[turbofan] Encapsulate some heap accesses.

This encapuslates some of the heap accesses done by JSNativeContextSpecialization::ReduceJSLoadGlobal and JSNativeContextSpecialization::ReduceJSStoreGlobal. Bug: v8:7790 Change-Id: Ib6c63903809927d6094af22519285cb9d0bbff7a Reviewed-on: https://chromium-review.googlesource.com/1106141Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#53845}

[turbofan] Encapsulate some heap accesses.
This encapuslates some of the heap accesses done by JSNativeContextSpecialization::ReduceJSLoadGlobal and JSNativeContextSpecialization::ReduceJSStoreGlobal. Bug: v8:7790 Change-Id: Ib6c63903809927d6094af22519285cb9d0bbff7a Reviewed-on: https://chromium-review.googlesource.com/1106141Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#53845}
78b5b32f · Georg Neis · Commit Bot · b78763a1 · 78b5b32f · 78b5b32f
Commit 78b5b32f authored Jun 19, 2018 by Georg Neis Committed by Commit Bot Jun 19, 2018
5 changed files
--- a/src/compiler/js-graph.h
+++ b/src/compiler/js-graph.h
@@ -56,6 +56,7 @@ class V8_EXPORT_PRIVATE JSGraph : public MachineGraph {
  Node* Constant(Handle<Object> value);

  // Like above, but doesn't access the heap directly.
+  // TODO(neis): Make the broker a member of JSGraph.
  Node* Constant(const JSHeapBroker* broker, const ObjectRef& value);

  // Creates a NumberConstant node, usually canonicalized.

--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@@ -29,6 +29,11 @@ ContextRef::ContextRef(Handle<Object> object) : HeapObjectRef(object) {
  SLOW_DCHECK(object->IsContext());
 }

+NativeContextRef::NativeContextRef(Handle<Object> object) : ContextRef(object) {
+  AllowHandleDereference handle_dereference;
+  SLOW_DCHECK(object->IsNativeContext());
+}
+
 bool ObjectRef::IsSmi() const {
  AllowHandleDereference allow_handle_dereference;
  return object_->IsSmi();
@@ -49,8 +54,7 @@ base::Optional<ContextRef> ContextRef::previous(
  return ContextRef(handle(previous, broker->isolate()));
 }

-base::Optional<ObjectRef> ContextRef::get(const JSHeapBroker* broker,
-                                          int index) const {
+ObjectRef ContextRef::get(const JSHeapBroker* broker, int index) const {
  AllowHandleAllocation handle_allocation;
  AllowHandleDereference handle_dereference;
  Handle<Object> value(object<Context>()->get(index), broker->isolate());
@@ -131,6 +135,42 @@ BuiltinFunctionId JSFunctionRef::GetBuiltinFunctionId() const {
  return object<JSFunction>()->shared()->builtin_function_id();
 }

+NameRef::NameRef(Handle<Object> object) : HeapObjectRef(object) {
+  AllowHandleDereference handle_dereference;
+  SLOW_DCHECK(object->IsName());
+}
+
+ScriptContextTableRef::ScriptContextTableRef(Handle<Object> object)
+    : HeapObjectRef(object) {
+  AllowHandleDereference handle_dereference;
+  SLOW_DCHECK(object->IsScriptContextTable());
+}
+
+base::Optional<ScriptContextTableRef::LookupResult>
+ScriptContextTableRef::lookup(const NameRef& name) const {
+  AllowHandleDereference handle_dereference;
+  if (!name.IsString()) return {};
+  ScriptContextTable::LookupResult lookup_result;
+  auto table = object<ScriptContextTable>();
+  if (!ScriptContextTable::Lookup(table, name.object<String>(),
+                                  &lookup_result)) {
+    return {};
+  }
+  Handle<Context> script_context =
+      ScriptContextTable::GetContext(table, lookup_result.context_index);
+  LookupResult result{ContextRef(script_context),
+                      lookup_result.mode == VariableMode::kConst,
+                      lookup_result.slot_index};
+  return result;
+}
+
+ScriptContextTableRef NativeContextRef::script_context_table(
+    const JSHeapBroker* broker) const {
+  AllowHandleDereference handle_dereference;
+  return ScriptContextTableRef(
+      handle(object<Context>()->script_context_table(), broker->isolate()));
+}
+
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8
--- a/src/compiler/js-heap-broker.h
+++ b/src/compiler/js-heap-broker.h
@@ -53,7 +53,11 @@ class HeapObjectType {
 #define HEAP_BROKER_DATA_LIST(V) \
  V(Context)                     \
  V(HeapNumber)                  \
-  V(JSFunction)
+  V(HeapObject)                  \
+  V(JSFunction)                  \
+  V(Name)                        \
+  V(NativeContext)               \
+  V(ScriptContextTable)

