Bug 1688828 part 10 - Replace loadArrayBuffer*Int32 with guardNonNegativeIntPtrToInt32. r=anba

This is simpler and shorter, and it's now easier to see that CacheIR and Warp do
the same thing because they call the same MacroAssembler methods.

On 64-bit platforms, IC code now checks for large lengths also when large ArrayBuffers
are disabled. Warp is already doing that for MNonNegativeIntPtrToInt32.

Depends on D105003

Differential Revision: https://phabricator.services.mozilla.com/D105004

js/src/jit/CacheIRCompiler.cpp

@@ -3166,7 +3166,8 @@ bool CacheIRCompiler::emitLoadArrayBufferByteLengthInt32Result(
     return false;
   }
 
-  masm.loadArrayBufferByteLengthInt32(obj, scratch, failure->label());
+  masm.loadArrayBufferByteLengthIntPtr(obj, scratch);
+  masm.guardNonNegativeIntPtrToInt32(scratch, failure->label());
   masm.tagValue(JSVAL_TYPE_INT32, scratch, output.valueReg());
   return true;
 }
@@ -3196,7 +3197,8 @@ bool CacheIRCompiler::emitLoadTypedArrayLengthInt32Result(ObjOperandId objId) {
     return false;
   }
 
-  masm.loadArrayBufferViewLengthInt32(obj, scratch, failure->label());
+  masm.loadArrayBufferViewLengthIntPtr(obj, scratch);
+  masm.guardNonNegativeIntPtrToInt32(scratch, failure->label());
   masm.tagValue(JSVAL_TYPE_INT32, scratch, output.valueReg());
   return true;
 }
@@ -3990,7 +3992,8 @@ bool CacheIRCompiler::emitTypedArrayByteOffsetInt32Result(ObjOperandId objId) {
     return false;
   }
 
-  masm.loadArrayBufferViewByteOffsetInt32(obj, scratch, failure->label());
+  masm.loadArrayBufferViewByteOffsetIntPtr(obj, scratch);
+  masm.guardNonNegativeIntPtrToInt32(scratch, failure->label());
   masm.tagValue(JSVAL_TYPE_INT32, scratch, output.valueReg());
   return true;
 }

js/src/jit/CodeGenerator.cpp

@@ -1269,15 +1269,8 @@ void CodeGenerator::visitNonNegativeIntPtrToInt32(
   Register output = ToRegister(lir->output());
   MOZ_ASSERT(ToRegister(lir->input()) == output);
 
-#  ifdef DEBUG
-  Label ok;
-  masm.branchPtr(Assembler::NotSigned, output, output, &ok);
-  masm.assumeUnreachable("Unexpected negative value");
-  masm.bind(&ok);
-#  endif
-
   Label bail;
-  masm.branchPtr(Assembler::Above, output, Imm32(INT32_MAX), &bail);
+  masm.guardNonNegativeIntPtrToInt32(output, &bail);
   bailoutFrom(&bail, lir->snapshot());
 #else
   MOZ_CRASH("Not used on 32-bit platforms");

js/src/jit/MacroAssembler.cpp

@@ -1741,57 +1741,16 @@ void MacroAssembler::setIsDefinitelyTypedArrayConstructor(Register obj,
   bind(&done);
 }
 
-void MacroAssembler::loadArrayBufferByteLengthInt32(Register obj,
-                                                    Register output,
-                                                    Label* fail) {
-  loadArrayBufferByteLengthIntPtr(obj, output);
-
-  if (fail && ArrayBufferObject::maxBufferByteLength() > INT32_MAX) {
-    branchPtr(Assembler::Above, output, Imm32(INT32_MAX), fail);
-    return;
-  }
-
+void MacroAssembler::guardNonNegativeIntPtrToInt32(Register reg, Label* fail) {
 #ifdef DEBUG
   Label ok;
-  branchPtr(Assembler::BelowOrEqual, output, Imm32(INT32_MAX), &ok);
-  assumeUnreachable("Expecting length to fit in int32");
+  branchPtr(Assembler::NotSigned, reg, reg, &ok);
+  assumeUnreachable("Unexpected negative value");
   bind(&ok);
 #endif
-}
 
-void MacroAssembler::loadArrayBufferViewByteOffsetInt32(Register obj,
-                                                        Register output,
-                                                        Label* fail) {
-  loadArrayBufferViewByteOffsetIntPtr(obj, output);
-
-  if (fail && ArrayBufferObject::maxBufferByteLength() > INT32_MAX) {
-    branchPtr(Assembler::Above, output, Imm32(INT32_MAX), fail);
-    return;
-  }
-
-#ifdef DEBUG
-  Label ok;
-  branchPtr(Assembler::BelowOrEqual, output, Imm32(INT32_MAX), &ok);
-  assumeUnreachable("Expecting offset to fit in int32");
-  bind(&ok);
-#endif
-}
-
-void MacroAssembler::loadArrayBufferViewLengthInt32(Register obj,
-                                                    Register output,
-                                                    Label* fail) {
-  loadArrayBufferViewLengthIntPtr(obj, output);
-
-  if (fail && ArrayBufferObject::maxBufferByteLength() > INT32_MAX) {
-    branchPtr(Assembler::Above, output, Imm32(INT32_MAX), fail);
-    return;
-  }
-
-#ifdef DEBUG
-  Label ok;
-  branchPtr(Assembler::BelowOrEqual, output, Imm32(INT32_MAX), &ok);
-  assumeUnreachable("Expecting length to fit in int32");
-  bind(&ok);
+#ifdef JS_64BIT
+  branchPtr(Assembler::Above, reg, Imm32(INT32_MAX), fail);
 #endif
 }
 

js/src/jit/MacroAssembler.h

@@ -4332,12 +4332,7 @@ class MacroAssembler : public MacroAssemblerSpecific {
       JS::ExpandoAndGeneration* expandoAndGeneration, uint64_t generation,
       Label* fail);
 
-  void loadArrayBufferByteLengthInt32(Register obj, Register output,
-                                      Label* fail);
-  void loadArrayBufferViewByteOffsetInt32(Register obj, Register output,
-                                          Label* fail);
-  void loadArrayBufferViewLengthInt32(Register obj, Register output,
-                                      Label* fail);
+  void guardNonNegativeIntPtrToInt32(Register reg, Label* fail);
 
   void loadArrayBufferByteLengthIntPtr(Register obj, Register output);
   void loadArrayBufferViewByteOffsetIntPtr(Register obj, Register output);