mode_)) == mode_);
    writer.writeByte(uint8_t(mode_));
    return true;
}

RSignExtend::RSignExtend(CompactBufferReader& reader)
{
    mode_ = reader.readByte();
}

bool
RSignExtend::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue operand(cx, iter.read());

    int32_t result;
    switch (MSignExtend::Mode(mode_)) {
      case MSignExtend::Byte:
        if (!js::SignExtendOperation<int8_t>(cx, operand, &result))
            return false;
        break;
      case MSignExtend::Half:
        if (!js::SignExtendOperation<int16_t>(cx, operand, &result))
            return false;
        break;
    }

    RootedValue rootedResult(cx, js::Int32Value(result));
    iter.storeInstructionResult(rootedResult);
    return true;
}

bool
MAdd::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Add));
    writer.writeByte(specialization_ == MIRType::Float32);
    return true;
}

RAdd::RAdd(CompactBufferReader& reader)
{
    isFloatOperation_ = reader.readByte();
}

bool
RAdd::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(!lhs.isObject() && !rhs.isObject());
    if (!js::AddValues(cx, &lhs, &rhs, &result))
        return false;

    // MIRType::Float32 is a specialization embedding the fact that the result is
    // rounded to a Float32.
    if (isFloatOperation_ && !RoundFloat32(cx, result, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MSub::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Sub));
    writer.writeByte(specialization_ == MIRType::Float32);
    return true;
}

RSub::RSub(CompactBufferReader& reader)
{
    isFloatOperation_ = reader.readByte();
}

bool
RSub::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(!lhs.isObject() && !rhs.isObject());
    if (!js::SubValues(cx, &lhs, &rhs, &result))
        return false;

    // MIRType::Float32 is a specialization embedding the fact that the result is
    // rounded to a Float32.
    if (isFloatOperation_ && !RoundFloat32(cx, result, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MMul::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Mul));
    writer.writeByte(specialization_ == MIRType::Float32);
    MOZ_ASSERT(Mode(uint8_t(mode_)) == mode_);
    writer.writeByte(uint8_t(mode_));
    return true;
}

RMul::RMul(CompactBufferReader& reader)
{
    isFloatOperation_ = reader.readByte();
    mode_ = reader.readByte();
}

bool
RMul::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    RootedValue result(cx);

    if (MMul::Mode(mode_) == MMul::Normal) {
        if (!js::MulValues(cx, &lhs, &rhs, &result))
            return false;

        // MIRType::Float32 is a specialization embedding the fact that the
        // result is rounded to a Float32.
        if (isFloatOperation_ && !RoundFloat32(cx, result, &result))
            return false;
    } else {
        MOZ_ASSERT(MMul::Mode(mode_) == MMul::Integer);
        if (!js::math_imul_handle(cx, lhs, rhs, &result))
            return false;
    }

    iter.storeInstructionResult(result);
    return true;
}

bool
MDiv::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Div));
    writer.writeByte(specialization_ == MIRType::Float32);
    return true;
}

RDiv::RDiv(CompactBufferReader& reader)
{
    isFloatOperation_ = reader.readByte();
}

bool
RDiv::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    RootedValue result(cx);

    if (!js::DivValues(cx, &lhs, &rhs, &result))
        return false;

    // MIRType::Float32 is a specialization embedding the fact that the result is
    // rounded to a Float32.
    if (isFloatOperation_ && !RoundFloat32(cx, result, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MMod::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Mod));
    return true;
}

RMod::RMod(CompactBufferReader& reader)
{ }

bool
RMod::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(!lhs.isObject() && !rhs.isObject());
    if (!js::ModValues(cx, &lhs, &rhs, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MNot::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Not));
    return true;
}

RNot::RNot(CompactBufferReader& reader)
{ }

bool
RNot::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue v(cx, iter.read());
    RootedValue result(cx);

    result.setBoolean(!ToBoolean(v));

    iter.storeInstructionResult(result);
    return true;
}

bool
MConcat::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Concat));
    return true;
}

RConcat::RConcat(CompactBufferReader& reader)
{}

bool
RConcat::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue lhs(cx, iter.read());
    RootedValue rhs(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(!lhs.isObject() && !rhs.isObject());
    if (!js::AddValues(cx, &lhs, &rhs, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

