AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[turbofan] Canonicalize uses of DependOnProtector

Browse Source 
This merges the check if a protector is intact with the recording of
the dependency on it, at least in many cases.

Also introduce convenience functions to avoid the heap broker clutter.

Change-Id: I35508c4685a2f0df77819bf81075dd14a30e7e4f
Reviewed-on: https://chromium-review.googlesource.com/c/1487491
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59924}
This commit is contained in:
Georg Neis 2019-02-27 19:10:29 +01:00 committed by Commit Bot
parent 9c5cd06611
commit a25279df8b
10 changed files with 140 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
src/compiler/compilation-dependencies.cc
View File

@ -12,8 +12,9 @@ namespace v8 {
namespace internal { namespace internal {
namespace compiler { namespace compiler {
CompilationDependencies::CompilationDependencies(Isolate* isolate, Zone* zone) CompilationDependencies::CompilationDependencies(JSHeapBroker* broker,
: zone_(zone), dependencies_(zone), isolate_(isolate) {} Zone* zone)
: zone_(zone), broker_(broker), dependencies_(zone) {}
class CompilationDependencies::Dependency : public ZoneObject { class CompilationDependencies::Dependency : public ZoneObject {
public: public:
@ -423,8 +424,46 @@ void CompilationDependencies::DependOnGlobalProperty(
GlobalPropertyDependency(cell, type, read_only)); GlobalPropertyDependency(cell, type, read_only));
} }
void CompilationDependencies::DependOnProtector(const PropertyCellRef& cell) { bool CompilationDependencies::DependOnProtector(const PropertyCellRef& cell) {
if (cell.value().AsSmi() != Isolate::kProtectorValid) return false;
dependencies_.push_front(new (zone_) ProtectorDependency(cell)); dependencies_.push_front(new (zone_) ProtectorDependency(cell));
return true;
}
bool CompilationDependencies::DependOnArrayBufferDetachingProtector() {
return DependOnProtector(PropertyCellRef(
broker_,
broker_->isolate()->factory()->array_buffer_detaching_protector()));
}
bool CompilationDependencies::DependOnArrayIteratorProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->array_iterator_protector()));
}
bool CompilationDependencies::DependOnArraySpeciesProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->array_species_protector()));
}
bool CompilationDependencies::DependOnNoElementsProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->no_elements_protector()));
}
bool CompilationDependencies::DependOnPromiseHookProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->promise_hook_protector()));
}
bool CompilationDependencies::DependOnPromiseSpeciesProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->promise_species_protector()));
}
bool CompilationDependencies::DependOnPromiseThenProtector() {
return DependOnProtector(PropertyCellRef(
broker_, broker_->isolate()->factory()->promise_then_protector()));
} }
void CompilationDependencies::DependOnElementsKind( void CompilationDependencies::DependOnElementsKind(
@ -474,7 +513,7 @@ bool CompilationDependencies::Commit(Handle<Code> code) {
// these cases, because once the code gets executed it will do a stack check // these cases, because once the code gets executed it will do a stack check
// that triggers its deoptimization. // that triggers its deoptimization.
if (FLAG_stress_gc_during_compilation) { if (FLAG_stress_gc_during_compilation) {
isolate_->heap()->PreciseCollectAllGarbage( broker_->isolate()->heap()->PreciseCollectAllGarbage(
Heap::kNoGCFlags, GarbageCollectionReason::kTesting, Heap::kNoGCFlags, GarbageCollectionReason::kTesting,
kGCCallbackFlagForced); kGCCallbackFlagForced);
} }
@ -490,8 +529,7 @@ bool CompilationDependencies::Commit(Handle<Code> code) {
namespace { namespace {
// This function expects to never see a JSProxy. // This function expects to never see a JSProxy.
void DependOnStablePrototypeChain(JSHeapBroker* broker, void DependOnStablePrototypeChain(CompilationDependencies* deps, MapRef map,
CompilationDependencies* deps, MapRef map,
const JSObjectRef& last_prototype) { const JSObjectRef& last_prototype) {
while (true) { while (true) {
map.SerializePrototype(); map.SerializePrototype();
@ -504,19 +542,18 @@ void DependOnStablePrototypeChain(JSHeapBroker* broker,
} // namespace } // namespace
void CompilationDependencies::DependOnStablePrototypeChains( void CompilationDependencies::DependOnStablePrototypeChains(
JSHeapBroker* broker, std::vector<Handle<Map>> const& receiver_maps, std::vector<Handle<Map>> const& receiver_maps, const JSObjectRef& holder) {
const JSObjectRef& holder) {
// Determine actual holder and perform prototype chain checks. // Determine actual holder and perform prototype chain checks.
for (auto map : receiver_maps) { for (auto map : receiver_maps) {
MapRef receiver_map(broker, map); MapRef receiver_map(broker_, map);
if (receiver_map.IsPrimitiveMap()) { if (receiver_map.IsPrimitiveMap()) {
// Perform the implicit ToObject for primitives here. // Perform the implicit ToObject for primitives here.
// Implemented according to ES6 section 7.3.2 GetV (V, P). // Implemented according to ES6 section 7.3.2 GetV (V, P).
base::Optional<JSFunctionRef> constructor = base::Optional<JSFunctionRef> constructor =
broker->native_context().GetConstructorFunction(receiver_map); broker_->native_context().GetConstructorFunction(receiver_map);
if (constructor.has_value()) receiver_map = constructor->initial_map(); if (constructor.has_value()) receiver_map = constructor->initial_map();
} }
DependOnStablePrototypeChain(broker, this, receiver_map, holder); DependOnStablePrototypeChain(this, receiver_map, holder);
} }
} }

