From d1b5c9f2c385834bab36af4ca8990718a633c644 Mon Sep 17 00:00:00 2001
From: Yusuke Suzuki
Date: Tue, 16 Jul 2024 16:03:42 -0700
Subject: [PATCH] InById / InByVal should reset SP too in Baseline

https://bugs.webkit.org/show_bug.cgi?id=276688
rdar://131869701

Reviewed by Keith Miller.

Now InById / InByVal can call ProxyObject handlers and they get inlined in DFG. Thus we should adjust stack pointer after the calls as the same to GetById / GetByVal.

* Source/JavaScriptCore/jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_in_by_id):
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitHasPrivate):

Canonical link: https://commits.webkit.org/281024@main
---
 Source/JavaScriptCore/jit/JITPropertyAccess.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
index 5ae8f2c732f7f..5d6b2e1f0421b 100644
--- a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
+++ b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
@@ -1273,6 +1273,7 @@ void JIT::emit_op_in_by_id(const JSInstruction* currentInstruction)
     addSlowCase();
     m_inByIds.append(gen);
+    resetSP(); // We might OSR exit here, so we need to conservatively reset SP
     setFastPathResumePoint();
     emitPutVirtualRegister(resultVReg, resultJSR);
 }
@@ -1333,6 +1334,7 @@ void JIT::emit_op_in_by_val(const JSInstruction* currentInstruction)
     addSlowCase();
     m_inByVals.append(gen);
+    resetSP(); // We might OSR exit here, so we need to conservatively reset SP
     setFastPathResumePoint();
     emitPutVirtualRegister(dst, resultJSR);
 }
@@ -1385,6 +1387,7 @@ void JIT::emitHasPrivate(VirtualRegister dst, VirtualRegister base, VirtualRegis
     addSlowCase();
     m_inByVals.append(gen);
+    resetSP(); // We might OSR exit here, so we need to conservatively reset SP
     setFastPathResumePoint();
     emitPutVirtualRegister(dst, resultJSR);
 }
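Review bot: The fix lands without a regression test — the diffstat lists only JITPropertyAccess.cpp, so nothing under JSTests exercises `in` against a Proxy with a `has` trap from Baseline-compiled code, which is the path the description says can leave SP stale. A stack-pointer mismatch in JIT-emitted code is a memory-safety class of defect, so a small test that tiers a function up to Baseline and checks the `in` result after the trap returns would keep this from regressing silently. The added `resetSP()` sits between `m_inByIds.append(gen)` and `setFastPathResumePoint()` in all three hunks (emit_op_in_by_id, emit_op_in_by_val, emitHasPrivate); if that ordering is required because the resume point is where the slow path re-enters, the comment should say so rather than only naming OSR exit, e.g. `// Slow path (including ProxyObject traps) may have changed SP; reset it before the resume point, as GetById/GetByVal do`. Each hunk begins mid-body at `addSlowCase()`, so the enclosing functions start outside the hunk.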