[KeyedLoadIC] Support Smi "handlers" for simple field loads

src/code-stub-assembler.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/code-stub-assembler.h"
 #include "src/code-factory.h"
 #include "src/frames-inl.h"
 #include "src/frames.h"
 #include "src/ic/stub-cache.h"
 
@@ skipping 2398 matching lines @@
   };
   // clang-format on
   STATIC_ASSERT(arraysize(values) == arraysize(labels));
   Switch(elements_kind, if_bailout, values, labels, arraysize(values));
 
   Bind(&if_isobjectorsmi);
   {
     Node* elements = LoadElements(object);
     Node* length = LoadFixedArrayBaseLength(elements);
 
-    GotoIf(Int32GreaterThanOrEqual(index, SmiToWord32(length)), if_not_found);
+    GotoUnless(Uint32LessThan(index, SmiToWord32(length)), if_not_found);

[Jakob Kummerow, 2016/07/26 14:43:28]

Drive-by fix: bounds checks should use unsigned comparisons. This isn't
currently a bug because callers are careful enough, but it's better to be robust
here.

[Igor Sheludko, 2016/07/26 16:25:11]

Acknowledged.

 
     Node* element = LoadFixedArrayElement(elements, index);
     Node* the_hole = TheHoleConstant();
     Branch(WordEqual(element, the_hole), if_not_found, if_found);
   }
   Bind(&if_isdouble);
   {
     Node* elements = LoadElements(object);
     Node* length = LoadFixedArrayBaseLength(elements);
 
-    GotoIf(Int32GreaterThanOrEqual(index, SmiToWord32(length)), if_not_found);
+    GotoUnless(Uint32LessThan(index, SmiToWord32(length)), if_not_found);
 
     if (kPointerSize == kDoubleSize) {
       Node* element =
           LoadFixedDoubleArrayElement(elements, index, MachineType::Uint64());
       Node* the_hole = Int64Constant(kHoleNanInt64);
       Branch(Word64Equal(element, the_hole), if_not_found, if_found);
     } else {
       Node* element_upper =
           LoadFixedDoubleArrayElement(elements, index, MachineType::Uint32(),
                                       kIeeeDoubleExponentWordOffset);
       Branch(Word32Equal(element_upper, Int32Constant(kHoleNanUpper32)),
              if_not_found, if_found);
     }
   }
   Bind(&if_isdictionary);
   {
     Variable var_entry(this, MachineRepresentation::kWord32);
     Node* elements = LoadElements(object);
     NumberDictionaryLookup<SeededNumberDictionary>(elements, index, if_found,
                                                    &var_entry, if_not_found);
   }
   Bind(&if_isfaststringwrapper);
   {
     AssertInstanceType(object, JS_VALUE_TYPE);
     Node* string = LoadJSValueValue(object);
     Assert(Int32LessThan(LoadInstanceType(string),
                          Int32Constant(FIRST_NONSTRING_TYPE)));
     Node* length = LoadStringLength(string);
-    GotoIf(Int32LessThan(index, SmiToWord32(length)), if_found);
+    GotoIf(Uint32LessThan(index, SmiToWord32(length)), if_found);
     Goto(&if_isobjectorsmi);
   }
   Bind(&if_isslowstringwrapper);
   {
     AssertInstanceType(object, JS_VALUE_TYPE);
     Node* string = LoadJSValueValue(object);
     Assert(Int32LessThan(LoadInstanceType(string),
                          Int32Constant(FIRST_NONSTRING_TYPE)));
     Node* length = LoadStringLength(string);
-    GotoIf(Int32LessThan(index, SmiToWord32(length)), if_found);
+    GotoIf(Uint32LessThan(index, SmiToWord32(length)), if_found);
     Goto(&if_isdictionary);
   }
 }
 
 // Instantiate template methods to workaround GCC compilation issue.
 template void CodeStubAssembler::NumberDictionaryLookup<SeededNumberDictionary>(
     Node*, Node*, Label*, Variable*, Label*);
 template void CodeStubAssembler::NumberDictionaryLookup<
     UnseededNumberDictionary>(Node*, Node*, Label*, Variable*, Label*);
 
@@ skipping 490 matching lines @@
                            receiver_map, if_handler, var_handler, &miss);
   }
 
   Bind(&miss);
   {
     IncrementCounter(counters->megamorphic_stub_cache_misses(), 1);
     Goto(if_miss);
   }
 }
 
+void CodeStubAssembler::HaveLoadICHandler(const LoadICParameters* p,
+                                          Node* handler, Label* miss) {
+  Comment("have_handler");
+  Label call_handler(this);
+  GotoUnless(WordIsSmi(handler), &call_handler);
+
+  // |handler| is a Smi. It encodes a field index as obtained by
+  // FieldIndex.GetLoadByFieldOffset().
+  // TODO(jkummerow): For KeyedLoadICs, extend this scheme to encode
+  // fast *element* loads.
+  {
+    Variable var_double_value(this, MachineRepresentation::kFloat64);
+    Label rebox_double(this, &var_double_value);
+
+    Node* handler_word = SmiUntag(handler);
+    // |handler_word| is a field index as obtained by
+    // FieldIndex.GetLoadByFieldOffset():
+    // (offset << 3) | (is_double << 2) | (is_inobject << 1) | 1.
+    Label inobject_double(this), out_of_object(this),
+        out_of_object_double(this);
+    Node* inobject_bit = WordAnd(handler_word, IntPtrConstant(1 << 1));
+    Node* double_bit = WordAnd(handler_word, IntPtrConstant(1 << 2));
+    Node* offset = WordSar(handler_word, IntPtrConstant(3));
+
+    GotoIf(WordEqual(inobject_bit, IntPtrConstant(0)), &out_of_object);
+
+    GotoUnless(WordEqual(double_bit, IntPtrConstant(0)), &inobject_double);
+    Return(LoadObjectField(p->receiver, offset));
+
+    Bind(&inobject_double);
+    if (FLAG_unbox_double_fields) {
+      var_double_value.Bind(
+          LoadObjectField(p->receiver, offset, MachineType::Float64()));
+    } else {
+      Node* mutable_heap_number = LoadObjectField(p->receiver, offset);
+      var_double_value.Bind(LoadHeapNumberValue(mutable_heap_number));
+    }
+    Goto(&rebox_double);
+
+    Bind(&out_of_object);
+    Node* properties = LoadProperties(p->receiver);
+    Node* value = LoadObjectField(properties, offset);
+    GotoUnless(WordEqual(double_bit, IntPtrConstant(0)), &out_of_object_double);
+    Return(value);
+
+    Bind(&out_of_object_double);
+    var_double_value.Bind(LoadHeapNumberValue(value));
+    Goto(&rebox_double);
+
+    Bind(&rebox_double);
+    Return(AllocateHeapNumberWithValue(var_double_value.value()));
+  }
+
+  // |handler| is a heap object. Must be code, call it.
+  Bind(&call_handler);
+  LoadWithVectorDescriptor descriptor(isolate());
+  TailCallStub(descriptor, handler, p->context, p->receiver, p->name, p->slot,
+               p->vector);
+}
+
 void CodeStubAssembler::LoadIC(const LoadICParameters* p) {
   Variable var_handler(this, MachineRepresentation::kTagged);
   // TODO(ishell): defer blocks when it works.
   Label if_handler(this, &var_handler), try_polymorphic(this),
       try_megamorphic(this /*, Label::kDeferred*/),
       miss(this /*, Label::kDeferred*/);
 
   Node* receiver_map = LoadReceiverMap(p->receiver);
 
   // Check monomorphic case.
   Node* feedback = TryMonomorphicCase(p, receiver_map, &if_handler,
                                       &var_handler, &try_polymorphic);
   Bind(&if_handler);
   {
-    Comment("LoadIC_if_handler");
-    Label call_handler(this);
-    Node* handler = var_handler.value();
-    GotoUnless(WordIsSmi(handler), &call_handler);
-
-    // |handler| is a Smi. It encodes a field index as obtained by
-    // FieldIndex.GetLoadByFieldOffset().
-    {
-      Label inobject_double(this), out_of_object(this),
-          out_of_object_double(this);
-      Variable var_double_value(this, MachineRepresentation::kFloat64);
-      Label rebox_double(this, &var_double_value);
-
-      Node* handler_word = SmiToWord32(handler);
-      // handler == (offset << 1) | is_double.
-      Node* double_bit = Word32And(handler_word, Int32Constant(1));
-      Node* offset = Word32Sar(handler_word, Int32Constant(1));
-
-      // Negative index -> out of object.
-      GotoIf(Int32LessThan(offset, Int32Constant(0)), &out_of_object);
-
-      Node* offset_ptr = ChangeInt32ToIntPtr(offset);
-      GotoUnless(Word32Equal(double_bit, Int32Constant(0)), &inobject_double);
-      Return(LoadObjectField(p->receiver, offset_ptr));
-
-      Bind(&inobject_double);
-      if (FLAG_unbox_double_fields) {
-        var_double_value.Bind(
-            LoadObjectField(p->receiver, offset_ptr, MachineType::Float64()));
-      } else {
-        Node* mutable_heap_number = LoadObjectField(p->receiver, offset_ptr);
-        var_double_value.Bind(LoadHeapNumberValue(mutable_heap_number));
-      }
-      Goto(&rebox_double);
-
-      Bind(&out_of_object);
-      // |offset| == -actual_offset
-      offset_ptr = ChangeInt32ToIntPtr(Int32Sub(Int32Constant(0), offset));
-      Node* properties = LoadProperties(p->receiver);
-      Node* value = LoadObjectField(properties, offset_ptr);
-      GotoUnless(Word32Equal(double_bit, Int32Constant(0)),
-                 &out_of_object_double);
-      Return(value);
-
-      Bind(&out_of_object_double);
-      var_double_value.Bind(LoadHeapNumberValue(value));
-      Goto(&rebox_double);
-
-      Bind(&rebox_double);
-      Return(AllocateHeapNumberWithValue(var_double_value.value()));
-    }
-
-    // |handler| is a heap object. Must be code, call it.
-    Bind(&call_handler);
-    LoadWithVectorDescriptor descriptor(isolate());
-    TailCallStub(descriptor, handler, p->context, p->receiver, p->name, p->slot,
-                 p->vector);
+    HaveLoadICHandler(p, var_handler.value(), &miss);
   }
 
   Bind(&try_polymorphic);
   {
     // Check polymorphic case.
     Comment("LoadIC_try_polymorphic");
     GotoUnless(
         WordEqual(LoadMap(feedback), LoadRoot(Heap::kFixedArrayMapRootIndex)),
         &try_megamorphic);
     HandlePolymorphicCase(p, receiver_map, feedback, &if_handler, &var_handler,
@@ skipping 10 matching lines @@
     TryProbeStubCache(isolate()->load_stub_cache(), p->receiver, p->name,
                       &if_handler, &var_handler, &miss);
   }
   Bind(&miss);
   {
     TailCallRuntime(Runtime::kLoadIC_Miss, p->context, p->receiver, p->name,
                     p->slot, p->vector);
   }
 }
 
+void CodeStubAssembler::KeyedLoadIC(const LoadICParameters* p) {
+  Variable var_handler(this, MachineRepresentation::kTagged);
+  // TODO(ishell): defer blocks when it works.
+  Label if_handler(this, &var_handler), try_polymorphic(this),
+      try_megamorphic(this /*, Label::kDeferred*/),
+      try_polymorphic_name(this /*, Label::kDeferred*/),
+      miss(this /*, Label::kDeferred*/);
+
+  Node* receiver_map = LoadReceiverMap(p->receiver);
+
+  // Check monomorphic case.
+  Node* feedback = TryMonomorphicCase(p, receiver_map, &if_handler,
+                                      &var_handler, &try_polymorphic);
+  Bind(&if_handler);
+  {
+    HaveLoadICHandler(p, var_handler.value(), &miss);
+  }
+
+  Bind(&try_polymorphic);
+  {
+    // Check polymorphic case.
+    Comment("KeyedLoadIC_try_polymorphic");
+    GotoUnless(
+        WordEqual(LoadMap(feedback), LoadRoot(Heap::kFixedArrayMapRootIndex)),
+        &try_megamorphic);
+    HandlePolymorphicCase(p, receiver_map, feedback, &if_handler, &var_handler,
+                          &miss, 2);
+  }
+
+  Bind(&try_megamorphic);
+  {
+    // Check megamorphic case.
+    Comment("KeyedLoadIC_try_megamorphic");
+    GotoUnless(
+        WordEqual(feedback, LoadRoot(Heap::kmegamorphic_symbolRootIndex)),
+        &try_polymorphic_name);
+    // TODO(jkummerow): Inline this? Or some of it?
+    TailCallStub(CodeFactory::KeyedLoadIC_Megamorphic(isolate()), p->context,
+                 p->receiver, p->name, p->slot, p->vector);
+  }
+  Bind(&try_polymorphic_name);
+  {
+    // We might have a name in feedback, and a fixed array in the next slot.
+    Comment("KeyedLoadIC_try_polymorphic_name");
+    GotoUnless(WordEqual(feedback, p->name), &miss);
+    // If the name comparison succeeded, we know we have a fixed array with
+    // at least one map/handler pair.
+    Node* offset = ElementOffsetFromIndex(
+        p->slot, FAST_HOLEY_ELEMENTS, SMI_PARAMETERS,
+        FixedArray::kHeaderSize + kPointerSize - kHeapObjectTag);
+    Node* array = Load(MachineType::AnyTagged(), p->vector, offset);
+    HandlePolymorphicCase(p, receiver_map, array, &if_handler, &var_handler,
+                          &miss, 1);
+  }
+  Bind(&miss);
+  {
+    Comment("KeyedLoadIC_miss");
+    TailCallRuntime(Runtime::kKeyedLoadIC_Miss, p->context, p->receiver,
+                    p->name, p->slot, p->vector);
+  }
+}
+
 void CodeStubAssembler::LoadGlobalIC(const LoadICParameters* p) {
   Label try_handler(this), miss(this);
   Node* weak_cell =
       LoadFixedArrayElement(p->vector, p->slot, 0, SMI_PARAMETERS);
   AssertInstanceType(weak_cell, WEAK_CELL_TYPE);
 
   // Load value or try handler case if the {weak_cell} is cleared.
   Node* property_cell = LoadWeakCellValue(weak_cell, &try_handler);
   AssertInstanceType(property_cell, PROPERTY_CELL_TYPE);
 
@@ skipping 87 matching lines @@
     // For all objects but the receiver, check that the cache is empty.
     current_map.Bind(LoadMap(current_js_object.value()));
     Node* enum_length = EnumLength(current_map.value());
     Node* zero_constant = SmiConstant(Smi::FromInt(0));
     BranchIf(WordEqual(enum_length, zero_constant), &loop, use_runtime);
   }
 }
 
 }  // namespace internal
 }  // namespace v8