builtins-array-gen.cc 130 KB
Newer Older
1 2 3 4
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

5 6
#include "src/builtins/builtins-array-gen.h"

7
#include "src/builtins/builtins-iterator-gen.h"
8
#include "src/builtins/builtins-string-gen.h"
9
#include "src/builtins/builtins-typed-array-gen.h"
10 11 12
#include "src/builtins/builtins-utils-gen.h"
#include "src/builtins/builtins.h"
#include "src/code-stub-assembler.h"
13
#include "src/frame-constants.h"
14
#include "src/heap/factory-inl.h"
15
#include "src/objects/allocation-site-inl.h"
16
#include "src/objects/arguments-inl.h"
17
#include "src/objects/property-cell.h"
18

19 20 21
namespace v8 {
namespace internal {

22
using Node = compiler::Node;
23
using IteratorRecord = IteratorBuiltinsFromDSLAssembler::IteratorRecord;
24

25 26
ArrayBuiltinsAssembler::ArrayBuiltinsAssembler(
    compiler::CodeAssemblerState* state)
27
    : CodeStubAssembler(state),
28 29 30 31
      k_(this, MachineRepresentation::kTagged),
      a_(this, MachineRepresentation::kTagged),
      to_(this, MachineRepresentation::kTagged, SmiConstant(0)),
      fully_spec_compliant_(this, {&k_, &a_, &to_}) {}
32

33 34 35
void ArrayBuiltinsAssembler::FindResultGenerator() {
  a_.Bind(UndefinedConstant());
}
36

37 38 39 40 41 42 43 44 45
Node* ArrayBuiltinsAssembler::FindProcessor(Node* k_value, Node* k) {
  Node* value = CallJS(CodeFactory::Call(isolate()), context(), callbackfn(),
                       this_arg(), k_value, k, o());
  Label false_continue(this), return_true(this);
  BranchIfToBooleanIsTrue(value, &return_true, &false_continue);
  BIND(&return_true);
  ReturnFromBuiltin(k_value);
  BIND(&false_continue);
  return a();
46 47
  }

48 49 50
  void ArrayBuiltinsAssembler::FindIndexResultGenerator() {
    a_.Bind(SmiConstant(-1));
  }
51

52
  Node* ArrayBuiltinsAssembler::FindIndexProcessor(Node* k_value, Node* k) {
53 54 55 56 57 58 59 60 61 62
    Node* value = CallJS(CodeFactory::Call(isolate()), context(), callbackfn(),
                         this_arg(), k_value, k, o());
    Label false_continue(this), return_true(this);
    BranchIfToBooleanIsTrue(value, &return_true, &false_continue);
    BIND(&return_true);
    ReturnFromBuiltin(k);
    BIND(&false_continue);
    return a();
  }

63 64 65
  void ArrayBuiltinsAssembler::ForEachResultGenerator() {
    a_.Bind(UndefinedConstant());
  }
66

67
  Node* ArrayBuiltinsAssembler::ForEachProcessor(Node* k_value, Node* k) {
68 69 70 71 72
    CallJS(CodeFactory::Call(isolate()), context(), callbackfn(), this_arg(),
           k_value, k, o());
    return a();
  }

73 74 75
  void ArrayBuiltinsAssembler::SomeResultGenerator() {
    a_.Bind(FalseConstant());
  }
76

77
  Node* ArrayBuiltinsAssembler::SomeProcessor(Node* k_value, Node* k) {
78 79 80 81
    Node* value = CallJS(CodeFactory::Call(isolate()), context(), callbackfn(),
                         this_arg(), k_value, k, o());
    Label false_continue(this), return_true(this);
    BranchIfToBooleanIsTrue(value, &return_true, &false_continue);
82
    BIND(&return_true);
83
    ReturnFromBuiltin(TrueConstant());
84
    BIND(&false_continue);
85 86 87
    return a();
  }

88 89 90
  void ArrayBuiltinsAssembler::EveryResultGenerator() {
    a_.Bind(TrueConstant());
  }
91

92
  Node* ArrayBuiltinsAssembler::EveryProcessor(Node* k_value, Node* k) {
93 94 95 96
    Node* value = CallJS(CodeFactory::Call(isolate()), context(), callbackfn(),
                         this_arg(), k_value, k, o());
    Label true_continue(this), return_false(this);
    BranchIfToBooleanIsTrue(value, &true_continue, &return_false);
97
    BIND(&return_false);
98
    ReturnFromBuiltin(FalseConstant());
99
    BIND(&true_continue);
100 101 102
    return a();
  }

103 104 105
  void ArrayBuiltinsAssembler::ReduceResultGenerator() {
    return a_.Bind(this_arg());
  }
106

107
  Node* ArrayBuiltinsAssembler::ReduceProcessor(Node* k_value, Node* k) {
108
    VARIABLE(result, MachineRepresentation::kTagged);
109 110 111 112 113 114
    Label done(this, {&result}), initial(this);
    GotoIf(WordEqual(a(), TheHoleConstant()), &initial);
    result.Bind(CallJS(CodeFactory::Call(isolate()), context(), callbackfn(),
                       UndefinedConstant(), a(), k_value, k, o()));
    Goto(&done);

115
    BIND(&initial);
116 117 118
    result.Bind(k_value);
    Goto(&done);

119
    BIND(&done);
120 121 122
    return result.value();
  }

123
  void ArrayBuiltinsAssembler::ReducePostLoopAction() {
124 125
    Label ok(this);
    GotoIf(WordNotEqual(a(), TheHoleConstant()), &ok);
126
    ThrowTypeError(context(), MessageTemplate::kReduceNoInitial);
127
    BIND(&ok);
128 129
  }

130
  void ArrayBuiltinsAssembler::TypedArrayMapResultGenerator() {
131
    // 6. Let A be ? TypedArraySpeciesCreate(O, len).
132 133 134 135 136
    TNode<JSTypedArray> original_array = CAST(o());
    TNode<Smi> length = CAST(len_);
    const char* method_name = "%TypedArray%.prototype.map";

    TypedArrayBuiltinsAssembler typedarray_asm(state());
137
    TNode<JSTypedArray> a = typedarray_asm.TypedArraySpeciesCreateByLength(
138
        context(), original_array, length, method_name);
139
    // In the Spec and our current implementation, the length check is already
140
    // performed in TypedArraySpeciesCreate.
141
    CSA_ASSERT(this, SmiLessThanOrEqual(CAST(len_), LoadJSTypedArrayLength(a)));
142 143 144
    fast_typed_array_target_ =
        Word32Equal(LoadInstanceType(LoadElements(original_array)),
                    LoadInstanceType(LoadElements(a)));
145 146 147 148
    a_.Bind(a);
  }

  // See tc39.github.io/ecma262/#sec-%typedarray%.prototype.map.
149
  Node* ArrayBuiltinsAssembler::TypedArrayMapProcessor(Node* k_value, Node* k) {
150 151 152
    // 8. c. Let mapped_value be ? Call(callbackfn, T, « kValue, k, O »).
    Node* mapped_value = CallJS(CodeFactory::Call(isolate()), context(),
                                callbackfn(), this_arg(), k_value, k, o());
153 154
    Label fast(this), slow(this), done(this), detached(this, Label::kDeferred);

155
    // 8. d. Perform ? Set(A, Pk, mapped_value, true).
156 157 158 159 160 161
    // Since we know that A is a TypedArray, this always ends up in
    // #sec-integer-indexed-exotic-objects-set-p-v-receiver and then
    // tc39.github.io/ecma262/#sec-integerindexedelementset .
    Branch(fast_typed_array_target_, &fast, &slow);

    BIND(&fast);
162 163 164 165 166 167 168 169 170 171 172
    // #sec-integerindexedelementset
    // 5. If arrayTypeName is "BigUint64Array" or "BigInt64Array", let
    // numValue be ? ToBigInt(v).
    // 6. Otherwise, let numValue be ? ToNumber(value).
    Node* num_value;
    if (source_elements_kind_ == BIGINT64_ELEMENTS ||
        source_elements_kind_ == BIGUINT64_ELEMENTS) {
      num_value = ToBigInt(context(), mapped_value);
    } else {
      num_value = ToNumber_Inline(context(), mapped_value);
    }
173
    // The only way how this can bailout is because of a detached buffer.
174
    EmitElementStore(a(), k, num_value, source_elements_kind_,
175 176
                     KeyedAccessStoreMode::STANDARD_STORE, &detached,
                     context());
177 178 179
    Goto(&done);

    BIND(&slow);
180
    SetPropertyStrict(context(), CAST(a()), CAST(k), CAST(mapped_value));
181 182 183
    Goto(&done);

    BIND(&detached);
184
    // tc39.github.io/ecma262/#sec-integerindexedelementset
185
    // 8. If IsDetachedBuffer(buffer) is true, throw a TypeError exception.
186
    ThrowTypeError(context_, MessageTemplate::kDetachedOperation, name_);
187 188 189 190 191

    BIND(&done);
    return a();
  }

192 193
  void ArrayBuiltinsAssembler::NullPostLoopAction() {}

194 195 196 197 198
  void ArrayBuiltinsAssembler::FillFixedArrayWithSmiZero(
      TNode<FixedArray> array, TNode<Smi> smi_length) {
    CSA_ASSERT(this, Word32BinaryNot(IsFixedDoubleArray(array)));

    TNode<IntPtrT> length = SmiToIntPtr(smi_length);
199
    TNode<WordT> byte_length = TimesTaggedSize(length);
200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215
    CSA_ASSERT(this, UintPtrLessThan(length, byte_length));

    static const int32_t fa_base_data_offset =
        FixedArray::kHeaderSize - kHeapObjectTag;
    TNode<IntPtrT> backing_store = IntPtrAdd(
        BitcastTaggedToWord(array), IntPtrConstant(fa_base_data_offset));

    // Call out to memset to perform initialization.
    TNode<ExternalReference> memset =
        ExternalConstant(ExternalReference::libc_memset_function());
    STATIC_ASSERT(kSizetSize == kIntptrSize);
    CallCFunction3(MachineType::Pointer(), MachineType::Pointer(),
                   MachineType::IntPtr(), MachineType::UintPtr(), memset,
                   backing_store, IntPtrConstant(0), byte_length);
  }

216
  void ArrayBuiltinsAssembler::ReturnFromBuiltin(Node* value) {
217 218 219 220 221 222 223 224 225
    if (argc_ == nullptr) {
      Return(value);
    } else {
      // argc_ doesn't include the receiver, so it has to be added back in
      // manually.
      PopAndReturn(IntPtrAdd(argc_, IntPtrConstant(1)), value);
    }
  }

226
  void ArrayBuiltinsAssembler::InitIteratingArrayBuiltinBody(
227
      TNode<Context> context, TNode<Object> receiver, Node* callbackfn,
228
      Node* this_arg, TNode<IntPtrT> argc) {
229 230 231 232
    context_ = context;
    receiver_ = receiver;
    callbackfn_ = callbackfn;
    this_arg_ = this_arg;
233
    argc_ = argc;
234
  }
235

236
  void ArrayBuiltinsAssembler::GenerateIteratingArrayBuiltinBody(
237 238
      const char* name, const BuiltinResultGenerator& generator,
      const CallResultProcessor& processor, const PostLoopAction& action,
239
      const Callable& slow_case_continuation,
240
      MissingPropertyMode missing_property_mode, ForEachDirection direction) {
241
    Label non_array(this), array_changes(this, {&k_, &a_, &to_});
242 243 244 245

    // TODO(danno): Seriously? Do we really need to throw the exact error
    // message on null and undefined so that the webkit tests pass?
    Label throw_null_undefined_exception(this, Label::kDeferred);
246
    GotoIf(IsNullOrUndefined(receiver()), &throw_null_undefined_exception);
247 248 249 250 251

    // By the book: taken directly from the ECMAScript 2015 specification

    // 1. Let O be ToObject(this value).
    // 2. ReturnIfAbrupt(O)
252
    o_ = ToObject_Inline(context(), receiver());
253 254 255

    // 3. Let len be ToLength(Get(O, "length")).
    // 4. ReturnIfAbrupt(len).
256
    TVARIABLE(Number, merged_length);
257
    Label has_length(this, &merged_length), not_js_array(this);
258
    GotoIf(DoesntHaveInstanceType(o(), JS_ARRAY_TYPE), &not_js_array);
259
    merged_length = LoadJSArrayLength(CAST(o()));
260
    Goto(&has_length);
261

262
    BIND(&not_js_array);
263 264 265 266 267 268
    {
      Node* len_property =
          GetProperty(context(), o(), isolate()->factory()->length_string());
      merged_length = ToLength_Inline(context(), len_property);
      Goto(&has_length);
    }
269
    BIND(&has_length);
270 271
    {
      len_ = merged_length.value();
272

273 274 275 276 277
      // 5. If IsCallable(callbackfn) is false, throw a TypeError exception.
      Label type_exception(this, Label::kDeferred);
      Label done(this);
      GotoIf(TaggedIsSmi(callbackfn()), &type_exception);
      Branch(IsCallableMap(LoadMap(callbackfn())), &done, &type_exception);
278

279 280 281
      BIND(&throw_null_undefined_exception);
      ThrowTypeError(context(), MessageTemplate::kCalledOnNullOrUndefined,
                     name);
282

283 284 285
      BIND(&type_exception);
      ThrowTypeError(context(), MessageTemplate::kCalledNonCallable,
                     callbackfn());
286

287 288
      BIND(&done);
    }
289 290 291 292

    // 6. If thisArg was supplied, let T be thisArg; else let T be undefined.
    // [Already done by the arguments adapter]

293 294 295 296
    if (direction == ForEachDirection::kForward) {
      // 7. Let k be 0.
      k_.Bind(SmiConstant(0));
    } else {
297
      k_.Bind(NumberDec(len()));
298
    }
299

300
    generator(this);
301

302 303
    HandleFastElements(processor, action, &fully_spec_compliant_, direction,
                       missing_property_mode);
304

305
    BIND(&fully_spec_compliant_);
306

307 308 309 310
    Node* result =
        CallStub(slow_case_continuation, context(), receiver(), callbackfn(),
                 this_arg(), a_.value(), o(), k_.value(), len(), to_.value());
    ReturnFromBuiltin(result);
311 312
  }

313
  void ArrayBuiltinsAssembler::InitIteratingArrayBuiltinLoopContinuation(
314
      TNode<Context> context, TNode<Object> receiver, Node* callbackfn,
315 316
      Node* this_arg, Node* a, TNode<JSReceiver> o, Node* initial_k,
      TNode<Number> len, Node* to) {
317 318 319 320 321 322 323
    context_ = context;
    this_arg_ = this_arg;
    callbackfn_ = callbackfn;
    a_.Bind(a);
    k_.Bind(initial_k);
    o_ = o;
    len_ = len;
324
    to_.Bind(to);
325 326
  }

327
  void ArrayBuiltinsAssembler::GenerateIteratingTypedArrayBuiltinBody(
328
      const char* name, const BuiltinResultGenerator& generator,
329
      const CallResultProcessor& processor, const PostLoopAction& action,
330
      ForEachDirection direction) {
331
    name_ = name;
332 333 334

    // ValidateTypedArray: tc39.github.io/ecma262/#sec-validatetypedarray

335
    Label throw_not_typed_array(this, Label::kDeferred);
336 337

    GotoIf(TaggedIsSmi(receiver_), &throw_not_typed_array);
338
    GotoIfNot(HasInstanceType(CAST(receiver_), JS_TYPED_ARRAY_TYPE),
339 340
              &throw_not_typed_array);

341 342 343
    TNode<JSTypedArray> typed_array = CAST(receiver_);
    o_ = typed_array;

344 345
    TNode<JSArrayBuffer> array_buffer =
        LoadJSArrayBufferViewBuffer(typed_array);
346
    ThrowIfArrayBufferIsDetached(context_, array_buffer, name_);
347

348
    len_ = LoadJSTypedArrayLength(typed_array);
349 350 351 352 353 354 355

    Label throw_not_callable(this, Label::kDeferred);
    Label distinguish_types(this);
    GotoIf(TaggedIsSmi(callbackfn_), &throw_not_callable);
    Branch(IsCallableMap(LoadMap(callbackfn_)), &distinguish_types,
           &throw_not_callable);

356
    BIND(&throw_not_typed_array);
357
    ThrowTypeError(context_, MessageTemplate::kNotTypedArray);
358

359
    BIND(&throw_not_callable);
360
    ThrowTypeError(context_, MessageTemplate::kCalledNonCallable, callbackfn_);
361 362

    Label unexpected_instance_type(this);
363
    BIND(&unexpected_instance_type);
364 365 366
    Unreachable();

    std::vector<int32_t> instance_types = {
367
#define INSTANCE_TYPE(Type, type, TYPE, ctype) FIXED_##TYPE##_ARRAY_TYPE,
368 369 370
        TYPED_ARRAYS(INSTANCE_TYPE)
#undef INSTANCE_TYPE
    };
371
    std::list<Label> labels;
372
    for (size_t i = 0; i < instance_types.size(); ++i) {
373
      labels.emplace_back(this);
374 375 376 377 378 379
    }
    std::vector<Label*> label_ptrs;
    for (Label& label : labels) {
      label_ptrs.push_back(&label);
    }

380
    BIND(&distinguish_types);
381

382 383
    generator(this);

384 385 386 387 388
    if (direction == ForEachDirection::kForward) {
      k_.Bind(SmiConstant(0));
    } else {
      k_.Bind(NumberDec(len()));
    }
389
    CSA_ASSERT(this, IsSafeInteger(k()));
390
    Node* instance_type = LoadInstanceType(LoadElements(typed_array));
391
    Switch(instance_type, &unexpected_instance_type, instance_types.data(),
392 393
           label_ptrs.data(), labels.size());

394 395 396
    size_t i = 0;
    for (auto it = labels.begin(); it != labels.end(); ++i, ++it) {
      BIND(&*it);
397
      Label done(this);
398 399
      source_elements_kind_ = ElementsKindForInstanceType(
          static_cast<InstanceType>(instance_types[i]));
400
      // TODO(tebbi): Silently cancelling the loop on buffer detachment is a
401 402
      // spec violation. Should go to &throw_detached and throw a TypeError
      // instead.
403 404
      VisitAllTypedArrayElements(array_buffer, processor, &done, direction,
                                 typed_array);
405 406
      Goto(&done);
      // No exception, return success
407
      BIND(&done);
408
      action(this);
409
      ReturnFromBuiltin(a_.value());
410 411 412
    }
  }

413
  void ArrayBuiltinsAssembler::GenerateIteratingArrayBuiltinLoopContinuation(
414
      const CallResultProcessor& processor, const PostLoopAction& action,
415
      MissingPropertyMode missing_property_mode, ForEachDirection direction) {
416
    Label loop(this, {&k_, &a_, &to_});
417 418
    Label after_loop(this);
    Goto(&loop);
419
    BIND(&loop);
420
    {
421 422
      if (direction == ForEachDirection::kForward) {
        // 8. Repeat, while k < len
423
        GotoIfNumberGreaterThanOrEqual(k(), len_, &after_loop);
424 425 426
      } else {
        // OR
        // 10. Repeat, while k >= 0
427
        GotoIfNumberGreaterThanOrEqual(SmiConstant(-1), k(), &after_loop);
428
      }
429

