Commit 9ae3e619 authored by Benedikt Meurer's avatar Benedikt Meurer Committed by Commit Bot

[turbofan] Make use of the neutering protector for DataViews.

The DataView access methods can use the neutering protector to avoid
introducing an explicit check into the optimized code to see if the
backing store was neutered. Instead the optimized code has an implicit
dependency on the global neutering protector which gets invalidated
when the first array buffer is neutered (globally). We use the same
trick for typed arrays already.

Bug: chromium:225811
Change-Id: I9b3c95b3113b8fa00dcbba216ef29c84c0056951
Reviewed-on: https://chromium-review.googlesource.com/1172779
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55097}
parent 572c7527
...@@ -6695,16 +6695,22 @@ Reduction JSCallReducer::ReduceDataViewPrototypeGet( ...@@ -6695,16 +6695,22 @@ Reduction JSCallReducer::ReduceDataViewPrototypeGet(
simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()), simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
receiver, effect, control); receiver, effect, control);
Node* check_neutered = effect = graph()->NewNode( if (isolate()->IsArrayBufferNeuteringIntact()) {
simplified()->ArrayBufferWasNeutered(), buffer, effect, control); // Add a code dependency so we are deoptimized in case an ArrayBuffer
check_neutered = // gets neutered.
graph()->NewNode(simplified()->BooleanNot(), check_neutered); dependencies()->DependOnProtector(PropertyCellRef(
js_heap_broker(), factory()->array_buffer_neutering_protector()));
// If the buffer was neutered, deopt and let the unoptimized code throw. } else {
effect = graph()->NewNode( // If the buffer was neutered, deopt and let the unoptimized code throw.
simplified()->CheckIf(DeoptimizeReason::kArrayBufferWasNeutered, Node* check_neutered = effect = graph()->NewNode(
p.feedback()), simplified()->ArrayBufferWasNeutered(), buffer, effect, control);
check_neutered, effect, control); check_neutered =
graph()->NewNode(simplified()->BooleanNot(), check_neutered);
effect = graph()->NewNode(
simplified()->CheckIf(DeoptimizeReason::kArrayBufferWasNeutered,
p.feedback()),
check_neutered, effect, control);
}
// Get the byte offset and byte length of the {receiver}, // Get the byte offset and byte length of the {receiver},
// and deopt if they aren't Smis. // and deopt if they aren't Smis.
...@@ -6823,16 +6829,22 @@ Reduction JSCallReducer::ReduceDataViewPrototypeSet( ...@@ -6823,16 +6829,22 @@ Reduction JSCallReducer::ReduceDataViewPrototypeSet(
simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()), simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
receiver, effect, control); receiver, effect, control);
Node* check_neutered = effect = graph()->NewNode( if (isolate()->IsArrayBufferNeuteringIntact()) {
simplified()->ArrayBufferWasNeutered(), buffer, effect, control); // Add a code dependency so we are deoptimized in case an ArrayBuffer
check_neutered = // gets neutered.
graph()->NewNode(simplified()->BooleanNot(), check_neutered); dependencies()->DependOnProtector(PropertyCellRef(
js_heap_broker(), factory()->array_buffer_neutering_protector()));
// If the buffer was neutered, deopt and let the unoptimized code throw. } else {
effect = graph()->NewNode( // If the buffer was neutered, deopt and let the unoptimized code throw.
simplified()->CheckIf(DeoptimizeReason::kArrayBufferWasNeutered, Node* check_neutered = effect = graph()->NewNode(
p.feedback()), simplified()->ArrayBufferWasNeutered(), buffer, effect, control);
check_neutered, effect, control); check_neutered =
graph()->NewNode(simplified()->BooleanNot(), check_neutered);
effect = graph()->NewNode(
simplified()->CheckIf(DeoptimizeReason::kArrayBufferWasNeutered,
p.feedback()),
check_neutered, effect, control);
}
// Get the byte offset and byte length of the {receiver}, // Get the byte offset and byte length of the {receiver},
// and deopt if they aren't Smis. // and deopt if they aren't Smis.
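Review bot: The comment in the new `if` branch of ReduceDataViewPrototypeGet says only that the code is deoptimized when an ArrayBuffer is neutered; it does not say that no per-buffer check is emitted on this path. Everything the reducer generates after it therefore relies on the protector being invalidated whenever any buffer is neutered. I would state that invariant where the dependency is taken, for example `// No ArrayBufferWasNeutered check is emitted here; safety relies on every neutering path invalidating the protector.` The identical block in the ReduceDataViewPrototypeSet hunk needs the same wording, and since the two blocks are copies of each other, a shared private helper would keep them from drifting apart. Both function bodies start and continue outside the hunks shown.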
......
...@@ -179,8 +179,8 @@ assertUnoptimized(readFloat64); ...@@ -179,8 +179,8 @@ assertUnoptimized(readFloat64);
try { return dataview.getInt8(offset); } catch (e) { return e; } try { return dataview.getInt8(offset); } catch (e) { return e; }
} }
warmup(readInt8Handled); warmup(readInt8Handled);
%ArrayBufferNeuter(buffer);
assertOptimized(readInt8Handled); assertOptimized(readInt8Handled);
%ArrayBufferNeuter(buffer);
assertInstanceof(readInt8Handled(0), TypeError); assertInstanceof(readInt8Handled(0), TypeError);
assertUnoptimized(readInt8Handled); assertUnoptimized(readInt8Handled);
})(); })();
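Review bot: With `%ArrayBufferNeuter(buffer)` moved after `assertOptimized(readInt8Handled)`, the final `assertUnoptimized` is presumably now satisfied by the protector invalidation rather than by the `CheckIf` deopt. That leaves the reducer's `else` branch (the explicit `ArrayBufferWasNeutered` check used once the protector is already invalid) unexercised by the lines shown. A case that re-optimizes a reader after this point, neuters a second buffer and asserts the TypeError would cover it, and a short comment such as `// Neutering invalidates the protector and deoptimizes, so assert optimization first.` would explain the reordering. The rest of the test file is outside this hunk, so such coverage may already exist elsewhere.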