Upgrade V8 to version 4.9.385.28
https://chromium.googlesource.com/v8/v8/+/4.9.385.28
FPIIM-449
Change-Id: I4b2e74289d4bf3667f2f3dc8aa2e541f63e26eb4
diff --git a/src/ic/handler-compiler.cc b/src/ic/handler-compiler.cc
index ae977c3..b353628 100644
--- a/src/ic/handler-compiler.cc
+++ b/src/ic/handler-compiler.cc
@@ -2,12 +2,13 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#include "src/v8.h"
+#include "src/ic/handler-compiler.h"
#include "src/ic/call-optimization.h"
-#include "src/ic/handler-compiler.h"
#include "src/ic/ic.h"
#include "src/ic/ic-inl.h"
+#include "src/isolate-inl.h"
+#include "src/profiler/cpu-profiler.h"
namespace v8 {
namespace internal {
@@ -26,9 +27,8 @@
Handle<Code> NamedLoadHandlerCompiler::ComputeLoadNonexistent(
- Handle<Name> name, Handle<HeapType> type) {
+ Handle<Name> name, Handle<Map> receiver_map) {
Isolate* isolate = name->GetIsolate();
- Handle<Map> receiver_map = IC::TypeToMap(*type, isolate);
if (receiver_map->prototype()->IsNull()) {
// TODO(jkummerow/verwaest): If there is no prototype and the property
// is nonexistent, introduce a builtin to handle this (fast properties
@@ -37,7 +37,7 @@
}
CacheHolderFlag flag;
Handle<Map> stub_holder_map =
- IC::GetHandlerCacheHolder(*type, false, isolate, &flag);
+ IC::GetHandlerCacheHolder(receiver_map, false, isolate, &flag);
// If no dictionary mode objects are present in the prototype chain, the load
// nonexistent IC stub can be shared for all names for a given map and we use
@@ -53,6 +53,16 @@
while (true) {
if (current_map->is_dictionary_map()) cache_name = name;
if (current_map->prototype()->IsNull()) break;
+ if (name->IsPrivate()) {
+ // TODO(verwaest): Use nonexistent_private_symbol.
+ cache_name = name;
+ JSReceiver* prototype = JSReceiver::cast(current_map->prototype());
+ if (!prototype->map()->is_hidden_prototype() &&
+ !prototype->map()->IsJSGlobalObjectMap()) {
+ break;
+ }
+ }
+
last = handle(JSObject::cast(current_map->prototype()));
current_map = handle(last->map());
}
@@ -62,7 +72,7 @@
cache_name, stub_holder_map, Code::LOAD_IC, flag, Code::FAST);
if (!handler.is_null()) return handler;
- NamedLoadHandlerCompiler compiler(isolate, type, last, flag);
+ NamedLoadHandlerCompiler compiler(isolate, receiver_map, last, flag);
handler = compiler.CompileLoadNonexistent(cache_name);
Map::UpdateCodeCache(stub_holder_map, cache_name, handler);
return handler;
@@ -74,48 +84,39 @@
Handle<Name> name) {
Code::Flags flags = Code::ComputeHandlerFlags(kind, type, cache_holder());
Handle<Code> code = GetCodeWithFlags(flags, name);
- PROFILE(isolate(), CodeCreateEvent(Logger::STUB_TAG, *code, *name));
+ PROFILE(isolate(), CodeCreateEvent(Logger::HANDLER_TAG, *code, *name));
+#ifdef DEBUG
+ code->VerifyEmbeddedObjects();
+#endif
return code;
}
-void PropertyHandlerCompiler::set_type_for_object(Handle<Object> object) {
- type_ = IC::CurrentTypeOf(object, isolate());
-}
-
-
#define __ ACCESS_MASM(masm())
Register NamedLoadHandlerCompiler::FrontendHeader(Register object_reg,
Handle<Name> name,
- Label* miss) {
- PrototypeCheckType check_type = CHECK_ALL_MAPS;
- int function_index = -1;
- if (type()->Is(HeapType::String())) {
- function_index = Context::STRING_FUNCTION_INDEX;
- } else if (type()->Is(HeapType::Symbol())) {
- function_index = Context::SYMBOL_FUNCTION_INDEX;
- } else if (type()->Is(HeapType::Number())) {
- function_index = Context::NUMBER_FUNCTION_INDEX;
- } else if (type()->Is(HeapType::Boolean())) {
- function_index = Context::BOOLEAN_FUNCTION_INDEX;
- } else {
- check_type = SKIP_RECEIVER;
- }
-
- if (check_type == CHECK_ALL_MAPS) {
