Bug 1658882 part 2 - Support GuardIsNotDOMProxy in the transpiler. r=anba

Depends on D86920 Differential Revision: https://phabricator.services.mozilla.com/D86921
2020-08-13 09:10:34 +00:00 · 2020-08-13 09:10:34 +00:00 · f552f0c1db
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@ -2030,6 +2030,7 @@ bool jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfoArg) {
    case BailoutKind::ProtoGuard:
    case BailoutKind::ProxyGuard:
    case BailoutKind::NotProxyGuard:
+    case BailoutKind::NotDOMProxyGuard:
    case BailoutKind::NotArrayBufferMaybeSharedGuard:
    case BailoutKind::ArrayPopShift:
    case BailoutKind::ArraySlice:
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@ -1500,7 +1500,7 @@ AttachDecision GetPropIRGenerator::tryAttachGenericProxy(
  if (!handleDOMProxies) {
    // Ensure that the incoming object is not a DOM proxy, so that we can get to
    // the specialized stubs
-    writer.guardNotDOMProxy(objId);
+    writer.guardIsNotDOMProxy(objId);
  }

  if (cacheKind_ == CacheKind::GetProp || mode_ == ICState::Mode::Specialized) {
@ -4293,7 +4293,7 @@ AttachDecision SetPropIRGenerator::tryAttachGenericProxy(
    // get to the specialized stubs. If handleDOMProxies is true, we were
    // unable to attach a specialized DOM stub, so we just handle all
    // proxies here.
-    writer.guardNotDOMProxy(objId);
+    writer.guardIsNotDOMProxy(objId);
  }

  if (cacheKind_ == CacheKind::SetProp || mode_ == ICState::Mode::Specialized) {
--- a/js/src/jit/CacheIRCompiler.cpp
+++ b/js/src/jit/CacheIRCompiler.cpp
@ -2091,7 +2091,7 @@ bool CacheIRCompiler::emitGuardIsNotArrayBufferMaybeShared(ObjOperandId objId) {
  return true;
 }

-bool CacheIRCompiler::emitGuardNotDOMProxy(ObjOperandId objId) {
+bool CacheIRCompiler::emitGuardIsNotDOMProxy(ObjOperandId objId) {
  JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
  Register obj = allocator.useRegister(masm, objId);
  AutoScratchRegister scratch(allocator, masm);
--- a/js/src/jit/CacheIROps.yaml
+++ b/js/src/jit/CacheIROps.yaml
@ -407,9 +407,9 @@
    obj: ObjId
    handler: RawPointerField

- name: GuardNotDOMProxy
+- name: GuardIsNotDOMProxy
  shared: true
-  transpile: false
+  transpile: true
  cost_estimate: 1
  args:
    obj: ObjId
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@ -4487,6 +4487,16 @@ void CodeGenerator::visitGuardIsNotProxy(LGuardIsNotProxy* guard) {
  bailoutFrom(&bail, guard->snapshot());
 }

+void CodeGenerator::visitGuardIsNotDOMProxy(LGuardIsNotDOMProxy* guard) {
+  Register proxy = ToRegister(guard->proxy());
+  Register temp = ToRegister(guard->temp());
+
+  Label bail;
+  masm.branchTestProxyHandlerFamily(Assembler::Equal, proxy, temp,
+                                    GetDOMProxyHandlerFamily(), &bail);
+  bailoutFrom(&bail, guard->snapshot());
+}
+
 void CodeGenerator::visitGuardIsNotArrayBufferMaybeShared(
    LGuardIsNotArrayBufferMaybeShared* guard) {
  Register obj = ToRegister(guard->input());
--- a/js/src/jit/IonTypes.h
+++ b/js/src/jit/IonTypes.h
@ -176,6 +176,9 @@ enum class BailoutKind : uint8_t {
  // Bailout triggered by MGuardIsNotProxy.
  NotProxyGuard,

+  // Bailout triggered by MGuardIsNotDOMProxy.
+  NotDOMProxyGuard,
+
  // Bailout triggered by MGuardIsNotArrayBufferMaybeShared.
  NotArrayBufferMaybeSharedGuard,

@ -281,6 +284,8 @@ inline const char* BailoutKindString(BailoutKind kind) {
      return "BailoutKind::ProxyGuard";
    case BailoutKind::NotProxyGuard:
      return "BailoutKind::NotProxyGuard";
+    case BailoutKind::NotDOMProxyGuard:
+      return "BailoutKind::NotDOMProxyGuard";
    case BailoutKind::NotArrayBufferMaybeSharedGuard:
      return "BailoutKind::NotArrayBufferMaybeSharedGuard";
    case BailoutKind::ArrayPopShift:
--- a/js/src/jit/Lowering.cpp
+++ b/js/src/jit/Lowering.cpp
@ -4155,6 +4155,16 @@ void LIRGenerator::visitGuardIsNotProxy(MGuardIsNotProxy* ins) {
  redefine(ins, ins->object());
 }