RStringLength::RStringLength(CompactBufferReader& reader)
{}

bool
RStringLength::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue operand(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(!operand.isObject());
    if (!js::GetLengthProperty(operand, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MStringLength::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_StringLength));
    return true;
}

bool
MArgumentsLength::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_ArgumentsLength));
    return true;
}

RArgumentsLength::RArgumentsLength(CompactBufferReader& reader)
{ }

bool
RArgumentsLength::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue result(cx);

    result.setInt32(iter.readOuterNumActualArgs());

    iter.storeInstructionResult(result);
    return true;
}

bool
MFloor::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Floor));
    return true;
}

RFloor::RFloor(CompactBufferReader& reader)
{ }

bool RFloor::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue v(cx, iter.read());
    RootedValue result(cx);

    if (!js::math_floor_handle(cx, v, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MCeil::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Ceil));
    return true;
}

RCeil::RCeil(CompactBufferReader& reader)
{ }


bool
RCeil::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue v(cx, iter.read());
    RootedValue result(cx);

    if (!js::math_ceil_handle(cx, v, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MRound::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Round));
    return true;
}

RRound::RRound(CompactBufferReader& reader)
{}

bool
RRound::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue arg(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(!arg.isObject());
    if(!js::math_round_handle(cx, arg, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MCharCodeAt::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_CharCodeAt));
    return true;
}

RCharCodeAt::RCharCodeAt(CompactBufferReader& reader)
{}

bool
RCharCodeAt::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedString lhs(cx, iter.read().toString());
    RootedValue rhs(cx, iter.read());
    RootedValue result(cx);

    if (!js::str_charCodeAt_impl(cx, lhs, rhs, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MFromCharCode::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_FromCharCode));
    return true;
}

RFromCharCode::RFromCharCode(CompactBufferReader& reader)
{}

bool
RFromCharCode::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue operand(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(!operand.isObject());
    if (!js::str_fromCharCode_one_arg(cx, operand, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MPow::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Pow));
    return true;
}

RPow::RPow(CompactBufferReader& reader)
{ }

bool
RPow::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue base(cx, iter.read());
    RootedValue power(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(base.isNumber() && power.isNumber());
    if (!js::math_pow_handle(cx, base, power, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MPowHalf::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_PowHalf));
    return true;
}

RPowHalf::RPowHalf(CompactBufferReader& reader)
{ }

bool
RPowHalf::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue base(cx, iter.read());
    RootedValue power(cx);
    RootedValue result(cx);
    power.setNumber(0.5);

    MOZ_ASSERT(base.isNumber());
    if (!js::math_pow_handle(cx, base, power, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MMinMax::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_MinMax));
    writer.writeByte(isMax_);
    return true;
}

RMinMax::RMinMax(CompactBufferReader& reader)
{
    isMax_ = reader.readByte();
}

bool
RMinMax::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue a(cx, iter.read());
    RootedValue b(cx, iter.read());
    RootedValue result(cx);

    if (!js::minmax_impl(cx, isMax_, a, b, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MAbs::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Abs));
    return true;
}

RAbs::RAbs(CompactBufferReader& reader)
{ }

bool
RAbs::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue v(cx, iter.read());
    RootedValue result(cx);

    if (!js::math_abs_handle(cx, v, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MSqrt::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Sqrt));
    writer.writeByte(type() == MIRType::Float32);
    return true;
}

RSqrt::RSqrt(CompactBufferReader& reader)
{
    isFloatOperation_ = reader.readByte();
}

bool
RSqrt::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue num(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(num.isNumber());
    if (!math_sqrt_handle(cx, num, &result))
        return false;

    // MIRType::Float32 is a specialization embedding the fact that the result is
    // rounded to a Float32.
    if (isFloatOperation_ && !RoundFloat32(cx, result, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MAtan2::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Atan2));
    return true;
}

RAtan2::RAtan2(CompactBufferReader& reader)
{ }

bool
RAtan2::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue y(cx, iter.read());
    RootedValue x(cx, iter.read());
    RootedValue result(cx);

    if(!math_atan2_handle(cx, y, x, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MHypot::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Hypot));
    writer.writeUnsigned(uint32_t(numOperands()));
    return true;
}

RHypot::RHypot(CompactBufferReader& reader)
    : numOperands_(reader.readUnsigned())
{ }

bool
RHypot::recover(JSContext* cx, SnapshotIterator& iter) const
{
    JS::AutoValueVector vec(cx);

    if (!vec.reserve(numOperands_))
        return false;

    for (uint32_t i = 0 ; i < numOperands_ ; ++i)
       vec.infallibleAppend(iter.read());

