Bug 1461938 part 31 - Move detachedTypedObjects flag to JS::Zone. r=jwalden

js/src/gc/Zone.h

@@ -698,6 +698,13 @@ struct Zone : public JS::shadow::Zone,
         return p;
     }
 
+    // Non-zero if the storage underlying any typed object in this zone might
+    // be detached. This is stored in Zone because IC stubs bake in a pointer
+    // to this field and Baseline IC code is shared across realms within a
+    // Zone. Furthermore, it's not entirely clear if this flag is ever set to
+    // a non-zero value since bug 1458011.
+    uint32_t detachedTypedObjects = 0;
+
   private:
     js::ZoneData<js::jit::JitZone*> jitZone_;
 

js/src/jit/CacheIR.cpp

@@ -1604,7 +1604,7 @@ GetPropIRGenerator::tryAttachTypedObject(HandleObject obj, ObjOperandId objId, H
     if (!obj->is<TypedObject>())
         return false;
 
-    if (!cx_->runtime()->jitSupportsFloatingPoint || cx_->compartment()->detachedTypedObjects)
+    if (!cx_->runtime()->jitSupportsFloatingPoint || cx_->zone()->detachedTypedObjects)
         return false;
 
     TypedObject* typedObj = &obj->as<TypedObject>();
@@ -2070,7 +2070,7 @@ GetPropIRGenerator::tryAttachTypedElement(HandleObject obj, ObjOperandId objId,
 
     // Don't attach typed object stubs if the underlying storage could be
     // detached, as the stub will always bail out.
-    if (IsPrimitiveArrayTypedObject(obj) && cx_->compartment()->detachedTypedObjects)
+    if (IsPrimitiveArrayTypedObject(obj) && cx_->zone()->detachedTypedObjects)
         return false;
 
     TypedThingLayout layout = GetTypedThingLayout(obj->getClass());
@@ -3296,7 +3296,7 @@ SetPropIRGenerator::tryAttachTypedObjectProperty(HandleObject obj, ObjOperandId
     if (!obj->is<TypedObject>())
         return false;
 
-    if (!cx_->runtime()->jitSupportsFloatingPoint || cx_->compartment()->detachedTypedObjects)
+    if (!cx_->runtime()->jitSupportsFloatingPoint || cx_->zone()->detachedTypedObjects)
         return false;
 
     if (!obj->as<TypedObject>().typeDescr().is<StructTypeDescr>())
@@ -3690,9 +3690,8 @@ SetPropIRGenerator::tryAttachSetTypedElement(HandleObject obj, ObjOperandId objI
             return false;
 
         // Don't attach stubs if the underlying storage for typed objects
-        // in the compartment could be detached, as the stub will always
-        // bail out.
-        if (cx_->compartment()->detachedTypedObjects)
+        // in the zone could be detached, as the stub will always bail out.
+        if (cx_->zone()->detachedTypedObjects)
             return false;
     }
 

js/src/jit/CacheIRCompiler.cpp

@@ -1648,10 +1648,10 @@ CacheIRCompiler::emitGuardNoDetachedTypedObjects()
     if (!addFailurePath(&failure))
         return false;
 
-    // All stubs manipulating typed objects must check the compartment-wide
-    // flag indicating whether their underlying storage might be detached, to
-    // bail out if needed.
-    int32_t* address = &cx_->compartment()->detachedTypedObjects;
+    // All stubs manipulating typed objects must check the zone-wide flag
+    // indicating whether their underlying storage might be detached, to bail
+    // out if needed.
+    uint32_t* address = &cx_->zone()->detachedTypedObjects;
     masm.branch32(Assembler::NotEqual, AbsoluteAddress(address), Imm32(0), failure->label());
     return true;
 }
@@ -3142,4 +3142,4 @@ CacheIRCompiler::emitLoadObject()
     StubFieldOffset obj(reader.stubOffset(), StubField::Type::JSObject);
     emitLoadStubField(obj, reg);
     return true;
-}
+}

js/src/vm/ArrayBufferObject.cpp

@@ -492,8 +492,8 @@ ArrayBufferObject::detach(JSContext* cx, Handle<ArrayBufferObject*> buffer,
 
     // When detaching a buffer with typed object views, any jitcode accessing
     // such views must be deoptimized so that detachment checks are performed.
-    // This is done by setting a compartment-wide flag indicating that buffers
-    // with typed object views have been detached.
+    // This is done by setting a zone-wide flag indicating that buffers with
+    // typed object views have been detached.
     if (buffer->hasTypedObjectViews()) {
         // Make sure the global object's group has been instantiated, so the
         // flag change will be observed.
@@ -501,7 +501,7 @@ ArrayBufferObject::detach(JSContext* cx, Handle<ArrayBufferObject*> buffer,
         if (!JSObject::getGroup(cx, cx->global()))
             oomUnsafe.crash("ArrayBufferObject::detach");
         MarkObjectGroupFlags(cx, cx->global(), OBJECT_FLAG_TYPED_OBJECT_HAS_DETACHED_BUFFER);
-        cx->compartment()->detachedTypedObjects = 1;
+        cx->zone()->detachedTypedObjects = 1;
     }
 
     // Update all views of the buffer to account for the buffer having been

js/src/vm/JSCompartment.cpp

@@ -46,7 +46,6 @@ JSCompartment::JSCompartment(Zone* zone)
     runtime_(zone->runtimeFromAnyThread()),
     data(nullptr),
     regExps(),
-    detachedTypedObjects(0),
     innerViews(zone),
     gcIncomingGrayPointers(nullptr),
     enumerators(nullptr)

js/src/vm/JSCompartment.h

@@ -597,10 +597,6 @@ struct JSCompartment
                                       js::SystemAllocPolicy>;
     IteratorCache iteratorCache;
 
-    // Non-zero if the storage underlying any typed object in this compartment
-    // might be detached.
-    int32_t                      detachedTypedObjects;
-
     // Recompute the probability with which this compartment should record
     // profiling data (stack traces, allocations log, etc.) about each
     // allocation. We consult the probabilities requested by the Debugger