[nojit] Remove IsJSArray parameter from two stubs

In preparation for converting these stubs to builtins. This turns the
compile-time IsJSArray parameter into a runtime check.

Bug: v8:7777
Change-Id: Ief44e7cd77e772809e50618e55f51268e9ac8ad9
Reviewed-on: https://chromium-review.googlesource.com/c/1339868
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57594}

src/builtins/builtins-array-gen.cc

@@ -297,10 +297,9 @@ Node* ArrayBuiltinsAssembler::FindProcessor(Node* k_value, Node* k) {
 
       const ElementsKind kFromKind = HOLEY_SMI_ELEMENTS;
       const ElementsKind kToKind = HOLEY_DOUBLE_ELEMENTS;
-      const bool kIsJSArray = true;
 
       Label transition_in_runtime(this, Label::kDeferred);
-      TransitionElementsKind(a(), double_map, kFromKind, kToKind, kIsJSArray,
+      TransitionElementsKind(a(), double_map, kFromKind, kToKind,
                              &transition_in_runtime);
       Goto(&array_double);
 
@@ -360,7 +359,7 @@ Node* ArrayBuiltinsAssembler::FindProcessor(Node* k_value, Node* k) {
       num_value = ToNumber_Inline(context(), mapped_value);
     }
     // The only way how this can bailout is because of a detached buffer.
-    EmitElementStore(a(), k, num_value, false, source_elements_kind_,
+    EmitElementStore(a(), k, num_value, source_elements_kind_,
                      KeyedAccessStoreMode::STANDARD_STORE, &detached,
                      context());
     Goto(&done);

src/code-stub-assembler.cc

@@ -10339,7 +10339,6 @@ void CodeStubAssembler::EmitBigTypedArrayElementStore(
 }
 
 void CodeStubAssembler::EmitElementStore(Node* object, Node* key, Node* value,
-                                         bool is_jsarray,
                                          ElementsKind elements_kind,
                                          KeyedAccessStoreMode store_mode,
                                          Label* bailout, Node* context) {
@@ -10409,8 +10408,10 @@ void CodeStubAssembler::EmitElementStore(Node* object, Node* key, Node* value,
   DCHECK(IsSmiOrObjectElementsKind(elements_kind) ||
          IsDoubleElementsKind(elements_kind));
 
-  Node* length = is_jsarray ? LoadJSArrayLength(object)
-                            : LoadFixedArrayBaseLength(elements);
+  Node* length =
+      SelectImpl(IsJSArray(object), [=]() { return LoadJSArrayLength(object); },
+                 [=]() { return LoadFixedArrayBaseLength(elements); },
+                 MachineRepresentation::kTagged);
   length = TaggedToParameter(length, parameter_mode);
 
   // In case value is stored into a fast smi array, assure that the value is
@@ -10423,9 +10424,8 @@ void CodeStubAssembler::EmitElementStore(Node* object, Node* key, Node* value,
   }
 
   if (IsGrowStoreMode(store_mode)) {
-    elements = CheckForCapacityGrow(object, elements, elements_kind, store_mode,
-                                    length, intptr_key, parameter_mode,
-                                    is_jsarray, bailout);
+    elements = CheckForCapacityGrow(object, elements, elements_kind, length,
+                                    intptr_key, parameter_mode, bailout);
   } else {
     GotoIfNot(UintPtrLessThan(intptr_key, length), bailout);
   }
@@ -10443,10 +10443,10 @@ void CodeStubAssembler::EmitElementStore(Node* object, Node* key, Node* value,
   StoreElement(elements, elements_kind, intptr_key, value, parameter_mode);
 }
 
-Node* CodeStubAssembler::CheckForCapacityGrow(
-    Node* object, Node* elements, ElementsKind kind,
-    KeyedAccessStoreMode store_mode, Node* length, Node* key,
-    ParameterMode mode, bool is_js_array, Label* bailout) {
+Node* CodeStubAssembler::CheckForCapacityGrow(Node* object, Node* elements,
+                                              ElementsKind kind, Node* length,
+                                              Node* key, ParameterMode mode,
+                                              Label* bailout) {
   DCHECK(IsFastElementsKind(kind));
   VARIABLE(checked_elements, MachineRepresentation::kTagged);
   Label grow_case(this), no_grow_case(this), done(this),
@@ -10491,11 +10491,11 @@ Node* CodeStubAssembler::CheckForCapacityGrow(
     }
 