+ Label* miss,
+ ReturnHolder return_what) {
+ PrototypeCheckType check_type = SKIP_RECEIVER;
+ int function_index = map()->IsPrimitiveMap()
+ ? map()->GetConstructorFunctionIndex()
+ : Map::kNoConstructorFunctionIndex;
+ if (function_index != Map::kNoConstructorFunctionIndex) {
GenerateDirectLoadGlobalFunctionPrototype(masm(), function_index,
scratch1(), miss);
Object* function = isolate()->native_context()->get(function_index);
Object* prototype = JSFunction::cast(function)->instance_prototype();
- set_type_for_object(handle(prototype, isolate()));
+ Handle<Map> map(JSObject::cast(prototype)->map());
+ set_map(map);
object_reg = scratch1();
+ check_type = CHECK_ALL_MAPS;
}
// Check that the maps starting from the prototype haven't changed.
return CheckPrototypes(object_reg, scratch1(), scratch2(), scratch3(), name,
- miss, check_type);
+ miss, check_type, return_what);
}
@@ -123,9 +124,10 @@
// miss.
Register NamedStoreHandlerCompiler::FrontendHeader(Register object_reg,
Handle<Name> name,
- Label* miss) {
+ Label* miss,
+ ReturnHolder return_what) {
return CheckPrototypes(object_reg, this->name(), scratch1(), scratch2(), name,
- miss, SKIP_RECEIVER);
+ miss, SKIP_RECEIVER, return_what);
}
@@ -134,7 +136,7 @@
if (IC::ICUseVector(kind())) {
PushVectorAndSlot();
}
- Register reg = FrontendHeader(receiver(), name, &miss);
+ Register reg = FrontendHeader(receiver(), name, &miss, RETURN_HOLDER);
FrontendFooter(name, &miss);
// The footer consumes the vector and slot from the stack if miss occurs.
if (IC::ICUseVector(kind())) {
@@ -152,20 +154,25 @@
Handle<Map> last_map;
if (holder().is_null()) {
holder_reg = receiver();
- last_map = IC::TypeToMap(*type(), isolate());
+ last_map = map();
// If |type| has null as its prototype, |holder()| is
// Handle<JSObject>::null().
DCHECK(last_map->prototype() == isolate()->heap()->null_value());
} else {
- holder_reg = FrontendHeader(receiver(), name, miss);
last_map = handle(holder()->map());
+ // This condition matches the branches below.
+ bool need_holder =
+ last_map->is_dictionary_map() && !last_map->IsJSGlobalObjectMap();
+ holder_reg =
+ FrontendHeader(receiver(), name, miss,
+ need_holder ? RETURN_HOLDER : DONT_RETURN_ANYTHING);
}
if (last_map->is_dictionary_map()) {
if (last_map->IsJSGlobalObjectMap()) {
Handle<JSGlobalObject> global =
holder().is_null()
- ? Handle<JSGlobalObject>::cast(type()->AsConstant()->Value())
+ ? Handle<JSGlobalObject>::cast(isolate()->global_object())
: Handle<JSGlobalObject>::cast(holder());
GenerateCheckPropertyCell(masm(), global, name, scratch1, miss);
} else {
@@ -229,12 +236,12 @@
Handle<Code> NamedLoadHandlerCompiler::CompileLoadCallback(
- Handle<Name> name, const CallOptimization& call_optimization) {
+ Handle<Name> name, const CallOptimization& call_optimization,
+ int accessor_index) {
DCHECK(call_optimization.is_simple_api_call());
- Frontend(name);
- Handle<Map> receiver_map = IC::TypeToMap(*type(), isolate());
- GenerateFastApiCall(masm(), call_optimization, receiver_map, receiver(),
- scratch1(), false, 0, NULL);
+ Register holder = Frontend(name);
+ GenerateApiAccessorCall(masm(), call_optimization, map(), receiver(),
+ scratch2(), false, no_reg, holder, accessor_index);
return GetCode(kind(), Code::FAST, name);
}
@@ -270,7 +277,7 @@
Handle<Code> NamedLoadHandlerCompiler::CompileLoadInterceptor(
LookupIterator* it) {
- // So far the most popular follow ups for interceptor loads are FIELD and
+ // So far the most popular follow ups for interceptor loads are DATA and
// ExecutableAccessorInfo, so inline only them. Other cases may be added
// later.
