Chromium Code Reviews Chromium Code Reviews
Issue 2511223003:
[turbofan] Properly optimize instanceof (even in the presence of @@hasInstance). (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2015 the V8 project authors. All rights reserved. | 1 // Copyright 2015 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/compiler/js-native-context-specialization.h" | 5 #include "src/compiler/js-native-context-specialization.h" |
| 6 | 6 |
| 7 #include "src/accessors.h" | 7 #include "src/accessors.h" |
| 8 #include "src/code-factory.h" | 8 #include "src/code-factory.h" |
| 9 #include "src/compilation-dependencies.h" | 9 #include "src/compilation-dependencies.h" |
| 10 #include "src/compiler/access-builder.h" | 10 #include "src/compiler/access-builder.h" |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 62 : AdvancedReducer(editor), | 62 : AdvancedReducer(editor), |
| 63 jsgraph_(jsgraph), | 63 jsgraph_(jsgraph), |
| 64 flags_(flags), | 64 flags_(flags), |
| 65 native_context_(native_context), | 65 native_context_(native_context), |
| 66 dependencies_(dependencies), | 66 dependencies_(dependencies), |
| 67 zone_(zone), | 67 zone_(zone), |
| 68 type_cache_(TypeCache::Get()) {} | 68 type_cache_(TypeCache::Get()) {} |
| 69 | 69 |
| 70 Reduction JSNativeContextSpecialization::Reduce(Node* node) { | 70 Reduction JSNativeContextSpecialization::Reduce(Node* node) { |
| 71 switch (node->opcode()) { | 71 switch (node->opcode()) { |
| 72 case IrOpcode::kJSInstanceOf: | |
| 73 return ReduceJSInstanceOf(node); | |
| 72 case IrOpcode::kJSLoadContext: | 74 case IrOpcode::kJSLoadContext: |
| 73 return ReduceJSLoadContext(node); | 75 return ReduceJSLoadContext(node); |
| 74 case IrOpcode::kJSLoadNamed: | 76 case IrOpcode::kJSLoadNamed: |
| 75 return ReduceJSLoadNamed(node); | 77 return ReduceJSLoadNamed(node); |
| 76 case IrOpcode::kJSStoreNamed: | 78 case IrOpcode::kJSStoreNamed: |
| 77 return ReduceJSStoreNamed(node); | 79 return ReduceJSStoreNamed(node); |
| 78 case IrOpcode::kJSLoadProperty: | 80 case IrOpcode::kJSLoadProperty: |
| 79 return ReduceJSLoadProperty(node); | 81 return ReduceJSLoadProperty(node); |
| 80 case IrOpcode::kJSStoreProperty: | 82 case IrOpcode::kJSStoreProperty: |
| 81 return ReduceJSStoreProperty(node); | 83 return ReduceJSStoreProperty(node); |
| 82 default: | 84 default: |
| 83 break; | 85 break; |
| 84 } | 86 } |
| 85 return NoChange(); | 87 return NoChange(); |
| 86 } | 88 } |
| 87 | 89 |
| 90 Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) { | |
| 91 DCHECK_EQ(IrOpcode::kJSInstanceOf, node->opcode()); | |
| 92 Node* object = NodeProperties::GetValueInput(node, 0); | |
| 93 Node* constructor = NodeProperties::GetValueInput(node, 1); | |
| 94 Node* context = NodeProperties::GetContextInput(node); | |
| 95 Node* effect = NodeProperties::GetEffectInput(node); | |
| 96 Node* control = NodeProperties::GetControlInput(node); | |
| 97 | |
| 98 // If deoptimization is disabled, we cannot optimize. | |
| 99 if (!(flags() & kDeoptimizationEnabled)) return NoChange(); | |
| 100 | |
| 101 // Check if the right hand side is a known {receiver}. | |
| 102 HeapObjectMatcher m(constructor); | |
| 103 if (!m.HasValue() || !m.Value()->IsJSObject()) return NoChange(); | |
| 104 Handle<JSObject> receiver = Handle<JSObject>::cast(m.Value()); | |
| 105 Handle<Map> receiver_map(receiver->map(), isolate()); | |
| 106 | |
| 107 // Compute property access info for @@hasInstance on {receiver}. | |
| 108 PropertyAccessInfo access_info; | |
| 109 AccessInfoFactory access_info_factory(dependencies(), native_context(), | |
| 110 graph()->zone()); | |
| 111 if (!access_info_factory.ComputePropertyAccessInfo( | |
