[runtime][ic] Add CopyMutableHeapNumbersInObject helper

Factor out common loop for copying MutableHeapNumbers in newly copied
objects.

Bug: v8:10763
Change-Id: I6cf2fc52c9ac72253dceaba518deacfde9905a9c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2402035
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69825}

src/builtins/builtins-constructor-gen.cc

@@ -589,29 +589,7 @@ TNode<HeapObject> ConstructorBuiltinsAssembler::CreateShallowObjectLiteral(
             StoreObjectFieldNoWriteBarrier(copy, offset, field);
           },
           kTaggedSize, IndexAdvanceMode::kPost);
-      Comment("Copy mutable HeapNumber values");
-      BuildFastLoop<IntPtrT>(
-          offset.value(), instance_size,
-          [=](TNode<IntPtrT> offset) {
-            TNode<Object> field = LoadObjectField(copy, offset);
-            Label copy_heap_number(this, Label::kDeferred), continue_loop(this);
-            // We only have to clone complex field values.
-            GotoIf(TaggedIsSmi(field), &continue_loop);
-            // TODO(leszeks): Read the field descriptor to decide if this heap
-            // number is mutable or not.
-            Branch(IsHeapNumber(CAST(field)), &copy_heap_number,
-                   &continue_loop);
-            BIND(&copy_heap_number);
-            {
-              TNode<Float64T> double_value = LoadHeapNumberValue(CAST(field));
-              TNode<HeapNumber> heap_number =
-                  AllocateHeapNumberWithValue(double_value);
-              StoreObjectField(copy, offset, heap_number);
-              Goto(&continue_loop);
-            }
-            BIND(&continue_loop);
-          },
-          kTaggedSize, IndexAdvanceMode::kPost);
+      CopyMutableHeapNumbersInObject(copy, offset.value(), instance_size);
       Goto(&done_init);
     }
     BIND(&done_init);
@@ -634,5 +612,35 @@ TNode<JSObject> ConstructorBuiltinsAssembler::CreateEmptyObjectLiteral(
   return result;
 }
 
+void ConstructorBuiltinsAssembler::CopyMutableHeapNumbersInObject(
+    TNode<HeapObject> copy, TNode<IntPtrT> start_offset,
+    TNode<IntPtrT> end_offset) {
+  // Iterate over all object properties of a freshly copied object and
+  // duplicate mutable heap numbers.
+  if (FLAG_unbox_double_fields) return;
+  Comment("Copy mutable HeapNumber values");
+  BuildFastLoop<IntPtrT>(
+      start_offset, end_offset,
+      [=](TNode<IntPtrT> offset) {
+        TNode<Object> field = LoadObjectField(copy, offset);
+        Label copy_heap_number(this, Label::kDeferred), continue_loop(this);
+        // We only have to clone complex field values.
+        GotoIf(TaggedIsSmi(field), &continue_loop);
+        // TODO(leszeks): Read the field descriptor to decide if this heap
+        // number is mutable or not.
+        Branch(IsHeapNumber(CAST(field)), &copy_heap_number, &continue_loop);
+        BIND(&copy_heap_number);
+        {
+          TNode<Float64T> double_value = LoadHeapNumberValue(CAST(field));
+          TNode<HeapNumber> heap_number =
+              AllocateHeapNumberWithValue(double_value);
+          StoreObjectField(copy, offset, heap_number);
+          Goto(&continue_loop);
+        }
+        BIND(&continue_loop);
+      },
+      kTaggedSize, IndexAdvanceMode::kPost);
+}
+
 }  // namespace internal
 }  // namespace v8

src/builtins/builtins-constructor-gen.h

@@ -47,6 +47,10 @@ class ConstructorBuiltinsAssembler : public CodeStubAssembler {
                                 TNode<JSFunction> target,
                                 TNode<JSReceiver> new_target,
                                 Label* call_runtime);
+
+  void CopyMutableHeapNumbersInObject(TNode<HeapObject> copy,
+                                      TNode<IntPtrT> start_offset,
+                                      TNode<IntPtrT> instance_size);
 };
 
