diff --git a/src/compiler/js-create-lowering.cc b/src/compiler/js-create-lowering.cc index b43b163661..cd8bd5dd40 100644 --- a/src/compiler/js-create-lowering.cc +++ b/src/compiler/js-create-lowering.cc @@ -673,7 +673,10 @@ Reduction JSCreateLowering::ReduceJSCreateArray(Node* node) { pretenure = dependencies()->DependOnPretenureMode(*site_ref); dependencies()->DependOnElementsKind(*site_ref); } else { - can_inline_call = isolate()->IsArrayConstructorIntact(); + CellRef array_constructor_protector( + broker(), factory()->array_constructor_protector()); + can_inline_call = array_constructor_protector.value().AsSmi() == + Isolate::kProtectorValid; } if (arity == 0) { @@ -1356,7 +1359,7 @@ Reduction JSCreateLowering::ReduceJSCreateObject(Node* node) { if (instance_map.is_dictionary_map()) { DCHECK_EQ(prototype_const.map().oddball_type(), OddballType::kNull); // Allocate an empty NameDictionary as backing store for the properties. - Handle map = isolate()->factory()->name_dictionary_map(); + MapRef map(broker(), factory()->name_dictionary_map()); int capacity = NameDictionary::ComputeCapacity(NameDictionary::kInitialCapacity); DCHECK(base::bits::IsPowerOfTwo(capacity)); @@ -1810,12 +1813,12 @@ Node* JSCreateLowering::AllocateLiteralRegExp(Node* effect, Node* control, return builder.Finish(); } -Factory* JSCreateLowering::factory() const { return isolate()->factory(); } +Factory* JSCreateLowering::factory() const { + return jsgraph()->isolate()->factory(); +} Graph* JSCreateLowering::graph() const { return jsgraph()->graph(); } -Isolate* JSCreateLowering::isolate() const { return jsgraph()->isolate(); } - CommonOperatorBuilder* JSCreateLowering::common() const { return jsgraph()->common(); } diff --git a/src/compiler/js-create-lowering.h b/src/compiler/js-create-lowering.h index 05d6c7e0b6..7c4a51afb0 100644 --- a/src/compiler/js-create-lowering.h +++ b/src/compiler/js-create-lowering.h @@ -112,7 +112,6 @@ class V8_EXPORT_PRIVATE JSCreateLowering final Factory* factory() const; Graph* graph() const; JSGraph* jsgraph() const { return jsgraph_; } - Isolate* isolate() const; NativeContextRef native_context() const; CommonOperatorBuilder* common() const; SimplifiedOperatorBuilder* simplified() const; diff --git a/src/compiler/js-heap-broker.cc b/src/compiler/js-heap-broker.cc index decde0b5da..9b5ef1ba1a 100644 --- a/src/compiler/js-heap-broker.cc +++ b/src/compiler/js-heap-broker.cc @@ -1104,10 +1104,30 @@ void ModuleData::Serialize(JSHeapBroker* broker) { class CellData : public HeapObjectData { public: - CellData(JSHeapBroker* broker, ObjectData** storage, Handle object) - : HeapObjectData(broker, storage, object) {} + CellData(JSHeapBroker* broker, ObjectData** storage, Handle object); + + void Serialize(JSHeapBroker* broker); + ObjectData* value() { return value_; } + + private: + bool serialized_ = false; + ObjectData* value_ = nullptr; }; +CellData::CellData(JSHeapBroker* broker, ObjectData** storage, + Handle object) + : HeapObjectData(broker, storage, object) {} + +void CellData::Serialize(JSHeapBroker* broker) { + if (serialized_) return; + serialized_ = true; + + TraceScope tracer(broker, this, "CellData::Serialize"); + auto cell = Handle::cast(object()); + DCHECK_NULL(value_); + value_ = broker->GetOrCreateData(cell->value()); +} + class JSGlobalProxyData : public JSObjectData { public: JSGlobalProxyData(JSHeapBroker* broker, ObjectData** storage, @@ -1602,10 +1622,11 @@ void JSHeapBroker::SerializeStandardObjects() { GetOrCreateData(f->with_context_map()); GetOrCreateData(f->zero_string()); - // Property cells + // Protector cells GetOrCreateData(f->array_buffer_neutering_protector()) ->AsPropertyCell() ->Serialize(this); + GetOrCreateData(f->array_constructor_protector())->AsCell()->Serialize(this); GetOrCreateData(f->array_iterator_protector()) ->AsPropertyCell() ->Serialize(this); @@ -1624,6 +1645,7 @@ void JSHeapBroker::SerializeStandardObjects() { GetOrCreateData(f->promise_then_protector()) ->AsPropertyCell() ->Serialize(this); + GetOrCreateData(f->string_length_protector())->AsCell()->Serialize(this); // CEntry stub GetOrCreateData( @@ -2033,6 +2055,8 @@ BIMODAL_ACCESSOR_C(AllocationSite, PretenureFlag, GetPretenureMode) BIMODAL_ACCESSOR_C(BytecodeArray, int, register_count) +BIMODAL_ACCESSOR(Cell, Object, value) + BIMODAL_ACCESSOR(HeapObject, Map, map) BIMODAL_ACCESSOR(JSArray, Object, length) diff --git a/src/compiler/js-heap-broker.h b/src/compiler/js-heap-broker.h index ed8858597e..7681df1654 100644 --- a/src/compiler/js-heap-broker.h +++ b/src/compiler/js-heap-broker.h @@ -496,6 +496,8 @@ class ModuleRef : public HeapObjectRef { class CellRef : public HeapObjectRef { public: using HeapObjectRef::HeapObjectRef; + + ObjectRef value() const; }; class JSGlobalProxyRef : public JSObjectRef { diff --git a/src/compiler/js-typed-lowering.cc b/src/compiler/js-typed-lowering.cc index 49f516ac41..6d59ca2e13 100644 --- a/src/compiler/js-typed-lowering.cc +++ b/src/compiler/js-typed-lowering.cc @@ -569,7 +569,9 @@ Reduction JSTypedLowering::ReduceJSAdd(Node* node) { Node* length = graph()->NewNode(simplified()->NumberAdd(), left_length, right_length); - if (isolate()->IsStringLengthOverflowIntact()) { + CellRef string_length_protector(broker(), + factory()->string_length_protector()); + if (string_length_protector.value().AsSmi() == Isolate::kProtectorValid) { // We can just deoptimize if the {length} is out-of-bounds. Besides // generating a shorter code sequence than the version below, this // has the additional benefit of not holding on to the lazy {frame_state} diff --git a/src/compiler/simplified-operator-reducer.cc b/src/compiler/simplified-operator-reducer.cc index ab64f74a43..96c434a595 100644 --- a/src/compiler/simplified-operator-reducer.cc +++ b/src/compiler/simplified-operator-reducer.cc @@ -258,15 +258,11 @@ Reduction SimplifiedOperatorReducer::ReplaceNumber(int32_t value) { } Factory* SimplifiedOperatorReducer::factory() const { - return isolate()->factory(); + return jsgraph()->isolate()->factory(); } Graph* SimplifiedOperatorReducer::graph() const { return jsgraph()->graph(); } -Isolate* SimplifiedOperatorReducer::isolate() const { - return jsgraph()->isolate(); -} - MachineOperatorBuilder* SimplifiedOperatorReducer::machine() const { return jsgraph()->machine(); } diff --git a/src/compiler/simplified-operator-reducer.h b/src/compiler/simplified-operator-reducer.h index 8ad51573e7..4024a3e439 100644 --- a/src/compiler/simplified-operator-reducer.h +++ b/src/compiler/simplified-operator-reducer.h @@ -51,7 +51,6 @@ class V8_EXPORT_PRIVATE SimplifiedOperatorReducer final Factory* factory() const; Graph* graph() const; - Isolate* isolate() const; MachineOperatorBuilder* machine() const; SimplifiedOperatorBuilder* simplified() const; diff --git a/src/compiler/typed-optimization.cc b/src/compiler/typed-optimization.cc index 4c83809b57..7c30e338cc 100644 --- a/src/compiler/typed-optimization.cc +++ b/src/compiler/typed-optimization.cc @@ -664,12 +664,12 @@ Reduction TypedOptimization::ReduceToBoolean(Node* node) { return NoChange(); } -Factory* TypedOptimization::factory() const { return isolate()->factory(); } +Factory* TypedOptimization::factory() const { + return jsgraph()->isolate()->factory(); +} Graph* TypedOptimization::graph() const { return jsgraph()->graph(); } -Isolate* TypedOptimization::isolate() const { return jsgraph()->isolate(); } - SimplifiedOperatorBuilder* TypedOptimization::simplified() const { return jsgraph()->simplified(); } diff --git a/src/compiler/typed-optimization.h b/src/compiler/typed-optimization.h index 182fba08bc..0a62dbcb3a 100644 --- a/src/compiler/typed-optimization.h +++ b/src/compiler/typed-optimization.h @@ -69,7 +69,6 @@ class V8_EXPORT_PRIVATE TypedOptimization final SimplifiedOperatorBuilder* simplified() const; Factory* factory() const; Graph* graph() const; - Isolate* isolate() const; CompilationDependencies* dependencies() const { return dependencies_; } JSGraph* jsgraph() const { return jsgraph_; }