[ic] Support js accessors on slow-mode objects

BUG=v8:5561

Change-Id: Ib344479dac691bc418fbedffffbfbc1380ddd369
Reviewed-on: https://chromium-review.googlesource.com/455937
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43888}

src/ic/accessor-assembler.cc

@@ -563,7 +563,7 @@ void AccessorAssembler::HandleLoadGlobalICHandlerCase(
   LoadICParameters p = *pp;
   DCHECK_NULL(p.receiver);
   Node* native_context = LoadNativeContext(p.context);
-  p.receiver = LoadContextElement(native_context, Context::EXTENSION_INDEX);
+  p.receiver = LoadContextElement(native_context, Context::GLOBAL_PROXY_INDEX);
 
   Variable var_holder(this, MachineRepresentation::kTagged);
   Variable var_smi_handler(this, MachineRepresentation::kTagged);
@@ -1911,8 +1911,10 @@ void AccessorAssembler::LoadGlobalIC_TryHandlerCase(const LoadICParameters* pp,
     LoadICParameters p = *pp;
     DCHECK_NULL(p.receiver);
     Node* native_context = LoadNativeContext(p.context);
-    p.receiver = LoadContextElement(native_context, Context::EXTENSION_INDEX);
-    HandleLoadICSmiHandlerCase(&p, p.receiver, handler, miss, exit_point,
+    p.receiver =
+        LoadContextElement(native_context, Context::GLOBAL_PROXY_INDEX);
+    Node* holder = LoadContextElement(native_context, Context::EXTENSION_INDEX);
+    HandleLoadICSmiHandlerCase(&p, holder, handler, miss, exit_point,
                                throw_reference_error_if_nonexistent,
                                kOnlyProperties);
   }
@@ -1928,7 +1930,7 @@ void AccessorAssembler::LoadGlobalIC_TryHandlerCase(const LoadICParameters* pp,
     LoadWithVectorDescriptor descriptor(isolate());
     Node* native_context = LoadNativeContext(pp->context);
     Node* receiver =
-        LoadContextElement(native_context, Context::EXTENSION_INDEX);
+        LoadContextElement(native_context, Context::GLOBAL_PROXY_INDEX);
     exit_point->ReturnCallStub(descriptor, handler, pp->context, receiver,
                                pp->name, pp->slot, pp->vector);
   }

src/ic/arm/handler-compiler-arm.cc

@@ -18,10 +18,9 @@ namespace internal {
 
 #define __ ACCESS_MASM(masm)
 
-
 void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     MacroAssembler* masm, Handle<Map> map, Register receiver, Register holder,
-    int accessor_index, int expected_arguments, Register scratch) {
+    int accessor_index, int expected_arguments) {
   // ----------- S t a t e -------------
   //  -- r0    : receiver
   //  -- r2    : name
@@ -34,15 +33,6 @@ void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     __ push(cp);
 
     if (accessor_index >= 0) {
-      DCHECK(!holder.is(scratch));
-      DCHECK(!receiver.is(scratch));
-      // Call the JavaScript getter with the receiver on the stack.
-      if (map->IsJSGlobalObjectMap()) {
-        // Swap in the global receiver.
-        __ ldr(scratch,
-               FieldMemOperand(receiver, JSGlobalObject::kGlobalProxyOffset));
-        receiver = scratch;
-      }
       __ push(receiver);
       __ LoadAccessor(r1, holder, accessor_index, ACCESSOR_GETTER);
       __ mov(r0, Operand(0));

src/ic/arm64/handler-compiler-arm64.cc

@@ -237,10 +237,9 @@ void NamedStoreHandlerCompiler::GenerateStoreViaSetter(
   __ Ret();
 }
 
-
 void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     MacroAssembler* masm, Handle<Map> map, Register receiver, Register holder,
-    int accessor_index, int expected_arguments, Register scratch) {
+    int accessor_index, int expected_arguments) {
   {
     FrameScope scope(masm, StackFrame::INTERNAL);
 
@@ -248,15 +247,6 @@ void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     __ Push(cp);
 
     if (accessor_index >= 0) {
-      DCHECK(!AreAliased(holder, scratch));
-      DCHECK(!AreAliased(receiver, scratch));
-      // Call the JavaScript getter with the receiver on the stack.
-      if (map->IsJSGlobalObjectMap()) {
-        // Swap in the global receiver.
-        __ Ldr(scratch,
-               FieldMemOperand(receiver, JSGlobalObject::kGlobalProxyOffset));
-        receiver = scratch;
-      }
       __ Push(receiver);
       __ LoadAccessor(x1, holder, accessor_index, ACCESSOR_GETTER);
       __ Mov(x0, 0);

src/ic/handler-compiler.cc

@@ -126,7 +126,7 @@ Handle<Code> NamedLoadHandlerCompiler::CompileLoadViaGetter(
     Handle<Name> name, int accessor_index, int expected_arguments) {
   Register holder = Frontend(name);
   GenerateLoadViaGetter(masm(), map(), receiver(), holder, accessor_index,
-                        expected_arguments, scratch2());
+                        expected_arguments);
   return GetCode(kind(), name);
 }
 

src/ic/handler-compiler.h

@@ -128,12 +128,10 @@ class NamedLoadHandlerCompiler : public PropertyHandlerCompiler {
 
   static void GenerateLoadViaGetter(MacroAssembler* masm, Handle<Map> map,
                                     Register receiver, Register holder,
-                                    int accessor_index, int expected_arguments,
-                                    Register scratch);
+                                    int accessor_index, int expected_arguments);
 
   static void GenerateLoadViaGetterForDeopt(MacroAssembler* masm) {
-    GenerateLoadViaGetter(masm, Handle<Map>::null(), no_reg, no_reg, -1, -1,
-                          no_reg);
+    GenerateLoadViaGetter(masm, Handle<Map>::null(), no_reg, no_reg, -1, -1);
   }
 
  protected:

src/ic/ia32/handler-compiler-ia32.cc

@@ -17,10 +17,9 @@ namespace internal {
 
 #define __ ACCESS_MASM(masm)
 
-
 void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     MacroAssembler* masm, Handle<Map> map, Register receiver, Register holder,
-    int accessor_index, int expected_arguments, Register scratch) {
+    int accessor_index, int expected_arguments) {
   {
     FrameScope scope(masm, StackFrame::INTERNAL);
 
@@ -28,15 +27,6 @@ void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     __ push(esi);
 
     if (accessor_index >= 0) {
-      DCHECK(!holder.is(scratch));
-      DCHECK(!receiver.is(scratch));
-      // Call the JavaScript getter with the receiver on the stack.
-      if (map->IsJSGlobalObjectMap()) {
-        // Swap in the global receiver.
-        __ mov(scratch,
-               FieldOperand(receiver, JSGlobalObject::kGlobalProxyOffset));
-        receiver = scratch;
-      }
       __ push(receiver);
       __ LoadAccessor(edi, holder, accessor_index, ACCESSOR_GETTER);
       __ Set(eax, 0);

src/ic/ic.cc

@@ -891,7 +891,10 @@ int InitPrototypeChecks(Isolate* isolate, Handle<Map> receiver_map,
     }
     checks_count++;
 
-  } else if (receiver_map->IsJSGlobalObjectMap()) {
+  } else if (receiver_map->IsJSGlobalObjectMap() &&
+             (holder.is_null() || holder->map() != *receiver_map)) {
+    // If we are creating a handler for [Load/Store]GlobalIC then we need to
+    // check that the property did not appear in the global object.
     if (fill_array) {
       Handle<JSGlobalObject> global = isolate->global_object();
       Handle<PropertyCell> cell = JSGlobalObject::EnsureEmptyPropertyCell(
@@ -1258,6 +1261,7 @@ Handle<Object> LoadIC::GetMapIndependentHandler(LookupIterator* lookup) {
       }
 
       if (receiver_is_holder) {
+        DCHECK(map->has_named_interceptor());
         TRACE_HANDLER_STATS(isolate(), LoadIC_LoadInterceptorDH);
         return smi_handler;
       }
@@ -1284,13 +1288,32 @@ Handle<Object> LoadIC::GetMapIndependentHandler(LookupIterator* lookup) {
           return ComputeHandler(lookup);
         }
 
-        if (!holder->HasFastProperties() ||
-            // When debugging we need to go the slow path to flood the accessor.
-            GetHostFunction()->shared()->HasDebugInfo()) {
+        // When debugging we need to go the slow path to flood the accessor.
+        if (GetHostFunction()->shared()->HasDebugInfo()) {
           TRACE_HANDLER_STATS(isolate(), LoadIC_SlowStub);
           return slow_stub();
         }
 
+        if (!holder->HasFastProperties()) {
+          // Global loads always need the extended data handler since it embeds
+          // the PropertyCell.
+          if (receiver_is_holder && !holder->IsJSGlobalObject()) {
+            TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalDH);
+            return LoadHandler::LoadNormal(isolate());
+          }
+
+          Handle<Smi> smi_handler;
+          if (holder->IsJSGlobalObject()) {
+            TRACE_HANDLER_STATS(isolate(), LoadIC_LoadGlobalFromPrototypeDH);
+            smi_handler = LoadHandler::LoadGlobal(isolate());
+          } else {
+            TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalFromPrototypeDH);
+            smi_handler = LoadHandler::LoadNormal(isolate());
+          }
+
+          return LoadFromPrototype(map, holder, lookup->name(), smi_handler);
+        }
+
         Handle<Object> getter(AccessorPair::cast(*accessors)->getter(),
                               isolate());
         if (getter->IsJSFunction()) {
@@ -2490,7 +2513,8 @@ RUNTIME_FUNCTION(Runtime_LoadIC_Miss) {
     RETURN_RESULT_OR_FAILURE(isolate, ic.Load(receiver, key));
 
   } else if (IsLoadGlobalICKind(kind)) {
-    DCHECK_EQ(*isolate->global_object(), *receiver);
+    DCHECK_EQ(isolate->native_context()->global_proxy(), *receiver);
+    receiver = isolate->global_object();
     LoadGlobalICNexus nexus(vector, vector_slot);
     LoadGlobalIC ic(isolate, &nexus);
     ic.UpdateState(receiver, key);

src/ic/mips/handler-compiler-mips.cc

@@ -17,10 +17,9 @@ namespace internal {
 
 #define __ ACCESS_MASM(masm)
 
-
 void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     MacroAssembler* masm, Handle<Map> map, Register receiver, Register holder,
-    int accessor_index, int expected_arguments, Register scratch) {
+    int accessor_index, int expected_arguments) {
   // ----------- S t a t e -------------
   //  -- a0    : receiver
   //  -- a2    : name
@@ -33,15 +32,6 @@ void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     __ push(cp);
 
     if (accessor_index >= 0) {
-      DCHECK(!holder.is(scratch));
-      DCHECK(!receiver.is(scratch));
-      // Call the JavaScript getter with the receiver on the stack.
-      if (map->IsJSGlobalObjectMap()) {
-        // Swap in the global receiver.
-        __ lw(scratch,
-              FieldMemOperand(receiver, JSGlobalObject::kGlobalProxyOffset));
-        receiver = scratch;
-      }
       __ push(receiver);
       __ LoadAccessor(a1, holder, accessor_index, ACCESSOR_GETTER);
       __ li(a0, Operand(0));

src/ic/mips64/handler-compiler-mips64.cc

@@ -17,10 +17,9 @@ namespace internal {
 
 #define __ ACCESS_MASM(masm)
 
-
 void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     MacroAssembler* masm, Handle<Map> map, Register receiver, Register holder,
-    int accessor_index, int expected_arguments, Register scratch) {
+    int accessor_index, int expected_arguments) {
   // ----------- S t a t e -------------
   //  -- a0    : receiver
   //  -- a2    : name
@@ -33,15 +32,6 @@ void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     __ push(cp);
 
     if (accessor_index >= 0) {
-      DCHECK(!holder.is(scratch));
-      DCHECK(!receiver.is(scratch));
-      // Call the JavaScript getter with the receiver on the stack.
-      if (map->IsJSGlobalObjectMap()) {
-        // Swap in the global receiver.
-        __ ld(scratch,
-              FieldMemOperand(receiver, JSGlobalObject::kGlobalProxyOffset));
-        receiver = scratch;
-      }
       __ push(receiver);
       __ LoadAccessor(a1, holder, accessor_index, ACCESSOR_GETTER);
       __ li(a0, Operand(V8_INT64_C(0)));

src/ic/ppc/handler-compiler-ppc.cc

@@ -17,10 +17,9 @@ namespace internal {
 
 #define __ ACCESS_MASM(masm)
 
-
 void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     MacroAssembler* masm, Handle<Map> map, Register receiver, Register holder,
-    int accessor_index, int expected_arguments, Register scratch) {
+    int accessor_index, int expected_arguments) {
   // ----------- S t a t e -------------
   //  -- r3    : receiver
   //  -- r5    : name
@@ -33,15 +32,6 @@ void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     __ push(cp);
 
     if (accessor_index >= 0) {
-      DCHECK(!holder.is(scratch));
-      DCHECK(!receiver.is(scratch));
-      // Call the JavaScript getter with the receiver on the stack.
-      if (map->IsJSGlobalObjectMap()) {
-        // Swap in the global receiver.
-        __ LoadP(scratch,
-                 FieldMemOperand(receiver, JSGlobalObject::kGlobalProxyOffset));
-        receiver = scratch;
-      }
       __ push(receiver);
       __ LoadAccessor(r4, holder, accessor_index, ACCESSOR_GETTER);
       __ li(r3, Operand::Zero());

src/ic/s390/handler-compiler-s390.cc

@@ -19,7 +19,7 @@ namespace internal {
 
 void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     MacroAssembler* masm, Handle<Map> map, Register receiver, Register holder,
-    int accessor_index, int expected_arguments, Register scratch) {
+    int accessor_index, int expected_arguments) {
   // ----------- S t a t e -------------
   //  -- r2    : receiver
   //  -- r4    : name
@@ -32,15 +32,6 @@ void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     __ push(cp);
 
     if (accessor_index >= 0) {
-      DCHECK(!holder.is(scratch));
-      DCHECK(!receiver.is(scratch));
-      // Call the JavaScript getter with the receiver on the stack.
-      if (map->IsJSGlobalObjectMap()) {
-        // Swap in the global receiver.
-        __ LoadP(scratch,
-                 FieldMemOperand(receiver, JSGlobalObject::kGlobalProxyOffset));
-        receiver = scratch;
-      }
       __ Push(receiver);
       __ LoadAccessor(r3, holder, accessor_index, ACCESSOR_GETTER);
       __ LoadImmP(r2, Operand::Zero());

src/ic/x64/handler-compiler-x64.cc

@@ -232,10 +232,9 @@ void NamedStoreHandlerCompiler::GenerateStoreViaSetter(
   __ ret(0);
 }
 
-
 void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     MacroAssembler* masm, Handle<Map> map, Register receiver, Register holder,
-    int accessor_index, int expected_arguments, Register scratch) {
+    int accessor_index, int expected_arguments) {
   // ----------- S t a t e -------------
   //  -- rax    : receiver
   //  -- rcx    : name
@@ -248,15 +247,6 @@ void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     __ pushq(rsi);
 
     if (accessor_index >= 0) {
-      DCHECK(!holder.is(scratch));
-      DCHECK(!receiver.is(scratch));
-      // Call the JavaScript getter with the receiver on the stack.
-      if (map->IsJSGlobalObjectMap()) {
-        // Swap in the global receiver.
-        __ movp(scratch,
-                FieldOperand(receiver, JSGlobalObject::kGlobalProxyOffset));
-        receiver = scratch;
-      }
       __ Push(receiver);
       __ LoadAccessor(rdi, holder, accessor_index, ACCESSOR_GETTER);
       __ Set(rax, 0);

src/ic/x87/handler-compiler-x87.cc

@@ -17,10 +17,9 @@ namespace internal {
 
 #define __ ACCESS_MASM(masm)
 
-
 void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     MacroAssembler* masm, Handle<Map> map, Register receiver, Register holder,
-    int accessor_index, int expected_arguments, Register scratch) {
+    int accessor_index, int expected_arguments) {
   {
     FrameScope scope(masm, StackFrame::INTERNAL);
 
@@ -28,15 +27,6 @@ void NamedLoadHandlerCompiler::GenerateLoadViaGetter(
     __ push(esi);
 
     if (accessor_index >= 0) {
-      DCHECK(!holder.is(scratch));
-      DCHECK(!receiver.is(scratch));
-      // Call the JavaScript getter with the receiver on the stack.
-      if (map->IsJSGlobalObjectMap()) {
-        // Swap in the global receiver.
-        __ mov(scratch,
-               FieldOperand(receiver, JSGlobalObject::kGlobalProxyOffset));
-        receiver = scratch;
-      }
       __ push(receiver);
       __ LoadAccessor(edi, holder, accessor_index, ACCESSOR_GETTER);
       __ Set(eax, 0);