Reverting r4703.

src/ia32/codegen-ia32.cc

 // Copyright 2010 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 4180 matching lines @@
 
   __ mov(ecx, FieldOperand(ecx, Map::kInstanceDescriptorsOffset));
   // Get the bridge array held in the enumeration index field.
   __ mov(ecx, FieldOperand(ecx, DescriptorArray::kEnumerationIndexOffset));
   // Get the cache from the bridge array.
   __ mov(edx, FieldOperand(ecx, DescriptorArray::kEnumCacheBridgeCacheOffset));
 
   frame_->EmitPush(eax);  // <- slot 3
   frame_->EmitPush(edx);  // <- slot 2
   __ mov(eax, FieldOperand(edx, FixedArray::kLengthOffset));
+  __ SmiTag(eax);
   frame_->EmitPush(eax);  // <- slot 1
   frame_->EmitPush(Immediate(Smi::FromInt(0)));  // <- slot 0
   entry.Jump();
 
   fixed_array.Bind();
   // eax: fixed array (result from call to Runtime::kGetPropertyNamesFast)
   frame_->EmitPush(Immediate(Smi::FromInt(0)));  // <- slot 3
   frame_->EmitPush(eax);  // <- slot 2
 
   // Push the length of the array and the initial index onto the stack.
   __ mov(eax, FieldOperand(eax, FixedArray::kLengthOffset));
+  __ SmiTag(eax);
   frame_->EmitPush(eax);  // <- slot 1
   frame_->EmitPush(Immediate(Smi::FromInt(0)));  // <- slot 0
 
   // Condition.
   entry.Bind();
   // Grab the current frame's height for the break and continue
   // targets only after all the state is pushed on the frame.
   node->break_target()->set_direction(JumpTarget::FORWARD_ONLY);
   node->continue_target()->set_direction(JumpTarget::FORWARD_ONLY);
 
@@ skipping 2369 matching lines @@
 
     // Fill out the elements FixedArray.
     // eax: JSArray.
     // ebx: FixedArray.
     // ecx: Number of elements in array, as smi.
 
     // Set map.
     __ mov(FieldOperand(ebx, HeapObject::kMapOffset),
            Immediate(Factory::fixed_array_map()));
     // Set length.
+    __ SmiUntag(ecx);
     __ mov(FieldOperand(ebx, FixedArray::kLengthOffset), ecx);
     // Fill contents of fixed-array with the-hole.
-    __ SmiUntag(ecx);
     __ mov(edx, Immediate(Factory::the_hole_value()));
     __ lea(ebx, FieldOperand(ebx, FixedArray::kHeaderSize));
     // Fill fixed array elements with hole.
     // eax: JSArray.
     // ecx: Number of elements to fill.
     // ebx: Start of elements in FixedArray.
     // edx: the hole.
     Label loop;
     __ test(ecx, Operand(ecx));
     __ bind(&loop);
@@ skipping 83 matching lines @@
 
   // Find a place to put new cached value into.
   Label add_new_entry, update_cache;
   __ mov(ecx, Operand(esp, kPointerSize));  // restore the cache
   // Possible optimization: cache size is constant for the given cache
   // so technically we could use a constant here.  However, if we have
   // cache miss this optimization would hardly matter much.
 
   // Check if we could add new entry to cache.
   __ mov(ebx, FieldOperand(ecx, FixedArray::kLengthOffset));
+  __ SmiTag(ebx);
   __ cmp(ebx, FieldOperand(ecx, JSFunctionResultCache::kCacheSizeOffset));
   __ j(greater, &add_new_entry);
 
   // Check if we could evict entry after finger.
   __ mov(edx, FieldOperand(ecx, JSFunctionResultCache::kFingerOffset));
   __ add(Operand(edx), Immediate(kEntrySizeSmi));
   __ cmp(ebx, Operand(edx));
   __ j(greater, &update_cache);
 
   // Need to wrap over the cache.
@@ skipping 177 matching lines @@
   __ mov(tmp2.reg(),   Operand(index2.reg(), 0));
   __ mov(Operand(index2.reg(), 0), object.reg());
   __ mov(Operand(index1.reg(), 0), tmp2.reg());
 
   Label done;
   __ InNewSpace(tmp1.reg(), tmp2.reg(), equal, &done);
   // Possible optimization: do a check that both values are Smis
   // (or them and test against Smi mask.)
 
