[turbofan] Fix overly aggressive keyed access lowering.

The keyed load/store lowering is too aggressive when it comes to element vs. property access. If we cannot find a cached name on the IC we automatically assume that it's an element access, i.e. we assume that the key that is passed to the keyed access must be a valid array index then. But this is not true for megamorphic keyed load/store ICs, which do not have a cached name (because the IC saw different names), and thus use a different mechanism to indicate that it's a non-element access. Review-Url: https://codereview.chromium.org/2195583002 Cr-Commit-Position: refs/heads/master@{#38155}

[turbofan] Fix overly aggressive keyed access lowering.
The keyed load/store lowering is too aggressive when it comes to element vs. property access. If we cannot find a cached name on the IC we automatically assume that it's an element access, i.e. we assume that the key that is passed to the keyed access must be a valid array index then. But this is not true for megamorphic keyed load/store ICs, which do not have a cached name (because the IC saw different names), and thus use a different mechanism to indicate that it's a non-element access. Review-Url: https://codereview.chromium.org/2195583002 Cr-Commit-Position: refs/heads/master@{#38155}
c987284a · bmeurer · Commit bot · a661f611 · c987284a · c987284a
Commit c987284a authored Jul 29, 2016 by bmeurer Committed by Commit bot Jul 29, 2016
Showing with 9 additions and 4 deletions

js-native-context-specialization.cc src/compiler/js-native-context-specialization.cc +7 -2

js-native-context-specialization.h src/compiler/js-native-context-specialization.h +2 -2

No files found.
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -571,9 +571,9 @@ Reduction JSNativeContextSpecialization::ReduceElementAccess(
  return Replace(value);
 }

-
+template <typename KeyedICNexus>
 Reduction JSNativeContextSpecialization::ReduceKeyedAccess(
-    Node* node, Node* index, Node* value, FeedbackNexus const& nexus,
+    Node* node, Node* index, Node* value, KeyedICNexus const& nexus,
    AccessMode access_mode, LanguageMode language_mode,
    KeyedAccessStoreMode store_mode) {
  DCHECK(node->opcode() == IrOpcode::kJSLoadProperty ||
@@ -632,6 +632,11 @@ Reduction JSNativeContextSpecialization::ReduceKeyedAccess(
    return ReduceNamedAccess(node, value, receiver_maps,
                             handle(name, isolate()), access_mode,
                             language_mode, index);
+  } else if (nexus.GetKeyType() != ELEMENT) {
+    // The KeyedLoad/StoreIC has seen non-element accesses, so we cannot assume
+    // that the {index} is a valid array index, thus we just let the IC continue
+    // to deal with this load/store.
+    return NoChange();
  }

  // Try to lower the element access based on the {receiver_maps}.

--- a/src/compiler/js-native-context-specialization.h
+++ b/src/compiler/js-native-context-specialization.h
@@ -65,9 +65,9 @@ class JSNativeContextSpecialization final : public AdvancedReducer {
                                AccessMode access_mode,
                                LanguageMode language_mode,
                                KeyedAccessStoreMode store_mode);
+  template <typename KeyedICNexus>
  Reduction ReduceKeyedAccess(Node* node, Node* index, Node* value,
-                              FeedbackNexus const& nexus,
-                              AccessMode access_mode,
+                              KeyedICNexus const& nexus, AccessMode access_mode,
                              LanguageMode language_mode,
                              KeyedAccessStoreMode store_mode);
  Reduction ReduceNamedAccess(Node* node, Node* value,