bool inline_followup = false;
@@ -281,29 +288,71 @@
case LookupIterator::INTERCEPTOR:
case LookupIterator::JSPROXY:
case LookupIterator::NOT_FOUND:
+ case LookupIterator::INTEGER_INDEXED_EXOTIC:
break;
case LookupIterator::DATA:
inline_followup =
- it->property_details().type() == FIELD && !it->is_dictionary_holder();
+ it->property_details().type() == DATA && !it->is_dictionary_holder();
break;
case LookupIterator::ACCESSOR: {
Handle<Object> accessors = it->GetAccessors();
- inline_followup = accessors->IsExecutableAccessorInfo();
- if (!inline_followup) break;
- Handle<ExecutableAccessorInfo> info =
- Handle<ExecutableAccessorInfo>::cast(accessors);
- inline_followup = info->getter() != NULL &&
- ExecutableAccessorInfo::IsCompatibleReceiverType(
- isolate(), info, type());
+ if (accessors->IsExecutableAccessorInfo()) {
+ Handle<ExecutableAccessorInfo> info =
+ Handle<ExecutableAccessorInfo>::cast(accessors);
+ inline_followup = info->getter() != NULL &&
+ ExecutableAccessorInfo::IsCompatibleReceiverMap(
+ isolate(), info, map());
+ } else if (accessors->IsAccessorPair()) {
+ Handle<JSObject> property_holder(it->GetHolder<JSObject>());
+ Handle<Object> getter(Handle<AccessorPair>::cast(accessors)->getter(),
+ isolate());
+ if (!getter->IsJSFunction()) break;
+ if (!property_holder->HasFastProperties()) break;
+ auto function = Handle<JSFunction>::cast(getter);
+ CallOptimization call_optimization(function);
+ Handle<Map> receiver_map = map();
+ inline_followup = call_optimization.is_simple_api_call() &&
+ call_optimization.IsCompatibleReceiverMap(
+ receiver_map, property_holder);
+ }
}
}
Label miss;
InterceptorVectorSlotPush(receiver());
- Register reg = FrontendHeader(receiver(), it->name(), &miss);
+ bool lost_holder_register = false;
+ auto holder_orig = holder();
+ // non masking interceptors must check the entire chain, so temporarily reset
+ // the holder to be that last element for the FrontendHeader call.
+ if (holder()->GetNamedInterceptor()->non_masking()) {
+ DCHECK(!inline_followup);
+ JSObject* last = *holder();
+ PrototypeIterator iter(isolate(), last);
+ while (!iter.IsAtEnd()) {
+ lost_holder_register = true;
+ // Casting to JSObject is fine here. The LookupIterator makes sure to
+ // look behind non-masking interceptors during the original lookup, and
+ // we wouldn't try to compile a handler if there was a Proxy anywhere.
+ last = iter.GetCurrent<JSObject>();
+ iter.Advance();
+ }
+ auto last_handle = handle(last);
+ set_holder(last_handle);
+ }
+ Register reg = FrontendHeader(receiver(), it->name(), &miss, RETURN_HOLDER);
+ // Reset the holder so further calculations are correct.
+ set_holder(holder_orig);
+ if (lost_holder_register) {
+ if (*it->GetReceiver() == *holder()) {
+ reg = receiver();
+ } else {
+ // Reload lost holder register.
