Bug 1703469: Use operand for callee in scripted getters r=jandem

iainireland · iainireland · commit f4f5b7d47d29 · 2025-06-05T20:44:46.000Z
This should generate roughly the same code as before. The one exception is in the Ion CacheIR compiler, where we no longer have direct access to the callee, so if it's a cross-realm getter, we have to load the correct realm out of the callee using switchToObjectRealm (instead of baking it in with switchToRealm). It didn't seem worth adding an entire extra operand to make that particular case a bit faster. (The same comment applies to the next patch, which does the same as this one, but for setters.) Differential Revision: https://phabricator.services.mozilla.com/D251753
diff --git a/js/src/jit/BaselineCacheIRCompiler.cpp b/js/src/jit/BaselineCacheIRCompiler.cpp
@@ -544,19 +544,17 @@ bool BaselineCacheIRCompiler::emitLoadDynamicSlotResult(ObjOperandId objId,
 }
 
 bool BaselineCacheIRCompiler::emitCallScriptedGetterShared(
-    ValOperandId receiverId, uint32_t getterOffset, bool sameRealm,
+    ValOperandId receiverId, ObjOperandId calleeId, bool sameRealm,
     uint32_t nargsAndFlagsOffset, Maybe<uint32_t> icScriptOffset) {
   ValueOperand receiver = allocator.useValueRegister(masm, receiverId);
-  Address getterAddr(stubAddress(getterOffset));
+  Register callee = allocator.useRegister(masm, calleeId);
 
   AutoScratchRegister code(allocator, masm);
-  AutoScratchRegister callee(allocator, masm);
   AutoScratchRegister scratch(allocator, masm);
 
   bool isInlined = icScriptOffset.isSome();
 
   // First, retrieve raw jitcode for getter.
-  masm.loadPtr(getterAddr, callee);
   if (isInlined) {
     FailurePath* failure;
     if (!addFailurePath(&failure)) {
@@ -621,19 +619,19 @@ bool BaselineCacheIRCompiler::emitCallScriptedGetterShared(
 }
 
 bool BaselineCacheIRCompiler::emitCallScriptedGetterResult(
-    ValOperandId receiverId, uint32_t getterOffset, bool sameRealm,
+    ValOperandId receiverId, ObjOperandId calleeId, bool sameRealm,
     uint32_t nargsAndFlagsOffset) {
   JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
   Maybe<uint32_t> icScriptOffset = mozilla::Nothing();
-  return emitCallScriptedGetterShared(receiverId, getterOffset, sameRealm,
+  return emitCallScriptedGetterShared(receiverId, calleeId, sameRealm,
                                       nargsAndFlagsOffset, icScriptOffset);
 }
 
 bool BaselineCacheIRCompiler::emitCallInlinedGetterResult(
-    ValOperandId receiverId, uint32_t getterOffset, uint32_t icScriptOffset,
+    ValOperandId receiverId, ObjOperandId calleeId, uint32_t icScriptOffset,
     bool sameRealm, uint32_t nargsAndFlagsOffset) {
   JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
-  return emitCallScriptedGetterShared(receiverId, getterOffset, sameRealm,
+  return emitCallScriptedGetterShared(receiverId, calleeId, sameRealm,
                                       nargsAndFlagsOffset,
                                       mozilla::Some(icScriptOffset));
 }
diff --git a/js/src/jit/BaselineCacheIRCompiler.h b/js/src/jit/BaselineCacheIRCompiler.h
@@ -118,7 +118,7 @@ class MOZ_RAII BaselineCacheIRCompiler : public CacheIRCompiler {
   void emitAtomizeString(Register str, Register temp, Label* failure);
 
   bool emitCallScriptedGetterShared(ValOperandId receiverId,
-                                    uint32_t getterOffset, bool sameRealm,
+                                    ObjOperandId calleeId, bool sameRealm,
                                     uint32_t nargsAndFlagsOffset,
                                     mozilla::Maybe<uint32_t> icScriptOffset);
   bool emitCallScriptedSetterShared(ObjOperandId receiverId,
diff --git a/js/src/jit/CacheIROps.yaml b/js/src/jit/CacheIROps.yaml
@@ -2550,7 +2550,7 @@
   custom_writer: true
   args:
     receiver: ValId
-    getter: ObjectField
+    callee: ObjId
     sameRealm: BoolImm
     nargsAndFlags: RawInt32Field
 
