Revert "Speed up the LookupIterator"

src/lookup.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/lookup.h"
 
 #include "src/bootstrapper.h"
 #include "src/deoptimizer.h"
 #include "src/elements.h"
 #include "src/field-type.h"
@@ skipping 27 matching lines @@
     LookupIterator it(isolate, receiver, index, configuration);
     // Here we try to avoid having to rebuild the string later
     // by storing it on the indexed LookupIterator.
     it.name_ = name;
     return it;
   }
 
   return LookupIterator(receiver, name, configuration);
 }
 
-template <bool is_element>
-void LookupIterator::Start() {
-  DisallowHeapAllocation no_gc;
-
-  has_property_ = false;
-  state_ = NOT_FOUND;
-  number_ = DescriptorArray::kNotFound;
-  holder_ = initial_holder_;
-
-  JSReceiver* holder = *holder_;
-  Map* map = holder->map();
-
-  state_ = LookupInHolder<is_element>(map, holder);
-  if (IsFound()) return;
-
-  NextInternal<is_element>(map, holder);
-}
-
-template void LookupIterator::Start<true>();
-template void LookupIterator::Start<false>();
 
 void LookupIterator::Next() {
   DCHECK_NE(JSPROXY, state_);
   DCHECK_NE(TRANSITION, state_);
   DisallowHeapAllocation no_gc;
   has_property_ = false;
 
   JSReceiver* holder = *holder_;
   Map* map = holder->map();
 
-  if (map->instance_type() <= LAST_SPECIAL_RECEIVER_TYPE) {
-    state_ = IsElement() ? LookupInSpecialHolder<true>(map, holder)
-                         : LookupInSpecialHolder<false>(map, holder);
-    if (IsFound()) return;
-  }
+  // Perform lookup on current holder.
+  state_ = LookupInHolder(map, holder);
+  if (IsFound()) return;
 
-  IsElement() ? NextInternal<true>(map, holder)
-              : NextInternal<false>(map, holder);
-}
-
-template <bool is_element>
-void LookupIterator::NextInternal(Map* map, JSReceiver* holder) {
+  // Continue lookup if lookup on current holder failed.
   do {
     JSReceiver* maybe_holder = NextHolder(map);
     if (maybe_holder == nullptr) {
       if (interceptor_state_ == InterceptorState::kSkipNonMasking) {
-        RestartLookupForNonMaskingInterceptors<is_element>();
+        RestartLookupForNonMaskingInterceptors();
         return;
       }
-      if (holder != *holder_) holder_ = handle(holder, isolate_);
-      return;
+      break;
     }
     holder = maybe_holder;
     map = holder->map();
-    state_ = LookupInHolder<is_element>(map, holder);
+    state_ = LookupInHolder(map, holder);
   } while (!IsFound());
 
-  holder_ = handle(holder, isolate_);
+  if (holder != *holder_) holder_ = handle(holder, isolate_);
 }
 
-template <bool is_element>
+
 void LookupIterator::RestartInternal(InterceptorState interceptor_state) {
+  state_ = NOT_FOUND;
   interceptor_state_ = interceptor_state;
   property_details_ = PropertyDetails::Empty();
-  Start<is_element>();
+  holder_ = initial_holder_;
+  number_ = DescriptorArray::kNotFound;
+  Next();
 }
 
-template void LookupIterator::RestartInternal<true>(InterceptorState);
-template void LookupIterator::RestartInternal<false>(InterceptorState);
 
 // static
 Handle<JSReceiver> LookupIterator::GetRootForNonJSReceiver(
     Isolate* isolate, Handle<Object> receiver, uint32_t index) {
   // Strings are the only objects with properties (only elements) directly on
   // the wrapper. Hence we can skip generating the wrapper for all other cases.
   if (index != kMaxUInt32 && receiver->IsString() &&
       index < static_cast<uint32_t>(String::cast(*receiver)->length())) {
     // TODO(verwaest): Speed this up. Perhaps use a cached wrapper on the native
     // context, ensuring that we don't leak it into JS?
     Handle<JSFunction> constructor = isolate->string_function();
     Handle<JSObject> result = isolate->factory()->NewJSObject(constructor);
     Handle<JSValue>::cast(result)->set_value(*receiver);
     return result;
   }
   auto root = handle(receiver->GetRootMap(isolate)->prototype(), isolate);
   if (root->IsNull()) {
     unsigned int magic = 0xbbbbbbbb;
     isolate->PushStackTraceAndDie(magic, *receiver, NULL, magic);
   }
   return Handle<JSReceiver>::cast(root);
 }
 
