X87: Use Cells to check prototype chain validity (disabled by default).

port 0179ec5797 (r27846).

original commit message:

 The cells are stored on prototypes (in their map's PrototypeInfo). When a
 prototype object changes its map, then both its own validity cell and those
 of all "downsstream" prototypes are invalidated; handlers for a given receiver
 embed the currently valid cell for that receiver's prototype during their
 compilation and check it on execution.

BUG=

Review URL: https://codereview.chromium.org/1090803002

Cr-Commit-Position: refs/heads/master@{#27877}

src/ic/x87/handler-compiler-x87.cc

@@ -414,8 +414,8 @@ void NamedStoreHandlerCompiler::GenerateFieldTypeChecks(HeapType* field_type,
 
 Register PropertyHandlerCompiler::CheckPrototypes(
     Register object_reg, Register holder_reg, Register scratch1,
-    Register scratch2, Handle<Name> name, Label* miss,
-    PrototypeCheckType check) {
+    Register scratch2, Handle<Name> name, Label* miss, PrototypeCheckType check,
+    ReturnHolder return_what) {
   Handle<Map> receiver_map = map();
 
   // Make sure there's no overlap between holder and object registers.
@@ -423,6 +423,30 @@ Register PropertyHandlerCompiler::CheckPrototypes(
   DCHECK(!scratch2.is(object_reg) && !scratch2.is(holder_reg) &&
          !scratch2.is(scratch1));
 
+  if (FLAG_eliminate_prototype_chain_checks) {
+    Handle<Cell> validity_cell =
+        Map::GetOrCreatePrototypeChainValidityCell(receiver_map, isolate());
+    if (!validity_cell.is_null()) {
+      DCHECK_EQ(Smi::FromInt(Map::kPrototypeChainValid),
+                validity_cell->value());
+      // Operand::ForCell(...) points to the cell's payload!
+      __ cmp(Operand::ForCell(validity_cell),
+             Immediate(Smi::FromInt(Map::kPrototypeChainValid)));
+      __ j(not_equal, miss);
+    }
+
+    // The prototype chain of primitives (and their JSValue wrappers) depends
+    // on the native context, which can't be guarded by validity cells.
+    // |object_reg| holds the native context specific prototype in this case;
+    // we need to check its map.
+    if (check == CHECK_ALL_MAPS) {
+      __ mov(scratch1, FieldOperand(object_reg, HeapObject::kMapOffset));
+      Handle<WeakCell> cell = Map::WeakCellForMap(receiver_map);
+      __ CmpWeakValue(scratch1, cell, scratch2);
+      __ j(not_equal, miss);
+    }
+  }
+
   // Keep track of the current object in register reg.
   Register reg = object_reg;
   int depth = 0;
@@ -467,28 +491,37 @@ Register PropertyHandlerCompiler::CheckPrototypes(
              current->property_dictionary()->FindEntry(name) ==
                  NameDictionary::kNotFound);
 
+      if (FLAG_eliminate_prototype_chain_checks && depth > 1) {
+        // TODO(jkummerow): Cache and re-use weak cell.
+        __ LoadWeakValue(reg, isolate()->factory()->NewWeakCell(current), miss);
+      }
       GenerateDictionaryNegativeLookup(masm(), miss, reg, name, scratch1,
                                        scratch2);
 
-      __ mov(scratch1, FieldOperand(reg, HeapObject::kMapOffset));
-      reg = holder_reg;  // From now on the object will be in holder_reg.
-      __ mov(reg, FieldOperand(scratch1, Map::kPrototypeOffset));
+      if (!FLAG_eliminate_prototype_chain_checks) {
+        __ mov(scratch1, FieldOperand(reg, HeapObject::kMapOffset));
+        __ mov(holder_reg, FieldOperand(scratch1, Map::kPrototypeOffset));
+      }
     } else {
       Register map_reg = scratch1;
-      __ mov(map_reg, FieldOperand(reg, HeapObject::kMapOffset));
+      if (!FLAG_eliminate_prototype_chain_checks) {
+        __ mov(map_reg, FieldOperand(reg, HeapObject::kMapOffset));
+      }
       if (current_map->IsJSGlobalObjectMap()) {
         GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current),
                                   name, scratch2, miss);
-      } else if (depth != 1 || check == CHECK_ALL_MAPS) {
+      } else if (!FLAG_eliminate_prototype_chain_checks &&
+                 (depth != 1 || check == CHECK_ALL_MAPS)) {
         Handle<WeakCell> cell = Map::WeakCellForMap(current_map);
         __ CmpWeakValue(map_reg, cell, scratch2);
         __ j(not_equal, miss);
       }
-
-      reg = holder_reg;  // From now on the object will be in holder_reg.
-      __ mov(reg, FieldOperand(map_reg, Map::kPrototypeOffset));
+      if (!FLAG_eliminate_prototype_chain_checks) {
+        __ mov(holder_reg, FieldOperand(map_reg, Map::kPrototypeOffset));
+      }
     }
 
+    reg = holder_reg;  // From now on the object will be in holder_reg.
     // Go to the next object in the prototype chain.
     current = prototype;
     current_map = handle(current->map());
@@ -499,7 +532,8 @@ Register PropertyHandlerCompiler::CheckPrototypes(
   // Log the check depth.
   LOG(isolate(), IntEvent("check-maps-depth", depth + 1));
 
-  if (depth != 0 || check == CHECK_ALL_MAPS) {
+  if (!FLAG_eliminate_prototype_chain_checks &&
+      (depth != 0 || check == CHECK_ALL_MAPS)) {
     // Check the holder map.
     __ mov(scratch1, FieldOperand(reg, HeapObject::kMapOffset));
     Handle<WeakCell> cell = Map::WeakCellForMap(current_map);
@@ -507,8 +541,13 @@ Register PropertyHandlerCompiler::CheckPrototypes(
     __ j(not_equal, miss);
   }
 
+  bool return_holder = return_what == RETURN_HOLDER;
+  if (FLAG_eliminate_prototype_chain_checks && return_holder && depth != 0) {
+    __ LoadWeakValue(reg, isolate()->factory()->NewWeakCell(current), miss);
+  }
+
   // Return the register containing the holder.
-  return reg;
+  return return_holder ? reg : no_reg;
 }
 
 
@@ -738,7 +777,7 @@ Handle<Code> NamedLoadHandlerCompiler::CompileLoadGlobal(
   if (IC::ICUseVector(kind())) {
     PushVectorAndSlot();
   }
-  FrontendHeader(receiver(), name, &miss);
+  FrontendHeader(receiver(), name, &miss, DONT_RETURN_ANYTHING);
   // Get the value from the cell.
   Register result = StoreDescriptor::ValueRegister();
   Handle<WeakCell> weak_cell = factory()->NewWeakCell(cell);