From eee4e46aea64fbf882cb9dda2088a8a1082ed208 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 04:42:18 +0200
Subject: Merging upstream version 115.10.0esr.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 js/src/jit/CacheIR.cpp        | 11 ++++++++---
 js/src/jit/IonAnalysis.cpp    |  4 ++--
 js/src/jit/JitFrames.cpp      | 20 ++++++++++----------
 js/src/vm/BigIntType.h        |  1 +
 js/src/vm/StructuredClone.cpp |  2 +-
 5 files changed, 22 insertions(+), 16 deletions(-)

(limited to 'js/src')

diff --git a/js/src/jit/CacheIR.cpp b/js/src/jit/CacheIR.cpp
index 68163e7d6c..2a7c72abe4 100644
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -498,9 +498,14 @@ enum class NativeGetPropKind {
 
 static NativeGetPropKind IsCacheableGetPropCall(NativeObject* obj,
                                                 NativeObject* holder,
-                                                PropertyInfo prop) {
+                                                PropertyInfo prop,
+                                                jsbytecode* pc = nullptr) {
   MOZ_ASSERT(IsCacheableProtoChain(obj, holder));
 
+  if (pc && JSOp(*pc) == JSOp::GetBoundName) {
+    return NativeGetPropKind::None;
+  }
+
   if (!prop.isAccessorProperty()) {
     return NativeGetPropKind::None;
   }
@@ -593,7 +598,7 @@ static NativeGetPropKind CanAttachNativeGetProp(JSContext* cx, JSObject* obj,
       return NativeGetPropKind::Slot;
     }
 
-    return IsCacheableGetPropCall(nobj, *holder, propInfo->ref());
+    return IsCacheableGetPropCall(nobj, *holder, propInfo->ref(), pc);
   }
 
   if (!prop.isFound()) {
@@ -3130,7 +3135,7 @@ AttachDecision GetNameIRGenerator::tryAttachGlobalNameGetter(ObjOperandId objId,
 
   GlobalObject* global = &globalLexical->global();
 
-  NativeGetPropKind kind = IsCacheableGetPropCall(global, holder, *prop);
+  NativeGetPropKind kind = IsCacheableGetPropCall(global, holder, *prop, pc_);
   if (kind != NativeGetPropKind::NativeGetter &&
       kind != NativeGetPropKind::ScriptedGetter) {
     return AttachDecision::NoAction;
diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
index d15c0d5df0..77b166af04 100644
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -747,13 +747,13 @@ static bool IsDiamondPattern(MBasicBlock* initialBlock) {
   MTest* initialTest = ins->toTest();
 
   MBasicBlock* trueBranch = initialTest->ifTrue();
-  if (trueBranch->numPredecessors() != 1 || trueBranch->numSuccessors() != 1) {
+  if (trueBranch->numPredecessors() != 1 || !trueBranch->lastIns()->isGoto()) {
     return false;
   }
 
   MBasicBlock* falseBranch = initialTest->ifFalse();
   if (falseBranch->numPredecessors() != 1 ||
-      falseBranch->numSuccessors() != 1) {
+      !falseBranch->lastIns()->isGoto()) {
     return false;
   }
 
diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
index fd65289e61..5e723041cd 100644
--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
@@ -897,32 +897,32 @@ static void TraceThisAndArguments(JSTracer* trc, const JSJitFrameIter& frame,
     return;
   }
 
-  size_t nargs = layout->numActualArgs();
-  size_t nformals = 0;
-
   JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
+
+  size_t numFormals = fun->nargs();
+  size_t numArgs = std::max(layout->numActualArgs(), numFormals);
+  size_t firstArg = 0;
+
   if (frame.type() != FrameType::JSJitToWasm &&
       !frame.isExitFrameLayout<CalledFromJitExitFrameLayout>() &&
       !fun->nonLazyScript()->mayReadFrameArgsDirectly()) {
-    nformals = fun->nargs();
+    firstArg = numFormals;
   }
 
-  size_t newTargetOffset = std::max(nargs, fun->nargs());
-
   Value* argv = layout->thisAndActualArgs();
 
   // Trace |this|.
   TraceRoot(trc, argv, "ion-thisv");
 
-  // Trace actual arguments beyond the formals. Note + 1 for thisv.
-  for (size_t i = nformals + 1; i < nargs + 1; i++) {
-    TraceRoot(trc, &argv[i], "ion-argv");
+  // Trace arguments. Note + 1 for thisv.
+  for (size_t i = firstArg; i < numArgs; i++) {
+    TraceRoot(trc, &argv[i + 1], "ion-argv");
   }
 
   // Always trace the new.target from the frame. It's not in the snapshots.
   // +1 to pass |this|
   if (CalleeTokenIsConstructing(layout->calleeToken())) {
-    TraceRoot(trc, &argv[1 + newTargetOffset], "ion-newTarget");
+    TraceRoot(trc, &argv[1 + numArgs], "ion-newTarget");
   }
 }
 
diff --git a/js/src/vm/BigIntType.h b/js/src/vm/BigIntType.h
index c8e264b20b..fe70d0cf69 100644
--- a/js/src/vm/BigIntType.h
+++ b/js/src/vm/BigIntType.h
@@ -398,6 +398,7 @@ class BigInt final : public js::gc::CellWithLengthAndFlags {
   static JSLinearString* toStringGeneric(JSContext* cx, Handle<BigInt*>,
                                          unsigned radix);
 
+  friend struct ::JSStructuredCloneReader; // So it can call the following:
   static BigInt* destructivelyTrimHighZeroDigits(JSContext* cx, BigInt* x);
 
   bool absFitsInUint64() const { return digitLength() <= 64 / DigitBits; }
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
index 7eafc89113..1ba63c7fee 100644
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -2489,7 +2489,7 @@ BigInt* JSStructuredCloneReader::readBigInt(uint32_t data) {
   if (!in.readArray(result->digits().data(), length)) {
     return nullptr;
   }
-  return result;
+  return JS::BigInt::destructivelyTrimHighZeroDigits(context(), result);
 }
 
 static uint32_t TagToV1ArrayType(uint32_t tag) {
-- 
cgit v1.2.3