[stubs] Implement fast TF Builtin for Object.create

src/code-stub-assembler.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-
 #include "src/code-stub-assembler.h"
 #include "src/code-factory.h"
 #include "src/frames-inl.h"
 #include "src/frames.h"
 #include "src/ic/handler-configuration.h"
 #include "src/ic/stub-cache.h"
 
 namespace v8 {
 namespace internal {
 
@@ skipping 564 matching lines @@
     GotoIf(Int32LessThanOrEqual(LoadMapInstanceType(prototype_map),
                                 Int32Constant(LAST_CUSTOM_ELEMENTS_RECEIVER)),
            possibly_elements);
     GotoIf(WordNotEqual(LoadElements(prototype), empty_elements),
            possibly_elements);
     var_map.Bind(prototype_map);
     Goto(&loop_body);
   }
 }
 
+void CodeStubAssembler::BranchIfJSReceiver(Node* object, Label* if_true,
+                                           Label* if_false) {
+  GotoIf(TaggedIsSmi(object), if_false);
+  STATIC_ASSERT(LAST_JS_RECEIVER_TYPE == LAST_TYPE);
+  Branch(Int32GreaterThanOrEqual(LoadInstanceType(object),
+                                 Int32Constant(FIRST_JS_RECEIVER_TYPE)),
+         if_true, if_false);
+}
+
+void CodeStubAssembler::BranchIfJSObject(Node* object, Label* if_true,
+                                         Label* if_false) {
+  GotoIf(TaggedIsSmi(object), if_false);
+  STATIC_ASSERT(LAST_JS_OBJECT_TYPE == LAST_TYPE);
+  Branch(Int32GreaterThanOrEqual(LoadInstanceType(object),
+                                 Int32Constant(FIRST_JS_OBJECT_TYPE)),
+         if_true, if_false);
+}
+
 void CodeStubAssembler::BranchIfFastJSArray(Node* object, Node* context,
                                             Label* if_true, Label* if_false) {
   // Bailout if receiver is a Smi.
   GotoIf(TaggedIsSmi(object), if_false);
 
   Node* map = LoadMap(object);
 
   // Bailout if instance type is not JS_ARRAY_TYPE.
   GotoIf(WordNotEqual(LoadMapInstanceType(map), Int32Constant(JS_ARRAY_TYPE)),
          if_false);
@@ skipping 305 matching lines @@
 }
 
 Node* CodeStubAssembler::LoadMap(Node* object) {
   return LoadObjectField(object, HeapObject::kMapOffset);
 }
 
 Node* CodeStubAssembler::LoadInstanceType(Node* object) {
   return LoadMapInstanceType(LoadMap(object));
 }
 
+Node* CodeStubAssembler::HasInstanceType(Node* object,
+                                         InstanceType instance_type) {
+  return Word32Equal(LoadInstanceType(object), Int32Constant(instance_type));
+}
+
 void CodeStubAssembler::AssertInstanceType(Node* object,
                                            InstanceType instance_type) {
-  CSA_ASSERT(
-      Word32Equal(LoadInstanceType(object), Int32Constant(instance_type)));
+  CSA_ASSERT(HasInstanceType(object, instance_type));
 }
 
 Node* CodeStubAssembler::LoadProperties(Node* object) {
   return LoadObjectField(object, JSObject::kPropertiesOffset);
 }
 
 Node* CodeStubAssembler::LoadElements(Node* object) {
   return LoadObjectField(object, JSObject::kElementsOffset);
 }
 
@@ skipping 27 matching lines @@
 
 Node* CodeStubAssembler::LoadMapElementsKind(Node* map) {
   Node* bit_field2 = LoadMapBitField2(map);
   return BitFieldDecode<Map::ElementsKindBits>(bit_field2);
 }
 
 Node* CodeStubAssembler::LoadMapDescriptors(Node* map) {
   return LoadObjectField(map, Map::kDescriptorsOffset);
 }
 
+Node* CodeStubAssembler::LoadMapNumberOfOwnDescriptors(Node* map) {

[Igor Sheludko, 2016/10/18 12:33:21]

Semi-useful. Usually we load this number after a fast-map bit check which is
also a part of bit_field3. So here we are going to load the bit field second
time.

[Camillo Bruni, 2016/10/18 14:06:00]

removing it.

