Bug 1851416 - Properly guard that the proxy hasn't been revoked r=iain

Maybe a little bit alarming how simple this testcase is. Differential Revision: https://phabricator.services.mozilla.com/D187511
2024-10-08 19:04:45 +00:00 · 2023-09-06 16:06:25 +00:00 · 2023-09-06 16:06:25 +00:00 · 3b66ad25bb
commit 3b66ad25bb
parent 61aca7cda4
5 changed files with 33 additions and 8 deletions
--- a/js/src/jit-test/tests/proxy/testDirectProxyGet14.js
+++ b/js/src/jit-test/tests/proxy/testDirectProxyGet14.js
@ -0,0 +1,22 @@
+load(libdir + "asserts.js");
+
+var target = {x: 5};
+var returnValue = 42;
+var handler = {
+  get(t, p) {
+    return returnValue;
+  }
+};
+var {proxy, revoke} = Proxy.revocable(target, handler);
+
+function testGet(p) {
+  return p.x;
+}
+
+for (i = 0; i < 200; i++) {
+  assertEq(testGet(proxy), returnValue);
+}
+
+assertEq(testGet(proxy), returnValue);
+revoke();
+assertThrowsInstanceOf(function () { testGet(proxy) }, TypeError);
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@ -1560,7 +1560,8 @@ AttachDecision GetPropIRGenerator::tryAttachScriptedProxy(

  writer.guardIsProxy(objId);
  writer.guardHasProxyHandler(objId, &ScriptedProxyHandler::singleton);
-  ObjOperandId handlerObjId = writer.loadScriptedProxyHandler(objId);
+  ValOperandId handlerValId = writer.loadScriptedProxyHandler(objId);
+  ObjOperandId handlerObjId = writer.guardToObject(handlerValId);
  ObjOperandId targetObjId = writer.loadWrapperTarget(objId);

  if (trapKind == NativeGetPropKind::Missing) {
--- a/js/src/jit/CacheIRCompiler.cpp
+++ b/js/src/jit/CacheIRCompiler.cpp
@ -2253,17 +2253,19 @@ bool CacheIRCompiler::emitGuardDynamicSlotValue(ObjOperandId objId,
  return true;
 }

-bool CacheIRCompiler::emitLoadScriptedProxyHandler(ObjOperandId resultId,
+bool CacheIRCompiler::emitLoadScriptedProxyHandler(ValOperandId resultId,
                                                   ObjOperandId objId) {
  JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);

  Register obj = allocator.useRegister(masm, objId);
-  Register output = allocator.defineRegister(masm, resultId);
+  ValueOperand output = allocator.defineValueRegister(masm, resultId);

-  masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()), output);
-  masm.unboxObject(Address(output, js::detail::ProxyReservedSlots::offsetOfSlot(
+  masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()),
+               output.scratchReg());
+  masm.loadValue(
+      Address(output.scratchReg(), js::detail::ProxyReservedSlots::offsetOfSlot(
                                       ScriptedProxyHandler::HANDLER_EXTRA)),
-                   output);
+      output);
  return true;
 }

--- a/js/src/jit/CacheIROps.yaml
+++ b/js/src/jit/CacheIROps.yaml
@ -668,7 +668,7 @@
  transpile: true
  cost_estimate: 1
  args:
-    result: ObjId
+    result: ValId
    obj: ObjId

 - name: IdToStringOrSymbol
--- a/js/src/jit/WarpCacheIRTranspiler.cpp
+++ b/js/src/jit/WarpCacheIRTranspiler.cpp
@ -912,7 +912,7 @@ bool WarpCacheIRTranspiler::emitGuardDynamicSlotValue(ObjOperandId objId,
  return true;
 }

-bool WarpCacheIRTranspiler::emitLoadScriptedProxyHandler(ObjOperandId resultId,
+bool WarpCacheIRTranspiler::emitLoadScriptedProxyHandler(ValOperandId resultId,
                                                         ObjOperandId objId) {
  MDefinition* obj = getOperand(objId);