Bug 1705113 - Fix NewPlainObject stub to not use AutoCallVM for conditinal VM call r=jandem

Differential Revision: https://phabricator.services.mozilla.com/D112338
2021-04-21 08:25:39 +00:00 · 2021-04-21 08:25:39 +00:00 · af6c652f89
--- a/js/src/jit/BaselineCacheIRCompiler.cpp
+++ b/js/src/jit/BaselineCacheIRCompiler.cpp
@ -2990,3 +2990,54 @@ bool BaselineCacheIRCompiler::emitNewArrayObjectResult(uint32_t arrayLength,
  masm.tagValue(JSVAL_TYPE_OBJECT, result, output.valueReg());
  return true;
 }
+
+bool BaselineCacheIRCompiler::emitNewPlainObjectResult(uint32_t numFixedSlots,
+                                                       uint32_t numDynamicSlots,
+                                                       gc::AllocKind allocKind,
+                                                       uint32_t shapeOffset) {
+  JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
+
+  AutoOutputRegister output(*this);
+  AutoScratchRegister obj(allocator, masm);
+  AutoScratchRegister scratch(allocator, masm);
+  AutoScratchRegisterMaybeOutput shape(allocator, masm, output);
+
+  Address shapeAddr(stubAddress(shapeOffset));
+  masm.loadPtr(shapeAddr, shape);
+
+  allocator.discardStack(masm);
+
+  Label done;
+  Label fail;
+
+  masm.createPlainGCObject(obj, shape, scratch, shape, numFixedSlots,
+                           numDynamicSlots, allocKind, gc::DefaultHeap, &fail);
+  masm.jump(&done);
+
+  {
+    masm.bind(&fail);
+
+    // We get here if the nursery is full (unlikely) but also for tenured
+    // allocations if the current arena is full and we need to allocate a new
+    // one (fairly common).
+
+    AutoStubFrame stubFrame(*this);
+    stubFrame.enter(masm, scratch);
+
+    masm.Push(Imm32(gc::DefaultHeap));
+    masm.Push(Imm32(int32_t(allocKind)));
+    masm.loadPtr(shapeAddr, shape);  // This might have been overwritten.
+    masm.Push(shape);
+
+    using Fn =
+        JSObject* (*)(JSContext*, HandleShape, gc::AllocKind, gc::InitialHeap);
+    callVM<Fn, NewPlainObject>(masm);
+
+    stubFrame.leave(masm);
+    masm.mov(ReturnReg, obj);
+  }
+
+  masm.bind(&done);
+  masm.tagValue(JSVAL_TYPE_OBJECT, obj, output.valueReg());
+  return true;
+}
--- a/js/src/jit/CacheIRCompiler.cpp
+++ b/js/src/jit/CacheIRCompiler.cpp
@ -6086,46 +6086,6 @@ bool CacheIRCompiler::emitLoadValueTruthyResult(ValOperandId inputId) {
  return true;
 }

-bool CacheIRCompiler::emitNewPlainObjectResult(uint32_t numFixedSlots,
-                                               uint32_t numDynamicSlots,
-                                               gc::AllocKind allocKind,
-                                               uint32_t shapeOffset) {
-  JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
-  AutoCallVM callvm(masm, this, allocator);
-  AutoScratchRegister obj(allocator, masm);
-  AutoScratchRegister scratch(allocator, masm);
-  AutoScratchRegisterMaybeOutput shape(allocator, masm, callvm.output());
-
-  StubFieldOffset shapeSlot(shapeOffset, StubField::Type::Shape);
-
-  Label success;
-  Label fail;
-
-  emitLoadStubField(shapeSlot, shape);
-  masm.createPlainGCObject(obj, shape, scratch, shape, numFixedSlots,
-                           numDynamicSlots, allocKind, gc::DefaultHeap, &fail);
-  masm.tagValue(JSVAL_TYPE_OBJECT, obj, callvm.output().valueReg());
-  masm.jump(&success);
-
-  masm.bind(&fail);
-
-  // We get here if the nursery is full (unlikely) but also if the current arena
-  // is full and we need to allocate a new one (fairly common).
-
-  callvm.prepare();
-  masm.Push(Imm32(gc::DefaultHeap));
-  masm.Push(Imm32(int32_t(allocKind)));
-  emitLoadStubField(shapeSlot, shape);  // This might have been overwritten.
-  masm.Push(shape);
-
-  using Fn =
-      JSObject* (*)(JSContext*, HandleShape, gc::AllocKind, gc::InitialHeap);
-  callvm.call<Fn, NewPlainObject>();
-
-  masm.bind(&success);
-  return true;
-}
-
 bool CacheIRCompiler::emitComparePointerResultShared(JSOp op,
                                                     TypedOperandId lhsId,
                                                     TypedOperandId rhsId) {
--- a/js/src/jit/CacheIROps.yaml
+++ b/js/src/jit/CacheIROps.yaml
@ -2461,7 +2461,7 @@
    val: ValueField

 - name: NewPlainObjectResult
-  shared: true
+  shared: false
  transpile: false
  cost_estimate: 4
  args:
--- a/js/src/jit/IonCacheIRCompiler.cpp
+++ b/js/src/jit/IonCacheIRCompiler.cpp
@ -2033,3 +2033,10 @@ bool IonCacheIRCompiler::emitNewArrayObjectResult(uint32_t arrayLength,
                                                  uint32_t shapeOffset) {
  MOZ_CRASH("NewArray ICs not used in ion");
 }
+
+bool IonCacheIRCompiler::emitNewPlainObjectResult(uint32_t numFixedSlots,
+                                                  uint32_t numDynamicSlots,
+                                                  gc::AllocKind allocKind,
+                                                  uint32_t shapeOffset) {
+  MOZ_CRASH("NewObject ICs not used in ion");
+}