ia32: Fuse map and type checks in call ICs for API functions.

This uses the fact that if a map stayed the same then the object still passes the type check. A new builtin is added to handle the API call in this case. Review URL: http://codereview.chromium.org/573003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3825 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

ia32: Fuse map and type checks in call ICs for API functions.
This uses the fact that if a map stayed the same then the object still passes the type check. A new builtin is added to handle the API call in this case. Review URL: http://codereview.chromium.org/573003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3825 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
d1d56d98 · vitalyr@chromium.org · ad83e411 · d1d56d98 · d1d56d98 · d1d56d98
Commit d1d56d98 authored Feb 09, 2010 by vitalyr@chromium.org
13 changed files
--- a/src/arm/stub-cache-arm.cc
+++ b/src/arm/stub-cache-arm.cc
@@ -737,7 +737,11 @@ Register StubCompiler::CheckPrototypes(JSObject* object,
                                       Register holder_reg,
                                       Register scratch,
                                       String* name,
+                                       int save_at_depth,
                                       Label* miss) {
+  // TODO(602): support object saving.
+  ASSERT(save_at_depth == kInvalidProtoDepth);
  // Check that the maps haven't changed.
  Register result =
      masm()->CheckMaps(object, object_reg, holder, holder_reg, scratch, miss);

--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -474,6 +474,76 @@ BUILTIN(HandleApiCallConstruct) {
 }
+#ifdef DEBUG
+static void VerifyTypeCheck(Handle<JSObject> object,
+                            Handle<JSFunction> function) {
+  FunctionTemplateInfo* info =
+      FunctionTemplateInfo::cast(function->shared()->function_data());
+  if (info->signature()->IsUndefined()) return;
+  SignatureInfo* signature = SignatureInfo::cast(info->signature());
+  Object* receiver_type = signature->receiver();
+  if (receiver_type->IsUndefined()) return;
+  FunctionTemplateInfo* type = FunctionTemplateInfo::cast(receiver_type);
+  ASSERT(object->IsInstanceOf(type));
+}
+#endif
+BUILTIN(FastHandleApiCall) {
+  ASSERT(!CalledAsConstructor());
+  const bool is_construct = false;
+  // We expect four more arguments: function, callback, call data, and holder.
+  const int args_length = args.length() - 4;
+  ASSERT(args_length >= 0);
+  Handle<JSFunction> function = args.at<JSFunction>(args_length);
+  Object* callback_obj = args[args_length + 1];
+  Handle<Object> data_handle = args.at<Object>(args_length + 2);
+  Handle<JSObject> checked_holder = args.at<JSObject>(args_length + 3);
+#ifdef DEBUG
+  VerifyTypeCheck(checked_holder, function);
+#endif
+  v8::Local<v8::Object> holder = v8::Utils::ToLocal(checked_holder);
+  v8::Local<v8::Function> callee = v8::Utils::ToLocal(function);
+  v8::InvocationCallback callback =
+      v8::ToCData<v8::InvocationCallback>(callback_obj);
+  v8::Local<v8::Value> data = v8::Utils::ToLocal(data_handle);
+  v8::Arguments new_args = v8::ImplementationUtilities::NewArguments(
+      data,
+      holder,
+      callee,
+      is_construct,
+      reinterpret_cast<void**>(&args[0] - 1),
+      args_length - 1);
+  HandleScope scope;
+  Object* result;
+  v8::Handle<v8::Value> value;
+  {
+    // Leaving JavaScript.
+    VMState state(EXTERNAL);
+#ifdef ENABLE_LOGGING_AND_PROFILING
+    state.set_external_callback(v8::ToCData<Address>(callback_obj));
+#endif
+    value = callback(new_args);
+  }
+  if (value.IsEmpty()) {
+    result = Heap::undefined_value();
+  } else {
+    result = *reinterpret_cast<Object**>(*value);
+  }
+  RETURN_IF_SCHEDULED_EXCEPTION();
+  return result;
+}
 // Helper function to handle calls to non-function objects created through the
 // API. The object can be called as either a constructor (using new) or just as
 // a function (without new).