@@ -2561,7 +2561,7 @@
   custom_writer: true
   args:
     receiver: ValId
-    getter: ObjectField
+    callee: ObjId
     icScript: RawPointerField
     sameRealm: BoolImm
     nargsAndFlags: RawInt32Field
diff --git a/js/src/jit/CacheIRWriter.h b/js/src/jit/CacheIRWriter.h
@@ -618,19 +618,27 @@ class MOZ_RAII CacheIRWriter : public JS::CustomAutoRooter {
     callClassHook_(calleeId, argc, flags, argcFixed, target);
   }
 
+ private:
+  ObjOperandId getterSetterCalleeOperand(JSFunction* target) {
+    return loadObject(target);
+  }
+ public:
+
   void callScriptedGetterResult(ValOperandId receiver, JSFunction* getter,
                                 bool sameRealm) {
     MOZ_ASSERT(getter->hasJitEntry());
     uint32_t nargsAndFlags = getter->flagsAndArgCountRaw();
-    callScriptedGetterResult_(receiver, getter, sameRealm, nargsAndFlags);
+    ObjOperandId callee = getterSetterCalleeOperand(getter);
+    callScriptedGetterResult_(receiver, callee, sameRealm, nargsAndFlags);
     trialInliningState_ = TrialInliningState::Candidate;
   }
 
-  void callInlinedGetterResult(ValOperandId receiver, JSFunction* getter,
-                               ICScript* icScript, bool sameRealm) {
+  void callInlinedGetterResult(ValOperandId receiver, ObjOperandId callee,
+                               JSFunction* getter, ICScript* icScript,
+                               bool sameRealm) {
     MOZ_ASSERT(getter->hasJitEntry());
     uint32_t nargsAndFlags = getter->flagsAndArgCountRaw();
-    callInlinedGetterResult_(receiver, getter, icScript, sameRealm,
+    callInlinedGetterResult_(receiver, callee, icScript, sameRealm,
                              nargsAndFlags);
     trialInliningState_ = TrialInliningState::Inlined;
   }
diff --git a/js/src/jit/IonCacheIRCompiler.cpp b/js/src/jit/IonCacheIRCompiler.cpp
@@ -924,18 +924,18 @@ bool IonCacheIRCompiler::emitLoadDynamicSlotResult(ObjOperandId objId,
 }
 
 bool IonCacheIRCompiler::emitCallScriptedGetterResult(
-    ValOperandId receiverId, uint32_t getterOffset, bool sameRealm,
-    uint32_t nargsAndFlagsOffset) {
+    ValOperandId receiverId, ObjOperandId calleeId,
+    bool sameRealm, uint32_t nargsAndFlagsOffset) {
   JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
   AutoSaveLiveRegisters save(*this);
   AutoOutputRegister output(*this);
 
   ValueOperand receiver = allocator.useValueRegister(masm, receiverId);
-
-  JSFunction* target = &objectStubField(getterOffset)->as<JSFunction>();
+  Register callee = allocator.useRegister(masm, calleeId);
   AutoScratchRegister scratch(allocator, masm);
 
-  MOZ_ASSERT(sameRealm == (cx_->realm() == target->realm()));
+  int32_t nargsAndFlags = int32StubField(nargsAndFlagsOffset);
+  size_t nargs = nargsAndFlags >> JSFunction::ArgCountShift;
 
   allocator.discardStack(masm);
 
@@ -946,34 +946,31 @@ bool IonCacheIRCompiler::emitCallScriptedGetterResult(
   // The JitFrameLayout pushed below will be aligned to JitStackAlignment,
   // so we just have to make sure the stack is aligned after we push the
   // |this| + argument Values.
-  uint32_t argSize = (target->nargs() + 1) * sizeof(Value);
+  uint32_t argSize = (nargs + 1) * sizeof(Value);
   uint32_t padding =
       ComputeByteAlignment(masm.framePushed() + argSize, JitStackAlignment);
   MOZ_ASSERT(padding % sizeof(uintptr_t) == 0);
   MOZ_ASSERT(padding < JitStackAlignment);
   masm.reserveStack(padding);
 
-  for (size_t i = 0; i < target->nargs(); i++) {
+  for (size_t i = 0; i < nargs; i++) {
     masm.Push(UndefinedValue());
   }
   masm.Push(receiver);
 
   if (!sameRealm) {
-    masm.switchToRealm(target->realm(), scratch);
+    masm.switchToObjectRealm(callee, scratch);
   }
 
-  masm.movePtr(ImmGCPtr(target), scratch);
-
-  masm.Push(scratch);
+  masm.Push(callee);
   masm.PushFrameDescriptorForJitCall(FrameType::IonICCall, /* argc = */ 0);
 