 
 Handle<Map> LookupIterator::GetReceiverMap() const {
   if (receiver_->IsNumber()) return factory()->heap_number_map();
   return handle(Handle<HeapObject>::cast(receiver_)->map(), isolate_);
 }
 
+
+Handle<JSObject> LookupIterator::GetStoreTarget() const {
+  if (receiver_->IsJSGlobalProxy()) {
+    Object* prototype = JSGlobalProxy::cast(*receiver_)->map()->prototype();
+    if (!prototype->IsNull()) {
+      return handle(JSGlobalObject::cast(prototype), isolate_);
+    }
+  }
+  return Handle<JSObject>::cast(receiver_);
+}
+
+
 bool LookupIterator::HasAccess() const {
   DCHECK_EQ(ACCESS_CHECK, state_);
   return isolate_->MayAccess(handle(isolate_->context()),
                              GetHolder<JSObject>());
 }
 
-template <bool is_element>
+
 void LookupIterator::ReloadPropertyInformation() {
   state_ = BEFORE_PROPERTY;
   interceptor_state_ = InterceptorState::kUninitialized;
-  state_ = LookupInHolder<is_element>(holder_->map(), *holder_);
+  state_ = LookupInHolder(holder_->map(), *holder_);
   DCHECK(IsFound() || !holder_->HasFastProperties());
 }
 
 bool LookupIterator::HolderIsInContextIndex(uint32_t index) const {
   DisallowHeapAllocation no_gc;
 
   Object* context = heap()->native_contexts_list();
   while (!context->IsUndefined()) {
     Context* current_context = Context::cast(context);
     if (current_context->get(index) == *holder_) {
       return true;
     }
     context = current_context->get(Context::NEXT_CONTEXT_LINK);
   }
   return false;
 }
 
-void LookupIterator::InternalUpdateProtector() {
+void LookupIterator::UpdateProtector() {
+  if (!FLAG_harmony_species) return;
+
+  if (IsElement()) return;
   if (isolate_->bootstrapper()->IsActive()) return;
   if (!isolate_->IsArraySpeciesLookupChainIntact()) return;
 
-  if (*name_ == heap()->constructor_string()) {
+  if (*name_ == *isolate_->factory()->constructor_string()) {
     // Setting the constructor property could change an instance's @@species
     if (holder_->IsJSArray()) {
       isolate_->CountUsage(
           v8::Isolate::UseCounterFeature::kArrayInstanceConstructorModified);
       isolate_->InvalidateArraySpeciesProtector();
     } else if (holder_->map()->is_prototype_map()) {
       // Setting the constructor of Array.prototype of any realm also needs
       // to invalidate the species protector
       if (HolderIsInContextIndex(Context::INITIAL_ARRAY_PROTOTYPE_INDEX)) {
         isolate_->CountUsage(v8::Isolate::UseCounterFeature::
                                  kArrayPrototypeConstructorModified);
         isolate_->InvalidateArraySpeciesProtector();
       }
     }
-  } else if (*name_ == heap()->species_symbol()) {
+  } else if (*name_ == *isolate_->factory()->species_symbol()) {
     // Setting the Symbol.species property of any Array constructor invalidates
     // the species protector
     if (HolderIsInContextIndex(Context::ARRAY_FUNCTION_INDEX)) {
       isolate_->CountUsage(
           v8::Isolate::UseCounterFeature::kArraySpeciesModified);
       isolate_->InvalidateArraySpeciesProtector();
     }
   }
 }
 