--- a/src/builtins.h
+++ b/src/builtins.h
@@ -50,6 +50,7 @@ enum BuiltinExtraArguments {
  V(ArrayPop, NO_EXTRA_ARGUMENTS)                                   \
                                                                    \
  V(HandleApiCall, NEEDS_CALLED_FUNCTION)                           \
+  V(FastHandleApiCall, NO_EXTRA_ARGUMENTS)                          \
  V(HandleApiCallConstruct, NEEDS_CALLED_FUNCTION)                  \
  V(HandleApiCallAsFunction, NO_EXTRA_ARGUMENTS)                    \
  V(HandleApiCallAsConstructor, NO_EXTRA_ARGUMENTS)

--- a/src/ia32/macro-assembler-ia32.cc
+++ b/src/ia32/macro-assembler-ia32.cc
@@ -554,6 +554,7 @@ void MacroAssembler::PopTryHandler() {
 Register MacroAssembler::CheckMaps(JSObject* object, Register object_reg,
                                   JSObject* holder, Register holder_reg,
                                   Register scratch,
+                                   int save_at_depth,
                                   Label* miss) {
  // Make sure there's no overlap between scratch and the other
  // registers.
@@ -561,7 +562,11 @@ Register MacroAssembler::CheckMaps(JSObject* object, Register object_reg,
  // Keep track of the current object in register reg.
  Register reg = object_reg;
-  int depth = 1;
+  int depth = 0;
+  if (save_at_depth == depth) {
+    mov(Operand(esp, kPointerSize), object_reg);
+  }
  // Check the maps in the prototype chain.
  // Traverse the prototype chain from the object and do map checks.
@@ -593,7 +598,6 @@ Register MacroAssembler::CheckMaps(JSObject* object, Register object_reg,
      // to it in the code. Load it from the map.
      reg = holder_reg;  // from now the object is in holder_reg
      mov(reg, FieldOperand(scratch, Map::kPrototypeOffset));
    } else {
      // Check the map of the current object.
      cmp(FieldOperand(reg, HeapObject::kMapOffset),
@@ -611,6 +615,10 @@ Register MacroAssembler::CheckMaps(JSObject* object, Register object_reg,
      mov(reg, Handle<JSObject>(prototype));
    }
+    if (save_at_depth == depth) {
+      mov(Operand(esp, kPointerSize), reg);
+    }
    // Go to the next object in the prototype chain.
    object = prototype;
  }
@@ -621,7 +629,7 @@ Register MacroAssembler::CheckMaps(JSObject* object, Register object_reg,
  j(not_equal, miss, not_taken);
  // Log the check depth.
-  LOG(IntEvent("check-maps-depth", depth));
+  LOG(IntEvent("check-maps-depth", depth + 1));
  // Perform security check for access to the global object and return
  // the holder register.

--- a/src/ia32/macro-assembler-ia32.h
+++ b/src/ia32/macro-assembler-ia32.h
@@ -194,9 +194,14 @@ class MacroAssembler: public Assembler {
  // clobbered if it the same as the holder register. The function
  // returns a register containing the holder - either object_reg or
  // holder_reg.
+  // The function can optionally (when save_at_depth !=
+  // kInvalidProtoDepth) save the object at the given depth by moving
+  // it to [esp + kPointerSize].
  Register CheckMaps(JSObject* object, Register object_reg,
                     JSObject* holder, Register holder_reg,
-                     Register scratch, Label* miss);
+                     Register scratch,
+                     int save_at_depth,
+                     Label* miss);
  // Generate code for checking access rights - used for security checks
  // on access to global objects across environments. The holder register

--- a/src/ia32/stub-cache-ia32.cc
+++ b/src/ia32/stub-cache-ia32.cc
--- a/src/macro-assembler.h
+++ b/src/macro-assembler.h
@@ -61,6 +61,8 @@ enum AllocationFlags {
  RESULT_CONTAINS_TOP = 1 << 1
 };
+// Invalid depth in prototype chain.
+const int kInvalidProtoDepth = -1;
 #if V8_TARGET_ARCH_IA32
 #include "assembler.h"

--- a/src/stub-cache.h
+++ b/src/stub-cache.h
@@ -381,12 +381,25 @@ class StubCompiler BASE_EMBEDDED {
  // Check the integrity of the prototype chain to make sure that the
  // current IC is still valid.
+  Register CheckPrototypes(JSObject* object,
+                           Register object_reg,
+                           JSObject* holder,
+                           Register holder_reg,
+                           Register scratch,
+                           String* name,
+                           Label* miss) {
+    return CheckPrototypes(object, object_reg, holder, holder_reg, scratch,
+                           name, kInvalidProtoDepth, miss);
+  }
  Register CheckPrototypes(JSObject* object,
                           Register object_reg,
                           JSObject* holder,
                           Register holder_reg,
                           Register scratch,
                           String* name,
+                           int save_at_depth,
                           Label* miss);
 protected:

--- a/src/top.cc
+++ b/src/top.cc
@@ -949,10 +949,15 @@ Handle<Context> Top::GetCallingGlobalContext() {
 }
+bool Top::CanHaveSpecialFunctions(JSObject* object) {
+  return object->IsJSArray();
+}
 Object* Top::LookupSpecialFunction(JSObject* receiver,
                                   JSObject* prototype,
                                   JSFunction* function) {
-  if (receiver->IsJSArray()) {
+  if (CanHaveSpecialFunctions(receiver)) {
    FixedArray* table = context()->global_context()->special_function_table();
    for (int index = 0; index < table->length(); index +=3) {
      if ((prototype == table->get(index)) &&

--- a/src/top.h
+++ b/src/top.h
@@ -342,6 +342,7 @@ class Top {
    return Handle<JSBuiltinsObject>(thread_local_.context_->builtins());
  }
+  static bool CanHaveSpecialFunctions(JSObject* object);
  static Object* LookupSpecialFunction(JSObject* receiver,
                                       JSObject* prototype,
                                       JSFunction* value);

--- a/src/v8-counters.h
+++ b/src/v8-counters.h
@@ -140,6 +140,10 @@ namespace internal {
  SC(keyed_store_inline_miss, V8.KeyedStoreInlineMiss)                \
  SC(named_store_global_inline, V8.NamedStoreGlobalInline)            \
  SC(named_store_global_inline_miss, V8.NamedStoreGlobalInlineMiss)   \
+  SC(call_const, V8.CallConst)                                        \
+  SC(call_const_fast_api, V8.CallConstFastApi)                        \
+  SC(call_const_interceptor, V8.CallConstInterceptor)                 \
+  SC(call_const_interceptor_fast_api, V8.CallConstInterceptorFastApi) \
  SC(call_global_inline, V8.CallGlobalInline)                         \
  SC(call_global_inline_miss, V8.CallGlobalInlineMiss)                \
  SC(constructed_objects, V8.ConstructedObjects)                      \

--- a/src/x64/stub-cache-x64.cc
+++ b/src/x64/stub-cache-x64.cc
@@ -1669,7 +1669,11 @@ Register StubCompiler::CheckPrototypes(JSObject* object,
                                       Register holder_reg,
                                       Register scratch,
                                       String* name,
+                                       int save_at_depth,
                                       Label* miss) {
+  // TODO(602): support object saving.
+  ASSERT(save_at_depth == kInvalidProtoDepth);
  // Check that the maps haven't changed.
  Register result =
      __ CheckMaps(object, object_reg, holder, holder_reg, scratch, miss);

--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc