[turbofan] Add support for "ignore OOB stores" to typed arrays.

src/compiler/js-native-context-specialization.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-native-context-specialization.h"
 
 #include "src/accessors.h"
 #include "src/code-factory.h"
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
@@ skipping 409 matching lines @@
          node->opcode() == IrOpcode::kJSStoreProperty);
   Node* receiver = NodeProperties::GetValueInput(node, 0);
   Node* effect = NodeProperties::GetEffectInput(node);
   Node* control = NodeProperties::GetControlInput(node);
   Node* frame_state = NodeProperties::FindFrameStateBefore(node);
 
   // Not much we can do if deoptimization support is disabled.
   if (!(flags() & kDeoptimizationEnabled)) return NoChange();
 
   // TODO(bmeurer): Add support for non-standard stores.
-  if (store_mode != STANDARD_STORE) return NoChange();
+  if (store_mode != STANDARD_STORE &&
+      store_mode != STORE_NO_TRANSITION_IGNORE_OUT_OF_BOUNDS) {
+    return NoChange();
+  }
 
   // Retrieve the native context from the given {node}.
   Handle<Context> native_context;
   if (!GetNativeContext(node).ToHandle(&native_context)) return NoChange();
 
   // Compute element access infos for the receiver maps.
   AccessInfoFactory access_info_factory(dependencies(), native_context,
                                         graph()->zone());
   ZoneVector<ElementAccessInfo> access_infos(zone());
   if (!access_info_factory.ComputeElementAccessInfos(receiver_maps, access_mode,
@@ skipping 34 matching lines @@
     // don't have the kNoWrite flag on it, even though they are not
     // observable by JavaScript.
     effect =
         graph()->NewNode(common()->Checkpoint(), frame_state, effect, control);
 
     // Perform map check on the {receiver}.
     effect =
         BuildCheckMaps(receiver, effect, control, access_info.receiver_maps());
 
     // Access the actual element.
-    ValueEffectControl continuation =
-        BuildElementAccess(receiver, index, value, effect, control,
-                           native_context, access_info, access_mode);
+    ValueEffectControl continuation = BuildElementAccess(
+        receiver, index, value, effect, control, native_context, access_info,
+        access_mode, store_mode);
     value = continuation.value();
     effect = continuation.effect();
     control = continuation.control();
   } else {
     // The final states for every polymorphic branch. We join them with
     // Merge+Phi+EffectPhi at the bottom.
     ZoneVector<Node*> values(zone());
     ZoneVector<Node*> effects(zone());
     ZoneVector<Node*> controls(zone());
 
@@ skipping 84 matching lines @@
       // could allow callbacks on elements in the prototype chain that are
       // not compatible with (monomorphic) keyed stores.
       Handle<JSObject> holder;
       if (access_info.holder().ToHandle(&holder)) {
         AssumePrototypesStable(receiver_maps, native_context, holder);
       }
 
       // Access the actual element.
       ValueEffectControl continuation = BuildElementAccess(
           this_receiver, this_index, this_value, this_effect, this_control,
-          native_context, access_info, access_mode);
+          native_context, access_info, access_mode, store_mode);
       values.push_back(continuation.value());
       effects.push_back(continuation.effect());
       controls.push_back(continuation.control());
     }
 
     DCHECK_NULL(fallthrough_control);
 
     // Generate the final merge point for all (polymorphic) branches.
     int const control_count = static_cast<int>(controls.size());
     if (control_count == 0) {
@@ skipping 342 matching lines @@
   UNREACHABLE();
   return kExternalInt8Array;
 }
 
 }  // namespace
 
 JSNativeContextSpecialization::ValueEffectControl
 JSNativeContextSpecialization::BuildElementAccess(
     Node* receiver, Node* index, Node* value, Node* effect, Node* control,
     Handle<Context> native_context, ElementAccessInfo const& access_info,
-    AccessMode access_mode) {
+    AccessMode access_mode, KeyedAccessStoreMode store_mode) {
   // Determine actual holder and perform prototype chain checks.
   Handle<JSObject> holder;
   if (access_info.holder().ToHandle(&holder)) {
     AssumePrototypesStable(access_info.receiver_maps(), native_context, holder);
   }
 
   // TODO(bmeurer): We currently specialize based on elements kind. We should
   // also be able to properly support strings and other JSObjects here.
   ElementsKind elements_kind = access_info.elements_kind();
   MapList const& receiver_maps = access_info.receiver_maps();
@@ skipping 29 matching lines @@
         graph()->NewNode(
             simplified()->NumberBitwiseAnd(), buffer_bitfield,
             jsgraph()->Constant(JSArrayBuffer::WasNeutered::kMask)),
         jsgraph()->ZeroConstant());
 
     // Default to zero if the {receiver}s buffer was neutered.
     length = graph()->NewNode(
         common()->Select(MachineRepresentation::kTagged, BranchHint::kTrue),
         check, length, jsgraph()->ZeroConstant());
 
-    // Check that the {index} is in the valid range for the {receiver}.
-    index = effect = graph()->NewNode(simplified()->CheckBounds(), index,
-                                      length, effect, control);
+    if (store_mode == STORE_NO_TRANSITION_IGNORE_OUT_OF_BOUNDS) {
+      // Check that the {index} is a valid array index, we do the actual
+      // bounds check below and just skip the store below if it's out of
+      // bounds for the {receiver}.
+      index = effect = graph()->NewNode(simplified()->CheckBounds(), index,
+                                        jsgraph()->Constant(Smi::kMaxValue),
+                                        effect, control);
+    } else {
+      // Check that the {index} is in the valid range for the {receiver}.
+      DCHECK_EQ(STANDARD_STORE, store_mode);
+      index = effect = graph()->NewNode(simplified()->CheckBounds(), index,
+                                        length, effect, control);
+    }
 
     // Load the base and external pointer for the {receiver}.
     Node* base_pointer = effect = graph()->NewNode(
         simplified()->LoadField(
             AccessBuilder::ForFixedTypedArrayBaseBasePointer()),
         elements, effect, control);
     Node* external_pointer = effect = graph()->NewNode(
         simplified()->LoadField(
             AccessBuilder::ForFixedTypedArrayBaseExternalPointer()),
         elements, effect, control);
 
     // Access the actual element.
     ExternalArrayType external_array_type =
         GetArrayTypeFromElementsKind(elements_kind);
     switch (access_mode) {
       case AccessMode::kLoad: {
         value = effect = graph()->NewNode(
             simplified()->LoadTypedElement(external_array_type), buffer,
             base_pointer, external_pointer, index, effect, control);
         break;
       }
       case AccessMode::kStore: {
         // Ensure that the {value} is actually a Number.
         value = effect = graph()->NewNode(simplified()->CheckNumber(), value,
                                           effect, control);
-        effect = graph()->NewNode(
-            simplified()->StoreTypedElement(external_array_type), buffer,
-            base_pointer, external_pointer, index, value, effect, control);
+
+        // Check if we can skip the out-of-bounds store.
+        if (store_mode == STORE_NO_TRANSITION_IGNORE_OUT_OF_BOUNDS) {
+          Node* check =
+              graph()->NewNode(simplified()->NumberLessThan(), index, length);
+          Node* branch = graph()->NewNode(common()->Branch(BranchHint::kTrue),
+                                          check, control);
+
+          Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
+          Node* etrue = effect;
+          {
+            // Perform the actual store.
+            etrue = graph()->NewNode(
+                simplified()->StoreTypedElement(external_array_type), buffer,
+                base_pointer, external_pointer, index, value, etrue, if_true);
+          }
+
+          Node* if_false = graph()->NewNode(common()->IfFalse(), branch);
+          Node* efalse = effect;
+          {
+            // Just ignore the out-of-bounds write.
+          }
+
+          control = graph()->NewNode(common()->Merge(2), if_true, if_false);
+          effect =
+              graph()->NewNode(common()->EffectPhi(2), etrue, efalse, control);
+        } else {
+          // Perform the actual store
+          DCHECK_EQ(STANDARD_STORE, store_mode);
+          effect = graph()->NewNode(
+              simplified()->StoreTypedElement(external_array_type), buffer,
+              base_pointer, external_pointer, index, value, effect, control);
+        }
         break;
       }
     }
   } else {
+    // TODO(turbofan): Add support for additional store modes.
+    DCHECK_EQ(STANDARD_STORE, store_mode);
+
     // Load the length of the {receiver}.
     Node* length = effect =
         HasOnlyJSArrayMaps(receiver_maps)
             ? graph()->NewNode(
                   simplified()->LoadField(
                       AccessBuilder::ForJSArrayLength(elements_kind)),
                   receiver, effect, control)
             : graph()->NewNode(
                   simplified()->LoadField(AccessBuilder::ForFixedArrayLength()),
                   elements, effect, control);
 
     // Check that the {index} is in the valid range for the {receiver}.
     index = effect = graph()->NewNode(simplified()->CheckBounds(), index,
                                       length, effect, control);
 
     // Compute the element access.
     Type* element_type = Type::Any();
     MachineType element_machine_type = MachineType::AnyTagged();
     if (IsFastDoubleElementsKind(elements_kind)) {
       element_type = Type::Number();
       element_machine_type = MachineType::Float64();
     } else if (IsFastSmiElementsKind(elements_kind)) {
       element_type = type_cache_.kSmi;
     }
     ElementAccess element_access = {kTaggedBase, FixedArray::kHeaderSize,
                                     element_type, element_machine_type,
                                     kFullWriteBarrier};
 
     // Access the actual element.
-    // TODO(bmeurer): Refactor this into separate methods or even a separate
-    // class that deals with the elements access.
     if (access_mode == AccessMode::kLoad) {
       // Compute the real element access type, which includes the hole in case
       // of holey backing stores.
       if (elements_kind == FAST_HOLEY_ELEMENTS ||
           elements_kind == FAST_HOLEY_SMI_ELEMENTS) {
         element_access.type = Type::Union(
             element_type,
             Type::Constant(factory()->the_hole_value(), graph()->zone()),
             graph()->zone());
       }
@@ skipping 254 matching lines @@
 }
 
 
 SimplifiedOperatorBuilder* JSNativeContextSpecialization::simplified() const {
   return jsgraph()->simplified();
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8