Support fast-path allocation for subclass constructors with correctly initialized initial maps.

src/arm64/builtins-arm64.cc

 // Copyright 2013 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #if V8_TARGET_ARCH_ARM64
 
 #include "src/arm64/frames-arm64.h"
 #include "src/codegen.h"
 #include "src/debug/debug.h"
 #include "src/deoptimizer.h"
@@ skipping 372 matching lines @@
     // Try to allocate the object without transitioning into C code. If any of
     // the preconditions is not met, the code bails out to the runtime call.
     Label rt_call, allocated;
     if (FLAG_inline_new) {
       ExternalReference debug_step_in_fp =
           ExternalReference::debug_step_in_fp_address(isolate);
       __ Mov(x2, Operand(debug_step_in_fp));
       __ Ldr(x2, MemOperand(x2));
       __ Cbnz(x2, &rt_call);
 
-      // Fall back to runtime if the original constructor and function differ.
-      __ Cmp(constructor, original_constructor);
-      __ B(ne, &rt_call);
+      // Verify that the original constructor is a JSFunction.
+      __ JumpIfNotObjectType(original_constructor, x10, x11, JS_FUNCTION_TYPE,
+                             &rt_call);
 
       // Load the initial map and verify that it is in fact a map.
       Register init_map = x2;
       __ Ldr(init_map,
-             FieldMemOperand(constructor,
+             FieldMemOperand(original_constructor,
                              JSFunction::kPrototypeOrInitialMapOffset));
       __ JumpIfSmi(init_map, &rt_call);
       __ JumpIfNotObjectType(init_map, x10, x11, MAP_TYPE, &rt_call);
 
+      // Fall back to runtime if the expected base constructor and base
+      // constructor differ.
+      __ Ldr(x10,
+             FieldMemOperand(init_map, Map::kConstructorOrBackPointerOffset));
+      __ Cmp(constructor, x10);
+      __ B(ne, &rt_call);
+
       // Check that the constructor is not constructing a JSFunction (see
       // comments in Runtime_NewObject in runtime.cc). In which case the initial
       // map's instance type would be JS_FUNCTION_TYPE.
       __ CompareInstanceType(init_map, x10, JS_FUNCTION_TYPE);
       __ B(eq, &rt_call);
 
       Register constructon_count = x14;
       if (!is_api_function) {
         Label allocate;
         MemOperand bit_field3 =
             FieldMemOperand(init_map, Map::kBitField3Offset);
         // Check if slack tracking is enabled.
         __ Ldr(x4, bit_field3);
         __ DecodeField<Map::Counter>(constructon_count, x4);
         __ Cmp(constructon_count, Operand(Map::kSlackTrackingCounterEnd));
         __ B(lt, &allocate);
         // Decrease generous allocation count.
         __ Subs(x4, x4, Operand(1 << Map::Counter::kShift));
         __ Str(x4, bit_field3);
         __ Cmp(constructon_count, Operand(Map::kSlackTrackingCounterEnd));
         __ B(ne, &allocate);
 
-        // Push the constructor and map to the stack, and the constructor again
+        // Push the constructor and map to the stack, and the map again
         // as argument to the runtime call.
-        __ Push(constructor, init_map, constructor);
+        __ Push(constructor, init_map, init_map);
         __ CallRuntime(Runtime::kFinalizeInstanceSize, 1);
         __ Pop(init_map, constructor);
         __ Mov(constructon_count, Operand(Map::kSlackTrackingCounterEnd - 1));
         __ Bind(&allocate);
       }
 
       // Now allocate the JSObject on the heap.
       Label rt_call_reload_new_target;
       Register obj_size = x3;
       Register new_obj = x4;
@@ skipping 1585 matching lines @@
   }
 }
 
 
 #undef __
 
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_ARM