23
src/compiler/compilation-dependencies.h
View File

@ -28,7 +28,7 @@ class SlackTrackingPrediction {
// Collects and installs dependencies of the code that is being generated. // Collects and installs dependencies of the code that is being generated.
class V8_EXPORT_PRIVATE CompilationDependencies : public ZoneObject { class V8_EXPORT_PRIVATE CompilationDependencies : public ZoneObject {
public: public:
CompilationDependencies(Isolate* isolate, Zone* zone); CompilationDependencies(JSHeapBroker* broker, Zone* zone);
V8_WARN_UNUSED_RESULT bool Commit(Handle<Code> code); V8_WARN_UNUSED_RESULT bool Commit(Handle<Code> code);
@ -68,8 +68,18 @@ class V8_EXPORT_PRIVATE CompilationDependencies : public ZoneObject {
// {IsReadOnly()} flag of {cell}'s {PropertyDetails}. // {IsReadOnly()} flag of {cell}'s {PropertyDetails}.
void DependOnGlobalProperty(const PropertyCellRef& cell); void DependOnGlobalProperty(const PropertyCellRef& cell);
// Record the assumption that the protector remains valid. // Return the validity of the given protector and, if true, record the
void DependOnProtector(const PropertyCellRef& cell); // assumption that the protector remains valid.
bool DependOnProtector(const PropertyCellRef& cell);
// Convenience wrappers around {DependOnProtector}.
bool DependOnArrayBufferDetachingProtector();
bool DependOnArrayIteratorProtector();
bool DependOnArraySpeciesProtector();
bool DependOnNoElementsProtector();
bool DependOnPromiseHookProtector();
bool DependOnPromiseSpeciesProtector();
bool DependOnPromiseThenProtector();
// Record the assumption that {site}'s {ElementsKind} doesn't change. // Record the assumption that {site}'s {ElementsKind} doesn't change.
void DependOnElementsKind(const AllocationSiteRef& site); void DependOnElementsKind(const AllocationSiteRef& site);
@ -77,8 +87,7 @@ class V8_EXPORT_PRIVATE CompilationDependencies : public ZoneObject {
// Depend on the stability of (the maps of) all prototypes of every class in // Depend on the stability of (the maps of) all prototypes of every class in
// {receiver_type} up to (and including) the {holder}. // {receiver_type} up to (and including) the {holder}.
void DependOnStablePrototypeChains( void DependOnStablePrototypeChains(
JSHeapBroker* broker, std::vector<Handle<Map>> const& receiver_maps, std::vector<Handle<Map>> const& receiver_maps, const JSObjectRef& holder);
const JSObjectRef& holder);
// Like DependOnElementsKind but also applies to all nested allocation sites. // Like DependOnElementsKind but also applies to all nested allocation sites.
void DependOnElementsKinds(const AllocationSiteRef& site); void DependOnElementsKinds(const AllocationSiteRef& site);
@ -98,9 +107,9 @@ class V8_EXPORT_PRIVATE CompilationDependencies : public ZoneObject {
class Dependency; class Dependency;
private: private:
Zone* zone_; Zone* const zone_;
JSHeapBroker* const broker_;
ZoneForwardList<Dependency*> dependencies_; ZoneForwardList<Dependency*> dependencies_;
Isolate* isolate_;
}; };
} // namespace compiler } // namespace compiler

