Bug 1636869: Disable LoadTypedArrayLengthResult when TI/Ion are enabled. r=evilpie

Differential Revision: https://phabricator.services.mozilla.com/D74604

js/src/jit/BaselineInspector.cpp

@@ -975,7 +975,7 @@ static bool AddCacheIRGetPropFunction(
   //   [..Id Guard..]
   //   [..WindowProxy innerization..]
   //   <GuardReceiver objId>
-  //   Call(Scripted|Native)GetterResult objId
+  //   (Call(Scripted|Native)Getter|TypedArrayLength)Result objId
   //
   // Or a getter on the prototype:
   //
@@ -985,7 +985,7 @@ static bool AddCacheIRGetPropFunction(
   //   <GuardReceiver objId>
   //   LoadObject holderId
   //   GuardShape holderId
-  //   Call(Scripted|Native)GetterResult objId
+  //   (Call(Scripted|Native)Getter|TypedArrayLength)Result objId
   //
   // If |innerized| is true, we replaced a WindowProxy with the Window
   // object and we're only interested in Baseline getter stubs that performed
@@ -1044,7 +1044,8 @@ static bool AddCacheIRGetPropFunction(
   }
 
   if (reader.matchOp(CacheOp::CallScriptedGetterResult, objId) ||
-      reader.matchOp(CacheOp::CallNativeGetterResult, objId)) {
+      reader.matchOp(CacheOp::CallNativeGetterResult, objId) ||
+      reader.matchOp(CacheOp::LoadTypedArrayLengthResult, objId)) {
     // This is an own property getter, the first case.
     MOZ_ASSERT(receiver.getShape());
     MOZ_ASSERT(!receiver.getGroup());
@@ -1081,7 +1082,8 @@ static bool AddCacheIRGetPropFunction(
       stub->stubInfo()->getStubField<Shape*>(stub, reader.stubOffset());
 
   if (!reader.matchOp(CacheOp::CallScriptedGetterResult, objId) &&
-      !reader.matchOp(CacheOp::CallNativeGetterResult, objId)) {
+      !reader.matchOp(CacheOp::CallNativeGetterResult, objId) &&
+      !reader.matchOp(CacheOp::LoadTypedArrayLengthResult, objId)) {
     return false;
   }
 

js/src/jit/CacheIR.cpp

@@ -1814,10 +1814,12 @@ AttachDecision GetPropIRGenerator::tryAttachTypedArrayLength(HandleObject obj,
   }
 
   maybeEmitIdGuard(id);
-  // Emit all the normal guards for calling this native,
-  // but specialize callNativeGetterResult.
+  // Emit all the normal guards for calling this native, but specialize
+  // callNativeGetterResult. Also store the getter itself to enable
+  // AddCacheIRGetPropFunction to read it from the IC stub, which is needed for
+  // Ion-inlining.
   EmitCallGetterResultGuards(writer, obj, holder, shape, objId, mode_);
-  writer.loadTypedArrayLengthResult(objId);
+  writer.loadTypedArrayLengthResult(objId, &fun);
   writer.returnFromIC();
 
   trackAttached("TypedArrayLength");

js/src/jit/CacheIRCompiler.cpp

@@ -3078,7 +3078,8 @@ bool CacheIRCompiler::emitLoadArgumentsObjectLengthResult(ObjOperandId objId) {
   return true;
 }
 
-bool CacheIRCompiler::emitLoadTypedArrayLengthResult(ObjOperandId objId) {
+bool CacheIRCompiler::emitLoadTypedArrayLengthResult(ObjOperandId objId,
+                                                     uint32_t getterOffset) {
   JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
   AutoOutputRegister output(*this);
   Register obj = allocator.useRegister(masm, objId);

js/src/jit/CacheIROps.yaml

@@ -912,6 +912,7 @@
   transpile: true
   args:
     obj: ObjId
+    getter: ObjectField
 
 - name: LoadStringCharResult
   shared: true

js/src/jit/WarpCacheIRTranspiler.cpp

@@ -481,7 +481,8 @@ bool WarpCacheIRTranspiler::emitLoadInt32ArrayLengthResult(ObjOperandId objId) {
   return true;
 }
 
-bool WarpCacheIRTranspiler::emitLoadTypedArrayLengthResult(ObjOperandId objId) {
+bool WarpCacheIRTranspiler::emitLoadTypedArrayLengthResult(
+    ObjOperandId objId, uint32_t getterOffset) {
   MDefinition* obj = getOperand(objId);
 
   auto* length = MTypedArrayLength::New(alloc(), obj);