     BIND(&fits_capacity);
-    if (is_js_array) {
-      Node* new_length = IntPtrAdd(key, IntPtrOrSmiConstant(1, mode));
-      StoreObjectFieldNoWriteBarrier(object, JSArray::kLengthOffset,
-                                     ParameterToTagged(new_length, mode));
-    }
+    GotoIfNot(IsJSArray(object), &done);
+
+    Node* new_length = IntPtrAdd(key, IntPtrOrSmiConstant(1, mode));
+    StoreObjectFieldNoWriteBarrier(object, JSArray::kLengthOffset,
+                                   ParameterToTagged(new_length, mode));
     Goto(&done);
   }
 
@@ -10534,7 +10534,6 @@ Node* CodeStubAssembler::CopyElementsOnWrite(Node* object, Node* elements,
 void CodeStubAssembler::TransitionElementsKind(Node* object, Node* map,
                                                ElementsKind from_kind,
                                                ElementsKind to_kind,
-                                               bool is_jsarray,
                                                Label* bailout) {
   DCHECK(!IsHoleyElementsKind(from_kind) || IsHoleyElementsKind(to_kind));
   if (AllocationSite::ShouldTrack(from_kind, to_kind)) {
@@ -10551,8 +10550,14 @@ void CodeStubAssembler::TransitionElementsKind(Node* object, Node* map,
     // TODO(ishell): Use OptimalParameterMode().
     ParameterMode mode = INTPTR_PARAMETERS;
     Node* elements_length = SmiUntag(LoadFixedArrayBaseLength(elements));
-    Node* array_length =
-        is_jsarray ? SmiUntag(LoadFastJSArrayLength(object)) : elements_length;
+    Node* array_length = SelectImpl(
+        IsJSArray(object),
+        [=]() {
+          CSA_ASSERT(this, IsFastElementsKind(LoadElementsKind(object)));
+          return SmiUntag(LoadFastJSArrayLength(object));
+        },
+        [=]() { return elements_length; },
+        MachineType::PointerRepresentation());
 
     CSA_ASSERT(this, WordNotEqual(elements_length, IntPtrConstant(0)));
 

src/code-stub-assembler.h

@@ -943,7 +943,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
   TNode<Int32T> LoadMapInstanceType(SloppyTNode<Map> map);
   // Load the ElementsKind of a map.
   TNode<Int32T> LoadMapElementsKind(SloppyTNode<Map> map);
-  TNode<Int32T> LoadElementsKind(SloppyTNode<HeapObject> map);
+  TNode<Int32T> LoadElementsKind(SloppyTNode<HeapObject> object);
   // Load the instance descriptors of a map.
   TNode<DescriptorArray> LoadMapDescriptors(SloppyTNode<Map> map);
   // Load the prototype of a map.
@@ -2862,28 +2862,20 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
   void BigIntToRawBytes(TNode<BigInt> bigint, TVariable<UintPtrT>* var_low,
                         TVariable<UintPtrT>* var_high);
 
-  void EmitElementStore(Node* object, Node* key, Node* value, bool is_jsarray,
+  void EmitElementStore(Node* object, Node* key, Node* value,
                         ElementsKind elements_kind,
                         KeyedAccessStoreMode store_mode, Label* bailout,
                         Node* context);
 
   Node* CheckForCapacityGrow(Node* object, Node* elements, ElementsKind kind,
-                             KeyedAccessStoreMode store_mode, Node* length,
-                             Node* key, ParameterMode mode, bool is_js_array,
+                             Node* length, Node* key, ParameterMode mode,
                              Label* bailout);
 
   Node* CopyElementsOnWrite(Node* object, Node* elements, ElementsKind kind,
                             Node* length, ParameterMode mode, Label* bailout);
 
   void TransitionElementsKind(Node* object, Node* map, ElementsKind from_kind,
-                              ElementsKind to_kind, bool is_jsarray,
-                              Label* bailout);
-
-  void TransitionElementsKind(TNode<JSReceiver> object, TNode<Map> map,
-                              ElementsKind from_kind, ElementsKind to_kind,
-                              Label* bailout) {
-    TransitionElementsKind(object, map, from_kind, to_kind, true, bailout);
-  }
+                              ElementsKind to_kind, Label* bailout);
 
   void TrapAllocationMemento(Node* object, Label* memento_found);
 

src/code-stubs.cc

@@ -276,11 +276,9 @@ TF_STUB(ElementsTransitionAndStoreStub, CodeStubAssembler) {
   Node* context = Parameter(Descriptor::kContext);
 