173
src/compiler/js-call-reducer.cc
View File

@ -1070,10 +1070,7 @@ Reduction JSCallReducer::ReduceArrayForEach(
return NoChange(); return NoChange();
} }
// Install code dependencies on the {receiver} prototype maps and the if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
// global array protector cell.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
// If we have unreliable maps, we need a map check. // If we have unreliable maps, we need a map check.
if (result == NodeProperties::kUnreliableReceiverMaps) { if (result == NodeProperties::kUnreliableReceiverMaps) {
@ -1257,10 +1254,7 @@ Reduction JSCallReducer::ReduceArrayReduce(
} }
}; };
// Install code dependencies on the {receiver} prototype maps and the if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
// global array protector cell.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
// If we have unreliable maps, we need a map check. // If we have unreliable maps, we need a map check.
if (result == NodeProperties::kUnreliableReceiverMaps) { if (result == NodeProperties::kUnreliableReceiverMaps) {
@ -1524,12 +1518,9 @@ Reduction JSCallReducer::ReduceArrayMap(Node* node,
} }
if (IsHoleyElementsKind(kind)) { if (IsHoleyElementsKind(kind)) {
dependencies()->DependOnProtector( if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->no_elements_protector()));
} }
if (!dependencies()->DependOnArraySpeciesProtector()) UNREACHABLE();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_species_protector()));
Node* array_constructor = jsgraph()->Constant( Node* array_constructor = jsgraph()->Constant(
native_context().GetInitialJSArrayMap(kind).GetConstructor()); native_context().GetInitialJSArrayMap(kind).GetConstructor());
@ -1727,12 +1718,9 @@ Reduction JSCallReducer::ReduceArrayFilter(
const ElementsKind packed_kind = GetPackedElementsKind(kind); const ElementsKind packed_kind = GetPackedElementsKind(kind);
if (IsHoleyElementsKind(kind)) { if (IsHoleyElementsKind(kind)) {
dependencies()->DependOnProtector( if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->no_elements_protector()));
} }
if (!dependencies()->DependOnArraySpeciesProtector()) UNREACHABLE();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_species_protector()));
MapRef initial_map = native_context().GetInitialJSArrayMap(packed_kind); MapRef initial_map = native_context().GetInitialJSArrayMap(packed_kind);
@ -1995,10 +1983,7 @@ Reduction JSCallReducer::ReduceArrayFind(Node* node, ArrayFindVariant variant,
return NoChange(); return NoChange();
} }
// Install code dependencies on the {receiver} prototype maps and the if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
// global array protector cell.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
// If we have unreliable maps, we need a map check. // If we have unreliable maps, we need a map check.
if (result == NodeProperties::kUnreliableReceiverMaps) { if (result == NodeProperties::kUnreliableReceiverMaps) {
@ -2314,12 +2299,9 @@ Reduction JSCallReducer::ReduceArrayEvery(Node* node,
} }
if (IsHoleyElementsKind(kind)) { if (IsHoleyElementsKind(kind)) {
dependencies()->DependOnProtector( if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->no_elements_protector()));
} }
if (!dependencies()->DependOnArraySpeciesProtector()) UNREACHABLE();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_species_protector()));
// If we have unreliable maps, we need a map check. // If we have unreliable maps, we need a map check.
if (result == NodeProperties::kUnreliableReceiverMaps) { if (result == NodeProperties::kUnreliableReceiverMaps) {
@ -2578,8 +2560,7 @@ Reduction JSCallReducer::ReduceArrayIndexOfIncludes(
} }
if (IsHoleyElementsKind(kind)) { if (IsHoleyElementsKind(kind)) {
dependencies()->DependOnProtector( if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->no_elements_protector()));
} }
Callable const callable = search_variant == SearchVariant::kIndexOf Callable const callable = search_variant == SearchVariant::kIndexOf
@ -2664,12 +2645,9 @@ Reduction JSCallReducer::ReduceArraySome(Node* node,
} }
if (IsHoleyElementsKind(kind)) { if (IsHoleyElementsKind(kind)) {
dependencies()->DependOnProtector( if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->no_elements_protector()));
} }
if (!dependencies()->DependOnArraySpeciesProtector()) UNREACHABLE();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_species_protector()));
Node* k = jsgraph()->ZeroConstant(); Node* k = jsgraph()->ZeroConstant();
@ -3135,8 +3113,7 @@ Reduction JSCallReducer::ReduceCallOrConstructWithArrayLikeOrSpread(
// that no one messed with the %ArrayIteratorPrototype%.next method. // that no one messed with the %ArrayIteratorPrototype%.next method.
if (node->opcode() == IrOpcode::kJSCallWithSpread || if (node->opcode() == IrOpcode::kJSCallWithSpread ||