 }  // namespace internal

src/ic/accessor-assembler.cc

@@ -6,6 +6,7 @@
 
 #include "src/ast/ast.h"
 #include "src/base/optional.h"
+#include "src/builtins/builtins-constructor-gen.h"
 #include "src/codegen/code-factory.h"
 #include "src/ic/handler-configuration.h"
 #include "src/ic/ic.h"
@@ -4206,25 +4207,11 @@ void AccessorAssembler::GenerateCloneObjectIC() {
     // ensure that the GC (and heap verifier) always sees properly initialized
     // objects, i.e. never hits undefined values in double fields.
     if (!FLAG_unbox_double_fields) {
-      BuildFastLoop<IntPtrT>(
-          source_start, source_size,
-          [=](TNode<IntPtrT> field_index) {
-            TNode<IntPtrT> result_offset = IntPtrAdd(
-                TimesTaggedSize(field_index), field_offset_difference);
-            TNode<Object> field = LoadObjectField(object, result_offset);
-            Label if_done(this), if_mutableheapnumber(this, Label::kDeferred);
-            GotoIf(TaggedIsSmi(field), &if_done);
-            Branch(IsHeapNumber(CAST(field)), &if_mutableheapnumber, &if_done);
-            BIND(&if_mutableheapnumber);
-            {
-              TNode<HeapNumber> value = AllocateHeapNumberWithValue(
-                  LoadHeapNumberValue(UncheckedCast<HeapNumber>(field)));
-              StoreObjectField(object, result_offset, value);
-              Goto(&if_done);
-            }
-            BIND(&if_done);
-          },
-          1, IndexAdvanceMode::kPost);
+      TNode<IntPtrT> start_offset = TimesTaggedSize(result_start);
+      TNode<IntPtrT> end_offset =
+          IntPtrAdd(TimesTaggedSize(source_size), field_offset_difference);
+      ConstructorBuiltinsAssembler(state()).CopyMutableHeapNumbersInObject(
+          object, start_offset, end_offset);
     }
 
     Return(object);

test/mjsunit/mjsunit.status

@@ -132,6 +132,7 @@
   'harmony/futex': [PASS, SLOW],
   'harmony/regexp-property-script-extensions': [PASS, SLOW],
   'ignition/regress-672027': [PASS, SLOW],
+  'math-floor-of-div': [PASS, SLOW],
   'md5': [PASS, SLOW],
   'readonly': [PASS, SLOW],
   'regress/regress-1122': [PASS, SLOW],
@@ -279,7 +280,7 @@
   'regress/regress-91008': [PASS, NO_VARIANTS],
   'regress/regress-transcendental': [PASS, ['arch == arm64', NO_VARIANTS]],
   'compiler/osr-regress-max-locals': [PASS, NO_VARIANTS],
-  'math-floor-of-div': [PASS, NO_VARIANTS],
+  'math-floor-of-div': [PASS, SLOW, NO_VARIANTS],
   'unicodelctest': [PASS, NO_VARIANTS],
   'unicodelctest-no-optimization': [PASS, NO_VARIANTS],
 
@@ -512,7 +513,6 @@
   'generated-transition-stub': [PASS, SLOW],
   'json2': [PASS, SLOW],
   'math-floor-of-div-nosudiv': [PASS, SLOW],
-  'math-floor-of-div': [PASS, SLOW],
   'messages': [PASS, SLOW],
   'regress/regress-2790': [PASS, SLOW],
   'regress/regress-331444': [PASS, SLOW],
@@ -549,7 +549,6 @@
   # Pass but take too long with the simulator in debug mode.
   'array-sort': [PASS, SLOW],
   'regexp-global': [SKIP],
-  'math-floor-of-div': [PASS, SLOW],
   'math-floor-of-div-nosudiv': [PASS, SLOW],
   'unicodelctest': [PASS, SLOW],
   'unicodelctest-no-optimization': [PASS, SLOW],