[turbofan] Fix and rework deopt in call to super property.

src/compiler/ast-graph-builder.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/ast-graph-builder.h"
 
 #include "src/compiler.h"
 #include "src/compiler/ast-loop-assignment-analyzer.h"
 #include "src/compiler/control-builders.h"
 #include "src/compiler/linkage.h"
@@ skipping 2320 matching lines @@
     }
     case Call::LOOKUP_SLOT_CALL: {
       Variable* variable = callee->AsVariableProxy()->var();
       DCHECK(variable->location() == VariableLocation::LOOKUP);
       Node* name = jsgraph()->Constant(variable->name());
       const Operator* op =
           javascript()->CallRuntime(Runtime::kLoadLookupSlot, 2);
       Node* pair = NewNode(op, current_context(), name);
       callee_value = NewNode(common()->Projection(0), pair);
       receiver_value = NewNode(common()->Projection(1), pair);
-
       PrepareFrameState(pair, expr->LookupId(),
                         OutputFrameStateCombine::Push(2));
       break;
     }
     case Call::PROPERTY_CALL: {
       Property* property = callee->AsProperty();
       VectorSlotPair pair =
           CreateVectorSlotPair(property->PropertyFeedbackSlot());
-      if (!property->IsSuperAccess()) {
-        VisitForValue(property->obj());
-        Node* object = environment()->Top();
-
-        if (property->key()->IsPropertyName()) {
+      LhsKind property_type = Property::GetAssignType(property);

[Michael Starzinger, 2015/10/28 17:26:26]

The LhsKind is somewhat being abused at this point. I would still like to
temporarily go with it for now. But I could imagine to extend Call::CallType and
Call::GetCallType with new cases that distinguish these four property calls as a
follow-up to this CL. WDYT?

[rossberg, 2015/10/29 10:34:12]

SGTM

+      switch (property_type) {
+        case NAMED_PROPERTY: {
+          VisitForValue(property->obj());
           FrameStateBeforeAndAfter states(this, property->obj()->id());
           Handle<Name> name = property->key()->AsLiteral()->AsPropertyName();
+          Node* object = environment()->Top();
           callee_value = BuildNamedLoad(object, name, pair);
           states.AddToNode(callee_value, property->LoadId(),
                            OutputFrameStateCombine::Push());
-        } else {
+          // Note that a PROPERTY_CALL requires the receiver to be wrapped into
+          // an object for sloppy callees. However the receiver is guaranteed
+          // not to be null or undefined at this point.
+          receiver_hint = ConvertReceiverMode::kNotNullOrUndefined;
+          receiver_value = environment()->Pop();
+          flags = CALL_AS_METHOD;
+          break;
+        }
+        case KEYED_PROPERTY: {
+          VisitForValue(property->obj());
           VisitForValue(property->key());
           FrameStateBeforeAndAfter states(this, property->key()->id());
           Node* key = environment()->Pop();
+          Node* object = environment()->Top();
           callee_value = BuildKeyedLoad(object, key, pair);
           states.AddToNode(callee_value, property->LoadId(),
                            OutputFrameStateCombine::Push());
+          // Note that a PROPERTY_CALL requires the receiver to be wrapped into
+          // an object for sloppy callees. However the receiver is guaranteed
+          // not to be null or undefined at this point.
+          receiver_hint = ConvertReceiverMode::kNotNullOrUndefined;
+          receiver_value = environment()->Pop();
+          flags = CALL_AS_METHOD;
+          break;
         }
-        // Note that a PROPERTY_CALL requires the receiver to be wrapped into an
-        // object for sloppy callees. However the receiver is guaranteed not to
-        // be null or undefined at this point.
-        receiver_hint = ConvertReceiverMode::kNotNullOrUndefined;
-        receiver_value = environment()->Pop();
-        flags = CALL_AS_METHOD;
-
-      } else {
-        // TODO(mstarzinger): Cleanup this special handling for super access,
-        // the stack layout seems to be completely out of sync here, fix this!
-        VisitForValue(property->obj()->AsSuperPropertyReference()->this_var());
-        VisitForValue(
-            property->obj()->AsSuperPropertyReference()->home_object());
-        Node* home_object = environment()->Pop();
-        receiver_value = environment()->Pop();
-        if (property->key()->IsPropertyName()) {
+        case NAMED_SUPER_PROPERTY: {
+          SuperPropertyReference* super_ref =
+              property->obj()->AsSuperPropertyReference();
+          VisitForValue(super_ref->home_object());
+          VisitForValue(super_ref->this_var());
+          Node* home = environment()->Peek(1);
+          Node* object = environment()->Top();
+          Handle<Name> name = property->key()->AsLiteral()->AsPropertyName();
           FrameStateBeforeAndAfter states(this, property->obj()->id());
-          Handle<Name> name = property->key()->AsLiteral()->AsPropertyName();
-          callee_value =
-              BuildNamedSuperLoad(receiver_value, home_object, name, pair);
+          callee_value = BuildNamedSuperLoad(object, home, name, pair);
           states.AddToNode(callee_value, property->LoadId(),
                            OutputFrameStateCombine::Push());
-
-        } else {
+          // Note that the receiver is not the target of the property load, so
+          // it could very well be null or undefined at this point.
+          receiver_value = environment()->Pop();
+          environment()->Drop(1);
+          break;
+        }
+        case KEYED_SUPER_PROPERTY: {
+          SuperPropertyReference* super_ref =
+              property->obj()->AsSuperPropertyReference();
+          VisitForValue(super_ref->home_object());
+          VisitForValue(super_ref->this_var());
+          environment()->Push(environment()->Top());    // Duplicate this_var.
+          environment()->Push(environment()->Peek(2));  // Duplicate home_obj.
           VisitForValue(property->key());
+          Node* key = environment()->Pop();
+          Node* home = environment()->Pop();
+          Node* object = environment()->Pop();
           FrameStateBeforeAndAfter states(this, property->key()->id());
-          Node* key = environment()->Pop();
-          callee_value =
-              BuildKeyedSuperLoad(receiver_value, home_object, key, pair);
+          callee_value = BuildKeyedSuperLoad(object, home, key, pair);
           states.AddToNode(callee_value, property->LoadId(),
                            OutputFrameStateCombine::Push());
+          // Note that the receiver is not the target of the property load, so
+          // it could very well be null or undefined at this point.
+          receiver_value = environment()->Pop();
+          environment()->Drop(1);
+          break;
         }
+        case VARIABLE:
+          UNREACHABLE();
       }
-
       break;
     }
     case Call::SUPER_CALL:
       return VisitCallSuper(expr);
     case Call::POSSIBLY_EVAL_CALL:
       possibly_eval = true;
       if (callee->AsVariableProxy()->var()->IsLookupSlot()) {
         Variable* variable = callee->AsVariableProxy()->var();
         Node* name = jsgraph()->Constant(variable->name());
         const Operator* op =
@@ skipping 1816 matching lines @@
     // Phi does not exist yet, introduce one.
     value = NewPhi(inputs, value, control);
     value->ReplaceInput(inputs - 1, other);
   }
   return value;
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8