@@ skipping 29 matching lines @@
   if (old_map.is_identical_to(new_map)) {
     // Update the property details if the representation was None.
     if (representation().IsNone()) {
       property_details_ =
           new_map->instance_descriptors()->GetDetails(descriptor_number());
     }
     return;
   }
 
   JSObject::MigrateToMap(holder, new_map);
-  ReloadPropertyInformation<false>();
+  ReloadPropertyInformation();
 }
 
 
 void LookupIterator::ReconfigureDataProperty(Handle<Object> value,
                                              PropertyAttributes attributes) {
   DCHECK(state_ == DATA || state_ == ACCESSOR);
   DCHECK(HolderIsReceiverOrHiddenPrototype());
   Handle<JSObject> holder = GetHolder<JSObject>();
   if (IsElement()) {
     DCHECK(!holder->HasFixedTypedArrayElements());
     DCHECK(attributes != NONE || !holder->HasFastElements());
     Handle<FixedArrayBase> elements(holder->elements());
     holder->GetElementsAccessor()->Reconfigure(holder, elements, number_, value,
                                                attributes);
-    ReloadPropertyInformation<true>();
+  } else if (!holder->HasFastProperties()) {
+    PropertyDetails details(attributes, v8::internal::DATA, 0,
+                            PropertyCellType::kMutable);
+    JSObject::SetNormalizedProperty(holder, name(), value, details);
   } else {
-    if (!holder->HasFastProperties()) {
-      PropertyDetails details(attributes, v8::internal::DATA, 0,
-                              PropertyCellType::kMutable);
-      JSObject::SetNormalizedProperty(holder, name(), value, details);
-    } else {
-      Handle<Map> old_map(holder->map(), isolate_);
-      Handle<Map> new_map = Map::ReconfigureExistingProperty(
-          old_map, descriptor_number(), i::kData, attributes);
-      new_map =
-          Map::PrepareForDataProperty(new_map, descriptor_number(), value);
-      JSObject::MigrateToMap(holder, new_map);
-    }
-    ReloadPropertyInformation<false>();
+    Handle<Map> old_map(holder->map(), isolate_);
+    Handle<Map> new_map = Map::ReconfigureExistingProperty(
+        old_map, descriptor_number(), i::kData, attributes);
+    new_map = Map::PrepareForDataProperty(new_map, descriptor_number(), value);
+    JSObject::MigrateToMap(holder, new_map);
   }
 
+  ReloadPropertyInformation();
   WriteDataValue(value);
 
 #if VERIFY_HEAP
   if (FLAG_verify_heap) {
     holder->JSObjectVerify();
   }
 #endif
 }
 
 // Can only be called when the receiver is a JSObject. JSProxy has to be handled
@@ skipping 47 matching lines @@
   Handle<Map> transition = transition_map();
   bool simple_transition = transition->GetBackPointer() == receiver->map();
   JSObject::MigrateToMap(receiver, transition);
 
   if (simple_transition) {
     int number = transition->LastAdded();
     number_ = static_cast<uint32_t>(number);
     property_details_ = transition->GetLastDescriptorDetails();
     state_ = DATA;
   } else {
-    ReloadPropertyInformation<false>();
+    ReloadPropertyInformation();
   }
 }
 
 
 void LookupIterator::Delete() {
   Handle<JSReceiver> holder = Handle<JSReceiver>::cast(holder_);
   if (IsElement()) {
     Handle<JSObject> object = Handle<JSObject>::cast(holder);
     ElementsAccessor* accessor = object->GetElementsAccessor();
     accessor->Delete(object, number_);
   } else {
     PropertyNormalizationMode mode = holder->map()->is_prototype_map()
                                          ? KEEP_INOBJECT_PROPERTIES
                                          : CLEAR_INOBJECT_PROPERTIES;
 
     if (holder->HasFastProperties()) {
       JSObject::NormalizeProperties(Handle<JSObject>::cast(holder), mode, 0,
                                     "DeletingProperty");
-      ReloadPropertyInformation<false>();
+      ReloadPropertyInformation();
     }
     // TODO(verwaest): Get rid of the name_ argument.
     JSReceiver::DeleteNormalizedProperty(holder, name_, number_);
     if (holder->IsJSObject()) {
       JSObject::ReoptimizeIfPrototype(Handle<JSObject>::cast(holder));
     }
   }
   state_ = NOT_FOUND;
 }
 