430
      Label done_element(this, &to_);
431
      // a. Let Pk be ToString(k).
432 433 434
      // k() is guaranteed to be a positive integer, hence ToString is
      // side-effect free and HasProperty/GetProperty do the conversion inline.
      CSA_ASSERT(this, IsSafeInteger(k()));
435

436 437 438
      if (missing_property_mode == MissingPropertyMode::kSkip) {
        // b. Let kPresent be HasProperty(O, Pk).
        // c. ReturnIfAbrupt(kPresent).
439
        TNode<Oddball> k_present =
440
            HasProperty(context(), o(), k(), kHasProperty);
441

442
        // d. If kPresent is true, then
443
        GotoIf(IsFalse(k_present), &done_element);
444
      }
445 446 447

      // i. Let kValue be Get(O, Pk).
      // ii. ReturnIfAbrupt(kValue).
448
      Node* k_value = GetProperty(context(), o(), k());
449 450 451

      // iii. Let funcResult be Call(callbackfn, T, «kValue, k, O»).
      // iv. ReturnIfAbrupt(funcResult).
452
      a_.Bind(processor(this, k_value, k()));
453
      Goto(&done_element);
454

455
      BIND(&done_element);
456

457 458 459 460 461 462 463
      if (direction == ForEachDirection::kForward) {
        // e. Increase k by 1.
        k_.Bind(NumberInc(k()));
      } else {
        // e. Decrease k by 1.
        k_.Bind(NumberDec(k()));
      }
464 465
      Goto(&loop);
    }
466
    BIND(&after_loop);
467

468 469
    action(this);
    Return(a_.value());
470 471
  }

472 473
  ElementsKind ArrayBuiltinsAssembler::ElementsKindForInstanceType(
      InstanceType type) {
474
    switch (type) {
475 476
#define INSTANCE_TYPE_TO_ELEMENTS_KIND(Type, type, TYPE, ctype) \
  case FIXED_##TYPE##_ARRAY_TYPE:                               \
477 478 479 480 481 482 483 484 485 486
    return TYPE##_ELEMENTS;

      TYPED_ARRAYS(INSTANCE_TYPE_TO_ELEMENTS_KIND)
#undef INSTANCE_TYPE_TO_ELEMENTS_KIND

      default:
        UNREACHABLE();
    }
  }

487 488
  void ArrayBuiltinsAssembler::VisitAllTypedArrayElements(
      Node* array_buffer, const CallResultProcessor& processor, Label* detached,
489
      ForEachDirection direction, TNode<JSTypedArray> typed_array) {
490 491 492 493
    VariableList list({&a_, &k_, &to_}, zone());

    FastLoopBody body = [&](Node* index) {
      GotoIf(IsDetachedBuffer(array_buffer), detached);
494
      Node* elements = LoadElements(typed_array);
495 496 497 498 499 500
      Node* base_ptr =
          LoadObjectField(elements, FixedTypedArrayBase::kBasePointerOffset);
      Node* external_ptr =
          LoadObjectField(elements, FixedTypedArrayBase::kExternalPointerOffset,
                          MachineType::Pointer());
      Node* data_ptr = IntPtrAdd(BitcastTaggedToWord(base_ptr), external_ptr);
501 502
      Node* value = LoadFixedTypedArrayElementAsTagged(
          data_ptr, index, source_elements_kind_, SMI_PARAMETERS);
503 504 505
      k_.Bind(index);
      a_.Bind(processor(this, value, index));
    };
506 507 508 509 510 511 512 513 514 515 516
    Node* start = SmiConstant(0);
    Node* end = len_;
    IndexAdvanceMode advance_mode = IndexAdvanceMode::kPost;
    int incr = 1;
    if (direction == ForEachDirection::kReverse) {
      std::swap(start, end);
      advance_mode = IndexAdvanceMode::kPre;
      incr = -1;
    }
    BuildFastLoop(list, start, end, body, incr, ParameterMode::SMI_PARAMETERS,
                  advance_mode);
517 518
  }

519 520 521
  void ArrayBuiltinsAssembler::VisitAllFastElementsOneKind(
      ElementsKind kind, const CallResultProcessor& processor,
      Label* array_changed, ParameterMode mode, ForEachDirection direction,
522
      MissingPropertyMode missing_property_mode, TNode<Smi> length) {
523
    Comment("begin VisitAllFastElementsOneKind");
524 525 526
    // We only use this kind of processing if the no-elements protector is
    // in place at the start. We'll continue checking during array iteration.
    CSA_ASSERT(this, Word32BinaryNot(IsNoElementsProtectorCellInvalid()));
527
    VARIABLE(original_map, MachineRepresentation::kTagged);
528 529
    original_map.Bind(LoadMap(o()));
    VariableList list({&original_map, &a_, &k_, &to_}, zone());
530
    Node* start = IntPtrOrSmiConstant(0, mode);
531
    Node* end = TaggedToParameter(length, mode);
532 533 534 535
    IndexAdvanceMode advance_mode = direction == ForEachDirection::kReverse
                                        ? IndexAdvanceMode::kPre
                                        : IndexAdvanceMode::kPost;
    if (direction == ForEachDirection::kReverse) std::swap(start, end);
536
    BuildFastLoop(
537
        list, start, end,
538 539
        [=, &original_map](Node* index) {
          k_.Bind(ParameterToTagged(index, mode));
540 541
          Label one_element_done(this), hole_element(this),
              process_element(this);
542 543 544 545

          // Check if o's map has changed during the callback. If so, we have to
          // fall back to the slower spec implementation for the rest of the
          // iteration.
546
          Node* o_map = LoadMap(o());
547 548
          GotoIf(WordNotEqual(o_map, original_map.value()), array_changed);

549
          TNode<JSArray> o_array = CAST(o());
550 551
          // Check if o's length has changed during the callback and if the
          // index is now out of range of the new length.
552 553
          GotoIf(SmiGreaterThanOrEqual(CAST(k_.value()),
                                       CAST(LoadJSArrayLength(o_array))),
554 555 556
                 array_changed);

          // Re-load the elements array. If may have been resized.
557
          Node* elements = LoadElements(o_array);
558 559 560

          // Fast case: load the element directly from the elements FixedArray
          // and call the callback if the element is not the hole.
561 562
          DCHECK(kind == PACKED_ELEMENTS || kind == PACKED_DOUBLE_ELEMENTS);
          int base_size = kind == PACKED_ELEMENTS
563 564 565
                              ? FixedArray::kHeaderSize
                              : (FixedArray::kHeaderSize - kHeapObjectTag);
          Node* offset = ElementOffsetFromIndex(index, kind, mode, base_size);
566
          VARIABLE(value, MachineRepresentation::kTagged);
567
          if (kind == PACKED_ELEMENTS) {
568 569
            value.Bind(LoadObjectField(elements, offset));
            GotoIf(WordEqual(value.value(), TheHoleConstant()), &hole_element);
570 571 572
          } else {
            Node* double_value =
                LoadDoubleWithHoleCheck(elements, offset, &hole_element);
573
            value.Bind(AllocateHeapNumberWithValue(double_value));
574
          }
575
          Goto(&process_element);
576

577
          BIND(&hole_element);
578
          if (missing_property_mode == MissingPropertyMode::kSkip) {
579 580 581
            // The NoElementsProtectorCell could go invalid during callbacks.
            Branch(IsNoElementsProtectorCellInvalid(), array_changed,
                   &one_element_done);
582 583 584 585 586 587 588 589 590
          } else {
            value.Bind(UndefinedConstant());
            Goto(&process_element);
          }
          BIND(&process_element);
          {
            a_.Bind(processor(this, value.value(), k()));
            Goto(&one_element_done);
          }
591
          BIND(&one_element_done);
592
        },
593
        1, mode, advance_mode);
594 595 596
    Comment("end VisitAllFastElementsOneKind");
  }

597 598 599 600
  void ArrayBuiltinsAssembler::HandleFastElements(
      const CallResultProcessor& processor, const PostLoopAction& action,
      Label* slow, ForEachDirection direction,
      MissingPropertyMode missing_property_mode) {
601 602 603 604 605
    Label switch_on_elements_kind(this), fast_elements(this),
        maybe_double_elements(this), fast_double_elements(this);

    Comment("begin HandleFastElements");
    // Non-smi lengths must use the slow path.
606
    GotoIf(TaggedIsNotSmi(len()), slow);
607

608
    BranchIfFastJSArray(o(), context(),
609 610
                        &switch_on_elements_kind, slow);

611
    BIND(&switch_on_elements_kind);
612
    TNode<Smi> smi_len = CAST(len());
613
    // Select by ElementsKind
614
    Node* kind = LoadElementsKind(o());
615
    Branch(IsElementsKindGreaterThan(kind, HOLEY_ELEMENTS),
616 617 618
           &maybe_double_elements, &fast_elements);

    ParameterMode mode = OptimalParameterMode();
619
    BIND(&fast_elements);
620
    {
621
      VisitAllFastElementsOneKind(PACKED_ELEMENTS, processor, slow, mode,
622
                                  direction, missing_property_mode, smi_len);
623

624
      action(this);
625

626
      // No exception, return success
627
      ReturnFromBuiltin(a_.value());
628 629
    }

630
    BIND(&maybe_double_elements);
631
    Branch(IsElementsKindGreaterThan(kind, HOLEY_DOUBLE_ELEMENTS), slow,
632
           &fast_double_elements);
633

634
    BIND(&fast_double_elements);
635
    {
636
      VisitAllFastElementsOneKind(PACKED_DOUBLE_ELEMENTS, processor, slow, mode,
637
                                  direction, missing_property_mode, smi_len);
638

639
      action(this);
640

641
      // No exception, return success
642
      ReturnFromBuiltin(a_.value());
643 644
    }
  }
645

646
  // Perform ArraySpeciesCreate (ES6 #sec-arrayspeciescreate).
647
  void ArrayBuiltinsAssembler::GenerateArraySpeciesCreate(TNode<Number> len) {
648 649 650
    Label runtime(this, Label::kDeferred), done(this);

    Node* const original_map = LoadMap(o());
651 652 653
    GotoIfNot(
        InstanceTypeEqual(LoadMapInstanceType(original_map), JS_ARRAY_TYPE),
        &runtime);
654

655 656
    GotoIfNot(IsPrototypeInitialArrayPrototype(context(), original_map),
              &runtime);
657

658
    Node* species_protector = ArraySpeciesProtectorConstant();
659 660
    Node* value =
        LoadObjectField(species_protector, PropertyCell::kValueOffset);
661 662 663 664
    Node* const protector_invalid = SmiConstant(Isolate::kProtectorInvalid);
    GotoIf(WordEqual(value, protector_invalid), &runtime);

    GotoIfNot(TaggedIsPositiveSmi(len), &runtime);
665 666 667
    GotoIfNot(
        IsValidFastJSArrayCapacity(len, CodeStubAssembler::SMI_PARAMETERS),
        &runtime);
668

669
    // We need to be conservative and start with holey because the builtins
670
    // that create output arrays aren't guaranteed to be called for every
671
    // element in the input array (maybe the callback deletes an element).
672 673
    const ElementsKind elements_kind =
        GetHoleyElementsKind(GetInitialFastElementsKind());
674
    TNode<Context> native_context = LoadNativeContext(context());
675
    TNode<Map> array_map =
676
        LoadJSArrayElementsMap(elements_kind, native_context);
677
    a_.Bind(AllocateJSArray(PACKED_SMI_ELEMENTS, array_map, len, CAST(len),
678 679
                            nullptr, CodeStubAssembler::SMI_PARAMETERS,
                            kAllowLargeObjectAllocation));
680 681 682 683 684 685

    Goto(&done);

    BIND(&runtime);
    {
      // 5. Let A be ? ArraySpeciesCreate(O, len).
686 687 688
      TNode<JSReceiver> constructor =
          CAST(CallRuntime(Runtime::kArraySpeciesConstructor, context(), o()));
      a_.Bind(Construct(context(), constructor, len));
689 690 691 692 693 694
      Goto(&fully_spec_compliant_);
    }

    BIND(&done);
  }

695
TF_BUILTIN(ArrayPrototypePop, CodeStubAssembler) {
696
  TNode<Int32T> argc =
697 698 699
      UncheckedCast<Int32T>(Parameter(Descriptor::kJSActualArgumentsCount));
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  CSA_ASSERT(this, IsUndefined(Parameter(Descriptor::kJSNewTarget)));
700 701

  CodeStubArguments args(this, ChangeInt32ToIntPtr(argc));
702
  TNode<Object> receiver = args.GetReceiver();
703 704 705 706 707 708 709 710 711 712 713

  Label runtime(this, Label::kDeferred);
  Label fast(this);

  // Only pop in this stub if
  // 1) the array has fast elements
  // 2) the length is writable,
  // 3) the elements backing store isn't copy-on-write,
  // 4) we aren't supposed to shrink the backing store.

  // 1) Check that the array has fast elements.
714
  BranchIfFastJSArray(receiver, context, &fast, &runtime);
715 716 717

  BIND(&fast);
  {
718 719
    TNode<JSArray> array_receiver = CAST(receiver);
    CSA_ASSERT(this, TaggedIsPositiveSmi(LoadJSArrayLength(array_receiver)));
720
    TNode<IntPtrT> length =
721
        LoadAndUntagObjectField(array_receiver, JSArray::kLengthOffset);
722 723 724
    Label return_undefined(this), fast_elements(this);
    GotoIf(IntPtrEqual(length, IntPtrConstant(0)), &return_undefined);

725
    // 2) Ensure that the length is writable.
726
    EnsureArrayLengthWritable(LoadMap(array_receiver), &runtime);
727 728

    // 3) Check that the elements backing store isn't copy-on-write.
729
    TNode<FixedArrayBase> elements = LoadElements(array_receiver);
730
    GotoIf(WordEqual(LoadMap(elements), LoadRoot(RootIndex::kFixedCOWArrayMap)),
731 732
           &runtime);

733
    TNode<IntPtrT> new_length = IntPtrSub(length, IntPtrConstant(1));
734

735 736
    // 4) Check that we're not supposed to shrink the backing store, as
    //    implemented in elements.cc:ElementsAccessorBase::SetLengthImpl.
737
    TNode<IntPtrT> capacity = SmiUntag(LoadFixedArrayBaseLength(elements));
738 739 740 741
    GotoIf(IntPtrLessThan(
               IntPtrAdd(IntPtrAdd(new_length, new_length),
                         IntPtrConstant(JSObject::kMinAddedElementsCapacity)),
               capacity),
742 743
           &runtime);

744
    StoreObjectFieldNoWriteBarrier(array_receiver, JSArray::kLengthOffset,
745 746
                                   SmiTag(new_length));

747
    TNode<Int32T> elements_kind = LoadElementsKind(array_receiver);
748 749 750 751
    GotoIf(Int32LessThanOrEqual(elements_kind,
                                Int32Constant(TERMINAL_FAST_ELEMENTS_KIND)),
           &fast_elements);

752 753 754 755
    Node* value = LoadFixedDoubleArrayElement(CAST(elements), new_length,
                                              &return_undefined);

    StoreFixedDoubleArrayHole(CAST(elements), new_length);
756 757
    args.PopAndReturn(AllocateHeapNumberWithValue(value));

758
    BIND(&fast_elements);
759
    {
760 761
      Node* value = LoadFixedArrayElement(CAST(elements), new_length);
      StoreFixedArrayElement(CAST(elements), new_length, TheHoleConstant());
762 763 764 765 766 767 768 769 770 771
      GotoIf(WordEqual(value, TheHoleConstant()), &return_undefined);
      args.PopAndReturn(value);
    }

    BIND(&return_undefined);
    { args.PopAndReturn(UndefinedConstant()); }
  }

  BIND(&runtime);
  {
772 773 774 775
    // We are not using Parameter(Descriptor::kJSTarget) and loading the value
    // from the current frame here in order to reduce register pressure on the
    // fast path.
    TNode<JSFunction> target = LoadTargetFromFrame();
776 777
    TailCallBuiltin(Builtins::kArrayPop, context, target, UndefinedConstant(),
                    argc);
778 779 780
  }
}

781
TF_BUILTIN(ArrayPrototypePush, CodeStubAssembler) {
782
  TVARIABLE(IntPtrT, arg_index);
783 784 785 786 787 788 789 790
  Label default_label(this, &arg_index);
  Label smi_transition(this);
  Label object_push_pre(this);
  Label object_push(this, &arg_index);
  Label double_push(this, &arg_index);
  Label double_transition(this);
  Label runtime(this, Label::kDeferred);

791 792
  // TODO(ishell): use constants from Descriptor once the JSFunction linkage
  // arguments are reordered.
793
  TNode<Int32T> argc =
794 795 796
      UncheckedCast<Int32T>(Parameter(Descriptor::kJSActualArgumentsCount));
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  CSA_ASSERT(this, IsUndefined(Parameter(Descriptor::kJSNewTarget)));
797 798

  CodeStubArguments args(this, ChangeInt32ToIntPtr(argc));
799 800
  TNode<Object> receiver = args.GetReceiver();
  TNode<JSArray> array_receiver;
801 802 803
  Node* kind = nullptr;

  Label fast(this);
804
  BranchIfFastJSArray(receiver, context, &fast, &runtime);
805

806
  BIND(&fast);
807
  {
808
    array_receiver = CAST(receiver);
809
    arg_index = IntPtrConstant(0);
810
    kind = EnsureArrayPushable(LoadMap(array_receiver), &runtime);
811
    GotoIf(IsElementsKindGreaterThan(kind, HOLEY_SMI_ELEMENTS),
812 813
           &object_push_pre);

814 815
    Node* new_length = BuildAppendJSArray(PACKED_SMI_ELEMENTS, array_receiver,
                                          &args, &arg_index, &smi_transition);
816 817 818 819 820 821 822
    args.PopAndReturn(new_length);
  }

  // If the argument is not a smi, then use a heavyweight SetProperty to
  // transition the array for only the single next element. If the argument is
  // a smi, the failure is due to some other reason and we should fall back on
  // the most generic implementation for the rest of the array.
823
  BIND(&smi_transition);
824
  {
825
    Node* arg = args.AtIndex(arg_index.value());
826
    GotoIf(TaggedIsSmi(arg), &default_label);
827
    Node* length = LoadJSArrayLength(array_receiver);
828 829
    // TODO(danno): Use the KeyedStoreGeneric stub here when possible,
    // calling into the runtime to do the elements transition is overkill.
830
    SetPropertyStrict(context, array_receiver, CAST(length), CAST(arg));
831
    Increment(&arg_index);
832 833
    // The runtime SetProperty call could have converted the array to dictionary
    // mode, which must be detected to abort the fast-path.
834
    Node* kind = LoadElementsKind(array_receiver);
835 836 837 838 839 840 841
    GotoIf(Word32Equal(kind, Int32Constant(DICTIONARY_ELEMENTS)),
           &default_label);

    GotoIfNotNumber(arg, &object_push);
    Goto(&double_push);
  }

842
  BIND(&object_push_pre);
843
  {
844
    Branch(IsElementsKindGreaterThan(kind, HOLEY_ELEMENTS), &double_push,
845
           &object_push);
846 847
  }

