Support fast-path allocation for subclass constructors with correctly initialized initial maps.

src/ia32/builtins-ia32.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #if V8_TARGET_ARCH_IA32
 
 #include "src/code-factory.h"
 #include "src/codegen.h"
 #include "src/deoptimizer.h"
 #include "src/full-codegen/full-codegen.h"
@@ skipping 133 matching lines @@
 
     // Try to allocate the object without transitioning into C code. If any of
     // the preconditions is not met, the code bails out to the runtime call.
     Label rt_call, allocated;
     if (FLAG_inline_new) {
       ExternalReference debug_step_in_fp =
           ExternalReference::debug_step_in_fp_address(masm->isolate());
       __ cmp(Operand::StaticVariable(debug_step_in_fp), Immediate(0));
       __ j(not_equal, &rt_call);
 
-      // Fall back to runtime if the original constructor and function differ.
-      __ cmp(edx, edi);
+      // Verify that the original constructor is a JSFunction.
+      __ CmpObjectType(edx, JS_FUNCTION_TYPE, ebx);
       __ j(not_equal, &rt_call);
 
-      // Verified that the constructor is a JSFunction.
       // Load the initial map and verify that it is in fact a map.
-      // edi: constructor
-      __ mov(eax, FieldOperand(edi, JSFunction::kPrototypeOrInitialMapOffset));
+      // edx: original constructor
+      __ mov(eax, FieldOperand(edx, JSFunction::kPrototypeOrInitialMapOffset));
       // Will both indicate a NULL and a Smi
       __ JumpIfSmi(eax, &rt_call);
       // edi: constructor
       // eax: initial map (if proven valid below)
       __ CmpObjectType(eax, MAP_TYPE, ebx);
       __ j(not_equal, &rt_call);
 
+      // Fall back to runtime if the expected base constructor and base
+      // constructor differ.
+      __ cmp(edi, FieldOperand(eax, Map::kConstructorOrBackPointerOffset));
+      __ j(not_equal, &rt_call);
+
       // Check that the constructor is not constructing a JSFunction (see
       // comments in Runtime_NewObject in runtime.cc). In which case the
       // initial map's instance type would be JS_FUNCTION_TYPE.
       // edi: constructor
       // eax: initial map
       __ CmpInstanceType(eax, JS_FUNCTION_TYPE);
       __ j(equal, &rt_call);
 
       if (!is_api_function) {
         Label allocate;
         // The code below relies on these assumptions.
         STATIC_ASSERT(Map::Counter::kShift + Map::Counter::kSize == 32);
         // Check if slack tracking is enabled.
         __ mov(esi, FieldOperand(eax, Map::kBitField3Offset));
         __ shr(esi, Map::Counter::kShift);
         __ cmp(esi, Map::kSlackTrackingCounterEnd);
         __ j(less, &allocate);
         // Decrease generous allocation count.
         __ sub(FieldOperand(eax, Map::kBitField3Offset),
                Immediate(1 << Map::Counter::kShift));
 
         __ cmp(esi, Map::kSlackTrackingCounterEnd);
         __ j(not_equal, &allocate);
 
         __ push(eax);
         __ push(edx);
         __ push(edi);
 
-        __ push(edi);  // constructor
+        __ push(eax);  // initial map
         __ CallRuntime(Runtime::kFinalizeInstanceSize, 1);
 
         __ pop(edi);
         __ pop(edx);
         __ pop(eax);
         __ mov(esi, Map::kSlackTrackingCounterEnd - 1);
 
         __ bind(&allocate);
       }
 
@@ skipping 1733 matching lines @@
 
   __ bind(&ok);
   __ ret(0);
 }
 
 #undef __
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_IA32