Bug 1711414: Don't scalar replace apply when arguments is this r=jandem

I verified that the other "replaceable consumer" instructions are either unary or don't accept objects for their other arguments. This testcase triggers the assertion in a pre-patch debug build, and gives the wrong result in a pre-patch no-debug build. Differential Revision: https://phabricator.services.mozilla.com/D115443
2021-05-25 23:52:12 +00:00 · 2021-05-25 23:52:12 +00:00 · da458b48c7
--- a/js/src/jit-test/tests/arguments/bug1711414.js
+++ b/js/src/jit-test/tests/arguments/bug1711414.js
@ -0,0 +1,11 @@
+function bar() { this[0] = "overwritten"; }
+
+function foo() {
+    bar.apply(arguments, arguments);
+    return arguments[0];
+}
+
+with ({}) {}
+for (var i = 0; i < 100; i++) {
+    assertEq(foo("original"), "overwritten");
+}
--- a/js/src/jit/ScalarReplacement.cpp
+++ b/js/src/jit/ScalarReplacement.cpp
@ -1462,10 +1462,18 @@ bool ArgumentsReplacer::escapes(MInstruction* ins, bool guardedForMapped) {
        return true;
      }

+      case MDefinition::Opcode::ApplyArgsObj: {
+        if (ins == def->toApplyArgsObj()->getThis()) {
+          JitSpew(JitSpew_Escape, "is escaped as |this| arg of ApplyArgsObj\n");
+          return true;
+        }
+        MOZ_ASSERT(ins == def->toApplyArgsObj()->getArgsObj());
+        break;
+      }
+
      // This is a replaceable consumer.
      case MDefinition::Opcode::ArgumentsObjectLength:
      case MDefinition::Opcode::GetArgumentsObjectArg:
-      case MDefinition::Opcode::ApplyArgsObj:
      case MDefinition::Opcode::LoadArgumentsObjectArg:
        break;