[turbofan] Remove unnecessary prototype checks for element access.

src/compiler/js-native-context-specialization.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-native-context-specialization.h"
 
 #include "src/accessors.h"
 #include "src/code-factory.h"
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
@@ skipping 563 matching lines @@
               graph()->NewNode(common()->EffectPhi(this_control_count),
                                this_control_count + 1, &this_effects.front());
 
           // TODO(turbofan): The effect/control linearization will not find a
           // FrameState after the EffectPhi that is generated above.
           this_effect = graph()->NewNode(common()->Checkpoint(), frame_state,
                                          this_effect, this_control);
         }
       }
 
-      // Certain stores need a prototype chain check because shape changes
-      // could allow callbacks on elements in the prototype chain that are
-      // not compatible with (monomorphic) keyed stores.
-      Handle<JSObject> holder;
-      if (access_info.holder().ToHandle(&holder)) {
-        AssumePrototypesStable(receiver_maps, native_context, holder);
-      }
-
       // Access the actual element.
       ValueEffectControl continuation = BuildElementAccess(
           this_receiver, this_index, this_value, this_effect, this_control,
           native_context, access_info, access_mode, store_mode);
       values.push_back(continuation.value());
       effects.push_back(continuation.effect());
       controls.push_back(continuation.control());
     }
 
     DCHECK_NULL(fallthrough_control);
@@ skipping 347 matching lines @@
   return kExternalInt8Array;
 }
 
 }  // namespace
 
 JSNativeContextSpecialization::ValueEffectControl
 JSNativeContextSpecialization::BuildElementAccess(
     Node* receiver, Node* index, Node* value, Node* effect, Node* control,
     Handle<Context> native_context, ElementAccessInfo const& access_info,
     AccessMode access_mode, KeyedAccessStoreMode store_mode) {
-  // Determine actual holder and perform prototype chain checks.
-  Handle<JSObject> holder;
-  if (access_info.holder().ToHandle(&holder)) {
-    AssumePrototypesStable(access_info.receiver_maps(), native_context, holder);
-  }
-
   // TODO(bmeurer): We currently specialize based on elements kind. We should
   // also be able to properly support strings and other JSObjects here.
   ElementsKind elements_kind = access_info.elements_kind();
   MapList const& receiver_maps = access_info.receiver_maps();
 
   // Load the elements for the {receiver}.
   Node* elements = effect = graph()->NewNode(
       simplified()->LoadField(AccessBuilder::ForJSObjectElements()), receiver,
       effect, control);
 