848
  BIND(&object_push);
849
  {
850 851
    Node* new_length = BuildAppendJSArray(PACKED_ELEMENTS, array_receiver,
                                          &args, &arg_index, &default_label);
852 853 854
    args.PopAndReturn(new_length);
  }

855
  BIND(&double_push);
856
  {
857
    Node* new_length =
858 859
        BuildAppendJSArray(PACKED_DOUBLE_ELEMENTS, array_receiver, &args,
                           &arg_index, &double_transition);
860 861 862 863 864 865 866
    args.PopAndReturn(new_length);
  }

  // If the argument is not a double, then use a heavyweight SetProperty to
  // transition the array for only the single next element. If the argument is
  // a double, the failure is due to some other reason and we should fall back
  // on the most generic implementation for the rest of the array.
867
  BIND(&double_transition);
868
  {
869
    Node* arg = args.AtIndex(arg_index.value());
870
    GotoIfNumber(arg, &default_label);
871
    Node* length = LoadJSArrayLength(array_receiver);
872 873
    // TODO(danno): Use the KeyedStoreGeneric stub here when possible,
    // calling into the runtime to do the elements transition is overkill.
874
    SetPropertyStrict(context, array_receiver, CAST(length), CAST(arg));
875
    Increment(&arg_index);
876 877
    // The runtime SetProperty call could have converted the array to dictionary
    // mode, which must be detected to abort the fast-path.
878
    Node* kind = LoadElementsKind(array_receiver);
879 880 881 882 883 884 885
    GotoIf(Word32Equal(kind, Int32Constant(DICTIONARY_ELEMENTS)),
           &default_label);
    Goto(&object_push);
  }

  // Fallback that stores un-processed arguments using the full, heavyweight
  // SetProperty machinery.
886
  BIND(&default_label);
887 888
  {
    args.ForEach(
889 890
        [this, array_receiver, context](Node* arg) {
          Node* length = LoadJSArrayLength(array_receiver);
891
          SetPropertyStrict(context, array_receiver, CAST(length), CAST(arg));
892
        },
893
        arg_index.value());
894
    args.PopAndReturn(LoadJSArrayLength(array_receiver));
895 896
  }

897
  BIND(&runtime);
898
  {
899 900 901 902
    // We are not using Parameter(Descriptor::kJSTarget) and loading the value
    // from the current frame here in order to reduce register pressure on the
    // fast path.
    TNode<JSFunction> target = LoadTargetFromFrame();
903 904
    TailCallBuiltin(Builtins::kArrayPush, context, target, UndefinedConstant(),
                    argc);
905 906 907
  }
}

908 909 910 911 912 913 914 915 916 917 918
TF_BUILTIN(ArrayPrototypeShift, CodeStubAssembler) {
  TNode<Int32T> argc =
      UncheckedCast<Int32T>(Parameter(Descriptor::kJSActualArgumentsCount));
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  CSA_ASSERT(this, IsUndefined(Parameter(Descriptor::kJSNewTarget)));

  CodeStubArguments args(this, ChangeInt32ToIntPtr(argc));
  TNode<Object> receiver = args.GetReceiver();

  Label runtime(this, Label::kDeferred);
  Label fast(this);
919 920 921 922 923 924 925 926 927

  // Only shift in this stub if
  // 1) the array has fast elements
  // 2) the length is writable,
  // 3) the elements backing store isn't copy-on-write,
  // 4) we aren't supposed to shrink the backing store,
  // 5) we aren't supposed to left-trim the backing store.

  // 1) Check that the array has fast elements.
928
  BranchIfFastJSArray(receiver, context, &fast, &runtime);
929 930 931

  BIND(&fast);
  {
932 933
    TNode<JSArray> array_receiver = CAST(receiver);
    CSA_ASSERT(this, TaggedIsPositiveSmi(LoadJSArrayLength(array_receiver)));
934 935 936 937 938 939 940 941

    // 2) Ensure that the length is writable.
    //    This check needs to happen before the check for length zero.
    //    The spec requires a "SetProperty(array, 'length', 0)" call when
    //    the length is zero. This must throw an exception in the case of a
    //    read-only length.
    EnsureArrayLengthWritable(LoadMap(array_receiver), &runtime);

942
    TNode<IntPtrT> length =
943
        LoadAndUntagObjectField(array_receiver, JSArray::kLengthOffset);
944
    Label return_undefined(this), fast_elements_tagged(this),
945
        fast_elements_smi(this);
946 947 948
    GotoIf(IntPtrEqual(length, IntPtrConstant(0)), &return_undefined);

    // 3) Check that the elements backing store isn't copy-on-write.
949
    TNode<FixedArrayBase> elements = LoadElements(array_receiver);
950
    GotoIf(WordEqual(LoadMap(elements), LoadRoot(RootIndex::kFixedCOWArrayMap)),
951
           &runtime);
952

953
    TNode<IntPtrT> new_length = IntPtrSub(length, IntPtrConstant(1));
954 955 956 957 958 959 960 961

    // 4) Check that we're not supposed to right-trim the backing store, as
    //    implemented in elements.cc:ElementsAccessorBase::SetLengthImpl.
    Node* capacity = SmiUntag(LoadFixedArrayBaseLength(elements));
    GotoIf(IntPtrLessThan(
               IntPtrAdd(IntPtrAdd(new_length, new_length),
                         IntPtrConstant(JSObject::kMinAddedElementsCapacity)),
               capacity),
962
           &runtime);
963 964 965 966 967

    // 5) Check that we're not supposed to left-trim the backing store, as
    //    implemented in elements.cc:FastElementsAccessor::MoveElements.
    GotoIf(IntPtrGreaterThan(new_length,
                             IntPtrConstant(JSArray::kMaxCopyElements)),
968
           &runtime);
969

970
    StoreObjectFieldNoWriteBarrier(array_receiver, JSArray::kLengthOffset,
971 972
                                   SmiTag(new_length));

973 974
    TNode<IntPtrT> element_zero = IntPtrConstant(0);
    TNode<IntPtrT> element_one = IntPtrConstant(1);
975
    TNode<Int32T> elements_kind = LoadElementsKind(array_receiver);
976 977
    GotoIf(
        Int32LessThanOrEqual(elements_kind, Int32Constant(HOLEY_SMI_ELEMENTS)),
978 979
        &fast_elements_smi);
    GotoIf(Int32LessThanOrEqual(elements_kind, Int32Constant(HOLEY_ELEMENTS)),
980 981
           &fast_elements_tagged);

982 983 984 985 986 987
    // Fast double elements kind:
    {
      CSA_ASSERT(this,
                 Int32LessThanOrEqual(elements_kind,
                                      Int32Constant(HOLEY_DOUBLE_ELEMENTS)));

988 989
      VARIABLE(result, MachineRepresentation::kTagged, UndefinedConstant());

990
      Label move_elements(this);
991
      result.Bind(AllocateHeapNumberWithValue(LoadFixedDoubleArrayElement(
992
          CAST(elements), element_zero, &move_elements)));
993 994 995
      Goto(&move_elements);
      BIND(&move_elements);

996 997 998
      MoveElements(HOLEY_DOUBLE_ELEMENTS, elements, element_zero, element_one,
                   new_length);
      StoreFixedDoubleArrayHole(CAST(elements), new_length);
999
      args.PopAndReturn(result.value());
1000 1001
    }

1002
    BIND(&fast_elements_tagged);
1003
    {
1004
      TNode<FixedArray> elements_fixed_array = CAST(elements);
1005
      Node* value = LoadFixedArrayElement(elements_fixed_array, 0);
1006 1007
      MoveElements(HOLEY_ELEMENTS, elements, element_zero, element_one,
                   new_length);
1008 1009
      StoreFixedArrayElement(elements_fixed_array, new_length,
                             TheHoleConstant());
1010
      GotoIf(WordEqual(value, TheHoleConstant()), &return_undefined);
1011
      args.PopAndReturn(value);
1012 1013
    }

1014
    BIND(&fast_elements_smi);
1015
    {
1016
      TNode<FixedArray> elements_fixed_array = CAST(elements);
1017
      Node* value = LoadFixedArrayElement(elements_fixed_array, 0);
1018 1019
      MoveElements(HOLEY_SMI_ELEMENTS, elements, element_zero, element_one,
                   new_length);
1020 1021
      StoreFixedArrayElement(elements_fixed_array, new_length,
                             TheHoleConstant());
1022
      GotoIf(WordEqual(value, TheHoleConstant()), &return_undefined);
1023
      args.PopAndReturn(value);
1024 1025 1026
    }

    BIND(&return_undefined);
1027 1028
    { args.PopAndReturn(UndefinedConstant()); }
  }
1029

1030 1031 1032 1033 1034 1035 1036 1037
  BIND(&runtime);
  {
    // We are not using Parameter(Descriptor::kJSTarget) and loading the value
    // from the current frame here in order to reduce register pressure on the
    // fast path.
    TNode<JSFunction> target = LoadTargetFromFrame();
    TailCallBuiltin(Builtins::kArrayShift, context, target, UndefinedConstant(),
                    argc);
1038 1039 1040
  }
}

1041
TF_BUILTIN(ExtractFastJSArray, ArrayBuiltinsAssembler) {
1042
  ParameterMode mode = OptimalParameterMode();
1043
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1044 1045 1046 1047 1048
  Node* array = Parameter(Descriptor::kSource);
  Node* begin = TaggedToParameter(Parameter(Descriptor::kBegin), mode);
  Node* count = TaggedToParameter(Parameter(Descriptor::kCount), mode);

  CSA_ASSERT(this, IsJSArray(array));
1049
  CSA_ASSERT(this, Word32BinaryNot(IsNoElementsProtectorCellInvalid()));
1050 1051 1052 1053

  Return(ExtractFastJSArray(context, array, begin, count, mode));
}

1054
TF_BUILTIN(CloneFastJSArray, ArrayBuiltinsAssembler) {
1055
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1056
  TNode<JSArray> array = CAST(Parameter(Descriptor::kSource));
1057

1058
  CSA_ASSERT(this,
1059 1060
             Word32Or(Word32BinaryNot(
                          IsHoleyFastElementsKind(LoadElementsKind(array))),
1061
                      Word32BinaryNot(IsNoElementsProtectorCellInvalid())));
1062 1063 1064 1065 1066

  ParameterMode mode = OptimalParameterMode();
  Return(CloneFastJSArray(context, array, mode));
}

1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078
// This builtin copies the backing store of fast arrays, while converting any
// holes to undefined.
// - If there are no holes in the source, its ElementsKind will be preserved. In
// that case, this builtin should perform as fast as CloneFastJSArray. (In fact,
// for fast packed arrays, the behavior is equivalent to CloneFastJSArray.)
// - If there are holes in the source, the ElementsKind of the "copy" will be
// PACKED_ELEMENTS (such that undefined can be stored).
TF_BUILTIN(CloneFastJSArrayFillingHoles, ArrayBuiltinsAssembler) {
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<JSArray> array = CAST(Parameter(Descriptor::kSource));

  CSA_ASSERT(this,
1079 1080
             Word32Or(Word32BinaryNot(
                          IsHoleyFastElementsKind(LoadElementsKind(array))),
1081 1082 1083 1084 1085 1086 1087
                      Word32BinaryNot(IsNoElementsProtectorCellInvalid())));

  ParameterMode mode = OptimalParameterMode();
  Return(CloneFastJSArray(context, array, mode, nullptr,
                          HoleConversionMode::kConvertToUndefined));
}

1088
TF_BUILTIN(ArrayFindLoopContinuation, ArrayBuiltinsAssembler) {
1089 1090
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1091 1092 1093
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* this_arg = Parameter(Descriptor::kThisArg);
  Node* array = Parameter(Descriptor::kArray);
1094
  TNode<JSReceiver> object = CAST(Parameter(Descriptor::kObject));
1095
  Node* initial_k = Parameter(Descriptor::kInitialK);
1096
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1097 1098 1099 1100 1101 1102 1103
  Node* to = Parameter(Descriptor::kTo);

  InitIteratingArrayBuiltinLoopContinuation(context, receiver, callbackfn,
                                            this_arg, array, object, initial_k,
                                            len, to);

  GenerateIteratingArrayBuiltinLoopContinuation(
1104 1105
      &ArrayBuiltinsAssembler::FindProcessor,
      &ArrayBuiltinsAssembler::NullPostLoopAction,
1106 1107 1108
      MissingPropertyMode::kUseUndefined, ForEachDirection::kForward);
}

1109 1110
// Continuation that is called after an eager deoptimization from TF (ex. the
// array changes during iteration).
1111
TF_BUILTIN(ArrayFindLoopEagerDeoptContinuation, ArrayBuiltinsAssembler) {
1112 1113
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1114 1115 1116
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* this_arg = Parameter(Descriptor::kThisArg);
  Node* initial_k = Parameter(Descriptor::kInitialK);
1117
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1118

1119 1120 1121
  Return(CallBuiltin(Builtins::kArrayFindLoopContinuation, context, receiver,
                     callbackfn, this_arg, UndefinedConstant(), receiver,
                     initial_k, len, UndefinedConstant()));
1122 1123
}

1124 1125
// Continuation that is called after a lazy deoptimization from TF (ex. the
// callback function is no longer callable).
1126
TF_BUILTIN(ArrayFindLoopLazyDeoptContinuation, ArrayBuiltinsAssembler) {
1127 1128
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1129 1130 1131
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* this_arg = Parameter(Descriptor::kThisArg);
  Node* initial_k = Parameter(Descriptor::kInitialK);
1132
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1133

1134 1135 1136
  Return(CallBuiltin(Builtins::kArrayFindLoopContinuation, context, receiver,
                     callbackfn, this_arg, UndefinedConstant(), receiver,
                     initial_k, len, UndefinedConstant()));
1137 1138
}

1139 1140 1141
// Continuation that is called after a lazy deoptimization from TF that happens
// right after the callback and it's returned value must be handled before
// iteration continues.
1142
TF_BUILTIN(ArrayFindLoopAfterCallbackLazyDeoptContinuation,
1143
           ArrayBuiltinsAssembler) {
1144 1145
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1146 1147 1148
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* this_arg = Parameter(Descriptor::kThisArg);
  Node* initial_k = Parameter(Descriptor::kInitialK);
1149
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1150 1151
  Node* found_value = Parameter(Descriptor::kFoundValue);
  Node* is_found = Parameter(Descriptor::kIsFound);
1152 1153 1154 1155 1156 1157

  // This custom lazy deopt point is right after the callback. find() needs
  // to pick up at the next step, which is returning the element if the callback
  // value is truthy.  Otherwise, continue the search by calling the
  // continuation.
  Label if_true(this), if_false(this);
1158
  BranchIfToBooleanIsTrue(is_found, &if_true, &if_false);
1159
  BIND(&if_true);
1160
  Return(found_value);
1161
  BIND(&if_false);
1162 1163 1164
  Return(CallBuiltin(Builtins::kArrayFindLoopContinuation, context, receiver,
                     callbackfn, this_arg, UndefinedConstant(), receiver,
                     initial_k, len, UndefinedConstant()));
1165 1166
}

1167
// ES #sec-get-%typedarray%.prototype.find
1168
TF_BUILTIN(ArrayPrototypeFind, ArrayBuiltinsAssembler) {
1169
  TNode<IntPtrT> argc =
1170
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1171
  CodeStubArguments args(this, argc);
1172
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1173
  TNode<Object> receiver = args.GetReceiver();
1174 1175 1176
  Node* callbackfn = args.GetOptionalArgumentValue(0);
  Node* this_arg = args.GetOptionalArgumentValue(1);

1177
  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, this_arg, argc);
1178 1179

  GenerateIteratingArrayBuiltinBody(
1180 1181 1182
      "Array.prototype.find", &ArrayBuiltinsAssembler::FindResultGenerator,
      &ArrayBuiltinsAssembler::FindProcessor,
      &ArrayBuiltinsAssembler::NullPostLoopAction,
1183 1184 1185 1186
      Builtins::CallableFor(isolate(), Builtins::kArrayFindLoopContinuation),
      MissingPropertyMode::kUseUndefined, ForEachDirection::kForward);
}

1187
TF_BUILTIN(ArrayFindIndexLoopContinuation, ArrayBuiltinsAssembler) {
1188 1189
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1190 1191 1192
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* this_arg = Parameter(Descriptor::kThisArg);
  Node* array = Parameter(Descriptor::kArray);
1193
  TNode<JSReceiver> object = CAST(Parameter(Descriptor::kObject));
1194
  Node* initial_k = Parameter(Descriptor::kInitialK);
1195
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1196 1197 1198 1199 1200 1201 1202
  Node* to = Parameter(Descriptor::kTo);

  InitIteratingArrayBuiltinLoopContinuation(context, receiver, callbackfn,
                                            this_arg, array, object, initial_k,
                                            len, to);

  GenerateIteratingArrayBuiltinLoopContinuation(
1203 1204
      &ArrayBuiltinsAssembler::FindIndexProcessor,
      &ArrayBuiltinsAssembler::NullPostLoopAction,
1205 1206 1207
      MissingPropertyMode::kUseUndefined, ForEachDirection::kForward);
}

1208
TF_BUILTIN(ArrayFindIndexLoopEagerDeoptContinuation, ArrayBuiltinsAssembler) {
1209 1210
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1211 1212 1213
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* this_arg = Parameter(Descriptor::kThisArg);
  Node* initial_k = Parameter(Descriptor::kInitialK);
1214
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1215 1216 1217 1218 1219 1220

  Return(CallBuiltin(Builtins::kArrayFindIndexLoopContinuation, context,
                     receiver, callbackfn, this_arg, SmiConstant(-1), receiver,
                     initial_k, len, UndefinedConstant()));
}

1221
TF_BUILTIN(ArrayFindIndexLoopLazyDeoptContinuation, ArrayBuiltinsAssembler) {
1222 1223
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1224 1225 1226
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* this_arg = Parameter(Descriptor::kThisArg);
  Node* initial_k = Parameter(Descriptor::kInitialK);
1227
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1228 1229 1230 1231 1232 1233 1234

  Return(CallBuiltin(Builtins::kArrayFindIndexLoopContinuation, context,
                     receiver, callbackfn, this_arg, SmiConstant(-1), receiver,
                     initial_k, len, UndefinedConstant()));
}

TF_BUILTIN(ArrayFindIndexLoopAfterCallbackLazyDeoptContinuation,
1235
           ArrayBuiltinsAssembler) {
1236 1237
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1238 1239 1240
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* this_arg = Parameter(Descriptor::kThisArg);
  Node* initial_k = Parameter(Descriptor::kInitialK);
1241
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258
  Node* found_value = Parameter(Descriptor::kFoundValue);
  Node* is_found = Parameter(Descriptor::kIsFound);

  // This custom lazy deopt point is right after the callback. find() needs
  // to pick up at the next step, which is returning the element if the callback
  // value is truthy.  Otherwise, continue the search by calling the
  // continuation.
  Label if_true(this), if_false(this);
  BranchIfToBooleanIsTrue(is_found, &if_true, &if_false);
  BIND(&if_true);
  Return(found_value);
  BIND(&if_false);
  Return(CallBuiltin(Builtins::kArrayFindIndexLoopContinuation, context,
                     receiver, callbackfn, this_arg, SmiConstant(-1), receiver,
                     initial_k, len, UndefinedConstant()));
}