    RootedValue result(cx);

    if(!js::math_hypot_handle(cx, vec, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MMathFunction::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    switch (function_) {
      case Round:
        writer.writeUnsigned(uint32_t(RInstruction::Recover_Round));
        return true;
      case Sin:
      case Log:
        writer.writeUnsigned(uint32_t(RInstruction::Recover_MathFunction));
        writer.writeByte(function_);
        return true;
      default:
        MOZ_CRASH("Unknown math function.");
    }
}

RMathFunction::RMathFunction(CompactBufferReader& reader)
{
    function_ = reader.readByte();
}

bool
RMathFunction::recover(JSContext* cx, SnapshotIterator& iter) const
{
    switch (function_) {
      case MMathFunction::Sin: {
        RootedValue arg(cx, iter.read());
        RootedValue result(cx);

        if (!js::math_sin_handle(cx, arg, &result))
            return false;

        iter.storeInstructionResult(result);
        return true;
      }
      case MMathFunction::Log: {
        RootedValue arg(cx, iter.read());
        RootedValue result(cx);

        if (!js::math_log_handle(cx, arg, &result))
            return false;

        iter.storeInstructionResult(result);
        return true;
      }
      default:
        MOZ_CRASH("Unknown math function.");
    }
}

bool
MRandom::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(this->canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Random));
    return true;
}

RRandom::RRandom(CompactBufferReader& reader)
{}

bool
RRandom::recover(JSContext* cx, SnapshotIterator& iter) const
{
    iter.storeInstructionResult(DoubleValue(math_random_impl(cx)));
    return true;
}

bool
MStringSplit::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_StringSplit));
    return true;
}

RStringSplit::RStringSplit(CompactBufferReader& reader)
{}

bool
RStringSplit::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedString str(cx, iter.read().toString());
    RootedString sep(cx, iter.read().toString());
    RootedObjectGroup group(cx, iter.read().toObject().group());
    RootedValue result(cx);

    JSObject* res = str_split_string(cx, group, str, sep, INT32_MAX);
    if (!res)
        return false;

    result.setObject(*res);
    iter.storeInstructionResult(result);
    return true;
}

bool
MNaNToZero::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_NaNToZero));
    return true;
}

RNaNToZero::RNaNToZero(CompactBufferReader& reader)
{ }


bool
RNaNToZero::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue v(cx, iter.read());
    RootedValue result(cx);
    MOZ_ASSERT(v.isDouble() || v.isInt32());

    // x ? x : 0.0
    if (ToBoolean(v))
        result = v;
    else
        result.setDouble(0.0);

    iter.storeInstructionResult(result);
    return true;
}

bool
MRegExpMatcher::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_RegExpMatcher));
    return true;
}

RRegExpMatcher::RRegExpMatcher(CompactBufferReader& reader)
{}

bool
RRegExpMatcher::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedObject regexp(cx, &iter.read().toObject());
    RootedString input(cx, iter.read().toString());
    int32_t lastIndex = iter.read().toInt32();

    RootedValue result(cx);
    if (!RegExpMatcherRaw(cx, regexp, input, lastIndex, nullptr, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MRegExpSearcher::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_RegExpSearcher));
    return true;
}

RRegExpSearcher::RRegExpSearcher(CompactBufferReader& reader)
{}

bool
RRegExpSearcher::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedObject regexp(cx, &iter.read().toObject());
    RootedString input(cx, iter.read().toString());
    int32_t lastIndex = iter.read().toInt32();

    int32_t result;
    if (!RegExpSearcherRaw(cx, regexp, input, lastIndex, nullptr, &result))
        return false;

    RootedValue resultVal(cx);
    resultVal.setInt32(result);
    iter.storeInstructionResult(resultVal);
    return true;
}

bool
MRegExpTester::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_RegExpTester));
    return true;
}

RRegExpTester::RRegExpTester(CompactBufferReader& reader)
{ }

bool
RRegExpTester::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedString string(cx, iter.read().toString());
    RootedObject regexp(cx, &iter.read().toObject());
    int32_t lastIndex = iter.read().toInt32();
    int32_t endIndex;

    if (!js::RegExpTesterRaw(cx, regexp, string, lastIndex, &endIndex))
        return false;

