Bug 1721333 part 8 - Use a reserved slot instead of private slot for PropertyIteratorObject. r=jonco

Depends on D120313 Differential Revision: https://phabricator.services.mozilla.com/D120314
2021-07-20 11:28:47 +00:00 · 2021-07-20 11:28:47 +00:00 · 746328e880
--- a/js/src/jit/BaselineCacheIRCompiler.cpp
+++ b/js/src/jit/BaselineCacheIRCompiler.cpp
@ -1739,8 +1739,9 @@ bool BaselineCacheIRCompiler::emitGuardAndGetIterator(

  // Load our PropertyIteratorObject* and its NativeIterator.
  masm.loadPtr(iterAddr, output);
-  masm.loadObjPrivate(output, PropertyIteratorObject::NUM_FIXED_SLOTS,
-                      niScratch);
+
+  Address slotAddr(output, PropertyIteratorObject::offsetOfIteratorSlot());
+  masm.loadPrivate(slotAddr, niScratch);

  // Ensure the iterator is reusable: see NativeIterator::isReusable.
  masm.branchIfNativeIteratorNotReusable(niScratch, failure->label());
--- a/js/src/jit/IonCacheIRCompiler.cpp
+++ b/js/src/jit/IonCacheIRCompiler.cpp
@ -1708,8 +1708,9 @@ bool IonCacheIRCompiler::emitGuardAndGetIterator(ObjOperandId objId,

  // Load our PropertyIteratorObject* and its NativeIterator.
  masm.movePtr(ImmGCPtr(iterobj), output);
-  masm.loadObjPrivate(output, PropertyIteratorObject::NUM_FIXED_SLOTS,
-                      niScratch);
+
+  Address slotAddr(output, PropertyIteratorObject::offsetOfIteratorSlot());
+  masm.loadPrivate(slotAddr, niScratch);

  // Ensure the iterator is reusable: see NativeIterator::isReusable.
  masm.branchIfNativeIteratorNotReusable(niScratch, failure->label());
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@ -4518,7 +4518,8 @@ static void LoadNativeIterator(MacroAssembler& masm, Register obj,
 #endif

  // Load NativeIterator object.
-  masm.loadObjPrivate(obj, PropertyIteratorObject::NUM_FIXED_SLOTS, dest);
+  Address slotAddr(obj, PropertyIteratorObject::offsetOfIteratorSlot());
+  masm.loadPrivate(slotAddr, dest);
 }

 void MacroAssembler::iteratorMore(Register obj, ValueOperand output,
--- a/js/src/jit/MacroAssembler.h
+++ b/js/src/jit/MacroAssembler.h
@ -4277,10 +4277,6 @@ class MacroAssembler : public MacroAssemblerSpecific {
  template <typename T>
  void storeObjPrivate(T src, const Address& address);

-  void loadObjPrivate(Register obj, uint32_t nfixed, Register dest) {
-    loadPtr(Address(obj, NativeObject::getPrivateDataOffset(nfixed)), dest);
-  }
-
  void loadObjProto(Register obj, Register dest) {
    loadPtr(Address(obj, JSObject::offsetOfShape()), dest);
    loadPtr(Address(dest, Shape::offsetOfBaseShape()), dest);
--- a/js/src/vm/Iteration.cpp
+++ b/js/src/vm/Iteration.cpp
@ -598,8 +598,6 @@ static PropertyIteratorObject* NewPropertyIteratorObject(JSContext* cx) {
  // CodeGenerator::visitIteratorStartO assumes the iterator object is not
  // inside the nursery when deciding whether a barrier is necessary.
  MOZ_ASSERT(!js::gc::IsInsideNursery(res));
-
-  MOZ_ASSERT(res->numFixedSlots() == PropertyIteratorObject::NUM_FIXED_SLOTS);
  return res;
 }

@ -716,7 +714,7 @@ NativeIterator::NativeIterator(JSContext* cx,
  //       because it has GCPtr fields whose barriers have already fired; the
  //       store buffer has pointers to them. Only the GC can free `this` (via
  //       PropertyIteratorObject::finalize).
-  propIter->setNativeIterator(this);
+  propIter->initNativeIterator(this);

  // The GC asserts on finalization that `this->allocationSize()` matches the
  // `nbytes` passed to `AddCellMemory`. So once these lines run, we must make
@ -1114,7 +1112,8 @@ const JSClassOps PropertyIteratorObject::classOps_ = {
 };

 const JSClass PropertyIteratorObject::class_ = {
-    "Iterator", JSCLASS_HAS_PRIVATE | JSCLASS_BACKGROUND_FINALIZE,
+    "Iterator",
+    JSCLASS_HAS_RESERVED_SLOTS(SlotCount) | JSCLASS_BACKGROUND_FINALIZE,
    &PropertyIteratorObject::classOps_};

 static const JSClass ArrayIteratorPrototypeClass = {"Array Iterator", 0};
--- a/js/src/vm/Iteration.h
+++ b/js/src/vm/Iteration.h
@ -365,20 +365,24 @@ struct NativeIterator {
 class PropertyIteratorObject : public NativeObject {
  static const JSClassOps classOps_;

+  enum { IteratorSlot, SlotCount };
+
 public:
  static const JSClass class_;

-  // We don't use the fixed slot but the JITs use this constant to load the
-  // private value (the NativeIterator*).
-  static const uint32_t NUM_FIXED_SLOTS = 1;
-
  NativeIterator* getNativeIterator() const {
-    return static_cast<js::NativeIterator*>(getPrivate());
+    return maybePtrFromReservedSlot<NativeIterator>(IteratorSlot);
+  }
+  void initNativeIterator(js::NativeIterator* ni) {
+    initReservedSlot(IteratorSlot, PrivateValue(ni));
  }
-  void setNativeIterator(js::NativeIterator* ni) { setPrivate(ni); }

  size_t sizeOfMisc(mozilla::MallocSizeOf mallocSizeOf) const;

+  static size_t offsetOfIteratorSlot() {
+    return getFixedSlotOffset(IteratorSlot);
+  }
+
 private:
  static void trace(JSTracer* trc, JSObject* obj);
  static void finalize(JSFreeOp* fop, JSObject* obj);