Bug 1850744 - Actually use the result of EmitReadSlotGuard r=iain

So, I wasn't handling traps on the proto chain correctly. As far as I can tell
though this should generally just be resulting in us failing to perform
optimally, as we should usually just load garbage out of the handler object
and then fail in guardSpecificFunction. The only way this could deviate from
that that I can think of is us segfaulting trying to load a bad slot from the
object.

Differential Revision: https://phabricator.services.mozilla.com/D188107

js/src/jit-test/tests/proxy/testDirectProxyGet15.js

@@ -0,0 +1,25 @@
+var target = {x: 5};
+var returnValue = 42;
+var handlerProto = {};
+var handler = {};
+handlerProto.get = function(t, p) {
+  return returnValue;
+}
+handler.foo = handlerProto.get;
+handler.__proto__ = handlerProto;
+
+var proxy = new Proxy(target, handler);
+
+function testGet(p) {
+  return p.x;
+}
+
+for (i = 0; i < 500; i++) {
+  assertEq(testGet(proxy), returnValue);
+}
+
+handlerProto.get = function() {
+  return returnValue - 1;
+}
+
+assertEq(testGet(proxy), returnValue - 1);

js/src/jit/CacheIR.cpp

@@ -1578,10 +1578,11 @@ AttachDecision GetPropIRGenerator::tryAttachScriptedProxy(
     const Value& trapVal = trapHolder->getSlot(trapSlot);
     JSObject* trapObj = &trapVal.toObject();
     JSFunction* trapFn = &trapObj->as<JSFunction>();
-    EmitReadSlotGuard(writer, nHandlerObj, trapHolder, handlerObjId);
+    ObjOperandId trapHolderId =
+        EmitReadSlotGuard(writer, nHandlerObj, trapHolder, handlerObjId);
 
     ValOperandId fnValId =
-        EmitLoadSlot(writer, trapHolder, handlerObjId, trapSlot);
+        EmitLoadSlot(writer, trapHolder, trapHolderId, trapSlot);
     ObjOperandId fnObjId = writer.guardToObject(fnValId);
     writer.guardSpecificFunction(fnObjId, trapFn);
     ValOperandId targetValId = writer.boxObject(targetObjId);