Track representations of fields

src/ic.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 164 matching lines @@
   intptr_t delta =
       original_code->instruction_start() - code->instruction_start();
   return addr + delta;
 }
 #endif
 
 
 static bool TryRemoveInvalidPrototypeDependentStub(Code* target,
                                                    Object* receiver,
                                                    Object* name) {
+  if (target->type() != Code::NORMAL) {

[danno, 2013/04/24 15:23:00]

Can you please add a comment here why this compare is relevant?

[Toon Verwaest, 2013/04/25 10:59:38]

Done.

+    Map* map = target->FindFirstMap();
+    if (map != NULL && map->is_invalid_transition()) {
+      return true;
+    }
+  }
+
   InlineCacheHolderFlag cache_holder =
       Code::ExtractCacheHolderFromFlags(target->flags());
 
   Isolate* isolate = target->GetIsolate();
   if (cache_holder == OWN_MAP && !receiver->IsJSObject()) {
     // The stub was generated for JSObject but called for non-JSObject.
     // IC::GetCodeCacheHolder is not applicable.
     return false;
   } else if (cache_holder == PROTOTYPE_MAP &&
              receiver->GetPrototype(isolate)->IsNull()) {
@@ skipping 303 matching lines @@
     int index = frame->ComputeExpressionsCount() - (argc + 1);
     frame->SetExpression(index, *isolate()->factory()->ToObject(object));
   }
 }
 
 
 MaybeObject* CallICBase::LoadFunction(State state,
                                       Code::ExtraICState extra_ic_state,
                                       Handle<Object> object,
                                       Handle<String> name) {
+  if (object->IsJSObject()) {
+    Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+    if (receiver->map()->is_invalid_transition()) {

[danno, 2013/04/24 15:23:00]

is_invalid_transition_target or is_invalid. is_deprecated?

[Toon Verwaest, 2013/04/25 10:59:38]

Done.

+      JSObject::MigrateInstance(receiver);
+    }
+  }
+
   // If the object is undefined or null it's illegal to try to get any
   // of its properties; throw a TypeError in that case.
   if (object->IsUndefined() || object->IsNull()) {
     return TypeError("non_object_property_call", object, name);
   }
 
   // Check if the name is trivially convertible to an index and get
   // the element if so.
   uint32_t index;
   if (name->AsArrayIndex(&index)) {
@@ skipping 251 matching lines @@
 MaybeObject* KeyedCallIC::LoadFunction(State state,
                                        Handle<Object> object,
                                        Handle<Object> key) {
   if (key->IsInternalizedString()) {
     return CallICBase::LoadFunction(state,
                                     Code::kNoExtraICState,
                                     object,
                                     Handle<String>::cast(key));
   }
 
+  if (object->IsJSObject()) {
+    Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+    if (receiver->map()->is_invalid_transition()) {
+      JSObject::MigrateInstance(receiver);
+    }
+  }
+
   if (object->IsUndefined() || object->IsNull()) {
     return TypeError("non_object_property_call", object, key);
   }
 
   bool use_ic = FLAG_use_ic && !object->IsAccessCheckNeeded();
   ASSERT(!(use_ic && object->IsJSGlobalProxy()));
 
   if (use_ic && state != MEGAMORPHIC) {
     int argc = target()->arguments_count();
     Handle<Code> stub = isolate()->stub_cache()->ComputeCallMegamorphic(
@@ skipping 94 matching lines @@
 
   // Check if the name is trivially convertible to an index and get
   // the element or char if so.
   uint32_t index;
   if (kind() == Code::KEYED_LOAD_IC && name->AsArrayIndex(&index)) {
     // Rewrite to the generic keyed load stub.
     if (FLAG_use_ic) set_target(*generic_stub());
     return Runtime::GetElementOrCharAtOrFail(isolate(), object, index);
   }
 
+  if (object->IsJSObject()) {
+    Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+    if (receiver->map()->is_invalid_transition()) {
+      JSObject::MigrateInstance(receiver);
+    }
+  }
+
   // Named lookup in the object.
   LookupResult lookup(isolate());
   LookupForRead(object, name, &lookup);
 
   // If we did not find a property, check if we need to throw an exception.
   if (!lookup.IsFound()) {
     if (IsUndeclaredGlobal(object)) {
       return ReferenceError("not_defined", name);
     }
     LOG(isolate(), SuspectReadEvent(*name, *object));
@@ skipping 44 matching lines @@
                              Handle<Code> code) {
   if (code->type() == Code::NORMAL) return false;
   if (target()->ic_state() == MONOMORPHIC &&
       target()->type() == Code::NORMAL) {
     return false;
   }
 
   MapHandleList receiver_maps;
   CodeHandleList handlers;
 
+  int number_of_valid_maps;
   {
     AssertNoAllocation no_gc;
     target()->FindAllMaps(&receiver_maps);
     int number_of_maps = receiver_maps.length();
-    if (number_of_maps >= 4) return false;
+    number_of_valid_maps = number_of_maps;
+    for (int i = 0; i < number_of_maps; i++) {
+      if (receiver_maps.at(i)->is_invalid_transition()) {
+        number_of_valid_maps--;
+      }
+    }
+
+    if (number_of_valid_maps >= 4) return false;
 
