[ic] Load IC data handlers now support prototype chain checks with global and dictionary objects.

src/code-stub-assembler.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "src/code-stub-assembler.h"
 #include "src/code-factory.h"
 #include "src/frames-inl.h"
 #include "src/frames.h"
 #include "src/ic/handler-configuration.h"
 #include "src/ic/stub-cache.h"
 
@@ skipping 5068 matching lines @@
   // Get the map entry from the cache.
   DCHECK_EQ(kPointerSize * 2, stub_cache->map_reference(table).address() -
                                   stub_cache->key_reference(table).address());
   Node* entry_map =
       Load(MachineType::Pointer(), key_base,
            IntPtrAdd(entry_offset, IntPtrConstant(kPointerSize * 2)));
   GotoIf(WordNotEqual(map, entry_map), if_miss);
 
   DCHECK_EQ(kPointerSize, stub_cache->value_reference(table).address() -
                               stub_cache->key_reference(table).address());
-  Node* handler = Load(MachineType::Pointer(), key_base,
+  Node* handler = Load(MachineType::TaggedPointer(), key_base,
                        IntPtrAdd(entry_offset, IntPtrConstant(kPointerSize)));
 
   // We found the handler.
   var_handler->Bind(handler);
   Goto(if_handler);
 }
 
 void CodeStubAssembler::TryProbeStubCache(
     StubCache* stub_cache, compiler::Node* receiver, compiler::Node* name,
     Label* if_handler, Variable* var_handler, Label* if_miss) {
@@ skipping 423 matching lines @@
                  Arg(Descriptor::kVector, p->vector));
   }
 }
 
 void CodeStubAssembler::HandleLoadICProtoHandler(
     const LoadICParameters* p, Node* handler, Variable* var_holder,
     Variable* var_smi_handler, Label* if_smi_handler, Label* miss) {
   DCHECK_EQ(MachineRepresentation::kTagged, var_holder->rep());
   DCHECK_EQ(MachineRepresentation::kTagged, var_smi_handler->rep());
 
-  Node* validity_cell = LoadObjectField(handler, Tuple3::kValue1Offset);
+  // IC dispatchers rely on these assumptions to be held.
+  STATIC_ASSERT(FixedArray::kLengthOffset == LoadHandler::kHolderCellOffset);
+  DCHECK_EQ(FixedArray::OffsetOfElementAt(LoadHandler::kSmiHandlerIndex),
+            LoadHandler::kSmiHandlerOffset);
+  DCHECK_EQ(FixedArray::OffsetOfElementAt(LoadHandler::kValidityCellIndex),
+            LoadHandler::kValidityCellOffset);
+
+  // Both FixedArray and Tuple3 handlers have validity cell at the same offset.
+  Node* validity_cell =
+      LoadObjectField(handler, LoadHandler::kValidityCellOffset);
   Node* cell_value = LoadObjectField(validity_cell, Cell::kValueOffset);
   GotoIf(WordNotEqual(cell_value,
                       SmiConstant(Smi::FromInt(Map::kPrototypeChainValid))),
          miss);
 
-  Node* holder =
-      LoadWeakCellValue(LoadObjectField(handler, Tuple3::kValue2Offset));
-  // The |holder| is guaranteed to be alive at this point since we passed
-  // both the receiver map check and the validity cell check.
-  CSA_ASSERT(WordNotEqual(holder, IntPtrConstant(0)));
+  Node* smi_handler = LoadObjectField(handler, LoadHandler::kSmiHandlerOffset);
+  CSA_ASSERT(TaggedIsSmi(smi_handler));
 
-  Node* smi_handler = LoadObjectField(handler, Tuple3::kValue3Offset);
-  CSA_ASSERT(TaggedIsSmi(smi_handler));
-  var_holder->Bind(holder);
-  var_smi_handler->Bind(smi_handler);
-
+  Label check_prototypes(this);
   GotoUnless(IsSetWord<LoadHandler::DoNegativeLookupOnReceiverBits>(
                  SmiUntag(smi_handler)),
-             if_smi_handler);
+             &check_prototypes);
+  {
+    // We have a dictionary receiver, do a negative lookup check.
+    NameDictionaryNegativeLookup(p->receiver, p->name, miss);
+    Goto(&check_prototypes);
+  }
 
