[maglev] Add CheckString for prototype constant loads

For prototype loads from strings, we require an access check, since string maps are shared between native contexts. This makes our prototype constant load optimisation bail out to a generic load. We can, however skip this check given the knowledge that this is a prototype load from a primitive, and instead emit a string check. We can also be a slight bit more tolerant of multiple different string maps, same as TF. Bug: v8:7700 Change-Id: I4ad858cadea68246f903443d19fa6cdd65a14564 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3762576Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#81751}

[maglev] Add CheckString for prototype constant loads
For prototype loads from strings, we require an access check, since string maps are shared between native contexts. This makes our prototype constant load optimisation bail out to a generic load. We can, however skip this check given the knowledge that this is a prototype load from a primitive, and instead emit a string check. We can also be a slight bit more tolerant of multiple different string maps, same as TF. Bug: v8:7700 Change-Id: I4ad858cadea68246f903443d19fa6cdd65a14564 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3762576Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#81751}
c74f34b1 · Leszek Swirski · V8 LUCI CQ · f74d6931 · c74f34b1 · c74f34b1
Commit c74f34b1 authored Jul 15, 2022 by Leszek Swirski Committed by V8 LUCI CQ Jul 15, 2022
4 changed files
--- a/src/maglev/maglev-graph-builder.cc
+++ b/src/maglev/maglev-graph-builder.cc
@@ -855,11 +855,20 @@ bool MaglevGraphBuilder::TryBuildMonomorphicLoadFromLoadHandler(
      LoadHandler::DoAccessCheckOnLookupStartObjectBits::decode(smi_handler);
  bool lookup_on_lookup_start_object =
      LoadHandler::LookupOnLookupStartObjectBits::decode(smi_handler);
-  if (do_access_check_on_lookup_start_object) return false;
  if (lookup_on_lookup_start_object) return false;
  if (kind != LoadHandler::Kind::kConstantFromPrototype) return false;
+  if (map.IsStringMap()) {
+    // Check for string maps before checking if we need to do an access check.
+    // Primitive strings always get the prototype from the native context
+    // they're operated on, so they don't need the access check.
+    AddNewNode<CheckHeapObject>({object});
+    AddNewNode<CheckString>({object});
+  } else if (do_access_check_on_lookup_start_object) {
+    return false;
+  } else {
    BuildMapCheck(object, map);
+  }
  Object validity_cell = handler.validity_cell(local_isolate_);
  if (validity_cell.IsCell(local_isolate_)) {

--- a/src/maglev/maglev-graph-verifier.h
+++ b/src/maglev/maglev-graph-verifier.h
@@ -97,6 +97,7 @@ class MaglevGraphVerifier {
      case Opcode::kCheckMaps:
      case Opcode::kCheckMapsWithMigration:
      case Opcode::kCheckSmi:
+      case Opcode::kCheckString:
      case Opcode::kCheckedInternalizedString:
      // TODO(victorgomes): Can we check that the input is Boolean?
      case Opcode::kBranchIfToBooleanTrue:

--- a/src/maglev/maglev-ir.cc
+++ b/src/maglev/maglev-ir.cc
@@ -748,6 +748,7 @@ void CheckMaps::GenerateCode(MaglevCodeGenState* code_gen_state,
                             const ProcessingState& state) {
  Register object = ToRegister(receiver_input());
+  __ AssertNotSmi(object);
  __ Cmp(FieldOperand(object, HeapObject::kMapOffset), map().object());
  EmitEagerDeoptIf(not_equal, code_gen_state, DeoptimizeReason::kWrongMap,
                   this);
@@ -781,6 +782,21 @@ void CheckHeapObject::GenerateCode(MaglevCodeGenState* code_gen_state,
 void CheckHeapObject::PrintParams(std::ostream& os,
                                  MaglevGraphLabeller* graph_labeller) const {}
+void CheckString::AllocateVreg(MaglevVregAllocationState* vreg_state) {
+  UseRegister(receiver_input());
+}
+void CheckString::GenerateCode(MaglevCodeGenState* code_gen_state,
+                               const ProcessingState& state) {
+  Register object = ToRegister(receiver_input());
+  __ AssertNotSmi(object);
+  __ LoadMap(kScratchRegister, object);
+  __ CmpInstanceTypeRange(kScratchRegister, kScratchRegister, FIRST_STRING_TYPE,
+                          LAST_STRING_TYPE);
+  EmitEagerDeoptIf(above, code_gen_state, DeoptimizeReason::kNotAString, this);
+}
+void CheckString::PrintParams(std::ostream& os,
+                              MaglevGraphLabeller* graph_labeller) const {}
 void CheckMapsWithMigration::AllocateVreg(
    MaglevVregAllocationState* vreg_state) {
  UseRegister(receiver_input());
@@ -789,6 +805,7 @@ void CheckMapsWithMigration::GenerateCode(MaglevCodeGenState* code_gen_state,
                                          const ProcessingState& state) {
  Register object = ToRegister(receiver_input());
+  __ AssertNotSmi(object);
  __ Cmp(FieldOperand(object, HeapObject::kMapOffset), map().object());
  JumpToDeferredIf(

--- a/src/maglev/maglev-ir.h
+++ b/src/maglev/maglev-ir.h
@@ -162,6 +162,7 @@ class CompactInterpreterFrameState;
  V(CheckMaps)                        \
  V(CheckSmi)                         \
  V(CheckHeapObject)                  \
+  V(CheckString)                      \
  V(CheckMapsWithMigration)           \
  V(StoreTaggedFieldNoWriteBarrier)   \
  V(StoreTaggedFieldWithWriteBarrier) \
@@ -1997,6 +1998,22 @@ class CheckHeapObject : public FixedInputNodeT<1, CheckHeapObject> {
  void PrintParams(std::ostream&, MaglevGraphLabeller*) const;
 };
+class CheckString : public FixedInputNodeT<1, CheckString> {
+  using Base = FixedInputNodeT<1, CheckString>;
+ public:
+  explicit CheckString(uint64_t bitfield) : Base(bitfield) {}
+  static constexpr OpProperties kProperties = OpProperties::EagerDeopt();
+  static constexpr int kReceiverIndex = 0;
+  Input& receiver_input() { return input(kReceiverIndex); }
+  void AllocateVreg(MaglevVregAllocationState*);
+  void GenerateCode(MaglevCodeGenState*, const ProcessingState&);
+  void PrintParams(std::ostream&, MaglevGraphLabeller*) const;
+};
 class CheckMapsWithMigration
    : public FixedInputNodeT<1, CheckMapsWithMigration> {
  using Base = FixedInputNodeT<1, CheckMapsWithMigration>;