[crankshaft] No need to rely on the @@hasInstance protector.

In Crankshaft we can actually do an abstract interpretation of the @@hasInstance lookup when optimizing instanceof and then use the normal machinery to protect the result instead of relying on the global @@hasInstance protector cell for optimizations. This recovers the 100x performance drop in Node.js v7 reported in https://github.com/nodejs/node/issues/9634. This patch should be easily back-mergable to Node.js v7. BUG=v8:5640 R=yangguo@chromium.org,franzih@chromium.org Review-Url: https://codereview.chromium.org/2504263004 Cr-Commit-Position: refs/heads/master@{#41059}

[crankshaft] No need to rely on the @@hasInstance protector.
In Crankshaft we can actually do an abstract interpretation of the @@hasInstance lookup when optimizing instanceof and then use the normal machinery to protect the result instead of relying on the global @@hasInstance protector cell for optimizations. This recovers the 100x performance drop in Node.js v7 reported in https://github.com/nodejs/node/issues/9634. This patch should be easily back-mergable to Node.js v7. BUG=v8:5640 R=yangguo@chromium.org,franzih@chromium.org Review-Url: https://codereview.chromium.org/2504263004 Cr-Commit-Position: refs/heads/master@{#41059}
08377af9 · bmeurer · Commit bot · b8c2035f · 08377af9 · 08377af9
Commit 08377af9 authored Nov 17, 2016 by bmeurer Committed by Commit bot Nov 17, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 18 deletions

bootstrapper.cc src/bootstrapper.cc +1 -0

contexts.h src/contexts.h +1 -0

hydrogen.cc src/crankshaft/hydrogen.cc +31 -18

No files found.
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -1257,6 +1257,7 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
        JSObject::kHeaderSize, MaybeHandle<JSObject>(),
        Builtins::kFunctionPrototypeHasInstance,
        static_cast<PropertyAttributes>(DONT_ENUM | DONT_DELETE | READ_ONLY));
+    native_context()->set_function_has_instance(*has_instance);

    // Set the expected parameters for @@hasInstance to 1; required by builtin.
    has_instance->shared()->set_internal_formal_parameter_count(1);

--- a/src/contexts.h
+++ b/src/contexts.h
@@ -88,6 +88,7 @@ enum ContextLookupFlags {
  V(MAP_GET_METHOD_INDEX, JSFunction, map_get)                            \
  V(MAP_HAS_METHOD_INDEX, JSFunction, map_has)                            \
  V(MAP_SET_METHOD_INDEX, JSFunction, map_set)                            \
+  V(FUNCTION_HAS_INSTANCE_INDEX, JSFunction, function_has_instance)       \
  V(OBJECT_VALUE_OF, JSFunction, object_value_of)                         \
  V(OBJECT_TO_STRING, JSFunction, object_to_string)                       \
  V(PROMISE_CATCH_INDEX, JSFunction, promise_catch)                       \

--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@@ -11207,24 +11207,37 @@ void HOptimizedGraphBuilder::VisitCompareOperation(CompareOperation* expr) {
        HConstant::cast(right)->handle(isolate())->IsJSFunction()) {
      Handle<JSFunction> function =
          Handle<JSFunction>::cast(HConstant::cast(right)->handle(isolate()));
-      // Make sure the prototype of {function} is the %FunctionPrototype%, and
-      // it already has a meaningful initial map (i.e. we constructed at least
-      // one instance using the constructor {function}).
-      // We can only use the fast case if @@hasInstance was not used so far.
-      if (function->has_initial_map() &&
-          function->map()->prototype() ==
-              function->native_context()->closure() &&
-          !function->map()->has_non_instance_prototype() &&
-          isolate()->IsHasInstanceLookupChainIntact()) {
-        Handle<Map> initial_map(function->initial_map(), isolate());
-        top_info()->dependencies()->AssumeInitialMapCantChange(initial_map);
-        top_info()->dependencies()->AssumePropertyCell(
-            isolate()->factory()->has_instance_protector());
-        HInstruction* prototype =
-            Add<HConstant>(handle(initial_map->prototype(), isolate()));
-        HHasInPrototypeChainAndBranch* result =
-            New<HHasInPrototypeChainAndBranch>(left, prototype);
-        return ast_context()->ReturnControl(result, expr->id());
+      // Make sure that the {function} already has a meaningful initial map
+      // (i.e. we constructed at least one instance using the constructor
+      // {function}).
+      if (function->has_initial_map()) {
+        // Lookup @@hasInstance on the {function}.
+        Handle<Map> function_map(function->map(), isolate());
+        PropertyAccessInfo has_instance(
+            this, LOAD, function_map,
+            isolate()->factory()->has_instance_symbol());
+        // Check if we are using the Function.prototype[@@hasInstance].
+        if (has_instance.CanAccessMonomorphic() &&
+            has_instance.IsDataConstant() &&
+            has_instance.constant().is_identical_to(
+                isolate()->function_has_instance())) {
+          // Add appropriate receiver map check and prototype chain
+          // checks to guard the @@hasInstance lookup chain.
+          AddCheckMap(right, function_map);
+          if (has_instance.has_holder()) {
+            Handle<JSObject> prototype(
+                JSObject::cast(has_instance.map()->prototype()), isolate());
+            BuildCheckPrototypeMaps(prototype, has_instance.holder());
+          }
+          // Perform the prototype chain walk.
+          Handle<Map> initial_map(function->initial_map(), isolate());
+          top_info()->dependencies()->AssumeInitialMapCantChange(initial_map);
+          HInstruction* prototype =
+              Add<HConstant>(handle(initial_map->prototype(), isolate()));
+          HHasInPrototypeChainAndBranch* result =
+              New<HHasInPrototypeChainAndBranch>(left, prototype);
+          return ast_context()->ReturnControl(result, expr->id());
+        }
      }
    }