[super IC] Fix API getter related bugs and re-enable super IC

Bug: chromium:1308360,chromium:1309467,v8:9237
Change-Id: I2923e3ee60b4b30c4e2b57b9c8569a030fc7bfbd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3550588
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79676}
This commit is contained in:
Marja Hölttä 2022-03-30 11:40:43 +02:00 committed by V8 LUCI CQ
parent 3eb8671edb
commit 185d6116ae
5 changed files with 35 additions and 28 deletions

View File

@ -2142,9 +2142,10 @@ Reduction JSNativeContextSpecialization::ReduceJSDefineKeyedOwnProperty(
}
Node* JSNativeContextSpecialization::InlinePropertyGetterCall(
Node* receiver, ConvertReceiverMode receiver_mode, Node* context,
Node* frame_state, Node** effect, Node** control,
ZoneVector<Node*>* if_exceptions, PropertyAccessInfo const& access_info) {
Node* receiver, ConvertReceiverMode receiver_mode,
Node* lookup_start_object, Node* context, Node* frame_state, Node** effect,
Node** control, ZoneVector<Node*>* if_exceptions,
PropertyAccessInfo const& access_info) {
ObjectRef constant = access_info.constant().value();
if (access_info.IsDictionaryProtoAccessorConstant()) {
@ -2166,6 +2167,11 @@ Node* JSNativeContextSpecialization::InlinePropertyGetterCall(
receiver_mode),
target, receiver, feedback, context, frame_state, *effect, *control);
} else {
// Disable optimizations for super ICs using API getters, so that we get
// the correct receiver checks.
if (receiver != lookup_start_object) {
return nullptr;
}
Node* holder = access_info.holder().has_value()
? jsgraph()->Constant(access_info.holder().value())
: receiver;
@ -2289,8 +2295,8 @@ JSNativeContextSpecialization::BuildPropertyLoad(
receiver == lookup_start_object
? ConvertReceiverMode::kNotNullOrUndefined
: ConvertReceiverMode::kAny;
value =
InlinePropertyGetterCall(receiver, receiver_mode, context, frame_state,
value = InlinePropertyGetterCall(
receiver, receiver_mode, lookup_start_object, context, frame_state,
&effect, &control, if_exceptions, access_info);
} else if (access_info.IsModuleExport()) {
Node* cell = jsgraph()->Constant(access_info.constant().value().AsCell());
@ -2314,9 +2320,11 @@ JSNativeContextSpecialization::BuildPropertyLoad(
name, access_info, lookup_start_object, &effect, &control);
}
}
if (value != nullptr) {
return ValueEffectControl(value, effect, control);
}
return base::Optional<ValueEffectControl>();
}
JSNativeContextSpecialization::ValueEffectControl
JSNativeContextSpecialization::BuildPropertyTest(

View File

@ -170,8 +170,9 @@ class V8_EXPORT_PRIVATE JSNativeContextSpecialization final
// Helpers for accessor inlining.
Node* InlinePropertyGetterCall(Node* receiver,
ConvertReceiverMode receiver_mode,
Node* context, Node* frame_state,
Node** effect, Node** control,
Node* lookup_start_object, Node* context,
Node* frame_state, Node** effect,
Node** control,
ZoneVector<Node*>* if_exceptions,
PropertyAccessInfo const& access_info);
void InlinePropertySetterCall(Node* receiver, Node* value, Node* context,

View File

@ -1669,7 +1669,7 @@ DEFINE_INT(max_valid_polymorphic_map_count, 4,
DEFINE_BOOL(native_code_counters, DEBUG_BOOL,
"generate extra code for manipulating stats counters")
DEFINE_BOOL(super_ic, false, "use an IC for super property loads")
DEFINE_BOOL(super_ic, true, "use an IC for super property loads")
DEFINE_BOOL(enable_mega_dom_ic, false, "use MegaDOM IC state for API objects")

View File

@ -751,10 +751,16 @@ void AccessorAssembler::HandleLoadICSmiHandlerLoadNamedCase(
BIND(&api_getter);
{
if (p->receiver() != p->lookup_start_object()) {
// Force super ICs using API getters into the slow path, so that we get
// the correct receiver checks.
Goto(&slow);
} else {
GotoIf(IsSideEffectFreeDebuggingActive(), &slow);
HandleLoadAccessor(p, CAST(holder), handler_word, CAST(handler),
handler_kind, exit_point);
}
}
BIND(&proxy);
{

View File

@ -20,18 +20,14 @@ snippet: "
test();
})();
"
frame size: 5
frame size: 1
parameter count: 1
bytecode array length: 24
bytecode array length: 16
bytecodes: [
/* 104 S> */ B(LdaImmutableCurrentContextSlot), U8(2),
B(Star3),
B(LdaConstant), U8(0),
B(Star4),
B(Mov), R(this), R(2),
/* 117 E> */ B(CallRuntime), U16(Runtime::kLoadFromSuper), R(2), U8(3),
/* 117 E> */ B(GetNamedPropertyFromSuper), R(this), U8(0), U8(1),
B(Star0),
/* 117 E> */ B(CallAnyReceiver), R(0), R(this), U8(1), U8(1),
/* 117 E> */ B(CallAnyReceiver), R(0), R(this), U8(1), U8(3),
/* 126 E> */ B(AddSmi), I8(1), U8(0),
/* 130 S> */ B(Return),
]
@ -58,7 +54,7 @@ snippet: "
"
frame size: 4
parameter count: 1
bytecode array length: 32
bytecode array length: 24
bytecodes: [
/* 130 S> */ B(LdaImmutableCurrentContextSlot), U8(2),
B(Star1),
@ -69,11 +65,7 @@ bytecodes: [
B(Mov), R(this), R(0),
/* 138 E> */ B(CallRuntime), U16(Runtime::kStoreToSuper), R(0), U8(4),
/* 143 S> */ B(LdaImmutableCurrentContextSlot), U8(2),
B(Star1),
B(LdaConstant), U8(0),
B(Star2),
B(Mov), R(this), R(0),
/* 156 E> */ B(CallRuntime), U16(Runtime::kLoadFromSuper), R(0), U8(3),
/* 156 E> */ B(GetNamedPropertyFromSuper), R(this), U8(0), U8(0),
/* 158 S> */ B(Return),
]
constant pool: [