Bug 1851872 part 2 - Use weak GetterSetter pointer for GuardHasGetterSetter. r=iain

Differential Revision: https://phabricator.services.mozilla.com/D187580
2024-10-08 19:04:45 +00:00 · 2023-09-07 12:29:08 +00:00 · 2023-09-07 12:29:08 +00:00 · e3cea5c34e
commit e3cea5c34e
parent 58cf76e4be
10 changed files with 45 additions and 23 deletions
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@ -198,7 +198,8 @@ Shape* CacheIRCloner::getWeakShapeField(uint32_t stubOffset) {
  // No barrier is required to clone a weak pointer.
  return reinterpret_cast<Shape*>(readStubWord(stubOffset));
 }
-GetterSetter* CacheIRCloner::getGetterSetterField(uint32_t stubOffset) {
+GetterSetter* CacheIRCloner::getWeakGetterSetterField(uint32_t stubOffset) {
+  // No barrier is required to clone a weak pointer.
  return reinterpret_cast<GetterSetter*>(readStubWord(stubOffset));
 }
 JSObject* CacheIRCloner::getObjectField(uint32_t stubOffset) {
--- a/js/src/jit/CacheIR.h
+++ b/js/src/jit/CacheIR.h
@ -236,7 +236,7 @@ class StubField {
    RawPointer,
    Shape,
    WeakShape,
-    GetterSetter,
+    WeakGetterSetter,
    JSObject,
    WeakObject,
    Symbol,
--- a/js/src/jit/CacheIRCloner.h
+++ b/js/src/jit/CacheIRCloner.h
@ -61,7 +61,7 @@ class MOZ_RAII CacheIRCloner {

  Shape* getShapeField(uint32_t stubOffset);
  Shape* getWeakShapeField(uint32_t stubOffset);
-  GetterSetter* getGetterSetterField(uint32_t stubOffset);
+  GetterSetter* getWeakGetterSetterField(uint32_t stubOffset);
  JSObject* getObjectField(uint32_t stubOffset);
  JSObject* getWeakObjectField(uint32_t stubOffset);
  JSString* getStringField(uint32_t stubOffset);
--- a/js/src/jit/CacheIRCompiler.cpp
+++ b/js/src/jit/CacheIRCompiler.cpp
@ -1146,7 +1146,8 @@ void CacheIRWriter::copyStubData(uint8_t* dest) const {
        // No read barrier required to copy weak pointer.
        InitGCPtr<Shape*>(destWords, field.asWord());
        break;
-      case StubField::Type::GetterSetter:
+      case StubField::Type::WeakGetterSetter:
+        // No read barrier required to copy weak pointer.
        InitGCPtr<GetterSetter*>(destWords, field.asWord());
        break;
      case StubField::Type::JSObject:
@ -1231,9 +1232,12 @@ void jit::TraceCacheIRStub(JSTracer* trc, T* stub,
          }
        }
        break;
-      case StubField::Type::GetterSetter:
-        TraceEdge(trc, &stubInfo->getStubField<T, GetterSetter*>(stub, offset),
-                  "cacheir-getter-setter");
+      case StubField::Type::WeakGetterSetter:
+        if (ShouldTraceWeakEdgeInStub<T>(trc)) {
+          TraceNullableEdge(
+              trc, &stubInfo->getStubField<T, GetterSetter*>(stub, offset),
+              "cacheir-weak-getter-setter");
+        }
        break;
      case StubField::Type::JSObject: {
        TraceEdge(trc, &stubInfo->getStubField<T, JSObject*>(stub, offset),
@ -1329,12 +1333,21 @@ bool jit::TraceWeakCacheIRStub(JSTracer* trc, T* stub,
        }
        break;
      }
+      case StubField::Type::WeakGetterSetter: {
+        GCPtr<GetterSetter*>& getterSetterField =
+            stubInfo->getStubField<T, GetterSetter*>(stub, offset);
+        auto r = TraceWeakEdge(trc, &getterSetterField,
+                               "cacheir-weak-getter-setter");
+        if (r.isDead()) {
+          return false;
+        }
+        break;
+      }
      case StubField::Type::Limit:
        return true;  // Done.
      case StubField::Type::RawInt32:
      case StubField::Type::RawPointer:
      case StubField::Type::Shape:
-      case StubField::Type::GetterSetter:
      case StubField::Type::JSObject:
      case StubField::Type::Symbol:
      case StubField::Type::String:
@ -7568,8 +7581,8 @@ void CacheIRCompiler::emitLoadStubFieldConstant(StubFieldOffset val,
    case StubField::Type::Shape:
      masm.movePtr(ImmGCPtr(shapeStubField(val.getOffset())), dest);
      break;
-    case StubField::Type::GetterSetter:
-      masm.movePtr(ImmGCPtr(getterSetterStubField(val.getOffset())), dest);
+    case StubField::Type::WeakGetterSetter:
+      masm.movePtr(ImmGCPtr(weakGetterSetterStubField(val.getOffset())), dest);
      break;
    case StubField::Type::String:
      masm.movePtr(ImmGCPtr(stringStubField(val.getOffset())), dest);
@ -7609,7 +7622,7 @@ void CacheIRCompiler::emitLoadStubField(StubFieldOffset val, Register dest) {
    switch (val.getStubFieldType()) {
      case StubField::Type::RawPointer:
      case StubField::Type::Shape:
-      case StubField::Type::GetterSetter:
+      case StubField::Type::WeakGetterSetter:
      case StubField::Type::JSObject:
      case StubField::Type::Symbol:
      case StubField::Type::String:
@ -7811,7 +7824,7 @@ bool CacheIRCompiler::emitGuardHasGetterSetter(ObjOperandId objId,