    RootedValue result(cx);
    result.setInt32(endIndex);
    iter.storeInstructionResult(result);
    return true;
}

bool
MTypeOf::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_TypeOf));
    return true;
}

RTypeOf::RTypeOf(CompactBufferReader& reader)
{ }

bool
RTypeOf::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue v(cx, iter.read());

    RootedValue result(cx, StringValue(TypeOfOperation(v, cx->runtime())));
    iter.storeInstructionResult(result);
    return true;
}

bool
MToDouble::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_ToDouble));
    return true;
}

RToDouble::RToDouble(CompactBufferReader& reader)
{ }

bool
RToDouble::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue v(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(!v.isObject());
    MOZ_ASSERT(!v.isSymbol());

    double dbl;
    if (!ToNumber(cx, v, &dbl))
        return false;

    result.setDouble(dbl);
    iter.storeInstructionResult(result);
    return true;
}

bool
MToFloat32::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_ToFloat32));
    return true;
}

RToFloat32::RToFloat32(CompactBufferReader& reader)
{ }

bool
RToFloat32::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue v(cx, iter.read());
    RootedValue result(cx);

    MOZ_ASSERT(!v.isObject());
    if (!RoundFloat32(cx, v, &result))
        return false;

    iter.storeInstructionResult(result);
    return true;
}

bool
MTruncateToInt32::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_TruncateToInt32));
    return true;
}

RTruncateToInt32::RTruncateToInt32(CompactBufferReader& reader)
{ }

bool
RTruncateToInt32::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue value(cx, iter.read());
    RootedValue result(cx);

    int32_t trunc;
    if (!JS::ToInt32(cx, value, &trunc))
        return false;

    result.setInt32(trunc);
    iter.storeInstructionResult(result);
    return true;
}

bool
MNewObject::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_NewObject));
    MOZ_ASSERT(Mode(uint8_t(mode_)) == mode_);
    writer.writeByte(uint8_t(mode_));
    return true;
}

RNewObject::RNewObject(CompactBufferReader& reader)
{
    mode_ = MNewObject::Mode(reader.readByte());
}

bool
RNewObject::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedObject templateObject(cx, &iter.read().toObject());
    RootedValue result(cx);
    JSObject* resultObject = nullptr;

    // See CodeGenerator::visitNewObjectVMCall
    switch (mode_) {
      case MNewObject::ObjectLiteral:
        resultObject = NewObjectOperationWithTemplate(cx, templateObject);
        break;
      case MNewObject::ObjectCreate:
        resultObject = ObjectCreateWithTemplate(cx, templateObject.as<PlainObject>());
        break;
    }

    if (!resultObject)
        return false;

    result.setObject(*resultObject);
    iter.storeInstructionResult(result);
    return true;
}

bool
MNewTypedArray::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_NewTypedArray));
    return true;
}

RNewTypedArray::RNewTypedArray(CompactBufferReader& reader)
{
}

bool
RNewTypedArray::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedObject templateObject(cx, &iter.read().toObject());
    RootedValue result(cx);

    uint32_t length = templateObject.as<TypedArrayObject>()->length();
    JSObject* resultObject = TypedArrayCreateWithTemplate(cx, templateObject, length);
    if (!resultObject)
        return false;

    result.setObject(*resultObject);
    iter.storeInstructionResult(result);
    return true;
}

bool
MNewArray::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_NewArray));
    writer.writeUnsigned(length());
    return true;
}

RNewArray::RNewArray(CompactBufferReader& reader)
{
    count_ = reader.readUnsigned();
}

bool
RNewArray::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedObject templateObject(cx, &iter.read().toObject());
    RootedValue result(cx);
    RootedObjectGroup group(cx, templateObject->group());

    JSObject* resultObject = NewFullyAllocatedArrayTryUseGroup(cx, group, count_);
    if (!resultObject)
        return false;

    result.setObject(*resultObject);
    iter.storeInstructionResult(result);
    return true;
}

bool
MNewDerivedTypedObject::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_NewDerivedTypedObject));
    return true;
}

RNewDerivedTypedObject::RNewDerivedTypedObject(CompactBufferReader& reader)
{ }

bool
RNewDerivedTypedObject::recover(JSContext* cx, SnapshotIterator& iter) const
{
    Rooted<TypeDescr*> descr(cx, &iter.read().toObject().as<TypeDescr>());
    Rooted<TypedObject*> owner(cx, &iter.read().toObject().as<TypedObject>());
    int32_t offset = iter.read().toInt32();

