Commit 38b48918 authored by Benedikt Meurer's avatar Benedikt Meurer Committed by Commit Bot

[ic] Transition to MEGAMORPHIC when (map, handler) stays the same.

The change in https://chromium-review.googlesource.com/695108 flushed
out an issue with the IC::UpdatePolymorphicIC logic, where we'd try to
stay MONOMORPHIC or POLYMORPHIC as long as the internalized name doesn't
change. But the calling code already does the internalization for keyed
accesses with Strings, so we need to double check that the same
combination of (map, handler) is not already in the list, and properly
go to MEGAMORPHIC state if there's such a pair already.

This seriously tanked the six-speed-object-literals-ext-es5.js benchmark
on AWFY.

Bug: v8:6367, v8:6278, v8:6344
Change-Id: I90ea88d1fe61c165990c0a10d4a8687ffe351986
Reviewed-on: https://chromium-review.googlesource.com/695307Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48268}
parent 0c93ef35
...@@ -512,6 +512,7 @@ bool IC::UpdatePolymorphicIC(Handle<Name> name, Handle<Object> handler) { ...@@ -512,6 +512,7 @@ bool IC::UpdatePolymorphicIC(Handle<Name> name, Handle<Object> handler) {
int number_of_maps = static_cast<int>(maps.size()); int number_of_maps = static_cast<int>(maps.size());
int deprecated_maps = 0; int deprecated_maps = 0;
int handler_to_overwrite = -1; int handler_to_overwrite = -1;
if (!nexus()->FindHandlers(&handlers, number_of_maps)) return false;
for (int i = 0; i < number_of_maps; i++) { for (int i = 0; i < number_of_maps; i++) {
Handle<Map> current_map = maps.at(i); Handle<Map> current_map = maps.at(i);
...@@ -519,6 +520,10 @@ bool IC::UpdatePolymorphicIC(Handle<Name> name, Handle<Object> handler) { ...@@ -519,6 +520,10 @@ bool IC::UpdatePolymorphicIC(Handle<Name> name, Handle<Object> handler) {
// Filter out deprecated maps to ensure their instances get migrated. // Filter out deprecated maps to ensure their instances get migrated.
++deprecated_maps; ++deprecated_maps;
} else if (map.is_identical_to(current_map)) { } else if (map.is_identical_to(current_map)) {
// If both map and handler stayed the same (and the name is also the
// same as checked above, for keyed accesses), we're not progressing
// in the lattice and need to go MEGAMORPHIC instead.
if (handler.is_identical_to(handlers[i])) return false;
// If the receiver type is already in the polymorphic IC, this indicates // If the receiver type is already in the polymorphic IC, this indicates
// there was a prototoype chain failure. In that case, just overwrite the // there was a prototoype chain failure. In that case, just overwrite the
// handler. // handler.
...@@ -536,9 +541,6 @@ bool IC::UpdatePolymorphicIC(Handle<Name> name, Handle<Object> handler) { ...@@ -536,9 +541,6 @@ bool IC::UpdatePolymorphicIC(Handle<Name> name, Handle<Object> handler) {
if (number_of_maps == 0 && state() != MONOMORPHIC && state() != POLYMORPHIC) { if (number_of_maps == 0 && state() != MONOMORPHIC && state() != POLYMORPHIC) {
return false; return false;
} }
if (!nexus()->FindHandlers(&handlers, static_cast<int>(maps.size()))) {
return false;
}
number_of_valid_maps++; number_of_valid_maps++;
if (number_of_valid_maps == 1) { if (number_of_valid_maps == 1) {
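Review bot: The new early return `if (handler.is_identical_to(handlers[i])) return false;` indexes `handlers` unchecked, while the map on the same iteration is read through the bounds-checked `maps.at(i)`. The loop therefore depends on the hoisted `FindHandlers(&handlers, number_of_maps)` call having produced exactly one handler per map, in the same order as `maps`. That contract is not visible here, because the declaration of `handlers` and the body of FindHandlers lie outside these hunks, as do the start and end of UpdatePolymorphicIC. If a `true` return does guarantee it, I would state that next to the call with a comment such as `// On success, handlers[i] is the handler registered for maps.at(i) for all i < number_of_maps.` and back it with a debug-only length assertion. A later change to FindHandlers would then fail loudly instead of turning this comparison into an out-of-range read.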
......