node->opcode() == IrOpcode::kJSConstructWithSpread) { node->opcode() == IrOpcode::kJSConstructWithSpread) {
dependencies()->DependOnProtector( if (!dependencies()->DependOnArrayIteratorProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->array_iterator_protector()));
} }
// Remove the {arguments_list} input from the {node}. // Remove the {arguments_list} input from the {node}.
@ -4378,8 +4355,7 @@ Reduction JSCallReducer::ReduceArrayPrototypePush(Node* node) {
return NoChange(); return NoChange();
} }
dependencies()->DependOnProtector( if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->no_elements_protector()));
// If the {receiver_maps} information is not reliable, we need // If the {receiver_maps} information is not reliable, we need
// to check that the {receiver} still has one of these maps. // to check that the {receiver} still has one of these maps.
@ -4483,8 +4459,7 @@ Reduction JSCallReducer::ReduceArrayPrototypePop(Node* node) {
return NoChange(); return NoChange();
} }
dependencies()->DependOnProtector( if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->no_elements_protector()));
// If the {receiver_maps} information is not reliable, we need // If the {receiver_maps} information is not reliable, we need
// to check that the {receiver} still has one of these maps. // to check that the {receiver} still has one of these maps.
@ -4593,8 +4568,7 @@ Reduction JSCallReducer::ReduceArrayPrototypeShift(Node* node) {
return NoChange(); return NoChange();
} }
dependencies()->DependOnProtector( if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->no_elements_protector()));
// If the {receiver_maps} information is not reliable, we need // If the {receiver_maps} information is not reliable, we need
// to check that the {receiver} still has one of these maps. // to check that the {receiver} still has one of these maps.
@ -4805,15 +4779,10 @@ Reduction JSCallReducer::ReduceArrayPrototypeSlice(Node* node) {
} }
} }
// Install code dependency on the Array[@@species] protector.
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->array_species_protector()));
// Install code dependency on the array protector for holey arrays.
if (can_be_holey) { if (can_be_holey) {
dependencies()->DependOnProtector( if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->no_elements_protector()));
} }
if (!dependencies()->DependOnArraySpeciesProtector()) UNREACHABLE();
// If we have unreliable maps, we need a map check, as there might be // If we have unreliable maps, we need a map check, as there might be
// side-effects caused by the evaluation of the {node}s parameters. // side-effects caused by the evaluation of the {node}s parameters.
@ -4966,8 +4935,7 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
// Install code dependency on the array protector for holey arrays. // Install code dependency on the array protector for holey arrays.
if (IsHoleyElementsKind(elements_kind)) { if (IsHoleyElementsKind(elements_kind)) {
dependencies()->DependOnProtector( if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
PropertyCellRef(broker(), factory()->no_elements_protector()));
} }
// Load the (current) {iterated_object} from the {iterator}. // Load the (current) {iterated_object} from the {iterator}.
@ -4984,12 +4952,7 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
if (IsFixedTypedArrayElementsKind(elements_kind)) { if (IsFixedTypedArrayElementsKind(elements_kind)) {
// See if we can skip the detaching check. // See if we can skip the detaching check.
if (isolate()->IsArrayBufferDetachingIntact()) { if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
// Add a code dependency so we are deoptimized in case an ArrayBuffer
// gets detached.
dependencies()->DependOnProtector(PropertyCellRef(
broker(), factory()->array_buffer_detaching_protector()));
} else {
// Bail out if the {iterated_object}s JSArrayBuffer was detached. // Bail out if the {iterated_object}s JSArrayBuffer was detached.
Node* buffer = effect = graph()->NewNode( Node* buffer = effect = graph()->NewNode(
simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()), simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
@ -5525,13 +5488,11 @@ Reduction JSCallReducer::ReducePromiseConstructor(Node* node) {
Node* control = NodeProperties::GetControlInput(node); Node* control = NodeProperties::GetControlInput(node);
if (!FLAG_experimental_inline_promise_constructor) return NoChange(); if (!FLAG_experimental_inline_promise_constructor) return NoChange();
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Only handle builtins Promises, not subclasses. // Only handle builtins Promises, not subclasses.
if (target != new_target) return NoChange(); if (target != new_target) return NoChange();