+  return BitFieldDecodeWord<Map::NumberOfOwnDescriptorsBits>(
+      LoadMapBitField3(map));
+}
+
 Node* CodeStubAssembler::LoadMapPrototype(Node* map) {
   return LoadObjectField(map, Map::kPrototypeOffset);
 }
 
+Node* CodeStubAssembler::LoadMapPrototypeInfo(Node* map,
+                                              Label* if_no_proto_info) {
+  Node* prototype_info =
+      LoadObjectField(map, Map::kTransitionsOrPrototypeInfoOffset);
+  GotoIf(TaggedIsSmi(prototype_info), if_no_proto_info);
+  GotoUnless(HasInstanceType(prototype_info, PROTOTYPE_INFO_TYPE),

[Igor Sheludko, 2016/10/18 12:33:21]

Map check is better here.

[Camillo Bruni, 2016/10/18 14:06:00]

done.

+             if_no_proto_info);
+  return prototype_info;
+}
+
 Node* CodeStubAssembler::LoadMapInstanceSize(Node* map) {
   return ChangeUint32ToWord(
       LoadObjectField(map, Map::kInstanceSizeOffset, MachineType::Uint8()));
 }
 
 Node* CodeStubAssembler::LoadMapInobjectProperties(Node* map) {
   // See Map::GetInObjectProperties() for details.
   STATIC_ASSERT(LAST_JS_OBJECT_TYPE == LAST_TYPE);
   CSA_ASSERT(Int32GreaterThanOrEqual(LoadMapInstanceType(map),
                                      Int32Constant(FIRST_JS_OBJECT_TYPE)));
@@ skipping 25 matching lines @@
         Word32Equal(LoadInstanceType(result.value()), Int32Constant(MAP_TYPE));
     GotoUnless(is_map_type, &done);
     result.Bind(
         LoadObjectField(result.value(), Map::kConstructorOrBackPointerOffset));
     Goto(&loop);
   }
   Bind(&done);
   return result.value();
 }
 
+Node* CodeStubAssembler::IsFastMap(Node* map) {

[Igor Sheludko, 2016/10/18 12:33:21]

Semi-useful. Same a above.

[Camillo Bruni, 2016/10/18 14:06:00]

agreed, removed it.

+  Node* bit_field3 = LoadMapBitField3(map);
+  return BitFieldDecode<Map::DictionaryMap>(bit_field3);
+}
+
+Node* CodeStubAssembler::IsSpecialReceiverMap(Node* map) {
+  Node* bit_field = LoadMapBitField(map);
+  Node* mask = Int32Constant(1 << Map::kHasNamedInterceptor |
+                             1 << Map::kIsAccessCheckNeeded);
+  Assert(Word32Equal(Word32And(bit_field, mask), Int32Constant(0)));
+  return IsSpecialReceiverInstanceType(LoadMapInstanceType(map));
+}
+
+Node* CodeStubAssembler::IsSpecialReceiverInstanceType(Node* instance_type) {
+  STATIC_ASSERT(JS_GLOBAL_OBJECT_TYPE <= LAST_SPECIAL_RECEIVER_TYPE);
+  return Int32LessThanOrEqual(instance_type,
+                              Int32Constant(LAST_SPECIAL_RECEIVER_TYPE));
+}
+
 Node* CodeStubAssembler::LoadNameHashField(Node* name) {
   return LoadObjectField(name, Name::kHashFieldOffset, MachineType::Uint32());
 }
 
 Node* CodeStubAssembler::LoadNameHash(Node* name, Label* if_hash_not_computed) {
   Node* hash_field = LoadNameHashField(name);
   if (if_hash_not_computed != nullptr) {
     GotoIf(Word32Equal(
                Word32And(hash_field, Int32Constant(Name::kHashNotComputedMask)),
                Int32Constant(0)),
@@ skipping 408 matching lines @@
       AllocateFixedArray(elements_kind, length_intptr, parameter_mode);
   StoreObjectField(result, JSArray::kElementsOffset, elements);
 