 #define HEAP_BROKER_KIND_LIST(V) \
  HEAP_BROKER_DATA_LIST(V)       \
@@ -97,6 +101,9 @@ class HeapObjectRef : public ObjectRef {
 public:
  explicit HeapObjectRef(Handle<Object> object);
  HeapObjectType type(const JSHeapBroker* broker) const;
+  HeapObjectType::OddballType oddball_type(const JSHeapBroker* broker) const {
+    return type(broker).oddball_type();
+  }

 private:
  friend class JSHeapBroker;
@@ -139,7 +146,31 @@ class ContextRef : public HeapObjectRef {
 public:
  explicit ContextRef(Handle<Object> object);
  base::Optional<ContextRef> previous(const JSHeapBroker* broker) const;
-  base::Optional<ObjectRef> get(const JSHeapBroker* broker, int index) const;
+  ObjectRef get(const JSHeapBroker* broker, int index) const;
+};
+
+class NativeContextRef : public ContextRef {
+ public:
+  explicit NativeContextRef(Handle<Object> object);
+  ScriptContextTableRef script_context_table(const JSHeapBroker* broker) const;
+};
+
+class NameRef : public HeapObjectRef {
+ public:
+  explicit NameRef(Handle<Object> object);
+};
+
+class ScriptContextTableRef : public HeapObjectRef {
+ public:
+  explicit ScriptContextTableRef(Handle<Object> object);
+
+  struct LookupResult {
+    ContextRef context;
+    bool immutable;
+    int index;
+  };
+
+  base::Optional<LookupResult> lookup(const NameRef& name) const;
 };

 }  // namespace compiler

--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -192,7 +192,8 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
  // Compute property access info for @@hasInstance on {receiver}.
  PropertyAccessInfo access_info;
  AccessInfoFactory access_info_factory(dependencies(), js_heap_broker(),
-                                        native_context(), graph()->zone());
+                                        native_context().object<Context>(),
+                                        graph()->zone());
  if (!access_info_factory.ComputePropertyAccessInfo(
          receiver_map, factory()->has_instance_symbol(), AccessMode::kLoad,
          &access_info)) {
@@ -209,7 +210,8 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
      Handle<JSObject> holder;
      if (access_info.holder().ToHandle(&holder)) {
        access_builder.AssumePrototypesStable(
-            native_context(), access_info.receiver_maps(), holder);
+            native_context().object<Context>(), access_info.receiver_maps(),
+            holder);
      }

      // Check that {constructor} is actually {receiver}.
@@ -233,8 +235,9 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
    // Determine actual holder and perform prototype chain checks.
    Handle<JSObject> holder;
    if (access_info.holder().ToHandle(&holder)) {
-      access_builder.AssumePrototypesStable(
-          native_context(), access_info.receiver_maps(), holder);
+      access_builder.AssumePrototypesStable(native_context().object<Context>(),
+                                            access_info.receiver_maps(),
+                                            holder);
    } else {
      holder = receiver;
    }
@@ -438,7 +441,8 @@ Reduction JSNativeContextSpecialization::ReduceJSPromiseResolve(Node* node) {