   // Check stack alignment. Add 2 * sizeof(uintptr_t) for the return address and
   // frame pointer pushed by the call/callee.
   MOZ_ASSERT(
       ((masm.framePushed() + 2 * sizeof(uintptr_t)) % JitStackAlignment) == 0);
 
-  MOZ_ASSERT(target->hasJitEntry());
-  masm.loadJitCodeRaw(scratch, scratch);
+  masm.loadJitCodeRaw(callee, scratch);
   masm.callJit(scratch);
 
   if (!sameRealm) {
@@ -1126,7 +1123,7 @@ bool IonCacheIRCompiler::emitCallScriptedProxyGetByValueResult(
 #endif
 
 bool IonCacheIRCompiler::emitCallInlinedGetterResult(
-    ValOperandId receiverId, uint32_t getterOffset, uint32_t icScriptOffset,
+    ValOperandId receiverId, ObjOperandId calleeId, uint32_t icScriptOffset,
     bool sameRealm, uint32_t nargsAndFlagsOffset) {
   MOZ_CRASH("Trial inlining not supported in Ion");
 }
diff --git a/js/src/jit/TrialInlining.cpp b/js/src/jit/TrialInlining.cpp
@@ -305,6 +305,9 @@ Maybe<InlinableGetterData> FindInlinableGetterData(ICCacheIRStub* stub) {
   const CacheIRStubInfo* stubInfo = stub->stubInfo();
   const uint8_t* stubData = stub->stubDataStart();
 
+  ObjOperandId maybeCalleeOperand;
+  uintptr_t maybeRawCallee = 0;
+
   CacheIRReader reader(stubInfo);
   while (reader.more()) {
     const uint8_t* opStart = reader.currentPosition();
@@ -315,37 +318,47 @@ Maybe<InlinableGetterData> FindInlinableGetterData(ICCacheIRStub* stub) {
     mozilla::DebugOnly<const uint8_t*> argStart = reader.currentPosition();
 
     switch (op) {
+      case CacheOp::LoadObject: {
+        // If we load a constant object, remember it in case it's the callee.
+        maybeCalleeOperand = reader.objOperandId();
+        uint32_t maybeCalleeOffset = reader.stubOffset();
+        maybeRawCallee = stubInfo->getStubRawWord(stubData, maybeCalleeOffset);
+        break;
+      }
       case CacheOp::CallScriptedGetterResult: {
-        data.emplace();
-        data->receiverOperand = reader.valOperandId();
-
-        uint32_t getterOffset = reader.stubOffset();
-        uintptr_t rawTarget = stubInfo->getStubRawWord(stubData, getterOffset);
-        data->target = reinterpret_cast<JSFunction*>(rawTarget);
-
-        data->sameRealm = reader.readBool();
+        ValOperandId receiverOperand = reader.valOperandId();
+        ObjOperandId calleeOperand = reader.objOperandId();
+        bool sameRealm = reader.readBool();
         (void)reader.stubOffset();  // nargsAndFlags
 
-        data->endOfSharedPrefix = opStart;
+        if (maybeCalleeOperand == calleeOperand) {
+          data.emplace();
+          data->target = reinterpret_cast<JSFunction*>(maybeRawCallee);
+          data->receiverOperand = receiverOperand;
+          data->calleeOperand = calleeOperand;
+          data->sameRealm = sameRealm;
+          data->endOfSharedPrefix = opStart;
+        }
         break;
       }
       case CacheOp::CallInlinedGetterResult: {
-        data.emplace();
-        data->receiverOperand = reader.valOperandId();
-
-        uint32_t getterOffset = reader.stubOffset();
-        uintptr_t rawTarget = stubInfo->getStubRawWord(stubData, getterOffset);
-        data->target = reinterpret_cast<JSFunction*>(rawTarget);
-
+        ValOperandId receiverOperand = reader.valOperandId();
+        ObjOperandId calleeOperand = reader.objOperandId();
         uint32_t icScriptOffset = reader.stubOffset();
         uintptr_t rawICScript =
             stubInfo->getStubRawWord(stubData, icScriptOffset);
-        data->icScript = reinterpret_cast<ICScript*>(rawICScript);
-
-        data->sameRealm = reader.readBool();
+        bool sameRealm = reader.readBool();
         (void)reader.stubOffset();  // nargsAndFlags
 
