This change allows generating call-stubs for objects with normal (non-fast) o...

src/ic.cc

 // Copyright 2006-2009 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 116 matching lines @@
   Address addr = pc() - Assembler::kCallTargetAddressOffset;
   // Return the address in the original code. This is the place where
   // the call which has been overwritten by the DebugBreakXXX resides
   // and the place where the inline cache system should look.
   intptr_t delta =
       original_code->instruction_start() - code->instruction_start();
   return addr + delta;
 }
 #endif
 
+
+static bool HasNormalObjectsInPrototypeChain(LookupResult* lookup,
+                                             Object* receiver) {
+  Object* end = lookup->IsProperty() ? lookup->holder() : Heap::null_value();
+  for (Object* current = receiver;
+       current != end;
+       current = current->GetPrototype()) {
+    if (current->IsJSObject() &&
+        !JSObject::cast(current)->HasFastProperties() &&
+        !current->IsJSGlobalProxy() &&
+        !current->IsJSGlobalObject()) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+
 IC::State IC::StateFrom(Code* target, Object* receiver, Object* name) {
   IC::State state = target->ic_state();
 
   if (state != MONOMORPHIC) return state;
   if (receiver->IsUndefined() || receiver->IsNull()) return state;
 
-  Map* map = GetCodeCacheMapForObject(receiver);
+  InlineCacheHolderFlag cache_holder =
+      Code::ExtractCacheHolderFromFlags(target->flags());
+
+
+  if (cache_holder == OWN_MAP && !receiver->IsJSObject()) {
+    // The stub was generated for JSObject but called for non-JSObject.
+    // IC::GetCodeCacheMap is not applicable.
+    return MONOMORPHIC;
+  } else if (cache_holder == PROTOTYPE_MAP &&
+             receiver->GetPrototype()->IsNull()) {
+    // IC::GetCodeCacheMap is not applicable.
+    return MONOMORPHIC;
+  }
+  Map* map = IC::GetCodeCacheMap(receiver, cache_holder);
 
   // Decide whether the inline cache failed because of changes to the
   // receiver itself or changes to one of its prototypes.
   //
   // If there are changes to the receiver itself, the map of the
   // receiver will have changed and the current target will not be in
   // the receiver map's code cache.  Therefore, if the current target
   // is in the receiver map's code cache, the inline cache failed due
   // to prototype check failure.
   int index = map->IndexInCodeCache(name, target);
@@ skipping 326 matching lines @@
   }
 
   // Try to find a suitable function delegate for the object at hand.
   result = TryCallAsFunction(result);
   return result->IsJSFunction() ?
       result : TypeError("property_not_function", object, name);
 }
 
 
 void CallICBase::UpdateCaches(LookupResult* lookup,
-                          State state,
-                          Handle<Object> object,
-                          Handle<String> name) {
+                              State state,
+                              Handle<Object> object,
+                              Handle<String> name) {
   // Bail out if we didn't find a result.
   if (!lookup->IsProperty() || !lookup->IsCacheable()) return;
 
+#ifndef V8_TARGET_ARCH_IA32
+  // Normal objects only implemented for IA32 by now.
+  if (HasNormalObjectsInPrototypeChain(lookup, *object)) return;
+#else
+  if (lookup->holder() != *object &&
+      HasNormalObjectsInPrototypeChain(lookup, object->GetPrototype())) {
+    // Suppress optimization for prototype chains with slow properties objects
+    // in the middle.
+    return;
+  }
+#endif
+
   // Compute the number of arguments.
   int argc = target()->arguments_count();
   InLoopFlag in_loop = target()->ic_in_loop();
   Object* code = NULL;
 
   if (state == UNINITIALIZED) {
     // This is the first time we execute this inline cache.
     // Set the target to the pre monomorphic stub to delay
     // setting the monomorphic state.
     code = StubCache::ComputeCallPreMonomorphic(argc, in_loop, kind_);
@@ skipping 77 matching lines @@
   // simply avoid updating the caches.
   if (code == NULL || code->IsFailure()) return;
 
   // Patch the call site depending on the state of the cache.
   if (state == UNINITIALIZED ||
       state == PREMONOMORPHIC ||
       state == MONOMORPHIC ||
       state == MONOMORPHIC_PROTOTYPE_FAILURE) {
     set_target(Code::cast(code));
   } else if (state == MEGAMORPHIC) {
+    // Cache code holding map should be consistent with
+    // GenerateMonomorphicCacheProbe. It is not the map which holds the stub.
+    Map* map = JSObject::cast(object->IsJSObject() ? *object :
+                              object->GetPrototype())->map();
+
     // Update the stub cache.
-    StubCache::Set(*name, GetCodeCacheMapForObject(*object), Code::cast(code));
+    StubCache::Set(*name, map, Code::cast(code));
   }
 
 #ifdef DEBUG
   TraceIC(kind_ == Code::CALL_IC ? "CallIC" : "KeyedCallIC",
       name, state, target(), in_loop ? " (in-loop)" : "");
 #endif
 }
 
 
 Object* KeyedCallIC::LoadFunction(State state,
@@ skipping 183 matching lines @@
                           Handle<Object> object,
                           Handle<String> name) {
   // Bail out if the result is not cacheable.
   if (!lookup->IsCacheable()) return;
 
   // Loading properties from values is not common, so don't try to
   // deal with non-JS objects here.
   if (!object->IsJSObject()) return;
   Handle<JSObject> receiver = Handle<JSObject>::cast(object);
 
+  if (HasNormalObjectsInPrototypeChain(lookup, *object)) return;
+
   // Compute the code stub for this load.
   Object* code = NULL;
   if (state == UNINITIALIZED) {
     // This is the first time we execute this inline cache.
     // Set the target to the pre monomorphic stub to delay
     // setting the monomorphic state.
     code = pre_monomorphic_stub();
   } else if (!lookup->IsProperty()) {
     // Nonexistent property. The result is undefined.
     code = StubCache::ComputeLoadNonexistent(*name, *receiver);
@@ skipping 56 matching lines @@
   // simply avoid updating the caches.
   if (code == NULL || code->IsFailure()) return;
 
   // Patch the call site depending on the state of the cache.
   if (state == UNINITIALIZED || state == PREMONOMORPHIC ||
       state == MONOMORPHIC_PROTOTYPE_FAILURE) {
     set_target(Code::cast(code));
   } else if (state == MONOMORPHIC) {
     set_target(megamorphic_stub());
   } else if (state == MEGAMORPHIC) {
-    // Update the stub cache.
-    StubCache::Set(*name, GetCodeCacheMapForObject(*object), Code::cast(code));
+    // Cache code holding map should be consistent with
+    // GenerateMonomorphicCacheProbe.
+    Map* map = JSObject::cast(object->IsJSObject() ? *object :
+                              object->GetPrototype())->map();
+
+    StubCache::Set(*name, map, Code::cast(code));
   }
 
 #ifdef DEBUG
   TraceIC("LoadIC", name, state, target());
 #endif
 }
 
 
 Object* KeyedLoadIC::Load(State state,
                           Handle<Object> object,
@@ skipping 125 matching lines @@
 
 
 void KeyedLoadIC::UpdateCaches(LookupResult* lookup, State state,
                                Handle<Object> object, Handle<String> name) {
   // Bail out if we didn't find a result.
   if (!lookup->IsProperty() || !lookup->IsCacheable()) return;
 
   if (!object->IsJSObject()) return;
   Handle<JSObject> receiver = Handle<JSObject>::cast(object);
 
+  if (HasNormalObjectsInPrototypeChain(lookup, *object)) return;
+
   // Compute the code stub for this load.
   Object* code = NULL;
 
   if (state == UNINITIALIZED) {
     // This is the first time we execute this inline cache.
     // Set the target to the pre monomorphic stub to delay
     // setting the monomorphic state.
     code = pre_monomorphic_stub();
   } else {
     // Compute a monomorphic stub.
@@ skipping 590 matching lines @@
 #undef ADDR
 };
 
 
 Address IC::AddressFromUtilityId(IC::UtilityId id) {
   return IC_utilities[id];
 }
 
 
 } }  // namespace v8::internal