AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[turbofan] Serialize array_constructor and string_length protectors.

Browse Source 
We forgot to eliminate the read accesses of these two cells.

Bug: v8:7790, v8:8315
Change-Id: Id175e4d96461f88759b2d29ab1d407ba4c54e733
Reviewed-on: https://chromium-review.googlesource.com/c/1286680
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56752}
This commit is contained in:
Georg Neis 2018-10-17 15:59:55 +02:00 committed by Commit Bot
parent 24e50f385e
commit 51688352e5
9 changed files with 44 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/compiler/js-create-lowering.cc
View File

@ -673,7 +673,10 @@ Reduction JSCreateLowering::ReduceJSCreateArray(Node* node) {
pretenure = dependencies()->DependOnPretenureMode(*site_ref); pretenure = dependencies()->DependOnPretenureMode(*site_ref);
dependencies()->DependOnElementsKind(*site_ref); dependencies()->DependOnElementsKind(*site_ref);
} else { } else {
can_inline_call = isolate()->IsArrayConstructorIntact(); CellRef array_constructor_protector(
broker(), factory()->array_constructor_protector());
can_inline_call = array_constructor_protector.value().AsSmi() ==
Isolate::kProtectorValid;
} }
if (arity == 0) { if (arity == 0) {
@ -1356,7 +1359,7 @@ Reduction JSCreateLowering::ReduceJSCreateObject(Node* node) {
if (instance_map.is_dictionary_map()) { if (instance_map.is_dictionary_map()) {
DCHECK_EQ(prototype_const.map().oddball_type(), OddballType::kNull); DCHECK_EQ(prototype_const.map().oddball_type(), OddballType::kNull);
// Allocate an empty NameDictionary as backing store for the properties. // Allocate an empty NameDictionary as backing store for the properties.
Handle<Map> map = isolate()->factory()->name_dictionary_map(); MapRef map(broker(), factory()->name_dictionary_map());
int capacity = int capacity =
NameDictionary::ComputeCapacity(NameDictionary::kInitialCapacity); NameDictionary::ComputeCapacity(NameDictionary::kInitialCapacity);
DCHECK(base::bits::IsPowerOfTwo(capacity)); DCHECK(base::bits::IsPowerOfTwo(capacity));
@ -1810,12 +1813,12 @@ Node* JSCreateLowering::AllocateLiteralRegExp(Node* effect, Node* control,
return builder.Finish(); return builder.Finish();
} }
Factory* JSCreateLowering::factory() const { return isolate()->factory(); } Factory* JSCreateLowering::factory() const {
return jsgraph()->isolate()->factory();
}
Graph* JSCreateLowering::graph() const { return jsgraph()->graph(); } Graph* JSCreateLowering::graph() const { return jsgraph()->graph(); }
Isolate* JSCreateLowering::isolate() const { return jsgraph()->isolate(); }
CommonOperatorBuilder* JSCreateLowering::common() const { CommonOperatorBuilder* JSCreateLowering::common() const {
return jsgraph()->common(); return jsgraph()->common();
} }

1
src/compiler/js-create-lowering.h
View File

@ -112,7 +112,6 @@ class V8_EXPORT_PRIVATE JSCreateLowering final
Factory* factory() const; Factory* factory() const;
Graph* graph() const; Graph* graph() const;
JSGraph* jsgraph() const { return jsgraph_; } JSGraph* jsgraph() const { return jsgraph_; }
Isolate* isolate() const;
NativeContextRef native_context() const; NativeContextRef native_context() const;
CommonOperatorBuilder* common() const; CommonOperatorBuilder* common() const;
SimplifiedOperatorBuilder* simplified() const; SimplifiedOperatorBuilder* simplified() const;

30
src/compiler/js-heap-broker.cc
View File

@ -1104,10 +1104,30 @@ void ModuleData::Serialize(JSHeapBroker* broker) {
class CellData : public HeapObjectData { class CellData : public HeapObjectData {
public: public:
CellData(JSHeapBroker* broker, ObjectData** storage, Handle<Cell> object) CellData(JSHeapBroker* broker, ObjectData** storage, Handle<Cell> object);
: HeapObjectData(broker, storage, object) {}
void Serialize(JSHeapBroker* broker);
ObjectData* value() { return value_; }
private:
bool serialized_ = false;
ObjectData* value_ = nullptr;
}; };
CellData::CellData(JSHeapBroker* broker, ObjectData** storage,
Handle<Cell> object)
: HeapObjectData(broker, storage, object) {}
void CellData::Serialize(JSHeapBroker* broker) {
if (serialized_) return;
serialized_ = true;
TraceScope tracer(broker, this, "CellData::Serialize");
auto cell = Handle<Cell>::cast(object());
DCHECK_NULL(value_);
value_ = broker->GetOrCreateData(cell->value());
}
class JSGlobalProxyData : public JSObjectData { class JSGlobalProxyData : public JSObjectData {
public: public:
JSGlobalProxyData(JSHeapBroker* broker, ObjectData** storage, JSGlobalProxyData(JSHeapBroker* broker, ObjectData** storage,
@ -1602,10 +1622,11 @@ void JSHeapBroker::SerializeStandardObjects() {
GetOrCreateData(f->with_context_map()); GetOrCreateData(f->with_context_map());
GetOrCreateData(f->zero_string()); GetOrCreateData(f->zero_string());
// Property cells // Protector cells
GetOrCreateData(f->array_buffer_neutering_protector()) GetOrCreateData(f->array_buffer_neutering_protector())
->AsPropertyCell() ->AsPropertyCell()
->Serialize(this); ->Serialize(this);
GetOrCreateData(f->array_constructor_protector())->AsCell()->Serialize(this);
GetOrCreateData(f->array_iterator_protector()) GetOrCreateData(f->array_iterator_protector())
->AsPropertyCell() ->AsPropertyCell()
->Serialize(this); ->Serialize(this);
@ -1624,6 +1645,7 @@ void JSHeapBroker::SerializeStandardObjects() {
GetOrCreateData(f->promise_then_protector()) GetOrCreateData(f->promise_then_protector())
->AsPropertyCell() ->AsPropertyCell()
->Serialize(this); ->Serialize(this);
GetOrCreateData(f->string_length_protector())->AsCell()->Serialize(this);
// CEntry stub // CEntry stub
GetOrCreateData( GetOrCreateData(
@ -2033,6 +2055,8 @@ BIMODAL_ACCESSOR_C(AllocationSite, PretenureFlag, GetPretenureMode)
BIMODAL_ACCESSOR_C(BytecodeArray, int, register_count) BIMODAL_ACCESSOR_C(BytecodeArray, int, register_count)
BIMODAL_ACCESSOR(Cell, Object, value)
BIMODAL_ACCESSOR(HeapObject, Map, map) BIMODAL_ACCESSOR(HeapObject, Map, map)
BIMODAL_ACCESSOR(JSArray, Object, length) BIMODAL_ACCESSOR(JSArray, Object, length)

2
src/compiler/js-heap-broker.h
View File

@ -496,6 +496,8 @@ class ModuleRef : public HeapObjectRef {
class CellRef : public HeapObjectRef { class CellRef : public HeapObjectRef {
public: public:
using HeapObjectRef::HeapObjectRef; using HeapObjectRef::HeapObjectRef;
ObjectRef value() const;
}; };
class JSGlobalProxyRef : public JSObjectRef { class JSGlobalProxyRef : public JSObjectRef {

4
src/compiler/js-typed-lowering.cc
View File

@ -569,7 +569,9 @@ Reduction JSTypedLowering::ReduceJSAdd(Node* node) {
Node* length = Node* length =
graph()->NewNode(simplified()->NumberAdd(), left_length, right_length); graph()->NewNode(simplified()->NumberAdd(), left_length, right_length);
if (isolate()->IsStringLengthOverflowIntact()) { CellRef string_length_protector(broker(),
factory()->string_length_protector());
if (string_length_protector.value().AsSmi() == Isolate::kProtectorValid) {
// We can just deoptimize if the {length} is out-of-bounds. Besides // We can just deoptimize if the {length} is out-of-bounds. Besides
// generating a shorter code sequence than the version below, this // generating a shorter code sequence than the version below, this
// has the additional benefit of not holding on to the lazy {frame_state} // has the additional benefit of not holding on to the lazy {frame_state}

6
src/compiler/simplified-operator-reducer.cc
View File

@ -258,15 +258,11 @@ Reduction SimplifiedOperatorReducer::ReplaceNumber(int32_t value) {
} }
Factory* SimplifiedOperatorReducer::factory() const { Factory* SimplifiedOperatorReducer::factory() const {
return isolate()->factory(); return jsgraph()->isolate()->factory();
} }
Graph* SimplifiedOperatorReducer::graph() const { return jsgraph()->graph(); } Graph* SimplifiedOperatorReducer::graph() const { return jsgraph()->graph(); }
Isolate* SimplifiedOperatorReducer::isolate() const {
return jsgraph()->isolate();
}
MachineOperatorBuilder* SimplifiedOperatorReducer::machine() const { MachineOperatorBuilder* SimplifiedOperatorReducer::machine() const {
return jsgraph()->machine(); return jsgraph()->machine();
} }

1
src/compiler/simplified-operator-reducer.h
View File

@ -51,7 +51,6 @@ class V8_EXPORT_PRIVATE SimplifiedOperatorReducer final
Factory* factory() const; Factory* factory() const;
Graph* graph() const; Graph* graph() const;
Isolate* isolate() const;
MachineOperatorBuilder* machine() const; MachineOperatorBuilder* machine() const;
SimplifiedOperatorBuilder* simplified() const; SimplifiedOperatorBuilder* simplified() const;

6
src/compiler/typed-optimization.cc
View File

@ -664,12 +664,12 @@ Reduction TypedOptimization::ReduceToBoolean(Node* node) {
return NoChange(); return NoChange();
} }
Factory* TypedOptimization::factory() const { return isolate()->factory(); } Factory* TypedOptimization::factory() const {
return jsgraph()->isolate()->factory();
}
Graph* TypedOptimization::graph() const { return jsgraph()->graph(); } Graph* TypedOptimization::graph() const { return jsgraph()->graph(); }
Isolate* TypedOptimization::isolate() const { return jsgraph()->isolate(); }
SimplifiedOperatorBuilder* TypedOptimization::simplified() const { SimplifiedOperatorBuilder* TypedOptimization::simplified() const {
return jsgraph()->simplified(); return jsgraph()->simplified();
} }

1
src/compiler/typed-optimization.h
View File

@ -69,7 +69,6 @@ class V8_EXPORT_PRIVATE TypedOptimization final
SimplifiedOperatorBuilder* simplified() const; SimplifiedOperatorBuilder* simplified() const;
Factory* factory() const; Factory* factory() const;
Graph* graph() const; Graph* graph() const;
Isolate* isolate() const;
CompilationDependencies* dependencies() const { return dependencies_; } CompilationDependencies* dependencies() const { return dependencies_; }
JSGraph* jsgraph() const { return jsgraph_; } JSGraph* jsgraph() const { return jsgraph_; }