   Comment(
-      "ElementsTransitionAndStoreStub: from_kind=%s, to_kind=%s,"
-      " is_jsarray=%d, store_mode=%d",
+      "ElementsTransitionAndStoreStub: from_kind=%s, to_kind=%s, store_mode=%d",
       ElementsKindToString(stub->from_kind()),
-      ElementsKindToString(stub->to_kind()), stub->is_jsarray(),
-      stub->store_mode());
+      ElementsKindToString(stub->to_kind()), stub->store_mode());
 
   Label miss(this);
 
@@ -289,9 +287,9 @@ TF_STUB(ElementsTransitionAndStoreStub, CodeStubAssembler) {
     Goto(&miss);
   } else {
     TransitionElementsKind(receiver, map, stub->from_kind(), stub->to_kind(),
-                           stub->is_jsarray(), &miss);
-    EmitElementStore(receiver, key, value, stub->is_jsarray(), stub->to_kind(),
-                     stub->store_mode(), &miss, context);
+                           &miss);
+    EmitElementStore(receiver, key, value, stub->to_kind(), stub->store_mode(),
+                     &miss, context);
     Return(value);
   }
 
@@ -310,9 +308,8 @@ int JSEntryStub::GenerateHandlerTable(MacroAssembler* masm) {
 }
 
 TF_STUB(StoreFastElementStub, CodeStubAssembler) {
-  Comment("StoreFastElementStub: js_array=%d, elements_kind=%s, store_mode=%d",
-          stub->is_js_array(), ElementsKindToString(stub->elements_kind()),
-          stub->store_mode());
+  Comment("StoreFastElementStub: elements_kind=%s, store_mode=%d",
+          ElementsKindToString(stub->elements_kind()), stub->store_mode());
 
   Node* receiver = Parameter(Descriptor::kReceiver);
   Node* key = Parameter(Descriptor::kName);
@@ -323,8 +320,8 @@ TF_STUB(StoreFastElementStub, CodeStubAssembler) {
 
   Label miss(this);
 
-  EmitElementStore(receiver, key, value, stub->is_js_array(),
-                   stub->elements_kind(), stub->store_mode(), &miss, context);
+  EmitElementStore(receiver, key, value, stub->elements_kind(),
+                   stub->store_mode(), &miss, context);
   Return(value);
 
   BIND(&miss);
@@ -337,16 +334,14 @@ TF_STUB(StoreFastElementStub, CodeStubAssembler) {
 
 // static
 void StoreFastElementStub::GenerateAheadOfTime(Isolate* isolate) {
-  StoreFastElementStub(isolate, false, HOLEY_ELEMENTS, STANDARD_STORE)
-      .GetCode();
-  StoreFastElementStub(isolate, false, HOLEY_ELEMENTS,
+  StoreFastElementStub(isolate, HOLEY_ELEMENTS, STANDARD_STORE).GetCode();
+  StoreFastElementStub(isolate, HOLEY_ELEMENTS,
                        STORE_AND_GROW_NO_TRANSITION_HANDLE_COW)
       .GetCode();
   for (int i = FIRST_FAST_ELEMENTS_KIND; i <= LAST_FAST_ELEMENTS_KIND; i++) {
     ElementsKind kind = static_cast<ElementsKind>(i);
-    StoreFastElementStub(isolate, true, kind, STANDARD_STORE).GetCode();
-    StoreFastElementStub(isolate, true, kind,
-                         STORE_AND_GROW_NO_TRANSITION_HANDLE_COW)
+    StoreFastElementStub(isolate, kind, STANDARD_STORE).GetCode();
+    StoreFastElementStub(isolate, kind, STORE_AND_GROW_NO_TRANSITION_HANDLE_COW)
         .GetCode();
   }
 }

src/code-stubs.h

@@ -500,18 +500,15 @@ class JSEntryStub : public PlatformCodeStub {
 
 class StoreFastElementStub : public TurboFanCodeStub {
  public:
-  StoreFastElementStub(Isolate* isolate, bool is_js_array,
-                       ElementsKind elements_kind, KeyedAccessStoreMode mode)
+  StoreFastElementStub(Isolate* isolate, ElementsKind elements_kind,
+                       KeyedAccessStoreMode mode)
       : TurboFanCodeStub(isolate) {
     minor_key_ = CommonStoreModeBits::encode(mode) |
-                 ElementsKindBits::encode(elements_kind) |
-                 IsJSArrayBits::encode(is_js_array);
+                 ElementsKindBits::encode(elements_kind);
   }
 
   static void GenerateAheadOfTime(Isolate* isolate);
 
