Probe keyed load cache in generic keyed load stub....

src/ia32/ic-ia32.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 32 matching lines @@
 #define __ ACCESS_MASM(masm)
 
 
 // Helper function used to load a property from a dictionary backing storage.
 // This function may return false negatives, so miss_label
 // must always call a backup property load that is complete.
 // This function is safe to call if the receiver has fast properties,
 // or if name is not a symbol, and will jump to the miss_label in that case.
 static void GenerateDictionaryLoad(MacroAssembler* masm, Label* miss_label,
                                    Register r0, Register r1, Register r2,
-                                   Register name) {
+                                   Register name, bool check_dictionary) {

[Erik Corry, 2009/12/09 10:43:40]

This should be an enum with CHECK_DICTIONARY and DICTIONARY_CHECK_DONE

[Mads Ager (chromium), 2009/12/10 09:18:18]

Done.

   // Register use:
   //
   // r0   - used to hold the property dictionary.
   //
   // r1   - initially the receiver
   //      - used for the index into the property dictionary
   //      - holds the result on exit.
   //
   // r2   - used to hold the capacity of the property dictionary.
   //
   // name - holds the name of the property and is unchanged.
 
   Label done;
 
   // Check for the absence of an interceptor.
   // Load the map into r0.
   __ mov(r0, FieldOperand(r1, JSObject::kMapOffset));
   // Test the has_named_interceptor bit in the map.
   __ test(FieldOperand(r0, Map::kInstanceAttributesOffset),
           Immediate(1 << (Map::kHasNamedInterceptor + (3 * 8))));
 
   // Jump to miss if the interceptor bit is set.
   __ j(not_zero, miss_label, not_taken);
 
   // Bail out if we have a JS global proxy object.
   __ movzx_b(r0, FieldOperand(r0, Map::kInstanceTypeOffset));
   __ cmp(r0, JS_GLOBAL_PROXY_TYPE);
   __ j(equal, miss_label, not_taken);
 
   // Possible work-around for http://crbug.com/16276.

[Erik Corry, 2009/12/09 10:43:40]

Hmmm.  Did this work?

[Mads Ager (chromium), 2009/12/10 09:18:18]

I don't know, but you are right that we should check.

   __ cmp(r0, JS_GLOBAL_OBJECT_TYPE);
   __ j(equal, miss_label, not_taken);
   __ cmp(r0, JS_BUILTINS_OBJECT_TYPE);
   __ j(equal, miss_label, not_taken);
 
+  // Load properties array.
+  __ mov(r0, FieldOperand(r1, JSObject::kPropertiesOffset));
+
   // Check that the properties array is a dictionary.
-  __ mov(r0, FieldOperand(r1, JSObject::kPropertiesOffset));
-  __ cmp(FieldOperand(r0, HeapObject::kMapOffset),
-         Immediate(Factory::hash_table_map()));
-  __ j(not_equal, miss_label);
+  if (check_dictionary) {
+    __ cmp(FieldOperand(r0, HeapObject::kMapOffset),
+           Immediate(Factory::hash_table_map()));
+    __ j(not_equal, miss_label);
+  }
 
   // Compute the capacity mask.
   const int kCapacityOffset =
       StringDictionary::kHeaderSize +
       StringDictionary::kCapacityIndex * kPointerSize;
   __ mov(r2, FieldOperand(r0, kCapacityOffset));
   __ shr(r2, kSmiTagSize);  // convert smi to int
   __ dec(r2);
 
   // Generate an unrolled loop that performs a few probes before
@@ skipping 112 matching lines @@
   StubCompiler::GenerateLoadMiss(masm, Code::LOAD_IC);
 }
 
 
 void KeyedLoadIC::GenerateGeneric(MacroAssembler* masm) {
   // ----------- S t a t e -------------
   //  -- esp[0] : return address
   //  -- esp[4] : name
   //  -- esp[8] : receiver
   // -----------------------------------
-  Label slow, check_string, index_int, index_string, check_pixel_array;
+  Label slow, check_string, index_int, index_string;
+  Label check_pixel_array, probe_dictionary;
 
   // Load name and receiver.
   __ mov(eax, Operand(esp, kPointerSize));
   __ mov(ecx, Operand(esp, 2 * kPointerSize));
 