dependencies()->DependOnProtector( if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
PropertyCellRef(broker(), factory()->promise_hook_protector()));
SharedFunctionInfoRef promise_shared = SharedFunctionInfoRef promise_shared =
native_context().promise_function().shared(); native_context().promise_function().shared();
@ -5683,10 +5644,7 @@ Reduction JSCallReducer::ReducePromiseInternalConstructor(Node* node) {
Node* effect = NodeProperties::GetEffectInput(node); Node* effect = NodeProperties::GetEffectInput(node);
// Check that promises aren't being observed through (debug) hooks. // Check that promises aren't being observed through (debug) hooks.
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange(); if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
// Create a new pending promise. // Create a new pending promise.
Node* value = effect = Node* value = effect =
@ -5755,12 +5713,6 @@ Reduction JSCallReducer::ReducePromisePrototypeCatch(Node* node) {
Node* effect = NodeProperties::GetEffectInput(node); Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node); Node* control = NodeProperties::GetControlInput(node);
// Check that the Promise.then protector is intact. This protector guards
// that all JSPromise instances whose [[Prototype]] is the initial
// %PromisePrototype% yield the initial %PromisePrototype%.then method
// when looking up "then".
if (!isolate()->IsPromiseThenLookupChainIntact()) return NoChange();
// Check if we know something about {receiver} already. // Check if we know something about {receiver} already.
ZoneHandleSet<Map> receiver_maps; ZoneHandleSet<Map> receiver_maps;
NodeProperties::InferReceiverMapsResult result = NodeProperties::InferReceiverMapsResult result =
@ -5781,8 +5733,11 @@ Reduction JSCallReducer::ReducePromisePrototypeCatch(Node* node) {
} }
} }
dependencies()->DependOnProtector( // Check that the Promise.then protector is intact. This protector guards
PropertyCellRef(broker(), factory()->promise_then_protector())); // that all JSPromise instances whose [[Prototype]] is the initial
// %PromisePrototype% yield the initial %PromisePrototype%.then method
// when looking up "then".
if (!dependencies()->DependOnPromiseThenProtector()) return NoChange();
// If the {receiver_maps} aren't reliable, we need to repeat the // If the {receiver_maps} aren't reliable, we need to repeat the
// map check here, guarded by the CALL_IC. // map check here, guarded by the CALL_IC.
@ -5825,21 +5780,6 @@ Reduction JSCallReducer::ReducePromisePrototypeFinally(Node* node) {
return NoChange(); return NoChange();
} }
// Check that promises aren't being observed through (debug) hooks.
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Check that the Promise#then protector is intact. This protector guards
// that all JSPromise instances whose [[Prototype]] is the initial
// %PromisePrototype% yield the initial %PromisePrototype%.then method
// when looking up "then".
if (!isolate()->IsPromiseThenLookupChainIntact()) return NoChange();
// Also check that the @@species protector is intact, which guards the
// lookup of "constructor" on JSPromise instances, whoch [[Prototype]] is
// the initial %PromisePrototype%, and the Symbol.species lookup on the
// %PromisePrototype%.
if (!isolate()->IsPromiseSpeciesLookupChainIntact()) return NoChange();
// Check if we know something about {receiver} already. // Check if we know something about {receiver} already.
ZoneHandleSet<Map> receiver_maps; ZoneHandleSet<Map> receiver_maps;
NodeProperties::InferReceiverMapsResult result = NodeProperties::InferReceiverMapsResult result =
@ -5860,12 +5800,20 @@ Reduction JSCallReducer::ReducePromisePrototypeFinally(Node* node) {
} }
} }
dependencies()->DependOnProtector( // Check that promises aren't being observed through (debug) hooks.
PropertyCellRef(broker(), factory()->promise_hook_protector())); if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_then_protector())); // Check that the Promise#then protector is intact. This protector guards
dependencies()->DependOnProtector( // that all JSPromise instances whose [[Prototype]] is the initial
PropertyCellRef(broker(), factory()->promise_species_protector())); // %PromisePrototype% yield the initial %PromisePrototype%.then method
// when looking up "then".
if (!dependencies()->DependOnPromiseThenProtector()) return NoChange();
// Also check that the @@species protector is intact, which guards the
// lookup of "constructor" on JSPromise instances, whoch [[Prototype]] is
// the initial %PromisePrototype%, and the Symbol.species lookup on the
// %PromisePrototype%.
if (!dependencies()->DependOnPromiseSpeciesProtector()) return NoChange();
// If the {receiver_maps} aren't reliable, we need to repeat the // If the {receiver_maps} aren't reliable, we need to repeat the