+ auto cell = isolate()->factory()->NewWeakCell(holder());
+ __ LoadWeakValue(reg, cell, &miss);
+ }
+ }
FrontendFooter(it->name(), &miss);
InterceptorVectorSlotPop(reg);
-
if (inline_followup) {
// TODO(368): Compile in the whole chain: all the interceptors in
// prototypes and ultimate answer.
@@ -319,12 +368,14 @@
LookupIterator* it, Register interceptor_reg) {
Handle<JSObject> real_named_property_holder(it->GetHolder<JSObject>());
- set_type_for_object(holder());
+ Handle<Map> holder_map(holder()->map());
+ set_map(holder_map);
set_holder(real_named_property_holder);
Label miss;
InterceptorVectorSlotPush(interceptor_reg);
- Register reg = FrontendHeader(interceptor_reg, it->name(), &miss);
+ Register reg =
+ FrontendHeader(interceptor_reg, it->name(), &miss, RETURN_HOLDER);
FrontendFooter(it->name(), &miss);
// We discard the vector and slot now because we don't miss below this point.
InterceptorVectorSlotPop(reg, DISCARD);
@@ -334,28 +385,39 @@
case LookupIterator::INTERCEPTOR:
case LookupIterator::JSPROXY:
case LookupIterator::NOT_FOUND:
+ case LookupIterator::INTEGER_INDEXED_EXOTIC:
case LookupIterator::TRANSITION:
UNREACHABLE();
case LookupIterator::DATA: {
- DCHECK_EQ(FIELD, it->property_details().type());
+ DCHECK_EQ(DATA, it->property_details().type());
__ Move(receiver(), reg);
LoadFieldStub stub(isolate(), it->GetFieldIndex());
GenerateTailCall(masm(), stub.GetCode());
break;
}
case LookupIterator::ACCESSOR:
- Handle<ExecutableAccessorInfo> info =
- Handle<ExecutableAccessorInfo>::cast(it->GetAccessors());
- DCHECK_NE(NULL, info->getter());
- GenerateLoadCallback(reg, info);
+ if (it->GetAccessors()->IsExecutableAccessorInfo()) {
+ Handle<ExecutableAccessorInfo> info =
+ Handle<ExecutableAccessorInfo>::cast(it->GetAccessors());
+ DCHECK_NOT_NULL(info->getter());
+ GenerateLoadCallback(reg, info);
+ } else {
+ auto function = handle(JSFunction::cast(
+ AccessorPair::cast(*it->GetAccessors())->getter()));
+ CallOptimization call_optimization(function);
+ GenerateApiAccessorCall(masm(), call_optimization, holder_map,
+ receiver(), scratch2(), false, no_reg, reg,
+ it->GetAccessorIndex());
+ }
}
}
Handle<Code> NamedLoadHandlerCompiler::CompileLoadViaGetter(
- Handle<Name> name, Handle<JSFunction> getter) {
- Frontend(name);
- GenerateLoadViaGetter(masm(), type(), receiver(), getter);
+ Handle<Name> name, int accessor_index, int expected_arguments) {
+ Register holder = Frontend(name);
+ GenerateLoadViaGetter(masm(), map(), receiver(), holder, accessor_index,
+ expected_arguments, scratch2());
return GetCode(kind(), Code::FAST, name);
}
@@ -365,20 +427,25 @@
Handle<Map> transition, Handle<Name> name) {
Label miss;
+ PushVectorAndSlot();
+
// Check that we are allowed to write this.
bool is_nonexistent = holder()->map() == transition->GetBackPointer();
if (is_nonexistent) {
// Find the top object.
