[cleanup] Make StringLengthProtector into a Cell.

There's no need to have the StringLengthProtector as a PropertyCell, since it's only used to guard against deoptimization loops. This also allows us to remove the use of the CompilationDependencies from the JSTypedLowering. R=jarin@chromium.org Bug: v8:6759 Change-Id: I54a37be6b8064ca3475e3b321f928b6a9903f209 Tbr: mstarzinger@chromium.org Reviewed-on: https://chromium-review.googlesource.com/637303 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#47633}

[cleanup] Make StringLengthProtector into a Cell.
There's no need to have the StringLengthProtector as a PropertyCell, since it's only used to guard against deoptimization loops. This also allows us to remove the use of the CompilationDependencies from the JSTypedLowering. R=jarin@chromium.org Bug: v8:6759 Change-Id: I54a37be6b8064ca3475e3b321f928b6a9903f209 Tbr: mstarzinger@chromium.org Reviewed-on: https://chromium-review.googlesource.com/637303 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#47633}
9be4b610 · Benedikt Meurer · Commit Bot · 06753c64 · 9be4b610 · 9be4b610
Commit 9be4b610 authored Aug 28, 2017 by Benedikt Meurer Committed by Commit Bot Aug 28, 2017
10 changed files
--- a/src/compiler/js-typed-lowering.cc
+++ b/src/compiler/js-typed-lowering.cc
@@ -7,7 +7,6 @@
 #include "src/ast/modules.h"
 #include "src/builtins/builtins-utils.h"
 #include "src/code-factory.h"
-#include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
 #include "src/compiler/js-graph.h"
 #include "src/compiler/linkage.h"
@@ -399,10 +398,8 @@ class JSBinopReduction final {
 // - relax effects from generic but not-side-effecting operations

 JSTypedLowering::JSTypedLowering(Editor* editor,
-                                 CompilationDependencies* dependencies,
                                 JSGraph* jsgraph, Zone* zone)
    : AdvancedReducer(editor),
-      dependencies_(dependencies),
      jsgraph_(jsgraph),
      empty_string_type_(
          Type::HeapConstant(factory()->empty_string(), graph()->zone())),
@@ -566,19 +563,20 @@ Reduction JSTypedLowering::ReduceCreateConsString(Node* node) {
  Node* length =
      graph()->NewNode(simplified()->NumberAdd(), first_length, second_length);

-  // Check if we would overflow the allowed maximum string length.
-  Node* check = graph()->NewNode(simplified()->NumberLessThanOrEqual(), length,
-                                 jsgraph()->Constant(String::kMaxLength));
  if (isolate()->IsStringLengthOverflowIntact()) {
-    // Add a code dependency on the string length overflow protector.
-    dependencies()->AssumePropertyCell(factory()->string_length_protector());
-
-    // We can just deoptimize if the {check} fails. Besides generating a
-    // shorter code sequence than the version below, this has the additional
-    // benefit of not holding on to the lazy {frame_state} and thus potentially
-    // reduces the number of live ranges and allows for more truncations.
-    effect = graph()->NewNode(simplified()->CheckIf(), check, effect, control);
+    // We can just deoptimize if the {length} is out-of-bounds. Besides
+    // generating a shorter code sequence than the version below, this
+    // has the additional benefit of not holding on to the lazy {frame_state}
+    // and thus potentially reduces the number of live ranges and allows for
+    // more truncations.
+    length = effect = graph()->NewNode(simplified()->CheckBounds(), length,
+                                       jsgraph()->Constant(String::kMaxLength),
+                                       effect, control);
  } else {
+    // Check if we would overflow the allowed maximum string length.
+    Node* check =
+        graph()->NewNode(simplified()->NumberLessThanOrEqual(), length,
+                         jsgraph()->Constant(String::kMaxLength));
    Node* branch =
        graph()->NewNode(common()->Branch(BranchHint::kTrue), check, control);
    Node* if_false = graph()->NewNode(common()->IfFalse(), branch);
@@ -2196,11 +2194,6 @@ SimplifiedOperatorBuilder* JSTypedLowering::simplified() const {
  return jsgraph()->simplified();
 }

-
-CompilationDependencies* JSTypedLowering::dependencies() const {
-  return dependencies_;
-}
-
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8
--- a/src/compiler/js-typed-lowering.h
+++ b/src/compiler/js-typed-lowering.h
@@ -14,7 +14,6 @@ namespace v8 {
 namespace internal {

