[builtins] Extend the list of eager builtins

This extends the list by two cases that we currently cannot handle: FunctionPrototypeHasInstance is called directly without going through Call (https://crbug.com/v8/6786). The Proxy constructor uses a custom construct stub (https://crbug.com/v8/6787). Bug: v8:6624,v8:6786,v8:6787 Change-Id: I21b883bf94bfa170d1da7aa812d09f813d881133 Reviewed-on: https://chromium-review.googlesource.com/651424Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#47865}

[builtins] Extend the list of eager builtins
This extends the list by two cases that we currently cannot handle: FunctionPrototypeHasInstance is called directly without going through Call (https://crbug.com/v8/6786). The Proxy constructor uses a custom construct stub (https://crbug.com/v8/6787). Bug: v8:6624,v8:6786,v8:6787 Change-Id: I21b883bf94bfa170d1da7aa812d09f813d881133 Reviewed-on: https://chromium-review.googlesource.com/651424Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#47865}
ad9640e3 · jgruber · Commit Bot · dbdf487f · ad9640e3 · ad9640e3
Commit ad9640e3 authored Sep 06, 2017 by jgruber Committed by Commit Bot Sep 07, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 0 deletions

builtins.cc src/builtins/builtins.cc +3 -0

code-stub-assembler.cc src/code-stub-assembler.cc +9 -0

objects.cc src/objects.cc +10 -0

No files found.
--- a/src/builtins/builtins.cc
+++ b/src/builtins/builtins.cc
@@ -246,11 +246,14 @@ bool Builtins::IsLazy(int index) {
    case kCheckOptimizationMarker:
    case kCompileLazy:
    case kDeserializeLazy:
+    case kFunctionPrototypeHasInstance:  // https://crbug.com/v8/6786.
    case kHandleApiCall:
    case kIllegal:
    case kInterpreterEnterBytecodeAdvance:
    case kInterpreterEnterBytecodeDispatch:
    case kInterpreterEntryTrampoline:
+    case kProxyConstructor:                   // https://crbug.com/v8/6787.
+    case kProxyConstructor_ConstructStub:     // https://crbug.com/v8/6787.
    case kThrowWasmTrapDivByZero:             // Required by wasm.
    case kThrowWasmTrapDivUnrepresentable:    // Required by wasm.
    case kThrowWasmTrapFloatUnrepresentable:  // Required by wasm.

--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@@ -9241,6 +9241,15 @@ Node* CodeStubAssembler::InstanceOf(Node* object, Node* callable,
  GotoIfNot(WordEqual(inst_of_handler, function_has_instance),
            &if_otherhandler);
  {
+    // TODO(6786): A direct call to a TFJ builtin breaks the lazy
+    // deserialization mechanism in two ways: first, we always pass in a
+    // callable containing the DeserializeLazy code object (assuming that
+    // FunctionPrototypeHasInstance is lazy). Second, a direct call (without
+    // going through CodeFactory::Call) to DeserializeLazy will not initialize
+    // new_target properly. For now we can avoid this by marking
+    // FunctionPrototypeHasInstance as eager, but this should be fixed at some
+    // point.
+    //
    // Call to Function.prototype[@@hasInstance] directly.
    Callable builtin(BUILTIN_CODE(isolate(), FunctionPrototypeHasInstance),
                     CallTrampolineDescriptor(isolate()));

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -13908,6 +13908,16 @@ void SharedFunctionInfo::SetExpectedNofPropertiesFromEstimate(

 void SharedFunctionInfo::SetConstructStub(Code* code) {
  if (code->kind() == Code::BUILTIN) code->set_is_construct_stub(true);
+#ifdef DEBUG
+  if (code->is_builtin()) {
+    // See https://crbug.com/v8/6787. Lazy deserialization currently cannot
+    // handle lazy construct stubs that differ from the code object.
+    int builtin_id = code->builtin_index();
+    DCHECK_NE(Builtins::kDeserializeLazy, builtin_id);
+    DCHECK(builtin_id == Builtins::kJSBuiltinsConstructStub ||
+           this->code() == code || !Builtins::IsLazy(builtin_id));
+  }
+#endif
  set_construct_stub(code);
 }