 
 void LookupIterator::TransitionToAccessorProperty(
     AccessorComponent component, Handle<Object> accessor,
     PropertyAttributes attributes) {
   DCHECK(!accessor->IsNull());
   // Can only be called when the receiver is a JSObject. JSProxy has to be
   // handled via a trap. Adding properties to primitive values is not
   // observable.
   Handle<JSObject> receiver = GetStoreTarget();
 
   if (!IsElement() && !receiver->map()->is_dictionary_map()) {
     holder_ = receiver;
     Handle<Map> old_map(receiver->map(), isolate_);
     Handle<Map> new_map = Map::TransitionToAccessorProperty(
         old_map, name_, component, accessor, attributes);
     JSObject::MigrateToMap(receiver, new_map);
 
-    ReloadPropertyInformation<false>();
+    ReloadPropertyInformation();
 
     if (!new_map->is_dictionary_map()) return;
   }
 
   Handle<AccessorPair> pair;
   if (state() == ACCESSOR && GetAccessors()->IsAccessorPair()) {
     pair = Handle<AccessorPair>::cast(GetAccessors());
     // If the component and attributes are identical, nothing has to be done.
     if (pair->get(component) == *accessor) {
       if (property_details().attributes() == attributes) return;
@@ skipping 39 matching lines @@
     if (receiver->HasSlowArgumentsElements()) {
       FixedArray* parameter_map = FixedArray::cast(receiver->elements());
       uint32_t length = parameter_map->length() - 2;
       if (number_ < length) {
         parameter_map->set(number_ + 2, heap()->the_hole_value());
       }
       FixedArray::cast(receiver->elements())->set(1, *dictionary);
     } else {
       receiver->set_elements(*dictionary);
     }
-
-    ReloadPropertyInformation<true>();
   } else {
     PropertyNormalizationMode mode = receiver->map()->is_prototype_map()
                                          ? KEEP_INOBJECT_PROPERTIES
                                          : CLEAR_INOBJECT_PROPERTIES;
     // Normalize object to make this operation simple.
     JSObject::NormalizeProperties(receiver, mode, 0,
                                   "TransitionToAccessorPair");
 
     JSObject::SetNormalizedProperty(receiver, name_, pair, details);
     JSObject::ReoptimizeIfPrototype(receiver);
+  }
 
-    ReloadPropertyInformation<false>();
-  }
+  ReloadPropertyInformation();
 }
 
 
 bool LookupIterator::HolderIsReceiverOrHiddenPrototype() const {
   DCHECK(has_property_ || state_ == INTERCEPTOR || state_ == JSPROXY);
   // Optimization that only works if configuration_ is not mutable.
   if (!check_prototype_chain()) return true;
   DisallowHeapAllocation no_gc;
   if (*receiver_ == *holder_) return true;
   if (!receiver_->IsJSReceiver()) return false;
@@ skipping 119 matching lines @@
         handle(JSObject::cast(*holder)->global_dictionary());
     PropertyCell::UpdateCell(property_dictionary, dictionary_entry(), value,
                              property_details_);
   } else {
     NameDictionary* property_dictionary = holder->property_dictionary();
     property_dictionary->ValueAtPut(dictionary_entry(), *value);
   }
 }
 
 
+bool LookupIterator::HasInterceptor(Map* map) const {
+  if (IsElement()) return map->has_indexed_interceptor();
+  return map->has_named_interceptor();
+}
+
+
 bool LookupIterator::SkipInterceptor(JSObject* holder) {
   auto info = GetInterceptor(holder);
   // TODO(dcarney): check for symbol/can_intercept_symbols here as well.
   if (info->non_masking()) {
     switch (interceptor_state_) {
       case InterceptorState::kUninitialized:
         interceptor_state_ = InterceptorState::kSkipNonMasking;
       // Fall through.
       case InterceptorState::kSkipNonMasking:
         return true;
       case InterceptorState::kProcessNonMasking:
         return false;
     }
   }
   return interceptor_state_ == InterceptorState::kProcessNonMasking;
 }
 
+
 JSReceiver* LookupIterator::NextHolder(Map* map) {
   DisallowHeapAllocation no_gc;
-  if (map->prototype() == heap()->null_value()) return NULL;
+  if (!map->prototype()->IsJSReceiver()) return NULL;
 
   DCHECK(!map->IsJSGlobalProxyMap() || map->has_hidden_prototype());
 
   if (!check_prototype_chain() &&
       !(check_hidden() && map->has_hidden_prototype()) &&
       // Always lookup behind the JSGlobalProxy into the JSGlobalObject, even
       // when not checking other hidden prototypes.
       !map->IsJSGlobalProxyMap()) {
     return NULL;
   }
 
   return JSReceiver::cast(map->prototype());
 }
 
 LookupIterator::State LookupIterator::NotFound(JSReceiver* const holder) const {
   DCHECK(!IsElement());
   if (!holder->IsJSTypedArray() || !name_->IsString()) return NOT_FOUND;
 
   Handle<String> name_string = Handle<String>::cast(name_);
   if (name_string->length() == 0) return NOT_FOUND;
 
   return IsSpecialIndex(isolate_->unicode_cache(), *name_string)
              ? INTEGER_INDEXED_EXOTIC
              : NOT_FOUND;
 }
 
-namespace {
-
-template <bool is_element>
-bool HasInterceptor(Map* map) {
-  return is_element ? map->has_indexed_interceptor()
-                    : map->has_named_interceptor();
-}
-
-}  // namespace
-
-template <bool is_element>
-LookupIterator::State LookupIterator::LookupInSpecialHolder(
-    Map* const map, JSReceiver* const holder) {
+LookupIterator::State LookupIterator::LookupInHolder(Map* const map,
+                                                     JSReceiver* const holder) {
   STATIC_ASSERT(INTERCEPTOR == BEFORE_PROPERTY);
+  DisallowHeapAllocation no_gc;
+  if (interceptor_state_ == InterceptorState::kProcessNonMasking) {
+    return LookupNonMaskingInterceptorInHolder(map, holder);
+  }
   switch (state_) {
     case NOT_FOUND:
       if (map->IsJSProxyMap()) {
-        if (is_element || !name_->IsPrivate()) return JSPROXY;
+        if (IsElement() || !name_->IsPrivate()) return JSPROXY;
       }
       if (map->is_access_check_needed()) {
-        if (is_element || !name_->IsPrivate()) return ACCESS_CHECK;
+        if (IsElement() || !name_->IsPrivate()) return ACCESS_CHECK;
       }
     // Fall through.
     case ACCESS_CHECK:
-      if (check_interceptor() && HasInterceptor<is_element>(map) &&
+      if (check_interceptor() && HasInterceptor(map) &&
           !SkipInterceptor(JSObject::cast(holder))) {
-        if (is_element || !name_->IsPrivate()) return INTERCEPTOR;
+        if (IsElement() || !name_->IsPrivate()) return INTERCEPTOR;
       }
     // Fall through.
     case INTERCEPTOR:
-      if (!is_element && map->IsJSGlobalObjectMap()) {
+      if (IsElement()) {
+        JSObject* js_object = JSObject::cast(holder);
+        ElementsAccessor* accessor = js_object->GetElementsAccessor();
+        FixedArrayBase* backing_store = js_object->elements();
+        number_ = accessor->GetEntryForIndex(js_object, backing_store, index_);
+        if (number_ == kMaxUInt32) {
+          return holder->IsJSTypedArray() ? INTEGER_INDEXED_EXOTIC : NOT_FOUND;
+        }
+        property_details_ = accessor->GetDetails(js_object, number_);
+      } else if (!map->is_dictionary_map()) {
+        DescriptorArray* descriptors = map->instance_descriptors();
+        int number = descriptors->SearchWithCache(isolate_, *name_, map);
+        if (number == DescriptorArray::kNotFound) return NotFound(holder);
+        number_ = static_cast<uint32_t>(number);
+        property_details_ = descriptors->GetDetails(number_);
+      } else if (map->IsJSGlobalObjectMap()) {
         GlobalDictionary* dict = JSObject::cast(holder)->global_dictionary();
         int number = dict->FindEntry(name_);
         if (number == GlobalDictionary::kNotFound) return NOT_FOUND;
         number_ = static_cast<uint32_t>(number);
         DCHECK(dict->ValueAt(number_)->IsPropertyCell());
         PropertyCell* cell = PropertyCell::cast(dict->ValueAt(number_));
         if (cell->value()->IsTheHole()) return NOT_FOUND;
         property_details_ = cell->property_details();
-        has_property_ = true;
-        switch (property_details_.kind()) {
-          case v8::internal::kData:
-            return DATA;
-          case v8::internal::kAccessor:
-            return ACCESSOR;
-        }
+      } else {
+        NameDictionary* dict = holder->property_dictionary();
+        int number = dict->FindEntry(name_);
+        if (number == NameDictionary::kNotFound) return NotFound(holder);
+        number_ = static_cast<uint32_t>(number);
+        property_details_ = dict->DetailsAt(number_);
       }
-      return LookupInRegularHolder<is_element>(map, holder);
+      has_property_ = true;
+      switch (property_details_.kind()) {
+        case v8::internal::kData:
+          return DATA;
+        case v8::internal::kAccessor:
+          return ACCESSOR;
+      }
     case ACCESSOR:
     case DATA:
       return NOT_FOUND;
     case INTEGER_INDEXED_EXOTIC:
     case JSPROXY:
     case TRANSITION:
       UNREACHABLE();
   }
   UNREACHABLE();
-  return NOT_FOUND;
+  return state_;
 }
 