1259
// ES #sec-get-%typedarray%.prototype.findIndex
1260
TF_BUILTIN(ArrayPrototypeFindIndex, ArrayBuiltinsAssembler) {
1261
  TNode<IntPtrT> argc =
1262
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1263
  CodeStubArguments args(this, argc);
1264
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1265
  TNode<Object> receiver = args.GetReceiver();
1266 1267 1268
  Node* callbackfn = args.GetOptionalArgumentValue(0);
  Node* this_arg = args.GetOptionalArgumentValue(1);

1269
  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, this_arg, argc);
1270 1271 1272

  GenerateIteratingArrayBuiltinBody(
      "Array.prototype.findIndex",
1273 1274 1275
      &ArrayBuiltinsAssembler::FindIndexResultGenerator,
      &ArrayBuiltinsAssembler::FindIndexProcessor,
      &ArrayBuiltinsAssembler::NullPostLoopAction,
1276 1277 1278 1279 1280
      Builtins::CallableFor(isolate(),
                            Builtins::kArrayFindIndexLoopContinuation),
      MissingPropertyMode::kUseUndefined, ForEachDirection::kForward);
}

1281
class ArrayPopulatorAssembler : public CodeStubAssembler {
1282 1283
 public:
  explicit ArrayPopulatorAssembler(compiler::CodeAssemblerState* state)
1284
      : CodeStubAssembler(state) {}
1285

1286 1287 1288 1289 1290
  TNode<Object> ConstructArrayLike(TNode<Context> context,
                                   TNode<Object> receiver) {
    TVARIABLE(Object, array);
    Label is_constructor(this), is_not_constructor(this), done(this);
    GotoIf(TaggedIsSmi(receiver), &is_not_constructor);
1291
    Branch(IsConstructor(CAST(receiver)), &is_constructor, &is_not_constructor);
1292

1293 1294
    BIND(&is_constructor);
    {
1295
      array = Construct(context, CAST(receiver));
1296 1297
      Goto(&done);
    }
1298

1299 1300 1301 1302 1303 1304 1305
    BIND(&is_not_constructor);
    {
      Label allocate_js_array(this);

      TNode<Map> array_map = CAST(LoadContextElement(
          context, Context::JS_ARRAY_PACKED_SMI_ELEMENTS_MAP_INDEX));

1306 1307 1308
      array = AllocateJSArray(PACKED_SMI_ELEMENTS, array_map, SmiConstant(0),
                              SmiConstant(0), nullptr,
                              ParameterMode::SMI_PARAMETERS);
1309 1310 1311 1312
      Goto(&done);
    }

    BIND(&done);
1313
    return array.value();
1314 1315 1316 1317 1318 1319 1320 1321
  }

  TNode<Object> ConstructArrayLike(TNode<Context> context,
                                   TNode<Object> receiver,
                                   TNode<Number> length) {
    TVARIABLE(Object, array);
    Label is_constructor(this), is_not_constructor(this), done(this);
    CSA_ASSERT(this, IsNumberNormalized(length));
1322
    GotoIf(TaggedIsSmi(receiver), &is_not_constructor);
1323
    Branch(IsConstructor(CAST(receiver)), &is_constructor, &is_not_constructor);
1324 1325 1326

    BIND(&is_constructor);
    {
1327
      array = Construct(context, CAST(receiver), length);
1328
      Goto(&done);
1329 1330 1331 1332
    }

    BIND(&is_not_constructor);
    {
1333
      array = ArrayCreate(context, length);
1334
      Goto(&done);
1335 1336
    }

1337
    BIND(&done);
1338
    return array.value();
1339
  }
1340 1341 1342 1343
};

// ES #sec-array.from
TF_BUILTIN(ArrayFrom, ArrayPopulatorAssembler) {
1344
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1345
  TNode<Int32T> argc =
1346
      UncheckedCast<Int32T>(Parameter(Descriptor::kJSActualArgumentsCount));
1347 1348

  CodeStubArguments args(this, ChangeInt32ToIntPtr(argc));
1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360
  TNode<Object> items = args.GetOptionalArgumentValue(0);
  TNode<Object> receiver = args.GetReceiver();

  Label fast_iterate(this), normal_iterate(this);

  // Use fast path if:
  // * |items| is the only argument, and
  // * the receiver is the Array function.
  GotoIfNot(Word32Equal(argc, Int32Constant(1)), &normal_iterate);
  TNode<Object> array_function = LoadContextElement(
      LoadNativeContext(context), Context::ARRAY_FUNCTION_INDEX);
  Branch(WordEqual(array_function, receiver), &fast_iterate, &normal_iterate);
1361

1362 1363 1364 1365 1366 1367 1368 1369 1370 1371
  BIND(&fast_iterate);
  {
    IteratorBuiltinsAssembler iterator_assembler(state());
    TVARIABLE(Object, var_fast_result);
    iterator_assembler.FastIterableToList(context, items, &var_fast_result,
                                          &normal_iterate);
    args.PopAndReturn(var_fast_result.value());
  }

  BIND(&normal_iterate);
1372 1373 1374 1375 1376 1377 1378
  TNode<Object> map_function = args.GetOptionalArgumentValue(1);

  // If map_function is not undefined, then ensure it's callable else throw.
  {
    Label no_error(this), error(this);
    GotoIf(IsUndefined(map_function), &no_error);
    GotoIf(TaggedIsSmi(map_function), &error);
1379
    Branch(IsCallable(CAST(map_function)), &no_error, &error);
1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391

    BIND(&error);
    ThrowTypeError(context, MessageTemplate::kCalledNonCallable, map_function);

    BIND(&no_error);
  }

  Label iterable(this), not_iterable(this), finished(this), if_exception(this);

  TNode<Object> this_arg = args.GetOptionalArgumentValue(2);
  // The spec doesn't require ToObject to be called directly on the iterable
  // branch, but it's part of GetMethod that is in the spec.
1392
  TNode<JSReceiver> array_like = ToObject_Inline(context, items);
1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414

  TVARIABLE(Object, array);
  TVARIABLE(Number, length);

  // Determine whether items[Symbol.iterator] is defined:
  IteratorBuiltinsAssembler iterator_assembler(state());
  Node* iterator_method =
      iterator_assembler.GetIteratorMethod(context, array_like);
  Branch(IsNullOrUndefined(iterator_method), &not_iterable, &iterable);

  BIND(&iterable);
  {
    TVARIABLE(Number, index, SmiConstant(0));
    TVARIABLE(Object, var_exception);
    Label loop(this, &index), loop_done(this),
        on_exception(this, Label::kDeferred),
        index_overflow(this, Label::kDeferred);

    // Check that the method is callable.
    {
      Label get_method_not_callable(this, Label::kDeferred), next(this);
      GotoIf(TaggedIsSmi(iterator_method), &get_method_not_callable);
1415
      GotoIfNot(IsCallable(CAST(iterator_method)), &get_method_not_callable);
1416
      Goto(&next);
1417 1418 1419 1420 1421 1422

      BIND(&get_method_not_callable);
      ThrowTypeError(context, MessageTemplate::kCalledNonCallable,
                     iterator_method);

      BIND(&next);
1423 1424
    }

1425
    // Construct the output array with empty length.
1426
    array = ConstructArrayLike(context, receiver);
1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441

    // Actually get the iterator and throw if the iterator method does not yield
    // one.
    IteratorRecord iterator_record =
        iterator_assembler.GetIterator(context, items, iterator_method);

    TNode<Context> native_context = LoadNativeContext(context);
    TNode<Object> fast_iterator_result_map =
        LoadContextElement(native_context, Context::ITERATOR_RESULT_MAP_INDEX);

    Goto(&loop);

    BIND(&loop);
    {
      // Loop while iterator is not done.
1442 1443
      TNode<Object> next = iterator_assembler.IteratorStep(
          context, iterator_record, &loop_done, fast_iterator_result_map);
1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454
      TVARIABLE(Object, value,
                CAST(iterator_assembler.IteratorValue(
                    context, next, fast_iterator_result_map)));

      // If a map_function is supplied then call it (using this_arg as
      // receiver), on the value returned from the iterator. Exceptions are
      // caught so the iterator can be closed.
      {
        Label next(this);
        GotoIf(IsUndefined(map_function), &next);

1455
        CSA_ASSERT(this, IsCallable(CAST(map_function)));
1456
        Node* v = CallJS(CodeFactory::Call(isolate()), context, map_function,
1457
                         this_arg, value.value(), index.value());
1458 1459 1460 1461 1462 1463 1464 1465
        GotoIfException(v, &on_exception, &var_exception);
        value = CAST(v);
        Goto(&next);
        BIND(&next);
      }

      // Store the result in the output object (catching any exceptions so the
      // iterator can be closed).
1466 1467 1468
      Node* define_status =
          CallRuntime(Runtime::kCreateDataProperty, context, array.value(),
                      index.value(), value.value());
1469 1470
      GotoIfException(define_status, &on_exception, &var_exception);

1471
      index = NumberInc(index.value());
1472 1473 1474 1475 1476 1477 1478 1479

      // The spec requires that we throw an exception if index reaches 2^53-1,
      // but an empty loop would take >100 days to do this many iterations. To
      // actually run for that long would require an iterator that never set
      // done to true and a target array which somehow never ran out of memory,
      // e.g. a proxy that discarded the values. Ignoring this case just means
      // we would repeatedly call CreateDataProperty with index = 2^53.
      CSA_ASSERT_BRANCH(this, [&](Label* ok, Label* not_ok) {
1480
        BranchIfNumberRelationalComparison(Operation::kLessThan, index.value(),
1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497
                                           NumberConstant(kMaxSafeInteger), ok,
                                           not_ok);
      });
      Goto(&loop);
    }

    BIND(&loop_done);
    {
      length = index;
      Goto(&finished);
    }

    BIND(&on_exception);
    {
      // Close the iterator, rethrowing either the passed exception or
      // exceptions thrown during the close.
      iterator_assembler.IteratorCloseOnException(context, iterator_record,
1498
                                                  var_exception.value());
1499
    }
1500
  }
1501 1502 1503 1504

  BIND(&not_iterable);
  {
    // Treat array_like as an array and try to get its length.
1505 1506
    length = ToLength_Inline(
        context, GetProperty(context, array_like, factory()->length_string()));
1507 1508 1509

    // Construct an array using the receiver as constructor with the same length
    // as the input array.
1510
    array = ConstructArrayLike(context, receiver, length.value());
1511 1512 1513

    TVARIABLE(Number, index, SmiConstant(0));

1514 1515 1516
    // TODO(ishell): remove <Object, Object>
    GotoIf(WordEqual<Object, Object>(length.value(), SmiConstant(0)),
           &finished);
1517 1518 1519 1520 1521 1522 1523 1524

    // Loop from 0 to length-1.
    {
      Label loop(this, &index);
      Goto(&loop);
      BIND(&loop);
      TVARIABLE(Object, value);

1525
      value = GetProperty(context, array_like, index.value());
1526 1527 1528 1529 1530 1531 1532

      // If a map_function is supplied then call it (using this_arg as
      // receiver), on the value retrieved from the array.
      {
        Label next(this);
        GotoIf(IsUndefined(map_function), &next);

1533
        CSA_ASSERT(this, IsCallable(CAST(map_function)));
1534
        value = CAST(CallJS(CodeFactory::Call(isolate()), context, map_function,
1535
                            this_arg, value.value(), index.value()));
1536 1537 1538 1539 1540
        Goto(&next);
        BIND(&next);
      }

      // Store the result in the output object.
1541 1542
      CallRuntime(Runtime::kCreateDataProperty, context, array.value(),
                  index.value(), value.value());
1543
      index = NumberInc(index.value());
1544 1545
      BranchIfNumberRelationalComparison(Operation::kLessThan, index.value(),
                                         length.value(), &loop, &finished);
1546 1547 1548 1549 1550 1551
    }
  }

  BIND(&finished);

  // Finally set the length on the output and return it.
1552
  SetPropertyLength(context, array.value(), length.value());
1553
  args.PopAndReturn(array.value());
1554 1555
}

1556
// ES #sec-get-%typedarray%.prototype.find
1557
TF_BUILTIN(TypedArrayPrototypeFind, ArrayBuiltinsAssembler) {
1558
  TNode<IntPtrT> argc =
1559
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1560
  CodeStubArguments args(this, argc);
1561
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1562
  TNode<Object> receiver = args.GetReceiver();
1563 1564 1565
  Node* callbackfn = args.GetOptionalArgumentValue(0);
  Node* this_arg = args.GetOptionalArgumentValue(1);

1566
  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, this_arg, argc);
1567 1568 1569

  GenerateIteratingTypedArrayBuiltinBody(
      "%TypedArray%.prototype.find",
1570 1571 1572
      &ArrayBuiltinsAssembler::FindResultGenerator,
      &ArrayBuiltinsAssembler::FindProcessor,
      &ArrayBuiltinsAssembler::NullPostLoopAction);
1573 1574
}

1575
// ES #sec-get-%typedarray%.prototype.findIndex
1576
TF_BUILTIN(TypedArrayPrototypeFindIndex, ArrayBuiltinsAssembler) {
1577
  TNode<IntPtrT> argc =
1578
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1579
  CodeStubArguments args(this, argc);
1580
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1581
  TNode<Object> receiver = args.GetReceiver();
1582 1583 1584
  Node* callbackfn = args.GetOptionalArgumentValue(0);
  Node* this_arg = args.GetOptionalArgumentValue(1);

1585
  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, this_arg, argc);
1586 1587 1588

  GenerateIteratingTypedArrayBuiltinBody(
      "%TypedArray%.prototype.findIndex",
1589 1590 1591
      &ArrayBuiltinsAssembler::FindIndexResultGenerator,
      &ArrayBuiltinsAssembler::FindIndexProcessor,
      &ArrayBuiltinsAssembler::NullPostLoopAction);
1592 1593
}

1594
TF_BUILTIN(TypedArrayPrototypeForEach, ArrayBuiltinsAssembler) {
1595
  TNode<IntPtrT> argc =
1596
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1597
  CodeStubArguments args(this, argc);
1598
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1599
  TNode<Object> receiver = args.GetReceiver();
1600 1601
  Node* callbackfn = args.GetOptionalArgumentValue(0);
  Node* this_arg = args.GetOptionalArgumentValue(1);
1602

1603
  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, this_arg, argc);
1604 1605 1606

  GenerateIteratingTypedArrayBuiltinBody(
      "%TypedArray%.prototype.forEach",
1607 1608 1609
      &ArrayBuiltinsAssembler::ForEachResultGenerator,
      &ArrayBuiltinsAssembler::ForEachProcessor,
      &ArrayBuiltinsAssembler::NullPostLoopAction);
1610 1611
}

1612
TF_BUILTIN(TypedArrayPrototypeSome, ArrayBuiltinsAssembler) {
1613
  TNode<IntPtrT> argc =
1614
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1615
  CodeStubArguments args(this, argc);
1616
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1617
  TNode<Object> receiver = args.GetReceiver();
1618 1619
  Node* callbackfn = args.GetOptionalArgumentValue(0);
  Node* this_arg = args.GetOptionalArgumentValue(1);
1620

1621
  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, this_arg, argc);
1622 1623 1624

  GenerateIteratingTypedArrayBuiltinBody(
      "%TypedArray%.prototype.some",
1625 1626 1627
      &ArrayBuiltinsAssembler::SomeResultGenerator,
      &ArrayBuiltinsAssembler::SomeProcessor,
      &ArrayBuiltinsAssembler::NullPostLoopAction);
1628 1629
}

1630
TF_BUILTIN(TypedArrayPrototypeEvery, ArrayBuiltinsAssembler) {
1631
  TNode<IntPtrT> argc =
1632
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1633
  CodeStubArguments args(this, argc);
1634
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1635
  TNode<Object> receiver = args.GetReceiver();
1636 1637
  Node* callbackfn = args.GetOptionalArgumentValue(0);
  Node* this_arg = args.GetOptionalArgumentValue(1);
1638

1639
  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, this_arg, argc);
1640 1641 1642

  GenerateIteratingTypedArrayBuiltinBody(
      "%TypedArray%.prototype.every",
1643 1644 1645
      &ArrayBuiltinsAssembler::EveryResultGenerator,
      &ArrayBuiltinsAssembler::EveryProcessor,
      &ArrayBuiltinsAssembler::NullPostLoopAction);
1646 1647
}

1648
TF_BUILTIN(ArrayReduceLoopContinuation, ArrayBuiltinsAssembler) {
1649 1650
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1651 1652 1653
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* this_arg = Parameter(Descriptor::kThisArg);
  Node* accumulator = Parameter(Descriptor::kAccumulator);
1654
  TNode<JSReceiver> object = CAST(Parameter(Descriptor::kObject));
1655
  Node* initial_k = Parameter(Descriptor::kInitialK);
1656
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1657
  Node* to = Parameter(Descriptor::kTo);
1658 1659 1660

  InitIteratingArrayBuiltinLoopContinuation(context, receiver, callbackfn,
                                            this_arg, accumulator, object,
1661
                                            initial_k, len, to);
1662

1663
  GenerateIteratingArrayBuiltinLoopContinuation(
1664 1665
      &ArrayBuiltinsAssembler::ReduceProcessor,
      &ArrayBuiltinsAssembler::ReducePostLoopAction,
1666
      MissingPropertyMode::kSkip);
1667 1668
}

1669
TF_BUILTIN(ArrayReducePreLoopEagerDeoptContinuation, ArrayBuiltinsAssembler) {
1670 1671
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1672
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
1673
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1674 1675 1676 1677

  // Simulate starting the loop at 0, but ensuring that the accumulator is
  // the hole. The continuation stub will search for the initial non-hole
  // element, rightly throwing an exception if not found.
1678 1679 1680
  Return(CallBuiltin(Builtins::kArrayReduceLoopContinuation, context, receiver,
                     callbackfn, UndefinedConstant(), TheHoleConstant(),
                     receiver, SmiConstant(0), len, UndefinedConstant()));
1681 1682
}

1683
TF_BUILTIN(ArrayReduceLoopEagerDeoptContinuation, ArrayBuiltinsAssembler) {
1684 1685
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1686 1687 1688
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* accumulator = Parameter(Descriptor::kAccumulator);
  Node* initial_k = Parameter(Descriptor::kInitialK);
1689
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1690

1691 1692 1693
  Return(CallBuiltin(Builtins::kArrayReduceLoopContinuation, context, receiver,
                     callbackfn, UndefinedConstant(), accumulator, receiver,
                     initial_k, len, UndefinedConstant()));
1694 1695
}

1696
TF_BUILTIN(ArrayReduceLoopLazyDeoptContinuation, ArrayBuiltinsAssembler) {
1697 1698
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1699 1700
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* initial_k = Parameter(Descriptor::kInitialK);
1701
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1702 1703
  Node* result = Parameter(Descriptor::kResult);

1704 1705 1706
  Return(CallBuiltin(Builtins::kArrayReduceLoopContinuation, context, receiver,
                     callbackfn, UndefinedConstant(), result, receiver,
                     initial_k, len, UndefinedConstant()));
1707 1708
}

