Reland Handle non-JSObject heap objects using slow-path IC stub guarded by the map.

R=mstarzinger@chromium.org Review URL: https://chromiumcodereview.appspot.com/23578030 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16696 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Reland Handle non-JSObject heap objects using slow-path IC stub guarded by the map.
R=mstarzinger@chromium.org Review URL: https://chromiumcodereview.appspot.com/23578030 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16696 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
e9c4a498 · verwaest@chromium.org · 4f09f428 · e9c4a498 · e9c4a498 · e9c4a498
Commit e9c4a498 authored Sep 12, 2013 by verwaest@chromium.org
9 changed files
--- a/src/builtins.h
+++ b/src/builtins.h
@@ -120,7 +120,7 @@ enum BuiltinExtraArguments {
                                    Code::kNoExtraICState)              \
  V(KeyedLoadIC_MissForceGeneric,   BUILTIN, UNINITIALIZED,             \
                                    Code::kNoExtraICState)              \
-  V(KeyedLoadIC_Slow,               BUILTIN, UNINITIALIZED,             \
+  V(KeyedLoadIC_Slow,               STUB, MONOMORPHIC,                  \
                                    Code::kNoExtraICState)              \
  V(StoreIC_Miss,                   BUILTIN, UNINITIALIZED,             \
                                    Code::kNoExtraICState)              \
@@ -142,7 +142,7 @@ enum BuiltinExtraArguments {
                                    Code::kNoExtraICState)              \
  V(LoadIC_Getter_ForDeopt,         LOAD_IC, MONOMORPHIC,               \
                                    Code::kNoExtraICState)              \
-  V(LoadIC_Slow,                    LOAD_IC, GENERIC,                   \
+  V(LoadIC_Slow,                    STUB, MONOMORPHIC,                  \
                                    Code::kNoExtraICState)              \
                                                                        \
  V(KeyedLoadIC_Initialize,         KEYED_LOAD_IC, UNINITIALIZED,       \

--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -4005,7 +4005,9 @@ void HOptimizedGraphBuilder::VisitRegExpLiteral(RegExpLiteral* expr) {


 static bool CanInlinePropertyAccess(Map* type) {
-  return !type->is_dictionary_map() && !type->has_named_interceptor();
+  return type->IsJSObjectMap() &&
+      !type->is_dictionary_map() &&
+      !type->has_named_interceptor();
 }


@@ -5381,6 +5383,7 @@ HInstruction* HOptimizedGraphBuilder::BuildLoadNamedMonomorphic(
  map->LookupDescriptor(NULL, *name, &lookup);
  if (lookup.IsField()) {
    HCheckMaps* checked_object = AddCheckMap(object, map);
+    ASSERT(map->IsJSObjectMap());
    return BuildLoadNamedField(
        checked_object, HObjectAccess::ForField(map, &lookup, name));
  }
@@ -5392,6 +5395,12 @@ HInstruction* HOptimizedGraphBuilder::BuildLoadNamedMonomorphic(
    return New<HConstant>(constant);
  }

+  if (lookup.IsFound()) {
+    // Cannot handle the property, do a generic load instead.
+    HValue* context = environment()->context();
+    return new(zone()) HLoadNamedGeneric(context, object, name);
+  }
+
  // Handle a load from a known field somewhere in the prototype chain.
  LookupInPrototypes(map, name, &lookup);
  if (lookup.IsField()) {
@@ -5484,6 +5493,7 @@ HInstruction* HOptimizedGraphBuilder::TryBuildConsolidatedElementLoad(
  Handle<Map> most_general_consolidated_map;
  for (int i = 0; i < maps->length(); ++i) {
    Handle<Map> map = maps->at(i);
+    if (!map->IsJSObjectMap()) return NULL;
    // Don't allow mixing of JSArrays with JSObjects.
    if (map->instance_type() == JS_ARRAY_TYPE) {
      if (has_non_js_array_access) return NULL;
@@ -5536,7 +5546,7 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
    HValue* object,
    HValue* key,
    HValue* val,
-    Expression* prop,
+    SmallMapList* maps,
    BailoutId ast_id,
    int position,
    bool is_store,
@@ -5544,7 +5554,6 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
    bool* has_side_effects) {
  *has_side_effects = false;
  BuildCheckHeapObject(object);
-  SmallMapList* maps = prop->GetReceiverTypes();

