AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[ptr-compr] Pass Isolate to JSObject::[Try]MigrateInstance()

Browse Source 
Bug: v8:9353
Change-Id: If184e02eef8cda459a3aa02ef8bee5c337177d30
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648264
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62088}
This commit is contained in:
Igor Sheludko 2019-06-11 13:15:53 +02:00 committed by Commit Bot
parent e34a236259
commit 4672bea51f
7 changed files with 26 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/compiler/access-info.cc
View File

@ -569,7 +569,7 @@ PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(
if (map_prototype->map().is_deprecated()) {
// Try to migrate the prototype object so we don't embed the deprecated
// map into the optimized code.
JSObject::TryMigrateInstance(map_prototype);
JSObject::TryMigrateInstance(isolate(), map_prototype);
}
map = handle(map_prototype->map(), isolate());
holder = map_prototype;

5
src/compiler/js-heap-broker.cc
View File

@ -674,14 +674,15 @@ bool IsFastLiteralHelper(Handle<JSObject> boilerplate, int max_depth,
DCHECK_GE(max_depth, 0);
DCHECK_GE(*max_properties, 0);
Isolate* const isolate = boilerplate->GetIsolate();
// Make sure the boilerplate map is not deprecated.
if (!JSObject::TryMigrateInstance(boilerplate)) return false;
if (!JSObject::TryMigrateInstance(isolate, boilerplate)) return false;
// Check for too deep nesting.
if (max_depth == 0) return false;
// Check the elements.
Isolate* const isolate = boilerplate->GetIsolate();
Handle<FixedArrayBase> elements(boilerplate->elements(), isolate);
if (elements->length() > 0 &&
elements->map() != ReadOnlyRoots(isolate).fixed_cow_array_map()) {

21
src/ic/ic.cc
View File

@ -318,14 +318,18 @@ void IC::OnFeedbackChanged(Isolate* isolate, FeedbackVector vector,
isolate->runtime_profiler()->NotifyICChanged();
}
static bool MigrateDeprecated(Handle<Object> object) {
namespace {
bool MigrateDeprecated(Isolate* isolate, Handle<Object> object) {
if (!object->IsJSObject()) return false;
Handle<JSObject> receiver = Handle<JSObject>::cast(object);
if (!receiver->map().is_deprecated()) return false;
JSObject::MigrateInstance(Handle<JSObject>::cast(object));
JSObject::MigrateInstance(isolate, receiver);
return true;
}
} // namespace
bool IC::ConfigureVectorState(IC::State new_state, Handle<Object> key) {
DCHECK_EQ(MEGAMORPHIC, new_state);
DCHECK_IMPLIES(!is_keyed(), key->IsName());
@ -394,7 +398,7 @@ MaybeHandle<Object> LoadIC::Load(Handle<Object> object, Handle<Name> name) {
object, name);
}
if (MigrateDeprecated(object)) use_ic = false;
if (MigrateDeprecated(isolate(), object)) use_ic = false;
if (state() != UNINITIALIZED) {
JSObject::MakePrototypesFast(object, kStartAtReceiver, isolate());
@ -1227,7 +1231,7 @@ MaybeHandle<Object> KeyedLoadIC::RuntimeLoad(Handle<Object> object,
MaybeHandle<Object> KeyedLoadIC::Load(Handle<Object> object,
Handle<Object> key) {
if (MigrateDeprecated(object)) {
if (MigrateDeprecated(isolate(), object)) {
return RuntimeLoad(object, key);
}
@ -1387,7 +1391,7 @@ MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name> name,
StoreOrigin store_origin) {
// TODO(verwaest): Let SetProperty do the migration, since storing a property
// might deprecate the current map again, if value does not fit.
if (MigrateDeprecated(object)) {
if (MigrateDeprecated(isolate(), object)) {
Handle<Object> result;
ASSIGN_RETURN_ON_EXCEPTION(
isolate(), result, Object::SetProperty(isolate(), object, name, value),
@ -1955,7 +1959,7 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
Handle<Object> value) {
// TODO(verwaest): Let SetProperty do the migration, since storing a property
// might deprecate the current map again, if value does not fit.
if (MigrateDeprecated(object)) {
if (MigrateDeprecated(isolate(), object)) {
Handle<Object> result;
ASSIGN_RETURN_ON_EXCEPTION(
isolate(), result,
@ -2091,7 +2095,8 @@ void StoreInArrayLiteralIC::Store(Handle<JSArray> array, Handle<Object> index,
DCHECK(!array->map().IsMapInArrayPrototypeChain(isolate()));
DCHECK(index->IsNumber());
if (!FLAG_use_ic || state() == NO_FEEDBACK || MigrateDeprecated(array)) {
if (!FLAG_use_ic || state() == NO_FEEDBACK ||
MigrateDeprecated(isolate(), array)) {
StoreOwnElement(isolate(), array, index, value);
TraceIC("StoreInArrayLiteralIC", index);
return;
@ -2598,7 +2603,7 @@ RUNTIME_FUNCTION(Runtime_CloneObjectIC_Miss) {
Handle<Object> source = args.at<Object>(0);
int flags = args.smi_at(1);
if (MigrateDeprecated(source)) {
if (MigrateDeprecated(isolate, source)) {
FeedbackSlot slot = FeedbackVector::ToSlot(args.smi_at(2));
Handle<HeapObject> maybe_vector = args.at<HeapObject>(3);
if (maybe_vector->IsFeedbackVector()) {

11
src/objects/js-objects.cc
View File

@ -194,15 +194,16 @@ V8_WARN_UNUSED_RESULT Maybe<bool> FastAssign(
return Just(!source->IsString() || String::cast(*source).length() == 0);
}
Isolate* isolate = target->GetIsolate();
// If the target is deprecated, the object will be updated on first store. If
// the source for that store equals the target, this will invalidate the
// cached representation of the source. Preventively upgrade the target.
// Do this on each iteration since any property load could cause deprecation.
if (target->map().is_deprecated()) {
JSObject::MigrateInstance(Handle<JSObject>::cast(target));
JSObject::MigrateInstance(isolate, Handle<JSObject>::cast(target));
}
Isolate* isolate = target->GetIsolate();
Handle<Map> map(JSReceiver::cast(*source).map(), isolate);
if (!map->IsJSObjectMap()) return Just(false);
@ -3068,8 +3069,7 @@ void JSObject::AllocateStorageForMap(Handle<JSObject> object, Handle<Map> map) {
object->synchronized_set_map(*map);
}
void JSObject::MigrateInstance(Handle<JSObject> object) {
Isolate* isolate = object->GetIsolate();
void JSObject::MigrateInstance(Isolate* isolate, Handle<JSObject> object) {
Handle<Map> original_map(object->map(), isolate);
Handle<Map> map = Map::Update(isolate, original_map);
map->set_is_migration_target(true);
@ -3085,8 +3085,7 @@ void JSObject::MigrateInstance(Handle<JSObject> object) {
}
// static
bool JSObject::TryMigrateInstance(Handle<JSObject> object) {
Isolate* isolate = object->GetIsolate();
bool JSObject::TryMigrateInstance(Isolate* isolate, Handle<JSObject> object) {
DisallowDeoptimization no_deoptimization(isolate);
Handle<Map> original_map(object->map(), isolate);
Handle<Map> new_map;

4
src/objects/js-objects.h
View File

@ -431,11 +431,11 @@ class JSObject : public JSReceiver {
// Migrates the given object to a map whose field representations are the
// lowest upper bound of all known representations for that field.
static void MigrateInstance(Handle<JSObject> instance);
static void MigrateInstance(Isolate* isolate, Handle<JSObject> instance);
// Migrates the given object only if the target map is already available,
// or returns false if such a map is not yet available.
static bool TryMigrateInstance(Handle<JSObject> instance);
static bool TryMigrateInstance(Isolate* isolate, Handle<JSObject> instance);
// Sets the property value in a normalized object given (key, value, details).
// Handles the special representation of JS global objects.

2
src/runtime/runtime-literals.cc
View File

@ -87,7 +87,7 @@ MaybeHandle<JSObject> JSObjectWalkVisitor<ContextObject>::StructureWalk(
}
if (object->map().is_deprecated()) {
JSObject::MigrateInstance(object);
JSObject::MigrateInstance(isolate, object);
}
Handle<JSObject> copy;

2
src/runtime/runtime-object.cc
View File

@ -799,7 +799,7 @@ RUNTIME_FUNCTION(Runtime_TryMigrateInstance) {
// code where we can't handle lazy deopts for lack of a suitable bailout
// ID. So we just try migration and signal failure if necessary,
// which will also trigger a deopt.
if (!JSObject::TryMigrateInstance(js_object)) return Smi::kZero;
if (!JSObject::TryMigrateInstance(isolate, js_object)) return Smi::kZero;
return *object;
}