    JSObject* obj = OutlineTypedObject::createDerived(cx, descr, owner, offset);
    if (!obj)
        return false;

    RootedValue result(cx, ObjectValue(*obj));
    iter.storeInstructionResult(result);
    return true;
}

bool
MCreateThisWithTemplate::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_CreateThisWithTemplate));
    return true;
}

RCreateThisWithTemplate::RCreateThisWithTemplate(CompactBufferReader& reader)
{
}

bool
RCreateThisWithTemplate::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedObject templateObject(cx, &iter.read().toObject());

    // See CodeGenerator::visitCreateThisWithTemplate
    JSObject* resultObject = NewObjectOperationWithTemplate(cx, templateObject);
    if (!resultObject)
        return false;

    RootedValue result(cx);
    result.setObject(*resultObject);
    iter.storeInstructionResult(result);
    return true;
}

bool
MLambda::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_Lambda));
    return true;
}

RLambda::RLambda(CompactBufferReader& reader)
{
}

bool
RLambda::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedObject scopeChain(cx, &iter.read().toObject());
    RootedFunction fun(cx, &iter.read().toObject().as<JSFunction>());

    JSObject* resultObject = js::Lambda(cx, fun, scopeChain);
    if (!resultObject)
        return false;

    RootedValue result(cx);
    result.setObject(*resultObject);
    iter.storeInstructionResult(result);
    return true;
}

bool
MSimdBox::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_SimdBox));
    static_assert(unsigned(SimdType::Count) < 0x100, "assuming SimdType fits in 8 bits");
    writer.writeByte(uint8_t(simdType()));
    return true;
}

RSimdBox::RSimdBox(CompactBufferReader& reader)
{
    type_ = reader.readByte();
}

bool
RSimdBox::recover(JSContext* cx, SnapshotIterator& iter) const
{
    JSObject* resultObject = nullptr;
    RValueAllocation a = iter.readAllocation();
    MOZ_ASSERT(iter.allocationReadable(a));
    MOZ_ASSERT_IF(a.mode() == RValueAllocation::ANY_FLOAT_REG, a.fpuReg().isSimd128());
    const FloatRegisters::RegisterContent* raw = iter.floatAllocationPointer(a);
    switch (SimdType(type_)) {
      case SimdType::Bool8x16:
        resultObject = js::CreateSimd<Bool8x16>(cx, (const Bool8x16::Elem*) raw);
        break;
      case SimdType::Int8x16:
        resultObject = js::CreateSimd<Int8x16>(cx, (const Int8x16::Elem*) raw);
        break;
      case SimdType::Uint8x16:
        resultObject = js::CreateSimd<Uint8x16>(cx, (const Uint8x16::Elem*) raw);
        break;
      case SimdType::Bool16x8:
        resultObject = js::CreateSimd<Bool16x8>(cx, (const Bool16x8::Elem*) raw);
        break;
      case SimdType::Int16x8:
        resultObject = js::CreateSimd<Int16x8>(cx, (const Int16x8::Elem*) raw);
        break;
      case SimdType::Uint16x8:
        resultObject = js::CreateSimd<Uint16x8>(cx, (const Uint16x8::Elem*) raw);
        break;
      case SimdType::Bool32x4:
        resultObject = js::CreateSimd<Bool32x4>(cx, (const Bool32x4::Elem*) raw);
        break;
      case SimdType::Int32x4:
        resultObject = js::CreateSimd<Int32x4>(cx, (const Int32x4::Elem*) raw);
        break;
      case SimdType::Uint32x4:
        resultObject = js::CreateSimd<Uint32x4>(cx, (const Uint32x4::Elem*) raw);
        break;
      case SimdType::Float32x4:
        resultObject = js::CreateSimd<Float32x4>(cx, (const Float32x4::Elem*) raw);
        break;
      case SimdType::Float64x2:
        MOZ_CRASH("NYI, RSimdBox of Float64x2");
        break;
      case SimdType::Bool64x2:
        MOZ_CRASH("NYI, RSimdBox of Bool64x2");
        break;
      case SimdType::Count:
        MOZ_CRASH("RSimdBox of Count is unreachable");
    }

    if (!resultObject)
        return false;

    RootedValue result(cx);
    result.setObject(*resultObject);
    iter.storeInstructionResult(result);
    return true;
}

bool
MObjectState::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_ObjectState));
    writer.writeUnsigned(numSlots());
    return true;
}