@@ skipping 151 matching lines @@
       value = effect =
           graph()->NewNode(simplified()->LoadElement(element_access), elements,
                            index, effect, control);
       // Handle loading from holey backing stores correctly, by either mapping
       // the hole to undefined if possible, or deoptimizing otherwise.
       if (elements_kind == FAST_HOLEY_ELEMENTS ||
           elements_kind == FAST_HOLEY_SMI_ELEMENTS) {
         // Perform the hole check on the result.
         CheckTaggedHoleMode mode = CheckTaggedHoleMode::kNeverReturnHole;
         // Check if we are allowed to turn the hole into undefined.
-        // TODO(bmeurer): We might check the JSArray map from a different
-        // context here; may need reinvestigation.
-        if (receiver_maps.size() == 1 &&
-            receiver_maps[0].is_identical_to(
-                handle(isolate()->get_initial_js_array_map(elements_kind))) &&
-            isolate()->IsFastArrayConstructorPrototypeChainIntact()) {
-          // Add a code dependency on the array protector cell.
-          dependencies()->AssumePrototypeMapsStable(
-              receiver_maps[0], isolate()->initial_object_prototype());
-          dependencies()->AssumePropertyCell(factory()->array_protector());
+        if (CanTreatHoleAsUndefined(receiver_maps, native_context)) {
           // Turn the hole into undefined.
           mode = CheckTaggedHoleMode::kConvertHoleToUndefined;
         }
         value = effect = graph()->NewNode(simplified()->CheckTaggedHole(mode),
                                           value, effect, control);
       } else if (elements_kind == FAST_HOLEY_DOUBLE_ELEMENTS) {
         // Perform the hole check on the result.
         CheckFloat64HoleMode mode = CheckFloat64HoleMode::kNeverReturnHole;
         // Check if we are allowed to return the hole directly.
-        // TODO(bmeurer): We might check the JSArray map from a different
-        // context here; may need reinvestigation.
-        if (receiver_maps.size() == 1 &&
-            receiver_maps[0].is_identical_to(
-                handle(isolate()->get_initial_js_array_map(elements_kind))) &&
-            isolate()->IsFastArrayConstructorPrototypeChainIntact()) {
-          // Add a code dependency on the array protector cell.
-          dependencies()->AssumePrototypeMapsStable(
-              receiver_maps[0], isolate()->initial_object_prototype());
-          dependencies()->AssumePropertyCell(factory()->array_protector());
+        if (CanTreatHoleAsUndefined(receiver_maps, native_context)) {
           // Return the signaling NaN hole directly if all uses are truncating.
           mode = CheckFloat64HoleMode::kAllowReturnHole;
         }
         value = effect = graph()->NewNode(simplified()->CheckFloat64Hole(mode),
                                           value, effect, control);
       }
     } else {
       DCHECK_EQ(AccessMode::kStore, access_mode);
       if (IsFastSmiElementsKind(elements_kind)) {
         value = effect = graph()->NewNode(simplified()->CheckTaggedSigned(),
@@ skipping 76 matching lines @@
     // Implemented according to ES6 section 7.3.2 GetV (V, P).
     Handle<JSFunction> constructor;
     if (Map::GetConstructorFunction(map, native_context)
             .ToHandle(&constructor)) {
       map = handle(constructor->initial_map(), isolate());
     }
     dependencies()->AssumePrototypeMapsStable(map, holder);
   }
 }
 
+bool JSNativeContextSpecialization::CanTreatHoleAsUndefined(
+    std::vector<Handle<Map>> const& receiver_maps,
+    Handle<Context> native_context) {
+  // Check if the array prototype chain is intact.
+  if (!isolate()->IsFastArrayConstructorPrototypeChainIntact()) return false;
+
+  // Make sure both the initial Array and Object prototypes are stable.
+  Handle<JSObject> initial_array_prototype(
+      native_context->initial_array_prototype(), isolate());
+  Handle<JSObject> initial_object_prototype(
+      native_context->initial_object_prototype(), isolate());
+  if (!initial_array_prototype->map()->is_stable() ||
+      !initial_object_prototype->map()->is_stable()) {
+    return false;
+  }
+
+  // Check if all {receiver_maps} either have the initial Array.prototype
+  // or the initial Object.prototype as their prototype, as those are
+  // guarded by the array protector cell.
+  for (Handle<Map> map : receiver_maps) {
+    if (map->prototype() != *initial_array_prototype &&
+        map->prototype() != *initial_object_prototype) {
+      return false;
+    }
+  }
+
+  // Install code dependencies on the prototype maps.
+  for (Handle<Map> map : receiver_maps) {
+    dependencies()->AssumePrototypeMapsStable(map, initial_object_prototype);

[adamk, 2016/08/08 22:02:00]

Are you missing a call for initial_array_prototype here? See
https://bugs.chromium.org/p/v8/issues/detail?id=5275

+  }
+
+  // Install code dependency on the array protector cell.
+  dependencies()->AssumePropertyCell(factory()->array_protector());
+  return true;
+}
+
 bool JSNativeContextSpecialization::ExtractReceiverMaps(
     Node* receiver, Node* effect, FeedbackNexus const& nexus,
     MapHandleList* receiver_maps) {
   DCHECK_EQ(0, receiver_maps->length());
   // See if we can infer a concrete type for the {receiver}.
   Handle<Map> receiver_map;
   if (InferReceiverMap(receiver, effect).ToHandle(&receiver_map)) {
     // We can assume that the {receiver} still has the infered {receiver_map}.
     receiver_maps->Add(receiver_map);
     return true;
@@ skipping 108 matching lines @@
 }
 
 
 SimplifiedOperatorBuilder* JSNativeContextSpecialization::simplified() const {
   return jsgraph()->simplified();
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8