Handle<JSObject> last;
+ PrototypeIterator::WhereToEnd end =
+ name->IsPrivate() ? PrototypeIterator::END_AT_NON_HIDDEN
+ : PrototypeIterator::END_AT_NULL;
PrototypeIterator iter(isolate(), holder());
- while (!iter.IsAtEnd()) {
- last = Handle<JSObject>::cast(PrototypeIterator::GetCurrent(iter));
+ while (!iter.IsAtEnd(end)) {
+ last = PrototypeIterator::GetCurrent<JSObject>(iter);
iter.Advance();
}
if (!last.is_null()) set_holder(last);
NonexistentFrontendHeader(name, &miss, scratch1(), scratch2());
} else {
- FrontendHeader(receiver(), name, &miss);
+ FrontendHeader(receiver(), name, &miss, DONT_RETURN_ANYTHING);
DCHECK(holder()->HasFastProperties());
}
@@ -392,11 +459,21 @@
DCHECK(!transition->is_access_check_needed());
// Call to respective StoreTransitionStub.
- if (details.type() == CONSTANT) {
- GenerateRestoreMap(transition, scratch2(), &miss);
+ bool virtual_args = StoreTransitionHelper::HasVirtualSlotArg();
+ Register map_reg = StoreTransitionHelper::MapRegister();
+
+ if (details.type() == DATA_CONSTANT) {
DCHECK(descriptors->GetValue(descriptor)->IsJSFunction());
- Register map_reg = StoreTransitionDescriptor::MapRegister();
- GenerateConstantCheck(map_reg, descriptor, value(), scratch2(), &miss);
+ Register tmp =
+ virtual_args ? VectorStoreICDescriptor::VectorRegister() : map_reg;
+ GenerateRestoreMap(transition, tmp, scratch2(), &miss);
+ GenerateConstantCheck(tmp, descriptor, value(), scratch2(), &miss);
+ if (virtual_args) {
+ // This will move the map from tmp into map_reg.
+ RearrangeVectorAndSlot(tmp, map_reg);
+ } else {
+ PopVectorAndSlot();
+ }
GenerateRestoreName(name);
StoreTransitionStub stub(isolate());
GenerateTailCall(masm(), stub.GetCode());
@@ -411,7 +488,14 @@
? StoreTransitionStub::ExtendStorageAndStoreMapAndValue
: StoreTransitionStub::StoreMapAndValue;
- GenerateRestoreMap(transition, scratch2(), &miss);
+ Register tmp =
+ virtual_args ? VectorStoreICDescriptor::VectorRegister() : map_reg;
+ GenerateRestoreMap(transition, tmp, scratch2(), &miss);
+ if (virtual_args) {
+ RearrangeVectorAndSlot(tmp, map_reg);
+ } else {
+ PopVectorAndSlot();
+ }
GenerateRestoreName(name);
StoreTransitionStub stub(isolate(),
FieldIndex::ForDescriptor(*transition, descriptor),
@@ -420,30 +504,48 @@
}
GenerateRestoreName(&miss, name);
+ PopVectorAndSlot();
TailCallBuiltin(masm(), MissBuiltin(kind()));
return GetCode(kind(), Code::FAST, name);
}
+bool NamedStoreHandlerCompiler::RequiresFieldTypeChecks(
+ HeapType* field_type) const {
+ return !field_type->Classes().Done();
+}
+
+
Handle<Code> NamedStoreHandlerCompiler::CompileStoreField(LookupIterator* it) {
Label miss;
DCHECK(it->representation().IsHeapObject());
- GenerateFieldTypeChecks(*it->GetFieldType(), value(), &miss);
+ HeapType* field_type = *it->GetFieldType();
+ bool need_save_restore = false;
+ if (RequiresFieldTypeChecks(field_type)) {
+ need_save_restore = IC::ICUseVector(kind());
+ if (need_save_restore) PushVectorAndSlot();
+ GenerateFieldTypeChecks(field_type, value(), &miss);
+ if (need_save_restore) PopVectorAndSlot();
+ }
+
StoreFieldStub stub(isolate(), it->GetFieldIndex(), it->representation());
GenerateTailCall(masm(), stub.GetCode());
__ bind(&miss);
+ if (need_save_restore) PopVectorAndSlot();
TailCallBuiltin(masm(), MissBuiltin(kind()));
return GetCode(kind(), Code::FAST, it->name());
}
