[runtime] Use range checks for function instance type checks

This allows the JSFunctionOrBoundFunction instance type range to no
longer be stuck at the last of the JSObject instance type range. This
will be useful in the future where we extend the function instance
types and include them in fast protector cell checks.

Bug: v8:11256
Change-Id: I955991576b3cca76b10f76c87748016fe527e3d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595275Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71826}

src/compiler/js-call-reducer.cc

@@ -2613,10 +2613,10 @@ Reduction JSCallReducer::ReduceFunctionPrototypeBind(Node* node) {
     }
 
     // Check for consistency among the {receiver_maps}.
-    STATIC_ASSERT(LAST_TYPE == LAST_FUNCTION_TYPE);
     if (!receiver_map.prototype().equals(prototype) ||
         receiver_map.is_constructor() != is_constructor ||
-        receiver_map.instance_type() < FIRST_FUNCTION_TYPE) {
+        !base::IsInRange(receiver_map.instance_type(), FIRST_FUNCTION_TYPE,
+                         LAST_FUNCTION_TYPE)) {
       return inference.NoChange();
     }
 

src/objects/instance-type.h

@@ -125,10 +125,6 @@ enum InstanceType : uint16_t {
 // - JSSpecialObject and JSCustomElementsObject are aligned with the beginning
 //   of the JSObject range, so that we can use a larger range check from
 //   FIRST_JS_RECEIVER_TYPE to the end of those ranges and include JSProxy too.
-// - JSFunction is last, meaning we can use a single inequality check to
-//   determine whether an instance type is within the range for any class in the
-//   inheritance hierarchy of JSFunction. This includes commonly-checked classes
-//   JSObject and JSReceiver.
 #define MAKE_TORQUE_INSTANCE_TYPE(TYPE, value) TYPE = value,
   TORQUE_ASSIGNED_INSTANCE_TYPES(MAKE_TORQUE_INSTANCE_TYPE)
 #undef MAKE_TORQUE_INSTANCE_TYPE

src/objects/js-function.tq

@@ -4,7 +4,6 @@
 
 @abstract
 @generateCppClass
-@highestInstanceTypeWithinParentClassRange
 extern class JSFunctionOrBoundFunction extends JSObject {
 }
 

src/objects/objects-inl.h

@@ -154,8 +154,8 @@ DEF_GETTER(HeapObject, IsUniqueName, bool) {
 }
 
 DEF_GETTER(HeapObject, IsFunction, bool) {
-  STATIC_ASSERT(LAST_FUNCTION_TYPE == LAST_TYPE);
-  return map(isolate).instance_type() >= FIRST_FUNCTION_TYPE;
+  return base::IsInRange(map(isolate).instance_type(), FIRST_FUNCTION_TYPE,
+                         LAST_FUNCTION_TYPE);
 }
 
 DEF_GETTER(HeapObject, IsCallable, bool) { return map(isolate).is_callable(); }

tools/v8heapconst.py

@@ -177,42 +177,42 @@ INSTANCE_TYPES = {
   1064: "JS_TYPED_ARRAY_TYPE",
   1065: "JS_MAP_TYPE",
   1066: "JS_SET_TYPE",
-  1067: "JS_WEAK_MAP_TYPE",
-  1068: "JS_WEAK_SET_TYPE",
-  1069: "JS_ARRAY_TYPE",
-  1070: "JS_ARRAY_BUFFER_TYPE",
-  1071: "JS_ARRAY_ITERATOR_TYPE",
-  1072: "JS_ASYNC_FROM_SYNC_ITERATOR_TYPE",
-  1073: "JS_COLLATOR_TYPE",
-  1074: "JS_CONTEXT_EXTENSION_OBJECT_TYPE",
-  1075: "JS_DATE_TYPE",
-  1076: "JS_DATE_TIME_FORMAT_TYPE",
-  1077: "JS_DISPLAY_NAMES_TYPE",
-  1078: "JS_ERROR_TYPE",
-  1079: "JS_FINALIZATION_REGISTRY_TYPE",
-  1080: "JS_LIST_FORMAT_TYPE",
-  1081: "JS_LOCALE_TYPE",
-  1082: "JS_MESSAGE_OBJECT_TYPE",
-  1083: "JS_NUMBER_FORMAT_TYPE",
-  1084: "JS_PLURAL_RULES_TYPE",
-  1085: "JS_PROMISE_TYPE",
-  1086: "JS_REG_EXP_TYPE",
-  1087: "JS_REG_EXP_STRING_ITERATOR_TYPE",
-  1088: "JS_RELATIVE_TIME_FORMAT_TYPE",
-  1089: "JS_SEGMENT_ITERATOR_TYPE",
-  1090: "JS_SEGMENTER_TYPE",
-  1091: "JS_SEGMENTS_TYPE",
-  1092: "JS_STRING_ITERATOR_TYPE",
-  1093: "JS_V8_BREAK_ITERATOR_TYPE",
-  1094: "JS_WEAK_REF_TYPE",
-  1095: "WASM_EXCEPTION_OBJECT_TYPE",
-  1096: "WASM_GLOBAL_OBJECT_TYPE",
-  1097: "WASM_INSTANCE_OBJECT_TYPE",
-  1098: "WASM_MEMORY_OBJECT_TYPE",
-  1099: "WASM_MODULE_OBJECT_TYPE",
-  1100: "WASM_TABLE_OBJECT_TYPE",
-  1101: "JS_BOUND_FUNCTION_TYPE",
-  1102: "JS_FUNCTION_TYPE",
+  1067: "JS_BOUND_FUNCTION_TYPE",
+  1068: "JS_FUNCTION_TYPE",
+  1069: "JS_WEAK_MAP_TYPE",
+  1070: "JS_WEAK_SET_TYPE",
+  1071: "JS_ARRAY_TYPE",
+  1072: "JS_ARRAY_BUFFER_TYPE",
+  1073: "JS_ARRAY_ITERATOR_TYPE",
+  1074: "JS_ASYNC_FROM_SYNC_ITERATOR_TYPE",
+  1075: "JS_COLLATOR_TYPE",
+  1076: "JS_CONTEXT_EXTENSION_OBJECT_TYPE",
+  1077: "JS_DATE_TYPE",
+  1078: "JS_DATE_TIME_FORMAT_TYPE",
+  1079: "JS_DISPLAY_NAMES_TYPE",
+  1080: "JS_ERROR_TYPE",
+  1081: "JS_FINALIZATION_REGISTRY_TYPE",
+  1082: "JS_LIST_FORMAT_TYPE",
+  1083: "JS_LOCALE_TYPE",
+  1084: "JS_MESSAGE_OBJECT_TYPE",
+  1085: "JS_NUMBER_FORMAT_TYPE",
+  1086: "JS_PLURAL_RULES_TYPE",
+  1087: "JS_PROMISE_TYPE",
+  1088: "JS_REG_EXP_TYPE",
+  1089: "JS_REG_EXP_STRING_ITERATOR_TYPE",
+  1090: "JS_RELATIVE_TIME_FORMAT_TYPE",
+  1091: "JS_SEGMENT_ITERATOR_TYPE",
+  1092: "JS_SEGMENTER_TYPE",
+  1093: "JS_SEGMENTS_TYPE",
+  1094: "JS_STRING_ITERATOR_TYPE",
+  1095: "JS_V8_BREAK_ITERATOR_TYPE",
+  1096: "JS_WEAK_REF_TYPE",
+  1097: "WASM_EXCEPTION_OBJECT_TYPE",
+  1098: "WASM_GLOBAL_OBJECT_TYPE",
+  1099: "WASM_INSTANCE_OBJECT_TYPE",
+  1100: "WASM_MEMORY_OBJECT_TYPE",
+  1101: "WASM_MODULE_OBJECT_TYPE",
+  1102: "WASM_TABLE_OBJECT_TYPE",
 }
 
 # List of known V8 maps.
@@ -370,7 +370,7 @@ KNOWN_MAPS = {
   ("read_only_space", 0x05d2d): (78, "StoreHandler2Map"),
   ("read_only_space", 0x05d55): (78, "StoreHandler3Map"),
   ("map_space", 0x02115): (1057, "ExternalMap"),
-  ("map_space", 0x0213d): (1082, "JSMessageObjectMap"),
+  ("map_space", 0x0213d): (1084, "JSMessageObjectMap"),
   ("map_space", 0x02165): (182, "WasmRttEqrefMap"),
   ("map_space", 0x0218d): (182, "WasmRttAnyrefMap"),
   ("map_space", 0x021b5): (182, "WasmRttExternrefMap"),