-        data->endOfSharedPrefix = opStart;
+        if (maybeCalleeOperand == calleeOperand) {
+          data.emplace();
+          data->target = reinterpret_cast<JSFunction*>(maybeRawCallee);
+          data->receiverOperand = receiverOperand;
+          data->calleeOperand = calleeOperand;
+          data->icScript = reinterpret_cast<ICScript*>(rawICScript);
+          data->sameRealm = sameRealm;
+          data->endOfSharedPrefix = opStart;
+        }
         break;
       }
       default:
@@ -829,8 +842,8 @@ bool TrialInliner::maybeInlineGetter(ICEntry& entry, ICFallbackStub* fallback,
   }
   cloneSharedPrefix(stub, data->endOfSharedPrefix, writer);
 
-  writer.callInlinedGetterResult(data->receiverOperand, data->target,
-                                 newICScript, data->sameRealm);
+  writer.callInlinedGetterResult(data->receiverOperand, data->calleeOperand,
+                                 data->target, newICScript, data->sameRealm);
   writer.returnFromIC();
 
   return replaceICStub(entry, fallback, writer, kind);
diff --git a/js/src/jit/TrialInlining.h b/js/src/jit/TrialInlining.h
@@ -126,6 +126,7 @@ class InlinableCallData : public InlinableOpData {
 class InlinableGetterData : public InlinableOpData {
  public:
   ValOperandId receiverOperand;
+  ObjOperandId calleeOperand;
   bool sameRealm = false;
 };
 
diff --git a/js/src/jit/WarpCacheIRTranspiler.cpp b/js/src/jit/WarpCacheIRTranspiler.cpp
@@ -302,7 +302,7 @@ class MOZ_RAII WarpCacheIRTranspiler : public WarpBuilderShared {
 
   [[nodiscard]] bool emitCallGetterResult(CallKind kind,
                                           ValOperandId receiverId,
-                                          uint32_t getterOffset, bool sameRealm,
+                                          MDefinition* getter, bool sameRealm,
                                           uint32_t nargsAndFlagsOffset);
   [[nodiscard]] bool emitCallSetter(CallKind kind, ObjOperandId receiverId,
                                     uint32_t setterOffset, ValOperandId rhsId,
@@ -6618,11 +6618,10 @@ bool WarpCacheIRTranspiler::emitGuardWasmArg(ValOperandId argId,
 
 bool WarpCacheIRTranspiler::emitCallGetterResult(CallKind kind,
                                                  ValOperandId receiverId,
-                                                 uint32_t getterOffset,
+                                                 MDefinition* getter,
                                                  bool sameRealm,
                                                  uint32_t nargsAndFlagsOffset) {
   MDefinition* receiver = getOperand(receiverId);
-  MDefinition* getter = objectStubField(getterOffset);
   if (kind == CallKind::Scripted && callInfo_ && callInfo_->isInlined()) {
     // We are transpiling to generate the correct guards. We also update the
     // CallInfo to use the correct arguments. Code for the inlined getter
@@ -6664,23 +6663,26 @@ bool WarpCacheIRTranspiler::emitCallGetterResult(CallKind kind,
 }
 
 bool WarpCacheIRTranspiler::emitCallScriptedGetterResult(
-    ValOperandId receiverId, uint32_t getterOffset, bool sameRealm,
+    ValOperandId receiverId, ObjOperandId calleeId, bool sameRealm,
     uint32_t nargsAndFlagsOffset) {
-  return emitCallGetterResult(CallKind::Scripted, receiverId, getterOffset,
+  MDefinition* getter = getOperand(calleeId);
+  return emitCallGetterResult(CallKind::Scripted, receiverId, getter,
                               sameRealm, nargsAndFlagsOffset);
 }
 
 bool WarpCacheIRTranspiler::emitCallInlinedGetterResult(
-    ValOperandId receiverId, uint32_t getterOffset, uint32_t icScriptOffset,
+    ValOperandId receiverId, ObjOperandId calleeId, uint32_t icScriptOffset,
     bool sameRealm, uint32_t nargsAndFlagsOffset) {
-  return emitCallGetterResult(CallKind::Scripted, receiverId, getterOffset,
+  MDefinition* getter = getOperand(calleeId);
+  return emitCallGetterResult(CallKind::Scripted, receiverId, getter,
                               sameRealm, nargsAndFlagsOffset);
 }
 
 bool WarpCacheIRTranspiler::emitCallNativeGetterResult(
     ValOperandId receiverId, uint32_t getterOffset, bool sameRealm,
     uint32_t nargsAndFlagsOffset) {
-  return emitCallGetterResult(CallKind::Native, receiverId, getterOffset,
+  MDefinition* getter = objectStubField(getterOffset);
+  return emitCallGetterResult(CallKind::Native, receiverId, getter,
                               sameRealm, nargsAndFlagsOffset);
 }
 