  // Check if the {constructor} is the %Promise% function.
  HeapObjectMatcher m(constructor);
-  if (!m.Is(handle(native_context()->promise_function(), isolate())))
+  if (!m.Is(handle(native_context().object<Context>()->promise_function(),
+                   isolate())))
    return NoChange();

  // Check if we know something about the {value}.
@@ -482,7 +486,8 @@ Reduction JSNativeContextSpecialization::ReduceJSResolvePromise(Node* node) {
  // Compute property access info for "then" on {resolution}.
  PropertyAccessInfo access_info;
  AccessInfoFactory access_info_factory(dependencies(), js_heap_broker(),
-                                        native_context(), graph()->zone());
+                                        native_context().object<Context>(),
+                                        graph()->zone());
  if (!access_info_factory.ComputePropertyAccessInfo(
          MapHandles(resolution_maps.begin(), resolution_maps.end()),
          factory()->then_string(), AccessMode::kLoad, &access_info)) {
@@ -497,7 +502,7 @@ Reduction JSNativeContextSpecialization::ReduceJSResolvePromise(Node* node) {
  // Add proper dependencies on the {resolution}s [[Prototype]]s.
  Handle<JSObject> holder;
  if (access_info.holder().ToHandle(&holder)) {
-    access_builder.AssumePrototypesStable(native_context(),
+    access_builder.AssumePrototypesStable(native_context().object<Context>(),
                                          access_info.receiver_maps(), holder);
  }

@@ -516,7 +521,7 @@ Reduction JSNativeContextSpecialization::ReduceJSLoadContext(Node* node) {
  // context (if any), so we can constant-fold those fields, which is
  // safe, since the NATIVE_CONTEXT_INDEX slot is always immutable.
  if (access.index() == Context::NATIVE_CONTEXT_INDEX) {
-    Node* value = jsgraph()->HeapConstant(native_context());
+    Node* value = jsgraph()->Constant(js_heap_broker(), native_context());
    ReplaceWithValue(node, value);
    return Replace(value);
  }
@@ -728,46 +733,60 @@ Reduction JSNativeContextSpecialization::ReduceGlobalAccess(

 Reduction JSNativeContextSpecialization::ReduceJSLoadGlobal(Node* node) {
  DCHECK_EQ(IrOpcode::kJSLoadGlobal, node->opcode());
-  Handle<Name> name = LoadGlobalParametersOf(node->op()).name();
+  NameRef name(LoadGlobalParametersOf(node->op()).name());
  Node* effect = NodeProperties::GetEffectInput(node);

  // Try to lookup the name on the script context table first (lexical scoping).
-  ScriptContextTableLookupResult result;
-  if (LookupInScriptContextTable(name, &result)) {
-    if (result.context->is_the_hole(isolate(), result.index)) return NoChange();
-    Node* context = jsgraph()->HeapConstant(result.context);
+  base::Optional<ScriptContextTableRef::LookupResult> result =
+      native_context().script_context_table(js_heap_broker()).lookup(name);
+  if (result) {
+    ObjectRef contents = result->context.get(js_heap_broker(), result->index);
+    if (contents.IsHeapObject() &&
+        contents.AsHeapObject().oddball_type(js_heap_broker()) ==
+            HeapObjectType::kHole) {
+      return NoChange();
+    }
+    Node* context = jsgraph()->Constant(js_heap_broker(), result->context);
    Node* value = effect = graph()->NewNode(
-        javascript()->LoadContext(0, result.index, result.immutable), context,
+        javascript()->LoadContext(0, result->index, result->immutable), context,
        effect);
    ReplaceWithValue(node, value, effect);
    return Replace(value);
  }

  // Lookup the {name} on the global object instead.
-  return ReduceGlobalAccess(node, nullptr, nullptr, name, AccessMode::kLoad);
+  return ReduceGlobalAccess(node, nullptr, nullptr, name.object<Name>(),
+                            AccessMode::kLoad);
 }