-  NameDictionaryNegativeLookup(p->receiver, p->name, miss);
-  Goto(if_smi_handler);
+  Bind(&check_prototypes);
+  Node* maybe_holder_cell =
+      LoadObjectField(handler, LoadHandler::kHolderCellOffset);
+  Label array_handler(this), tuple_handler(this);
+  Branch(TaggedIsSmi(maybe_holder_cell), &array_handler, &tuple_handler);
+
+  Bind(&tuple_handler);
+  {
+    Node* holder = LoadWeakCellValue(maybe_holder_cell);
+    // The |holder| is guaranteed to be alive at this point since we passed
+    // both the receiver map check and the validity cell check.
+    CSA_ASSERT(WordNotEqual(holder, IntPtrConstant(0)));
+
+    var_holder->Bind(holder);
+    var_smi_handler->Bind(smi_handler);
+    Goto(if_smi_handler);
+  }
+
+  Bind(&array_handler);
+  {
+    Node* length = SmiUntag(maybe_holder_cell);
+    BuildFastLoop(MachineType::PointerRepresentation(),
+                  IntPtrConstant(LoadHandler::kFirstPrototypeIndex), length,
+                  [this, p, handler, miss](CodeStubAssembler*, Node* current) {
+                    Node* prototype_cell = LoadFixedArrayElement(
+                        handler, current, 0, INTPTR_PARAMETERS);
+                    CheckPrototype(prototype_cell, p->name, miss);
+                  },
+                  1, IndexAdvanceMode::kPost);
+
+    Node* holder_cell = LoadFixedArrayElement(
+        handler, IntPtrConstant(LoadHandler::kHolderCellIndex), 0,
+        INTPTR_PARAMETERS);
+    Node* holder = LoadWeakCellValue(holder_cell);
+    // The |holder| is guaranteed to be alive at this point since we passed
+    // the receiver map check, the validity cell check and the prototype chain
+    // check.
+    CSA_ASSERT(WordNotEqual(holder, IntPtrConstant(0)));
+
+    var_holder->Bind(holder);
+    var_smi_handler->Bind(smi_handler);
+    Goto(if_smi_handler);
+  }
+}
+
+void CodeStubAssembler::CheckPrototype(Node* prototype_cell, Node* name,
+                                       Label* miss) {
+  Node* maybe_prototype = LoadWeakCellValue(prototype_cell, miss);
+
+  Label done(this);
+  Label if_property_cell(this), if_dictionary_object(this);
+
+  // |maybe_prototype| is either a PropertyCell or a slow-mode prototype.
+  Branch(WordEqual(LoadMap(maybe_prototype),
+                   LoadRoot(Heap::kGlobalPropertyCellMapRootIndex)),
+         &if_property_cell, &if_dictionary_object);
+
+  Bind(&if_dictionary_object);
+  {
+    NameDictionaryNegativeLookup(maybe_prototype, name, miss);
+    Goto(&done);
+  }
+
+  Bind(&if_property_cell);
+  {
+    // Ensure the property cell still contains the hole.
+    Node* value = LoadObjectField(maybe_prototype, PropertyCell::kValueOffset);
+    GotoIf(WordNotEqual(value, LoadRoot(Heap::kTheHoleValueRootIndex)), miss);
+    Goto(&done);
+  }
+
+  Bind(&done);
 }
 
 void CodeStubAssembler::NameDictionaryNegativeLookup(Node* object, Node* name,
                                                      Label* miss) {
   CSA_ASSERT(IsDictionaryMap(LoadMap(object)));
   Node* properties = LoadProperties(object);
   // Ensure the property does not exist in a dictionary-mode object.
   Variable var_name_index(this, MachineType::PointerRepresentation());
   Label done(this);
   NameDictionaryLookup<NameDictionary>(properties, name, miss, &var_name_index,
@@ skipping 3008 matching lines @@
   Node* buffer_bit_field = LoadObjectField(
       buffer, JSArrayBuffer::kBitFieldOffset, MachineType::Uint32());
   Node* was_neutered_mask = Int32Constant(JSArrayBuffer::WasNeutered::kMask);
 
   return Word32NotEqual(Word32And(buffer_bit_field, was_neutered_mask),
                         Int32Constant(0));
 }
 
 }  // namespace internal
 }  // namespace v8