[ic] Transition to MEGAMORPHIC when (map, handler) stays the same.

The change in https://chromium-review.googlesource.com/695108 flushed
out an issue with the IC::UpdatePolymorphicIC logic, where we'd try to
stay MONOMORPHIC or POLYMORPHIC as long as the internalized name doesn't
change. But the calling code already does the internalization for keyed
accesses with Strings, so we need to double check that the same
combination of (map, handler) is not already in the list, and properly
go to MEGAMORPHIC state if there's such a pair already.

This seriously tanked the six-speed-object-literals-ext-es5.js benchmark
on AWFY.

Bug: v8:6367, v8:6278, v8:6344
Change-Id: I90ea88d1fe61c165990c0a10d4a8687ffe351986
Reviewed-on: https://chromium-review.googlesource.com/695307
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48268}
Benedikt Meurer 2017-10-02 21:01:28 +02:00 committed by Commit Bot
parent 0c93ef357d
commit 38b489186b

@ -512,6 +512,7 @@ bool IC::UpdatePolymorphicIC(Handle<Name> name, Handle<Object> handler) {
int number_of_maps = static_cast<int>(maps.size());
int deprecated_maps = 0;
int handler_to_overwrite = -1;
if (!nexus()->FindHandlers(&handlers, number_of_maps)) return false;
for (int i = 0; i < number_of_maps; i++) {
Handle<Map> current_map = maps.at(i);
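Review bot: the loop that starts here goes on to read handlers[i] with the same i it uses for maps.at(i), so the FindHandlers lookup placed ahead of the loop has to leave handlers with exactly number_of_maps entries for that indexing to be safe. A DCHECK right after the call stating that handlers holds number_of_maps entries would document the assumption and catch a mismatch in debug builds.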
@ -519,6 +520,10 @@ bool IC::UpdatePolymorphicIC(Handle<Name> name, Handle<Object> handler) {
// Filter out deprecated maps to ensure their instances get migrated.
++deprecated_maps;
} else if (map.is_identical_to(current_map)) {
// If both map and handler stayed the same (and the name is also the
// same as checked above, for keyed accesses), we're not progressing
// in the lattice and need to go MEGAMORPHIC instead.
if (handler.is_identical_to(handlers[i])) return false;
// If the receiver type is already in the polymorphic IC, this indicates
// there was a prototoype chain failure. In that case, just overwrite the
// handler.
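Review bot: the early exit at "if (handler.is_identical_to(handlers[i])) return false;" is explained by a comment that says we need to go MEGAMORPHIC, but the function itself only returns false, so the comment should say how a false return leads the caller to that transition. The commit message ties this path to a benchmark regression and no test is visible in this change; a regression test for a keyed access with a String key that reaches an already recorded (map, handler) pair would keep the behaviour from silently coming back.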
@ -536,9 +541,6 @@ bool IC::UpdatePolymorphicIC(Handle<Name> name, Handle<Object> handler) {
if (number_of_maps == 0 && state() != MONOMORPHIC && state() != POLYMORPHIC) {
return false;
}
if (!nexus()->FindHandlers(&handlers, static_cast<int>(maps.size()))) {
return false;
}
number_of_valid_maps++;
if (number_of_valid_maps == 1) {
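Review bot: with the FindHandlers check gone from this spot and performed before the loop instead, the guard "if (number_of_maps == 0 && state() != MONOMORPHIC && state() != POLYMORPHIC)" now runs only after the handler lookup has already been done. The guard depends only on number_of_maps and state(), so consider moving it ahead of the lookup as well, or add a short comment saying why it has to stay after the loop.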