  if (!is_store) {
    HInstruction* consolidated_load =
@@ -5600,7 +5609,8 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
  if (untransitionable_maps.length() == 1) {
    Handle<Map> untransitionable_map = untransitionable_maps[0];
    HInstruction* instr = NULL;
-    if (untransitionable_map->has_slow_elements_kind()) {
+    if (untransitionable_map->has_slow_elements_kind() ||
+        !untransitionable_map->IsJSObjectMap()) {
      instr = AddInstruction(is_store ? BuildStoreKeyedGeneric(object, key, val)
                                      : BuildLoadKeyedGeneric(object, key));
    } else {
@@ -5617,6 +5627,7 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(

  for (int i = 0; i < untransitionable_maps.length(); ++i) {
    Handle<Map> map = untransitionable_maps[i];
+    if (!map->IsJSObjectMap()) continue;
    ElementsKind elements_kind = map->elements_kind();
    HBasicBlock* this_map = graph()->CreateBasicBlock();
    HBasicBlock* other_map = graph()->CreateBasicBlock();
@@ -5689,10 +5700,9 @@ HValue* HOptimizedGraphBuilder::HandleKeyedElementAccess(
      instr = BuildMonomorphicElementAccess(
          obj, key, val, NULL, map, is_store, expr->GetStoreMode());
    }
-  } else if (expr->GetReceiverTypes() != NULL &&
-             !expr->GetReceiverTypes()->is_empty()) {
+  } else if (types != NULL && !types->is_empty()) {
    return HandlePolymorphicElementAccess(
-        obj, key, val, expr, ast_id, position, is_store,
+        obj, key, val, types, ast_id, position, is_store,
        expr->GetStoreMode(), has_side_effects);
  } else {
    if (is_store) {

--- a/src/hydrogen.h
+++ b/src/hydrogen.h
@@ -2008,7 +2008,7 @@ class HOptimizedGraphBuilder V8_FINAL
  HValue* HandlePolymorphicElementAccess(HValue* object,
                                         HValue* key,
                                         HValue* val,
-                                         Expression* prop,
+                                         SmallMapList* maps,
                                         BailoutId ast_id,
                                         int position,
                                         bool is_store,

--- a/src/ic.cc
+++ b/src/ic.cc
@@ -996,7 +996,7 @@ static bool AddOneReceiverMapIfMissing(MapHandleList* receiver_maps,


 bool IC::UpdatePolymorphicIC(State state,
-                             Handle<JSObject> receiver,
+                             Handle<HeapObject> receiver,
                             Handle<String> name,
                             Handle<Code> code,
                             StrictModeFlag strict_mode) {
@@ -1077,44 +1077,44 @@ Handle<Code> StoreIC::ComputePolymorphicIC(MapHandleList* receiver_maps,
 }


-void LoadIC::UpdateMonomorphicIC(Handle<JSObject> receiver,
+void LoadIC::UpdateMonomorphicIC(Handle<HeapObject> receiver,
                                 Handle<Code> handler,
                                 Handle<String> name,
                                 StrictModeFlag strict_mode) {
-  if (handler->type() == Code::NORMAL) return set_target(*handler);
+  if (handler->is_load_stub()) return set_target(*handler);
  Handle<Code> ic = isolate()->stub_cache()->ComputeMonomorphicLoadIC(
      receiver, handler, name);
  set_target(*ic);
 }


-void KeyedLoadIC::UpdateMonomorphicIC(Handle<JSObject> receiver,
+void KeyedLoadIC::UpdateMonomorphicIC(Handle<HeapObject> receiver,
                                      Handle<Code> handler,
                                      Handle<String> name,
                                      StrictModeFlag strict_mode) {
-  if (handler->type() == Code::NORMAL) return set_target(*handler);
+  if (handler->is_keyed_load_stub()) return set_target(*handler);
  Handle<Code> ic = isolate()->stub_cache()->ComputeMonomorphicKeyedLoadIC(
      receiver, handler, name);
  set_target(*ic);
 }


-void StoreIC::UpdateMonomorphicIC(Handle<JSObject> receiver,
+void StoreIC::UpdateMonomorphicIC(Handle<HeapObject> receiver,
                                  Handle<Code> handler,
                                  Handle<String> name,
                                  StrictModeFlag strict_mode) {
-  if (handler->type() == Code::NORMAL) return set_target(*handler);
+  if (handler->is_store_stub()) return set_target(*handler);
  Handle<Code> ic = isolate()->stub_cache()->ComputeMonomorphicStoreIC(
      receiver, handler, name, strict_mode);
  set_target(*ic);
 }


-void KeyedStoreIC::UpdateMonomorphicIC(Handle<JSObject> receiver,
+void KeyedStoreIC::UpdateMonomorphicIC(Handle<HeapObject> receiver,
                                       Handle<Code> handler,
                                       Handle<String> name,
                                       StrictModeFlag strict_mode) {
-  if (handler->type() == Code::NORMAL) return set_target(*handler);
+  if (handler->is_keyed_store_stub()) return set_target(*handler);
  Handle<Code> ic = isolate()->stub_cache()->ComputeMonomorphicKeyedStoreIC(
      receiver, handler, name, strict_mode);
  set_target(*ic);
@@ -1155,7 +1155,7 @@ bool IC::IsTransitionedMapOfMonomorphicTarget(Map* receiver_map) {
 // not necessarily equal to target()->state().
 void IC::PatchCache(State state,
                    StrictModeFlag strict_mode,
-                    Handle<JSObject> receiver,
+                    Handle<HeapObject> receiver,
                    Handle<String> name,
                    Handle<Code> code) {
  switch (state) {
@@ -1265,32 +1265,26 @@ void LoadIC::UpdateCaches(LookupResult* lookup,
                          State state,
                          Handle<Object> object,
                          Handle<String> name) {
-  // Bail out if the result is not cacheable.
-  if (!lookup->IsCacheable()) {
-    set_target(*generic_stub());
-    return;
-  }
+  if (!object->IsHeapObject()) return;

-  // TODO(jkummerow): It would be nice to support non-JSObjects in
-  // UpdateCaches, then we wouldn't need to go generic here.
-  if (!object->IsJSObject()) {
-    set_target(*generic_stub());
-    return;
-  }
+  Handle<HeapObject> receiver = Handle<HeapObject>::cast(object);

-  Handle<JSObject> receiver = Handle<JSObject>::cast(object);
  Handle<Code> code;
  if (state == UNINITIALIZED) {
    // This is the first time we execute this inline cache.
    // Set the target to the pre monomorphic stub to delay
    // setting the monomorphic state.
    code = pre_monomorphic_stub();
+  } else if (!lookup->IsCacheable()) {
+    // Bail out if the result is not cacheable.
+    code = slow_stub();
+  } else if (!object->IsJSObject()) {
+    // TODO(jkummerow): It would be nice to support non-JSObjects in
+    // ComputeLoadHandler, then we wouldn't need to go generic here.
+    code = slow_stub();
  } else {
-    code = ComputeLoadHandler(lookup, receiver, name);
-    if (code.is_null()) {
-      set_target(*generic_stub());
-      return;
-    }
+    code = ComputeLoadHandler(lookup, Handle<JSObject>::cast(receiver), name);
+    if (code.is_null()) code = slow_stub();
  }

  PatchCache(state, kNonStrictMode, receiver, name, code);

--- a/src/ic.h
+++ b/src/ic.h
@@ -167,14 +167,14 @@ class IC {
  static inline void SetTargetAtAddress(Address address, Code* target);
  static void PostPatching(Address address, Code* target, Code* old_target);

-  virtual void UpdateMonomorphicIC(Handle<JSObject> receiver,
+  virtual void UpdateMonomorphicIC(Handle<HeapObject> receiver,
                                   Handle<Code> handler,
                                   Handle<String> name,
                                   StrictModeFlag strict_mode) {
    set_target(*handler);
  }
  bool UpdatePolymorphicIC(State state,
-                           Handle<JSObject> receiver,
+                           Handle<HeapObject> receiver,
                           Handle<String> name,
                           Handle<Code> code,
                           StrictModeFlag strict_mode);
@@ -192,7 +192,7 @@ class IC {
  bool IsTransitionedMapOfMonomorphicTarget(Map* receiver_map);
  void PatchCache(State state,
                  StrictModeFlag strict_mode,
-                  Handle<JSObject> receiver,
+                  Handle<HeapObject> receiver,
                  Handle<String> name,
                  Handle<Code> code);
  virtual void UpdateMegamorphicCache(Map* map, Name* name, Code* code);
@@ -388,7 +388,7 @@ class LoadIC: public IC {
 protected:
  virtual Code::Kind kind() const { return Code::LOAD_IC; }

-  virtual Handle<Code> generic_stub() const {
+  virtual Handle<Code> slow_stub() const {
    return isolate()->builtins()->LoadIC_Slow();
  }

@@ -403,7 +403,7 @@ class LoadIC: public IC {
                    Handle<Object> object,
                    Handle<String> name);

-  virtual void UpdateMonomorphicIC(Handle<JSObject> receiver,
+  virtual void UpdateMonomorphicIC(Handle<HeapObject> receiver,
                                   Handle<Code> handler,
                                   Handle<String> name,
                                   StrictModeFlag strict_mode);
@@ -483,9 +483,12 @@ class KeyedLoadIC: public LoadIC {
  virtual Handle<Code> generic_stub() const {
    return isolate()->builtins()->KeyedLoadIC_Generic();
  }
+  virtual Handle<Code> slow_stub() const {
+    return isolate()->builtins()->KeyedLoadIC_Slow();
+  }

  // Update the inline cache.
-  virtual void UpdateMonomorphicIC(Handle<JSObject> receiver,
+  virtual void UpdateMonomorphicIC(Handle<HeapObject> receiver,
                                   Handle<Code> handler,
                                   Handle<String> name,
                                   StrictModeFlag strict_mode);
@@ -574,7 +577,7 @@ class StoreIC: public IC {
    return isolate()->builtins()->StoreIC_GlobalProxy_Strict();
  }

-  virtual void UpdateMonomorphicIC(Handle<JSObject> receiver,
+  virtual void UpdateMonomorphicIC(Handle<HeapObject> receiver,
                                   Handle<Code> handler,
                                   Handle<String> name,
                                   StrictModeFlag strict_mode);
@@ -689,7 +692,7 @@ class KeyedStoreIC: public StoreIC {
                                KeyedAccessStoreMode store_mode,
                                StrictModeFlag strict_mode);

-  virtual void UpdateMonomorphicIC(Handle<JSObject> receiver,
+  virtual void UpdateMonomorphicIC(Handle<HeapObject> receiver,
                                   Handle<Code> handler,
                                   Handle<String> name,
                                   StrictModeFlag strict_mode);

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4479,18 +4479,19 @@ void NormalizedMapCache::Clear() {
 }


-void JSObject::UpdateMapCodeCache(Handle<JSObject> object,
-                                  Handle<Name> name,
-                                  Handle<Code> code) {
+void HeapObject::UpdateMapCodeCache(Handle<HeapObject> object,
+                                    Handle<Name> name,
+                                    Handle<Code> code) {
  Handle<Map> map(object->map());
  if (map->is_shared()) {
+    Handle<JSObject> receiver = Handle<JSObject>::cast(object);
    // Fast case maps are never marked as shared.
-    ASSERT(!object->HasFastProperties());
+    ASSERT(!receiver->HasFastProperties());
    // Replace the map with an identical copy that can be safely modified.
    map = Map::CopyNormalized(map, KEEP_INOBJECT_PROPERTIES,
                              UNIQUE_NORMALIZED_MAP);
-    object->GetIsolate()->counters()->normalized_maps()->Increment();
-    object->set_map(*map);
+    receiver->GetIsolate()->counters()->normalized_maps()->Increment();
+    receiver->set_map(*map);
  }
  Map::UpdateCodeCache(map, name, code);
 }

--- a/src/objects.h
+++ b/src/objects.h
@@ -1758,6 +1758,13 @@ class HeapObject: public Object {
  // during marking GC.
  static inline Object** RawField(HeapObject* obj, int offset);

+  // Adds the |code| object related to |name| to the code cache of this map. If
+  // this map is a dictionary map that is shared, the map copied and installed
+  // onto the object.
+  static void UpdateMapCodeCache(Handle<HeapObject> object,
+                                 Handle<Name> name,
+                                 Handle<Code> code);
+
  // Casting.
  static inline HeapObject* cast(Object* obj);

@@ -2569,10 +2576,6 @@ class JSObject: public JSReceiver {

  MUST_USE_RESULT MaybeObject* NormalizeElements();

-  static void UpdateMapCodeCache(Handle<JSObject> object,
-                                 Handle<Name> name,
-                                 Handle<Code> code);
-
  // Transform slow named properties to fast variants.
  // Returns failure if allocation failed.
  static void TransformToFastProperties(Handle<JSObject> object,
@@ -5923,6 +5926,10 @@ class Map: public HeapObject {
    return instance_type() >= FIRST_JS_OBJECT_TYPE;
  }

+  bool IsJSObjectMap() {
+    return instance_type() >= FIRST_JS_OBJECT_TYPE;
+  }
+
  // Fires when the layout of an object with a leaf map changes.
  // This includes adding transitions to the leaf map or changing
  // the descriptor array.

--- a/src/stub-cache.cc
+++ b/src/stub-cache.cc
--- a/src/stub-cache.h
+++ b/src/stub-cache.h
@@ -104,20 +104,20 @@ class StubCache {
                                Code::StubType type,
                                StrictModeFlag strict_mode);

-  Handle<Code> ComputeMonomorphicLoadIC(Handle<JSObject> receiver,
+  Handle<Code> ComputeMonomorphicLoadIC(Handle<HeapObject> receiver,
                                        Handle<Code> handler,
                                        Handle<Name> name);

-  Handle<Code> ComputeMonomorphicKeyedLoadIC(Handle<JSObject> receiver,
+  Handle<Code> ComputeMonomorphicKeyedLoadIC(Handle<HeapObject> receiver,
                                             Handle<Code> handler,
                                             Handle<Name> name);

-  Handle<Code> ComputeMonomorphicStoreIC(Handle<JSObject> receiver,
+  Handle<Code> ComputeMonomorphicStoreIC(Handle<HeapObject> receiver,
                                         Handle<Code> handler,
                                         Handle<Name> name,
                                         StrictModeFlag strict_mode);

-  Handle<Code> ComputeMonomorphicKeyedStoreIC(Handle<JSObject> receiver,
+  Handle<Code> ComputeMonomorphicKeyedStoreIC(Handle<HeapObject> receiver,
                                              Handle<Code> handler,
                                              Handle<Name> name,
                                              StrictModeFlag strict_mode);