[ic] Inline cache: Prevent deopt loop for keyed store on undefined

Change-Id: I83b2181323b311fb6994c6d2bed731357079ec1d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892060 Commit-Queue: Matthias Liedtke <mliedtke@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#83223}

[ic] Inline cache: Prevent deopt loop for keyed store on undefined
Change-Id: I83b2181323b311fb6994c6d2bed731357079ec1d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892060 Commit-Queue: Matthias Liedtke <mliedtke@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#83223}
604db85e · Matthias Liedtke · V8 LUCI CQ · caa087bb · 604db85e · 604db85e
Commit 604db85e authored Sep 15, 2022 by Matthias Liedtke Committed by V8 LUCI CQ Sep 15, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 72 additions and 7 deletions

ic.cc src/ic/ic.cc +11 -7

misc-ensure-no-deopt.js test/mjsunit/compiler/misc-ensure-no-deopt.js +61 -0

No files found.
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -19,6 +19,7 @@
 #include "src/execution/protectors-inl.h"
 #include "src/execution/tiering-manager.h"
 #include "src/handles/handles-inl.h"
+#include "src/handles/maybe-handles.h"
 #include "src/ic/call-optimization.h"
 #include "src/ic/handler-configuration-inl.h"
 #include "src/ic/ic-inl.h"
@@ -2571,16 +2572,19 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
  }

  DCHECK(store_handle.is_null());
-  ASSIGN_RETURN_ON_EXCEPTION(
-      isolate(), store_handle,
-      // TODO(v8:12548): refactor DefineKeyedOwnIC as a subclass of StoreIC
-      // so the logic doesn't get mixed here.
+  // TODO(v8:12548): refactor DefineKeyedOwnIC as a subclass of StoreIC
+  // so the logic doesn't get mixed here.
+  MaybeHandle<Object> result =
      IsDefineKeyedOwnIC()
          ? Runtime::DefineObjectOwnProperty(isolate(), object, key, value,
                                             StoreOrigin::kMaybeKeyed)
          : Runtime::SetObjectProperty(isolate(), object, key, value,
-                                       StoreOrigin::kMaybeKeyed),
-      Object);
+                                       StoreOrigin::kMaybeKeyed);
+  if (result.is_null()) {
+    DCHECK(isolate()->has_pending_exception());
+    set_slow_stub_reason("failed to set property");
+    use_ic = false;
+  }
  if (use_ic) {
    if (!old_receiver_map.is_null()) {
      if (is_arguments) {
@@ -2624,7 +2628,7 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
  }
  TraceIC("StoreIC", key);

-  return store_handle;
+  return result;
 }

 namespace {

--- a/test/mjsunit/compiler/get-iterator-deopt.js
+++ b/test/mjsunit/compiler/get-iterator-deopt.js
@@ -4,13 +4,15 @@

 // Flags: --allow-natives-syntax

-function throwsRepeated(fn, ErrorType) {
-  // Collect type feedback.
-  %PrepareFunctionForOptimization(fn);
-  for (let i = 0; i < 5; i++) assertThrows(fn, ErrorType);
-  // Force compilation and run.
-  %OptimizeFunctionOnNextCall(fn);
-  assertThrows(fn, ErrorType);
+function throwsRepeated(fn, ErrorType, required_compilation_count) {
+  for (let j = 0; j < (required_compilation_count ?? 1); j++) {
+    // Collect type feedback.
+    %PrepareFunctionForOptimization(fn);
+    for (let i = 0; i < 5; i++) assertThrows(fn, ErrorType);
+    // Force compilation and run.
+    %OptimizeFunctionOnNextCall(fn);
+    assertThrows(fn, ErrorType);
+  }
  // If the function isn't optimized / turbofan tier not available,
  // a deopt happened on the call above.
  assertEquals(%IsTurbofanEnabled(), %ActiveTierIsTurbofan(fn));
@@ -19,7 +21,7 @@ function throwsRepeated(fn, ErrorType) {
 function repeated(fn) {
  // Collect type feedback.
  %PrepareFunctionForOptimization(fn);
-  for (let i = 0; i < 5; i++) fn();
+  for (let i = 0; i < 2; i++) fn();
  // Force compilation and run.
  %OptimizeFunctionOnNextCall(fn);
  fn();
@@ -37,6 +39,23 @@ throwsRepeated(() => { for (let p of 5) { } }, TypeError);
 throwsRepeated(() => { for (let p of new Number(5)) { } }, TypeError);
 throwsRepeated(() => { for (let p of true) { } }, TypeError);
 throwsRepeated(() => { for (let p of new BigInt(123)) { } }, TypeError);
-throwsRepeated(() => { for (let p of new Symbol("symbol")) { } }, TypeError);
-throwsRepeated(function testUndef() { for (let p of undefined) { } }, TypeError);
+throwsRepeated(() => { for (let p of Symbol("symbol")) { } }, TypeError);
+throwsRepeated(() => { for (let p of undefined) { } }, TypeError);
 throwsRepeated(() => { for (let p of null) { } }, TypeError);
+
+throwsRepeated(() => (undefined).val = undefined, TypeError);
+throwsRepeated(() => (undefined)["test"] = undefined, TypeError);
+throwsRepeated(() => (undefined)[Symbol("test")] = undefined, TypeError);
+throwsRepeated(() => (undefined)[null] = undefined, TypeError);
+throwsRepeated(() => (undefined)[undefined] = undefined, TypeError);
+throwsRepeated(() => (undefined)[0] = undefined, TypeError);
+throwsRepeated(() => (undefined)[NaN] = undefined, TypeError);
+throwsRepeated(() => (null)[0] = undefined, TypeError);
+// BigInt.asIntN() deopts once but provides a better suitable compile result
+// on the second compilation which doesn't deopt any more.
+let compiles = 2;
+throwsRepeated(() => BigInt.asIntN(2, 2), TypeError, compiles);
+throwsRepeated(() => BigInt.asIntN(2, () => {}), SyntaxError, compiles);
+throwsRepeated(() => BigInt.asIntN(2, {some: Object}), SyntaxError, compiles);
+throwsRepeated(() => BigInt.asIntN(2, Symbol("test")), TypeError, compiles);
+throwsRepeated(() => BigInt.asIntN(2, null), TypeError, compiles);