     // Only allow 0 maps in case target() was reset to UNINITIALIZED by the GC.
     // In that case, allow the IC to go back monomorphic.
     if (number_of_maps == 0 && target()->ic_state() != UNINITIALIZED) {
       return false;
     }
     target()->FindAllCode(&handlers, receiver_maps.length());
   }
 
   if (!AddOneReceiverMapIfMissing(&receiver_maps,
                                   Handle<Map>(receiver->map()))) {
     return false;
   }
 
   handlers.Add(code);
   Handle<Code> ic = isolate()->stub_cache()->ComputePolymorphicIC(
-      &receiver_maps, &handlers, name);
+      &receiver_maps, &handlers, number_of_valid_maps + 1, name);
   set_target(*ic);
   return true;
 }
 
 
 void LoadIC::UpdateMonomorphicIC(Handle<JSObject> receiver,
                                  Handle<Code> handler,
                                  Handle<String> name) {
   if (handler->type() == Code::NORMAL) return set_target(*handler);
   Handle<Code> ic = isolate()->stub_cache()->ComputeMonomorphicIC(
@@ skipping 70 matching lines @@
             UpdateMonomorphicIC(receiver, code, name);
             break;
           }
           if (UpdatePolymorphicIC(state, strict_mode, receiver, name, code)) {
             break;
           }
         }
         if (target()->type() != Code::NORMAL) {
           if (target()->is_load_stub()) {
             CopyICToMegamorphicCache(name);
+          } else if (target()->is_store_stub()) {
+            MapHandleList maps;

[danno, 2013/04/24 15:23:00]

Comment that this is special handling that is only needed until we have
polymorphic store ICs.

[Toon Verwaest, 2013/04/25 10:59:38]

Done.

+            Code* handler = target();
+            handler->FindAllMaps(&maps);
+            for (int i = 0; i < Min(1, maps.length()); i++) {
+              if (maps.at(i)->is_invalid_transition()) {
+                UpdateMonomorphicIC(receiver, code, name);
+                return;
+              }
+            }
+            if (maps.length() > 0) {
+              if (receiver->map() == *maps.at(0)) {
+                UpdateMonomorphicIC(receiver, code, name);
+                return;
+              }
+              UpdateMegamorphicCache(*maps.at(0), *name, handler);
+            }
           } else {
             Code* handler = target();
             Map* map = handler->FindFirstMap();
             if (map != NULL) {
               UpdateMegamorphicCache(map, *name, handler);
             }
           }
         }
 
         UpdateMegamorphicCache(receiver->map(), *name, *code);
@@ skipping 72 matching lines @@
                           Handle<Object> object,
                           Handle<String> name) {
   // Bail out if the result is not cacheable.
   if (!lookup->IsCacheable()) return;
 
   // Loading properties from values is not common, so don't try to
   // deal with non-JS objects here.
   if (!object->IsJSObject()) return;
 
   Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+

[danno, 2013/04/24 15:23:00]

extraneous whitespace change

[Toon Verwaest, 2013/04/25 10:59:38]

Done.

   Handle<Code> code;
   if (state == UNINITIALIZED) {
     // This is the first time we execute this inline cache.
     // Set the target to the pre monomorphic stub to delay
     // setting the monomorphic state.
     code = pre_monomorphic_stub();
   } else {
     code = ComputeLoadHandler(lookup, receiver, name);
     if (code.is_null()) return;
   }
@@ skipping 187 matching lines @@
 
   if (use_ic) {
     Handle<Code> stub = generic_stub();
     if (miss_mode != MISS_FORCE_GENERIC) {
       if (object->IsString() && key->IsNumber()) {
         if (state == UNINITIALIZED) {
           stub = string_stub();
         }
       } else if (object->IsJSObject()) {
         Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+        if (receiver->map()->is_invalid_transition()) {
+          JSObject::MigrateInstance(receiver);
+        }
+
         if (receiver->elements()->map() ==
             isolate()->heap()->non_strict_arguments_elements_map()) {
           stub = non_strict_arguments_stub();
         } else if (receiver->HasIndexedInterceptor()) {
           stub = indexed_interceptor_stub();
         } else if (!key->ToSmi()->IsFailure() &&
                    (target() != *non_strict_arguments_stub())) {
           stub = LoadElementStub(receiver);
         }
       }
@@ skipping 46 matching lines @@
       // Always rewrite to the generic case so that we do not
       // repeatedly try to rewrite.
       return generic_stub();
   }
   return Handle<Code>::null();
 }
 
 
 static bool LookupForWrite(Handle<JSObject> receiver,
                            Handle<String> name,
+                           Handle<Object> value,
                            LookupResult* lookup) {
   Handle<JSObject> holder = receiver;
   receiver->Lookup(*name, lookup);
   if (lookup->IsFound()) {
     if (lookup->IsReadOnly() || !lookup->IsCacheable()) return false;
 
     if (lookup->holder() == *receiver) {
       if (lookup->IsInterceptor() &&
           receiver->GetNamedInterceptor()->setter()->IsUndefined()) {
         receiver->LocalLookupRealNamedProperty(*name, lookup);
         return lookup->IsFound() &&
             !lookup->IsReadOnly() &&
+            lookup->CanStore(value) &&
             lookup->IsCacheable();
       }
-      return true;
+      return lookup->CanStore(value);

[danno, 2013/04/24 15:23:00]

CanHoldValue?

[Toon Verwaest, 2013/04/25 10:59:38]

Done.

     }
 
     if (lookup->IsPropertyCallbacks()) return true;
 
     // Currently normal holders in the prototype chain are not supported. They
     // would require a runtime positive lookup and verification that the details
     // have not changed.
     if (lookup->IsInterceptor() || lookup->IsNormal()) return false;
     holder = Handle<JSObject>(lookup->holder(), lookup->isolate());
   }
 
   // While normally LookupTransition gets passed the receiver, in this case we
   // pass the holder of the property that we overwrite. This keeps the holder in
   // the LookupResult intact so we can later use it to generate a prototype
   // chain check. This avoids a double lookup, but requires us to pass in the
   // receiver when trying to fetch extra information from the transition.
   receiver->map()->LookupTransition(*holder, *name, lookup);
-  return lookup->IsTransition() &&
-      !lookup->GetTransitionDetails(receiver->map()).IsReadOnly();
+  if (!lookup->IsTransition()) return false;
+  PropertyDetails target_details =
+      lookup->GetTransitionDetails(receiver->map());
+  if (target_details.IsReadOnly()) return false;
+  return value->FitsRepresentation(target_details.representation());
 }
 
 
 MaybeObject* StoreIC::Store(State state,
                             StrictModeFlag strict_mode,
                             Handle<Object> object,
                             Handle<String> name,
                             Handle<Object> value,
                             JSReceiver::StoreFromKeyed store_mode) {
   // Handle proxies.
@@ skipping 13 matching lines @@
       name->Equals(isolate()->heap()->length_string())) {
     return TypeError("strict_read_only_property", object, name);
   }
 
   // Ignore other stores where the receiver is not a JSObject.
   // TODO(1475): Must check prototype chains of object wrappers.
   if (!object->IsJSObject()) return *value;
 
   Handle<JSObject> receiver = Handle<JSObject>::cast(object);
 
+  if (receiver->map()->is_invalid_transition()) {
+    JSObject::MigrateInstance(receiver);
+  }
+
   // Check if the given name is an array index.
   uint32_t index;
   if (name->AsArrayIndex(&index)) {
     Handle<Object> result =
         JSObject::SetElement(receiver, index, value, NONE, strict_mode);
     RETURN_IF_EMPTY_HANDLE(isolate(), result);
     return *value;
   }
 
   // Observed objects are always modified through the runtime.
@@ skipping 26 matching lines @@
           ? global_proxy_stub_strict()
           : global_proxy_stub();
       set_target(*stub);
       TRACE_IC("StoreIC", name, state, *stub);
     }
     return JSReceiver::SetPropertyOrFail(
         receiver, name, value, NONE, strict_mode, store_mode);
   }
 
   LookupResult lookup(isolate());
-  if (LookupForWrite(receiver, name, &lookup)) {
+  if (LookupForWrite(receiver, name, value, &lookup)) {
     if (FLAG_use_ic) {
       UpdateCaches(&lookup, state, strict_mode, receiver, name, value);
     }
   } else if (strict_mode == kStrictMode &&
              !(lookup.IsProperty() && lookup.IsReadOnly()) &&
              IsUndeclaredGlobal(object)) {
     // Strict mode doesn't allow setting non-existent global property.
     return ReferenceError("not_defined", name);
   }
 
@@ skipping 388 matching lines @@
           JSObject::cast(*object)->map()->is_observed());
   ASSERT(!(use_ic && object->IsJSGlobalProxy()));
 
   if (use_ic) {
     Handle<Code> stub = (strict_mode == kStrictMode)
         ? generic_stub_strict()
         : generic_stub();
     if (miss_mode != MISS_FORCE_GENERIC) {
       if (object->IsJSObject()) {
         Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+        if (receiver->map()->is_invalid_transition()) {
+          JSObject::MigrateInstance(receiver);
+        }
         bool key_is_smi_like = key->IsSmi() ||
             (FLAG_compiled_keyed_stores && !key->ToSmi()->IsFailure());
         if (receiver->elements()->map() ==
             isolate()->heap()->non_strict_arguments_elements_map()) {
           stub = non_strict_arguments_stub();
         } else if (key_is_smi_like &&
                    (target() != *non_strict_arguments_stub())) {
           KeyedAccessStoreMode store_mode = GetStoreMode(receiver, key, value);
           stub = StoreElementStub(receiver, store_mode, strict_mode);
         } else {
@@ skipping 843 matching lines @@
 #undef ADDR
 };
 
 
 Address IC::AddressFromUtilityId(IC::UtilityId id) {
   return IC_utilities[id];
 }
 
 
 } }  // namespace v8::internal