[ptr-compr] Pass Isolate to JSObject::[Try]MigrateInstance()

Bug: v8:9353 Change-Id: If184e02eef8cda459a3aa02ef8bee5c337177d30 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648264Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#62088}

[ptr-compr] Pass Isolate to JSObject::[Try]MigrateInstance()
Bug: v8:9353 Change-Id: If184e02eef8cda459a3aa02ef8bee5c337177d30 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648264Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#62088}
4672bea5 · Igor Sheludko · Commit Bot · e34a2362 · 4672bea5 · 4672bea5
Commit 4672bea5 authored Jun 11, 2019 by Igor Sheludko Committed by Commit Bot Jun 11, 2019
7 changed files
--- a/src/compiler/access-info.cc
+++ b/src/compiler/access-info.cc
@@ -569,7 +569,7 @@ PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(
    if (map_prototype->map().is_deprecated()) {
      // Try to migrate the prototype object so we don't embed the deprecated
      // map into the optimized code.
-      JSObject::TryMigrateInstance(map_prototype);
+      JSObject::TryMigrateInstance(isolate(), map_prototype);
    }
    map = handle(map_prototype->map(), isolate());
    holder = map_prototype;

--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@@ -674,14 +674,15 @@ bool IsFastLiteralHelper(Handle<JSObject> boilerplate, int max_depth,
  DCHECK_GE(max_depth, 0);
  DCHECK_GE(*max_properties, 0);

+  Isolate* const isolate = boilerplate->GetIsolate();
+
  // Make sure the boilerplate map is not deprecated.
-  if (!JSObject::TryMigrateInstance(boilerplate)) return false;
+  if (!JSObject::TryMigrateInstance(isolate, boilerplate)) return false;

  // Check for too deep nesting.
  if (max_depth == 0) return false;

  // Check the elements.
-  Isolate* const isolate = boilerplate->GetIsolate();
  Handle<FixedArrayBase> elements(boilerplate->elements(), isolate);
  if (elements->length() > 0 &&
      elements->map() != ReadOnlyRoots(isolate).fixed_cow_array_map()) {

--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -318,14 +318,18 @@ void IC::OnFeedbackChanged(Isolate* isolate, FeedbackVector vector,
  isolate->runtime_profiler()->NotifyICChanged();
 }

-static bool MigrateDeprecated(Handle<Object> object) {
+namespace {
+
+bool MigrateDeprecated(Isolate* isolate, Handle<Object> object) {
  if (!object->IsJSObject()) return false;
  Handle<JSObject> receiver = Handle<JSObject>::cast(object);
  if (!receiver->map().is_deprecated()) return false;
-  JSObject::MigrateInstance(Handle<JSObject>::cast(object));
+  JSObject::MigrateInstance(isolate, receiver);
  return true;
 }

+}  // namespace
+
 bool IC::ConfigureVectorState(IC::State new_state, Handle<Object> key) {
  DCHECK_EQ(MEGAMORPHIC, new_state);
  DCHECK_IMPLIES(!is_keyed(), key->IsName());
@@ -394,7 +398,7 @@ MaybeHandle<Object> LoadIC::Load(Handle<Object> object, Handle<Name> name) {
                     object, name);
  }

-  if (MigrateDeprecated(object)) use_ic = false;
+  if (MigrateDeprecated(isolate(), object)) use_ic = false;

  if (state() != UNINITIALIZED) {
    JSObject::MakePrototypesFast(object, kStartAtReceiver, isolate());
@@ -1227,7 +1231,7 @@ MaybeHandle<Object> KeyedLoadIC::RuntimeLoad(Handle<Object> object,

 MaybeHandle<Object> KeyedLoadIC::Load(Handle<Object> object,
                                      Handle<Object> key) {
-  if (MigrateDeprecated(object)) {
+  if (MigrateDeprecated(isolate(), object)) {
    return RuntimeLoad(object, key);
  }

@@ -1387,7 +1391,7 @@ MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name> name,
                                   StoreOrigin store_origin) {
  // TODO(verwaest): Let SetProperty do the migration, since storing a property
  // might deprecate the current map again, if value does not fit.
-  if (MigrateDeprecated(object)) {
+  if (MigrateDeprecated(isolate(), object)) {
    Handle<Object> result;
    ASSIGN_RETURN_ON_EXCEPTION(
        isolate(), result, Object::SetProperty(isolate(), object, name, value),
@@ -1955,7 +1959,7 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
                                        Handle<Object> value) {
  // TODO(verwaest): Let SetProperty do the migration, since storing a property
  // might deprecate the current map again, if value does not fit.
-  if (MigrateDeprecated(object)) {
+  if (MigrateDeprecated(isolate(), object)) {
    Handle<Object> result;
    ASSIGN_RETURN_ON_EXCEPTION(
        isolate(), result,
@@ -2091,7 +2095,8 @@ void StoreInArrayLiteralIC::Store(Handle<JSArray> array, Handle<Object> index,
  DCHECK(!array->map().IsMapInArrayPrototypeChain(isolate()));
  DCHECK(index->IsNumber());

