Bug 1876425 part 1 - Stop using trial inlined ICScripts during bailou…

…t if needed. r=iain, a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D201213

js/src/jit/BaselineBailouts.cpp

@@ -125,6 +125,8 @@ class MOZ_STACK_CLASS BaselineStackBuilder {
 
   BailoutKind bailoutKind_;
 
+  bool canUseTrialInlinedICScripts_ = true;
+
   // The baseline frames we will reconstruct on the heap are not
   // rooted, so GC must be suppressed.
   gc::AutoSuppressGC suppress_;
@@ -486,7 +488,8 @@ void BaselineStackBuilder::setNextCallee(
     JSFunction* nextCallee, TrialInliningState trialInliningState) {
   nextCallee_ = nextCallee;
 
-  if (trialInliningState == TrialInliningState::Inlined) {
+  if (trialInliningState == TrialInliningState::Inlined &&
+      canUseTrialInlinedICScripts_) {
     // Update icScript_ to point to the icScript of nextCallee
     const uint32_t pcOff = script_->pcToOffset(pc_);
     icScript_ = icScript_->findInlinedChild(pcOff);
@@ -496,6 +499,9 @@ void BaselineStackBuilder::setNextCallee(
     // inlined ICScript available, but we also could not if we transitioned
     // to TrialInliningState::Failure after being monomorphic inlined.
     icScript_ = nextCallee->nonLazyScript()->jitScript()->icScript();
+    if (trialInliningState != TrialInliningState::MonomorphicInlined) {
+      canUseTrialInlinedICScripts_ = false;
+    }
   }
 }