Commit e7a33bd7 authored by Georg Neis's avatar Georg Neis Committed by Commit Bot

[turbofan] Collect Array and Object prototypes upfront.

As part of the standard objects serialization, collect the identities of
the Array prototype and the Object prototype from all native contexts.
This information is then be consulted at compile time instead of having
to call Isolate::IsInAnyContext (which accesses the heap).

Bug: v8:7790
Change-Id: I26a8271afadfce243a8032e4a012f249ce3c2a60
Reviewed-on: https://chromium-review.googlesource.com/c/1275815
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56599}
parent ce1ce547
This diff is collapsed.
......@@ -1338,7 +1338,8 @@ JSHeapBroker::JSHeapBroker(Isolate* isolate, Zone* broker_zone)
broker_zone_(broker_zone),
current_zone_(broker_zone),
refs_(new (zone())
RefsMap(kMinimalRefsBucketCount, AddressMatcher(), zone())) {
RefsMap(kMinimalRefsBucketCount, AddressMatcher(), zone())),
array_and_object_prototypes_(zone()) {
// Note that this initialization of the refs_ pointer with the minimal
// initial capacity is redundant in the normal use case (concurrent
// compilation enabled, standard objects to be serialized), as the map
......@@ -1456,6 +1457,37 @@ void JSHeapBroker::SerializeShareableObjects() {
current_zone_ = broker_zone_;
}
void JSHeapBroker::CollectArrayAndObjectPrototypes() {
DisallowHeapAllocation no_gc;
CHECK_EQ(mode(), kSerializing);
CHECK(array_and_object_prototypes_.empty());
Object* maybe_context = isolate()->heap()->native_contexts_list();
while (!maybe_context->IsUndefined(isolate())) {
Context* context = Context::cast(maybe_context);
Object* array_prot = context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX);
Object* object_prot = context->get(Context::INITIAL_OBJECT_PROTOTYPE_INDEX);
array_and_object_prototypes_.emplace(JSObject::cast(array_prot), isolate());
array_and_object_prototypes_.emplace(JSObject::cast(object_prot),
isolate());
maybe_context = context->next_context_link();
}
CHECK(!array_and_object_prototypes_.empty());
}
bool JSHeapBroker::IsArrayOrObjectPrototype(const JSObjectRef& object) const {
if (mode() == kDisabled) {
return isolate()->IsInAnyContext(*object.object(),
Context::INITIAL_ARRAY_PROTOTYPE_INDEX) ||
isolate()->IsInAnyContext(*object.object(),
Context::INITIAL_OBJECT_PROTOTYPE_INDEX);
}
CHECK(!array_and_object_prototypes_.empty());
return array_and_object_prototypes_.find(object.object<JSObject>()) !=
array_and_object_prototypes_.end();
}
void JSHeapBroker::SerializeStandardObjects() {
if (mode() == kDisabled) return;
CHECK_EQ(mode(), kSerializing);
......@@ -1464,6 +1496,8 @@ void JSHeapBroker::SerializeStandardObjects() {
TraceScope tracer(this, "JSHeapBroker::SerializeStandardObjects");
CollectArrayAndObjectPrototypes();
SetNativeContextRef();
native_context().Serialize();
......
......@@ -512,6 +512,10 @@ class V8_EXPORT_PRIVATE JSHeapBroker : public NON_EXPORTED_BASE(ZoneObject) {
// Like the previous but wraps argument in handle first (for convenience).