  StubFieldOffset id(idOffset, StubField::Type::Id);
  StubFieldOffset getterSetter(getterSetterOffset,
-                               StubField::Type::GetterSetter);
+                               StubField::Type::WeakGetterSetter);

  AutoScratchRegister scratch1(allocator, masm);
  AutoScratchRegister scratch2(allocator, masm);
--- a/js/src/jit/CacheIRCompiler.h
+++ b/js/src/jit/CacheIRCompiler.h
@ -902,9 +902,12 @@ class MOZ_RAII CacheIRCompiler {
    gc::ReadBarrier(shape);
    return shape;
  }
-  GetterSetter* getterSetterStubField(uint32_t offset) {
+  GetterSetter* weakGetterSetterStubField(uint32_t offset) {
    MOZ_ASSERT(stubFieldPolicy_ == StubFieldPolicy::Constant);
-    return (GetterSetter*)readStubWord(offset, StubField::Type::GetterSetter);
+    GetterSetter* gs =
+        (GetterSetter*)readStubWord(offset, StubField::Type::WeakGetterSetter);
+    gc::ReadBarrier(gs);
+    return gs;
  }
  JSObject* objectStubField(uint32_t offset) {
    MOZ_ASSERT(stubFieldPolicy_ == StubFieldPolicy::Constant);
--- a/js/src/jit/CacheIROps.yaml
+++ b/js/src/jit/CacheIROps.yaml
@ -578,7 +578,7 @@
  args:
    obj: ObjId
    id: IdField
-    getterSetter: GetterSetterField
+    getterSetter: WeakGetterSetterField

