    [compiler] Direct heap reads for JSArrayRef · 76a2ab06
    Jakob Gruber authored
    There are two aspects to the non-JSObject parts of JSArrayRef:
    
    - JSArrayRef::length. Relevant only in two spots, 1. when reading
    (immutable) array boilerplates and 2. for GetOwnCowElement.
    
    - JSArrayRef::GetOwnCowElement. May read into a copy-on-write backing
    store. Relies on the invariant that cow backing stores are immutable.
    
    This CL renames the length accessor to length_unsafe to make the
    danger explicit at callsites.
    
    For GetOwnCowElement the refactor is slightly larger, since we now
    need to read into the backing store while keeping full control of
    object reads (e.g. JSArray::length and JSArray::elements_kind). We
    make all reads explicit at the call site by requiring that elements,
    elements kind, and length are passed in as arguments to
    GetOwnCowElement. Inside GetOwnCowElement, consistency between these
    is *not* guaranteed due to concurrency. At runtime, consistency *is*
    guaranteed through the reference-equality check on the elements seen
    during compilation. The actual elements read is implemented in
    ConcurrentLookupIterator::GetOwnCowElement.
    
    Bug: v8:7790
    Change-Id: I9aa169ce4f2b1e2bfe1e9232007669eb7654a995
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2695403
    Commit-Queue: Jakob Gruber <jgruber@chromium.org>
    Reviewed-by: Georg Neis <neis@chromium.org>
    Reviewed-by: Igor Sheludko <ishell@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#72834}
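The read-then-guard pattern the message describes, as an added toy model in C++ that is not V8 code: the struct layout, the atomic field reads, the `Snapshot` type and the `ElementsGuardHolds` check are all simplified assumptions standing in for the real heap-broker machinery.

```cpp
#include <atomic>
#include <cstddef>
#include <optional>
#include <vector>

// Toy model, not V8 code: a copy-on-write backing store is immutable once
// shared, so a background compiler thread may read it without a lock.
struct CowBackingStore { std::vector<int> values; };
enum class ElementsKind { kPackedSmi, kHoleySmi, kNonCow };

// The JSArray fields the compiler reads; each read is an independent atomic.
struct JSArray {
  std::atomic<const CowBackingStore*> elements;
  std::atomic<ElementsKind> kind;
  std::atomic<size_t> length;
  JSArray(const CowBackingStore* e, ElementsKind k, size_t l) : elements(e), kind(k), length(l) {}
};

// Compile-time snapshot: three separate reads, so the main thread may mutate
// the array between them and the three values need not be consistent.
struct Snapshot { const CowBackingStore* elements; ElementsKind kind; size_t length; };
Snapshot TakeSnapshot(const JSArray& a) { return {a.elements.load(), a.kind.load(), a.length.load()}; }

// Model of GetOwnCowElement: every object read is passed in explicitly. Because
// the arguments may disagree, the index is also checked against the store's own size.
std::optional<int> GetOwnCowElement(const CowBackingStore* elements, ElementsKind kind,
                                    size_t length, size_t index) {
  if (kind == ElementsKind::kNonCow) return std::nullopt;    // only COW stores are immutable
  if (index >= length) return std::nullopt;                  // outside the array's length
  if (index >= elements->values.size()) return std::nullopt; // torn snapshot: stale store
  return elements->values[index];
}

// Runtime guard emitted with the optimized code: the folded value stays valid
// only while the array still references the backing store the compiler saw.
bool ElementsGuardHolds(const JSArray& a, const Snapshot& s) { return a.elements.load() == s.elements; }

// Scenario: consistent snapshot folds element 1; then the main thread grows the
// array, the guard fails, and a torn snapshot must not read past the old store.
bool Scenario() {
  CowBackingStore small{{10, 20, 30}};
  JSArray arr(&small, ElementsKind::kPackedSmi, 3);
  Snapshot s = TakeSnapshot(arr);
  if (GetOwnCowElement(s.elements, s.kind, s.length, 1) != 20) return false;
  CowBackingStore big{{10, 20, 30, 40, 50}};
  arr.elements.store(&big); arr.length.store(5);   // main-thread mutation
  if (ElementsGuardHolds(arr, s)) return false;    // stale snapshot: optimized code must bail out
  return !GetOwnCowElement(s.elements, s.kind, arr.length.load(), 4).has_value();
}
```

The last call in `Scenario` is the case the message warns about: a length read after the elements read, so the passed-in length exceeds what the stale backing store actually holds.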
js-heap-broker.cc 206 KB