Bug 1885774: Check for revoked proxies inside LoadScriptedProxyHandler r=jandem

This is an optional patch. I wrote it before I realized that it didn't fix the bug. I think it might still be a tiny improvement, because we can unbox directly from memory instead of loading the value into a register first. Differential Revision: https://phabricator.services.mozilla.com/D205655
2024-11-23 21:01:08 +00:00 · 2024-03-27 19:20:30 +00:00 · 2024-03-27 19:20:30 +00:00 · 014783e7a9
commit 014783e7a9
parent c37e2efc87
8 changed files with 29 additions and 23 deletions
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@ -1581,8 +1581,7 @@ AttachDecision GetPropIRGenerator::tryAttachScriptedProxy(

  writer.guardIsProxy(objId);
  writer.guardHasProxyHandler(objId, &ScriptedProxyHandler::singleton);
-  ValOperandId handlerValId = writer.loadScriptedProxyHandler(objId);
-  ObjOperandId handlerObjId = writer.guardToObject(handlerValId);
+  ObjOperandId handlerObjId = writer.loadScriptedProxyHandler(objId);
  ObjOperandId targetObjId =
      writer.loadWrapperTarget(objId, /*fallible =*/true);

--- a/js/src/jit/CacheIRCompiler.cpp
+++ b/js/src/jit/CacheIRCompiler.cpp
@ -2376,19 +2376,23 @@ bool CacheIRCompiler::emitGuardDynamicSlotValue(ObjOperandId objId,
  return true;
 }

-bool CacheIRCompiler::emitLoadScriptedProxyHandler(ValOperandId resultId,
+bool CacheIRCompiler::emitLoadScriptedProxyHandler(ObjOperandId resultId,
                                                   ObjOperandId objId) {
  JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);

  Register obj = allocator.useRegister(masm, objId);
-  ValueOperand output = allocator.defineValueRegister(masm, resultId);
+  Register output = allocator.defineRegister(masm, resultId);
+
+  FailurePath* failure;
+  if (!addFailurePath(&failure)) {
+    return false;
+  }
+
+  masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()), output);
+  Address handlerAddr(output, js::detail::ProxyReservedSlots::offsetOfSlot(
+                                  ScriptedProxyHandler::HANDLER_EXTRA));
+  masm.fallibleUnboxObject(handlerAddr, output, failure->label());

-  masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()),
-               output.scratchReg());
-  masm.loadValue(
-      Address(output.scratchReg(), js::detail::ProxyReservedSlots::offsetOfSlot(
-                                       ScriptedProxyHandler::HANDLER_EXTRA)),
-      output);
  return true;
 }

--- a/js/src/jit/CacheIROps.yaml
+++ b/js/src/jit/CacheIROps.yaml
@ -708,7 +708,7 @@
  transpile: true
  cost_estimate: 1
  args:
-    result: ValId
+    result: ObjId
    obj: ObjId

 - name: IdToStringOrSymbol
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@ -15857,15 +15857,16 @@ void CodeGenerator::visitMegamorphicSetElement(LMegamorphicSetElement* lir) {

 void CodeGenerator::visitLoadScriptedProxyHandler(
    LLoadScriptedProxyHandler* ins) {
-  const Register obj = ToRegister(ins->getOperand(0));
-  ValueOperand output = ToOutValue(ins);
+  Register obj = ToRegister(ins->getOperand(0));
+  Register output = ToRegister(ins->output());

-  masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()),
-               output.scratchReg());
-  masm.loadValue(
-      Address(output.scratchReg(), js::detail::ProxyReservedSlots::offsetOfSlot(
-                                       ScriptedProxyHandler::HANDLER_EXTRA)),
-      output);
+  masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()), output);
+
+  Label bail;
+  Address handlerAddr(output, js::detail::ProxyReservedSlots::offsetOfSlot(
+                                  ScriptedProxyHandler::HANDLER_EXTRA));
+  masm.fallibleUnboxObject(handlerAddr, output, &bail);
+  bailoutFrom(&bail, ins->snapshot());
 }

 #ifdef JS_PUNBOX64
--- a/js/src/jit/LIROps.yaml
+++ b/js/src/jit/LIROps.yaml
@ -2189,7 +2189,7 @@
  mir_op: ClampToUint8

 - name: LoadScriptedProxyHandler
-  result_type: BoxedValue
+  result_type: WordSized
  operands:
    object: WordSized
  mir_op: true
--- a/js/src/jit/Lowering.cpp
+++ b/js/src/jit/Lowering.cpp
@ -4688,7 +4688,8 @@ void LIRGenerator::visitLoadScriptedProxyHandler(
    MLoadScriptedProxyHandler* ins) {
  LLoadScriptedProxyHandler* lir = new (alloc())
      LLoadScriptedProxyHandler(useRegisterAtStart(ins->object()));
-  defineBox(lir, ins);
+  assignSnapshot(lir, ins->bailoutKind());
+  define(lir, ins);
 }

 void LIRGenerator::visitIdToStringOrSymbol(MIdToStringOrSymbol* ins) {
--- a/js/src/jit/MIROps.yaml
+++ b/js/src/jit/MIROps.yaml
@ -539,7 +539,8 @@
 - name: LoadScriptedProxyHandler
  operands:
    object: Object
-  result_type: Value
+  result_type: Object
+  guard: true
  congruent_to: if_operands_equal
  alias_set: none

--- a/js/src/jit/WarpCacheIRTranspiler.cpp
+++ b/js/src/jit/WarpCacheIRTranspiler.cpp
@ -977,7 +977,7 @@ bool WarpCacheIRTranspiler::emitGuardDynamicSlotValue(ObjOperandId objId,
  return true;
 }

-bool WarpCacheIRTranspiler::emitLoadScriptedProxyHandler(ValOperandId resultId,
+bool WarpCacheIRTranspiler::emitLoadScriptedProxyHandler(ObjOperandId resultId,
                                                         ObjOperandId objId) {
  MDefinition* obj = getOperand(objId);