[maglev] Depend on stable protos up to validity cell

Inline DependOnStablePrototypeChain to iterate only those maps which share a validity cell with the receiver map. This resolves an issue where maps after the holder object violate the stability invariants, but doesn't require looking up what the actual holder is. Bug: v8:7700 Change-Id: Id06f0d13660f547e14dd25085799c0e6223c34b9 Fixed: chromium:1359215 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871298 Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/main@{#82964}

[maglev] Depend on stable protos up to validity cell
Inline DependOnStablePrototypeChain to iterate only those maps which share a validity cell with the receiver map. This resolves an issue where maps after the holder object violate the stability invariants, but doesn't require looking up what the actual holder is. Bug: v8:7700 Change-Id: Id06f0d13660f547e14dd25085799c0e6223c34b9 Fixed: chromium:1359215 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871298 Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/main@{#82964}
3f9f1eee · Leszek Swirski · V8 LUCI CQ · 271bd086 · 3f9f1eee · 3f9f1eee
Commit 3f9f1eee authored Sep 02, 2022 by Leszek Swirski Committed by V8 LUCI CQ Sep 05, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 53 additions and 2 deletions

maglev-graph-builder.cc src/maglev/maglev-graph-builder.cc +17 -2

constant-in-proto-proxy-after-holder.js test/mjsunit/maglev/constant-in-proto-proxy-after-holder.js +36 -0

No files found.
--- a/src/maglev/maglev-graph-builder.cc
+++ b/src/maglev/maglev-graph-builder.cc
@@ -1057,8 +1057,23 @@ bool MaglevGraphBuilder::TryBuildMonomorphicLoadFromLoadHandler(

  Object validity_cell = handler.validity_cell(local_isolate_);
  if (validity_cell.IsCell(local_isolate_)) {
-    broker()->dependencies()->DependOnStablePrototypeChain(
-        map, kStartAtPrototype, base::nullopt);
+    compiler::MapRef receiver_map = map;
+    if (receiver_map.IsPrimitiveMap()) {
+      // Perform the implicit ToObject for primitives here.
+      // Implemented according to ES6 section 7.3.2 GetV (V, P).
+      // Note: Keep sync'd with AccessInfoFactory::ComputePropertyAccessInfo.
+      base::Optional<compiler::JSFunctionRef> constructor =
+          broker()->target_native_context().GetConstructorFunction(
+              receiver_map);
+      receiver_map = constructor.value().initial_map(broker()->dependencies());
+    }
+
+    compiler::MapRef proto_map = receiver_map.prototype().map();
+    while (proto_map.object()->prototype_validity_cell(local_isolate_) ==
+           validity_cell) {
+      broker()->dependencies()->DependOnStableMap(proto_map);
+      proto_map = proto_map.prototype().map();
+    }
  } else {
    DCHECK_EQ(Smi::ToInt(validity_cell), Map::kPrototypeChainValid);
  }

--- a/test/mjsunit/maglev/constant-in-proto-proxy-after-holder.js
+++ b/test/mjsunit/maglev/constant-in-proto-proxy-after-holder.js
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --maglev --allow-natives-syntax
+
+function foo(bar) {
+  return bar.func();
+}
+class Bar {
+  func() {}
+}
+Bar.prototype.__proto__ = new Proxy(Bar.prototype.__proto__, {
+  get() {;
+    return "42";
+  }
+});
+%PrepareFunctionForOptimization(foo);
+foo(new Bar());
+foo(new Bar());
+%OptimizeMaglevOnNextCall(foo);
+foo(new Bar());
+
+function foo_primitive(s) {
+  return s.substring();
+}
+String.prototype.__proto__ = new Proxy(String.prototype.__proto__, {
+  get() {;
+    return "42";
+  }
+});
+%PrepareFunctionForOptimization(foo_primitive);
+foo_primitive("");
+foo_primitive("");
+%OptimizeMaglevOnNextCall(foo_primitive);
+foo_primitive("");