[turbofan] Properly type field access to stable heap object maps.

src/compiler/typer.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/typer.h"
 
 #include "src/base/flags.h"
 #include "src/base/lazy-instance.h"
 #include "src/bootstrapper.h"
+#include "src/compilation-dependencies.h"
 #include "src/compiler/common-operator.h"
 #include "src/compiler/graph-reducer.h"
 #include "src/compiler/js-operator.h"
 #include "src/compiler/node.h"
 #include "src/compiler/node-properties.h"
 #include "src/compiler/simplified-operator.h"
 #include "src/objects-inl.h"
 #include "src/zone-type-cache.h"
 
 namespace v8 {
@@ skipping 10 matching lines @@
 class Typer::Decorator final : public GraphDecorator {
  public:
   explicit Decorator(Typer* typer) : typer_(typer) {}
   void Decorate(Node* node) final;
 
  private:
   Typer* const typer_;
 };
 
 
-Typer::Typer(Isolate* isolate, Graph* graph, Type::FunctionType* function_type)
+Typer::Typer(Isolate* isolate, Graph* graph, Flags flags,
+             CompilationDependencies* dependencies,
+             Type::FunctionType* function_type)
     : isolate_(isolate),
       graph_(graph),
+      flags_(flags),
+      dependencies_(dependencies),
       function_type_(function_type),
       decorator_(nullptr),
       cache_(kCache.Get()) {
   Zone* zone = this->zone();
   Factory* const factory = isolate->factory();
 
   Type* infinity = Type::Constant(factory->infinity_value(), zone);
   Type* minus_infinity = Type::Constant(factory->minus_infinity_value(), zone);
   // TODO(neis): Unfortunately, the infinities created in other places might
   // be different ones (eg the result of NewNumber in TypeNumberConstant).
@@ skipping 144 matching lines @@
     Node* operand_node = NodeProperties::GetValueInput(node, i);
     return TypeOrNone(operand_node);
   }
 
   Type* WrapContextTypeForInput(Node* node);
   Type* Weaken(Node* node, Type* current_type, Type* previous_type);
 
   Zone* zone() { return typer_->zone(); }
   Isolate* isolate() { return typer_->isolate(); }
   Graph* graph() { return typer_->graph(); }
+  Typer::Flags flags() const { return typer_->flags(); }
+  CompilationDependencies* dependencies() const {
+    return typer_->dependencies();
+  }
 
   void SetWeakened(NodeId node_id) { weakened_nodes_.insert(node_id); }
   bool IsWeakened(NodeId node_id) {
     return weakened_nodes_.find(node_id) != weakened_nodes_.end();
   }
 
   typedef Type* (*UnaryTyperFun)(Type*, Typer* t);
   typedef Type* (*BinaryTyperFun)(Type*, Type*, Typer* t);
 
   Type* TypeUnaryOp(Node* node, UnaryTyperFun);
@@ skipping 28 matching lines @@
 
 #define DECLARE_METHOD(x) static Type* x##Typer(Type*, Type*, Typer*);
   JS_SIMPLE_BINOP_LIST(DECLARE_METHOD)
 #undef DECLARE_METHOD
 
   static Type* JSUnaryNotTyper(Type*, Typer*);
   static Type* JSTypeOfTyper(Type*, Typer*);
   static Type* JSLoadPropertyTyper(Type*, Type*, Typer*);
   static Type* JSCallFunctionTyper(Type*, Typer*);
 
+  static Type* ReferenceEqualTyper(Type*, Type*, Typer*);
+
   Reduction UpdateType(Node* node, Type* current) {
     if (NodeProperties::IsTyped(node)) {
       // Widen the type of a previously typed node.
       Type* previous = NodeProperties::GetType(node);
       if (node->opcode() == IrOpcode::kPhi) {
         // Speed up termination in the presence of range types:
         current = Weaken(node, current, previous);
       }
 