-  bool is_js_array() const { return IsJSArrayBits::decode(minor_key_); }
-
   ElementsKind elements_kind() const {
     return ElementsKindBits::decode(minor_key_);
   }
@@ -523,7 +520,6 @@ class StoreFastElementStub : public TurboFanCodeStub {
  private:
   class ElementsKindBits
       : public BitField<ElementsKind, CommonStoreModeBits::kNext, 8> {};
-  class IsJSArrayBits : public BitField<bool, ElementsKindBits::kNext, 1> {};
 
   DEFINE_CALL_INTERFACE_DESCRIPTOR(StoreWithVector);
   DEFINE_TURBOFAN_CODE_STUB(StoreFastElement, TurboFanCodeStub);
@@ -532,17 +528,15 @@ class StoreFastElementStub : public TurboFanCodeStub {
 class ElementsTransitionAndStoreStub : public TurboFanCodeStub {
  public:
   ElementsTransitionAndStoreStub(Isolate* isolate, ElementsKind from_kind,
-                                 ElementsKind to_kind, bool is_jsarray,
+                                 ElementsKind to_kind,
                                  KeyedAccessStoreMode store_mode)
       : TurboFanCodeStub(isolate) {
     minor_key_ = CommonStoreModeBits::encode(store_mode) |
-                 FromBits::encode(from_kind) | ToBits::encode(to_kind) |
-                 IsJSArrayBits::encode(is_jsarray);
+                 FromBits::encode(from_kind) | ToBits::encode(to_kind);
   }
 
   ElementsKind from_kind() const { return FromBits::decode(minor_key_); }
   ElementsKind to_kind() const { return ToBits::decode(minor_key_); }
-  bool is_jsarray() const { return IsJSArrayBits::decode(minor_key_); }
   KeyedAccessStoreMode store_mode() const {
     return CommonStoreModeBits::decode(minor_key_);
   }
@@ -551,7 +545,6 @@ class ElementsTransitionAndStoreStub : public TurboFanCodeStub {
   class FromBits
       : public BitField<ElementsKind, CommonStoreModeBits::kNext, 8> {};
   class ToBits : public BitField<ElementsKind, 11, 8> {};
-  class IsJSArrayBits : public BitField<bool, 19, 1> {};
 
   DEFINE_CALL_INTERFACE_DESCRIPTOR(StoreTransition);
   DEFINE_TURBOFAN_CODE_STUB(ElementsTransitionAndStore, TurboFanCodeStub);

src/ic/handler-configuration.cc

@@ -182,12 +182,11 @@ KeyedAccessLoadMode LoadHandler::GetKeyedAccessLoadMode(MaybeObject handler) {
 Handle<Object> StoreHandler::StoreElementTransition(
     Isolate* isolate, Handle<Map> receiver_map, Handle<Map> transition,
     KeyedAccessStoreMode store_mode) {
-  bool is_js_array = receiver_map->instance_type() == JS_ARRAY_TYPE;
   ElementsKind elements_kind = receiver_map->elements_kind();
-  Handle<Code> stub = ElementsTransitionAndStoreStub(
-                          isolate, elements_kind, transition->elements_kind(),
-                          is_js_array, store_mode)
-                          .GetCode();
+  Handle<Code> stub =
+      ElementsTransitionAndStoreStub(isolate, elements_kind,
+                                     transition->elements_kind(), store_mode)
+          .GetCode();
   Handle<Object> validity_cell =
       Map::GetOrCreatePrototypeChainValidityCell(receiver_map, isolate);
   Handle<StoreHandler> handler = isolate->factory()->NewStoreHandler(1);

src/ic/ic.cc

@@ -1842,7 +1842,6 @@ Handle<Object> KeyedStoreIC::StoreElementHandler(
 
   // TODO(ishell): move to StoreHandler::StoreElement().
   ElementsKind elements_kind = receiver_map->elements_kind();
-  bool is_jsarray = receiver_map->instance_type() == JS_ARRAY_TYPE;
   Handle<Code> stub;
   if (receiver_map->has_sloppy_arguments_elements()) {
     // TODO(jgruber): Update counter name.
@@ -1852,9 +1851,7 @@ Handle<Object> KeyedStoreIC::StoreElementHandler(
   } else if (receiver_map->has_fast_elements() ||
              receiver_map->has_fixed_typed_array_elements()) {
     TRACE_HANDLER_STATS(isolate(), KeyedStoreIC_StoreFastElementStub);
-    stub =
-        StoreFastElementStub(isolate(), is_jsarray, elements_kind, store_mode)
-            .GetCode();
+    stub = StoreFastElementStub(isolate(), elements_kind, store_mode).GetCode();
     if (receiver_map->has_fixed_typed_array_elements()) return stub;
   } else if (IsStoreInArrayLiteralICKind(kind())) {
     // TODO(jgruber): Update counter name.