// map check here, guarded by the CALL_IC. // map check here, guarded by the CALL_IC.
@ -5986,15 +5934,6 @@ Reduction JSCallReducer::ReducePromisePrototypeThen(Node* node) {
Node* control = NodeProperties::GetControlInput(node); Node* control = NodeProperties::GetControlInput(node);
Node* frame_state = NodeProperties::GetFrameStateInput(node); Node* frame_state = NodeProperties::GetFrameStateInput(node);
// Check that promises aren't being observed through (debug) hooks.
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Check if the @@species protector is intact. The @@species protector
// guards the "constructor" lookup on all JSPromise instances and the
// initial Promise.prototype, as well as the Symbol.species lookup on
// the Promise constructor.
if (!isolate()->IsPromiseSpeciesLookupChainIntact()) return NoChange();
// Check if we know something about {receiver} already. // Check if we know something about {receiver} already.
ZoneHandleSet<Map> receiver_maps; ZoneHandleSet<Map> receiver_maps;
NodeProperties::InferReceiverMapsResult infer_receiver_maps_result = NodeProperties::InferReceiverMapsResult infer_receiver_maps_result =
@ -6017,10 +5956,14 @@ Reduction JSCallReducer::ReducePromisePrototypeThen(Node* node) {
} }
} }
dependencies()->DependOnProtector( // Check that promises aren't being observed through (debug) hooks.
PropertyCellRef(broker(), factory()->promise_hook_protector())); if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_species_protector())); // Check if the @@species protector is intact. The @@species protector
// guards the "constructor" lookup on all JSPromise instances and the
// initial Promise.prototype, as well as the Symbol.species lookup on
// the Promise constructor.
if (!dependencies()->DependOnPromiseSpeciesProtector()) return NoChange();
// If the {receiver_maps} aren't reliable, we need to repeat the // If the {receiver_maps} aren't reliable, we need to repeat the
// map check here, guarded by the CALL_IC. // map check here, guarded by the CALL_IC.
@ -6711,12 +6654,7 @@ Reduction JSCallReducer::ReduceArrayBufferViewAccessor(
receiver, effect, control); receiver, effect, control);
// See if we can skip the detaching check. // See if we can skip the detaching check.
if (isolate()->IsArrayBufferDetachingIntact()) { if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
// Add a code dependency so we are deoptimized in case an ArrayBuffer
// gets detached.
dependencies()->DependOnProtector(PropertyCellRef(
broker(), factory()->array_buffer_detaching_protector()));
} else {
// Check whether {receiver}s JSArrayBuffer was detached. // Check whether {receiver}s JSArrayBuffer was detached.
Node* buffer = effect = graph()->NewNode( Node* buffer = effect = graph()->NewNode(
simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()), simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
@ -6860,12 +6798,7 @@ Reduction JSCallReducer::ReduceDataViewAccess(Node* node, DataViewAccess access,
simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()), simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
receiver, effect, control); receiver, effect, control);
if (isolate()->IsArrayBufferDetachingIntact()) { if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
// Add a code dependency so we are deoptimized in case an ArrayBuffer
// gets detached.
dependencies()->DependOnProtector(PropertyCellRef(
broker(), factory()->array_buffer_detaching_protector()));
} else {
// Bail out if the {buffer} was detached. // Bail out if the {buffer} was detached.
Node* buffer_bit_field = effect = graph()->NewNode( Node* buffer_bit_field = effect = graph()->NewNode(
simplified()->LoadField(AccessBuilder::ForJSArrayBufferBitField()), simplified()->LoadField(AccessBuilder::ForJSArrayBufferBitField()),
@ -7079,7 +7012,7 @@ Reduction JSCallReducer::ReduceRegExpPrototypeTest(Node* node) {
// Protect the prototype chain from changes. // Protect the prototype chain from changes.
dependencies()->DependOnStablePrototypeChains( dependencies()->DependOnStablePrototypeChains(
broker(), ai_exec.receiver_maps(), JSObjectRef(broker(), holder)); ai_exec.receiver_maps(), JSObjectRef(broker(), holder));
// Protect the exec method change in the holder. // Protect the exec method change in the holder.
Handle<Object> exec_on_proto; Handle<Object> exec_on_proto;
@ -7102,7 +7035,7 @@ Reduction JSCallReducer::ReduceRegExpPrototypeTest(Node* node) {
Handle<JSObject> holder; Handle<JSObject> holder;
if (ai_exec.holder().ToHandle(&holder)) { if (ai_exec.holder().ToHandle(&holder)) {
dependencies()->DependOnStablePrototypeChains( dependencies()->DependOnStablePrototypeChains(
broker(), ai_exec.receiver_maps(), JSObjectRef(broker(), holder)); ai_exec.receiver_maps(), JSObjectRef(broker(), holder));
} }
if (need_map_check) { if (need_map_check) {

