Bug 1661211 part 3 - Add sameRealm flag to CallNativeGetterResult. r=iain
authorJan de Mooij <jdemooij@mozilla.com>
Wed, 26 Aug 2020 20:00:51 +0000
changeset 546402 e25e289e016c32ea4f81b81e24e8ae944e8bdc59
parent 546401 d01415c7707edaaf119e5e4c76f6b4e3c6a30e13
child 546403 a86d23fda0718026290257b25968d9f5925e1895
push id37735
push userabutkovits@mozilla.com
push dateThu, 27 Aug 2020 21:29:40 +0000
reviewersiain
bugs1661211
milestone82.0a1
Bug 1661211 part 3 - Add sameRealm flag to CallNativeGetterResult. r=iain Depends on D88265 Differential Revision: https://phabricator.services.mozilla.com/D88266
js/src/jit/BaselineCacheIRCompiler.cpp
js/src/jit/CacheIR.cpp
js/src/jit/CacheIR.h
js/src/jit/CacheIROps.yaml
js/src/jit/IonCacheIRCompiler.cpp
--- a/js/src/jit/BaselineCacheIRCompiler.cpp
+++ b/js/src/jit/BaselineCacheIRCompiler.cpp
@@ -554,17 +554,17 @@ bool BaselineCacheIRCompiler::emitCallSc
   if (!sameRealm) {
     masm.switchToBaselineFrameRealm(R1.scratchReg());
   }
 
   return true;
 }
 
 bool BaselineCacheIRCompiler::emitCallNativeGetterResult(
-    ValOperandId receiverId, uint32_t getterOffset,
+    ValOperandId receiverId, uint32_t getterOffset, bool sameRealm,
     uint32_t nargsAndFlagsOffset) {
   JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
 
   ValueOperand receiver = allocator.useValueRegister(masm, receiverId);
   Address getterAddr(stubAddress(getterOffset));
 
   AutoScratchRegister scratch(allocator, masm);
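Review bot: The new `sameRealm` parameter is not consulted anywhere in the visible part of emitCallNativeGetterResult; the function body continues past the hunk, where presumably it guards the realm switch the same way emitCallScriptedGetterResult does just above (`if (!sameRealm) { masm.switchToBaselineFrameRealm(...); }`). Unlike the Ion compiler, this path only has the getter as a stub address (`getterAddr`), so there is no compile-time JSFunction* to cross-check the flag against, and its correctness rests entirely on the CacheIR writer computing it at attach time. That asymmetry is worth a line on the parameter: `// sameRealm is decided at attach time; the getter's realm is not known to the compiler here.`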
 
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -997,26 +997,26 @@ static void EmitReadSlotReturn(CacheIRWr
     writer.returnFromIC();
   }
 }
 
 static void EmitCallGetterResultNoGuards(JSContext* cx, CacheIRWriter& writer,
                                          JSObject* obj, JSObject* holder,
                                          Shape* shape,
                                          ValOperandId receiverId) {
+  JSFunction* target = &shape->getterValue().toObject().as<JSFunction>();
+  bool sameRealm = cx->realm() == target->realm();
+
   switch (IsCacheableGetPropCall(obj, holder, shape)) {
     case CanAttachNativeGetter: {
-      JSFunction* target = &shape->getterValue().toObject().as<JSFunction>();
-      writer.callNativeGetterResult(receiverId, target);
+      writer.callNativeGetterResult(receiverId, target, sameRealm);
       writer.typeMonitorResult();
       break;
     }
     case CanAttachScriptedGetter: {
-      JSFunction* target = &shape->getterValue().toObject().as<JSFunction>();
-      bool sameRealm = cx->realm() == target->realm();
       writer.callScriptedGetterResult(receiverId, target, sameRealm);
       writer.typeMonitorResult();
       break;
     }
     default:
       // CanAttachNativeGetProp guarantees that the getter is either a native or
       // a scripted function.
       MOZ_ASSERT_UNREACHABLE("Can't attach getter");
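Review bot: Hoisting `shape->getterValue().toObject().as<JSFunction>()` above the switch at L65 means the cast now runs before IsCacheableGetPropCall classifies the getter, so it no longer sits behind the two cases that establish the getter is a function; it is only safe because of the guarantee the default branch's comment cites. Moving that justification up to the hoisted line would keep the reasoning next to the code that depends on it: `// CanAttachNativeGetProp guarantees the getter is a JSFunction, so this is safe before the switch.`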
@@ -1442,17 +1442,19 @@ AttachDecision GetPropIRGenerator::tryAt
     ObjOperandId protoId = writer.loadObject(proto);
     if (JSObject* protoShapeWrapper = prototypeExpandoShapeWrappers[i]) {
       writer.guardXrayExpandoShapeAndDefaultProto(protoId, protoShapeWrapper);
     } else {
       writer.guardXrayNoExpando(protoId);
     }
   }
 
-  writer.callNativeGetterResult(receiverId, &getter->as<JSFunction>());
+  bool sameRealm = cx_->realm() == getter->as<JSFunction>().realm();
+  writer.callNativeGetterResult(receiverId, &getter->as<JSFunction>(),
+                                sameRealm);
   writer.typeMonitorResult();
 
   trackAttached("XrayGetter");
   return AttachDecision::Attach;
 }
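Review bot: `getter->as<JSFunction>()` is evaluated twice in the new lines at L97–L98, once for the realm comparison and once for the writer call. Binding the function once reads more clearly and matches the `target` local used in EmitCallGetterResultNoGuards in the earlier hunk: `JSFunction* target = &getter->as<JSFunction>();`, `bool sameRealm = cx_->realm() == target->realm();`, `writer.callNativeGetterResult(receiverId, target, sameRealm);`.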
 
 AttachDecision GetPropIRGenerator::tryAttachGenericProxy(
     HandleObject obj, ObjOperandId objId, HandleId id, bool handleDOMProxies) {
--- a/js/src/jit/CacheIR.h
+++ b/js/src/jit/CacheIR.h
@@ -914,20 +914,21 @@ class MOZ_RAII CacheIRWriter : public JS
 
   void callScriptedGetterResult(ValOperandId receiver, JSFunction* getter,
                                 bool sameRealm) {
     MOZ_ASSERT(getter->hasJitEntry());
     uint32_t nargsAndFlags = encodeNargsAndFlags(getter);
     callScriptedGetterResult_(receiver, getter, sameRealm, nargsAndFlags);
   }
 
-  void callNativeGetterResult(ValOperandId receiver, JSFunction* getter) {
+  void callNativeGetterResult(ValOperandId receiver, JSFunction* getter,
+                              bool sameRealm) {
     MOZ_ASSERT(getter->isNativeWithoutJitEntry());
     uint32_t nargsAndFlags = encodeNargsAndFlags(getter);
-    callNativeGetterResult_(receiver, getter, nargsAndFlags);
+    callNativeGetterResult_(receiver, getter, sameRealm, nargsAndFlags);
   }
 
   // These generate no code, but save the template object in a stub
   // field for BaselineInspector.
   void metaNativeTemplateObject(JSFunction* callee, JSObject* templateObject) {
     metaTwoByte_(MetaTwoByteKind::NativeTemplateObject, callee, templateObject);
   }
 
--- a/js/src/jit/CacheIROps.yaml
+++ b/js/src/jit/CacheIROps.yaml
@@ -1827,16 +1827,17 @@
 - name: CallNativeGetterResult
   shared: false
   transpile: false
   cost_estimate: 5
   custom_writer: true
   args:
     receiver: ValId
     getter: ObjectField
+    sameRealm: BoolImm
     nargsAndFlags: RawWordField
 
 - name: ProxyGetResult
   shared: false
   transpile: true
   cost_estimate: 5
   args:
     obj: ObjId
--- a/js/src/jit/IonCacheIRCompiler.cpp
+++ b/js/src/jit/IonCacheIRCompiler.cpp
@@ -969,17 +969,17 @@ bool IonCacheIRCompiler::emitCallScripte
   }
 
   masm.storeCallResultValue(output);
   masm.freeStack(masm.framePushed() - framePushedBefore);
   return true;
 }
 
 bool IonCacheIRCompiler::emitCallNativeGetterResult(
-    ValOperandId receiverId, uint32_t getterOffset,
+    ValOperandId receiverId, uint32_t getterOffset, bool sameRealm,
     uint32_t nargsAndFlagsOffset) {
   JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
   AutoSaveLiveRegisters save(*this);
   AutoOutputRegister output(*this);
 
   ValueOperand receiver = allocator.useValueRegister(masm, receiverId);
 
   JSFunction* target = &objectStubField(getterOffset)->as<JSFunction>();
@@ -1012,33 +1012,33 @@ bool IonCacheIRCompiler::emitCallNativeG
   masm.Push(argUintN);
   pushStubCodePointer();
 
   if (!masm.icBuildOOLFakeExitFrame(GetReturnAddressToIonCode(cx_), save)) {
     return false;
   }
   masm.enterFakeExitFrame(argJSContext, scratch, ExitFrameType::IonOOLNative);
 
-  if (target->realm() != cx_->realm()) {
+  if (!sameRealm) {
     masm.switchToRealm(target->realm(), scratch);
   }
 
   // Construct and execute call.
   masm.setupUnalignedABICall(scratch);
   masm.passABIArg(argJSContext);
   masm.passABIArg(argUintN);
   masm.passABIArg(argVp);
   masm.callWithABI(JS_FUNC_TO_DATA_PTR(void*, target->native()),
                    MoveOp::GENERAL,
                    CheckUnsafeCallWithABI::DontCheckHasExitFrame);
 
   // Test for failure.
   masm.branchIfFalseBool(ReturnReg, masm.exceptionLabel());
 
-  if (target->realm() != cx_->realm()) {
+  if (!sameRealm) {
     masm.switchToRealm(cx_->realm(), ReturnReg);
   }
 
   // Load the outparam vp[0] into output register(s).
   Address outparam(masm.getStackPointer(),
                    IonOOLNativeExitFrameLayout::offsetOfResult());
   masm.loadValue(outparam, output.valueReg());
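Review bot: The realm switch around the native call at L185 and L202 now trusts the attach-time `sameRealm` flag instead of comparing `target->realm()` with `cx_->realm()` as the removed lines did, so a flag that disagrees with the stub's actual getter would run the native in the wrong realm with no check catching it. Since `target` is still loaded from the stub field in the preceding hunk (L174) and `cx_` is available, the old comparison can stay as a debug-only invariant before the first switch: `MOZ_ASSERT(sameRealm == (target->realm() == cx_->realm()));`. This keeps the removed runtime comparison's safety net in debug builds at no cost to the generated code.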