RObjectState::RObjectState(CompactBufferReader& reader)
{
    numSlots_ = reader.readUnsigned();
}

bool
RObjectState::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedObject object(cx, &iter.read().toObject());
    RootedValue val(cx);

    if (object->is<UnboxedPlainObject>()) {
        const UnboxedLayout& layout = object->as<UnboxedPlainObject>().layout();

        RootedId id(cx);
        RootedValue receiver(cx, ObjectValue(*object));
        const UnboxedLayout::PropertyVector& properties = layout.properties();
        for (size_t i = 0; i < properties.length(); i++) {
            val = iter.read();

            // This is the default placeholder value of MObjectState, when no
            // properties are defined yet.
            if (val.isUndefined())
                continue;

            id = NameToId(properties[i].name);
            ObjectOpResult result;

            // SetProperty can only fail due to OOM.
            if (!SetProperty(cx, object, id, val, receiver, result))
                return false;
            if (!result)
                return result.reportError(cx, object, id);
        }
    } else {
        RootedNativeObject nativeObject(cx, &object->as<NativeObject>());
        MOZ_ASSERT(nativeObject->slotSpan() == numSlots());

        for (size_t i = 0; i < numSlots(); i++) {
            val = iter.read();
            nativeObject->setSlot(i, val);
        }
    }

    val.setObject(*object);
    iter.storeInstructionResult(val);
    return true;
}

bool
MArrayState::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_ArrayState));
    writer.writeUnsigned(numElements());
    return true;
}

RArrayState::RArrayState(CompactBufferReader& reader)
{
    numElements_ = reader.readUnsigned();
}

bool
RArrayState::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue result(cx);
    ArrayObject* object = &iter.read().toObject().as<ArrayObject>();
    uint32_t initLength = iter.read().toInt32();

    object->setDenseInitializedLength(initLength);
    for (size_t index = 0; index < numElements(); index++) {
        Value val = iter.read();

        if (index >= initLength) {
            MOZ_ASSERT(val.isUndefined());
            continue;
        }

        object->initDenseElement(index, val);
    }

    result.setObject(*object);
    iter.storeInstructionResult(result);
    return true;
}

bool
MAssertRecoveredOnBailout::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    MOZ_RELEASE_ASSERT(input()->isRecoveredOnBailout() == mustBeRecovered_,
        "assertRecoveredOnBailout failed during compilation");
    writer.writeUnsigned(uint32_t(RInstruction::Recover_AssertRecoveredOnBailout));
    return true;
}

RAssertRecoveredOnBailout::RAssertRecoveredOnBailout(CompactBufferReader& reader)
{ }

bool RAssertRecoveredOnBailout::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue result(cx);
    iter.read(); // skip the unused operand.
    result.setUndefined();
    iter.storeInstructionResult(result);
    return true;
}

bool
MStringReplace::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_StringReplace));
    writer.writeByte(isFlatReplacement_);
    return true;
}

RStringReplace::RStringReplace(CompactBufferReader& reader)
{
    isFlatReplacement_ = reader.readByte();
}

bool RStringReplace::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedString string(cx, iter.read().toString());
    RootedString pattern(cx, iter.read().toString());
    RootedString replace(cx, iter.read().toString());

    JSString* result = isFlatReplacement_ ? js::str_flat_replace_string(cx, string, pattern, replace) :
                                            js::str_replace_string_raw(cx, string, pattern, replace);

    if (!result)
        return false;

    iter.storeInstructionResult(StringValue(result));
    return true;
}

bool
MAtomicIsLockFree::writeRecoverData(CompactBufferWriter& writer) const
{
    MOZ_ASSERT(canRecoverOnBailout());
    writer.writeUnsigned(uint32_t(RInstruction::Recover_AtomicIsLockFree));
    return true;
}

RAtomicIsLockFree::RAtomicIsLockFree(CompactBufferReader& reader)
{ }

bool
RAtomicIsLockFree::recover(JSContext* cx, SnapshotIterator& iter) const
{
    RootedValue operand(cx, iter.read());
    MOZ_ASSERT(operand.isInt32());

    int32_t result;
    if (!js::AtomicIsLockFree(cx, operand, &result))
        return false;

    RootedValue rootedResult(cx, js::Int32Value(result));
    iter.storeInstructionResult(rootedResult);
    return true;
}