-template <bool is_element>
-LookupIterator::State LookupIterator::LookupInRegularHolder(
+
+LookupIterator::State LookupIterator::LookupNonMaskingInterceptorInHolder(
     Map* const map, JSReceiver* const holder) {
-  DisallowHeapAllocation no_gc;
-  if (interceptor_state_ == InterceptorState::kProcessNonMasking) {
-    return NOT_FOUND;
+  switch (state_) {
+    case NOT_FOUND:
+      if (check_interceptor() && HasInterceptor(map) &&
+          !SkipInterceptor(JSObject::cast(holder))) {
+        return INTERCEPTOR;
+      }
+    // Fall through.
+    default:
+      return NOT_FOUND;
   }
-
-  if (is_element) {
-    JSObject* js_object = JSObject::cast(holder);
-    ElementsAccessor* accessor = js_object->GetElementsAccessor();
-    FixedArrayBase* backing_store = js_object->elements();
-    number_ = accessor->GetEntryForIndex(js_object, backing_store, index_);
-    if (number_ == kMaxUInt32) {
-      return holder->IsJSTypedArray() ? INTEGER_INDEXED_EXOTIC : NOT_FOUND;
-    }
-    property_details_ = accessor->GetDetails(js_object, number_);
-  } else if (!map->is_dictionary_map()) {
-    DescriptorArray* descriptors = map->instance_descriptors();
-    int number = descriptors->SearchWithCache(isolate_, *name_, map);
-    if (number == DescriptorArray::kNotFound) return NotFound(holder);
-    number_ = static_cast<uint32_t>(number);
-    property_details_ = descriptors->GetDetails(number_);
-  } else {
-    NameDictionary* dict = holder->property_dictionary();
-    int number = dict->FindEntry(name_);
-    if (number == NameDictionary::kNotFound) return NotFound(holder);
-    number_ = static_cast<uint32_t>(number);
-    property_details_ = dict->DetailsAt(number_);
-  }
-  has_property_ = true;
-  switch (property_details_.kind()) {
-    case v8::internal::kData:
-      return DATA;
-    case v8::internal::kAccessor:
-      return ACCESSOR;
-  }
-
   UNREACHABLE();
   return state_;
 }
 
 }  // namespace internal
 }  // namespace v8