Bug 1467142 - Fix MacroAssembler::branchTestObjCompartment to guard on realm->compartment instead of realm. r=tcampbell
authorJan de Mooij <jdemooij@mozilla.com>
Wed, 06 Jun 2018 17:09:17 +0200
changeset 421589 7b760c430347f138d9c5105e70a67a56a3b595a8
parent 421588 5fd3144d5d009fdac3fae2ee33143901164e0d12
child 421590 e9b4f255a1160eb87c44bb04ff1b22240165d7e2
push id104071
push userjandemooij@gmail.com
push dateWed, 06 Jun 2018 15:10:07 +0000
reviewerstcampbell
bugs1467142
milestone62.0a1
Bug 1467142 - Fix MacroAssembler::branchTestObjCompartment to guard on realm->compartment instead of realm. r=tcampbell
js/src/jit/CacheIR.cpp
js/src/jit/CacheIR.h
js/src/jit/MacroAssembler.cpp
js/src/vm/JSCompartment.h
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -1109,17 +1109,17 @@ GetPropIRGenerator::tryAttachCrossCompar
     RootedObject wrappedTargetGlobal(cx_, &unwrapped->global());
     if (!cx_->compartment()->wrap(cx_, &wrappedTargetGlobal))
         return false;
 
     bool isWindowProxy = false;
     RootedShape shape(cx_);
     RootedNativeObject holder(cx_);
 
-    // Enter compartment of target since some checks have side-effects
+    // Enter realm of target since some checks have side-effects
     // such as de-lazifying type info.
     {
         AutoRealm ar(cx_, unwrapped);
 
         // The first CCW for iframes is almost always wrapping another WindowProxy
         // so we optimize for that case as well.
         isWindowProxy = IsWindowProxy(unwrapped);
         if (isWindowProxy) {
--- a/js/src/jit/CacheIR.h
+++ b/js/src/jit/CacheIR.h
@@ -681,17 +681,17 @@ class MOZ_RAII CacheIRWriter : public JS
     }
     void guardMagicValue(ValOperandId val, JSWhyMagic magic) {
         writeOpWithOperandId(CacheOp::GuardMagicValue, val);
         buffer_.writeByte(uint32_t(magic));
     }
     void guardCompartment(ObjOperandId obj, JSObject* global, JSCompartment* compartment) {
         assertSameCompartment(global);
         writeOpWithOperandId(CacheOp::GuardCompartment, obj);
-        // Add a reference to the compartment's global to keep it alive.
+        // Add a reference to a global in the compartment to keep it alive.
         addStubField(uintptr_t(global), StubField::Type::JSObject);
         // Use RawWord, because compartments never move and it can't be GCed.
         addStubField(uintptr_t(compartment), StubField::Type::RawWord);
     }
     void guardNoDetachedTypedObjects() {
         writeOp(CacheOp::GuardNoDetachedTypedObjects);
     }
     void guardFrameHasNoArgumentsObject() {
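Review bot: The reworded comment on the addStubField line says the global keeps "the compartment" alive, but nothing in guardCompartment ties the `global` argument to the `compartment` argument; `assertSameCompartment(global)` appears to check the global against the writer's own context rather than against `compartment`, so a caller passing a global from a different compartment would not be caught in debug builds. An assertion next to the existing one, `MOZ_ASSERT(global->compartment() == compartment);`, would make the liveness claim in the comment checkable. The enclosing CacheIRWriter class starts and ends outside this hunk.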
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -3272,27 +3272,29 @@ MacroAssembler::branchTestObjGroup(Condi
 
 void
 MacroAssembler::branchTestObjCompartment(Condition cond, Register obj, const Address& compartment,
                                          Register scratch, Label* label)
 {
     MOZ_ASSERT(obj != scratch);
     loadPtr(Address(obj, JSObject::offsetOfGroup()), scratch);
     loadPtr(Address(scratch, ObjectGroup::offsetOfRealm()), scratch);
+    loadPtr(Address(scratch, Realm::offsetOfCompartment()), scratch);
     branchPtr(cond, compartment, scratch, label);
 }
 
 void
 MacroAssembler::branchTestObjCompartment(Condition cond, Register obj,
                                          const JSCompartment* compartment, Register scratch,
                                          Label* label)
 {
     MOZ_ASSERT(obj != scratch);
     loadPtr(Address(obj, JSObject::offsetOfGroup()), scratch);
     loadPtr(Address(scratch, ObjectGroup::offsetOfRealm()), scratch);
+    loadPtr(Address(scratch, Realm::offsetOfCompartment()), scratch);
     branchPtr(cond, scratch, ImmPtr(compartment), label);
 }
 
 void
 MacroAssembler::branchIfObjGroupHasNoAddendum(Register obj, Register scratch, Label* label)
 {
     MOZ_ASSERT(obj != scratch);
     loadPtr(Address(obj, JSObject::offsetOfGroup()), scratch);
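Review bot: The three chained loads in both overloads of branchTestObjCompartment now compute obj->group()->realm()->compartment() without saying so, and the body of the second overload repeats the first verbatim up to the final branchPtr operand. A one-line comment ahead of the first loadPtr in each, `// scratch = obj->group()->realm()->compartment()`, would make the guard's subject explicit and document that scratch is clobbered with the compartment pointer. The two could also share a small private helper that performs the three loads, but that would need a declaration in MacroAssembler.h, which is outside this hunk. Both overloads are complete within the hunk; branchIfObjGroupHasNoAddendum continues past it.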
--- a/js/src/vm/JSCompartment.h
+++ b/js/src/vm/JSCompartment.h
@@ -1284,16 +1284,19 @@ class JS::Realm : public JS::shadow::Rea
     // allocation. We consult the probabilities requested by the Debugger
     // instances observing us, if any.
     void chooseAllocationSamplingProbability() {
         savedStacks_.chooseSamplingProbability(this);
     }
 
     void sweepSavedStacks();
 
+    static constexpr size_t offsetOfCompartment() {
+        return offsetof(JS::Realm, compartment_);
+    }
     static constexpr size_t offsetOfRegExps() {
         return offsetof(JS::Realm, regExps);
     }
 };
 
 namespace js {
 
 // We only set the maybeAlive flag for objects and scripts. It's assumed that,