   // Fill in the elements with undefined.
   FillFixedArrayWithValue(elements_kind, elements, zero, length_intptr,
                           Heap::kUndefinedValueRootIndex, parameter_mode);
 
   return result;
 }
 
+Node* CodeStubAssembler::AllocateJSObjectFromMap(Node* map, Node* properties,
+                                                 Node* elements) {
+  Node* size =
+      IntPtrMul(LoadMapInstanceSize(map), IntPtrConstant(kPointerSize));
+  Node* object = Allocate(size);
+  StoreMapNoWriteBarrier(object, map);
+  InitializeJSObjectFromMap(object, map, size, properties, elements);
+  return object;
+}
+
+void CodeStubAssembler::InitializeJSObjectFromMap(Node* object, Node* map,
+                                                  Node* size, Node* properties,
+                                                  Node* elements) {
+  if (properties == nullptr) {
+    StoreObjectFieldRoot(object, JSObject::kPropertiesOffset,
+                         Heap::kEmptyFixedArrayRootIndex);
+  } else {
+    StoreObjectFieldNoWriteBarrier(object, JSObject::kPropertiesOffset,

[Igor Sheludko, 2016/10/18 12:33:21]

Please add a comment about why is it possible to skip write barriers in this
function. Maybe assert that the object is in new space.

[Camillo Bruni, 2016/10/18 14:06:00]

done, added semi-assertion in AllocateJSObjectFromMap

+                                   properties);
+  }
+  if (elements == nullptr) {
+    StoreObjectFieldRoot(object, JSObject::kElementsOffset,
+                         Heap::kEmptyFixedArrayRootIndex);
+  } else {
+    StoreObjectFieldNoWriteBarrier(object, JSObject::kElementsOffset, elements);
+  }
+  InitializeJSObjectBody(object, map, size, JSObject::kHeaderSize);
+}
+
+void CodeStubAssembler::InitializeJSObjectBody(Node* object, Node* map,
+                                               Node* size, int start_offset) {
+  // TODO(cbruni): activate in-object slack tracking machinery.
+  Comment("InitializeJSObjectBody");
+  Node* filler = LoadRoot(Heap::kUndefinedValueRootIndex);
+  Node* start_address = IntPtrAdd(object, IntPtrConstant(start_offset));
+  Node* end_address = IntPtrAdd(object, size);
+  StoreFieldsNoWriteBarrier(start_address, end_address, filler);
+}
+
+void CodeStubAssembler::StoreFieldsNoWriteBarrier(Node* start_address,
+                                                  Node* end_address,
+                                                  Node* value) {
+  Comment("StoreFieldsNoWriteBarrier");

[Igor Sheludko, 2016/10/18 12:33:21]

Consider using BuildFastLoop().

[Camillo Bruni, 2016/10/18 14:06:00]

done.

+  Variable current(this, MachineRepresentation::kTagged);

[Igor Sheludko, 2016/10/18 12:33:22]

Why is it kTagged? I think it should be PointerRepresentation() instead.

[Camillo Bruni, 2016/10/18 14:06:00]

done.

+  Label decrement(this, &current), done(this);
+
+  start_address = IntPtrSub(start_address, IntPtrConstant(1));

[Igor Sheludko, 2016/10/18 12:33:21]

I think it would be better to "untag" it in the caller instead of here.

+  end_address = IntPtrSub(end_address, IntPtrConstant(1));

[Igor Sheludko, 2016/10/18 12:33:21]

And thus this would not be necessary.

[Camillo Bruni, 2016/10/18 14:06:00]

done.

+  Assert(IsWordAligned(start_address));
+  Assert(IsWordAligned(end_address));
+
+  current.Bind(end_address);
+  Branch(WordEqual(current.value(), start_address), &done, &decrement);
+  Bind(&decrement);
+  {
+    current.Bind(IntPtrSub(current.value(), IntPtrConstant(kPointerSize)));
+
+    StoreNoWriteBarrier(MachineType::PointerRepresentation(), current.value(),
+                        value);
+
+    Branch(WordEqual(current.value(), start_address), &done, &decrement);
+  }
+
+  Bind(&done);
+}
+
 Node* CodeStubAssembler::AllocateUninitializedJSArrayWithoutElements(
     ElementsKind kind, Node* array_map, Node* length, Node* allocation_site) {
   Comment("begin allocation of JSArray without elements");
   int base_size = JSArray::kSize;
   if (allocation_site != nullptr) {
     base_size += AllocationMemento::kSize;
   }
 
   Node* size = IntPtrConstant(base_size);
   Node* array = AllocateUninitializedJSArray(kind, array_map, length,
@@ skipping 6033 matching lines @@
     result.Bind(CallRuntime(Runtime::kInstanceOf, context, object, callable));
     Goto(&end);
   }
 
   Bind(&end);
   return result.value();
 }
 
 }  // namespace internal
 }  // namespace v8