From 746328e8809e5f9434dd928178c532a4dd87a110 Mon Sep 17 00:00:00 2001 From: Jan de Mooij Date: Tue, 20 Jul 2021 11:28:47 +0000 Subject: [PATCH] Bug 1721333 part 8 - Use a reserved slot instead of private slot for PropertyIteratorObject. r=jonco Depends on D120313 Differential Revision: https://phabricator.services.mozilla.com/D120314 --- js/src/jit/BaselineCacheIRCompiler.cpp | 5 +++-- js/src/jit/IonCacheIRCompiler.cpp | 5 +++-- js/src/jit/MacroAssembler.cpp | 3 ++- js/src/jit/MacroAssembler.h | 4 ---- js/src/vm/Iteration.cpp | 7 +++---- js/src/vm/Iteration.h | 16 ++++++++++------ 6 files changed, 21 insertions(+), 19 deletions(-) diff --git a/js/src/jit/BaselineCacheIRCompiler.cpp b/js/src/jit/BaselineCacheIRCompiler.cpp index 303b7d82fd71..13f1d2d22c58 100644 --- a/js/src/jit/BaselineCacheIRCompiler.cpp +++ b/js/src/jit/BaselineCacheIRCompiler.cpp @@ -1739,8 +1739,9 @@ bool BaselineCacheIRCompiler::emitGuardAndGetIterator( // Load our PropertyIteratorObject* and its NativeIterator. masm.loadPtr(iterAddr, output); - masm.loadObjPrivate(output, PropertyIteratorObject::NUM_FIXED_SLOTS, - niScratch); + + Address slotAddr(output, PropertyIteratorObject::offsetOfIteratorSlot()); + masm.loadPrivate(slotAddr, niScratch); // Ensure the iterator is reusable: see NativeIterator::isReusable. masm.branchIfNativeIteratorNotReusable(niScratch, failure->label()); diff --git a/js/src/jit/IonCacheIRCompiler.cpp b/js/src/jit/IonCacheIRCompiler.cpp index 0ff8caa030fe..ac0e43a4b4af 100644 --- a/js/src/jit/IonCacheIRCompiler.cpp +++ b/js/src/jit/IonCacheIRCompiler.cpp @@ -1708,8 +1708,9 @@ bool IonCacheIRCompiler::emitGuardAndGetIterator(ObjOperandId objId, // Load our PropertyIteratorObject* and its NativeIterator. masm.movePtr(ImmGCPtr(iterobj), output); - masm.loadObjPrivate(output, PropertyIteratorObject::NUM_FIXED_SLOTS, - niScratch); + + Address slotAddr(output, PropertyIteratorObject::offsetOfIteratorSlot()); + masm.loadPrivate(slotAddr, niScratch); // Ensure the iterator is reusable: see NativeIterator::isReusable. masm.branchIfNativeIteratorNotReusable(niScratch, failure->label()); diff --git a/js/src/jit/MacroAssembler.cpp b/js/src/jit/MacroAssembler.cpp index 7c0a428761dc..4f7828815a3a 100644 --- a/js/src/jit/MacroAssembler.cpp +++ b/js/src/jit/MacroAssembler.cpp @@ -4518,7 +4518,8 @@ static void LoadNativeIterator(MacroAssembler& masm, Register obj, #endif // Load NativeIterator object. - masm.loadObjPrivate(obj, PropertyIteratorObject::NUM_FIXED_SLOTS, dest); + Address slotAddr(obj, PropertyIteratorObject::offsetOfIteratorSlot()); + masm.loadPrivate(slotAddr, dest); } void MacroAssembler::iteratorMore(Register obj, ValueOperand output, diff --git a/js/src/jit/MacroAssembler.h b/js/src/jit/MacroAssembler.h index 99a8460d911a..8aab2e4f60f3 100644 --- a/js/src/jit/MacroAssembler.h +++ b/js/src/jit/MacroAssembler.h @@ -4277,10 +4277,6 @@ class MacroAssembler : public MacroAssemblerSpecific { template void storeObjPrivate(T src, const Address& address); - void loadObjPrivate(Register obj, uint32_t nfixed, Register dest) { - loadPtr(Address(obj, NativeObject::getPrivateDataOffset(nfixed)), dest); - } - void loadObjProto(Register obj, Register dest) { loadPtr(Address(obj, JSObject::offsetOfShape()), dest); loadPtr(Address(dest, Shape::offsetOfBaseShape()), dest); diff --git a/js/src/vm/Iteration.cpp b/js/src/vm/Iteration.cpp index b552e9225851..48b8b80f1509 100644 --- a/js/src/vm/Iteration.cpp +++ b/js/src/vm/Iteration.cpp @@ -598,8 +598,6 @@ static PropertyIteratorObject* NewPropertyIteratorObject(JSContext* cx) { // CodeGenerator::visitIteratorStartO assumes the iterator object is not // inside the nursery when deciding whether a barrier is necessary. MOZ_ASSERT(!js::gc::IsInsideNursery(res)); - - MOZ_ASSERT(res->numFixedSlots() == PropertyIteratorObject::NUM_FIXED_SLOTS); return res; } @@ -716,7 +714,7 @@ NativeIterator::NativeIterator(JSContext* cx, // because it has GCPtr fields whose barriers have already fired; the // store buffer has pointers to them. Only the GC can free `this` (via // PropertyIteratorObject::finalize). - propIter->setNativeIterator(this); + propIter->initNativeIterator(this); // The GC asserts on finalization that `this->allocationSize()` matches the // `nbytes` passed to `AddCellMemory`. So once these lines run, we must make @@ -1114,7 +1112,8 @@ const JSClassOps PropertyIteratorObject::classOps_ = { }; const JSClass PropertyIteratorObject::class_ = { - "Iterator", JSCLASS_HAS_PRIVATE | JSCLASS_BACKGROUND_FINALIZE, + "Iterator", + JSCLASS_HAS_RESERVED_SLOTS(SlotCount) | JSCLASS_BACKGROUND_FINALIZE, &PropertyIteratorObject::classOps_}; static const JSClass ArrayIteratorPrototypeClass = {"Array Iterator", 0}; diff --git a/js/src/vm/Iteration.h b/js/src/vm/Iteration.h index 80b28816f00c..b4bd8bf4baa9 100644 --- a/js/src/vm/Iteration.h +++ b/js/src/vm/Iteration.h @@ -365,20 +365,24 @@ struct NativeIterator { class PropertyIteratorObject : public NativeObject { static const JSClassOps classOps_; + enum { IteratorSlot, SlotCount }; + public: static const JSClass class_; - // We don't use the fixed slot but the JITs use this constant to load the - // private value (the NativeIterator*). - static const uint32_t NUM_FIXED_SLOTS = 1; - NativeIterator* getNativeIterator() const { - return static_cast(getPrivate()); + return maybePtrFromReservedSlot(IteratorSlot); + } + void initNativeIterator(js::NativeIterator* ni) { + initReservedSlot(IteratorSlot, PrivateValue(ni)); } - void setNativeIterator(js::NativeIterator* ni) { setPrivate(ni); } size_t sizeOfMisc(mozilla::MallocSizeOf mallocSizeOf) const; + static size_t offsetOfIteratorSlot() { + return getFixedSlotOffset(IteratorSlot); + } + private: static void trace(JSTracer* trc, JSObject* obj); static void finalize(JSFreeOp* fop, JSObject* obj);