   // Check that the object isn't a smi.
   __ test(ecx, Immediate(kSmiTagMask));
   __ j(zero, &slow, not_taken);
 
   // Get the map of the receiver.
@@ skipping 55 matching lines @@
   __ IncrementCounter(&Counters::keyed_load_generic_slow, 1);
   Generate(masm, ExternalReference(Runtime::kKeyedGetProperty));
 
   __ bind(&check_string);
   // The key is not a smi.
   // Is it a string?
   __ CmpObjectType(eax, FIRST_NONSTRING_TYPE, edx);
   __ j(above_equal, &slow);
   // Is the string an array index, with cached numeric value?
   __ mov(ebx, FieldOperand(eax, String::kHashFieldOffset));
   __ test(ebx, Immediate(String::kIsArrayIndexMask));

[Erik Corry, 2009/12/09 10:43:40]

Can't we do this with a single test instruction instead of loading into a
register first?

[Mads Ager (chromium), 2009/12/10 09:18:18]

No. If we jump, we use the fact that the hash field is in ebx.

   __ j(not_zero, &index_string, not_taken);
 
-  // If the string is a symbol, do a quick inline probe of the receiver's
-  // dictionary, if it exists.
+  // Is the string a symbol?
   __ movzx_b(ebx, FieldOperand(edx, Map::kInstanceTypeOffset));
   __ test(ebx, Immediate(kIsSymbolMask));

[Erik Corry, 2009/12/09 10:43:40]

And here?

[Mads Ager (chromium), 2009/12/10 09:18:18]

No, because we are not looking at a word, but only at a byte.

   __ j(zero, &slow, not_taken);
-  // Probe the dictionary leaving result in ecx.
-  GenerateDictionaryLoad(masm, &slow, ebx, ecx, edx, eax);
+
+  // If the receiver is a fast-case object, check the keyed lookup
+  // cache. Otherwise probe the dictionary leaving result in ecx.
+  __ mov(ebx, FieldOperand(ecx, JSObject::kPropertiesOffset));
+  __ cmp(FieldOperand(ebx, HeapObject::kMapOffset),
+         Immediate(Factory::hash_table_map()));
+  __ j(equal, &probe_dictionary);
+
+  // Load the map of the receiver, compute the keyed lookup cache hash

[Erik Corry, 2009/12/09 10:43:40]

Don't we need to check the interceptor bit here or check for the global proxy
object?

[Mads Ager (chromium), 2009/12/10 09:18:18]

No. I those cases we will never put the map-name pair in the cache.

+  // based on 32 bits of the map pointer and the string hash.
+  __ mov(ebx, FieldOperand(ecx, HeapObject::kMapOffset));
+  __ mov(edx, ebx);
+  __ shr(edx, KeyedLookupCache::kMapHashShift);
+  __ mov(eax, FieldOperand(eax, String::kHashFieldOffset));
+  __ shr(eax, String::kHashShift);
+  __ xor_(edx, Operand(eax));
+  __ and_(edx, KeyedLookupCache::kCapacityMask);
+
+  // Load the key (consisting of map and symbol) from the cache and
+  // check for match.
+  ExternalReference cache_keys
+      = ExternalReference::keyed_lookup_cache_keys();
+  __ mov(edi, edx);
+  __ shl(edi, kPointerSizeLog2 + 1);

[Erik Corry, 2009/12/09 10:43:40]

You can combine this mov-shl-mov-cmp combination into the operand of a single
cmp I think.

[Mads Ager (chromium), 2009/12/10 09:18:18]

Done in the ia32 version.  Can't do a times_16 scale factor so I can't do it in
the x64 version.

+  __ mov(eax, Operand::StaticArray(edi, times_1, cache_keys));
+  __ cmp(ebx, Operand(eax));
+  __ j(not_equal, &slow);
+  __ mov(eax, Operand(esp, kPointerSize));
+  __ add(Operand(edi), Immediate(kPointerSize));
+  __ mov(edi, Operand::StaticArray(edi, times_1, cache_keys));
+  __ cmp(eax, Operand(edi));

[Erik Corry, 2009/12/09 10:43:40]

And this cmp could just take the operand instead of using eax as a temp.

[Mads Ager (chromium), 2009/12/10 09:18:18]

Done.

+  __ j(not_equal, &slow);
+
+  // Get field offset and check that it is an in-object property.

[Erik Corry, 2009/12/09 10:43:40]

In a later change we could handle out-of-object fast case properties here,
right?

[Mads Ager (chromium), 2009/12/10 09:18:18]

Yes, we can and we probably should.

+  ExternalReference cache_field_offsets
+      = ExternalReference::keyed_lookup_cache_field_offsets();
+  __ mov(eax,
+         Operand::StaticArray(edx, times_pointer_size, cache_field_offsets));
+  __ movzx_b(edx, FieldOperand(ebx, Map::kInObjectPropertiesOffset));
+  __ cmp(eax, Operand(edx));
+  __ j(above_equal, &slow);
+
+  // Load in-object property.
+  __ sub(eax, Operand(edx));
+  __ movzx_b(edx, FieldOperand(ebx, Map::kInstanceSizeOffset));
+  __ add(eax, Operand(edx));
+  __ mov(eax, FieldOperand(ecx, eax, times_pointer_size, 0));
+  __ ret(0);
+
+  // Do a quick inline probe of the receiver's dictionary, if it
+  // exists.
+  __ bind(&probe_dictionary);
+  GenerateDictionaryLoad(masm, &slow, ebx, ecx, edx, eax, false);
   GenerateCheckNonObjectOrLoaded(masm, &slow, ecx, edx);
   __ mov(eax, Operand(ecx));
   __ IncrementCounter(&Counters::keyed_load_generic_symbol, 1);
   __ ret(0);
+
   // If the hash field contains an array index pick it out. The assert checks
   // that the constants for the maximum number of digits for an array index
   // cached in the hash field and the number of bits reserved for it does not
   // conflict.
   ASSERT(TenToThe(String::kMaxCachedArrayIndexLength) <
          (1 << String::kArrayIndexValueBits));
   __ bind(&index_string);
   __ mov(eax, Operand(ebx));
   __ and_(eax, String::kArrayIndexHashMask);
   __ shr(eax, String::kHashShift);
@@ skipping 552 matching lines @@
   __ bind(&miss);
   Generate(masm, argc, ExternalReference(IC_Utility(kCallIC_Miss)));
 }
 
 
 static void GenerateNormalHelper(MacroAssembler* masm,
                                  int argc,
                                  bool is_global_object,
                                  Label* miss) {
   // Search dictionary - put result in register edx.
-  GenerateDictionaryLoad(masm, miss, eax, edx, ebx, ecx);
+  GenerateDictionaryLoad(masm, miss, eax, edx, ebx, ecx, true);
 
   // Move the result to register edi and check that it isn't a smi.
   __ mov(edi, Operand(edx));
   __ test(edx, Immediate(kSmiTagMask));
   __ j(zero, miss, not_taken);
 
   // Check that the value is a JavaScript function.
   __ CmpObjectType(edx, JS_FUNCTION_TYPE, edx);
   __ j(not_equal, miss, not_taken);
 
@@ skipping 182 matching lines @@
   __ cmp(edx, JS_GLOBAL_PROXY_TYPE);
   __ j(equal, &global, not_taken);
 
   // Check for non-global object that requires access check.
   __ movzx_b(ebx, FieldOperand(ebx, Map::kBitFieldOffset));
   __ test(ebx, Immediate(1 << Map::kIsAccessCheckNeeded));
   __ j(not_zero, &miss, not_taken);
 
   // Search the dictionary placing the result in eax.
   __ bind(&probe);
-  GenerateDictionaryLoad(masm, &miss, edx, eax, ebx, ecx);
+  GenerateDictionaryLoad(masm, &miss, edx, eax, ebx, ecx, true);
   GenerateCheckNonObjectOrLoaded(masm, &miss, eax, edx);
   __ ret(0);
 
   // Global object access: Check access rights.
   __ bind(&global);
   __ CheckAccessGlobalProxy(eax, edx, &miss);
   __ jmp(&probe);
 
   // Cache miss: Restore receiver from stack and jump to runtime.
   __ bind(&miss);
@@ skipping 260 matching lines @@
 
   // Do tail-call to runtime routine.
   __ TailCallRuntime(
       ExternalReference(IC_Utility(kSharedStoreIC_ExtendStorage)), 3, 1);
 }
 
 #undef __
 
 
 } }  // namespace v8::internal