1709
TF_BUILTIN(ArrayReduce, ArrayBuiltinsAssembler) {
1710
  TNode<IntPtrT> argc =
1711
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1712
  CodeStubArguments args(this, argc);
1713
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1714
  TNode<Object> receiver = args.GetReceiver();
1715
  Node* callbackfn = args.GetOptionalArgumentValue(0);
1716
  Node* initial_value = args.GetOptionalArgumentValue(1, TheHoleConstant());
1717 1718

  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, initial_value,
1719
                                argc);
1720

1721
  GenerateIteratingArrayBuiltinBody(
1722 1723 1724
      "Array.prototype.reduce", &ArrayBuiltinsAssembler::ReduceResultGenerator,
      &ArrayBuiltinsAssembler::ReduceProcessor,
      &ArrayBuiltinsAssembler::ReducePostLoopAction,
1725 1726
      Builtins::CallableFor(isolate(), Builtins::kArrayReduceLoopContinuation),
      MissingPropertyMode::kSkip);
1727 1728
}

1729
TF_BUILTIN(TypedArrayPrototypeReduce, ArrayBuiltinsAssembler) {
1730
  TNode<IntPtrT> argc =
1731
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1732
  CodeStubArguments args(this, argc);
1733
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1734
  TNode<Object> receiver = args.GetReceiver();
1735
  Node* callbackfn = args.GetOptionalArgumentValue(0);
1736
  Node* initial_value = args.GetOptionalArgumentValue(1, TheHoleConstant());
1737 1738

  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, initial_value,
1739
                                argc);
1740 1741 1742

  GenerateIteratingTypedArrayBuiltinBody(
      "%TypedArray%.prototype.reduce",
1743 1744 1745
      &ArrayBuiltinsAssembler::ReduceResultGenerator,
      &ArrayBuiltinsAssembler::ReduceProcessor,
      &ArrayBuiltinsAssembler::ReducePostLoopAction);
1746 1747
}

1748
TF_BUILTIN(ArrayReduceRightLoopContinuation, ArrayBuiltinsAssembler) {
1749 1750
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1751 1752 1753
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* this_arg = Parameter(Descriptor::kThisArg);
  Node* accumulator = Parameter(Descriptor::kAccumulator);
1754
  TNode<JSReceiver> object = CAST(Parameter(Descriptor::kObject));
1755
  Node* initial_k = Parameter(Descriptor::kInitialK);
1756
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1757 1758 1759 1760 1761 1762 1763
  Node* to = Parameter(Descriptor::kTo);

  InitIteratingArrayBuiltinLoopContinuation(context, receiver, callbackfn,
                                            this_arg, accumulator, object,
                                            initial_k, len, to);

  GenerateIteratingArrayBuiltinLoopContinuation(
1764 1765 1766
      &ArrayBuiltinsAssembler::ReduceProcessor,
      &ArrayBuiltinsAssembler::ReducePostLoopAction, MissingPropertyMode::kSkip,
      ForEachDirection::kReverse);
1767 1768
}

1769 1770
TF_BUILTIN(ArrayReduceRightPreLoopEagerDeoptContinuation,
           ArrayBuiltinsAssembler) {
1771 1772
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1773
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
1774
  TNode<Smi> len = CAST(Parameter(Descriptor::kLength));
1775 1776 1777 1778

  // Simulate starting the loop at 0, but ensuring that the accumulator is
  // the hole. The continuation stub will search for the initial non-hole
  // element, rightly throwing an exception if not found.
1779 1780 1781 1782
  Return(CallBuiltin(Builtins::kArrayReduceRightLoopContinuation, context,
                     receiver, callbackfn, UndefinedConstant(),
                     TheHoleConstant(), receiver, SmiSub(len, SmiConstant(1)),
                     len, UndefinedConstant()));
1783 1784
}

1785
TF_BUILTIN(ArrayReduceRightLoopEagerDeoptContinuation, ArrayBuiltinsAssembler) {
1786 1787
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1788 1789 1790
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* accumulator = Parameter(Descriptor::kAccumulator);
  Node* initial_k = Parameter(Descriptor::kInitialK);
1791
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1792

1793 1794 1795
  Return(CallBuiltin(Builtins::kArrayReduceRightLoopContinuation, context,
                     receiver, callbackfn, UndefinedConstant(), accumulator,
                     receiver, initial_k, len, UndefinedConstant()));
1796 1797
}

1798
TF_BUILTIN(ArrayReduceRightLoopLazyDeoptContinuation, ArrayBuiltinsAssembler) {
1799 1800
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
1801 1802
  Node* callbackfn = Parameter(Descriptor::kCallbackFn);
  Node* initial_k = Parameter(Descriptor::kInitialK);
1803
  TNode<Number> len = CAST(Parameter(Descriptor::kLength));
1804 1805
  Node* result = Parameter(Descriptor::kResult);

1806 1807 1808
  Return(CallBuiltin(Builtins::kArrayReduceRightLoopContinuation, context,
                     receiver, callbackfn, UndefinedConstant(), result,
                     receiver, initial_k, len, UndefinedConstant()));
1809 1810
}

1811
TF_BUILTIN(ArrayReduceRight, ArrayBuiltinsAssembler) {
1812
  TNode<IntPtrT> argc =
1813
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1814
  CodeStubArguments args(this, argc);
1815
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1816
  TNode<Object> receiver = args.GetReceiver();
1817
  Node* callbackfn = args.GetOptionalArgumentValue(0);
1818
  Node* initial_value = args.GetOptionalArgumentValue(1, TheHoleConstant());
1819 1820

  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, initial_value,
1821
                                argc);
1822 1823 1824

  GenerateIteratingArrayBuiltinBody(
      "Array.prototype.reduceRight",
1825 1826 1827
      &ArrayBuiltinsAssembler::ReduceResultGenerator,
      &ArrayBuiltinsAssembler::ReduceProcessor,
      &ArrayBuiltinsAssembler::ReducePostLoopAction,
1828 1829
      Builtins::CallableFor(isolate(),
                            Builtins::kArrayReduceRightLoopContinuation),
1830
      MissingPropertyMode::kSkip, ForEachDirection::kReverse);
1831 1832
}

1833
TF_BUILTIN(TypedArrayPrototypeReduceRight, ArrayBuiltinsAssembler) {
1834
  TNode<IntPtrT> argc =
1835
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1836
  CodeStubArguments args(this, argc);
1837
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1838
  TNode<Object> receiver = args.GetReceiver();
1839
  Node* callbackfn = args.GetOptionalArgumentValue(0);
1840
  Node* initial_value = args.GetOptionalArgumentValue(1, TheHoleConstant());
1841 1842

  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, initial_value,
1843
                                argc);
1844 1845 1846

  GenerateIteratingTypedArrayBuiltinBody(
      "%TypedArray%.prototype.reduceRight",
1847 1848 1849
      &ArrayBuiltinsAssembler::ReduceResultGenerator,
      &ArrayBuiltinsAssembler::ReduceProcessor,
      &ArrayBuiltinsAssembler::ReducePostLoopAction,
1850 1851 1852
      ForEachDirection::kReverse);
}

1853
TF_BUILTIN(TypedArrayPrototypeMap, ArrayBuiltinsAssembler) {
1854
  TNode<IntPtrT> argc =
1855
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
1856
  CodeStubArguments args(this, argc);
1857
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1858
  TNode<Object> receiver = args.GetReceiver();
1859 1860
  Node* callbackfn = args.GetOptionalArgumentValue(0);
  Node* this_arg = args.GetOptionalArgumentValue(1);
1861

1862
  InitIteratingArrayBuiltinBody(context, receiver, callbackfn, this_arg, argc);
1863 1864 1865

  GenerateIteratingTypedArrayBuiltinBody(
      "%TypedArray%.prototype.map",
1866 1867 1868
      &ArrayBuiltinsAssembler::TypedArrayMapResultGenerator,
      &ArrayBuiltinsAssembler::TypedArrayMapProcessor,
      &ArrayBuiltinsAssembler::NullPostLoopAction);
1869 1870
}

1871
TF_BUILTIN(ArrayIsArray, CodeStubAssembler) {
1872 1873
  TNode<Object> object = CAST(Parameter(Descriptor::kArg));
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
1874 1875 1876 1877

  Label call_runtime(this), return_true(this), return_false(this);

  GotoIf(TaggedIsSmi(object), &return_false);
1878
  TNode<Int32T> instance_type = LoadInstanceType(CAST(object));
1879

1880
  GotoIf(InstanceTypeEqual(instance_type, JS_ARRAY_TYPE), &return_true);
1881 1882

  // TODO(verwaest): Handle proxies in-place.
1883 1884
  Branch(InstanceTypeEqual(instance_type, JS_PROXY_TYPE), &call_runtime,
         &return_false);
1885

1886
  BIND(&return_true);
1887
  Return(TrueConstant());
1888

1889
  BIND(&return_false);
1890
  Return(FalseConstant());
1891

1892
  BIND(&call_runtime);
1893 1894 1895
  Return(CallRuntime(Runtime::kArrayIsArray, context, object));
}

1896 1897 1898 1899
class ArrayIncludesIndexofAssembler : public CodeStubAssembler {
 public:
  explicit ArrayIncludesIndexofAssembler(compiler::CodeAssemblerState* state)
      : CodeStubAssembler(state) {}
1900

1901
  enum SearchVariant { kIncludes, kIndexOf };
1902

1903 1904
  void Generate(SearchVariant variant, TNode<IntPtrT> argc,
                TNode<Context> context);
1905 1906 1907 1908 1909 1910 1911 1912 1913
  void GenerateSmiOrObject(SearchVariant variant, Node* context, Node* elements,
                           Node* search_element, Node* array_length,
                           Node* from_index);
  void GeneratePackedDoubles(SearchVariant variant, Node* elements,
                             Node* search_element, Node* array_length,
                             Node* from_index);
  void GenerateHoleyDoubles(SearchVariant variant, Node* elements,
                            Node* search_element, Node* array_length,
                            Node* from_index);
1914
};
1915

1916 1917 1918
void ArrayIncludesIndexofAssembler::Generate(SearchVariant variant,
                                             TNode<IntPtrT> argc,
                                             TNode<Context> context) {
1919 1920 1921 1922 1923
  const int kSearchElementArg = 0;
  const int kFromIndexArg = 1;

  CodeStubArguments args(this, argc);

1924 1925 1926
  TNode<Object> receiver = args.GetReceiver();
  TNode<Object> search_element =
      args.GetOptionalArgumentValue(kSearchElementArg);
1927 1928 1929

  Node* intptr_zero = IntPtrConstant(0);

1930
  Label init_index(this), return_not_found(this), call_runtime(this);
1931 1932 1933

  // Take slow path if not a JSArray, if retrieving elements requires
  // traversing prototype, or if access checks are required.
1934
  BranchIfFastJSArray(receiver, context, &init_index, &call_runtime);
1935

1936 1937
  BIND(&init_index);
  VARIABLE(index_var, MachineType::PointerRepresentation(), intptr_zero);
1938
  TNode<JSArray> array = CAST(receiver);
1939

1940 1941
  // JSArray length is always a positive Smi for fast arrays.
  CSA_ASSERT(this, TaggedIsPositiveSmi(LoadJSArrayLength(array)));
1942 1943
  Node* array_length = LoadFastJSArrayLength(array);
  Node* array_length_untagged = SmiUntag(array_length);
1944 1945

  {
1946 1947
    // Initialize fromIndex.
    Label is_smi(this), is_nonsmi(this), done(this);
1948

1949 1950
    // If no fromIndex was passed, default to 0.
    GotoIf(IntPtrLessThanOrEqual(argc, IntPtrConstant(kFromIndexArg)), &done);
1951

1952
    Node* start_from = args.AtIndex(kFromIndexArg);
1953 1954 1955 1956 1957
    // Handle Smis and undefined here and everything else in runtime.
    // We must be very careful with side effects from the ToInteger conversion,
    // as the side effects might render previously checked assumptions about
    // the receiver being a fast JSArray and its length invalid.
    Branch(TaggedIsSmi(start_from), &is_smi, &is_nonsmi);
1958

1959
    BIND(&is_nonsmi);
1960
    {
1961 1962 1963 1964 1965 1966 1967 1968 1969 1970
      GotoIfNot(IsUndefined(start_from), &call_runtime);
      Goto(&done);
    }
    BIND(&is_smi);
    {
      Node* intptr_start_from = SmiUntag(start_from);
      index_var.Bind(intptr_start_from);

      GotoIf(IntPtrGreaterThanOrEqual(index_var.value(), intptr_zero), &done);
      // The fromIndex is negative: add it to the array's length.
1971
      index_var.Bind(IntPtrAdd(array_length_untagged, index_var.value()));
1972 1973 1974
      // Clamp negative results at zero.
      GotoIf(IntPtrGreaterThanOrEqual(index_var.value(), intptr_zero), &done);
      index_var.Bind(intptr_zero);
1975
      Goto(&done);
1976
    }
1977
    BIND(&done);
1978 1979
  }

1980
  // Fail early if startIndex >= array.length.
1981
  GotoIf(IntPtrGreaterThanOrEqual(index_var.value(), array_length_untagged),
1982 1983
         &return_not_found);

1984 1985
  Label if_smiorobjects(this), if_packed_doubles(this), if_holey_doubles(this);

1986
  TNode<Int32T> elements_kind = LoadElementsKind(array);
1987
  Node* elements = LoadElements(array);
1988 1989 1990 1991 1992 1993 1994
  STATIC_ASSERT(PACKED_SMI_ELEMENTS == 0);
  STATIC_ASSERT(HOLEY_SMI_ELEMENTS == 1);
  STATIC_ASSERT(PACKED_ELEMENTS == 2);
  STATIC_ASSERT(HOLEY_ELEMENTS == 3);
  GotoIf(Uint32LessThanOrEqual(elements_kind, Int32Constant(HOLEY_ELEMENTS)),
         &if_smiorobjects);
  GotoIf(Word32Equal(elements_kind, Int32Constant(PACKED_DOUBLE_ELEMENTS)),
1995
         &if_packed_doubles);
1996
  GotoIf(Word32Equal(elements_kind, Int32Constant(HOLEY_DOUBLE_ELEMENTS)),
1997 1998
         &if_holey_doubles);
  Goto(&return_not_found);
1999

2000
  BIND(&if_smiorobjects);
2001
  {
2002 2003 2004 2005 2006 2007 2008 2009 2010 2011
    Callable callable =
        (variant == kIncludes)
            ? Builtins::CallableFor(isolate(),
                                    Builtins::kArrayIncludesSmiOrObject)
            : Builtins::CallableFor(isolate(),
                                    Builtins::kArrayIndexOfSmiOrObject);
    Node* result = CallStub(callable, context, elements, search_element,
                            array_length, SmiTag(index_var.value()));
    args.PopAndReturn(result);
  }
2012

2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024
  BIND(&if_packed_doubles);
  {
    Callable callable =
        (variant == kIncludes)
            ? Builtins::CallableFor(isolate(),
                                    Builtins::kArrayIncludesPackedDoubles)
            : Builtins::CallableFor(isolate(),
                                    Builtins::kArrayIndexOfPackedDoubles);
    Node* result = CallStub(callable, context, elements, search_element,
                            array_length, SmiTag(index_var.value()));
    args.PopAndReturn(result);
  }
2025

2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037
  BIND(&if_holey_doubles);
  {
    Callable callable =
        (variant == kIncludes)
            ? Builtins::CallableFor(isolate(),
                                    Builtins::kArrayIncludesHoleyDoubles)
            : Builtins::CallableFor(isolate(),
                                    Builtins::kArrayIndexOfHoleyDoubles);
    Node* result = CallStub(callable, context, elements, search_element,
                            array_length, SmiTag(index_var.value()));
    args.PopAndReturn(result);
  }
2038

2039 2040 2041 2042 2043 2044
  BIND(&return_not_found);
  if (variant == kIncludes) {
    args.PopAndReturn(FalseConstant());
  } else {
    args.PopAndReturn(NumberConstant(-1));
  }
2045

2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056
  BIND(&call_runtime);
  {
    Node* start_from =
        args.GetOptionalArgumentValue(kFromIndexArg, UndefinedConstant());
    Runtime::FunctionId function = variant == kIncludes
                                       ? Runtime::kArrayIncludes_Slow
                                       : Runtime::kArrayIndexOf;
    args.PopAndReturn(
        CallRuntime(function, context, array, search_element, start_from));
  }
}
2057

2058 2059 2060 2061 2062 2063 2064
void ArrayIncludesIndexofAssembler::GenerateSmiOrObject(
    SearchVariant variant, Node* context, Node* elements, Node* search_element,
    Node* array_length, Node* from_index) {
  VARIABLE(index_var, MachineType::PointerRepresentation(),
           SmiUntag(from_index));
  VARIABLE(search_num, MachineRepresentation::kFloat64);
  Node* array_length_untagged = SmiUntag(array_length);
2065

2066 2067 2068 2069
  Label ident_loop(this, &index_var), heap_num_loop(this, &search_num),
      string_loop(this), bigint_loop(this, &index_var),
      undef_loop(this, &index_var), not_smi(this), not_heap_num(this),
      return_found(this), return_not_found(this);
2070

2071 2072 2073
  GotoIfNot(TaggedIsSmi(search_element), &not_smi);
  search_num.Bind(SmiToFloat64(search_element));
  Goto(&heap_num_loop);
2074

2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093
  BIND(&not_smi);
  if (variant == kIncludes) {
    GotoIf(IsUndefined(search_element), &undef_loop);
  }
  Node* map = LoadMap(search_element);
  GotoIfNot(IsHeapNumberMap(map), &not_heap_num);
  search_num.Bind(LoadHeapNumberValue(search_element));
  Goto(&heap_num_loop);

  BIND(&not_heap_num);
  Node* search_type = LoadMapInstanceType(map);
  GotoIf(IsStringInstanceType(search_type), &string_loop);
  GotoIf(IsBigIntInstanceType(search_type), &bigint_loop);
  Goto(&ident_loop);

  BIND(&ident_loop);
  {
    GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
              &return_not_found);
2094 2095
    Node* element_k =
        UnsafeLoadFixedArrayElement(CAST(elements), index_var.value());
2096
    GotoIf(WordEqual(element_k, search_element), &return_found);
2097

2098 2099 2100
    Increment(&index_var);
    Goto(&ident_loop);
  }
2101

2102 2103
  if (variant == kIncludes) {
    BIND(&undef_loop);
2104

2105 2106
    GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
              &return_not_found);
2107 2108
    Node* element_k =
        UnsafeLoadFixedArrayElement(CAST(elements), index_var.value());
2109 2110
    GotoIf(IsUndefined(element_k), &return_found);
    GotoIf(IsTheHole(element_k), &return_found);
2111

2112 2113
    Increment(&index_var);
    Goto(&undef_loop);
2114 2115
  }

2116
  BIND(&heap_num_loop);
2117
  {
2118
    Label nan_loop(this, &index_var), not_nan_loop(this, &index_var);
2119 2120
    Label* nan_handling = variant == kIncludes ? &nan_loop : &return_not_found;
    BranchIfFloat64IsNaN(search_num.value(), nan_handling, &not_nan_loop);
2121