ObjectData* GetOrCreateData(Object*);
// Check if {object} is any native context's %ArrayPrototype% or
// %ObjectPrototype%.
bool IsArrayOrObjectPrototype(const JSObjectRef& object) const;
void Trace(const char* format, ...) const;
void IncrementTracingIndentation();
void DecrementTracingIndentation();
......@@ -522,12 +526,16 @@ class V8_EXPORT_PRIVATE JSHeapBroker : public NON_EXPORTED_BASE(ZoneObject) {
friend class ObjectData;
void SerializeShareableObjects();
void CollectArrayAndObjectPrototypes();
Isolate* const isolate_;
Zone* const broker_zone_;
Zone* current_zone_;
base::Optional<NativeContextRef> native_context_;
RefsMap* refs_;
ZoneUnorderedSet<Handle<JSObject>, Handle<JSObject>::hash,
Handle<JSObject>::equal_to>
array_and_object_prototypes_;
BrokerMode mode_ = kDisabled;
unsigned tracing_indentation_ = 0;
......
......@@ -16,10 +16,11 @@ class JSInliningHeuristic final : public AdvancedReducer {
enum Mode { kGeneralInlining, kRestrictedInlining, kStressInlining };
JSInliningHeuristic(Editor* editor, Mode mode, Zone* local_zone,
OptimizedCompilationInfo* info, JSGraph* jsgraph,
JSHeapBroker* broker,
SourcePositionTable* source_positions)
: AdvancedReducer(editor),
mode_(mode),
inliner_(editor, local_zone, info, jsgraph, source_positions),
inliner_(editor, local_zone, info, jsgraph, broker, source_positions),
candidates_(local_zone),
seen_(local_zone),
source_positions_(source_positions),
......
......@@ -606,7 +606,8 @@ Reduction JSInliner::ReduceJSCall(Node* node) {
if (node->opcode() == IrOpcode::kJSCall &&
is_sloppy(shared_info->language_mode()) && !shared_info->native()) {
Node* effect = NodeProperties::GetEffectInput(node);
if (NodeProperties::CanBePrimitive(isolate(), call.receiver(), effect)) {
if (NodeProperties::CanBePrimitive(js_heap_broker(), call.receiver(),
effect)) {
CallParameters const& p = CallParametersOf(node->op());
Node* global_proxy = jsgraph()->HeapConstant(
handle(info_->native_context()->global_proxy(), isolate()));
......
......@@ -24,11 +24,13 @@ class SourcePositionTable;
class JSInliner final : public AdvancedReducer {
public:
JSInliner(Editor* editor, Zone* local_zone, OptimizedCompilationInfo* info,
JSGraph* jsgraph, SourcePositionTable* source_positions)
JSGraph* jsgraph, JSHeapBroker* js_heap_broker,
SourcePositionTable* source_positions)
: AdvancedReducer(editor),
local_zone_(local_zone),
info_(info),
jsgraph_(jsgraph),
js_heap_broker_(js_heap_broker),
source_positions_(source_positions) {}
const char* reducer_name() const override { return "JSInliner"; }
......@@ -47,12 +49,15 @@ class JSInliner final : public AdvancedReducer {
SimplifiedOperatorBuilder* simplified() const;
Graph* graph() const;
JSGraph* jsgraph() const { return jsgraph_; }
// TODO(neis): Make heap broker a component of JSGraph?
JSHeapBroker* js_heap_broker() const { return js_heap_broker_; }
Isolate* isolate() const { return jsgraph_->isolate(); }
Handle<Context> native_context() const;
Zone* const local_zone_;
OptimizedCompilationInfo* info_;
JSGraph* const jsgraph_;
JSHeapBroker* const js_heap_broker_;
SourcePositionTable* const source_positions_;
bool DetermineCallTarget(Node* node,
......
......@@ -517,7 +517,7 @@ JSNativeContextSpecialization::InferHasInPrototypeChain(
Node* receiver, Node* effect, Handle<HeapObject> prototype) {
ZoneHandleSet<Map> receiver_maps;
NodeProperties::InferReceiverMapsResult result =
NodeProperties::InferReceiverMaps(isolate(), receiver, effect,
NodeProperties::InferReceiverMaps(js_heap_broker(), receiver, effect,
&receiver_maps);
if (result == NodeProperties::kNoReceiverMaps) return kMayBeInPrototypeChain;
......@@ -660,7 +660,8 @@ Reduction JSNativeContextSpecialization::ReduceJSPromiseResolve(Node* node) {
// Check if we know something about the {value}.
ZoneHandleSet<Map> value_maps;
NodeProperties::InferReceiverMapsResult result =
NodeProperties::InferReceiverMaps(isolate(), value, effect, &value_maps);
NodeProperties::InferReceiverMaps(js_heap_broker(), value, effect,
&value_maps);
if (result == NodeProperties::kNoReceiverMaps) return NoChange();
DCHECK_NE(0, value_maps.size());
......@@ -690,7 +691,7 @@ Reduction JSNativeContextSpecialization::ReduceJSResolvePromise(Node* node) {
// Check if we know something about the {resolution}.
ZoneHandleSet<Map> resolution_maps;
NodeProperties::InferReceiverMapsResult result =
NodeProperties::InferReceiverMaps(isolate(), resolution, effect,
NodeProperties::InferReceiverMaps(js_heap_broker(), resolution, effect,
&resolution_maps);
if (result != NodeProperties::kReliableReceiverMaps) return NoChange();
DCHECK_NE(0, resolution_maps.size());
......@@ -2413,7 +2414,7 @@ Reduction JSNativeContextSpecialization::ReduceJSToObject(Node* node) {
ZoneHandleSet<Map> receiver_maps;
NodeProperties::InferReceiverMapsResult result =
NodeProperties::InferReceiverMaps(isolate(), receiver, effect,
NodeProperties::InferReceiverMaps(js_heap_broker(), receiver, effect,
&receiver_maps);
if (result == NodeProperties::kNoReceiverMaps) return NoChange();
......@@ -3072,13 +3073,15 @@ bool JSNativeContextSpecialization::CanTreatHoleAsUndefined(
// Check if all {receiver_maps} either have one of the initial Array.prototype
// or Object.prototype objects as their prototype (in any of the current
// native contexts, as the global Array protector works isolate-wide).
for (Handle<Map> receiver_map : receiver_maps) {
DisallowHeapAllocation no_gc;
Object* const receiver_prototype = receiver_map->prototype();
if (!isolate()->IsInAnyContext(receiver_prototype,
Context::INITIAL_ARRAY_PROTOTYPE_INDEX) &&
!isolate()->IsInAnyContext(receiver_prototype,
Context::INITIAL_OBJECT_PROTOTYPE_INDEX)) {
for (Handle<Map> map : receiver_maps) {
MapRef receiver_map(js_heap_broker(), map);
// TODO(neis): Remove SerializePrototype call once brokerization is
// complete.
receiver_map.SerializePrototype();
ObjectRef receiver_prototype = receiver_map.prototype();
if (!receiver_prototype.IsJSObject() ||
!js_heap_broker()->IsArrayOrObjectPrototype(
receiver_prototype.AsJSObject())) {
return false;
}
}
......@@ -3135,7 +3138,8 @@ bool JSNativeContextSpecialization::InferReceiverMaps(
Node* receiver, Node* effect, MapHandles* receiver_maps) {
ZoneHandleSet<Map> maps;
NodeProperties::InferReceiverMapsResult result =
NodeProperties::InferReceiverMaps(isolate(), receiver, effect, &maps);
NodeProperties::InferReceiverMaps(js_heap_broker(), receiver, effect,
&maps);
if (result == NodeProperties::kReliableReceiverMaps) {
for (size_t i = 0; i < maps.size(); ++i) {
receiver_maps->push_back(maps[i]);
......
......@@ -364,11 +364,11 @@ bool NodeProperties::IsSame(Node* a, Node* b) {
// static
NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMaps(
Isolate* isolate, Node* receiver, Node* effect,
JSHeapBroker* broker, Node* receiver, Node* effect,
ZoneHandleSet<Map>* maps_return) {
HeapObjectMatcher m(receiver);
if (m.HasValue()) {
Handle<HeapObject> receiver = m.Value();
HeapObjectRef receiver = m.Ref(broker).AsHeapObject();
// We don't use ICs for the Array.prototype and the Object.prototype
// because the runtime has to be able to intercept them properly, so
// we better make sure that TurboFan doesn't outsmart the system here
......@@ -376,15 +376,12 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMaps(
//
// TODO(bmeurer): This can be removed once the Array.prototype and
// Object.prototype have NO_ELEMENTS elements kind.
if (!isolate->IsInAnyContext(*receiver,
Context::INITIAL_ARRAY_PROTOTYPE_INDEX) &&
!isolate->IsInAnyContext(*receiver,
Context::INITIAL_OBJECT_PROTOTYPE_INDEX)) {
Handle<Map> receiver_map(receiver->map(), isolate);
if (receiver_map->is_stable()) {
if (!receiver.IsJSObject() ||
!broker->IsArrayOrObjectPrototype(receiver.AsJSObject())) {
if (receiver.map().is_stable()) {
// The {receiver_map} is only reliable when we install a stability
// code dependency.
*maps_return = ZoneHandleSet<Map>(receiver_map);
*maps_return = ZoneHandleSet<Map>(receiver.map().object<Map>());
return kUnreliableReceiverMaps;
}
}
......@@ -418,7 +415,7 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMaps(
Handle<JSFunction>::cast(mnewtarget.Value());
if (original_constructor->has_initial_map()) {
Handle<Map> initial_map(original_constructor->initial_map(),
isolate);
broker->isolate());
if (initial_map->constructor_or_backpointer() ==
*mtarget.Value()) {
*maps_return = ZoneHandleSet<Map>(initial_map);
......@@ -505,12 +502,13 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMaps(
}
// static
MaybeHandle<Map> NodeProperties::GetMapWitness(Isolate* isolate, Node* node) {
MaybeHandle<Map> NodeProperties::GetMapWitness(JSHeapBroker* broker,
Node* node) {
ZoneHandleSet<Map> maps;
Node* receiver = NodeProperties::GetValueInput(node, 1);
Node* effect = NodeProperties::GetEffectInput(node);
NodeProperties::InferReceiverMapsResult result =
NodeProperties::InferReceiverMaps(isolate, receiver, effect, &maps);
NodeProperties::InferReceiverMaps(broker, receiver, effect, &maps);
if (result == NodeProperties::kReliableReceiverMaps && maps.size() == 1) {
return maps[0];
}
......@@ -518,12 +516,12 @@ MaybeHandle<Map> NodeProperties::GetMapWitness(Isolate* isolate, Node* node) {
}
// static
bool NodeProperties::HasInstanceTypeWitness(Isolate* isolate, Node* receiver,
Node* effect,
bool NodeProperties::HasInstanceTypeWitness(JSHeapBroker* broker,
Node* receiver, Node* effect,
InstanceType instance_type) {
ZoneHandleSet<Map> receiver_maps;
NodeProperties::InferReceiverMapsResult result =
NodeProperties::InferReceiverMaps(isolate, receiver, effect,
NodeProperties::InferReceiverMaps(broker, receiver, effect,
&receiver_maps);
switch (result) {
case NodeProperties::kUnreliableReceiverMaps:
......@@ -555,7 +553,7 @@ bool NodeProperties::NoObservableSideEffectBetween(Node* effect,
}
// static
bool NodeProperties::CanBePrimitive(Isolate* isolate, Node* receiver,
bool NodeProperties::CanBePrimitive(JSHeapBroker* broker, Node* receiver,
Node* effect) {
switch (receiver->opcode()) {
#define CASE(Opcode) case IrOpcode::k##Opcode:
......@@ -576,7 +574,7 @@ bool NodeProperties::CanBePrimitive(Isolate* isolate, Node* receiver,
// just the instance types, which don't change
// across potential side-effecting operations.
ZoneHandleSet<Map> maps;
if (InferReceiverMaps(isolate, receiver, effect, &maps) !=
if (InferReceiverMaps(broker, receiver, effect, &maps) !=
kNoReceiverMaps) {
// Check if all {maps} are actually JSReceiver maps.
for (size_t i = 0; i < maps.size(); ++i) {
......@@ -590,9 +588,9 @@ bool NodeProperties::CanBePrimitive(Isolate* isolate, Node* receiver,
}
// static
bool NodeProperties::CanBeNullOrUndefined(Isolate* isolate, Node* receiver,
bool NodeProperties::CanBeNullOrUndefined(JSHeapBroker* broker, Node* receiver,
Node* effect) {
if (CanBePrimitive(isolate, receiver, effect)) {
if (CanBePrimitive(broker, receiver, effect)) {
switch (receiver->opcode()) {
case IrOpcode::kCheckInternalizedString:
case IrOpcode::kCheckNumber:
......@@ -609,7 +607,7 @@ bool NodeProperties::CanBeNullOrUndefined(Isolate* isolate, Node* receiver,
return false;
case IrOpcode::kHeapConstant: {
Handle<HeapObject> value = HeapObjectMatcher(receiver).Value();
return value->IsNullOrUndefined(isolate);
return value->IsNullOrUndefined(broker->isolate());
}
default:
return true;
......
......@@ -152,11 +152,11 @@ class V8_EXPORT_PRIVATE NodeProperties final {
// but instance type is reliable.
};
static InferReceiverMapsResult InferReceiverMaps(
Isolate* isolate, Node* receiver, Node* effect,
JSHeapBroker* broker, Node* receiver, Node* effect,
ZoneHandleSet<Map>* maps_return);
static MaybeHandle<Map> GetMapWitness(Isolate* isolate, Node* node);
static bool HasInstanceTypeWitness(Isolate* isolate, Node* receiver,
static MaybeHandle<Map> GetMapWitness(JSHeapBroker* broker, Node* node);
static bool HasInstanceTypeWitness(JSHeapBroker* broker, Node* receiver,
Node* effect, InstanceType instance_type);
// Walks up the {effect} chain to check that there's no observable side-effect
......@@ -167,11 +167,12 @@ class V8_EXPORT_PRIVATE NodeProperties final {
// Returns true if the {receiver} can be a primitive value (i.e. is not
// definitely a JavaScript object); might walk up the {effect} chain to
// find map checks on {receiver}.
static bool CanBePrimitive(Isolate* isolate, Node* receiver, Node* effect);
static bool CanBePrimitive(JSHeapBroker* broker, Node* receiver,
Node* effect);
// Returns true if the {receiver} can be null or undefined. Might walk
// up the {effect} chain to find map checks for {receiver}.
static bool CanBeNullOrUndefined(Isolate* isolate, Node* receiver,
static bool CanBeNullOrUndefined(JSHeapBroker* broker, Node* receiver,
Node* effect);
// ---------------------------------------------------------------------------
......
......@@ -1235,11 +1235,13 @@ struct InliningPhase {
JSNativeContextSpecialization native_context_specialization(
&graph_reducer, data->jsgraph(), data->js_heap_broker(), flags,
data->native_context(), data->dependencies(), temp_zone, info->zone());
JSInliningHeuristic inlining(
&graph_reducer, data->info()->is_inlining_enabled()
? JSInliningHeuristic::kGeneralInlining
: JSInliningHeuristic::kRestrictedInlining,
temp_zone, data->info(), data->jsgraph(), data->source_positions());
JSInliningHeuristic inlining(&graph_reducer,
data->info()->is_inlining_enabled()
? JSInliningHeuristic::kGeneralInlining
: JSInliningHeuristic::kRestrictedInlining,
temp_zone, data->info(), data->jsgraph(),
data->js_heap_broker(),
data->source_positions());
JSIntrinsicLowering intrinsic_lowering(&graph_reducer, data->jsgraph());
AddReducer(data, &graph_reducer, &dead_code_elimination);
AddReducer(data, &graph_reducer, &checkpoint_elimination);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment