[turbofan] Serialize array_constructor and string_length protectors.
We forgot to eliminate the read accesses of these two cells. Bug: v8:7790, v8:8315 Change-Id: Id175e4d96461f88759b2d29ab1d407ba4c54e733 Reviewed-on: https://chromium-review.googlesource.com/c/1286680 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#56752}
This commit is contained in:
Georg Neis
Commit Bot
parent
24e50f385e
commit
51688352e5
@ -673,7 +673,10 @@ Reduction JSCreateLowering::ReduceJSCreateArray(Node* node) {
|
||||
pretenure = dependencies()->DependOnPretenureMode(*site_ref);
|
||||
dependencies()->DependOnElementsKind(*site_ref);
|
||||
} else {
|
||||
can_inline_call = isolate()->IsArrayConstructorIntact();
|
||||
CellRef array_constructor_protector(
|
||||
broker(), factory()->array_constructor_protector());
|
||||
can_inline_call = array_constructor_protector.value().AsSmi() ==
|
||||
Isolate::kProtectorValid;
|
||||
}
|
||||
|
||||
if (arity == 0) {
|
||||
@ -1356,7 +1359,7 @@ Reduction JSCreateLowering::ReduceJSCreateObject(Node* node) {
|
||||
if (instance_map.is_dictionary_map()) {
|
||||
DCHECK_EQ(prototype_const.map().oddball_type(), OddballType::kNull);
|
||||
// Allocate an empty NameDictionary as backing store for the properties.
|
||||
Handle<Map> map = isolate()->factory()->name_dictionary_map();
|
||||
MapRef map(broker(), factory()->name_dictionary_map());
|
||||
int capacity =
|
||||
NameDictionary::ComputeCapacity(NameDictionary::kInitialCapacity);
|
||||
DCHECK(base::bits::IsPowerOfTwo(capacity));
|
||||
@ -1810,12 +1813,12 @@ Node* JSCreateLowering::AllocateLiteralRegExp(Node* effect, Node* control,
|
||||
return builder.Finish();
|
||||
}
|
||||
|
||||
Factory* JSCreateLowering::factory() const { return isolate()->factory(); }
|
||||
Factory* JSCreateLowering::factory() const {
|
||||
return jsgraph()->isolate()->factory();
|
||||
}
|
||||
|
||||
Graph* JSCreateLowering::graph() const { return jsgraph()->graph(); }
|
||||
|
||||
Isolate* JSCreateLowering::isolate() const { return jsgraph()->isolate(); }
|
||||
|
||||
CommonOperatorBuilder* JSCreateLowering::common() const {
|
||||
return jsgraph()->common();
|
||||
}
|
||||
|
||||
@ -112,7 +112,6 @@ class V8_EXPORT_PRIVATE JSCreateLowering final
|
||||
Factory* factory() const;
|
||||
Graph* graph() const;
|
||||
JSGraph* jsgraph() const { return jsgraph_; }
|
||||
Isolate* isolate() const;
|
||||
NativeContextRef native_context() const;
|
||||
CommonOperatorBuilder* common() const;
|
||||
SimplifiedOperatorBuilder* simplified() const;
|
||||
|
||||
@ -1104,10 +1104,30 @@ void ModuleData::Serialize(JSHeapBroker* broker) {
|
||||
|
||||
class CellData : public HeapObjectData {
|
||||
public:
|
||||
CellData(JSHeapBroker* broker, ObjectData** storage, Handle<Cell> object)
|
||||
: HeapObjectData(broker, storage, object) {}
|
||||
CellData(JSHeapBroker* broker, ObjectData** storage, Handle<Cell> object);
|
||||
|
||||
void Serialize(JSHeapBroker* broker);
|
||||
ObjectData* value() { return value_; }
|
||||
|
||||
private:
|
||||
bool serialized_ = false;
|
||||
ObjectData* value_ = nullptr;
|
||||
};
|
||||
|
||||
CellData::CellData(JSHeapBroker* broker, ObjectData** storage,
|
||||
Handle<Cell> object)
|
||||
: HeapObjectData(broker, storage, object) {}
|
||||
|
||||
void CellData::Serialize(JSHeapBroker* broker) {
|
||||
if (serialized_) return;
|
||||
serialized_ = true;
|
||||
|
||||
TraceScope tracer(broker, this, "CellData::Serialize");
|
||||
auto cell = Handle<Cell>::cast(object());
|
||||
DCHECK_NULL(value_);
|
||||
value_ = broker->GetOrCreateData(cell->value());
|
||||
}
|
||||
|
||||
class JSGlobalProxyData : public JSObjectData {
|
||||
public:
|
||||
JSGlobalProxyData(JSHeapBroker* broker, ObjectData** storage,
|
||||
@ -1602,10 +1622,11 @@ void JSHeapBroker::SerializeStandardObjects() {
|
||||
GetOrCreateData(f->with_context_map());
|
||||
GetOrCreateData(f->zero_string());
|
||||
|
||||
// Property cells
|
||||
// Protector cells
|
||||
GetOrCreateData(f->array_buffer_neutering_protector())
|
||||
->AsPropertyCell()
|
||||
->Serialize(this);
|
||||
GetOrCreateData(f->array_constructor_protector())->AsCell()->Serialize(this);
|
||||
GetOrCreateData(f->array_iterator_protector())
|
||||
->AsPropertyCell()
|
||||
->Serialize(this);
|
||||
@ -1624,6 +1645,7 @@ void JSHeapBroker::SerializeStandardObjects() {
|
||||
GetOrCreateData(f->promise_then_protector())
|
||||
->AsPropertyCell()
|
||||
->Serialize(this);
|
||||
GetOrCreateData(f->string_length_protector())->AsCell()->Serialize(this);
|
||||
|
||||
// CEntry stub
|
||||
GetOrCreateData(
|
||||
@ -2033,6 +2055,8 @@ BIMODAL_ACCESSOR_C(AllocationSite, PretenureFlag, GetPretenureMode)
|
||||
|
||||
BIMODAL_ACCESSOR_C(BytecodeArray, int, register_count)
|
||||
|
||||
BIMODAL_ACCESSOR(Cell, Object, value)
|
||||
|
||||
BIMODAL_ACCESSOR(HeapObject, Map, map)
|
||||
|
||||
BIMODAL_ACCESSOR(JSArray, Object, length)
|
||||
|
||||
@ -496,6 +496,8 @@ class ModuleRef : public HeapObjectRef {
|
||||
class CellRef : public HeapObjectRef {
|
||||
public:
|
||||
using HeapObjectRef::HeapObjectRef;
|
||||
|
||||
ObjectRef value() const;
|
||||
};
|
||||
|
||||
class JSGlobalProxyRef : public JSObjectRef {
|
||||
|
||||
@ -569,7 +569,9 @@ Reduction JSTypedLowering::ReduceJSAdd(Node* node) {
|
||||
Node* length =
|
||||
graph()->NewNode(simplified()->NumberAdd(), left_length, right_length);
|
||||
|
||||
if (isolate()->IsStringLengthOverflowIntact()) {
|
||||
CellRef string_length_protector(broker(),
|
||||
factory()->string_length_protector());
|
||||
if (string_length_protector.value().AsSmi() == Isolate::kProtectorValid) {
|
||||
// We can just deoptimize if the {length} is out-of-bounds. Besides
|
||||
// generating a shorter code sequence than the version below, this
|
||||
// has the additional benefit of not holding on to the lazy {frame_state}
|
||||
|
||||
@ -258,15 +258,11 @@ Reduction SimplifiedOperatorReducer::ReplaceNumber(int32_t value) {
|
||||
}
|
||||
|
||||
Factory* SimplifiedOperatorReducer::factory() const {
|
||||
return isolate()->factory();
|
||||
return jsgraph()->isolate()->factory();
|
||||
}
|
||||
|
||||
Graph* SimplifiedOperatorReducer::graph() const { return jsgraph()->graph(); }
|
||||
|
||||
Isolate* SimplifiedOperatorReducer::isolate() const {
|
||||
return jsgraph()->isolate();
|
||||
}
|
||||
|
||||
MachineOperatorBuilder* SimplifiedOperatorReducer::machine() const {
|
||||
return jsgraph()->machine();
|
||||
}
|
||||
|
||||
@ -51,7 +51,6 @@ class V8_EXPORT_PRIVATE SimplifiedOperatorReducer final
|
||||
|
||||
Factory* factory() const;
|
||||
Graph* graph() const;
|
||||
Isolate* isolate() const;
|
||||
MachineOperatorBuilder* machine() const;
|
||||
SimplifiedOperatorBuilder* simplified() const;
|
||||
|
||||
|
||||
@ -664,12 +664,12 @@ Reduction TypedOptimization::ReduceToBoolean(Node* node) {
|
||||
return NoChange();
|
||||
}
|
||||
|
||||
Factory* TypedOptimization::factory() const { return isolate()->factory(); }
|
||||
Factory* TypedOptimization::factory() const {
|
||||
return jsgraph()->isolate()->factory();
|
||||
}
|
||||
|
||||
Graph* TypedOptimization::graph() const { return jsgraph()->graph(); }
|
||||
|
||||
Isolate* TypedOptimization::isolate() const { return jsgraph()->isolate(); }
|
||||
|
||||
SimplifiedOperatorBuilder* TypedOptimization::simplified() const {
|
||||
return jsgraph()->simplified();
|
||||
}
|
||||
|
||||
@ -69,7 +69,6 @@ class V8_EXPORT_PRIVATE TypedOptimization final
|
||||
SimplifiedOperatorBuilder* simplified() const;
|
||||
Factory* factory() const;
|
||||
Graph* graph() const;
|
||||
Isolate* isolate() const;
|
||||
|
||||
CompilationDependencies* dependencies() const { return dependencies_; }
|
||||
JSGraph* jsgraph() const { return jsgraph_; }
|
||||
|
||||
Loading…
Reference in New Issue
Block a user