2122
    BIND(&not_nan_loop);
2123
    {
2124 2125
      Label continue_loop(this), not_smi(this);
      GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
2126
                &return_not_found);
2127
      Node* element_k =
2128
          UnsafeLoadFixedArrayElement(CAST(elements), index_var.value());
2129 2130 2131 2132 2133 2134 2135 2136 2137
      GotoIfNot(TaggedIsSmi(element_k), &not_smi);
      Branch(Float64Equal(search_num.value(), SmiToFloat64(element_k)),
             &return_found, &continue_loop);

      BIND(&not_smi);
      GotoIfNot(IsHeapNumber(element_k), &continue_loop);
      Branch(Float64Equal(search_num.value(), LoadHeapNumberValue(element_k)),
             &return_found, &continue_loop);

2138
      BIND(&continue_loop);
2139
      Increment(&index_var);
2140 2141
      Goto(&not_nan_loop);
    }
2142 2143 2144 2145 2146

    // Array.p.includes uses SameValueZero comparisons, where NaN == NaN.
    if (variant == kIncludes) {
      BIND(&nan_loop);
      Label continue_loop(this);
2147
      GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
2148
                &return_not_found);
2149
      Node* element_k =
2150
          UnsafeLoadFixedArrayElement(CAST(elements), index_var.value());
2151
      GotoIf(TaggedIsSmi(element_k), &continue_loop);
2152
      GotoIfNot(IsHeapNumber(CAST(element_k)), &continue_loop);
2153 2154 2155
      BranchIfFloat64IsNaN(LoadHeapNumberValue(element_k), &return_found,
                           &continue_loop);

2156
      BIND(&continue_loop);
2157
      Increment(&index_var);
2158 2159
      Goto(&nan_loop);
    }
2160 2161
  }

2162
  BIND(&string_loop);
2163
  {
2164 2165 2166 2167 2168 2169 2170 2171 2172
    TNode<String> search_element_string = CAST(search_element);
    Label continue_loop(this), next_iteration(this, &index_var),
        slow_compare(this), runtime(this, Label::kDeferred);
    TNode<IntPtrT> search_length =
        LoadStringLengthAsWord(search_element_string);
    Goto(&next_iteration);
    BIND(&next_iteration);
    GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
              &return_not_found);
2173 2174
    Node* element_k =
        UnsafeLoadFixedArrayElement(CAST(elements), index_var.value());
2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190
    GotoIf(TaggedIsSmi(element_k), &continue_loop);
    GotoIf(WordEqual(search_element_string, element_k), &return_found);
    Node* element_k_type = LoadInstanceType(element_k);
    GotoIfNot(IsStringInstanceType(element_k_type), &continue_loop);
    Branch(WordEqual(search_length, LoadStringLengthAsWord(element_k)),
           &slow_compare, &continue_loop);

    BIND(&slow_compare);
    StringBuiltinsAssembler string_asm(state());
    string_asm.StringEqual_Core(context, search_element_string, search_type,
                                element_k, element_k_type, search_length,
                                &return_found, &continue_loop, &runtime);
    BIND(&runtime);
    TNode<Object> result = CallRuntime(Runtime::kStringEqual, context,
                                       search_element_string, element_k);
    Branch(WordEqual(result, TrueConstant()), &return_found, &continue_loop);
2191

2192 2193 2194 2195
    BIND(&continue_loop);
    Increment(&index_var);
    Goto(&next_iteration);
  }
2196

2197 2198 2199 2200 2201
  BIND(&bigint_loop);
  {
    GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
              &return_not_found);

2202 2203
    Node* element_k =
        UnsafeLoadFixedArrayElement(CAST(elements), index_var.value());
2204 2205
    Label continue_loop(this);
    GotoIf(TaggedIsSmi(element_k), &continue_loop);
2206
    GotoIfNot(IsBigInt(CAST(element_k)), &continue_loop);
2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220
    TNode<Object> result = CallRuntime(Runtime::kBigIntEqualToBigInt, context,
                                       search_element, element_k);
    Branch(WordEqual(result, TrueConstant()), &return_found, &continue_loop);

    BIND(&continue_loop);
    Increment(&index_var);
    Goto(&bigint_loop);
  }
  BIND(&return_found);
  if (variant == kIncludes) {
    Return(TrueConstant());
  } else {
    Return(SmiTag(index_var.value()));
  }
2221

2222 2223 2224 2225 2226 2227 2228
  BIND(&return_not_found);
  if (variant == kIncludes) {
    Return(FalseConstant());
  } else {
    Return(NumberConstant(-1));
  }
}
2229

2230 2231 2232 2233 2234 2235 2236 2237
void ArrayIncludesIndexofAssembler::GeneratePackedDoubles(SearchVariant variant,
                                                          Node* elements,
                                                          Node* search_element,
                                                          Node* array_length,
                                                          Node* from_index) {
  VARIABLE(index_var, MachineType::PointerRepresentation(),
           SmiUntag(from_index));
  Node* array_length_untagged = SmiUntag(array_length);
2238

2239 2240 2241 2242 2243
  Label nan_loop(this, &index_var), not_nan_loop(this, &index_var),
      hole_loop(this, &index_var), search_notnan(this), return_found(this),
      return_not_found(this);
  VARIABLE(search_num, MachineRepresentation::kFloat64);
  search_num.Bind(Float64Constant(0));
2244

2245 2246 2247
  GotoIfNot(TaggedIsSmi(search_element), &search_notnan);
  search_num.Bind(SmiToFloat64(search_element));
  Goto(&not_nan_loop);
2248

2249 2250
  BIND(&search_notnan);
  GotoIfNot(IsHeapNumber(search_element), &return_not_found);
2251

2252
  search_num.Bind(LoadHeapNumberValue(search_element));
2253

2254 2255
  Label* nan_handling = variant == kIncludes ? &nan_loop : &return_not_found;
  BranchIfFloat64IsNaN(search_num.value(), nan_handling, &not_nan_loop);
2256

2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268 2269
  BIND(&not_nan_loop);
  {
    Label continue_loop(this);
    GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
              &return_not_found);
    Node* element_k = LoadFixedDoubleArrayElement(elements, index_var.value(),
                                                  MachineType::Float64());
    Branch(Float64Equal(element_k, search_num.value()), &return_found,
           &continue_loop);
    BIND(&continue_loop);
    Increment(&index_var);
    Goto(&not_nan_loop);
  }
2270

2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282
  // Array.p.includes uses SameValueZero comparisons, where NaN == NaN.
  if (variant == kIncludes) {
    BIND(&nan_loop);
    Label continue_loop(this);
    GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
              &return_not_found);
    Node* element_k = LoadFixedDoubleArrayElement(elements, index_var.value(),
                                                  MachineType::Float64());
    BranchIfFloat64IsNaN(element_k, &return_found, &continue_loop);
    BIND(&continue_loop);
    Increment(&index_var);
    Goto(&nan_loop);
2283 2284
  }

2285
  BIND(&return_found);
2286
  if (variant == kIncludes) {
2287
    Return(TrueConstant());
2288
  } else {
2289
    Return(SmiTag(index_var.value()));
2290
  }
2291

2292
  BIND(&return_not_found);
2293
  if (variant == kIncludes) {
2294
    Return(FalseConstant());
2295
  } else {
2296
    Return(NumberConstant(-1));
2297
  }
2298
}
2299

2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330
void ArrayIncludesIndexofAssembler::GenerateHoleyDoubles(SearchVariant variant,
                                                         Node* elements,
                                                         Node* search_element,
                                                         Node* array_length,
                                                         Node* from_index) {
  VARIABLE(index_var, MachineType::PointerRepresentation(),
           SmiUntag(from_index));
  Node* array_length_untagged = SmiUntag(array_length);

  Label nan_loop(this, &index_var), not_nan_loop(this, &index_var),
      hole_loop(this, &index_var), search_notnan(this), return_found(this),
      return_not_found(this);
  VARIABLE(search_num, MachineRepresentation::kFloat64);
  search_num.Bind(Float64Constant(0));

  GotoIfNot(TaggedIsSmi(search_element), &search_notnan);
  search_num.Bind(SmiToFloat64(search_element));
  Goto(&not_nan_loop);

  BIND(&search_notnan);
  if (variant == kIncludes) {
    GotoIf(IsUndefined(search_element), &hole_loop);
  }
  GotoIfNot(IsHeapNumber(search_element), &return_not_found);

  search_num.Bind(LoadHeapNumberValue(search_element));

  Label* nan_handling = variant == kIncludes ? &nan_loop : &return_not_found;
  BranchIfFloat64IsNaN(search_num.value(), nan_handling, &not_nan_loop);

  BIND(&not_nan_loop);
2331
  {
2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392
    Label continue_loop(this);
    GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
              &return_not_found);

    // No need for hole checking here; the following Float64Equal will
    // return 'not equal' for holes anyway.
    Node* element_k = LoadFixedDoubleArrayElement(elements, index_var.value(),
                                                  MachineType::Float64());

    Branch(Float64Equal(element_k, search_num.value()), &return_found,
           &continue_loop);
    BIND(&continue_loop);
    Increment(&index_var);
    Goto(&not_nan_loop);
  }

  // Array.p.includes uses SameValueZero comparisons, where NaN == NaN.
  if (variant == kIncludes) {
    BIND(&nan_loop);
    Label continue_loop(this);
    GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
              &return_not_found);

    // Load double value or continue if it's the hole NaN.
    Node* element_k = LoadFixedDoubleArrayElement(
        elements, index_var.value(), MachineType::Float64(), 0,
        INTPTR_PARAMETERS, &continue_loop);

    BranchIfFloat64IsNaN(element_k, &return_found, &continue_loop);
    BIND(&continue_loop);
    Increment(&index_var);
    Goto(&nan_loop);
  }

  // Array.p.includes treats the hole as undefined.
  if (variant == kIncludes) {
    BIND(&hole_loop);
    GotoIfNot(UintPtrLessThan(index_var.value(), array_length_untagged),
              &return_not_found);

    // Check if the element is a double hole, but don't load it.
    LoadFixedDoubleArrayElement(elements, index_var.value(),
                                MachineType::None(), 0, INTPTR_PARAMETERS,
                                &return_found);

    Increment(&index_var);
    Goto(&hole_loop);
  }

  BIND(&return_found);
  if (variant == kIncludes) {
    Return(TrueConstant());
  } else {
    Return(SmiTag(index_var.value()));
  }

  BIND(&return_not_found);
  if (variant == kIncludes) {
    Return(FalseConstant());
  } else {
    Return(NumberConstant(-1));
2393
  }
2394 2395
}

2396
TF_BUILTIN(ArrayIncludes, ArrayIncludesIndexofAssembler) {
2397
  TNode<IntPtrT> argc =
2398 2399
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
2400 2401

  Generate(kIncludes, argc, context);
2402 2403
}

2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434
TF_BUILTIN(ArrayIncludesSmiOrObject, ArrayIncludesIndexofAssembler) {
  Node* context = Parameter(Descriptor::kContext);
  Node* elements = Parameter(Descriptor::kElements);
  Node* search_element = Parameter(Descriptor::kSearchElement);
  Node* array_length = Parameter(Descriptor::kLength);
  Node* from_index = Parameter(Descriptor::kFromIndex);

  GenerateSmiOrObject(kIncludes, context, elements, search_element,
                      array_length, from_index);
}

TF_BUILTIN(ArrayIncludesPackedDoubles, ArrayIncludesIndexofAssembler) {
  Node* elements = Parameter(Descriptor::kElements);
  Node* search_element = Parameter(Descriptor::kSearchElement);
  Node* array_length = Parameter(Descriptor::kLength);
  Node* from_index = Parameter(Descriptor::kFromIndex);

  GeneratePackedDoubles(kIncludes, elements, search_element, array_length,
                        from_index);
}

TF_BUILTIN(ArrayIncludesHoleyDoubles, ArrayIncludesIndexofAssembler) {
  Node* elements = Parameter(Descriptor::kElements);
  Node* search_element = Parameter(Descriptor::kSearchElement);
  Node* array_length = Parameter(Descriptor::kLength);
  Node* from_index = Parameter(Descriptor::kFromIndex);

  GenerateHoleyDoubles(kIncludes, elements, search_element, array_length,
                       from_index);
}

2435 2436
TF_BUILTIN(ArrayIndexOf, ArrayIncludesIndexofAssembler) {
  TNode<IntPtrT> argc =
2437 2438
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
2439 2440 2441

  Generate(kIndexOf, argc, context);
}
2442

2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473
TF_BUILTIN(ArrayIndexOfSmiOrObject, ArrayIncludesIndexofAssembler) {
  Node* context = Parameter(Descriptor::kContext);
  Node* elements = Parameter(Descriptor::kElements);
  Node* search_element = Parameter(Descriptor::kSearchElement);
  Node* array_length = Parameter(Descriptor::kLength);
  Node* from_index = Parameter(Descriptor::kFromIndex);

  GenerateSmiOrObject(kIndexOf, context, elements, search_element, array_length,
                      from_index);
}

TF_BUILTIN(ArrayIndexOfPackedDoubles, ArrayIncludesIndexofAssembler) {
  Node* elements = Parameter(Descriptor::kElements);
  Node* search_element = Parameter(Descriptor::kSearchElement);
  Node* array_length = Parameter(Descriptor::kLength);
  Node* from_index = Parameter(Descriptor::kFromIndex);

  GeneratePackedDoubles(kIndexOf, elements, search_element, array_length,
                        from_index);
}

TF_BUILTIN(ArrayIndexOfHoleyDoubles, ArrayIncludesIndexofAssembler) {
  Node* elements = Parameter(Descriptor::kElements);
  Node* search_element = Parameter(Descriptor::kSearchElement);
  Node* array_length = Parameter(Descriptor::kLength);
  Node* from_index = Parameter(Descriptor::kFromIndex);

  GenerateHoleyDoubles(kIndexOf, elements, search_element, array_length,
                       from_index);
}

2474 2475
// ES #sec-array.prototype.values
TF_BUILTIN(ArrayPrototypeValues, CodeStubAssembler) {
2476 2477
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
2478
  Return(CreateArrayIterator(context, ToObject_Inline(context, receiver),
2479
                             IterationKind::kValues));
2480 2481
}

2482 2483
// ES #sec-array.prototype.entries
TF_BUILTIN(ArrayPrototypeEntries, CodeStubAssembler) {
2484 2485
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
2486
  Return(CreateArrayIterator(context, ToObject_Inline(context, receiver),
2487
                             IterationKind::kEntries));
2488 2489
}

2490 2491
// ES #sec-array.prototype.keys
TF_BUILTIN(ArrayPrototypeKeys, CodeStubAssembler) {
2492 2493
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
2494
  Return(CreateArrayIterator(context, ToObject_Inline(context, receiver),
2495
                             IterationKind::kKeys));
2496 2497
}

2498
// ES #sec-%arrayiteratorprototype%.next
2499
TF_BUILTIN(ArrayIteratorPrototypeNext, CodeStubAssembler) {
2500
  const char* method_name = "Array Iterator.prototype.next";
2501

2502
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
2503
  Node* iterator = Parameter(Descriptor::kReceiver);
2504

2505 2506
  VARIABLE(var_done, MachineRepresentation::kTagged, TrueConstant());
  VARIABLE(var_value, MachineRepresentation::kTagged, UndefinedConstant());
2507 2508 2509

  Label allocate_entry_if_needed(this);
  Label allocate_iterator_result(this);
2510 2511 2512
  Label if_typedarray(this), if_other(this, Label::kDeferred), if_array(this),
      if_generic(this, Label::kDeferred);
  Label set_done(this, Label::kDeferred);
2513 2514 2515

  // If O does not have all of the internal slots of an Array Iterator Instance
  // (22.1.5.3), throw a TypeError exception
2516 2517
  ThrowIfNotInstanceType(context, iterator, JS_ARRAY_ITERATOR_TYPE,
                         method_name);
2518 2519

  // Let a be O.[[IteratedObject]].
2520 2521
  TNode<JSReceiver> array =
      CAST(LoadObjectField(iterator, JSArrayIterator::kIteratedObjectOffset));
2522 2523

  // Let index be O.[[ArrayIteratorNextIndex]].
2524 2525 2526 2527 2528 2529 2530
  TNode<Number> index =
      CAST(LoadObjectField(iterator, JSArrayIterator::kNextIndexOffset));
  CSA_ASSERT(this, IsNumberNonNegativeSafeInteger(index));

  // Dispatch based on the type of the {array}.
  TNode<Map> array_map = LoadMap(array);
  TNode<Int32T> array_type = LoadMapInstanceType(array_map);
2531 2532 2533
  GotoIf(InstanceTypeEqual(array_type, JS_ARRAY_TYPE), &if_array);
  Branch(InstanceTypeEqual(array_type, JS_TYPED_ARRAY_TYPE), &if_typedarray,
         &if_other);
2534

2535
  BIND(&if_array);
2536
  {
2537 2538 2539 2540 2541 2542 2543 2544 2545 2546 2547 2548
    // If {array} is a JSArray, then the {index} must be in Unsigned32 range.
    CSA_ASSERT(this, IsNumberArrayIndex(index));

    // Check that the {index} is within range for the {array}. We handle all
    // kinds of JSArray's here, so we do the computation on Uint32.
    TNode<Uint32T> index32 = ChangeNumberToUint32(index);
    TNode<Uint32T> length32 =
        ChangeNumberToUint32(LoadJSArrayLength(CAST(array)));
    GotoIfNot(Uint32LessThan(index32, length32), &set_done);
    StoreObjectField(
        iterator, JSArrayIterator::kNextIndexOffset,
        ChangeUint32ToTagged(Unsigned(Int32Add(index32, Int32Constant(1)))));
2549

2550
    var_done.Bind(FalseConstant());
2551
    var_value.Bind(index);
2552

2553 2554 2555 2556
    GotoIf(Word32Equal(LoadAndUntagToWord32ObjectField(
                           iterator, JSArrayIterator::kKindOffset),
                       Int32Constant(static_cast<int>(IterationKind::kKeys))),
           &allocate_iterator_result);
2557

2558 2559 2560
    Label if_hole(this, Label::kDeferred);
    TNode<Int32T> elements_kind = LoadMapElementsKind(array_map);
    TNode<FixedArrayBase> elements = LoadElements(CAST(array));
2561
    GotoIfForceSlowPath(&if_generic);
2562
    var_value.Bind(LoadFixedArrayBaseElementAsTagged(
2563 2564
        elements, Signed(ChangeUint32ToWord(index32)), elements_kind,
        &if_generic, &if_hole));
2565
    Goto(&allocate_entry_if_needed);
2566

2567
    BIND(&if_hole);
2568
    {
2569
      GotoIf(IsNoElementsProtectorCellInvalid(), &if_generic);
2570 2571
      GotoIfNot(IsPrototypeInitialArrayPrototype(context, array_map),
                &if_generic);
2572 2573
      var_value.Bind(UndefinedConstant());
      Goto(&allocate_entry_if_needed);
2574 2575 2576
    }
  }