-  if (!FLAG_use_ic || state() == NO_FEEDBACK || MigrateDeprecated(array)) {
+  if (!FLAG_use_ic || state() == NO_FEEDBACK ||
+      MigrateDeprecated(isolate(), array)) {
    StoreOwnElement(isolate(), array, index, value);
    TraceIC("StoreInArrayLiteralIC", index);
    return;
@@ -2598,7 +2603,7 @@ RUNTIME_FUNCTION(Runtime_CloneObjectIC_Miss) {
  Handle<Object> source = args.at<Object>(0);
  int flags = args.smi_at(1);

-  if (MigrateDeprecated(source)) {
+  if (MigrateDeprecated(isolate, source)) {
    FeedbackSlot slot = FeedbackVector::ToSlot(args.smi_at(2));
    Handle<HeapObject> maybe_vector = args.at<HeapObject>(3);
    if (maybe_vector->IsFeedbackVector()) {

--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@@ -194,15 +194,16 @@ V8_WARN_UNUSED_RESULT Maybe<bool> FastAssign(
    return Just(!source->IsString() || String::cast(*source).length() == 0);
  }

+  Isolate* isolate = target->GetIsolate();
+
  // If the target is deprecated, the object will be updated on first store. If
  // the source for that store equals the target, this will invalidate the
  // cached representation of the source. Preventively upgrade the target.
  // Do this on each iteration since any property load could cause deprecation.
  if (target->map().is_deprecated()) {
-    JSObject::MigrateInstance(Handle<JSObject>::cast(target));
+    JSObject::MigrateInstance(isolate, Handle<JSObject>::cast(target));
  }

-  Isolate* isolate = target->GetIsolate();
  Handle<Map> map(JSReceiver::cast(*source).map(), isolate);

  if (!map->IsJSObjectMap()) return Just(false);
@@ -3068,8 +3069,7 @@ void JSObject::AllocateStorageForMap(Handle<JSObject> object, Handle<Map> map) {
  object->synchronized_set_map(*map);
 }

-void JSObject::MigrateInstance(Handle<JSObject> object) {
-  Isolate* isolate = object->GetIsolate();
+void JSObject::MigrateInstance(Isolate* isolate, Handle<JSObject> object) {
  Handle<Map> original_map(object->map(), isolate);
  Handle<Map> map = Map::Update(isolate, original_map);
  map->set_is_migration_target(true);
@@ -3085,8 +3085,7 @@ void JSObject::MigrateInstance(Handle<JSObject> object) {
 }

 // static
-bool JSObject::TryMigrateInstance(Handle<JSObject> object) {
-  Isolate* isolate = object->GetIsolate();
+bool JSObject::TryMigrateInstance(Isolate* isolate, Handle<JSObject> object) {
  DisallowDeoptimization no_deoptimization(isolate);
  Handle<Map> original_map(object->map(), isolate);
  Handle<Map> new_map;

--- a/src/objects/js-objects.h
+++ b/src/objects/js-objects.h
@@ -431,11 +431,11 @@ class JSObject : public JSReceiver {

  // Migrates the given object to a map whose field representations are the
  // lowest upper bound of all known representations for that field.
-  static void MigrateInstance(Handle<JSObject> instance);
+  static void MigrateInstance(Isolate* isolate, Handle<JSObject> instance);

  // Migrates the given object only if the target map is already available,
  // or returns false if such a map is not yet available.
-  static bool TryMigrateInstance(Handle<JSObject> instance);
+  static bool TryMigrateInstance(Isolate* isolate, Handle<JSObject> instance);

  // Sets the property value in a normalized object given (key, value, details).
  // Handles the special representation of JS global objects.

--- a/src/runtime/runtime-literals.cc
+++ b/src/runtime/runtime-literals.cc
@@ -87,7 +87,7 @@ MaybeHandle<JSObject> JSObjectWalkVisitor<ContextObject>::StructureWalk(
  }

  if (object->map().is_deprecated()) {
-    JSObject::MigrateInstance(object);
+    JSObject::MigrateInstance(isolate, object);
  }

  Handle<JSObject> copy;

--- a/src/runtime/runtime-object.cc
+++ b/src/runtime/runtime-object.cc
@@ -799,7 +799,7 @@ RUNTIME_FUNCTION(Runtime_TryMigrateInstance) {
  // code where we can't handle lazy deopts for lack of a suitable bailout
  // ID. So we just try migration and signal failure if necessary,
  // which will also trigger a deopt.
-  if (!JSObject::TryMigrateInstance(js_object)) return Smi::kZero;
+  if (!JSObject::TryMigrateInstance(isolate, js_object)) return Smi::kZero;
  return *object;
 }