   __ mov(tmp2.reg(), tmp1.reg());
-  __ RecordWriteHelper(tmp2.reg(), index1.reg(), object.reg());
-  __ RecordWriteHelper(tmp1.reg(), index2.reg(), object.reg());
+  RecordWriteStub recordWrite1(tmp2.reg(), index1.reg(), object.reg());
+  __ CallStub(&recordWrite1);
+
+  RecordWriteStub recordWrite2(tmp1.reg(), index2.reg(), object.reg());
+  __ CallStub(&recordWrite2);
+
   __ bind(&done);
 
   deferred->BindExit();
   frame_->Push(Factory::undefined_value());
 }
 
 
 void CodeGenerator::GenerateCallFunction(ZoneList<Expression*>* args) {
   Comment cmnt(masm_, "[ GenerateCallFunction");
 
@@ skipping 1678 matching lines @@
     Result key = frame_->Pop();
     Result receiver = frame_->Pop();
     key.ToRegister();
     receiver.ToRegister();
 
     // Use a fresh temporary to load the elements without destroying
     // the receiver which is needed for the deferred slow case.
     Result elements = allocator()->Allocate();
     ASSERT(elements.is_valid());
 
-    result = elements;
+    // Use a fresh temporary for the index and later the loaded
+    // value.
+    result = allocator()->Allocate();
+    ASSERT(result.is_valid());
 
     DeferredReferenceGetKeyedValue* deferred =
-        new DeferredReferenceGetKeyedValue(elements.reg(),
+        new DeferredReferenceGetKeyedValue(result.reg(),
                                            receiver.reg(),
                                            key.reg());
 
     __ test(receiver.reg(), Immediate(kSmiTagMask));
     deferred->Branch(zero);
 
     // Initially, use an invalid map. The map is patched in the IC
     // initialization code.
     __ bind(deferred->patch_site());
     // Use masm-> here instead of the double underscore macro since extra
@@ skipping 11 matching lines @@
     }
 
     // Get the elements array from the receiver and check that it
     // is not a dictionary.
     __ mov(elements.reg(),
            FieldOperand(receiver.reg(), JSObject::kElementsOffset));
     __ cmp(FieldOperand(elements.reg(), HeapObject::kMapOffset),
            Immediate(Factory::fixed_array_map()));
     deferred->Branch(not_equal);
 
-    // Check that the key is within bounds.
-    __ cmp(key.reg(),
+    // Shift the key to get the actual index value and check that
+    // it is within bounds. Use unsigned comparison to handle negative keys.
+    __ mov(result.reg(), key.reg());
+    __ SmiUntag(result.reg());
+    __ cmp(result.reg(),
            FieldOperand(elements.reg(), FixedArray::kLengthOffset));
     deferred->Branch(above_equal);
 
     // Load and check that the result is not the hole.
-    ASSERT((kSmiTag == 0) && (kSmiTagSize == 1));
     __ mov(result.reg(), Operand(elements.reg(),
-                                 key.reg(),
-                                 times_2,
+                                 result.reg(),
+                                 times_4,
                                  FixedArray::kHeaderSize - kHeapObjectTag));
+    elements.Unuse();
     __ cmp(Operand(result.reg()), Immediate(Factory::the_hole_value()));
     deferred->Branch(equal);
     __ IncrementCounter(&Counters::keyed_load_inline, 1);
 
     deferred->BindExit();
   } else {
     Comment cmnt(masm_, "[ Load from keyed Property");
     result = frame_->CallKeyedLoadIC(RelocInfo::CODE_TARGET);
     // Make sure that we do not have a test instruction after the
     // call.  A test instruction after the call is used to
@@ skipping 64 matching lines @@
            FieldOperand(receiver.reg(), JSArray::kLengthOffset));
     deferred->Branch(above_equal);
 
     // Get the elements array from the receiver and check that it is not a
     // dictionary.
     __ mov(tmp.reg(),
            FieldOperand(receiver.reg(), JSArray::kElementsOffset));
 
     // Check whether it is possible to omit the write barrier. If the elements
     // array is in new space or the value written is a smi we can safely update
-    // the elements array without write barrier.
+    // the elements array without updating the remembered set.
     Label in_new_space;
     __ InNewSpace(tmp.reg(), tmp2.reg(), equal, &in_new_space);
     if (!value_is_constant) {
       __ test(result.reg(), Immediate(kSmiTagMask));
       deferred->Branch(not_zero);
     }
 
     __ bind(&in_new_space);
     // Bind the deferred code patch site to be able to locate the fixed
     // array map comparison.  When debugging, we patch this comparison to
@@ skipping 249 matching lines @@
   Label gc;
   int length = slots_ + Context::MIN_CONTEXT_SLOTS;
   __ AllocateInNewSpace((length * kPointerSize) + FixedArray::kHeaderSize,
                         eax, ebx, ecx, &gc, TAG_OBJECT);
 
   // Get the function from the stack.
   __ mov(ecx, Operand(esp, 1 * kPointerSize));
 
   // Setup the object header.
   __ mov(FieldOperand(eax, HeapObject::kMapOffset), Factory::context_map());
-  __ mov(FieldOperand(eax, Context::kLengthOffset),
-         Immediate(Smi::FromInt(length)));
+  __ mov(FieldOperand(eax, Array::kLengthOffset), Immediate(length));
 
   // Setup the fixed slots.
   __ xor_(ebx, Operand(ebx));  // Set to NULL.
   __ mov(Operand(eax, Context::SlotOffset(Context::CLOSURE_INDEX)), ecx);
   __ mov(Operand(eax, Context::SlotOffset(Context::FCONTEXT_INDEX)), eax);
   __ mov(Operand(eax, Context::SlotOffset(Context::PREVIOUS_INDEX)), ebx);
   __ mov(Operand(eax, Context::SlotOffset(Context::EXTENSION_INDEX)), ebx);
 
   // Copy the global object from the surrounding context. We go through the
   // context in the function (ecx) to match the allocation behavior we have
@@ skipping 1942 matching lines @@
   // Get the length (smi tagged) and set that as an in-object property too.
   ASSERT(Heap::arguments_length_index == 1);
   __ mov(ecx, Operand(esp, 1 * kPointerSize));
   __ mov(FieldOperand(eax, JSObject::kHeaderSize + kPointerSize), ecx);
 
   // If there are no actual arguments, we're done.
   Label done;
   __ test(ecx, Operand(ecx));
   __ j(zero, &done);
 
-  // Get the parameters pointer from the stack.
+  // Get the parameters pointer from the stack and untag the length.
   __ mov(edx, Operand(esp, 2 * kPointerSize));
+  __ SmiUntag(ecx);
 
   // Setup the elements pointer in the allocated arguments object and
   // initialize the header in the elements fixed array.
   __ lea(edi, Operand(eax, Heap::kArgumentsObjectSize));
   __ mov(FieldOperand(eax, JSObject::kElementsOffset), edi);
   __ mov(FieldOperand(edi, FixedArray::kMapOffset),
          Immediate(Factory::fixed_array_map()));
   __ mov(FieldOperand(edi, FixedArray::kLengthOffset), ecx);
-  // Untag the length for the loop below.
-  __ SmiUntag(ecx);
 
   // Copy the fixed array slots.
   Label loop;
   __ bind(&loop);
   __ mov(ebx, Operand(edx, -1 * kPointerSize));  // Skip receiver.
   __ mov(FieldOperand(edi, FixedArray::kHeaderSize), ebx);
   __ add(Operand(edi), Immediate(kPointerSize));
   __ sub(Operand(edx), Immediate(kPointerSize));
   __ dec(ecx);
   __ j(not_zero, &loop);
@@ skipping 108 matching lines @@
   __ CmpObjectType(eax, JS_ARRAY_TYPE, ebx);
   __ j(not_equal, &runtime);
   // Check that the JSArray is in fast case.
   __ mov(ebx, FieldOperand(eax, JSArray::kElementsOffset));
   __ mov(eax, FieldOperand(ebx, HeapObject::kMapOffset));
   __ cmp(eax, Factory::fixed_array_map());
   __ j(not_equal, &runtime);
   // Check that the last match info has space for the capture registers and the
   // additional information.
   __ mov(eax, FieldOperand(ebx, FixedArray::kLengthOffset));
-  __ SmiUntag(eax);
   __ add(Operand(edx), Immediate(RegExpImpl::kLastMatchOverhead));
   __ cmp(edx, Operand(eax));
   __ j(greater, &runtime);
 
   // ecx: RegExp data (FixedArray)
   // Check the representation and encoding of the subject string.
   Label seq_string, seq_two_byte_string, check_code;
   const int kStringRepresentationEncodingMask =
       kIsNotStringMask | kStringRepresentationMask | kStringEncodingMask;
   __ mov(eax, Operand(esp, kSubjectOffset));
@@ skipping 223 matching lines @@
   Register scratch = scratch2;
 
   // Load the number string cache.
   ExternalReference roots_address = ExternalReference::roots_address();
   __ mov(scratch, Immediate(Heap::kNumberStringCacheRootIndex));
   __ mov(number_string_cache,
          Operand::StaticArray(scratch, times_pointer_size, roots_address));
   // Make the hash mask from the length of the number string cache. It
   // contains two elements (number and string) for each cache entry.
   __ mov(mask, FieldOperand(number_string_cache, FixedArray::kLengthOffset));
-  __ shr(mask, kSmiTagSize + 1);  // Untag length and divide it by two.
+  __ shr(mask, 1);  // Divide length by two (length is not a smi).
   __ sub(Operand(mask), Immediate(1));  // Make mask.
 
   // Calculate the entry in the number string cache. The hash value in the
   // number string cache for smis is just the smi value, and the hash for
   // doubles is the xor of the upper and lower words. See
   // Heap::GetNumberStringCache.
   Label smi_hash_calculated;
   Label load_result_from_cache;
   if (object_is_smi) {
     __ mov(scratch, object);
@@ skipping 70 matching lines @@
   // Generate code to lookup number in the number string cache.
   GenerateLookupNumberStringCache(masm, ebx, eax, ecx, edx, false, &runtime);
   __ ret(1 * kPointerSize);
 
   __ bind(&runtime);
   // Handle number to string in the runtime system if not found in the cache.
   __ TailCallRuntime(Runtime::kNumberToStringSkipCache, 1, 1);
 }
 
 
+void RecordWriteStub::Generate(MacroAssembler* masm) {
+  masm->RecordWriteHelper(object_, addr_, scratch_);
+  masm->ret(0);
+}
+
+
 static int NegativeComparisonResult(Condition cc) {
   ASSERT(cc != equal);
   ASSERT((cc == less) || (cc == less_equal)
       || (cc == greater) || (cc == greater_equal));
   return (cc == greater || cc == greater_equal) ? LESS : GREATER;
 }
 
 
 void CompareStub::Generate(MacroAssembler* masm) {
   Label call_builtin, done;
@@ skipping 1816 matching lines @@
   // tagged as a small integer.
   __ bind(&runtime);
   __ TailCallRuntime(Runtime::kStringCompare, 2, 1);
 }
 
 #undef __
 
 } }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_IA32