2577
  BIND(&if_other);
2578
  {
2579 2580
    // We cannot enter here with either JSArray's or JSTypedArray's.
    CSA_ASSERT(this, Word32BinaryNot(IsJSArray(array)));
2581 2582 2583 2584
    CSA_ASSERT(this, Word32BinaryNot(IsJSTypedArray(array)));

    // Check that the {index} is within the bounds of the {array}s "length".
    TNode<Number> length = CAST(
2585
        CallBuiltin(Builtins::kToLength, context,
2586
                    GetProperty(context, array, factory()->length_string())));
2587 2588 2589
    GotoIfNumberGreaterThanOrEqual(index, length, &set_done);
    StoreObjectField(iterator, JSArrayIterator::kNextIndexOffset,
                     NumberInc(index));
2590

2591
    var_done.Bind(FalseConstant());
2592
    var_value.Bind(index);
2593

2594
    Branch(Word32Equal(LoadAndUntagToWord32ObjectField(
2595 2596
                           iterator, JSArrayIterator::kKindOffset),
                       Int32Constant(static_cast<int>(IterationKind::kKeys))),
2597 2598 2599 2600 2601 2602 2603 2604 2605 2606 2607 2608 2609 2610 2611 2612 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623
           &allocate_iterator_result, &if_generic);
  }

  BIND(&set_done);
  {
    // Change the [[ArrayIteratorNextIndex]] such that the {iterator} will
    // never produce values anymore, because it will always fail the bounds
    // check. Note that this is different from what the specification does,
    // which is changing the [[IteratedObject]] to undefined, because leaving
    // [[IteratedObject]] alone helps TurboFan to generate better code with
    // the inlining in JSCallReducer::ReduceArrayIteratorPrototypeNext().
    //
    // The terminal value we chose here depends on the type of the {array},
    // for JSArray's we use kMaxUInt32 so that TurboFan can always use
    // Word32 representation for fast-path indices (and this is safe since
    // the "length" of JSArray's is limited to Unsigned32 range). For other
    // JSReceiver's we have to use kMaxSafeInteger, since the "length" can
    // be any arbitrary value in the safe integer range.
    //
    // Note specifically that JSTypedArray's will never take this path, so
    // we don't need to worry about their maximum value.
    CSA_ASSERT(this, Word32BinaryNot(IsJSTypedArray(array)));
    TNode<Number> max_length =
        SelectConstant(IsJSArray(array), NumberConstant(kMaxUInt32),
                       NumberConstant(kMaxSafeInteger));
    StoreObjectField(iterator, JSArrayIterator::kNextIndexOffset, max_length);
    Goto(&allocate_iterator_result);
2624
  }
2625

2626 2627 2628 2629 2630
  BIND(&if_generic);
  {
    var_value.Bind(GetProperty(context, array, index));
    Goto(&allocate_entry_if_needed);
  }
2631

2632 2633
  BIND(&if_typedarray);
  {
2634 2635 2636
    // If {array} is a JSTypedArray, the {index} must always be a Smi.
    CSA_ASSERT(this, TaggedIsSmi(index));

2637
    // Check that the {array}s buffer wasn't detached.
2638
    ThrowIfArrayBufferViewBufferIsDetached(context, CAST(array), method_name);
2639

2640 2641 2642 2643
    // If we go outside of the {length}, we don't need to update the
    // [[ArrayIteratorNextIndex]] anymore, since a JSTypedArray's
    // length cannot change anymore, so this {iterator} will never
    // produce values again anyways.
2644
    TNode<Smi> length = LoadJSTypedArrayLength(CAST(array));
2645
    GotoIfNot(SmiBelow(CAST(index), length), &allocate_iterator_result);
2646
    StoreObjectFieldNoWriteBarrier(iterator, JSArrayIterator::kNextIndexOffset,
2647 2648
                                   SmiInc(CAST(index)));

2649
    var_done.Bind(FalseConstant());
2650
    var_value.Bind(index);
2651

2652 2653 2654 2655
    GotoIf(Word32Equal(LoadAndUntagToWord32ObjectField(
                           iterator, JSArrayIterator::kKindOffset),
                       Int32Constant(static_cast<int>(IterationKind::kKeys))),
           &allocate_iterator_result);
2656

2657 2658
    TNode<Int32T> elements_kind = LoadMapElementsKind(array_map);
    Node* elements = LoadElements(CAST(array));
2659 2660 2661 2662 2663
    Node* base_ptr =
        LoadObjectField(elements, FixedTypedArrayBase::kBasePointerOffset);
    Node* external_ptr =
        LoadObjectField(elements, FixedTypedArrayBase::kExternalPointerOffset,
                        MachineType::Pointer());
2664 2665 2666 2667 2668
    TNode<WordT> data_ptr =
        IntPtrAdd(BitcastTaggedToWord(base_ptr), external_ptr);
    var_value.Bind(LoadFixedTypedArrayElementAsTagged(data_ptr, CAST(index),
                                                      elements_kind));
    Goto(&allocate_entry_if_needed);
2669 2670
  }

2671
  BIND(&allocate_entry_if_needed);
2672
  {
2673 2674 2675
    GotoIf(Word32Equal(LoadAndUntagToWord32ObjectField(
                           iterator, JSArrayIterator::kKindOffset),
                       Int32Constant(static_cast<int>(IterationKind::kValues))),
2676 2677
           &allocate_iterator_result);

2678 2679 2680
    Node* result =
        AllocateJSIteratorResultForEntry(context, index, var_value.value());
    Return(result);
2681 2682
  }

2683
  BIND(&allocate_iterator_result);
2684
  {
2685 2686
    Node* result =
        AllocateJSIteratorResult(context, var_value.value(), var_done.value());
2687 2688 2689 2690
    Return(result);
  }
}

2691 2692 2693 2694 2695 2696 2697 2698 2699 2700 2701 2702 2703 2704 2705 2706 2707 2708 2709 2710 2711 2712 2713 2714 2715 2716 2717 2718 2719 2720 2721 2722 2723 2724 2725
class ArrayFlattenAssembler : public CodeStubAssembler {
 public:
  explicit ArrayFlattenAssembler(compiler::CodeAssemblerState* state)
      : CodeStubAssembler(state) {}

  // https://tc39.github.io/proposal-flatMap/#sec-FlattenIntoArray
  Node* FlattenIntoArray(Node* context, Node* target, Node* source,
                         Node* source_length, Node* start, Node* depth,
                         Node* mapper_function = nullptr,
                         Node* this_arg = nullptr) {
    CSA_ASSERT(this, IsJSReceiver(target));
    CSA_ASSERT(this, IsJSReceiver(source));
    CSA_ASSERT(this, IsNumberPositive(source_length));
    CSA_ASSERT(this, IsNumberPositive(start));
    CSA_ASSERT(this, IsNumber(depth));

    // 1. Let targetIndex be start.
    VARIABLE(var_target_index, MachineRepresentation::kTagged, start);

    // 2. Let sourceIndex be 0.
    VARIABLE(var_source_index, MachineRepresentation::kTagged, SmiConstant(0));

    // 3. Repeat...
    Label loop(this, {&var_target_index, &var_source_index}), done_loop(this);
    Goto(&loop);
    BIND(&loop);
    {
      Node* const source_index = var_source_index.value();
      Node* const target_index = var_target_index.value();

      // ...while sourceIndex < sourceLen
      GotoIfNumberGreaterThanOrEqual(source_index, source_length, &done_loop);

      // a. Let P be ! ToString(sourceIndex).
      // b. Let exists be ? HasProperty(source, P).
2726 2727
      CSA_ASSERT(this,
                 SmiGreaterThanOrEqual(CAST(source_index), SmiConstant(0)));
2728
      Node* const exists =
2729
          HasProperty(context, source, source_index, kHasProperty);
2730 2731 2732 2733 2734 2735 2736 2737 2738 2739 2740 2741 2742 2743 2744 2745 2746 2747 2748 2749 2750 2751 2752 2753 2754 2755 2756 2757 2758 2759 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771 2772 2773 2774 2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785 2786 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802 2803 2804 2805 2806 2807 2808 2809 2810 2811 2812 2813 2814 2815 2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 2827 2828 2829 2830 2831 2832 2833 2834 2835 2836 2837 2838 2839

      // c. If exists is true, then
      Label next(this);
      GotoIfNot(IsTrue(exists), &next);
      {
        // i. Let element be ? Get(source, P).
        Node* element = GetProperty(context, source, source_index);

        // ii. If mapperFunction is present, then
        if (mapper_function != nullptr) {
          CSA_ASSERT(this, Word32Or(IsUndefined(mapper_function),
                                    IsCallable(mapper_function)));
          DCHECK_NOT_NULL(this_arg);

          // 1. Set element to ? Call(mapperFunction, thisArg , « element,
          //                          sourceIndex, source »).
          element =
              CallJS(CodeFactory::Call(isolate()), context, mapper_function,
                     this_arg, element, source_index, source);
        }

        // iii. Let shouldFlatten be false.
        Label if_flatten_array(this), if_flatten_proxy(this, Label::kDeferred),
            if_noflatten(this);
        // iv. If depth > 0, then
        GotoIfNumberGreaterThanOrEqual(SmiConstant(0), depth, &if_noflatten);
        // 1. Set shouldFlatten to ? IsArray(element).
        GotoIf(TaggedIsSmi(element), &if_noflatten);
        GotoIf(IsJSArray(element), &if_flatten_array);
        GotoIfNot(IsJSProxy(element), &if_noflatten);
        Branch(IsTrue(CallRuntime(Runtime::kArrayIsArray, context, element)),
               &if_flatten_proxy, &if_noflatten);

        BIND(&if_flatten_array);
        {
          CSA_ASSERT(this, IsJSArray(element));

          // 1. Let elementLen be ? ToLength(? Get(element, "length")).
          Node* const element_length =
              LoadObjectField(element, JSArray::kLengthOffset);

          // 2. Set targetIndex to ? FlattenIntoArray(target, element,
          //                                          elementLen, targetIndex,
          //                                          depth - 1).
          var_target_index.Bind(
              CallBuiltin(Builtins::kFlattenIntoArray, context, target, element,
                          element_length, target_index, NumberDec(depth)));
          Goto(&next);
        }

        BIND(&if_flatten_proxy);
        {
          CSA_ASSERT(this, IsJSProxy(element));

          // 1. Let elementLen be ? ToLength(? Get(element, "length")).
          Node* const element_length = ToLength_Inline(
              context, GetProperty(context, element, LengthStringConstant()));

          // 2. Set targetIndex to ? FlattenIntoArray(target, element,
          //                                          elementLen, targetIndex,
          //                                          depth - 1).
          var_target_index.Bind(
              CallBuiltin(Builtins::kFlattenIntoArray, context, target, element,
                          element_length, target_index, NumberDec(depth)));
          Goto(&next);
        }

        BIND(&if_noflatten);
        {
          // 1. If targetIndex >= 2^53-1, throw a TypeError exception.
          Label throw_error(this, Label::kDeferred);
          GotoIfNumberGreaterThanOrEqual(
              target_index, NumberConstant(kMaxSafeInteger), &throw_error);

          // 2. Perform ? CreateDataPropertyOrThrow(target,
          //                                        ! ToString(targetIndex),
          //                                        element).
          CallRuntime(Runtime::kCreateDataProperty, context, target,
                      target_index, element);

          // 3. Increase targetIndex by 1.
          var_target_index.Bind(NumberInc(target_index));
          Goto(&next);

          BIND(&throw_error);
          ThrowTypeError(context, MessageTemplate::kFlattenPastSafeLength,
                         source_length, target_index);
        }
      }
      BIND(&next);

      // d. Increase sourceIndex by 1.
      var_source_index.Bind(NumberInc(source_index));
      Goto(&loop);
    }

    BIND(&done_loop);
    return var_target_index.value();
  }
};

// https://tc39.github.io/proposal-flatMap/#sec-FlattenIntoArray
TF_BUILTIN(FlattenIntoArray, ArrayFlattenAssembler) {
  Node* const context = Parameter(Descriptor::kContext);
  Node* const target = Parameter(Descriptor::kTarget);
  Node* const source = Parameter(Descriptor::kSource);
  Node* const source_length = Parameter(Descriptor::kSourceLength);
  Node* const start = Parameter(Descriptor::kStart);
  Node* const depth = Parameter(Descriptor::kDepth);

2840 2841 2842 2843
  // FlattenIntoArray might get called recursively, check stack for overflow
  // manually as it has stub linkage.
  PerformStackCheck(CAST(context));

2844 2845 2846 2847 2848 2849 2850 2851 2852 2853 2854 2855 2856 2857 2858 2859 2860 2861 2862
  Return(
      FlattenIntoArray(context, target, source, source_length, start, depth));
}

// https://tc39.github.io/proposal-flatMap/#sec-FlattenIntoArray
TF_BUILTIN(FlatMapIntoArray, ArrayFlattenAssembler) {
  Node* const context = Parameter(Descriptor::kContext);
  Node* const target = Parameter(Descriptor::kTarget);
  Node* const source = Parameter(Descriptor::kSource);
  Node* const source_length = Parameter(Descriptor::kSourceLength);
  Node* const start = Parameter(Descriptor::kStart);
  Node* const depth = Parameter(Descriptor::kDepth);
  Node* const mapper_function = Parameter(Descriptor::kMapperFunction);
  Node* const this_arg = Parameter(Descriptor::kThisArg);

  Return(FlattenIntoArray(context, target, source, source_length, start, depth,
                          mapper_function, this_arg));
}

2863 2864
// https://tc39.github.io/proposal-flatMap/#sec-Array.prototype.flat
TF_BUILTIN(ArrayPrototypeFlat, CodeStubAssembler) {
2865
  TNode<IntPtrT> const argc =
2866
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
2867
  CodeStubArguments args(this, argc);
2868 2869 2870
  TNode<Context> const context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> const receiver = args.GetReceiver();
  TNode<Object> const depth = args.GetOptionalArgumentValue(0);
2871 2872

  // 1. Let O be ? ToObject(this value).
2873
  TNode<JSReceiver> const o = ToObject_Inline(context, receiver);
2874 2875

  // 2. Let sourceLen be ? ToLength(? Get(O, "length")).
2876
  TNode<Number> const source_length =
2877 2878 2879
      ToLength_Inline(context, GetProperty(context, o, LengthStringConstant()));

  // 3. Let depthNum be 1.
2880
  TVARIABLE(Number, var_depth_num, SmiConstant(1));
2881 2882 2883 2884 2885 2886

  // 4. If depth is not undefined, then
  Label done(this);
  GotoIf(IsUndefined(depth), &done);
  {
    // a. Set depthNum to ? ToInteger(depth).
2887
    var_depth_num = ToInteger_Inline(context, depth);
2888 2889 2890 2891 2892
    Goto(&done);
  }
  BIND(&done);

  // 5. Let A be ? ArraySpeciesCreate(O, 0).
2893 2894 2895
  TNode<JSReceiver> const constructor =
      CAST(CallRuntime(Runtime::kArraySpeciesConstructor, context, o));
  Node* const a = Construct(context, constructor, SmiConstant(0));
2896 2897 2898 2899 2900 2901 2902 2903 2904 2905 2906

  // 6. Perform ? FlattenIntoArray(A, O, sourceLen, 0, depthNum).
  CallBuiltin(Builtins::kFlattenIntoArray, context, a, o, source_length,
              SmiConstant(0), var_depth_num.value());

  // 7. Return A.
  args.PopAndReturn(a);
}

// https://tc39.github.io/proposal-flatMap/#sec-Array.prototype.flatMap
TF_BUILTIN(ArrayPrototypeFlatMap, CodeStubAssembler) {
2907
  TNode<IntPtrT> const argc =
2908
      ChangeInt32ToIntPtr(Parameter(Descriptor::kJSActualArgumentsCount));
2909
  CodeStubArguments args(this, argc);
2910 2911 2912
  TNode<Context> const context = CAST(Parameter(Descriptor::kContext));
  TNode<Object> const receiver = args.GetReceiver();
  TNode<Object> const mapper_function = args.GetOptionalArgumentValue(0);
2913 2914

  // 1. Let O be ? ToObject(this value).
2915
  TNode<JSReceiver> const o = ToObject_Inline(context, receiver);
2916 2917

  // 2. Let sourceLen be ? ToLength(? Get(O, "length")).
2918
  TNode<Number> const source_length =
2919 2920 2921 2922 2923
      ToLength_Inline(context, GetProperty(context, o, LengthStringConstant()));

  // 3. If IsCallable(mapperFunction) is false, throw a TypeError exception.
  Label if_not_callable(this, Label::kDeferred);
  GotoIf(TaggedIsSmi(mapper_function), &if_not_callable);
2924
  GotoIfNot(IsCallable(CAST(mapper_function)), &if_not_callable);
2925 2926

  // 4. If thisArg is present, let T be thisArg; else let T be undefined.
2927
  TNode<Object> const t = args.GetOptionalArgumentValue(1);
2928 2929

  // 5. Let A be ? ArraySpeciesCreate(O, 0).
2930 2931 2932
  TNode<JSReceiver> const constructor =
      CAST(CallRuntime(Runtime::kArraySpeciesConstructor, context, o));
  TNode<JSReceiver> const a = Construct(context, constructor, SmiConstant(0));
2933 2934 2935 2936 2937 2938 2939 2940 2941 2942 2943 2944

  // 6. Perform ? FlattenIntoArray(A, O, sourceLen, 0, 1, mapperFunction, T).
  CallBuiltin(Builtins::kFlatMapIntoArray, context, a, o, source_length,
              SmiConstant(0), SmiConstant(1), mapper_function, t);

  // 7. Return A.
  args.PopAndReturn(a);

  BIND(&if_not_callable);
  { ThrowTypeError(context, MessageTemplate::kMapperFunctionNonCallable); }
}

2945 2946 2947 2948
TF_BUILTIN(ArrayConstructor, ArrayBuiltinsAssembler) {
  // This is a trampoline to ArrayConstructorImpl which just adds
  // allocation_site parameter value and sets new_target if necessary.
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
2949
  TNode<JSFunction> function = CAST(Parameter(Descriptor::kTarget));
2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960
  TNode<Object> new_target = CAST(Parameter(Descriptor::kNewTarget));
  TNode<Int32T> argc =
      UncheckedCast<Int32T>(Parameter(Descriptor::kActualArgumentsCount));

  // If new_target is undefined, then this is the 'Call' case, so set new_target
  // to function.
  new_target =
      SelectConstant<Object>(IsUndefined(new_target), function, new_target);

  // Run the native code for the Array function called as a normal function.
  TNode<Object> no_allocation_site = UndefinedConstant();
2961 2962 2963 2964 2965 2966 2967 2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981 2982 2983
  TailCallBuiltin(Builtins::kArrayConstructorImpl, context, function,
                  new_target, argc, no_allocation_site);
}

void ArrayBuiltinsAssembler::TailCallArrayConstructorStub(
    const Callable& callable, TNode<Context> context, TNode<JSFunction> target,
    TNode<HeapObject> allocation_site_or_undefined, TNode<Int32T> argc) {
  TNode<Code> code = HeapConstant(callable.code());

