[turbofan] Store native_context rather than global_proxy for JSFunction.

This will also be useful for JSCallReducer. In order to avoid extra work, the CL restricts one path of the JSCall lowering to functions from the own native context. Bug: v8:7790 Change-Id: I9f3a478969d641da59661ff196fdedae8195d680 Reviewed-on: https://chromium-review.googlesource.com/c/1286335 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#56733}
2018-10-17 10:59:30 +02:00 · 2018-10-17 10:59:30 +02:00 · 9bd4ee795b
commit 9bd4ee795b
parent 4c0b56af2b
3 changed files with 21 additions and 15 deletions
--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@ -284,7 +284,7 @@ class JSFunctionData : public JSObjectData {

  void Serialize(JSHeapBroker* broker);

-  JSGlobalProxyData* global_proxy() const { return global_proxy_; }
+  NativeContextData* native_context() const { return native_context_; }
  MapData* initial_map() const { return initial_map_; }
  ObjectData* prototype() const { return prototype_; }
  SharedFunctionInfoData* shared() const { return shared_; }
@ -300,7 +300,7 @@ class JSFunctionData : public JSObjectData {

  bool serialized_ = false;

-  JSGlobalProxyData* global_proxy_ = nullptr;
+  NativeContextData* native_context_ = nullptr;
  MapData* initial_map_ = nullptr;
  ObjectData* prototype_ = nullptr;
  SharedFunctionInfoData* shared_ = nullptr;
@ -749,13 +749,13 @@ void JSFunctionData::Serialize(JSHeapBroker* broker) {
  TraceScope tracer(broker, this, "JSFunctionData::Serialize");
  Handle<JSFunction> function = Handle<JSFunction>::cast(object());

-  DCHECK_NULL(global_proxy_);
+  DCHECK_NULL(native_context_);
  DCHECK_NULL(initial_map_);
  DCHECK_NULL(prototype_);
  DCHECK_NULL(shared_);

-  global_proxy_ =
-      broker->GetOrCreateData(function->global_proxy())->AsJSGlobalProxy();
+  native_context_ =
+      broker->GetOrCreateData(function->native_context())->AsNativeContext();
  shared_ = broker->GetOrCreateData(function->shared())->AsSharedFunctionInfo();
  initial_map_ = has_initial_map()
                     ? broker->GetOrCreateData(function->initial_map())->AsMap()
@ -2040,7 +2040,7 @@ BIMODAL_ACCESSOR(JSArray, Object, length)
 BIMODAL_ACCESSOR_C(JSFunction, bool, has_prototype)
 BIMODAL_ACCESSOR_C(JSFunction, bool, has_initial_map)
 BIMODAL_ACCESSOR_C(JSFunction, bool, PrototypeRequiresRuntimeLookup)
-BIMODAL_ACCESSOR(JSFunction, JSGlobalProxy, global_proxy)
+BIMODAL_ACCESSOR(JSFunction, NativeContext, native_context)
 BIMODAL_ACCESSOR(JSFunction, Map, initial_map)
 BIMODAL_ACCESSOR(JSFunction, Object, prototype)
 BIMODAL_ACCESSOR(JSFunction, SharedFunctionInfo, shared)
--- a/src/compiler/js-heap-broker.h
+++ b/src/compiler/js-heap-broker.h
@ -199,7 +199,7 @@ class JSFunctionRef : public JSObjectRef {
  // The following are available only after calling Serialize().
  ObjectRef prototype() const;
  MapRef initial_map() const;
-  JSGlobalProxyRef global_proxy() const;
+  NativeContextRef native_context() const;
  SharedFunctionInfoRef shared() const;
  int InitialMapInstanceSizeWithMinSlack() const;
 };
@ -247,6 +247,7 @@ class ContextRef : public HeapObjectRef {
  V(JSFunction, promise_function)                  \
  V(JSFunction, string_function)                   \
  V(JSFunction, symbol_function)                   \
+  V(JSGlobalProxy, global_proxy_object)            \
  V(Map, fast_aliased_arguments_map)               \
  V(Map, initial_array_iterator_map)               \
  V(Map, initial_string_iterator_map)              \
--- a/src/compiler/js-typed-lowering.cc
+++ b/src/compiler/js-typed-lowering.cc
@ -1625,22 +1625,27 @@ Reduction JSTypedLowering::ReduceJSCall(Node* node) {
    // See ES6 section 9.2.1 [[Call]] ( thisArgument, argumentsList ).
    if (IsClassConstructor(shared.kind())) return NoChange();

-    // Load the context from the {target}.
-    Node* context = effect = graph()->NewNode(
-        simplified()->LoadField(AccessBuilder::ForJSFunctionContext()), target,
-        effect, control);
-    NodeProperties::ReplaceContextInput(node, context);
-
-    // Check if we need to convert the {receiver}.
+    // Check if we need to convert the {receiver}, but bailout if it would
+    // require data from a foreign native context.
    if (is_sloppy(shared.language_mode()) && !shared.native() &&
        !receiver_type.Is(Type::Receiver())) {
-      Node* global_proxy = jsgraph()->Constant(function.global_proxy());
+      if (!function.native_context().equals(broker()->native_context())) {
+        return NoChange();
+      }
+      Node* global_proxy =
+          jsgraph()->Constant(function.native_context().global_proxy_object());
      receiver = effect =
          graph()->NewNode(simplified()->ConvertReceiver(convert_mode),
                           receiver, global_proxy, effect, control);
      NodeProperties::ReplaceValueInput(node, receiver, 1);
    }

+    // Load the context from the {target}.
+    Node* context = effect = graph()->NewNode(
+        simplified()->LoadField(AccessBuilder::ForJSFunctionContext()), target,
+        effect, control);
+    NodeProperties::ReplaceContextInput(node, context);
+
    // Update the effect dependency for the {node}.
    NodeProperties::ReplaceEffectInput(node, effect);