+void LIRGenerator::visitGuardIsNotDOMProxy(MGuardIsNotDOMProxy* ins) {
+  MOZ_ASSERT(ins->proxy()->type() == MIRType::Object);
+
+  auto* lir =
+      new (alloc()) LGuardIsNotDOMProxy(useRegister(ins->proxy()), temp());
+  assignSnapshot(lir, BailoutKind::NotDOMProxyGuard);
+  add(lir, ins);
+  redefine(ins, ins->proxy());
+}
+
 void LIRGenerator::visitGuardIsNotArrayBufferMaybeShared(
    MGuardIsNotArrayBufferMaybeShared* ins) {
  MOZ_ASSERT(ins->object()->type() == MIRType::Object);
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@ -9172,6 +9172,28 @@ class MGuardIsNotProxy : public MUnaryInstruction,
  AliasSet getAliasSet() const override { return AliasSet::None(); }
 };

+// Guard the proxy is not a DOM proxy.
+class MGuardIsNotDOMProxy : public MUnaryInstruction,
+                            public SingleObjectPolicy::Data {
+  explicit MGuardIsNotDOMProxy(MDefinition* proxy)
+      : MUnaryInstruction(classOpcode, proxy) {
+    setGuard();
+    setMovable();
+    setResultType(MIRType::Object);
+    setResultTypeSet(proxy->resultTypeSet());
+  }
+
+ public:
+  INSTRUCTION_HEADER(GuardIsNotDOMProxy)
+  TRIVIAL_NEW_WRAPPERS
+  NAMED_OPERANDS((0, proxy))
+
+  bool congruentTo(const MDefinition* ins) const override {
+    return congruentIfOperandsEqual(ins);
+  }
+  AliasSet getAliasSet() const override { return AliasSet::None(); }
+};
+
 // Guard the object is not an ArrayBufferObject or SharedArrayBufferObject.
 class MGuardIsNotArrayBufferMaybeShared : public MUnaryInstruction,
                                          public SingleObjectPolicy::Data {
--- a/js/src/jit/MacroAssembler-inl.h
+++ b/js/src/jit/MacroAssembler-inl.h
@ -627,6 +627,14 @@ void MacroAssembler::branchTestProxyHandlerFamily(Condition cond,
                                                  Register scratch,
                                                  const void* handlerp,
                                                  Label* label) {
+#ifdef DEBUG
+  Label ok;
+  loadObjClassUnsafe(proxy, scratch);
+  branchTestClassIsProxy(true, scratch, &ok);
+  assumeUnreachable("Expected ProxyObject in branchTestProxyHandlerFamily");
+  bind(&ok);
+#endif
+
  Address handlerAddr(proxy, ProxyObject::offsetOfHandler());
  loadPtr(handlerAddr, scratch);
  Address familyAddr(scratch, BaseProxyHandler::offsetOfFamily());
--- a/js/src/jit/WarpCacheIRTranspiler.cpp
+++ b/js/src/jit/WarpCacheIRTranspiler.cpp
@ -304,6 +304,16 @@ bool WarpCacheIRTranspiler::emitGuardIsNotProxy(ObjOperandId objId) {
  return true;
 }

+bool WarpCacheIRTranspiler::emitGuardIsNotDOMProxy(ObjOperandId objId) {
+  MDefinition* obj = getOperand(objId);
+
+  auto* ins = MGuardIsNotDOMProxy::New(alloc(), obj);
+  add(ins);
+
+  setOperand(objId, ins);
+  return true;
+}
+
 bool WarpCacheIRTranspiler::emitGuardIsNotArrayBufferMaybeShared(
    ObjOperandId objId) {
  MDefinition* obj = getOperand(objId);
--- a/js/src/jit/shared/LIR-shared.h
+++ b/js/src/jit/shared/LIR-shared.h
@ -6191,6 +6191,20 @@ class LGuardIsNotProxy : public LInstructionHelper<0, 1, 1> {
  const LDefinition* temp() { return getTemp(0); }
 };

+class LGuardIsNotDOMProxy : public LInstructionHelper<0, 1, 1> {
+ public:
+  LIR_HEADER(GuardIsNotDOMProxy)
+
+  LGuardIsNotDOMProxy(const LAllocation& proxy, const LDefinition& temp)
+      : LInstructionHelper(classOpcode) {
+    setOperand(0, proxy);
+    setTemp(0, temp);
+  }
+
+  const LAllocation* proxy() { return getOperand(0); }
+  const LDefinition* temp() { return getTemp(0); }
+};
+
 class LGuardIsNotArrayBufferMaybeShared : public LInstructionHelper<0, 1, 1> {
 public:
  LIR_HEADER(GuardIsNotArrayBufferMaybeShared)