Bug 1703469: Use operand for callee in scripted setters r=jandem

iainireland · iainireland · commit f55e9e66da59 · 2025-06-05T20:44:49.000Z
Differential Revision: https://phabricator.services.mozilla.com/D251754
diff --git a/js/src/jit/BaselineCacheIRCompiler.cpp b/js/src/jit/BaselineCacheIRCompiler.cpp
@@ -1649,10 +1649,9 @@ bool BaselineCacheIRCompiler::emitCallNativeSetter(
 }
 
 bool BaselineCacheIRCompiler::emitCallScriptedSetterShared(
-    ObjOperandId receiverId, uint32_t setterOffset, ValOperandId rhsId,
+    ObjOperandId receiverId, ObjOperandId calleeId, ValOperandId rhsId,
     bool sameRealm, uint32_t nargsAndFlagsOffset,
     Maybe<uint32_t> icScriptOffset) {
-  AutoScratchRegister callee(allocator, masm);
   AutoScratchRegister scratch(allocator, masm);
 #if defined(JS_CODEGEN_X86)
   Register code = scratch;
@@ -1661,14 +1660,11 @@ bool BaselineCacheIRCompiler::emitCallScriptedSetterShared(
 #endif
 
   Register receiver = allocator.useRegister(masm, receiverId);
-  Address setterAddr(stubAddress(setterOffset));
+  Register callee = allocator.useRegister(masm, calleeId);
   ValueOperand val = allocator.useValueRegister(masm, rhsId);
 
   bool isInlined = icScriptOffset.isSome();
 
-  // First, load the callee.
-  masm.loadPtr(setterAddr, callee);
-
   if (isInlined) {
     // If we are calling a trial-inlined setter, guard that the
     // target has a BaselineScript.
@@ -1750,20 +1746,20 @@ bool BaselineCacheIRCompiler::emitCallScriptedSetterShared(
 }
 
 bool BaselineCacheIRCompiler::emitCallScriptedSetter(
-    ObjOperandId receiverId, uint32_t setterOffset, ValOperandId rhsId,
+    ObjOperandId receiverId, ObjOperandId calleeId, ValOperandId rhsId,
     bool sameRealm, uint32_t nargsAndFlagsOffset) {
   JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
   Maybe<uint32_t> icScriptOffset = mozilla::Nothing();
-  return emitCallScriptedSetterShared(receiverId, setterOffset, rhsId,
+  return emitCallScriptedSetterShared(receiverId, calleeId, rhsId,
                                       sameRealm, nargsAndFlagsOffset,
                                       icScriptOffset);
 }
 
 bool BaselineCacheIRCompiler::emitCallInlinedSetter(
-    ObjOperandId receiverId, uint32_t setterOffset, ValOperandId rhsId,
+    ObjOperandId receiverId, ObjOperandId calleeId, ValOperandId rhsId,
     uint32_t icScriptOffset, bool sameRealm, uint32_t nargsAndFlagsOffset) {
   JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
-  return emitCallScriptedSetterShared(receiverId, setterOffset, rhsId,
+  return emitCallScriptedSetterShared(receiverId, calleeId, rhsId,
                                       sameRealm, nargsAndFlagsOffset,
                                       mozilla::Some(icScriptOffset));
 }
diff --git a/js/src/jit/BaselineCacheIRCompiler.h b/js/src/jit/BaselineCacheIRCompiler.h
@@ -122,7 +122,7 @@ class MOZ_RAII BaselineCacheIRCompiler : public CacheIRCompiler {
                                     uint32_t nargsAndFlagsOffset,
                                     mozilla::Maybe<uint32_t> icScriptOffset);
   bool emitCallScriptedSetterShared(ObjOperandId receiverId,
-                                    uint32_t setterOffset, ValOperandId rhsId,
+                                    ObjOperandId calleeId, ValOperandId rhsId,
                                     bool sameRealm,
                                     uint32_t nargsAndFlagsOffset,
                                     mozilla::Maybe<uint32_t> icScriptOffset);
diff --git a/js/src/jit/CacheIROps.yaml b/js/src/jit/CacheIROps.yaml
@@ -1921,7 +1921,7 @@
   custom_writer: true
   args:
     receiver: ObjId
-    setter: ObjectField
+    callee: ObjId
     rhs: ValId
     sameRealm: BoolImm
     nargsAndFlags: RawInt32Field
@@ -1933,7 +1933,7 @@
   custom_writer: true
   args:
     receiver: ObjId
-    setter: ObjectField
+    callee: ObjId
     rhs: ValId
     icScript: RawPointerField
     sameRealm: BoolImm
diff --git a/js/src/jit/CacheIRWriter.h b/js/src/jit/CacheIRWriter.h
@@ -654,15 +654,17 @@ class MOZ_RAII CacheIRWriter : public JS::CustomAutoRooter {
                           ValOperandId rhs, bool sameRealm) {
     MOZ_ASSERT(setter->hasJitEntry());
     uint32_t nargsAndFlags = setter->flagsAndArgCountRaw();
-    callScriptedSetter_(receiver, setter, rhs, sameRealm, nargsAndFlags);
+    ObjOperandId callee = getterSetterCalleeOperand(setter);
+    callScriptedSetter_(receiver, callee, rhs, sameRealm, nargsAndFlags);
     trialInliningState_ = TrialInliningState::Candidate;
   }
 
-  void callInlinedSetter(ObjOperandId receiver, JSFunction* setter,
-                         ValOperandId rhs, ICScript* icScript, bool sameRealm) {
+  void callInlinedSetter(ObjOperandId receiver, ObjOperandId callee,
+                         JSFunction* setter, ValOperandId rhs,
+                         ICScript* icScript, bool sameRealm) {
     MOZ_ASSERT(setter->hasJitEntry());
     uint32_t nargsAndFlags = setter->flagsAndArgCountRaw();
-    callInlinedSetter_(receiver, setter, rhs, icScript, sameRealm,
+    callInlinedSetter_(receiver, callee, rhs, icScript, sameRealm,
                        nargsAndFlags);
     trialInliningState_ = TrialInliningState::Inlined;
   }
diff --git a/js/src/jit/IonCacheIRCompiler.cpp b/js/src/jit/IonCacheIRCompiler.cpp
@@ -1672,18 +1672,19 @@ bool IonCacheIRCompiler::emitCallNativeSetter(ObjOperandId receiverId,
 }
 
 bool IonCacheIRCompiler::emitCallScriptedSetter(ObjOperandId receiverId,
-                                                uint32_t setterOffset,
+                                                ObjOperandId calleeId,
                                                 ValOperandId rhsId,
                                                 bool sameRealm,
                                                 uint32_t nargsAndFlagsOffset) {
   JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
   AutoSaveLiveRegisters save(*this);
 
   Register receiver = allocator.useRegister(masm, receiverId);
-  JSFunction* target = &objectStubField(setterOffset)->as<JSFunction>();
+  Register callee = allocator.useRegister(masm, calleeId);
   ConstantOrRegister val = allocator.useConstantOrRegister(masm, rhsId);
 
-  MOZ_ASSERT(sameRealm == (cx_->realm() == target->realm()));
+  int32_t nargsAndFlags = int32StubField(nargsAndFlagsOffset);
+  size_t nargs = nargsAndFlags >> JSFunction::ArgCountShift;
 
   AutoScratchRegister scratch(allocator, masm);
 
@@ -1696,36 +1697,33 @@ bool IonCacheIRCompiler::emitCallScriptedSetter(ObjOperandId receiverId,
   // The JitFrameLayout pushed below will be aligned to JitStackAlignment,
   // so we just have to make sure the stack is aligned after we push the
   // |this| + argument Values.
-  size_t numArgs = std::max<size_t>(1, target->nargs());
-  uint32_t argSize = (numArgs + 1) * sizeof(Value);
+  size_t numPushedArgs = std::max<size_t>(1, nargs);
+  uint32_t argSize = (numPushedArgs + 1) * sizeof(Value);
   uint32_t padding =
       ComputeByteAlignment(masm.framePushed() + argSize, JitStackAlignment);
   MOZ_ASSERT(padding % sizeof(uintptr_t) == 0);
   MOZ_ASSERT(padding < JitStackAlignment);
   masm.reserveStack(padding);
 
-  for (size_t i = 1; i < target->nargs(); i++) {
+  for (size_t i = 1; i < nargs; i++) {
     masm.Push(UndefinedValue());
   }
   masm.Push(val);
   masm.Push(TypedOrValueRegister(MIRType::Object, AnyRegister(receiver)));
 
   if (!sameRealm) {
-    masm.switchToRealm(target->realm(), scratch);
+    masm.switchToObjectRealm(callee, scratch);
   }
 
-  masm.movePtr(ImmGCPtr(target), scratch);
-
-  masm.Push(scratch);
+  masm.Push(callee);
   masm.PushFrameDescriptorForJitCall(FrameType::IonICCall, /* argc = */ 1);
 
   // Check stack alignment. Add 2 * sizeof(uintptr_t) for the return address and
   // frame pointer pushed by the call/callee.
   MOZ_ASSERT(
       ((masm.framePushed() + 2 * sizeof(uintptr_t)) % JitStackAlignment) == 0);
 
-  MOZ_ASSERT(target->hasJitEntry());
-  masm.loadJitCodeRaw(scratch, scratch);
+  masm.loadJitCodeRaw(callee, scratch);
   masm.callJit(scratch);
 
   if (!sameRealm) {
@@ -1739,7 +1737,7 @@ bool IonCacheIRCompiler::emitCallScriptedSetter(ObjOperandId receiverId,
 }
 
 bool IonCacheIRCompiler::emitCallInlinedSetter(
-    ObjOperandId receiverId, uint32_t setterOffset, ValOperandId rhsId,
+    ObjOperandId receiverId, ObjOperandId calleeId, ValOperandId rhsId,
     uint32_t icScriptOffset, bool sameRealm, uint32_t nargsAndFlagsOffset) {
   MOZ_CRASH("Trial inlining not supported in Ion");
 }
diff --git a/js/src/jit/TrialInlining.cpp b/js/src/jit/TrialInlining.cpp
@@ -383,6 +383,9 @@ Maybe<InlinableSetterData> FindInlinableSetterData(ICCacheIRStub* stub) {
   const CacheIRStubInfo* stubInfo = stub->stubInfo();
   const uint8_t* stubData = stub->stubDataStart();
 
+  ObjOperandId maybeCalleeOperand;
+  uintptr_t maybeRawCallee = 0;
+
   CacheIRReader reader(stubInfo);
   while (reader.more()) {
     const uint8_t* opStart = reader.currentPosition();
@@ -393,40 +396,51 @@ Maybe<InlinableSetterData> FindInlinableSetterData(ICCacheIRStub* stub) {
     mozilla::DebugOnly<const uint8_t*> argStart = reader.currentPosition();
 
     switch (op) {
+      case CacheOp::LoadObject: {
+        // If we load a constant object, remember it in case it's the callee.
+        maybeCalleeOperand = reader.objOperandId();
+        uint32_t maybeCalleeOffset = reader.stubOffset();
+        maybeRawCallee = stubInfo->getStubRawWord(stubData, maybeCalleeOffset);
+        break;
+      }
       case CacheOp::CallScriptedSetter: {
-        data.emplace();
-        data->receiverOperand = reader.objOperandId();
-
-        uint32_t setterOffset = reader.stubOffset();
-        uintptr_t rawTarget = stubInfo->getStubRawWord(stubData, setterOffset);
-        data->target = reinterpret_cast<JSFunction*>(rawTarget);
-
-        data->rhsOperand = reader.valOperandId();
-        data->sameRealm = reader.readBool();
+        ObjOperandId receiverOperand = reader.objOperandId();
+        ObjOperandId calleeOperand = reader.objOperandId();
+        ValOperandId rhsOperand = reader.valOperandId();
+        bool sameRealm = reader.readBool();
         (void)reader.stubOffset();  // nargsAndFlags
 
-        data->endOfSharedPrefix = opStart;
+        if (maybeCalleeOperand == calleeOperand) {
+          data.emplace();
+          data->target = reinterpret_cast<JSFunction*>(maybeRawCallee);
+          data->receiverOperand = receiverOperand;
+          data->calleeOperand = calleeOperand;
+          data->rhsOperand = rhsOperand;
+          data->sameRealm = sameRealm;
+          data->endOfSharedPrefix = opStart;
+        }
         break;
       }
       case CacheOp::CallInlinedSetter: {
-        data.emplace();
-        data->receiverOperand = reader.objOperandId();
-
-        uint32_t setterOffset = reader.stubOffset();
-        uintptr_t rawTarget = stubInfo->getStubRawWord(stubData, setterOffset);
-        data->target = reinterpret_cast<JSFunction*>(rawTarget);
-
-        data->rhsOperand = reader.valOperandId();
-
+        ObjOperandId receiverOperand = reader.objOperandId();
+        ObjOperandId calleeOperand = reader.objOperandId();
+        ValOperandId rhsOperand = reader.valOperandId();
         uint32_t icScriptOffset = reader.stubOffset();
         uintptr_t rawICScript =
             stubInfo->getStubRawWord(stubData, icScriptOffset);
-        data->icScript = reinterpret_cast<ICScript*>(rawICScript);
-
-        data->sameRealm = reader.readBool();
+        bool sameRealm = reader.readBool();
         (void)reader.stubOffset();  // nargsAndFlags
 
-        data->endOfSharedPrefix = opStart;
+        if (maybeCalleeOperand == calleeOperand) {
+          data.emplace();
+          data->target = reinterpret_cast<JSFunction*>(maybeRawCallee);
+          data->receiverOperand = receiverOperand;
+          data->calleeOperand = calleeOperand;
+          data->rhsOperand = rhsOperand;
+          data->icScript = reinterpret_cast<ICScript*>(rawICScript);
+          data->sameRealm = sameRealm;
+          data->endOfSharedPrefix = opStart;
+        }
         break;
       }
       default:
@@ -886,8 +900,9 @@ bool TrialInliner::maybeInlineSetter(ICEntry& entry, ICFallbackStub* fallback,
   ValOperandId rhsValId(writer.setInputOperandId(1));
   cloneSharedPrefix(stub, data->endOfSharedPrefix, writer);
 
-  writer.callInlinedSetter(data->receiverOperand, data->target,
-                           data->rhsOperand, newICScript, data->sameRealm);
+  writer.callInlinedSetter(data->receiverOperand, data->calleeOperand,
+                           data->target, data->rhsOperand, newICScript,
+                           data->sameRealm);
   writer.returnFromIC();
 
   return replaceICStub(entry, fallback, writer, kind);
diff --git a/js/src/jit/TrialInlining.h b/js/src/jit/TrialInlining.h
@@ -133,6 +133,7 @@ class InlinableGetterData : public InlinableOpData {
 class InlinableSetterData : public InlinableOpData {
  public:
   ObjOperandId receiverOperand;
+  ObjOperandId calleeOperand;
   ValOperandId rhsOperand;
   bool sameRealm = false;
 };
diff --git a/js/src/jit/WarpCacheIRTranspiler.cpp b/js/src/jit/WarpCacheIRTranspiler.cpp
@@ -305,7 +305,7 @@ class MOZ_RAII WarpCacheIRTranspiler : public WarpBuilderShared {
                                           MDefinition* getter, bool sameRealm,
                                           uint32_t nargsAndFlagsOffset);
   [[nodiscard]] bool emitCallSetter(CallKind kind, ObjOperandId receiverId,
-                                    uint32_t setterOffset, ValOperandId rhsId,
+                                    MDefinition* setter, ValOperandId rhsId,
                                     bool sameRealm,
                                     uint32_t nargsAndFlagsOffset);
 
@@ -6688,11 +6688,10 @@ bool WarpCacheIRTranspiler::emitCallNativeGetterResult(
 
 bool WarpCacheIRTranspiler::emitCallSetter(CallKind kind,
                                            ObjOperandId receiverId,
-                                           uint32_t setterOffset,
+                                           MDefinition* setter,
                                            ValOperandId rhsId, bool sameRealm,
                                            uint32_t nargsAndFlagsOffset) {
   MDefinition* receiver = getOperand(receiverId);
-  MDefinition* setter = objectStubField(setterOffset);
   MDefinition* rhs = getOperand(rhsId);
   if (kind == CallKind::Scripted && callInfo_ && callInfo_->isInlined()) {
     // We are transpiling to generate the correct guards. We also update the
@@ -6733,16 +6732,18 @@ bool WarpCacheIRTranspiler::emitCallSetter(CallKind kind,
 }
 
 bool WarpCacheIRTranspiler::emitCallScriptedSetter(
-    ObjOperandId receiverId, uint32_t setterOffset, ValOperandId rhsId,
+    ObjOperandId receiverId, ObjOperandId calleeId, ValOperandId rhsId,
     bool sameRealm, uint32_t nargsAndFlagsOffset) {
-  return emitCallSetter(CallKind::Scripted, receiverId, setterOffset, rhsId,
+  MDefinition* setter = getOperand(calleeId);
+  return emitCallSetter(CallKind::Scripted, receiverId, setter, rhsId,
                         sameRealm, nargsAndFlagsOffset);
 }
 
 bool WarpCacheIRTranspiler::emitCallInlinedSetter(
-    ObjOperandId receiverId, uint32_t setterOffset, ValOperandId rhsId,
+    ObjOperandId receiverId, ObjOperandId calleeId, ValOperandId rhsId,
     uint32_t icScriptOffset, bool sameRealm, uint32_t nargsAndFlagsOffset) {
-  return emitCallSetter(CallKind::Scripted, receiverId, setterOffset, rhsId,
+  MDefinition* setter = getOperand(calleeId);
+  return emitCallSetter(CallKind::Scripted, receiverId, setter, rhsId,
                         sameRealm, nargsAndFlagsOffset);
 }
 
@@ -6751,7 +6752,8 @@ bool WarpCacheIRTranspiler::emitCallNativeSetter(ObjOperandId receiverId,
                                                  ValOperandId rhsId,
                                                  bool sameRealm,
                                                  uint32_t nargsAndFlagsOffset) {
-  return emitCallSetter(CallKind::Native, receiverId, setterOffset, rhsId,
+  MDefinition* setter = objectStubField(setterOffset);
+  return emitCallSetter(CallKind::Native, receiverId, setter, rhsId,
                         sameRealm, nargsAndFlagsOffset);
 }
 