 Reduction JSNativeContextSpecialization::ReduceJSStoreGlobal(Node* node) {
  DCHECK_EQ(IrOpcode::kJSStoreGlobal, node->opcode());
-  Handle<Name> name = StoreGlobalParametersOf(node->op()).name();
+  NameRef name(StoreGlobalParametersOf(node->op()).name());
  Node* value = NodeProperties::GetValueInput(node, 0);
  Node* effect = NodeProperties::GetEffectInput(node);
  Node* control = NodeProperties::GetControlInput(node);

  // Try to lookup the name on the script context table first (lexical scoping).
-  ScriptContextTableLookupResult result;
-  if (LookupInScriptContextTable(name, &result)) {
-    if (result.context->is_the_hole(isolate(), result.index)) return NoChange();
-    if (result.immutable) return NoChange();
-    Node* context = jsgraph()->HeapConstant(result.context);
-    effect = graph()->NewNode(javascript()->StoreContext(0, result.index),
+  base::Optional<ScriptContextTableRef::LookupResult> result =
+      native_context().script_context_table(js_heap_broker()).lookup(name);
+  if (result) {
+    ObjectRef contents = result->context.get(js_heap_broker(), result->index);
+    if (contents.IsHeapObject() &&
+        contents.AsHeapObject().oddball_type(js_heap_broker()) ==
+            HeapObjectType::kHole) {
+      return NoChange();
+    }
+    if (result->immutable) return NoChange();
+    Node* context = jsgraph()->Constant(js_heap_broker(), result->context);
+    effect = graph()->NewNode(javascript()->StoreContext(0, result->index),
                              value, context, effect, control);
    ReplaceWithValue(node, value, effect, control);
    return Replace(value);
  }

  // Lookup the {name} on the global object instead.
-  return ReduceGlobalAccess(node, nullptr, value, name, AccessMode::kStore);
+  return ReduceGlobalAccess(node, nullptr, value, name.object<Name>(),
+                            AccessMode::kStore);
 }

 Reduction JSNativeContextSpecialization::ReduceNamedAccess(
@@ -794,7 +813,7 @@ Reduction JSNativeContextSpecialization::ReduceNamedAccess(
      // Detached global proxies have |null| as their constructor.
      if (maybe_constructor->IsJSFunction() &&
          JSFunction::cast(maybe_constructor)->native_context() ==
-              *native_context()) {
+              *native_context().object<Context>()) {
        return ReduceGlobalAccess(node, receiver, value, name, access_mode,
                                  index);
      }
@@ -803,7 +822,8 @@ Reduction JSNativeContextSpecialization::ReduceNamedAccess(

  // Compute property access infos for the receiver maps.
  AccessInfoFactory access_info_factory(dependencies(), js_heap_broker(),
-                                        native_context(), graph()->zone());
+                                        native_context().object<Context>(),
+                                        graph()->zone());
  ZoneVector<PropertyAccessInfo> access_infos(zone());
  if (!access_info_factory.ComputePropertyAccessInfos(
          receiver_maps, name, access_mode, &access_infos)) {
@@ -1167,7 +1187,8 @@ Reduction JSNativeContextSpecialization::ReduceElementAccess(
    // Retrieve the native context from the given {node}.
    // Compute element access infos for the receiver maps.
    AccessInfoFactory access_info_factory(dependencies(), js_heap_broker(),
-                                          native_context(), graph()->zone());
+                                          native_context().object<Context>(),
+                                          graph()->zone());
    ZoneVector<ElementAccessInfo> access_infos(zone());
    if (!access_info_factory.ComputeElementAccessInfos(
            receiver_maps, access_mode, &access_infos)) {
@@ -1759,7 +1780,7 @@ Node* JSNativeContextSpecialization::InlineApiCall(
  Node* code = jsgraph()->HeapConstant(call_api_callback.code());

