[turbofan] Serialize receiver prototypes more often.

This just adds calls to SerializePrototype right before we access the serialized prototype. Eventually we need to do this earlier. Bug: v8:7790, chromium:899115 Change-Id: I597e95f5f6df8aae608ee295fe9550e7c2a45e6d Reviewed-on: https://chromium-review.googlesource.com/c/1301475Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#57034}

[turbofan] Serialize receiver prototypes more often.
This just adds calls to SerializePrototype right before we access the serialized prototype. Eventually we need to do this earlier. Bug: v8:7790, chromium:899115 Change-Id: I597e95f5f6df8aae608ee295fe9550e7c2a45e6d Reviewed-on: https://chromium-review.googlesource.com/c/1301475Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#57034}
cd629c01 · Georg Neis · Commit Bot · 459c4d24 · cd629c01 · cd629c01
Commit cd629c01 authored Oct 26, 2018 by Georg Neis Committed by Commit Bot Oct 26, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 5 deletions

js-call-reducer.cc src/compiler/js-call-reducer.cc +11 -5

regress-899115.js test/mjsunit/regress/regress-899115.js +13 -0

No files found.
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -412,14 +412,16 @@ Reduction JSCallReducer::ReduceFunctionPrototypeBind(Node* node) {
                                        &receiver_maps);
  if (result == NodeProperties::kNoReceiverMaps) return NoChange();
  DCHECK_NE(0, receiver_maps.size());
-  MapRef const first_receiver_map(broker(), receiver_maps[0]);
+  MapRef first_receiver_map(broker(), receiver_maps[0]);
  bool const is_constructor = first_receiver_map.is_constructor();
+  first_receiver_map.SerializePrototype();
  ObjectRef const prototype = first_receiver_map.prototype();
  for (Handle<Map> const map : receiver_maps) {
    MapRef receiver_map(broker(), map);

    // Check for consistency among the {receiver_maps}.
    STATIC_ASSERT(LAST_TYPE == LAST_FUNCTION_TYPE);
+    receiver_map.SerializePrototype();
    if (!receiver_map.prototype().equals(prototype) ||
        receiver_map.is_constructor() != is_constructor ||
        receiver_map.instance_type() < FIRST_FUNCTION_TYPE) {
@@ -461,6 +463,7 @@ Reduction JSCallReducer::ReduceFunctionPrototypeBind(Node* node) {
  MapRef map = is_constructor
                   ? native_context().bound_function_with_constructor_map()
                   : native_context().bound_function_without_constructor_map();
+  map.SerializePrototype();
  if (!map.prototype().equals(prototype)) return NoChange();

  // Make sure we can rely on the {receiver_maps}.
@@ -974,8 +977,8 @@ Reduction JSCallReducer::ReduceReflectHas(Node* node) {
  return Changed(vtrue);
 }

-bool CanInlineArrayIteratingBuiltin(Isolate* isolate,
-                                    const MapRef& receiver_map) {
+bool CanInlineArrayIteratingBuiltin(Isolate* isolate, MapRef& receiver_map) {
+  receiver_map.SerializePrototype();
  if (!receiver_map.prototype().IsJSArray()) return false;
  JSArrayRef receiver_prototype = receiver_map.prototype().AsJSArray();
  return receiver_map.instance_type() == JS_ARRAY_TYPE &&
@@ -4324,8 +4327,8 @@ bool IsReadOnlyLengthDescriptor(Isolate* isolate, Handle<Map> jsarray_map) {
 }

 // TODO(turbofan): This was copied from old compiler, might be too restrictive.
-bool CanInlineArrayResizeOperation(Isolate* isolate,
-                                   const MapRef& receiver_map) {
+bool CanInlineArrayResizeOperation(Isolate* isolate, MapRef& receiver_map) {
+  receiver_map.SerializePrototype();
  if (!receiver_map.prototype().IsJSArray()) return false;
  JSArrayRef receiver_prototype = receiver_map.prototype().AsJSArray();
  return receiver_map.instance_type() == JS_ARRAY_TYPE &&
@@ -5784,6 +5787,7 @@ Reduction JSCallReducer::ReducePromisePrototypeCatch(Node* node) {
  for (Handle<Map> map : receiver_maps) {
    MapRef receiver_map(broker(), map);
    if (!receiver_map.IsJSPromiseMap()) return NoChange();
+    receiver_map.SerializePrototype();
    if (!receiver_map.prototype().equals(
            native_context().promise_prototype())) {
      return NoChange();
@@ -5862,6 +5866,7 @@ Reduction JSCallReducer::ReducePromisePrototypeFinally(Node* node) {
  for (Handle<Map> map : receiver_maps) {
    MapRef receiver_map(broker(), map);
    if (!receiver_map.IsJSPromiseMap()) return NoChange();
+    receiver_map.SerializePrototype();
    if (!receiver_map.prototype().equals(
            native_context().promise_prototype())) {
      return NoChange();
@@ -6018,6 +6023,7 @@ Reduction JSCallReducer::ReducePromisePrototypeThen(Node* node) {
  for (Handle<Map> map : receiver_maps) {
    MapRef receiver_map(broker(), map);
    if (!receiver_map.IsJSPromiseMap()) return NoChange();
+    receiver_map.SerializePrototype();
    if (!receiver_map.prototype().equals(
            native_context().promise_prototype())) {
      return NoChange();

--- a/test/mjsunit/regress/regress-899115.js
+++ b/test/mjsunit/regress/regress-899115.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+  Object.getPrototypeOf([]).includes();
+}
+
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();