 // Forward declarations.
-class CompilationDependencies;
 class Factory;

 namespace compiler {
@@ -30,8 +29,7 @@ class TypeCache;
 class V8_EXPORT_PRIVATE JSTypedLowering final
    : public NON_EXPORTED_BASE(AdvancedReducer) {
 public:
-  JSTypedLowering(Editor* editor, CompilationDependencies* dependencies,
-                  JSGraph* jsgraph, Zone* zone);
+  JSTypedLowering(Editor* editor, JSGraph* jsgraph, Zone* zone);
  ~JSTypedLowering() final {}

  const char* reducer_name() const override { return "JSTypedLowering"; }
@@ -95,9 +93,7 @@ class V8_EXPORT_PRIVATE JSTypedLowering final
  JSOperatorBuilder* javascript() const;
  CommonOperatorBuilder* common() const;
  SimplifiedOperatorBuilder* simplified() const;
-  CompilationDependencies* dependencies() const;

-  CompilationDependencies* dependencies_;
  JSGraph* jsgraph_;
  Type* empty_string_type_;
  Type* pointer_comparable_type_;

--- a/src/compiler/pipeline.cc
+++ b/src/compiler/pipeline.cc
@@ -1033,8 +1033,7 @@ struct TypedLoweringPhase {
    JSCreateLowering create_lowering(
        &graph_reducer, data->info()->dependencies(), data->jsgraph(),
        feedback_vector, data->native_context(), temp_zone);
-    JSTypedLowering typed_lowering(&graph_reducer, data->info()->dependencies(),
-                                   data->jsgraph(), temp_zone);
+    JSTypedLowering typed_lowering(&graph_reducer, data->jsgraph(), temp_zone);
    TypedOptimization typed_optimization(
        &graph_reducer, data->info()->dependencies(), data->jsgraph());
    SimplifiedOperatorReducer simple_reducer(&graph_reducer, data->jsgraph());

--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -3039,9 +3039,9 @@ void Heap::CreateInitialObjects() {
  cell->set_value(Smi::FromInt(Isolate::kProtectorValid));
  set_species_protector(*cell);

-  cell = factory->NewPropertyCell(factory->empty_string());
-  cell->set_value(Smi::FromInt(Isolate::kProtectorValid));
-  set_string_length_protector(*cell);
+  Handle<Cell> string_length_overflow_cell = factory->NewCell(
+      handle(Smi::FromInt(Isolate::kProtectorValid), isolate()));
+  set_string_length_protector(*string_length_overflow_cell);

  Handle<Cell> fast_array_iteration_cell = factory->NewCell(
      handle(Smi::FromInt(Isolate::kProtectorValid), isolate()));

--- a/src/heap/heap.h
+++ b/src/heap/heap.h
@@ -182,7 +182,7 @@ using v8::MemoryPressureLevel;
  V(PropertyCell, array_protector, ArrayProtector)                             \
  V(Cell, is_concat_spreadable_protector, IsConcatSpreadableProtector)         \
  V(PropertyCell, species_protector, SpeciesProtector)                         \
-  V(PropertyCell, string_length_protector, StringLengthProtector)              \
+  V(Cell, string_length_protector, StringLengthProtector)                      \
  V(Cell, fast_array_iteration_protector, FastArrayIterationProtector)         \
  V(PropertyCell, array_iterator_protector, ArrayIteratorProtector)            \
  V(PropertyCell, array_buffer_neutering_protector,                            \

--- a/src/isolate-inl.h
+++ b/src/isolate-inl.h
@@ -150,7 +150,7 @@ bool Isolate::IsArraySpeciesLookupChainIntact() {
 }

 bool Isolate::IsStringLengthOverflowIntact() {
-  PropertyCell* string_length_cell = heap()->string_length_protector();
+  Cell* string_length_cell = heap()->string_length_protector();
  return string_length_cell->value() == Smi::FromInt(kProtectorValid);
 }


--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -3147,9 +3147,8 @@ void Isolate::InvalidateArraySpeciesProtector() {
 void Isolate::InvalidateStringLengthOverflowProtector() {
  DCHECK(factory()->string_length_protector()->value()->IsSmi());
  DCHECK(IsStringLengthOverflowIntact());
-  PropertyCell::SetValueWithInvalidation(
-      factory()->string_length_protector(),
-      handle(Smi::FromInt(kProtectorInvalid), this));
+  factory()->string_length_protector()->set_value(
+      Smi::FromInt(kProtectorInvalid));
  DCHECK(!IsStringLengthOverflowIntact());
 }