  // Add CallApiCallbackStub's register argument as well.
-  Node* context = jsgraph()->Constant(native_context());
+  Node* context = jsgraph()->Constant(js_heap_broker(), native_context());
  Node* inputs[10] = {code,    context, data, holder, function_reference,
                      receiver};
  int index = 6 + argc;
@@ -1785,7 +1806,7 @@ JSNativeContextSpecialization::BuildPropertyLoad(
  Handle<JSObject> holder;
  PropertyAccessBuilder access_builder(jsgraph(), dependencies());
  if (access_info.holder().ToHandle(&holder)) {
-    access_builder.AssumePrototypesStable(native_context(),
+    access_builder.AssumePrototypesStable(native_context().object<Context>(),
                                          access_info.receiver_maps(), holder);
  }

@@ -1842,7 +1863,7 @@ JSNativeContextSpecialization::BuildPropertyStore(
  PropertyAccessBuilder access_builder(jsgraph(), dependencies());
  if (access_info.holder().ToHandle(&holder)) {
    DCHECK_NE(AccessMode::kStoreInLiteral, access_mode);
-    access_builder.AssumePrototypesStable(native_context(),
+    access_builder.AssumePrototypesStable(native_context().object<Context>(),
                                          access_info.receiver_maps(), holder);
  }

@@ -2066,7 +2087,8 @@ Reduction JSNativeContextSpecialization::ReduceJSStoreDataPropertyInLiteral(

  PropertyAccessInfo access_info;
  AccessInfoFactory access_info_factory(dependencies(), js_heap_broker(),
-                                        native_context(), graph()->zone());
+                                        native_context().object<Context>(),
+                                        graph()->zone());
  if (!access_info_factory.ComputePropertyAccessInfo(
          receiver_map, cached_name, AccessMode::kStoreInLiteral,
          &access_info)) {
@@ -2883,24 +2905,6 @@ MaybeHandle<Map> JSNativeContextSpecialization::InferReceiverRootMap(
  return MaybeHandle<Map>();
 }

-bool JSNativeContextSpecialization::LookupInScriptContextTable(
-    Handle<Name> name, ScriptContextTableLookupResult* result) {
-  if (!name->IsString()) return false;
-  Handle<ScriptContextTable> script_context_table(
-      global_object()->native_context()->script_context_table(), isolate());
-  ScriptContextTable::LookupResult lookup_result;
-  if (!ScriptContextTable::Lookup(script_context_table,
-                                  Handle<String>::cast(name), &lookup_result)) {
-    return false;
-  }
-  Handle<Context> script_context = ScriptContextTable::GetContext(
-      script_context_table, lookup_result.context_index);
-  result->context = script_context;
-  result->immutable = lookup_result.mode == VariableMode::kConst;
-  result->index = lookup_result.slot_index;
-  return true;
-}
-
 Graph* JSNativeContextSpecialization::graph() const {
  return jsgraph()->graph();
 }

--- a/src/compiler/js-native-context-specialization.h
+++ b/src/compiler/js-native-context-specialization.h
@@ -226,7 +226,7 @@ class JSNativeContextSpecialization final : public AdvancedReducer {
  Flags flags() const { return flags_; }
  Handle<JSGlobalObject> global_object() const { return global_object_; }
  Handle<JSGlobalProxy> global_proxy() const { return global_proxy_; }
-  Handle<Context> native_context() const { return native_context_; }
+  const NativeContextRef& native_context() const { return native_context_; }
  CompilationDependencies* dependencies() const { return dependencies_; }
  Zone* zone() const { return zone_; }

@@ -235,7 +235,7 @@ class JSNativeContextSpecialization final : public AdvancedReducer {
  Flags const flags_;
  Handle<JSGlobalObject> global_object_;
  Handle<JSGlobalProxy> global_proxy_;
-  Handle<Context> native_context_;
+  NativeContextRef native_context_;
  CompilationDependencies* const dependencies_;
  Zone* const zone_;
  TypeCache const& type_cache_;