[builtins][turbofan] Support huge TypedArrays in %ArrayIteratorPrototype%.next()

Bug: v8:4153 Change-Id: Ieea327828a364ae1934f1a342f361dc68d7bbab6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1903433Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#64857}

[builtins][turbofan] Support huge TypedArrays in %ArrayIteratorPrototype%.next()
Bug: v8:4153 Change-Id: Ieea327828a364ae1934f1a342f361dc68d7bbab6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1903433Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#64857}
e465a152 · Igor Sheludko · Commit Bot · 50173924 · e465a152 · e465a152
Commit e465a152 authored Nov 07, 2019 by Igor Sheludko Committed by Commit Bot Nov 08, 2019
4 changed files
--- a/src/builtins/base.tq
+++ b/src/builtins/base.tq
@@ -3833,6 +3833,7 @@ macro ChangeUintPtrNumberToUintPtr(value: Number): uintptr {
  }
 }

+@export
 macro ChangeSafeIntegerNumberToUintPtr(value: Number):
    uintptr labels IfUIntPtrOverflow {
  try {

--- a/src/builtins/builtins-array-gen.cc
+++ b/src/builtins/builtins-array-gen.cc
@@ -1414,12 +1414,10 @@ TF_BUILTIN(ArrayIteratorPrototypeNext, CodeStubAssembler) {
  TNode<JSArrayIterator> iterator = CAST(maybe_iterator);

  // Let a be O.[[IteratedObject]].
-  TNode<JSReceiver> array =
-      CAST(LoadObjectField(iterator, JSArrayIterator::kIteratedObjectOffset));
+  TNode<JSReceiver> array = LoadJSArrayIteratorIteratedObject(iterator);

  // Let index be O.[[ArrayIteratorNextIndex]].
-  TNode<Number> index =
-      CAST(LoadObjectField(iterator, JSArrayIterator::kNextIndexOffset));
+  TNode<Number> index = LoadJSArrayIteratorNextIndex(iterator);
  CSA_ASSERT(this, IsNumberNonNegativeSafeInteger(index));

  // Dispatch based on the type of the {array}.
@@ -1440,9 +1438,8 @@ TF_BUILTIN(ArrayIteratorPrototypeNext, CodeStubAssembler) {
    TNode<Uint32T> length32 =
        ChangeNumberToUint32(LoadJSArrayLength(CAST(array)));
    GotoIfNot(Uint32LessThan(index32, length32), &set_done);
-    StoreObjectField(
-        iterator, JSArrayIterator::kNextIndexOffset,
-        ChangeUint32ToTagged(Unsigned(Int32Add(index32, Int32Constant(1)))));
+    StoreJSArrayIteratorNextIndex(
+        iterator, ChangeUint32ToTagged(Uint32Add(index32, Uint32Constant(1))));

    var_done = FalseConstant();
    var_value = index;
@@ -1482,8 +1479,7 @@ TF_BUILTIN(ArrayIteratorPrototypeNext, CodeStubAssembler) {
        CallBuiltin(Builtins::kToLength, context,
                    GetProperty(context, array, factory()->length_string())));
    GotoIfNumberGreaterThanOrEqual(index, length, &set_done);
-    StoreObjectField(iterator, JSArrayIterator::kNextIndexOffset,
-                     NumberInc(index));
+    StoreJSArrayIteratorNextIndex(iterator, NumberInc(index));

    var_done = FalseConstant();
    var_value = index;
@@ -1516,7 +1512,7 @@ TF_BUILTIN(ArrayIteratorPrototypeNext, CodeStubAssembler) {
    TNode<Number> max_length =
        SelectConstant(IsJSArray(array), NumberConstant(kMaxUInt32),
                       NumberConstant(kMaxSafeInteger));
-    StoreObjectField(iterator, JSArrayIterator::kNextIndexOffset, max_length);
+    StoreJSArrayIteratorNextIndex(iterator, max_length);
    Goto(&allocate_iterator_result);
  }

@@ -1528,9 +1524,9 @@ TF_BUILTIN(ArrayIteratorPrototypeNext, CodeStubAssembler) {

  BIND(&if_typedarray);
  {
-    // If {array} is a JSTypedArray, the {index} must always be a Smi.
-    // TODO(v8:4153): Update this and the relevant TurboFan code.
-    TNode<UintPtrT> index_uintptr = Unsigned(SmiUntag(CAST(index)));
+    // Overflowing uintptr range also means end of iteration.
+    TNode<UintPtrT> index_uintptr =
+        ChangeSafeIntegerNumberToUintPtr(index, &allocate_iterator_result);

    // Check that the {array}s buffer wasn't detached.
    ThrowIfArrayBufferViewBufferIsDetached(context, CAST(array), method_name);
@@ -1544,8 +1540,9 @@ TF_BUILTIN(ArrayIteratorPrototypeNext, CodeStubAssembler) {
              &allocate_iterator_result);
    // TODO(v8:4153): Consider storing next index as uintptr. Update this and
    // the relevant TurboFan code.
-    StoreObjectFieldNoWriteBarrier(iterator, JSArrayIterator::kNextIndexOffset,
-                                   SmiInc(CAST(index)));
+    StoreJSArrayIteratorNextIndex(
+        iterator,
+        ChangeUintPtrToTagged(UintPtrAdd(index_uintptr, UintPtrConstant(1))));

    var_done = FalseConstant();
    var_value = index;

--- a/src/codegen/code-stub-assembler.h
+++ b/src/codegen/code-stub-assembler.h
@@ -639,7 +639,6 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
  SMI_ARITHMETIC_BINOP(SmiAnd, WordAnd, Word32And)
  SMI_ARITHMETIC_BINOP(SmiOr, WordOr, Word32Or)
 #undef SMI_ARITHMETIC_BINOP
-  TNode<Smi> SmiInc(TNode<Smi> value) { return SmiAdd(value, SmiConstant(1)); }

  TNode<IntPtrT> TryIntPtrAdd(TNode<IntPtrT> a, TNode<IntPtrT> b,
                              Label* if_overflow);

--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -5120,8 +5120,6 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
  FieldAccess index_access = AccessBuilder::ForJSArrayIteratorNextIndex();
  if (IsTypedArrayElementsKind(elements_kind)) {
    index_access.type = TypeCache::Get()->kJSTypedArrayLengthType;
-    index_access.machine_type = MachineType::TaggedSigned();
-    index_access.write_barrier_kind = kNoWriteBarrier;
  } else {
    index_access.type = TypeCache::Get()->kJSArrayLengthType;
  }