Bug 1851416 - Properly guard that the proxy hasn't been revoked r=iain

Maybe a little bit alarming how simple this testcase is. Differential Revision: https://phabricator.services.mozilla.com/D187511
dothq · Sep 7, 2023 · fd2c6e6 · fd2c6e6
1 parent 83f8a62
commit fd2c6e6
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 15 deletions.
diff --git a/js/src/jit-test/tests/proxy/testDirectProxyGet14.js b/js/src/jit-test/tests/proxy/testDirectProxyGet14.js
@@ -0,0 +1,22 @@
+load(libdir + "asserts.js");
+
+var target = {x: 5};
+var returnValue = 42;
+var handler = {
+  get(t, p) {
+    return returnValue;
+  }
+};
+var {proxy, revoke} = Proxy.revocable(target, handler);
+
+function testGet(p) {
+  return p.x;
+}
+
+for (i = 0; i < 200; i++) {
+  assertEq(testGet(proxy), returnValue);
+}
+
+assertEq(testGet(proxy), returnValue);
+revoke();
+assertThrowsInstanceOf(function () { testGet(proxy) }, TypeError);
diff --git a/js/src/jit/CacheIR.cpp b/js/src/jit/CacheIR.cpp
@@ -1560,7 +1560,8 @@ AttachDecision GetPropIRGenerator::tryAttachScriptedProxy(
 
   writer.guardIsProxy(objId);
   writer.guardHasProxyHandler(objId, &ScriptedProxyHandler::singleton);
-  ObjOperandId handlerObjId = writer.loadScriptedProxyHandler(objId);
+  ValOperandId handlerValId = writer.loadScriptedProxyHandler(objId);
+  ObjOperandId handlerObjId = writer.guardToObject(handlerValId);
   ObjOperandId targetObjId = writer.loadWrapperTarget(objId);
 
   if (trapKind == NativeGetPropKind::Missing) {

diff --git a/js/src/jit/CacheIRCompiler.cpp b/js/src/jit/CacheIRCompiler.cpp
@@ -2253,17 +2253,19 @@ bool CacheIRCompiler::emitGuardDynamicSlotValue(ObjOperandId objId,
   return true;
 }
 
-bool CacheIRCompiler::emitLoadScriptedProxyHandler(ObjOperandId resultId,
+bool CacheIRCompiler::emitLoadScriptedProxyHandler(ValOperandId resultId,
                                                    ObjOperandId objId) {
   JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
 
   Register obj = allocator.useRegister(masm, objId);
-  Register output = allocator.defineRegister(masm, resultId);
+  ValueOperand output = allocator.defineValueRegister(masm, resultId);
 
-  masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()), output);
-  masm.unboxObject(Address(output, js::detail::ProxyReservedSlots::offsetOfSlot(
+  masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()),
+               output.scratchReg());
+  masm.loadValue(
+      Address(output.scratchReg(), js::detail::ProxyReservedSlots::offsetOfSlot(
                                        ScriptedProxyHandler::HANDLER_EXTRA)),
-                   output);
+      output);
   return true;
 }
 

diff --git a/js/src/jit/CacheIROps.yaml b/js/src/jit/CacheIROps.yaml
@@ -668,7 +668,7 @@
   transpile: true
   cost_estimate: 1
   args:
-    result: ObjId
+    result: ValId
     obj: ObjId
 
 - name: IdToStringOrSymbol

diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
@@ -14563,12 +14563,14 @@ void CodeGenerator::visitMegamorphicSetElement(LMegamorphicSetElement* lir) {
 void CodeGenerator::visitLoadScriptedProxyHandler(
     LLoadScriptedProxyHandler* ins) {
   const Register obj = ToRegister(ins->getOperand(0));
-  Register output = ToRegister(ins->output());
+  ValueOperand output = ToOutValue(ins);
 
-  masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()), output);
-  masm.unboxObject(Address(output, js::detail::ProxyReservedSlots::offsetOfSlot(
+  masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()),
+               output.scratchReg());
+  masm.loadValue(
+      Address(output.scratchReg(), js::detail::ProxyReservedSlots::offsetOfSlot(
                                        ScriptedProxyHandler::HANDLER_EXTRA)),
-                   output);
+      output);
 }
 
 #ifdef JS_PUNBOX64

diff --git a/js/src/jit/LIROps.yaml b/js/src/jit/LIROps.yaml
@@ -1977,7 +1977,7 @@
   mir_op: ClampToUint8
 
 - name: LoadScriptedProxyHandler
-  result_type: WordSized
+  result_type: BoxedValue
   operands:
     object: WordSized
   mir_op: true

diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
@@ -4426,7 +4426,7 @@ void LIRGenerator::visitLoadScriptedProxyHandler(
     MLoadScriptedProxyHandler* ins) {
   LLoadScriptedProxyHandler* lir = new (alloc())
       LLoadScriptedProxyHandler(useRegisterAtStart(ins->object()));
-  define(lir, ins);
+  defineBox(lir, ins);
 }
 
 void LIRGenerator::visitIdToStringOrSymbol(MIdToStringOrSymbol* ins) {

diff --git a/js/src/jit/MIROps.yaml b/js/src/jit/MIROps.yaml
@@ -525,7 +525,7 @@
 - name: LoadScriptedProxyHandler
   operands:
     object: Object
-  result_type: Object
+  result_type: Value
   congruent_to: if_operands_equal
   alias_set: none
 

diff --git a/js/src/jit/WarpCacheIRTranspiler.cpp b/js/src/jit/WarpCacheIRTranspiler.cpp
@@ -912,7 +912,7 @@ bool WarpCacheIRTranspiler::emitGuardDynamicSlotValue(ObjOperandId objId,
   return true;
 }
 
-bool WarpCacheIRTranspiler::emitLoadScriptedProxyHandler(ObjOperandId resultId,
+bool WarpCacheIRTranspiler::emitLoadScriptedProxyHandler(ValOperandId resultId,
                                                          ObjOperandId objId) {
   MDefinition* obj = getOperand(objId);