51
src/compiler/js-native-context-specialization.cc
View File

@ -219,11 +219,8 @@ Reduction JSNativeContextSpecialization::ReduceJSAsyncFunctionEnter(
Node* frame_state = NodeProperties::GetFrameStateInput(node); Node* frame_state = NodeProperties::GetFrameStateInput(node);
Node* effect = NodeProperties::GetEffectInput(node); Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node); Node* control = NodeProperties::GetControlInput(node);
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Install a code dependency on the promise hook protector cell. if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
// Create the promise for the async function. // Create the promise for the async function.
Node* promise = effect = Node* promise = effect =
@ -252,11 +249,8 @@ Reduction JSNativeContextSpecialization::ReduceJSAsyncFunctionReject(
Node* frame_state = NodeProperties::GetFrameStateInput(node); Node* frame_state = NodeProperties::GetFrameStateInput(node);
Node* effect = NodeProperties::GetEffectInput(node); Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node); Node* control = NodeProperties::GetControlInput(node);
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Install a code dependency on the promise hook protector cell. if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
// Load the promise from the {async_function_object}. // Load the promise from the {async_function_object}.
Node* promise = effect = graph()->NewNode( Node* promise = effect = graph()->NewNode(
@ -291,11 +285,8 @@ Reduction JSNativeContextSpecialization::ReduceJSAsyncFunctionResolve(
Node* frame_state = NodeProperties::GetFrameStateInput(node); Node* frame_state = NodeProperties::GetFrameStateInput(node);
Node* effect = NodeProperties::GetEffectInput(node); Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node); Node* control = NodeProperties::GetControlInput(node);
if (!isolate()->IsPromiseHookProtectorIntact()) return NoChange();
// Install a code dependency on the promise hook protector cell. if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
// Load the promise from the {async_function_object}. // Load the promise from the {async_function_object}.
Node* promise = effect = graph()->NewNode( Node* promise = effect = graph()->NewNode(
@ -426,7 +417,7 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
Handle<JSObject> holder; Handle<JSObject> holder;
if (access_info.holder().ToHandle(&holder)) { if (access_info.holder().ToHandle(&holder)) {
dependencies()->DependOnStablePrototypeChains( dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder)); access_info.receiver_maps(), JSObjectRef(broker(), holder));
} }
// Monomorphic property access. // Monomorphic property access.
@ -481,7 +472,7 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
if (found_on_proto) { if (found_on_proto) {
dependencies()->DependOnStablePrototypeChains( dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder)); access_info.receiver_maps(), JSObjectRef(broker(), holder));
} }
DCHECK(constant->IsCallable()); DCHECK(constant->IsCallable());
@ -665,10 +656,6 @@ Reduction JSNativeContextSpecialization::ReduceJSPromiseResolve(Node* node) {
Node* effect = NodeProperties::GetEffectInput(node); Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node); Node* control = NodeProperties::GetControlInput(node);
if (!isolate()->IsPromiseHookProtectorIntact()) {
return NoChange();
}
// Check if the {constructor} is the %Promise% function. // Check if the {constructor} is the %Promise% function.
HeapObjectMatcher m(constructor); HeapObjectMatcher m(constructor);
if (!m.HasValue() || if (!m.HasValue() ||
@ -688,9 +675,7 @@ Reduction JSNativeContextSpecialization::ReduceJSPromiseResolve(Node* node) {
if (value_map->IsJSPromiseMap()) return NoChange(); if (value_map->IsJSPromiseMap()) return NoChange();
} }
// Install a code dependency on the promise hook protector cell. if (!dependencies()->DependOnPromiseHookProtector()) return NoChange();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->promise_hook_protector()));
// Create a %Promise% instance and resolve it with {value}. // Create a %Promise% instance and resolve it with {value}.
Node* promise = effect = Node* promise = effect =
@ -745,7 +730,7 @@ Reduction JSNativeContextSpecialization::ReduceJSResolvePromise(Node* node) {
Handle<JSObject> holder; Handle<JSObject> holder;
if (access_info.holder().ToHandle(&holder)) { if (access_info.holder().ToHandle(&holder)) {
dependencies()->DependOnStablePrototypeChains( dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder)); access_info.receiver_maps(), JSObjectRef(broker(), holder));
} }
// Add stability dependencies on the {resolution_maps}. // Add stability dependencies on the {resolution_maps}.
@ -2159,7 +2144,7 @@ JSNativeContextSpecialization::BuildPropertyLoad(
PropertyAccessBuilder access_builder(jsgraph(), broker(), dependencies()); PropertyAccessBuilder access_builder(jsgraph(), broker(), dependencies());
if (access_info.holder().ToHandle(&holder)) { if (access_info.holder().ToHandle(&holder)) {
dependencies()->DependOnStablePrototypeChains( dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder)); access_info.receiver_maps(), JSObjectRef(broker(), holder));
} }
// Generate the actual property access. // Generate the actual property access.
@ -2218,7 +2203,7 @@ JSNativeContextSpecialization::BuildPropertyStore(
if (access_info.holder().ToHandle(&holder)) { if (access_info.holder().ToHandle(&holder)) {
DCHECK_NE(AccessMode::kStoreInLiteral, access_mode); DCHECK_NE(AccessMode::kStoreInLiteral, access_mode);
dependencies()->DependOnStablePrototypeChains( dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder)); access_info.receiver_maps(), JSObjectRef(broker(), holder));
} }
DCHECK(!access_info.IsNotFound()); DCHECK(!access_info.IsNotFound());
@ -2636,12 +2621,7 @@ JSNativeContextSpecialization::BuildElementAccess(
} }
// See if we can skip the detaching check. // See if we can skip the detaching check.
if (isolate()->IsArrayBufferDetachingIntact()) { if (!dependencies()->DependOnArrayBufferDetachingProtector()) {
// Add a code dependency so we are deoptimized in case an ArrayBuffer
// gets detached.
dependencies()->DependOnProtector(PropertyCellRef(
broker(), factory()->array_buffer_detaching_protector()));
} else {
// Deopt if the {buffer} was detached. // Deopt if the {buffer} was detached.
// Note: A detached buffer leads to megamorphic feedback. // Note: A detached buffer leads to megamorphic feedback.
Node* buffer_bit_field = effect = graph()->NewNode( Node* buffer_bit_field = effect = graph()->NewNode(
@ -3050,10 +3030,7 @@ Node* JSNativeContextSpecialization::BuildIndexedStringLoad(
Node* receiver, Node* index, Node* length, Node** effect, Node** control, Node* receiver, Node* index, Node* length, Node** effect, Node** control,
KeyedAccessLoadMode load_mode) { KeyedAccessLoadMode load_mode) {
if (load_mode == LOAD_IGNORE_OUT_OF_BOUNDS && if (load_mode == LOAD_IGNORE_OUT_OF_BOUNDS &&
isolate()->IsNoElementsProtectorIntact()) { dependencies()->DependOnNoElementsProtector()) {
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
// Ensure that the {index} is a valid String length. // Ensure that the {index} is a valid String length.
index = *effect = graph()->NewNode( index = *effect = graph()->NewNode(
simplified()->CheckBounds(VectorSlotPair()), index, simplified()->CheckBounds(VectorSlotPair()), index,
@ -3200,11 +3177,7 @@ bool JSNativeContextSpecialization::CanTreatHoleAsUndefined(
} }
// Check if the array prototype chain is intact. // Check if the array prototype chain is intact.
if (!isolate()->IsNoElementsProtectorIntact()) return false; return dependencies()->DependOnNoElementsProtector();
dependencies()->DependOnProtector(
PropertyCellRef(broker(), factory()->no_elements_protector()));
return true;
} }
namespace { namespace {