       DCHECK(previous->Is(current));
@@ skipping 1303 matching lines @@
 Type* Typer::Visitor::TypeNumberToUint32(Node* node) {
   return TypeUnaryOp(node, NumberToUint32);
 }
 
 
 Type* Typer::Visitor::TypePlainPrimitiveToNumber(Node* node) {
   return TypeUnaryOp(node, ToNumber);
 }
 
 
+// static
+Type* Typer::Visitor::ReferenceEqualTyper(Type* lhs, Type* rhs, Typer* t) {
+  if (lhs->Is(rhs) && rhs->Is(lhs)) return t->singleton_true_;

[rossberg, 2015/10/26 11:44:19]

I don't understand. This seems to say that if the types are the same, we know
that the values are the same? That only holds if the types are Constants.

[Benedikt Meurer, 2015/10/26 11:46:39]

Of course (similar to JSStrictEqualTyper). Thanks for catching.

+  return Type::Boolean();
+}
+
+
 Type* Typer::Visitor::TypeReferenceEqual(Node* node) {
-  return Type::Boolean(zone());
+  return TypeBinaryOp(node, ReferenceEqualTyper);
 }
 
 
 Type* Typer::Visitor::TypeStringEqual(Node* node) {
   return Type::Boolean(zone());
 }
 
 
 Type* Typer::Visitor::TypeStringLessThan(Node* node) {
   return Type::Boolean(zone());
@@ skipping 70 matching lines @@
   Type* arg = Operand(node, 0);
   // TODO(neis): DCHECK(arg.upper->Is(Type::Boolean()));
   return ChangeRepresentation(arg, Type::TaggedPointer(), zone());
 }
 
 
 Type* Typer::Visitor::TypeAllocate(Node* node) { return Type::TaggedPointer(); }
 
 
 Type* Typer::Visitor::TypeLoadField(Node* node) {
-  return FieldAccessOf(node->op()).type;
+  FieldAccess const& access = FieldAccessOf(node->op());
+  if (access.base_is_tagged == kTaggedBase &&
+      access.offset == HeapObject::kMapOffset) {
+    // The type of LoadField[Map](o) is Constant(map) if map is stable and
+    // either
+    //  (a) o has type Constant(object) and map == object->map, or
+    //  (b) o has type Class(map),
+    // and either
+    //  (1) map cannot transition further, or
+    //  (2) deoptimization is enabled and we can add a code dependency on the
+    //      stability of map (to guard the Constant type information).
+    DCHECK(Type::Internal()->Is(access.type));
+    Type* const object = Operand(node, 0);
+    Handle<Map> object_map;
+    if (object->IsConstant() && object->AsConstant()->Value()->IsHeapObject()) {
+      object_map =
+          handle(Handle<HeapObject>::cast(object->AsConstant()->Value())->map(),
+                 isolate());
+    } else if (object->IsClass()) {
+      object_map = object->AsClass()->Map();
+    } else {
+      return access.type;
+    }
+    if (object_map->is_stable()) {
+      if (!object_map->CanTransition()) {
+        return Type::Constant(object_map, zone());
+      }
+      if (flags() & kDeoptimizationEnabled) {
+        dependencies()->AssumeMapStable(object_map);
+        return Type::Constant(object_map, zone());
+      }
+    }
+  }
+  return access.type;
 }
 
 
 Type* Typer::Visitor::TypeLoadBuffer(Node* node) {
   // TODO(bmeurer): This typing is not yet correct. Since we can still access
   // out of bounds, the type in the general case has to include Undefined.
   switch (BufferAccessOf(node->op()).external_array_type()) {
 #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) \
   case kExternal##Type##Array:                          \
     return typer_->cache_.k##Type;
@@ skipping 425 matching lines @@
   }
   if (Type::IsInteger(*value)) {
     return Type::Range(value->Number(), value->Number(), zone());
   }
   return Type::Constant(value, zone());
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8