Handle<Code> NamedStoreHandlerCompiler::CompileStoreViaSetter(
- Handle<JSObject> object, Handle<Name> name, Handle<JSFunction> setter) {
- Frontend(name);
- GenerateStoreViaSetter(masm(), type(), receiver(), setter);
+ Handle<JSObject> object, Handle<Name> name, int accessor_index,
+ int expected_arguments) {
+ Register holder = Frontend(name);
+ GenerateStoreViaSetter(masm(), map(), receiver(), holder, accessor_index,
+ expected_arguments, scratch2());
return GetCode(kind(), Code::FAST, name);
}
@@ -451,11 +553,11 @@
Handle<Code> NamedStoreHandlerCompiler::CompileStoreCallback(
Handle<JSObject> object, Handle<Name> name,
- const CallOptimization& call_optimization) {
- Frontend(name);
- Register values[] = {value()};
- GenerateFastApiCall(masm(), call_optimization, handle(object->map()),
- receiver(), scratch1(), true, 1, values);
+ const CallOptimization& call_optimization, int accessor_index) {
+ Register holder = Frontend(name);
+ GenerateApiAccessorCall(masm(), call_optimization, handle(object->map()),
+ receiver(), scratch2(), true, value(), holder,
+ accessor_index);
return GetCode(kind(), Code::FAST, name);
}
@@ -464,7 +566,8 @@
void ElementHandlerCompiler::CompileElementHandlers(
- MapHandleList* receiver_maps, CodeHandleList* handlers) {
+ MapHandleList* receiver_maps, CodeHandleList* handlers,
+ LanguageMode language_mode) {
for (int i = 0; i < receiver_maps->length(); ++i) {
Handle<Map> receiver_map = receiver_maps->at(i);
Handle<Code> cached_stub;
@@ -472,27 +575,40 @@
if (receiver_map->IsStringMap()) {
cached_stub = LoadIndexedStringStub(isolate()).GetCode();
} else if (receiver_map->instance_type() < FIRST_JS_RECEIVER_TYPE) {
- cached_stub = isolate()->builtins()->KeyedLoadIC_Slow();
+ cached_stub = is_strong(language_mode)
+ ? isolate()->builtins()->KeyedLoadIC_Slow_Strong()
+ : isolate()->builtins()->KeyedLoadIC_Slow();
} else {
bool is_js_array = receiver_map->instance_type() == JS_ARRAY_TYPE;
ElementsKind elements_kind = receiver_map->elements_kind();
+
+ // No need to check for an elements-free prototype chain here, the
+ // generated stub code needs to check that dynamically anyway.
+ bool convert_hole_to_undefined =
+ (is_js_array && elements_kind == FAST_HOLEY_ELEMENTS &&
+ *receiver_map ==
+ isolate()->get_initial_js_array_map(elements_kind)) &&
+ !is_strong(language_mode);
+
if (receiver_map->has_indexed_interceptor()) {
cached_stub = LoadIndexedInterceptorStub(isolate()).GetCode();
} else if (IsSloppyArgumentsElements(elements_kind)) {
cached_stub = KeyedLoadSloppyArgumentsStub(isolate()).GetCode();
} else if (IsFastElementsKind(elements_kind) ||
- IsExternalArrayElementsKind(elements_kind) ||
IsFixedTypedArrayElementsKind(elements_kind)) {
- cached_stub = LoadFastElementStub(isolate(), is_js_array, elements_kind)
- .GetCode();
+ cached_stub = LoadFastElementStub(isolate(), is_js_array, elements_kind,
+ convert_hole_to_undefined).GetCode();
} else {
DCHECK(elements_kind == DICTIONARY_ELEMENTS);
- cached_stub = LoadDictionaryElementStub(isolate()).GetCode();
+ LoadICState state =
+ LoadICState(is_strong(language_mode) ? LoadICState::kStrongModeState
+ : kNoExtraICState);
+ cached_stub = LoadDictionaryElementStub(isolate(), state).GetCode();
}
}
handlers->Add(cached_stub);
}
}
-}
-} // namespace v8::internal
+} // namespace internal
+} // namespace v8