
commit c6130f91f87041946c92ffbf31aacfef6bf0130a
parent a0c4551d89f168be09eeed5e60367af1ac13174a
Author: Iain Ireland <iireland@mozilla.com>
Date:   Wed,  7 Jan 2026 17:41:36 +0000

Bug 2006476: Bake JitZone into IC code for regexp/concat stubs r=jandem

Differential Revision: https://phabricator.services.mozilla.com/D278056

Diffstat:
Mjs/src/jit/BaselineCacheIRCompiler.cpp | 6++----
Mjs/src/jit/CacheIRCompiler.cpp | 4+---
Mjs/src/jit/CompileWrappers.cpp | 2++
Mjs/src/jit/CompileWrappers.h | 2++
4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/js/src/jit/BaselineCacheIRCompiler.cpp b/js/src/jit/BaselineCacheIRCompiler.cpp
@@ -3759,15 +3759,13 @@ bool BaselineCacheIRCompiler::emitCloseIterScriptedResult(
 static void CallRegExpStub(MacroAssembler& masm, size_t jitZoneStubOffset, Register temp, Label* vmCall) {
- // Call cx->zone()->jitZone()->regExpStub. We store a pointer to the RegExp
+ // Call jitZone()->regExpStub. We store a pointer to the RegExp
 // stub in the IC stub to keep it alive, but we shouldn't use it if the stub
 // has been discarded in the meantime (because we might have changed GC string
 // pretenuring heuristics that affect behavior of the stub). This is uncommon
 // but can happen if we discarded all JIT code but had some active (Baseline)
 // scripts on the stack.
- masm.loadJSContext(temp);
- masm.loadPtr(Address(temp, JSContext::offsetOfZone()), temp);
- masm.loadPtr(Address(temp, Zone::offsetOfJitZone()), temp);
+ masm.movePtr(ImmPtr(masm.realm()->zone()->jitZone()), temp);
 masm.loadPtr(Address(temp, jitZoneStubOffset), temp);
 masm.branchTestPtr(Assembler::Zero, temp, temp, vmCall);
 masm.call(Address(temp, JitCode::offsetOfCode()));
diff --git a/js/src/jit/CacheIRCompiler.cpp b/js/src/jit/CacheIRCompiler.cpp
@@ -10307,9 +10307,7 @@ bool CacheIRCompiler::emitConcatStringsResult(StringOperandId lhsId,
 // code in CallRegExpStub.
 Label vmCall;
 Register temp = CallTempReg2;
- masm.loadJSContext(temp);
- masm.loadPtr(Address(temp, JSContext::offsetOfZone()), temp);
- masm.loadPtr(Address(temp, Zone::offsetOfJitZone()), temp);
+ masm.movePtr(ImmPtr(cx_->zone()->jitZone()), temp);
 masm.loadPtr(Address(temp, JitZone::offsetOfStringConcatStub()), temp);
 masm.branchTestPtr(Assembler::Zero, temp, temp, &vmCall);
 masm.call(Address(temp, JitCode::offsetOfCode()));
diff --git a/js/src/jit/CompileWrappers.cpp b/js/src/jit/CompileWrappers.cpp
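Review bot: In CallRegExpStub, `masm.movePtr(ImmPtr(masm.realm()->zone()->jitZone()), temp);` bakes a raw, untraced JitZone address into the stub, but the comment above it still explains only why the stub pointer may have been discarded and says nothing about why the baked address stays valid. That safety rests on an invariant the hunk does not show: the generated IC code must never run in a different zone and must be discarded before the JitZone is freed, otherwise this becomes a load through a stale pointer. I would record that next to the instruction, e.g. `// JitZone address is baked in; valid only because this IC code is per-zone and never outlives its JitZone.`, and have the author confirm it for every caller of this helper. A debug-only emitted check that the baked value equals the running context's zone's JitZone would catch a violation early. The function's tail lies outside the hunk.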
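Review bot: This site in emitConcatStringsResult reaches the address through `cx_->zone()->jitZone()`, while CallRegExpStub in BaselineCacheIRCompiler.cpp goes through `masm.realm()->zone()->jitZone()` and the new CompileZone wrapper, so two idioms now exist for baking the same zone pointer into code. Picking one, for instance `masm.movePtr(ImmPtr(masm.realm()->zone()->jitZone()), temp);` here as well if the assembler's realm is set in this compiler, would let a single search find every baked JitZone address when the lifetime rules are audited. The context comment `// code in CallRegExpStub.` defers to that function's explanation, which does not mention the baked address either. emitConcatStringsResult starts and ends outside the hunk.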
@@ -178,6 +178,8 @@ void* CompileZone::addressOfNurseryAllocatedSites() {
 return rt->gc.addressOfNurseryAllocatedSites();
 }
+void* CompileZone::jitZone() { return zone()->jitZone(); }
+
 bool CompileZone::canNurseryAllocateStrings() {
 return zone()->allocNurseryStrings();
 }
diff --git a/js/src/jit/CompileWrappers.h b/js/src/jit/CompileWrappers.h
@@ -140,6 +140,8 @@ class CompileZone {
 gc::CatchAllAllocSite siteKind);
 gc::AllocSite* tenuringAllocSite();
+ void* jitZone();
+
 bool hasRealmWithAllocMetadataBuilder();
 };
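Review bot: `CompileZone::jitZone()` hands back an untyped `void*` with no comment, so a caller cannot tell that the value is meant only as an opaque address to embed in generated code and not something to dereference from compilation code; the same applies to the declaration added in CompileWrappers.h. The neighbouring accessor in this hunk uses an `addressOf…` name for that kind of value, so either follow that pattern or document the declaration with something like `// Opaque address of this zone's JitZone, for embedding in JIT code only; never dereference.` It would also be worth stating (or asserting with `MOZ_ASSERT`) that the JitZone already exists here, since a null result would be baked in silently; whether it can be null at this point is not visible from the hunk.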