--- a/test/cctest/compiler/test-js-typed-lowering.cc
+++ b/test/cctest/compiler/test-js-typed-lowering.cc
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-#include "src/compilation-dependencies.h"
 #include "src/compiler/js-graph.h"
 #include "src/compiler/js-typed-lowering.h"
 #include "src/compiler/machine-operator.h"
@@ -34,7 +33,6 @@ class JSTypedLoweringTester : public HandleAndZoneScope {
        machine(main_zone()),
        simplified(main_zone()),
        common(main_zone()),
-        deps(main_isolate(), main_zone()),
        graph(main_zone()),
        typer(main_isolate(), Typer::kNoFlags, &graph),
        context_node(NULL) {
@@ -50,7 +48,6 @@ class JSTypedLoweringTester : public HandleAndZoneScope {
  MachineOperatorBuilder machine;
  SimplifiedOperatorBuilder simplified;
  CommonOperatorBuilder common;
-  CompilationDependencies deps;
  Graph graph;
  Typer typer;
  Node* context_node;
@@ -93,7 +90,7 @@ class JSTypedLoweringTester : public HandleAndZoneScope {
                    &machine);
    // TODO(titzer): mock the GraphReducer here for better unit testing.
    GraphReducer graph_reducer(main_zone(), &graph);
-    JSTypedLowering reducer(&graph_reducer, &deps, &jsgraph, main_zone());
+    JSTypedLowering reducer(&graph_reducer, &jsgraph, main_zone());
    Reduction reduction = reducer.Reduce(node);
    if (reduction.Changed()) return reduction.replacement();
    return node;

--- a/test/unittests/compiler/js-typed-lowering-unittest.cc
+++ b/test/unittests/compiler/js-typed-lowering-unittest.cc
@@ -4,7 +4,6 @@

 #include "src/compiler/js-typed-lowering.h"
 #include "src/code-factory.h"
-#include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
 #include "src/compiler/js-graph.h"
 #include "src/compiler/js-operator.h"
@@ -38,8 +37,7 @@ Type* const kJSTypes[] = {Type::Undefined(), Type::Null(),   Type::Boolean(),

 class JSTypedLoweringTest : public TypedGraphTest {
 public:
-  JSTypedLoweringTest()
-      : TypedGraphTest(3), javascript_(zone()), deps_(isolate(), zone()) {}
+  JSTypedLoweringTest() : TypedGraphTest(3), javascript_(zone()) {}
  ~JSTypedLoweringTest() override {}

 protected:
@@ -50,7 +48,7 @@ class JSTypedLoweringTest : public TypedGraphTest {
                    &machine);
    // TODO(titzer): mock the GraphReducer here for better unit testing.
    GraphReducer graph_reducer(zone(), graph());
-    JSTypedLowering reducer(&graph_reducer, &deps_, &jsgraph, zone());
+    JSTypedLowering reducer(&graph_reducer, &jsgraph, zone());
    return reducer.Reduce(node);
  }

@@ -64,7 +62,6 @@ class JSTypedLoweringTest : public TypedGraphTest {

 private:
  JSOperatorBuilder javascript_;
-  CompilationDependencies deps_;
 };



--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@@ -309,12 +309,12 @@ KNOWN_OBJECTS = {
  ("OLD_SPACE", 0x028a1): "IsConcatSpreadableProtector",
  ("OLD_SPACE", 0x028b1): "SpeciesProtector",
  ("OLD_SPACE", 0x028d9): "StringLengthProtector",
-  ("OLD_SPACE", 0x02901): "FastArrayIterationProtector",
-  ("OLD_SPACE", 0x02911): "ArrayIteratorProtector",
-  ("OLD_SPACE", 0x02939): "ArrayBufferNeuteringProtector",
-  ("OLD_SPACE", 0x02961): "InfinityValue",
-  ("OLD_SPACE", 0x02971): "MinusZeroValue",
-  ("OLD_SPACE", 0x02981): "MinusInfinityValue",
+  ("OLD_SPACE", 0x028e9): "FastArrayIterationProtector",
+  ("OLD_SPACE", 0x028f9): "ArrayIteratorProtector",
+  ("OLD_SPACE", 0x02921): "ArrayBufferNeuteringProtector",
+  ("OLD_SPACE", 0x02949): "InfinityValue",
+  ("OLD_SPACE", 0x02959): "MinusZeroValue",
+  ("OLD_SPACE", 0x02969): "MinusInfinityValue",
 }

 # List of known V8 Frame Markers.