 - name: GuardInt32IsNonNegative
  shared: true
--- a/js/src/jit/CacheIRWriter.h
+++ b/js/src/jit/CacheIRWriter.h
@ -198,9 +198,9 @@ class MOZ_RAII CacheIRWriter : public JS::CustomAutoRooter {
    assertSameZone(shape);
    addStubField(uintptr_t(shape), StubField::Type::WeakShape);
  }
-  void writeGetterSetterField(GetterSetter* gs) {
+  void writeWeakGetterSetterField(GetterSetter* gs) {
    MOZ_ASSERT(gs);
-    addStubField(uintptr_t(gs), StubField::Type::GetterSetter);
+    addStubField(uintptr_t(gs), StubField::Type::WeakGetterSetter);
  }
  void writeObjectField(JSObject* obj) {
    MOZ_ASSERT(obj);
--- a/js/src/jit/GenerateCacheIRFiles.py
+++ b/js/src/jit/GenerateCacheIRFiles.py
@ -78,7 +78,7 @@ arg_writer_info = {
    "RawId": ("OperandId", "writeOperandId"),
    "ShapeField": ("Shape*", "writeShapeField"),
    "WeakShapeField": ("Shape*", "writeWeakShapeField"),
-    "GetterSetterField": ("GetterSetter*", "writeGetterSetterField"),
+    "WeakGetterSetterField": ("GetterSetter*", "writeWeakGetterSetterField"),
    "ObjectField": ("JSObject*", "writeObjectField"),
    "WeakObjectField": ("JSObject*", "writeWeakObjectField"),
    "StringField": ("JSString*", "writeStringField"),
@ -179,7 +179,7 @@ arg_reader_info = {
    "RawId": ("uint32_t", "Id", "reader.rawOperandId()"),
    "ShapeField": ("uint32_t", "Offset", "reader.stubOffset()"),
    "WeakShapeField": ("uint32_t", "Offset", "reader.stubOffset()"),
-    "GetterSetterField": ("uint32_t", "Offset", "reader.stubOffset()"),
+    "WeakGetterSetterField": ("uint32_t", "Offset", "reader.stubOffset()"),
    "ObjectField": ("uint32_t", "Offset", "reader.stubOffset()"),
    "WeakObjectField": ("uint32_t", "Offset", "reader.stubOffset()"),
    "StringField": ("uint32_t", "Offset", "reader.stubOffset()"),
@ -266,7 +266,7 @@ arg_spewer_method = {
    "RawId": "spewRawOperandId",
    "ShapeField": "spewField",
    "WeakShapeField": "spewField",
-    "GetterSetterField": "spewField",
+    "WeakGetterSetterField": "spewField",
    "ObjectField": "spewField",
    "WeakObjectField": "spewField",
    "StringField": "spewField",
@ -404,7 +404,7 @@ arg_length = {
    "RawId": 1,
    "ShapeField": 1,
    "WeakShapeField": 1,
-    "GetterSetterField": 1,
+    "WeakGetterSetterField": 1,
    "ObjectField": 1,
    "WeakObjectField": 1,
    "StringField": 1,
--- a/js/src/jit/WarpOracle.cpp
+++ b/js/src/jit/WarpOracle.cpp
@ -1177,10 +1177,14 @@ bool WarpScriptOracle::replaceNurseryAndAllocSitePointers(
        gc::ExposeGCThingToActiveJS(JS::GCCellPtr(shape));
        break;
      }
-      case StubField::Type::GetterSetter:
+      case StubField::Type::WeakGetterSetter: {
        static_assert(std::is_convertible_v<GetterSetter*, gc::TenuredCell*>,
                      "Code assumes GetterSetters are tenured");
+        GetterSetter* gs =
+            stubInfo->getStubField<ICCacheIRStub, GetterSetter*>(stub, offset);
+        gc::ExposeGCThingToActiveJS(JS::GCCellPtr(gs));
        break;
+      }
      case StubField::Type::Symbol:
        static_assert(std::is_convertible_v<JS::Symbol*, gc::TenuredCell*>,
                      "Code assumes symbols are tenured");
--- a/js/src/jit/WarpSnapshot.cpp
+++ b/js/src/jit/WarpSnapshot.cpp
@ -342,7 +342,8 @@ void WarpCacheIR::traceData(JSTracer* trc) {
          TraceWarpStubPtr<Shape>(trc, word, "warp-cacheir-shape");
          break;
        }
-        case StubField::Type::GetterSetter: {
+        case StubField::Type::WeakGetterSetter: {
+          // WeakGetterSetter pointers are traced strongly in this context.
          uintptr_t word = stubInfo_->getStubRawWord(stubData_, offset);
          TraceWarpStubPtr<GetterSetter>(trc, word,
                                         "warp-cacheir-getter-setter");