Remake of the load elimination fix made earlier (r18884).

src/hydrogen-instructions.h

Index: src/hydrogen-instructions.h
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index 64a1c0b75ddeba4e85765f06b078f895e94f1a61..87af27b28968a44c956f2c90fcc478c89069f8bf 100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -5741,13 +5741,21 @@ class HObjectAccess V8_FINAL {
     return ImmutableField::decode(value_);
   }
 
+  // Returns true if access is being made to an in-object property that
+  // was already added to the object.
+  inline bool existing_inobject_property() const {
+    return ExistingInobjectPropertyField::decode(value_);
+  }
+
   inline HObjectAccess WithRepresentation(Representation representation) {
-    return HObjectAccess(portion(), offset(), representation, name());
+    return HObjectAccess(portion(), offset(), representation, name(),
+                         immutable(), existing_inobject_property());
   }
 
   static HObjectAccess ForHeapNumberValue() {
-    return HObjectAccess(
-        kDouble, HeapNumber::kValueOffset, Representation::Double());
+    return HObjectAccess(kDouble,

[Toon Verwaest, 2014/02/03 13:51:32]

spurious change

[Igor Sheludko, 2014/02/03 17:57:05]

Done.

+                         HeapNumber::kValueOffset,
+                         Representation::Double());
   }
 
   static HObjectAccess ForHeapNumberValueLowestBits() {
@@ -5786,7 +5794,8 @@ class HObjectAccess V8_FINAL {
   static HObjectAccess ForAllocationSiteOffset(int offset);
 
   static HObjectAccess ForAllocationSiteList() {
-    return HObjectAccess(kExternalMemory, 0, Representation::Tagged());
+    return HObjectAccess(kExternalMemory, 0, Representation::Tagged(),
+                         Handle<String>::null(), false, false);
   }
 
   static HObjectAccess ForFixedArrayLength() {
@@ -5888,16 +5897,29 @@ class HObjectAccess V8_FINAL {
   }
 
   static HObjectAccess ForCounter() {
-    return HObjectAccess(kExternalMemory, 0, Representation::Integer32());
+    return HObjectAccess(kExternalMemory, 0, Representation::Integer32(),
+                         Handle<String>::null(), false, false);
   }
 
   // Create an access to an offset in a fixed array header.
   static HObjectAccess ForFixedArrayHeader(int offset);
 
   // Create an access to an in-object property in a JSObject.
-  static HObjectAccess ForJSObjectOffset(int offset,
+  // This kind of access must be used when the object |map| is known and
+  // in-object properties are being accessed. Accesses of the in-object
+  // properties can have different semantics depending on whether corresponding
+  // property was added to the map or not.
+  static HObjectAccess ForJSObjectOffset(Handle<Map> map, int offset,

[titzer, 2014/02/03 13:45:39]

Can we call this one ForMapAndOffset?

[Igor Sheludko, 2014/02/03 17:57:05]

Done.

       Representation representation = Representation::Tagged());
 
+  // Create an access to an in-object property in a JSObject.
+  // This kind of access can be used for accessing object header fields or
+  // in-object properties if the map of the object is not known.
+  static HObjectAccess ForJSObjectOffsetUnsafe(int offset,

[titzer, 2014/02/03 13:45:39]

And then we can keep the ForJSObjectOffset for this one.

[Igor Sheludko, 2014/02/03 17:57:05]

In offline discussions we have chosen a better name:
ForObservableJSObjectPropertyAt.

+      Representation representation = Representation::Tagged()) {
+    return ForJSObjectOffset(Handle<Map>::null(), offset, representation);
+  }
+
   // Create an access to an in-object property in a JSArray.
   static HObjectAccess ForJSArrayOffset(int offset);
 
@@ -5915,39 +5937,41 @@ class HObjectAccess V8_FINAL {
   static HObjectAccess ForCellPayload(Isolate* isolate);
 
   static HObjectAccess ForJSTypedArrayLength() {

[Toon Verwaest, 2014/02/03 13:51:32]

You can probably get a map for each of the unsafe accesses below.

[Igor Sheludko, 2014/02/03 17:57:05]

For all these special cases we already know that the access is made to existing
in-object property. I would prefer not to pass maps in the cases below.

-    return HObjectAccess::ForJSObjectOffset(JSTypedArray::kLengthOffset);
+    return HObjectAccess::ForJSObjectOffsetUnsafe(JSTypedArray::kLengthOffset);
   }
 
   static HObjectAccess ForJSArrayBufferBackingStore() {
-    return HObjectAccess::ForJSObjectOffset(
+    return HObjectAccess::ForJSObjectOffsetUnsafe(
         JSArrayBuffer::kBackingStoreOffset, Representation::External());
   }
 
   static HObjectAccess ForExternalArrayExternalPointer() {
-    return HObjectAccess::ForJSObjectOffset(
+    return HObjectAccess::ForJSObjectOffsetUnsafe(
         ExternalArray::kExternalPointerOffset, Representation::External());
   }
 
   static HObjectAccess ForJSArrayBufferViewWeakNext() {
-    return HObjectAccess::ForJSObjectOffset(JSArrayBufferView::kWeakNextOffset);
+    return HObjectAccess::ForJSObjectOffsetUnsafe(
+        JSArrayBufferView::kWeakNextOffset);
   }
 
   static HObjectAccess ForJSArrayBufferWeakFirstView() {
-    return HObjectAccess::ForJSObjectOffset(
+    return HObjectAccess::ForJSObjectOffsetUnsafe(
         JSArrayBuffer::kWeakFirstViewOffset);
   }
 
   static HObjectAccess ForJSArrayBufferViewBuffer() {
-    return HObjectAccess::ForJSObjectOffset(JSArrayBufferView::kBufferOffset);
+    return HObjectAccess::ForJSObjectOffsetUnsafe(
+        JSArrayBufferView::kBufferOffset);
   }
 
   static HObjectAccess ForJSArrayBufferViewByteOffset() {
-    return HObjectAccess::ForJSObjectOffset(
+    return HObjectAccess::ForJSObjectOffsetUnsafe(
         JSArrayBufferView::kByteOffsetOffset);
   }
 
   static HObjectAccess ForJSArrayBufferViewByteLength() {
-    return HObjectAccess::ForJSObjectOffset(
+    return HObjectAccess::ForJSObjectOffsetUnsafe(
         JSArrayBufferView::kByteLengthOffset);
   }
 
@@ -5980,23 +6004,29 @@ class HObjectAccess V8_FINAL {
   HObjectAccess(Portion portion, int offset,
                 Representation representation = Representation::Tagged(),
                 Handle<String> name = Handle<String>::null(),
-                bool immutable = false)
+                bool immutable = false,
+                bool existing_inobject_property = true)
     : value_(PortionField::encode(portion) |
              RepresentationField::encode(representation.kind()) |
              ImmutableField::encode(immutable ? 1 : 0) |
+             ExistingInobjectPropertyField::encode(
+                 existing_inobject_property ? 1 : 0) |
              OffsetField::encode(offset)),
       name_(name) {
     // assert that the fields decode correctly
     ASSERT(this->offset() == offset);
     ASSERT(this->portion() == portion);
     ASSERT(this->immutable() == immutable);
+    ASSERT(this->existing_inobject_property() == existing_inobject_property);
     ASSERT(RepresentationField::decode(value_) == representation.kind());
+    ASSERT(!this->existing_inobject_property() || IsInobject());
   }
 
   class PortionField : public BitField<Portion, 0, 3> {};
   class RepresentationField : public BitField<Representation::Kind, 3, 4> {};
   class ImmutableField : public BitField<bool, 7, 1> {};
-  class OffsetField : public BitField<int, 8, 24> {};
+  class ExistingInobjectPropertyField : public BitField<bool, 8, 1> {};
+  class OffsetField : public BitField<int, 9, 23> {};
 
   uint32_t value_;  // encodes portion, representation, immutable, and offset
   Handle<String> name_;
@@ -6382,19 +6412,15 @@ class HLoadKeyedGeneric V8_FINAL : public HTemplateInstruction<3> {
 // Indicates whether the store is a store to an entry that was previously
 // initialized or not.
 enum StoreFieldOrKeyedMode {
-  // This is a store of either an undefined value to a field or a hole/NaN to
-  // an entry of a newly allocated object.
-  PREINITIALIZING_STORE,
-  // The entry could be either previously initialized or not.

[titzer, 2014/02/03 13:45:39]

Please preserve the comments here.

[Igor Sheludko, 2014/02/03 17:57:05]

Done.

   INITIALIZING_STORE,
-  // At the time of this store it is guaranteed that the entry is already
-  // initialized.
   STORE_TO_INITIALIZED_ENTRY
 };
 
 
 class HStoreNamedField V8_FINAL : public HTemplateInstruction<3> {
  public:
+  DECLARE_INSTRUCTION_FACTORY_P3(HStoreNamedField, HValue*,
+                                 HObjectAccess, HValue*);
   DECLARE_INSTRUCTION_FACTORY_P4(HStoreNamedField, HValue*,
                                  HObjectAccess, HValue*, StoreFieldOrKeyedMode);
 
@@ -6501,17 +6527,12 @@ class HStoreNamedField V8_FINAL : public HTemplateInstruction<3> {
   HStoreNamedField(HValue* obj,
                    HObjectAccess access,
                    HValue* val,
-                   StoreFieldOrKeyedMode store_mode)
+                   StoreFieldOrKeyedMode store_mode = INITIALIZING_STORE)
       : access_(access),
         new_space_dominator_(NULL),
         write_barrier_mode_(UPDATE_WRITE_BARRIER),
         has_transition_(false),
         store_mode_(store_mode) {
-    // PREINITIALIZING_STORE is only used to mark stores that initialize a
-    // memory region resulting from HAllocate (possibly through an
-    // HInnerAllocatedObject).
-    ASSERT(store_mode != PREINITIALIZING_STORE ||
-           obj->IsAllocate() || obj->IsInnerAllocatedObject());

[Toon Verwaest, 2014/02/03 13:51:32]

The equivalent ASSERT should still hold using the access'
ExistingInobjectPropertyField right?

[Igor Sheludko, 2014/02/03 17:57:05]

Done.

     SetOperandAt(0, obj);
     SetOperandAt(1, val);
     SetOperandAt(2, obj);
@@ -6522,7 +6543,7 @@ class HStoreNamedField V8_FINAL : public HTemplateInstruction<3> {
   HValue* new_space_dominator_;
   WriteBarrierMode write_barrier_mode_ : 1;
   bool has_transition_ : 1;
-  StoreFieldOrKeyedMode store_mode_ : 2;
+  StoreFieldOrKeyedMode store_mode_ : 1;
 };
 
 
@@ -6567,6 +6588,8 @@ class HStoreNamedGeneric V8_FINAL : public HTemplateInstruction<3> {
 class HStoreKeyed V8_FINAL
     : public HTemplateInstruction<3>, public ArrayInstructionInterface {
  public:
+  DECLARE_INSTRUCTION_FACTORY_P4(HStoreKeyed, HValue*, HValue*, HValue*,
+                                 ElementsKind);
   DECLARE_INSTRUCTION_FACTORY_P5(HStoreKeyed, HValue*, HValue*, HValue*,
                                  ElementsKind, StoreFieldOrKeyedMode);
 
@@ -6686,7 +6709,7 @@ class HStoreKeyed V8_FINAL
  private:
   HStoreKeyed(HValue* obj, HValue* key, HValue* val,
               ElementsKind elements_kind,
-              StoreFieldOrKeyedMode store_mode)
+              StoreFieldOrKeyedMode store_mode = INITIALIZING_STORE)
       : elements_kind_(elements_kind),
       index_offset_(0),
       is_dehoisted_(false),
@@ -6697,12 +6720,6 @@ class HStoreKeyed V8_FINAL
     SetOperandAt(1, key);
     SetOperandAt(2, val);
 
-    // PREINITIALIZING_STORE is only used to mark stores that initialize a
-    // memory region resulting from HAllocate (possibly through an
-    // HInnerAllocatedObject).
-    ASSERT(store_mode != PREINITIALIZING_STORE ||
-           obj->IsAllocate() || obj->IsInnerAllocatedObject());

[Toon Verwaest, 2014/02/03 13:51:32]

Same as above

[Igor Sheludko, 2014/02/03 17:57:05]

The HObjectAccess mechanism is not applicable to HStoreKeyed.

-
     ASSERT(store_mode != STORE_TO_INITIALIZED_ENTRY ||
            elements_kind == FAST_SMI_ELEMENTS);
 
@@ -6737,7 +6754,7 @@ class HStoreKeyed V8_FINAL
   uint32_t index_offset_;
   bool is_dehoisted_ : 1;
   bool is_uninitialized_ : 1;
-  StoreFieldOrKeyedMode store_mode_: 2;
+  StoreFieldOrKeyedMode store_mode_: 1;
   HValue* new_space_dominator_;
 };