[turbofan] Properly handle dictionary maps in the prototype chain.

src/compiler/js-native-context-specialization.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-native-context-specialization.h"
 
 #include "src/accessors.h"
 #include "src/code-factory.h"
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
@@ skipping 207 matching lines @@
       this_effect =
           (this_control_count == 1)
               ? this_effects.front()
               : graph()->NewNode(common()->EffectPhi(this_control_count),
                                  this_effect_count, &this_effects.front());
     }
 
     // Determine actual holder and perform prototype chain checks.
     Handle<JSObject> holder;
     if (access_info.holder().ToHandle(&holder)) {
-      AssumePrototypesStable(receiver_type, native_context, holder);
+      this_effect = CheckPrototypeMaps(receiver_type, native_context, holder,
+                                       this_effect, this_control);
     }
 
     // Generate the actual property access.
     if (access_info.IsNotFound()) {
       DCHECK_EQ(AccessMode::kLoad, access_mode);
       this_value = jsgraph()->UndefinedConstant();
     } else if (access_info.IsDataConstant()) {
       this_value = jsgraph()->Constant(access_info.constant());
       if (access_mode == AccessMode::kStore) {
         Node* check = graph()->NewNode(
@@ skipping 422 matching lines @@
       // observable by JavaScript.
       this_effect = graph()->NewNode(common()->Checkpoint(), frame_state,
                                      this_effect, this_control);
     }
 
     // Certain stores need a prototype chain check because shape changes
     // could allow callbacks on elements in the prototype chain that are
     // not compatible with (monomorphic) keyed stores.
     Handle<JSObject> holder;
     if (access_info.holder().ToHandle(&holder)) {
-      AssumePrototypesStable(receiver_type, native_context, holder);
+      this_effect = CheckPrototypeMaps(receiver_type, native_context, holder,
+                                       this_effect, this_control);
     }
 
     // TODO(bmeurer): We currently specialize based on elements kind. We should
     // also be able to properly support strings and other JSObjects here.
     ElementsKind elements_kind = access_info.elements_kind();
 
     // Load the elements for the {receiver}.
     Node* this_elements = this_effect = graph()->NewNode(
         simplified()->LoadField(AccessBuilder::ForJSObjectElements()),
         this_receiver, this_effect, this_control);
@@ skipping 64 matching lines @@
           elements_kind == FAST_HOLEY_SMI_ELEMENTS) {
         // Perform the hole check on the result.
         CheckTaggedHoleMode mode = CheckTaggedHoleMode::kNeverReturnHole;
         // Check if we are allowed to turn the hole into undefined.
         Type* initial_holey_array_type = Type::Class(
             handle(isolate()->get_initial_js_array_map(elements_kind)),
             graph()->zone());
         if (receiver_type->NowIs(initial_holey_array_type) &&
             isolate()->IsFastArrayConstructorPrototypeChainIntact()) {
           // Add a code dependency on the array protector cell.
-          AssumePrototypesStable(receiver_type, native_context,
-                                 isolate()->initial_object_prototype());
+          this_effect = CheckPrototypeMaps(
+              receiver_type, native_context,
+              isolate()->initial_object_prototype(), this_effect, this_control);
           dependencies()->AssumePropertyCell(factory()->array_protector());
           // Turn the hole into undefined.
           mode = CheckTaggedHoleMode::kConvertHoleToUndefined;
         }
         this_value = this_effect =
             graph()->NewNode(simplified()->CheckTaggedHole(mode), this_value,
                              this_effect, this_control);
       } else if (elements_kind == FAST_HOLEY_DOUBLE_ELEMENTS) {
         // Perform the hole check on the result.
         CheckFloat64HoleMode mode = CheckFloat64HoleMode::kNeverReturnHole;
         // Check if we are allowed to return the hole directly.
         Type* initial_holey_array_type = Type::Class(
             handle(isolate()->get_initial_js_array_map(elements_kind)),
             graph()->zone());
         if (receiver_type->NowIs(initial_holey_array_type) &&
             isolate()->IsFastArrayConstructorPrototypeChainIntact()) {
           // Add a code dependency on the array protector cell.
-          AssumePrototypesStable(receiver_type, native_context,
-                                 isolate()->initial_object_prototype());
+          this_effect = CheckPrototypeMaps(
+              receiver_type, native_context,
+              isolate()->initial_object_prototype(), this_effect, this_control);
           dependencies()->AssumePropertyCell(factory()->array_protector());
           // Return the signaling NaN hole directly if all uses are truncating.
           mode = CheckFloat64HoleMode::kAllowReturnHole;
         }
         this_value = this_effect =
             graph()->NewNode(simplified()->CheckFloat64Hole(mode), this_value,
                              this_effect, this_control);
       }
     } else {
       DCHECK_EQ(AccessMode::kStore, access_mode);
@@ skipping 162 matching lines @@
   KeyedStoreICNexus nexus(p.feedback().vector(), p.feedback().slot());
 
   // Extract the keyed access store mode from the KEYED_STORE_IC.
   KeyedAccessStoreMode store_mode = nexus.GetKeyedAccessStoreMode();
 
   // Try to lower the keyed access based on the {nexus}.
   return ReduceKeyedAccess(node, index, value, nexus, AccessMode::kStore,
                            p.language_mode(), store_mode);
 }
 
-
-void JSNativeContextSpecialization::AssumePrototypesStable(
+Node* JSNativeContextSpecialization::CheckPrototypeMaps(
     Type* receiver_type, Handle<Context> native_context,
-    Handle<JSObject> holder) {
+    Handle<JSObject> holder, Node* effect, Node* control) {
   // Determine actual holder and perform prototype chain checks.
   for (auto i = receiver_type->Classes(); !i.Done(); i.Advance()) {
     Handle<Map> map = i.Current();
     // Perform the implicit ToObject for primitives here.
     // Implemented according to ES6 section 7.3.2 GetV (V, P).
     Handle<JSFunction> constructor;
     if (Map::GetConstructorFunction(map, native_context)
             .ToHandle(&constructor)) {
       map = handle(constructor->initial_map(), isolate());
     }
-    dependencies()->AssumePrototypeMapsStable(map, holder);
+    for (PrototypeIterator j(map); !j.IsAtEnd(); j.Advance()) {
+      Handle<JSReceiver> const current =
+          PrototypeIterator::GetCurrent<JSReceiver>(j);
+      Handle<Map> current_map(current->map(), isolate());
+      if (current_map->is_stable()) {
+        dependencies()->AssumeMapStable(current_map);
+      } else {
+        // TODO(bmeurer): Introduce a dedicated CheckMaps operator.
+        Node* prototype = jsgraph()->HeapConstant(current);
+        Node* prototype_map = effect =
+            graph()->NewNode(simplified()->LoadField(AccessBuilder::ForMap()),
+                             prototype, effect, control);
+        Node* check = graph()->NewNode(
+            simplified()->ReferenceEqual(Type::Internal()), prototype_map,
+            jsgraph()->HeapConstant(current_map));
+        effect =
+            graph()->NewNode(simplified()->CheckIf(), check, effect, control);
+      }
+      if (holder.is_identical_to(current)) break;
+    }
   }
+  return effect;
 }
 
 bool JSNativeContextSpecialization::ExtractReceiverMaps(
     Node* receiver, Node* effect, FeedbackNexus const& nexus,
     MapHandleList* receiver_maps) {
   DCHECK_EQ(0, receiver_maps->length());
   // See if we can infer a concrete type for the {receiver}.
   Handle<Map> receiver_map;
   if (InferReceiverMap(receiver, effect).ToHandle(&receiver_map)) {
     // We can assume that the {receiver} still has the infered {receiver_map}.
@@ skipping 106 matching lines @@
 }
 
 
 SimplifiedOperatorBuilder* JSNativeContextSpecialization::simplified() const {
   return jsgraph()->simplified();
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8