  // We are going to call here ArrayNoArgumentsConstructor or
  // ArraySingleArgumentsConstructor which in addition to the register arguments
  // also expect some number of arguments on the expression stack.
  // Since
  // 1) incoming JS arguments are still on the stack,
  // 2) the ArrayNoArgumentsConstructor, ArraySingleArgumentsConstructor and
  //    ArrayNArgumentsConstructor are defined so that the register arguments
  //    are passed on the same registers,
  // in order to be able to generate a tail call to those builtins we do the
  // following trick here: we tail call to the constructor builtin using
  // ArrayNArgumentsConstructorDescriptor, so the tail call instruction
  // pops the current frame but leaves all the incoming JS arguments on the
  // expression stack so that the target builtin can still find them where it
  // expects.
2984 2985
  TailCallStub(ArrayNArgumentsConstructorDescriptor{}, code, context, target,
               allocation_site_or_undefined, argc);
2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 2999 3000 3001 3002 3003 3004 3005 3006 3007 3008 3009 3010 3011 3012 3013 3014 3015 3016 3017 3018 3019 3020 3021 3022 3023 3024 3025 3026 3027 3028 3029 3030 3031 3032 3033 3034 3035 3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048 3049 3050 3051 3052 3053 3054 3055 3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115 3116 3117 3118 3119 3120 3121 3122 3123 3124 3125 3126 3127 3128 3129 3130 3131 3132 3133 3134 3135 3136 3137 3138 3139 3140 3141 3142 3143 3144 3145 3146
}

void ArrayBuiltinsAssembler::CreateArrayDispatchNoArgument(
    TNode<Context> context, TNode<JSFunction> target, TNode<Int32T> argc,
    AllocationSiteOverrideMode mode, TNode<AllocationSite> allocation_site) {
  if (mode == DISABLE_ALLOCATION_SITES) {
    Callable callable = CodeFactory::ArrayNoArgumentConstructor(
        isolate(), GetInitialFastElementsKind(), mode);

    TailCallArrayConstructorStub(callable, context, target, UndefinedConstant(),
                                 argc);
  } else {
    DCHECK_EQ(mode, DONT_OVERRIDE);
    TNode<Int32T> elements_kind = LoadElementsKind(allocation_site);

    // TODO(ishell): Compute the builtin index dynamically instead of
    // iterating over all expected elements kinds.
    int last_index =
        GetSequenceIndexFromFastElementsKind(TERMINAL_FAST_ELEMENTS_KIND);
    for (int i = 0; i <= last_index; ++i) {
      Label next(this);
      ElementsKind kind = GetFastElementsKindFromSequenceIndex(i);
      GotoIfNot(Word32Equal(elements_kind, Int32Constant(kind)), &next);

      Callable callable =
          CodeFactory::ArrayNoArgumentConstructor(isolate(), kind, mode);

      TailCallArrayConstructorStub(callable, context, target, allocation_site,
                                   argc);

      BIND(&next);
    }

    // If we reached this point there is a problem.
    Abort(AbortReason::kUnexpectedElementsKindInArrayConstructor);
  }
}

void ArrayBuiltinsAssembler::CreateArrayDispatchSingleArgument(
    TNode<Context> context, TNode<JSFunction> target, TNode<Int32T> argc,
    AllocationSiteOverrideMode mode, TNode<AllocationSite> allocation_site) {
  if (mode == DISABLE_ALLOCATION_SITES) {
    ElementsKind initial = GetInitialFastElementsKind();
    ElementsKind holey_initial = GetHoleyElementsKind(initial);
    Callable callable = CodeFactory::ArraySingleArgumentConstructor(
        isolate(), holey_initial, mode);

    TailCallArrayConstructorStub(callable, context, target, UndefinedConstant(),
                                 argc);
  } else {
    DCHECK_EQ(mode, DONT_OVERRIDE);
    TNode<Smi> transition_info = LoadTransitionInfo(allocation_site);

    // Least significant bit in fast array elements kind means holeyness.
    STATIC_ASSERT(PACKED_SMI_ELEMENTS == 0);
    STATIC_ASSERT(HOLEY_SMI_ELEMENTS == 1);
    STATIC_ASSERT(PACKED_ELEMENTS == 2);
    STATIC_ASSERT(HOLEY_ELEMENTS == 3);
    STATIC_ASSERT(PACKED_DOUBLE_ELEMENTS == 4);
    STATIC_ASSERT(HOLEY_DOUBLE_ELEMENTS == 5);

    Label normal_sequence(this);
    TVARIABLE(Int32T, var_elements_kind,
              Signed(DecodeWord32<AllocationSite::ElementsKindBits>(
                  SmiToInt32(transition_info))));
    // Is the low bit set? If so, we are holey and that is good.
    int fast_elements_kind_holey_mask =
        AllocationSite::ElementsKindBits::encode(static_cast<ElementsKind>(1));
    GotoIf(IsSetSmi(transition_info, fast_elements_kind_holey_mask),
           &normal_sequence);
    {
      // Make elements kind holey and update elements kind in the type info.
      var_elements_kind =
          Signed(Word32Or(var_elements_kind.value(), Int32Constant(1)));
      StoreObjectFieldNoWriteBarrier(
          allocation_site, AllocationSite::kTransitionInfoOrBoilerplateOffset,
          SmiOr(transition_info, SmiConstant(fast_elements_kind_holey_mask)));
      Goto(&normal_sequence);
    }
    BIND(&normal_sequence);

    // TODO(ishell): Compute the builtin index dynamically instead of
    // iterating over all expected elements kinds.
    // TODO(ishell): Given that the code above ensures that the elements kind
    // is holey we can skip checking with non-holey elements kinds.
    int last_index =
        GetSequenceIndexFromFastElementsKind(TERMINAL_FAST_ELEMENTS_KIND);
    for (int i = 0; i <= last_index; ++i) {
      Label next(this);
      ElementsKind kind = GetFastElementsKindFromSequenceIndex(i);
      GotoIfNot(Word32Equal(var_elements_kind.value(), Int32Constant(kind)),
                &next);

      Callable callable =
          CodeFactory::ArraySingleArgumentConstructor(isolate(), kind, mode);

      TailCallArrayConstructorStub(callable, context, target, allocation_site,
                                   argc);

      BIND(&next);
    }

    // If we reached this point there is a problem.
    Abort(AbortReason::kUnexpectedElementsKindInArrayConstructor);
  }
}

void ArrayBuiltinsAssembler::GenerateDispatchToArrayStub(
    TNode<Context> context, TNode<JSFunction> target, TNode<Int32T> argc,
    AllocationSiteOverrideMode mode, TNode<AllocationSite> allocation_site) {
  Label check_one_case(this), fallthrough(this);
  GotoIfNot(Word32Equal(argc, Int32Constant(0)), &check_one_case);
  CreateArrayDispatchNoArgument(context, target, argc, mode, allocation_site);

  BIND(&check_one_case);
  GotoIfNot(Word32Equal(argc, Int32Constant(1)), &fallthrough);
  CreateArrayDispatchSingleArgument(context, target, argc, mode,
                                    allocation_site);

  BIND(&fallthrough);
}

TF_BUILTIN(ArrayConstructorImpl, ArrayBuiltinsAssembler) {
  TNode<JSFunction> target = CAST(Parameter(Descriptor::kTarget));
  TNode<Object> new_target = CAST(Parameter(Descriptor::kNewTarget));
  TNode<Int32T> argc =
      UncheckedCast<Int32T>(Parameter(Descriptor::kActualArgumentsCount));
  TNode<HeapObject> maybe_allocation_site =
      CAST(Parameter(Descriptor::kAllocationSite));

  // Initial map for the builtin Array functions should be Map.
  CSA_ASSERT(this, IsMap(CAST(LoadObjectField(
                       target, JSFunction::kPrototypeOrInitialMapOffset))));

  // We should either have undefined or a valid AllocationSite
  CSA_ASSERT(this, Word32Or(IsUndefined(maybe_allocation_site),
                            IsAllocationSite(maybe_allocation_site)));

  // "Enter" the context of the Array function.
  TNode<Context> context =
      CAST(LoadObjectField(target, JSFunction::kContextOffset));

  Label runtime(this, Label::kDeferred);
  GotoIf(WordNotEqual(target, new_target), &runtime);

  Label no_info(this);
  // If the feedback vector is the undefined value call an array constructor
  // that doesn't use AllocationSites.
  GotoIf(IsUndefined(maybe_allocation_site), &no_info);

  GenerateDispatchToArrayStub(context, target, argc, DONT_OVERRIDE,
                              CAST(maybe_allocation_site));
  Goto(&runtime);

  BIND(&no_info);
  GenerateDispatchToArrayStub(context, target, argc, DISABLE_ALLOCATION_SITES);
  Goto(&runtime);

  BIND(&runtime);
  GenerateArrayNArgumentsConstructor(context, target, new_target, argc,
                                     maybe_allocation_site);
3147 3148
}

3149 3150 3151 3152 3153 3154 3155 3156 3157 3158 3159 3160 3161 3162 3163 3164 3165 3166 3167 3168 3169 3170
void ArrayBuiltinsAssembler::GenerateConstructor(
    Node* context, Node* array_function, Node* array_map, Node* array_size,
    Node* allocation_site, ElementsKind elements_kind,
    AllocationSiteMode mode) {
  Label ok(this);
  Label smi_size(this);
  Label small_smi_size(this);
  Label call_runtime(this, Label::kDeferred);

  Branch(TaggedIsSmi(array_size), &smi_size, &call_runtime);

  BIND(&smi_size);

  if (IsFastPackedElementsKind(elements_kind)) {
    Label abort(this, Label::kDeferred);
    Branch(SmiEqual(CAST(array_size), SmiConstant(0)), &small_smi_size, &abort);

    BIND(&abort);
    Node* reason = SmiConstant(AbortReason::kAllocatingNonEmptyPackedArray);
    TailCallRuntime(Runtime::kAbort, context, reason);
  } else {
    int element_size =
3171
        IsDoubleElementsKind(elements_kind) ? kDoubleSize : kTaggedSize;
3172 3173 3174 3175 3176 3177 3178 3179 3180 3181
    int max_fast_elements =
        (kMaxRegularHeapObjectSize - FixedArray::kHeaderSize - JSArray::kSize -
         AllocationMemento::kSize) /
        element_size;
    Branch(SmiAboveOrEqual(CAST(array_size), SmiConstant(max_fast_elements)),
           &call_runtime, &small_smi_size);
  }

  BIND(&small_smi_size);
  {
3182 3183
    TNode<JSArray> array = AllocateJSArray(
        elements_kind, CAST(array_map), array_size, CAST(array_size),
3184 3185 3186 3187 3188 3189 3190 3191 3192 3193 3194 3195 3196 3197 3198 3199 3200 3201 3202 3203 3204
        mode == DONT_TRACK_ALLOCATION_SITE ? nullptr : allocation_site,
        CodeStubAssembler::SMI_PARAMETERS);
    Return(array);
  }

  BIND(&call_runtime);
  {
    TailCallRuntime(Runtime::kNewArray, context, array_function, array_size,
                    array_function, allocation_site);
  }
}

void ArrayBuiltinsAssembler::GenerateArrayNoArgumentConstructor(
    ElementsKind kind, AllocationSiteOverrideMode mode) {
  typedef ArrayNoArgumentConstructorDescriptor Descriptor;
  Node* native_context = LoadObjectField(Parameter(Descriptor::kFunction),
                                         JSFunction::kContextOffset);
  bool track_allocation_site =
      AllocationSite::ShouldTrack(kind) && mode != DISABLE_ALLOCATION_SITES;
  Node* allocation_site =
      track_allocation_site ? Parameter(Descriptor::kAllocationSite) : nullptr;
3205 3206
  TNode<Map> array_map = LoadJSArrayElementsMap(kind, native_context);
  TNode<JSArray> array = AllocateJSArray(
3207 3208 3209 3210 3211 3212 3213 3214 3215 3216 3217 3218 3219 3220 3221 3222 3223 3224 3225 3226 3227 3228 3229 3230 3231 3232 3233
      kind, array_map, IntPtrConstant(JSArray::kPreallocatedArrayElements),
      SmiConstant(0), allocation_site);
  Return(array);
}

void ArrayBuiltinsAssembler::GenerateArraySingleArgumentConstructor(
    ElementsKind kind, AllocationSiteOverrideMode mode) {
  typedef ArraySingleArgumentConstructorDescriptor Descriptor;
  Node* context = Parameter(Descriptor::kContext);
  Node* function = Parameter(Descriptor::kFunction);
  Node* native_context = LoadObjectField(function, JSFunction::kContextOffset);
  Node* array_map = LoadJSArrayElementsMap(kind, native_context);

  AllocationSiteMode allocation_site_mode = DONT_TRACK_ALLOCATION_SITE;
  if (mode == DONT_OVERRIDE) {
    allocation_site_mode = AllocationSite::ShouldTrack(kind)
                               ? TRACK_ALLOCATION_SITE
                               : DONT_TRACK_ALLOCATION_SITE;
  }

  Node* array_size = Parameter(Descriptor::kArraySizeSmiParameter);
  Node* allocation_site = Parameter(Descriptor::kAllocationSite);

  GenerateConstructor(context, function, array_map, array_size, allocation_site,
                      kind, allocation_site_mode);
}

3234 3235 3236 3237 3238 3239 3240 3241 3242 3243 3244 3245 3246 3247 3248 3249 3250 3251 3252 3253 3254 3255 3256 3257 3258 3259 3260 3261
void ArrayBuiltinsAssembler::GenerateArrayNArgumentsConstructor(
    TNode<Context> context, TNode<JSFunction> target, TNode<Object> new_target,
    TNode<Int32T> argc, TNode<HeapObject> maybe_allocation_site) {
  // Replace incoming JS receiver argument with the target.
  // TODO(ishell): Avoid replacing the target on the stack and just add it
  // as another additional parameter for Runtime::kNewArray.
  CodeStubArguments args(this, ChangeInt32ToIntPtr(argc));
  args.SetReceiver(target);

  // Adjust arguments count for the runtime call: +1 for implicit receiver
  // and +2 for new_target and maybe_allocation_site.
  argc = Int32Add(argc, Int32Constant(3));
  TailCallRuntime(Runtime::kNewArray, argc, context, new_target,
                  maybe_allocation_site);
}

TF_BUILTIN(ArrayNArgumentsConstructor, ArrayBuiltinsAssembler) {
  TNode<Context> context = CAST(Parameter(Descriptor::kContext));
  TNode<JSFunction> target = CAST(Parameter(Descriptor::kFunction));
  TNode<Int32T> argc =
      UncheckedCast<Int32T>(Parameter(Descriptor::kActualArgumentsCount));
  TNode<HeapObject> maybe_allocation_site =
      CAST(Parameter(Descriptor::kAllocationSite));

  GenerateArrayNArgumentsConstructor(context, target, target, argc,
                                     maybe_allocation_site);
}

3262 3263 3264 3265 3266 3267 3268 3269 3270
#define GENERATE_ARRAY_CTOR(name, kind_camel, kind_caps, mode_camel, \
                            mode_caps)                               \
  TF_BUILTIN(Array##name##Constructor_##kind_camel##_##mode_camel,   \
             ArrayBuiltinsAssembler) {                               \
    GenerateArray##name##Constructor(kind_caps, mode_caps);          \
  }

// The ArrayNoArgumentConstructor builtin family.
GENERATE_ARRAY_CTOR(NoArgument, PackedSmi, PACKED_SMI_ELEMENTS, DontOverride,
3271
                    DONT_OVERRIDE)
3272
GENERATE_ARRAY_CTOR(NoArgument, HoleySmi, HOLEY_SMI_ELEMENTS, DontOverride,
3273
                    DONT_OVERRIDE)
3274
GENERATE_ARRAY_CTOR(NoArgument, PackedSmi, PACKED_SMI_ELEMENTS,
3275
                    DisableAllocationSites, DISABLE_ALLOCATION_SITES)
3276
GENERATE_ARRAY_CTOR(NoArgument, HoleySmi, HOLEY_SMI_ELEMENTS,
3277
                    DisableAllocationSites, DISABLE_ALLOCATION_SITES)
3278
GENERATE_ARRAY_CTOR(NoArgument, Packed, PACKED_ELEMENTS, DisableAllocationSites,
3279
                    DISABLE_ALLOCATION_SITES)
3280
GENERATE_ARRAY_CTOR(NoArgument, Holey, HOLEY_ELEMENTS, DisableAllocationSites,
3281
                    DISABLE_ALLOCATION_SITES)
3282
GENERATE_ARRAY_CTOR(NoArgument, PackedDouble, PACKED_DOUBLE_ELEMENTS,
3283
                    DisableAllocationSites, DISABLE_ALLOCATION_SITES)
3284
GENERATE_ARRAY_CTOR(NoArgument, HoleyDouble, HOLEY_DOUBLE_ELEMENTS,
3285
                    DisableAllocationSites, DISABLE_ALLOCATION_SITES)
3286 3287 3288

// The ArraySingleArgumentConstructor builtin family.
GENERATE_ARRAY_CTOR(SingleArgument, PackedSmi, PACKED_SMI_ELEMENTS,
3289
                    DontOverride, DONT_OVERRIDE)
3290
GENERATE_ARRAY_CTOR(SingleArgument, HoleySmi, HOLEY_SMI_ELEMENTS, DontOverride,
3291
                    DONT_OVERRIDE)
3292
GENERATE_ARRAY_CTOR(SingleArgument, PackedSmi, PACKED_SMI_ELEMENTS,
3293
                    DisableAllocationSites, DISABLE_ALLOCATION_SITES)
3294
GENERATE_ARRAY_CTOR(SingleArgument, HoleySmi, HOLEY_SMI_ELEMENTS,
3295
                    DisableAllocationSites, DISABLE_ALLOCATION_SITES)
3296
GENERATE_ARRAY_CTOR(SingleArgument, Packed, PACKED_ELEMENTS,
3297
                    DisableAllocationSites, DISABLE_ALLOCATION_SITES)
3298
GENERATE_ARRAY_CTOR(SingleArgument, Holey, HOLEY_ELEMENTS,
3299
                    DisableAllocationSites, DISABLE_ALLOCATION_SITES)
3300
GENERATE_ARRAY_CTOR(SingleArgument, PackedDouble, PACKED_DOUBLE_ELEMENTS,
3301
                    DisableAllocationSites, DISABLE_ALLOCATION_SITES)
3302
GENERATE_ARRAY_CTOR(SingleArgument, HoleyDouble, HOLEY_DOUBLE_ELEMENTS,
3303
                    DisableAllocationSites, DISABLE_ALLOCATION_SITES)
3304 3305 3306

#undef GENERATE_ARRAY_CTOR

3307 3308 3309 3310 3311 3312 3313 3314 3315 3316
TF_BUILTIN(InternalArrayNoArgumentConstructor_Packed, ArrayBuiltinsAssembler) {
  typedef ArrayNoArgumentConstructorDescriptor Descriptor;
  TNode<Map> array_map =
      CAST(LoadObjectField(Parameter(Descriptor::kFunction),
                           JSFunction::kPrototypeOrInitialMapOffset));
  TNode<JSArray> array = AllocateJSArray(
      PACKED_ELEMENTS, array_map,
      IntPtrConstant(JSArray::kPreallocatedArrayElements), SmiConstant(0));
  Return(array);
}
3317

3318 3319
}  // namespace internal
}  // namespace v8