2
src/compiler/pipeline.cc
View File

@ -136,7 +136,7 @@ class PipelineData {
JSGraph(isolate_, graph_, common_, javascript_, simplified_, machine_); JSGraph(isolate_, graph_, common_, javascript_, simplified_, machine_);
broker_ = new (info_->zone()) JSHeapBroker(isolate_, info_->zone()); broker_ = new (info_->zone()) JSHeapBroker(isolate_, info_->zone());
dependencies_ = dependencies_ =
new (info_->zone()) CompilationDependencies(isolate_, info_->zone()); new (info_->zone()) CompilationDependencies(broker_, info_->zone());
} }
// For WebAssembly compile entry point. // For WebAssembly compile entry point.

10
test/cctest/test-field-type-tracking.cc
View File

@ -664,7 +664,7 @@ static void TestGeneralizeField(int detach_property_at_index,
// Create new maps by generalizing representation of propX field. // Create new maps by generalizing representation of propX field.
CanonicalHandleScope canonical(isolate); CanonicalHandleScope canonical(isolate);
JSHeapBroker broker(isolate, &zone); JSHeapBroker broker(isolate, &zone);
CompilationDependencies dependencies(isolate, &zone); CompilationDependencies dependencies(&broker, &zone);
MapRef map_ref(&broker, map); MapRef map_ref(&broker, map);
map_ref.SerializeOwnDescriptors(); map_ref.SerializeOwnDescriptors();
dependencies.DependOnFieldType(map_ref, property_index); dependencies.DependOnFieldType(map_ref, property_index);
@ -1041,7 +1041,7 @@ static void TestReconfigureDataFieldAttribute_GeneralizeField(
Zone zone(isolate->allocator(), ZONE_NAME); Zone zone(isolate->allocator(), ZONE_NAME);
CanonicalHandleScope canonical(isolate); CanonicalHandleScope canonical(isolate);
JSHeapBroker broker(isolate, &zone); JSHeapBroker broker(isolate, &zone);
CompilationDependencies dependencies(isolate, &zone); CompilationDependencies dependencies(&broker, &zone);
MapRef map_ref(&broker, map); MapRef map_ref(&broker, map);
map_ref.SerializeOwnDescriptors(); map_ref.SerializeOwnDescriptors();
dependencies.DependOnFieldType(map_ref, kSplitProp); dependencies.DependOnFieldType(map_ref, kSplitProp);
@ -1128,7 +1128,7 @@ static void TestReconfigureDataFieldAttribute_GeneralizeFieldTrivial(
Zone zone(isolate->allocator(), ZONE_NAME); Zone zone(isolate->allocator(), ZONE_NAME);
CanonicalHandleScope canonical(isolate); CanonicalHandleScope canonical(isolate);
JSHeapBroker broker(isolate, &zone); JSHeapBroker broker(isolate, &zone);
CompilationDependencies dependencies(isolate, &zone); CompilationDependencies dependencies(&broker, &zone);
MapRef map_ref(&broker, map); MapRef map_ref(&broker, map);
map_ref.SerializeOwnDescriptors(); map_ref.SerializeOwnDescriptors();
dependencies.DependOnFieldType(map_ref, kSplitProp); dependencies.DependOnFieldType(map_ref, kSplitProp);
@ -1813,7 +1813,7 @@ static void TestReconfigureElementsKind_GeneralizeField(
Zone zone(isolate->allocator(), ZONE_NAME); Zone zone(isolate->allocator(), ZONE_NAME);
CanonicalHandleScope canonical(isolate); CanonicalHandleScope canonical(isolate);
JSHeapBroker broker(isolate, &zone); JSHeapBroker broker(isolate, &zone);
CompilationDependencies dependencies(isolate, &zone); CompilationDependencies dependencies(&broker, &zone);
MapRef map_ref(&broker, map); MapRef map_ref(&broker, map);
map_ref.SerializeOwnDescriptors(); map_ref.SerializeOwnDescriptors();
dependencies.DependOnFieldType(map_ref, kDiffProp); dependencies.DependOnFieldType(map_ref, kDiffProp);
@ -1911,7 +1911,7 @@ static void TestReconfigureElementsKind_GeneralizeFieldTrivial(
Zone zone(isolate->allocator(), ZONE_NAME); Zone zone(isolate->allocator(), ZONE_NAME);
CanonicalHandleScope canonical(isolate); CanonicalHandleScope canonical(isolate);
JSHeapBroker broker(isolate, &zone); JSHeapBroker broker(isolate, &zone);
CompilationDependencies dependencies(isolate, &zone); CompilationDependencies dependencies(&broker, &zone);
MapRef map_ref(&broker, map); MapRef map_ref(&broker, map);
map_ref.SerializeOwnDescriptors(); map_ref.SerializeOwnDescriptors();

2
test/unittests/compiler/constant-folding-reducer-unittest.cc
View File

@ -65,7 +65,7 @@ class ConstantFoldingReducerTest : public TypedGraphTest {
: TypedGraphTest(3), : TypedGraphTest(3),
broker_(isolate(), zone()), broker_(isolate(), zone()),
simplified_(zone()), simplified_(zone()),
deps_(isolate(), zone()) {} deps_(&broker_, zone()) {}
~ConstantFoldingReducerTest() override = default; ~ConstantFoldingReducerTest() override = default;
protected: protected:

2
test/unittests/compiler/js-call-reducer-unittest.cc
View File

@ -21,7 +21,7 @@ namespace compiler {
class JSCallReducerTest : public TypedGraphTest { class JSCallReducerTest : public TypedGraphTest {
public: public:
JSCallReducerTest() JSCallReducerTest()
: TypedGraphTest(3), javascript_(zone()), deps_(isolate(), zone()) { : TypedGraphTest(3), javascript_(zone()), deps_(broker(), zone()) {
broker()->SerializeStandardObjects(); broker()->SerializeStandardObjects();
} }
~JSCallReducerTest() override = default; ~JSCallReducerTest() override = default;

5
test/unittests/compiler/js-create-lowering-unittest.cc
View File

@ -32,9 +32,8 @@ class JSCreateLoweringTest : public TypedGraphTest {
JSCreateLoweringTest() JSCreateLoweringTest()
: TypedGraphTest(3), : TypedGraphTest(3),
javascript_(zone()), javascript_(zone()),
deps_(isolate(), zone()), deps_(broker(), zone()),
handle_scope_(isolate()) { handle_scope_(isolate()) {}
}
~JSCreateLoweringTest() override = default; ~JSCreateLoweringTest() override = default;
protected: protected:

2
test/unittests/compiler/typed-optimization-unittest.cc
View File

@ -27,7 +27,7 @@ namespace typed_optimization_unittest {
class TypedOptimizationTest : public TypedGraphTest { class TypedOptimizationTest : public TypedGraphTest {
public: public:
TypedOptimizationTest() TypedOptimizationTest()
: TypedGraphTest(3), simplified_(zone()), deps_(isolate(), zone()) {} : TypedGraphTest(3), simplified_(zone()), deps_(broker(), zone()) {}
~TypedOptimizationTest() override = default; ~TypedOptimizationTest() override = default;
protected: protected: