AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[turbofan] Canonicalize uses of DependOnProtector

Browse Source 
This merges the check if a protector is intact with the recording of
the dependency on it, at least in many cases.

Also introduce convenience functions to avoid the heap broker clutter.

Change-Id: I35508c4685a2f0df77819bf81075dd14a30e7e4f
Reviewed-on: https://chromium-review.googlesource.com/c/1487491
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59924}
This commit is contained in:
Georg Neis 2019-02-27 19:10:29 +01:00 committed by Commit Bot
parent 9c5cd06611
commit a25279df8b
10 changed files with 140 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
src/compiler/compilation-dependencies.cc
View File

@ -12,8 +12,9 @@ namespace v8 {
namespace internal {
namespace compiler {
CompilationDependencies::CompilationDependencies(Isolate* isolate, Zone* zone)
: zone_(zone), dependencies_(zone), isolate_(isolate) {}
CompilationDependencies::CompilationDependencies(JSHeapBroker* broker,
Zone* zone)
: zone_(zone), broker_(broker), dependencies_(zone) {}
class CompilationDependencies::Dependency : public ZoneObject {
public:
@ -423,8 +424,46 @@ void CompilationDependencies::DependOnGlobalProperty(
GlobalPropertyDependency(cell, type, read_only));
}
void CompilationDependencies::DependOnProtector(const PropertyCellRef& cell) {
bool CompilationDependencies::DependOnProtector(const PropertyCellRef& cell) {
if (cell.value().AsSmi() != Isolate::kProtectorValid) return false;
dependencies_.push_front(new (zone_) ProtectorDependency(cell));
return true;
}
bool CompilationDependencies::DependOnArrayBufferDetachingProtector() {
return DependOnProtector(PropertyCellRef(
broker_,
broker_->isolate()->factory()->array_buffer_detaching_protector()));
}
bool CompilationDependencies::DependOnArrayIteratorProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->array_iterator_protector()));
}
bool CompilationDependencies::DependOnArraySpeciesProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->array_species_protector()));
}
bool CompilationDependencies::DependOnNoElementsProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->no_elements_protector()));
}
bool CompilationDependencies::DependOnPromiseHookProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->promise_hook_protector()));
}
bool CompilationDependencies::DependOnPromiseSpeciesProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->promise_species_protector()));
}
bool CompilationDependencies::DependOnPromiseThenProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->promise_then_protector()));
}
void CompilationDependencies::DependOnElementsKind(
@ -474,7 +513,7 @@ bool CompilationDependencies::Commit(Handle<Code> code) {
// these cases, because once the code gets executed it will do a stack check
// that triggers its deoptimization.
if (FLAG_stress_gc_during_compilation) {
isolate_->heap()->PreciseCollectAllGarbage(
broker_->isolate()->heap()->PreciseCollectAllGarbage(
Heap::kNoGCFlags, GarbageCollectionReason::kTesting,
kGCCallbackFlagForced);
}
@ -490,8 +529,7 @@ bool CompilationDependencies::Commit(Handle<Code> code) {
namespace {
// This function expects to never see a JSProxy.
void DependOnStablePrototypeChain(JSHeapBroker* broker,
CompilationDependencies* deps, MapRef map,
void DependOnStablePrototypeChain(CompilationDependencies* deps, MapRef map,
const JSObjectRef& last_prototype) {
while (true) {
map.SerializePrototype();
@ -504,19 +542,18 @@ void DependOnStablePrototypeChain(JSHeapBroker* broker,
} // namespace
void CompilationDependencies::DependOnStablePrototypeChains(
JSHeapBroker* broker, std::vector<Handle<Map>> const& receiver_maps,
const JSObjectRef& holder) {
std::vector<Handle<Map>> const& receiver_maps, const JSObjectRef& holder) {
// Determine actual holder and perform prototype chain checks.
for (auto map : receiver_maps) {
MapRef receiver_map(broker, map);
MapRef receiver_map(broker_, map);
if (receiver_map.IsPrimitiveMap()) {
// Perform the implicit ToObject for primitives here.
// Implemented according to ES6 section 7.3.2 GetV (V, P).
base::Optional<JSFunctionRef> constructor =
broker->native_context().GetConstructorFunction(receiver_map);
broker_->native_context().GetConstructorFunction(receiver_map);
if (constructor.has_value()) receiver_map = constructor->initial_map();
}
DependOnStablePrototypeChain(broker, this, receiver_map, holder);
DependOnStablePrototypeChain(this, receiver_map, holder);
}
}

23
src/compiler/compilation-dependencies.h
View File

@ -28,7 +28,7 @@ class SlackTrackingPrediction {
// Collects and installs dependencies of the code that is being generated.
class V8_EXPORT_PRIVATE CompilationDependencies : public ZoneObject {
public:
CompilationDependencies(Isolate* isolate, Zone* zone);
CompilationDependencies(JSHeapBroker* broker, Zone* zone);
V8_WARN_UNUSED_RESULT bool Commit(Handle<Code> code);
@ -68,8 +68,18 @@ class V8_EXPORT_PRIVATE CompilationDependencies : public ZoneObject {
// {IsReadOnly()} flag of {cell}'s {PropertyDetails}.
void DependOnGlobalProperty(const PropertyCellRef& cell);
// Record the assumption that the protector remains valid.
void DependOnProtector(const PropertyCellRef& cell);
// Return the validity of the given protector and, if true, record the
// assumption that the protector remains valid.
bool DependOnProtector(const PropertyCellRef& cell);
// Convenience wrappers around {DependOnProtector}.
bool DependOnArrayBufferDetachingProtector();
bool DependOnArrayIteratorProtector();
bool DependOnArraySpeciesProtector();
bool DependOnNoElementsProtector();
bool DependOnPromiseHookProtector();
bool DependOnPromiseSpeciesProtector();
bool DependOnPromiseThenProtector();
// Record the assumption that {site}'s {ElementsKind} doesn't change.
void DependOnElementsKind(const AllocationSiteRef& site);
@ -77,8 +87,7 @@ class V8_EXPORT_PRIVATE CompilationDependencies : public ZoneObject {
// Depend on the stability of (the maps of) all prototypes of every class in
// {receiver_type} up to (and including) the {holder}.
void DependOnStablePrototypeChains(
JSHeapBroker* broker, std::vector<Handle<Map>> const& receiver_maps,
const JSObjectRef& holder);
std::vector<Handle<Map>> const& receiver_maps, const JSObjectRef& holder);
// Like DependOnElementsKind but also applies to all nested allocation sites.
void DependOnElementsKinds(const AllocationSiteRef& site);
@ -98,9 +107,9 @@ class V8_EXPORT_PRIVATE CompilationDependencies : public ZoneObject {
class Dependency;
private:
Zone* zone_;
Zone* const zone_;
JSHeapBroker* const broker_;
ZoneForwardList<Dependency*> dependencies_;
Isolate* isolate_;
};
} // namespace compiler

173
src/compiler/js-call-reducer.cc
View File

@ -1070,10 +1070,7 @@ Reduction JSCallReducer::ReduceArrayForEach(
return NoChange();
}
// Install code dependencies on the {receiver} prototype maps and the
// global array protector cell.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
// If we have unreliable maps, we need a map check.
if (result == NodeProperties::kUnreliableReceiverMaps) {
@ -1257,10 +1254,7 @@ Reduction JSCallReducer::ReduceArrayReduce(
}
};
// Install code dependencies on the {receiver} prototype maps and the
// global array protector cell.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
// If we have unreliable maps, we need a map check.
if (result == NodeProperties::kUnreliableReceiverMaps) {
@ -1524,12 +1518,9 @@ Reduction JSCallReducer::ReduceArrayMap(Node* node,
}
if (IsHoleyElementsKind(kind)) {
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
}
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_species_protector()));
if (!dependencies()->DependOnArraySpeciesProtector()) UNREACHABLE();
Node* array_constructor = jsgraph()->Constant(
native_context().GetInitialJSArrayMap(kind).GetConstructor());
@ -1727,12 +1718,9 @@ Reduction JSCallReducer::ReduceArrayFilter(
const ElementsKind packed_kind = GetPackedElementsKind(kind);
if (IsHoleyElementsKind(kind)) {
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
}
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_species_protector()));
if (!dependencies()->DependOnArraySpeciesProtector()) UNREACHABLE();
MapRef initial_map = native_context().GetInitialJSArrayMap(packed_kind);
@ -1995,10 +1983,7 @@ Reduction JSCallReducer::ReduceArrayFind(Node* node, ArrayFindVariant variant,
return NoChange();
}
// Install code dependencies on the {receiver} prototype maps and the
// global array protector cell.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
// If we have unreliable maps, we need a map check.
if (result == NodeProperties::kUnreliableReceiverMaps) {
@ -2314,12 +2299,9 @@ Reduction JSCallReducer::ReduceArrayEvery(Node* node,
}
if (IsHoleyElementsKind(kind)) {
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
}
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_species_protector()));
if (!dependencies()->DependOnArraySpeciesProtector()) UNREACHABLE();
// If we have unreliable maps, we need a map check.
if (result == NodeProperties::kUnreliableReceiverMaps) {
@ -2578,8 +2560,7 @@ Reduction JSCallReducer::ReduceArrayIndexOfIncludes(
}
if (IsHoleyElementsKind(kind)) {
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
}
Callable const callable = search_variant == SearchVariant::kIndexOf
@ -2664,12 +2645,9 @@ Reduction JSCallReducer::ReduceArraySome(Node* node,
}
if (IsHoleyElementsKind(kind)) {
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
}
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_species_protector()));
if (!dependencies()->DependOnArraySpeciesProtector()) UNREACHABLE();
Node* k = jsgraph()->ZeroConstant();
@ -3135,8 +3113,7 @@ Reduction JSCallReducer::ReduceCallOrConstructWithArrayLikeOrSpread(
// that no one messed with the %ArrayIteratorPrototype%.next method.
if (node->opcode() == IrOpcode::kJSCallWithSpread ||
node->opcode() == IrOpcode::kJSConstructWithSpread) {
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_iterator_protector()));
if (!dependencies()->DependOnArrayIteratorProtector()) UNREACHABLE();
}
// Remove the {arguments_list} input from the {node}.
@ -4378,8 +4355,7 @@ Reduction JSCallReducer::ReduceArrayPrototypePush(Node* node) {
return NoChange();
}
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
// If the {receiver_maps} information is not reliable, we need
// to check that the {receiver} still has one of these maps.
@ -4483,8 +4459,7 @@ Reduction JSCallReducer::ReduceArrayPrototypePop(Node* node) {
return NoChange();
}
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
// If the {receiver_maps} information is not reliable, we need
// to check that the {receiver} still has one of these maps.
@ -4593,8 +4568,7 @@ Reduction JSCallReducer::ReduceArrayPrototypeShift(Node* node) {
return NoChange();
}
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
// If the {receiver_maps} information is not reliable, we need
// to check that the {receiver} still has one of these maps.
@ -4805,15 +4779,10 @@ Reduction JSCallReducer::ReduceArrayPrototypeSlice(Node* node) {
}
}
// Install code dependency on the Array[@@species] protector.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_species_protector()));
// Install code dependency on the array protector for holey arrays.
if (can_be_holey) {
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
}
if (!dependencies()->DependOnArraySpeciesProtector()) UNREACHABLE();
// If we have unreliable maps, we need a map check, as there might be
// side-effects caused by the evaluation of the {node}s parameters.
@ -4966,8 +4935,7 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
// Install code dependency on the array protector for holey arrays.
if (IsHoleyElementsKind(elements_kind)) {
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
}
// Load the (current) {iterated_object} from the {iterator}.
@ -4984,12 +4952,7 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
if (IsFixedTypedArrayElementsKind(elements_kind)) {
// See if we can skip the detaching check.
if (isolate()->IsArrayBufferDetachingIntact()) {
// Add a code dependency so we are deoptimized in case an ArrayBuffer
// gets detached.
dependencies()->DependOnProtector(PropertyCellRef(
broker(), factory()->array_buffer_detaching_protector()));
} else {
if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
// Bail out if the {iterated_object}s JSArrayBuffer was detached.
Node* buffer = effect = graph()->NewNode(
simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
@ -5525,13 +5488,11 @@ Reduction JSCallReducer::ReducePromiseConstructor(Node* node) {
Node* control = NodeProperties::GetControlInput(node);
if (!FLAG_experimental_inline_promise_constructor) return NoChange();
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Only handle builtins Promises, not subclasses.
if (target != new_target) return NoChange();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
SharedFunctionInfoRef promise_shared =
native_context().promise_function().shared();
@ -5683,10 +5644,7 @@ Reduction JSCallReducer::ReducePromiseInternalConstructor(Node* node) {
Node* effect = NodeProperties::GetEffectInput(node);
// Check that promises aren't being observed through (debug) hooks.
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
// Create a new pending promise.
Node* value = effect =
@ -5755,12 +5713,6 @@ Reduction JSCallReducer::ReducePromisePrototypeCatch(Node* node) {
Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node);
// Check that the Promise.then protector is intact. This protector guards
// that all JSPromise instances whose [[Prototype]] is the initial
// %PromisePrototype% yield the initial %PromisePrototype%.then method
// when looking up "then".
if (!isolate()->IsPromiseThenLookupChainIntact()) return NoChange();
// Check if we know something about {receiver} already.
ZoneHandleSet<Map> receiver_maps;
NodeProperties::InferReceiverMapsResult result =
@ -5781,8 +5733,11 @@ Reduction JSCallReducer::ReducePromisePrototypeCatch(Node* node) {
}
}
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_then_protector()));
// Check that the Promise.then protector is intact. This protector guards
// that all JSPromise instances whose [[Prototype]] is the initial
// %PromisePrototype% yield the initial %PromisePrototype%.then method
// when looking up "then".
if (!dependencies()->DependOnPromiseThenProtector()) return NoChange();
// If the {receiver_maps} aren't reliable, we need to repeat the
// map check here, guarded by the CALL_IC.
@ -5825,21 +5780,6 @@ Reduction JSCallReducer::ReducePromisePrototypeFinally(Node* node) {
return NoChange();
}
// Check that promises aren't being observed through (debug) hooks.
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Check that the Promise#then protector is intact. This protector guards
// that all JSPromise instances whose [[Prototype]] is the initial
// %PromisePrototype% yield the initial %PromisePrototype%.then method
// when looking up "then".
if (!isolate()->IsPromiseThenLookupChainIntact()) return NoChange();
// Also check that the @@species protector is intact, which guards the
// lookup of "constructor" on JSPromise instances, whoch [[Prototype]] is
// the initial %PromisePrototype%, and the Symbol.species lookup on the
// %PromisePrototype%.
if (!isolate()->IsPromiseSpeciesLookupChainIntact()) return NoChange();
// Check if we know something about {receiver} already.
ZoneHandleSet<Map> receiver_maps;
NodeProperties::InferReceiverMapsResult result =
@ -5860,12 +5800,20 @@ Reduction JSCallReducer::ReducePromisePrototypeFinally(Node* node) {
}
}
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_then_protector()));
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_species_protector()));
// Check that promises aren't being observed through (debug) hooks.
if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
// Check that the Promise#then protector is intact. This protector guards
// that all JSPromise instances whose [[Prototype]] is the initial
// %PromisePrototype% yield the initial %PromisePrototype%.then method
// when looking up "then".
if (!dependencies()->DependOnPromiseThenProtector()) return NoChange();
// Also check that the @@species protector is intact, which guards the
// lookup of "constructor" on JSPromise instances, whoch [[Prototype]] is
// the initial %PromisePrototype%, and the Symbol.species lookup on the
// %PromisePrototype%.
if (!dependencies()->DependOnPromiseSpeciesProtector()) return NoChange();
// If the {receiver_maps} aren't reliable, we need to repeat the
// map check here, guarded by the CALL_IC.
@ -5986,15 +5934,6 @@ Reduction JSCallReducer::ReducePromisePrototypeThen(Node* node) {
Node* control = NodeProperties::GetControlInput(node);
Node* frame_state = NodeProperties::GetFrameStateInput(node);
// Check that promises aren't being observed through (debug) hooks.
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Check if the @@species protector is intact. The @@species protector
// guards the "constructor" lookup on all JSPromise instances and the
// initial Promise.prototype, as well as the Symbol.species lookup on
// the Promise constructor.
if (!isolate()->IsPromiseSpeciesLookupChainIntact()) return NoChange();
// Check if we know something about {receiver} already.
ZoneHandleSet<Map> receiver_maps;
NodeProperties::InferReceiverMapsResult infer_receiver_maps_result =
@ -6017,10 +5956,14 @@ Reduction JSCallReducer::ReducePromisePrototypeThen(Node* node) {
}
}
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_species_protector()));
// Check that promises aren't being observed through (debug) hooks.
if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
// Check if the @@species protector is intact. The @@species protector
// guards the "constructor" lookup on all JSPromise instances and the
// initial Promise.prototype, as well as the Symbol.species lookup on
// the Promise constructor.
if (!dependencies()->DependOnPromiseSpeciesProtector()) return NoChange();
// If the {receiver_maps} aren't reliable, we need to repeat the
// map check here, guarded by the CALL_IC.
@ -6711,12 +6654,7 @@ Reduction JSCallReducer::ReduceArrayBufferViewAccessor(
receiver, effect, control);
// See if we can skip the detaching check.
if (isolate()->IsArrayBufferDetachingIntact()) {
// Add a code dependency so we are deoptimized in case an ArrayBuffer
// gets detached.
dependencies()->DependOnProtector(PropertyCellRef(
broker(), factory()->array_buffer_detaching_protector()));
} else {
if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
// Check whether {receiver}s JSArrayBuffer was detached.
Node* buffer = effect = graph()->NewNode(
simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
@ -6860,12 +6798,7 @@ Reduction JSCallReducer::ReduceDataViewAccess(Node* node, DataViewAccess access,
simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
receiver, effect, control);
if (isolate()->IsArrayBufferDetachingIntact()) {
// Add a code dependency so we are deoptimized in case an ArrayBuffer
// gets detached.
dependencies()->DependOnProtector(PropertyCellRef(
broker(), factory()->array_buffer_detaching_protector()));
} else {
if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
// Bail out if the {buffer} was detached.
Node* buffer_bit_field = effect = graph()->NewNode(
simplified()->LoadField(AccessBuilder::ForJSArrayBufferBitField()),
@ -7079,7 +7012,7 @@ Reduction JSCallReducer::ReduceRegExpPrototypeTest(Node* node) {
// Protect the prototype chain from changes.
dependencies()->DependOnStablePrototypeChains(
broker(), ai_exec.receiver_maps(), JSObjectRef(broker(), holder));
ai_exec.receiver_maps(), JSObjectRef(broker(), holder));
// Protect the exec method change in the holder.
Handle<Object> exec_on_proto;
@ -7102,7 +7035,7 @@ Reduction JSCallReducer::ReduceRegExpPrototypeTest(Node* node) {
Handle<JSObject> holder;
if (ai_exec.holder().ToHandle(&holder)) {
dependencies()->DependOnStablePrototypeChains(
broker(), ai_exec.receiver_maps(), JSObjectRef(broker(), holder));
ai_exec.receiver_maps(), JSObjectRef(broker(), holder));
}
if (need_map_check) {

51
src/compiler/js-native-context-specialization.cc
View File

@ -219,11 +219,8 @@ Reduction JSNativeContextSpecialization::ReduceJSAsyncFunctionEnter(
Node* frame_state = NodeProperties::GetFrameStateInput(node);
Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node);
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Install a code dependency on the promise hook protector cell.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
// Create the promise for the async function.
Node* promise = effect =
@ -252,11 +249,8 @@ Reduction JSNativeContextSpecialization::ReduceJSAsyncFunctionReject(
Node* frame_state = NodeProperties::GetFrameStateInput(node);
Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node);
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Install a code dependency on the promise hook protector cell.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
// Load the promise from the {async_function_object}.
Node* promise = effect = graph()->NewNode(
@ -291,11 +285,8 @@ Reduction JSNativeContextSpecialization::ReduceJSAsyncFunctionResolve(
Node* frame_state = NodeProperties::GetFrameStateInput(node);
Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node);
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Install a code dependency on the promise hook protector cell.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
// Load the promise from the {async_function_object}.
Node* promise = effect = graph()->NewNode(
@ -426,7 +417,7 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
Handle<JSObject> holder;
if (access_info.holder().ToHandle(&holder)) {
dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder));
access_info.receiver_maps(), JSObjectRef(broker(), holder));
}
// Monomorphic property access.
@ -481,7 +472,7 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
if (found_on_proto) {
dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder));
access_info.receiver_maps(), JSObjectRef(broker(), holder));
}
DCHECK(constant->IsCallable());
@ -665,10 +656,6 @@ Reduction JSNativeContextSpecialization::ReduceJSPromiseResolve(Node* node) {
Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node);
if (!isolate()->IsPromiseHookProtectorIntact()) {
return NoChange();
}
// Check if the {constructor} is the %Promise% function.
HeapObjectMatcher m(constructor);
if (!m.HasValue() ||
@ -688,9 +675,7 @@ Reduction JSNativeContextSpecialization::ReduceJSPromiseResolve(Node* node) {
if (value_map->IsJSPromiseMap()) return NoChange();
}
// Install a code dependency on the promise hook protector cell.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
// Create a %Promise% instance and resolve it with {value}.
Node* promise = effect =
@ -745,7 +730,7 @@ Reduction JSNativeContextSpecialization::ReduceJSResolvePromise(Node* node) {
Handle<JSObject> holder;
if (access_info.holder().ToHandle(&holder)) {
dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder));
access_info.receiver_maps(), JSObjectRef(broker(), holder));
}
// Add stability dependencies on the {resolution_maps}.
@ -2159,7 +2144,7 @@ JSNativeContextSpecialization::BuildPropertyLoad(
PropertyAccessBuilder access_builder(jsgraph(), broker(), dependencies());
if (access_info.holder().ToHandle(&holder)) {
dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder));
access_info.receiver_maps(), JSObjectRef(broker(), holder));
}
// Generate the actual property access.
@ -2218,7 +2203,7 @@ JSNativeContextSpecialization::BuildPropertyStore(
if (access_info.holder().ToHandle(&holder)) {
DCHECK_NE(AccessMode::kStoreInLiteral, access_mode);
dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder));
access_info.receiver_maps(), JSObjectRef(broker(), holder));
}
DCHECK(!access_info.IsNotFound());
@ -2636,12 +2621,7 @@ JSNativeContextSpecialization::BuildElementAccess(
}
// See if we can skip the detaching check.
if (isolate()->IsArrayBufferDetachingIntact()) {
// Add a code dependency so we are deoptimized in case an ArrayBuffer
// gets detached.
dependencies()->DependOnProtector(PropertyCellRef(
broker(), factory()->array_buffer_detaching_protector()));
} else {
if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
// Deopt if the {buffer} was detached.
// Note: A detached buffer leads to megamorphic feedback.
Node* buffer_bit_field = effect = graph()->NewNode(
@ -3050,10 +3030,7 @@ Node* JSNativeContextSpecialization::BuildIndexedStringLoad(
Node* receiver, Node* index, Node* length, Node** effect, Node** control,
KeyedAccessLoadMode load_mode) {
if (load_mode == LOAD_IGNORE_OUT_OF_BOUNDS &&
isolate()->IsNoElementsProtectorIntact()) {
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
dependencies()->DependOnNoElementsProtector()) {
// Ensure that the {index} is a valid String length.
index = *effect = graph()->NewNode(
simplified()->CheckBounds(VectorSlotPair()), index,
@ -3200,11 +3177,7 @@ bool JSNativeContextSpecialization::CanTreatHoleAsUndefined(
}
// Check if the array prototype chain is intact.
if (!isolate()->IsNoElementsProtectorIntact()) return false;
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
return true;
return dependencies()->DependOnNoElementsProtector();
}
namespace {

2
src/compiler/pipeline.cc
View File

@ -136,7 +136,7 @@ class PipelineData {
JSGraph(isolate_, graph_, common_, javascript_, simplified_, machine_);
broker_ = new (info_->zone()) JSHeapBroker(isolate_, info_->zone());
dependencies_ =
new (info_->zone()) CompilationDependencies(isolate_, info_->zone());
new (info_->zone()) CompilationDependencies(broker_, info_->zone());
}
// For WebAssembly compile entry point.

10
test/cctest/test-field-type-tracking.cc
View File

@ -664,7 +664,7 @@ static void TestGeneralizeField(int detach_property_at_index,
// Create new maps by generalizing representation of propX field.
CanonicalHandleScope canonical(isolate);
JSHeapBroker broker(isolate, &zone);
CompilationDependencies dependencies(isolate, &zone);
CompilationDependencies dependencies(&broker, &zone);
MapRef map_ref(&broker, map);
map_ref.SerializeOwnDescriptors();
dependencies.DependOnFieldType(map_ref, property_index);
@ -1041,7 +1041,7 @@ static void TestReconfigureDataFieldAttribute_GeneralizeField(
Zone zone(isolate->allocator(), ZONE_NAME);
CanonicalHandleScope canonical(isolate);
JSHeapBroker broker(isolate, &zone);
CompilationDependencies dependencies(isolate, &zone);
CompilationDependencies dependencies(&broker, &zone);
MapRef map_ref(&broker, map);
map_ref.SerializeOwnDescriptors();
dependencies.DependOnFieldType(map_ref, kSplitProp);
@ -1128,7 +1128,7 @@ static void TestReconfigureDataFieldAttribute_GeneralizeFieldTrivial(
Zone zone(isolate->allocator(), ZONE_NAME);
CanonicalHandleScope canonical(isolate);
JSHeapBroker broker(isolate, &zone);
CompilationDependencies dependencies(isolate, &zone);
CompilationDependencies dependencies(&broker, &zone);
MapRef map_ref(&broker, map);
map_ref.SerializeOwnDescriptors();
dependencies.DependOnFieldType(map_ref, kSplitProp);
@ -1813,7 +1813,7 @@ static void TestReconfigureElementsKind_GeneralizeField(
Zone zone(isolate->allocator(), ZONE_NAME);
CanonicalHandleScope canonical(isolate);
JSHeapBroker broker(isolate, &zone);
CompilationDependencies dependencies(isolate, &zone);
CompilationDependencies dependencies(&broker, &zone);
MapRef map_ref(&broker, map);
map_ref.SerializeOwnDescriptors();
dependencies.DependOnFieldType(map_ref, kDiffProp);
@ -1911,7 +1911,7 @@ static void TestReconfigureElementsKind_GeneralizeFieldTrivial(
Zone zone(isolate->allocator(), ZONE_NAME);
CanonicalHandleScope canonical(isolate);
JSHeapBroker broker(isolate, &zone);
CompilationDependencies dependencies(isolate, &zone);
CompilationDependencies dependencies(&broker, &zone);
MapRef map_ref(&broker, map);
map_ref.SerializeOwnDescriptors();

2
test/unittests/compiler/constant-folding-reducer-unittest.cc
View File

@ -65,7 +65,7 @@ class ConstantFoldingReducerTest : public TypedGraphTest {
: TypedGraphTest(3),
broker_(isolate(), zone()),
simplified_(zone()),
deps_(isolate(), zone()) {}
deps_(&broker_, zone()) {}
~ConstantFoldingReducerTest() override = default;
protected:

2
test/unittests/compiler/js-call-reducer-unittest.cc
View File

@ -21,7 +21,7 @@ namespace compiler {
class JSCallReducerTest : public TypedGraphTest {
public:
JSCallReducerTest()
: TypedGraphTest(3), javascript_(zone()), deps_(isolate(), zone()) {
: TypedGraphTest(3), javascript_(zone()), deps_(broker(), zone()) {
broker()->SerializeStandardObjects();
}
~JSCallReducerTest() override = default;

5
test/unittests/compiler/js-create-lowering-unittest.cc
View File

@ -32,9 +32,8 @@ class JSCreateLoweringTest : public TypedGraphTest {
JSCreateLoweringTest()
: TypedGraphTest(3),
javascript_(zone()),
deps_(isolate(), zone()),
handle_scope_(isolate()) {
}
deps_(broker(), zone()),
handle_scope_(isolate()) {}
~JSCreateLoweringTest() override = default;
protected:

2
test/unittests/compiler/typed-optimization-unittest.cc
View File

@ -27,7 +27,7 @@ namespace typed_optimization_unittest {
class TypedOptimizationTest : public TypedGraphTest {
public:
TypedOptimizationTest()
: TypedGraphTest(3), simplified_(zone()), deps_(isolate(), zone()) {}
: TypedGraphTest(3), simplified_(zone()), deps_(broker(), zone()) {}
~TypedOptimizationTest() override = default;
protected: