Implement KeyedStoreICs to grow arrays on out-of-bound stores.

src/ic.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 63 matching lines @@
       Isolate* isolate = new_target->GetIsolate();
       Code* apply_builtin = isolate->builtins()->builtin(
           Builtins::kFunctionApply);
       if (raw_frame->unchecked_code() == apply_builtin) {
         PrintF("apply from ");
         it.Advance();
         raw_frame = it.frame();
       }
     }
     JavaScriptFrame::PrintTop(stdout, false, true);
-    PrintF(" (%c->%c)",
+    bool new_can_grow =
+        Code::GetKeyedAccessGrowMode(new_target->extra_ic_state()) ==
+        ALLOW_JSARRAY_GROWTH;
+    PrintF(" (%c->%c%s)",
            TransitionMarkFromState(old_state),
-           TransitionMarkFromState(new_state));
+           TransitionMarkFromState(new_state),
+           new_can_grow ? ".GROW" : "");
     name->Print();
     PrintF("]\n");
   }
 }
 
 #define TRACE_GENERIC_IC(type, reason)                          \
   do {                                                          \
     if (FLAG_trace_ic) {                                        \
       PrintF("[%s patching generic stub in ", type);            \
       JavaScriptFrame::PrintTop(stdout, false, true);           \
@@ skipping 246 matching lines @@
 
 void LoadIC::Clear(Address address, Code* target) {
   if (target->ic_state() == UNINITIALIZED) return;
   SetTargetAtAddress(address, initialize_stub());
 }
 
 
 void StoreIC::Clear(Address address, Code* target) {
   if (target->ic_state() == UNINITIALIZED) return;
   SetTargetAtAddress(address,
-      (target->extra_ic_state() == kStrictMode)
+      (Code::GetStrictMode(target->extra_ic_state()) == kStrictMode)
         ? initialize_stub_strict()
         : initialize_stub());
 }
 
 
 void KeyedStoreIC::Clear(Address address, Code* target) {
   if (target->ic_state() == UNINITIALIZED) return;
   SetTargetAtAddress(address,
-      (target->extra_ic_state() == kStrictMode)
+      (Code::GetStrictMode(target->extra_ic_state()) == kStrictMode)
         ? initialize_stub_strict()
         : initialize_stub());
 }
 
 
 static bool HasInterceptorGetter(JSObject* object) {
   return !object->GetNamedInterceptor()->getter()->IsUndefined();
 }
 
 
@@ skipping 591 matching lines @@
     // GenerateMonomorphicCacheProbe.
     isolate()->stub_cache()->Set(*name, receiver->map(), *code);
   }
 
   TRACE_IC("LoadIC", name, state, target());
 }
 
 
 Handle<Code> KeyedLoadIC::GetElementStubWithoutMapCheck(
     bool is_js_array,
-    ElementsKind elements_kind) {
+    ElementsKind elements_kind,
+    KeyedAccessGrowMode grow_mode) {
+  ASSERT(grow_mode == DO_NOT_ALLOW_JSARRAY_GROWTH);
   return KeyedLoadElementStub(elements_kind).GetCode();
 }
 
 
 Handle<Code> KeyedLoadIC::ComputePolymorphicStub(
     MapHandleList* receiver_maps,
-    StrictModeFlag strict_mode) {
+    StrictModeFlag strict_mode,
+    KeyedAccessGrowMode growth_mode) {
   CodeHandleList handler_ics(receiver_maps->length());
   for (int i = 0; i < receiver_maps->length(); ++i) {
     Handle<Map> receiver_map = receiver_maps->at(i);
     Handle<Code> cached_stub = ComputeMonomorphicStubWithoutMapCheck(
-        receiver_map, strict_mode);
+        receiver_map, strict_mode, growth_mode);
     handler_ics.Add(cached_stub);
   }
   KeyedLoadStubCompiler compiler(isolate());
   Handle<Code> code = compiler.CompileLoadPolymorphic(
       receiver_maps, &handler_ics);
   isolate()->counters()->keyed_load_polymorphic_stubs()->Increment();
   PROFILE(isolate(),
           CodeCreateEvent(Logger::KEYED_LOAD_MEGAMORPHIC_IC_TAG, *code, 0));
   return code;
 }
@@ skipping 464 matching lines @@
     }
   }
 }
 
 
 Handle<Code> KeyedIC::ComputeStub(Handle<JSObject> receiver,
                                   StubKind stub_kind,
                                   StrictModeFlag strict_mode,
                                   Handle<Code> generic_stub) {
   State ic_state = target()->ic_state();
+  KeyedAccessGrowMode grow_mode = IsGrowStubKind(stub_kind)
+      ? ALLOW_JSARRAY_GROWTH
+      : DO_NOT_ALLOW_JSARRAY_GROWTH;
   if ((ic_state == UNINITIALIZED || ic_state == PREMONOMORPHIC) &&
       !IsTransitionStubKind(stub_kind)) {
     return ComputeMonomorphicStub(
         receiver, stub_kind, strict_mode, generic_stub);
   }
   ASSERT(target() != *generic_stub);
 
   // Don't handle megamorphic property accesses for INTERCEPTORS or CALLBACKS
   // via megamorphic stubs, since they don't have a map in their relocation info
   // and so the stubs can't be harvested for the object needed for a map check.
@@ skipping 24 matching lines @@
     return generic_stub;
   }
 
   // If the maximum number of receiver maps has been exceeded, use the generic
   // version of the IC.
   if (target_receiver_maps.length() > kMaxKeyedPolymorphism) {
     TRACE_GENERIC_IC("KeyedIC", "max polymorph exceeded");
     return generic_stub;
   }
 
+  if ((Code::GetKeyedAccessGrowMode(target()->extra_ic_state()) ==
+       ALLOW_JSARRAY_GROWTH)) {
+    grow_mode = ALLOW_JSARRAY_GROWTH;
+  }
+
   Handle<PolymorphicCodeCache> cache =
       isolate()->factory()->polymorphic_code_cache();
-  Code::Flags flags = Code::ComputeFlags(kind(), MEGAMORPHIC, strict_mode);
+  Code::ExtraICState extra_state = Code::ComputeExtraICState(grow_mode,
+                                                             strict_mode);
+  Code::Flags flags = Code::ComputeFlags(kind(), MEGAMORPHIC, extra_state);
   Handle<Object> probe = cache->Lookup(&target_receiver_maps, flags);
   if (probe->IsCode()) return Handle<Code>::cast(probe);
 
   Handle<Code> stub =
-      ComputePolymorphicStub(&target_receiver_maps, strict_mode);
+      ComputePolymorphicStub(&target_receiver_maps, strict_mode, grow_mode);
   PolymorphicCodeCache::Update(cache, &target_receiver_maps, flags, stub);
   return stub;
 }
 
 
 Handle<Code> KeyedIC::ComputeMonomorphicStubWithoutMapCheck(
     Handle<Map> receiver_map,
-    StrictModeFlag strict_mode) {
+    StrictModeFlag strict_mode,
+    KeyedAccessGrowMode grow_mode) {
   if ((receiver_map->instance_type() & kNotStringTag) == 0) {
     ASSERT(!string_stub().is_null());
     return string_stub();
   } else {
     ASSERT(receiver_map->has_dictionary_elements() ||
            receiver_map->has_fast_elements() ||
            receiver_map->has_fast_smi_only_elements() ||
            receiver_map->has_fast_double_elements() ||
            receiver_map->has_external_array_elements());
     bool is_js_array = receiver_map->instance_type() == JS_ARRAY_TYPE;
     return GetElementStubWithoutMapCheck(is_js_array,
-                                         receiver_map->elements_kind());
+                                         receiver_map->elements_kind(),
+                                         grow_mode);
   }
 }
 
 
 Handle<Code> KeyedIC::ComputeMonomorphicStub(Handle<JSObject> receiver,
                                              StubKind stub_kind,
                                              StrictModeFlag strict_mode,
                                              Handle<Code> generic_stub) {
   if (receiver->HasFastElements() ||
       receiver->HasFastSmiOnlyElements() ||
       receiver->HasExternalArrayElements() ||
       receiver->HasFastDoubleElements() ||
       receiver->HasDictionaryElements()) {
     return isolate()->stub_cache()->ComputeKeyedLoadOrStoreElement(
         receiver, stub_kind, strict_mode);
   } else {
     return generic_stub;
   }
 }
 
 
 Handle<Map> KeyedIC::ComputeTransitionedMap(Handle<JSObject> receiver,
                                             StubKind stub_kind) {
   switch (stub_kind) {
     case KeyedIC::STORE_TRANSITION_SMI_TO_OBJECT:
     case KeyedIC::STORE_TRANSITION_DOUBLE_TO_OBJECT:
+    case KeyedIC::STORE_AND_GROW_TRANSITION_SMI_TO_OBJECT:
+    case KeyedIC::STORE_AND_GROW_TRANSITION_DOUBLE_TO_OBJECT:
       return JSObject::GetElementsTransitionMap(receiver, FAST_ELEMENTS);
       break;
     case KeyedIC::STORE_TRANSITION_SMI_TO_DOUBLE:
+    case KeyedIC::STORE_AND_GROW_TRANSITION_SMI_TO_DOUBLE:
       return JSObject::GetElementsTransitionMap(receiver, FAST_DOUBLE_ELEMENTS);
       break;
     default:
       UNREACHABLE();
       return Handle<Map>::null();
   }
 }
 
 
 Handle<Code> KeyedStoreIC::GetElementStubWithoutMapCheck(
     bool is_js_array,
-    ElementsKind elements_kind) {
-  return KeyedStoreElementStub(is_js_array, elements_kind).GetCode();
+    ElementsKind elements_kind,
+    KeyedAccessGrowMode grow_mode) {
+  return KeyedStoreElementStub(is_js_array, elements_kind, grow_mode).GetCode();
 }
 
 
-Handle<Code> KeyedStoreIC::ComputePolymorphicStub(MapHandleList* receiver_maps,
-                                                  StrictModeFlag strict_mode) {
+Handle<Code> KeyedStoreIC::ComputePolymorphicStub(
+    MapHandleList* receiver_maps,
+    StrictModeFlag strict_mode,
+    KeyedAccessGrowMode grow_mode) {
   // Collect MONOMORPHIC stubs for all target_receiver_maps.
   CodeHandleList handler_ics(receiver_maps->length());
   MapHandleList transitioned_maps(receiver_maps->length());
   for (int i = 0; i < receiver_maps->length(); ++i) {
     Handle<Map> receiver_map(receiver_maps->at(i));
     Handle<Code> cached_stub;
     Handle<Map> transitioned_map =
         receiver_map->FindTransitionedMap(receiver_maps);
     if (!transitioned_map.is_null()) {
       cached_stub = ElementsTransitionAndStoreStub(
           receiver_map->elements_kind(),  // original elements_kind
           transitioned_map->elements_kind(),
           receiver_map->instance_type() == JS_ARRAY_TYPE,  // is_js_array
-          strict_mode).GetCode();
+          strict_mode, grow_mode).GetCode();
     } else {
       cached_stub = ComputeMonomorphicStubWithoutMapCheck(receiver_map,
-                                                          strict_mode);
+                                                          strict_mode,
+                                                          grow_mode);
     }
     ASSERT(!cached_stub.is_null());
     handler_ics.Add(cached_stub);
     transitioned_maps.Add(transitioned_map);
   }
-  KeyedStoreStubCompiler compiler(isolate(), strict_mode);
+  KeyedStoreStubCompiler compiler(isolate(), strict_mode, grow_mode);
   Handle<Code> code = compiler.CompileStorePolymorphic(
       receiver_maps, &handler_ics, &transitioned_maps);
   isolate()->counters()->keyed_store_polymorphic_stubs()->Increment();
   PROFILE(isolate(),
           CodeCreateEvent(Logger::KEYED_STORE_MEGAMORPHIC_IC_TAG, *code, 0));
   return code;
 }
 
 
+KeyedIC::StubKind KeyedStoreIC::GetStubKind(Handle<JSObject> receiver,
+                                            Handle<Object> key,
+                                            Handle<Object> value) {
+  ASSERT(key->IsSmi());
+  int index = Smi::cast(*key)->value();
+  bool allow_growth = receiver->IsJSArray() &&
+      JSArray::cast(*receiver)->length()->IsSmi() &&
+      index >= Smi::cast(JSArray::cast(*receiver)->length())->value();
+  if (allow_growth) {
+    // Handle growing array in stub if necessary.
+    if (receiver->HasFastSmiOnlyElements()) {
+      if (value->IsHeapNumber()) {
+        return STORE_AND_GROW_TRANSITION_SMI_TO_DOUBLE;
+      }
+      if (value->IsHeapObject()) {
+        return STORE_AND_GROW_TRANSITION_SMI_TO_OBJECT;
+      }
+    } else if (receiver->HasFastDoubleElements()) {
+      if (!value->IsSmi() && !value->IsHeapNumber()) {
+        return STORE_AND_GROW_TRANSITION_DOUBLE_TO_OBJECT;
+      }
+    }
+    return STORE_AND_GROW_NO_TRANSITION;
+  } else {
+    // Handle only in-bounds elements accesses.
+    if (receiver->HasFastSmiOnlyElements()) {
+      if (value->IsHeapNumber()) {
+        return STORE_TRANSITION_SMI_TO_DOUBLE;
+      } else if (value->IsHeapObject()) {
+        return STORE_TRANSITION_SMI_TO_OBJECT;
+      }
+    } else if (receiver->HasFastDoubleElements()) {
+      if (!value->IsSmi() && !value->IsHeapNumber()) {
+        return STORE_TRANSITION_DOUBLE_TO_OBJECT;
+      }
+    }
+    return STORE_NO_TRANSITION;
+  }
+}
+
+
 MaybeObject* KeyedStoreIC::Store(State state,
                                  StrictModeFlag strict_mode,
                                  Handle<Object> object,
                                  Handle<Object> key,
                                  Handle<Object> value,
                                  bool force_generic) {
   if (key->IsSymbol()) {
     Handle<String> name = Handle<String>::cast(key);
 
     // Handle proxies.
@@ skipping 42 matching lines @@
     Handle<Code> stub = (strict_mode == kStrictMode)
         ? generic_stub_strict()
         : generic_stub();
     if (object->IsJSObject()) {
       Handle<JSObject> receiver = Handle<JSObject>::cast(object);
       if (receiver->elements()->map() ==
           isolate()->heap()->non_strict_arguments_elements_map()) {
         stub = non_strict_arguments_stub();
       } else if (!force_generic) {
         if (key->IsSmi() && (target() != *non_strict_arguments_stub())) {
-          StubKind stub_kind = STORE_NO_TRANSITION;
-          if (receiver->GetElementsKind() == FAST_SMI_ONLY_ELEMENTS) {
-            if (value->IsHeapNumber()) {
-              stub_kind = STORE_TRANSITION_SMI_TO_DOUBLE;
-            } else if (value->IsHeapObject()) {
-              stub_kind = STORE_TRANSITION_SMI_TO_OBJECT;
-            }
-          } else if (receiver->GetElementsKind() == FAST_DOUBLE_ELEMENTS) {
-            if (!value->IsSmi() && !value->IsHeapNumber()) {
-              stub_kind = STORE_TRANSITION_DOUBLE_TO_OBJECT;
-            }
-          }
+          StubKind stub_kind = GetStubKind(receiver, key, value);
           stub = ComputeStub(receiver, stub_kind, strict_mode, stub);
         }
       } else {
         TRACE_GENERIC_IC("KeyedStoreIC", "force generic");
       }
     }
     if (!stub.is_null()) set_target(*stub);
   }
 
   TRACE_IC("KeyedStoreIC", key, state, target());
@@ skipping 162 matching lines @@
 
 
 // Used from ic-<arch>.cc.
 RUNTIME_FUNCTION(MaybeObject*, StoreIC_Miss) {
   HandleScope scope;
   ASSERT(args.length() == 3);
   StoreIC ic(isolate);
   IC::State state = IC::StateFrom(ic.target(), args[0], args[1]);
   Code::ExtraICState extra_ic_state = ic.target()->extra_ic_state();
   return ic.Store(state,
-                  static_cast<StrictModeFlag>(extra_ic_state & kStrictMode),
+                  Code::GetStrictMode(extra_ic_state),
                   args.at<Object>(0),
                   args.at<String>(1),
                   args.at<Object>(2));
 }
 
 
 RUNTIME_FUNCTION(MaybeObject*, StoreIC_ArrayLength) {
   NoHandleAllocation nha;
 
   ASSERT(args.length() == 2);
@@ skipping 55 matching lines @@
 
 
 // Used from ic-<arch>.cc.
 RUNTIME_FUNCTION(MaybeObject*, KeyedStoreIC_Miss) {
   HandleScope scope(isolate);
   ASSERT(args.length() == 3);
   KeyedStoreIC ic(isolate);
   IC::State state = IC::StateFrom(ic.target(), args[0], args[1]);
   Code::ExtraICState extra_ic_state = ic.target()->extra_ic_state();
   return ic.Store(state,
-                  static_cast<StrictModeFlag>(extra_ic_state & kStrictMode),
+                  Code::GetStrictMode(extra_ic_state),
                   args.at<Object>(0),
                   args.at<Object>(1),
                   args.at<Object>(2),
                   false);
 }
 
 
 RUNTIME_FUNCTION(MaybeObject*, KeyedStoreIC_Slow) {
   NoHandleAllocation na;
   ASSERT(args.length() == 3);
   KeyedStoreIC ic(isolate);
   Code::ExtraICState extra_ic_state = ic.target()->extra_ic_state();
   Handle<Object> object = args.at<Object>(0);
   Handle<Object> key = args.at<Object>(1);
   Handle<Object> value = args.at<Object>(2);
-  StrictModeFlag strict_mode =
-      static_cast<StrictModeFlag>(extra_ic_state & kStrictMode);
+  StrictModeFlag strict_mode = Code::GetStrictMode(extra_ic_state);
   return Runtime::SetObjectProperty(isolate,
                                     object,
                                     key,
                                     value,
                                     NONE,
                                     strict_mode);
 }
 
 
 RUNTIME_FUNCTION(MaybeObject*, KeyedStoreIC_MissForceGeneric) {
   HandleScope scope(isolate);
   ASSERT(args.length() == 3);
   KeyedStoreIC ic(isolate);
   IC::State state = IC::StateFrom(ic.target(), args[0], args[1]);
   Code::ExtraICState extra_ic_state = ic.target()->extra_ic_state();
   return ic.Store(state,
-                  static_cast<StrictModeFlag>(extra_ic_state & kStrictMode),
+                  Code::GetStrictMode(extra_ic_state),
                   args.at<Object>(0),
                   args.at<Object>(1),
                   args.at<Object>(2),
                   true);
 }
 
 
 void UnaryOpIC::patch(Code* code) {
   set_target(code);
 }
@@ skipping 428 matching lines @@
 #undef ADDR
 };
 
 
 Address IC::AddressFromUtilityId(IC::UtilityId id) {
   return IC_utilities[id];
 }
 
 
 } }  // namespace v8::internal