| 112 receiver_map, factory()->has_instance_symbol(), AccessMode::kLoad, | |
| 113 &access_info)) { | |
| 114 return NoChange(); | |
| 115 } | |
| 116 | |
| 117 if (access_info.IsNotFound()) { | |
| 118 // If there's no @@hasInstance handler, the OrdinaryHasInstance operation | |
| 119 // takes over, but that requires the {receiver} to be callable. | |
| 120 if (receiver->IsCallable()) { | |
| 121 // Determine actual holder and perform prototype chain checks. | |
| 122 Handle<JSObject> holder; | |
| 123 if (access_info.holder().ToHandle(&holder)) { | |
| 124 AssumePrototypesStable(access_info.receiver_maps(), holder); | |
| 125 } | |
| 126 | |
| 127 // Monomorphic property access. | |
| 128 effect = | |
| 129 BuildCheckMaps(constructor, effect, control, MapList{receiver_map}); | |
| 130 | |
| 131 // Lower to OrdinaryHasInstance(C, O). | |
| 132 NodeProperties::ReplaceValueInput(node, constructor, 0); | |
| 133 NodeProperties::ReplaceValueInput(node, object, 1); | |
| 134 NodeProperties::ReplaceEffectInput(node, effect); | |
| 135 NodeProperties::ChangeOp(node, javascript()->OrdinaryHasInstance()); | |
|
Yang
2016/11/18 06:26:47
Would it make sense to constant fold if the lhs is
Benedikt Meurer
2016/11/18 06:28:51
Doable, but as discussed offline, there's no real
| |
| 136 return Changed(node); | |
| 137 } | |
| 138 } else if (access_info.IsDataConstant()) { | |
| 139 DCHECK(access_info.constant()->IsCallable()); | |
|
Yang
2016/11/18 06:26:47
Can we assume this? What if I store a non-callable
Benedikt Meurer
2016/11/18 06:28:51
Yes, all data constants stored on the map are curr
| |
| 140 | |
| 141 // Determine actual holder and perform prototype chain checks. | |
| 142 Handle<JSObject> holder; | |
| 143 if (access_info.holder().ToHandle(&holder)) { | |
| 144 AssumePrototypesStable(access_info.receiver_maps(), holder); | |
| 145 } | |
| 146 | |
| 147 // Monomorphic property access. | |
| 148 effect = | |
| 149 BuildCheckMaps(constructor, effect, control, MapList{receiver_map}); | |
| 150 | |
| 151 // Call the @@hasInstance handler. | |
| 152 Node* target = jsgraph()->Constant(access_info.constant()); | |
| 153 node->InsertInput(graph()->zone(), 0, target); | |
| 154 node->ReplaceInput(1, constructor); | |
| 155 node->ReplaceInput(2, object); | |
| 156 NodeProperties::ChangeOp( | |
| 157 node, | |
| 158 javascript()->CallFunction(3, 0.0f, VectorSlotPair(), | |
| 159 ConvertReceiverMode::kNotNullOrUndefined)); | |
| 160 | |
| 161 // Rewire the value uses of {node} to ToBoolean conversion of the result. | |
| 162 Node* value = graph()->NewNode(javascript()->ToBoolean(ToBooleanHint::kAny), | |
| 163 node, context); | |
| 164 for (Edge edge : node->use_edges()) { | |
| 165 if (NodeProperties::IsValueEdge(edge) && edge.from() != value) { | |
| 166 edge.UpdateTo(value); | |
| 167 Revisit(edge.from()); | |
| 168 } | |
| 169 } | |
| 170 return Changed(node); | |
| 171 } | |
| 172 | |
| 173 return NoChange(); | |
| 174 } | |
| 175 | |
| 88 Reduction JSNativeContextSpecialization::ReduceJSLoadContext(Node* node) { | 176 Reduction JSNativeContextSpecialization::ReduceJSLoadContext(Node* node) { |
| 89 DCHECK_EQ(IrOpcode::kJSLoadContext, node->opcode()); | 177 DCHECK_EQ(IrOpcode::kJSLoadContext, node->opcode()); |
| 90 ContextAccess const& access = ContextAccessOf(node->op()); | 178 ContextAccess const& access = ContextAccessOf(node->op()); |
| 91 // Specialize JSLoadContext(NATIVE_CONTEXT_INDEX) to the known native | 179 // Specialize JSLoadContext(NATIVE_CONTEXT_INDEX) to the known native |
| 92 // context (if any), so we can constant-fold those fields, which is | 180 // context (if any), so we can constant-fold those fields, which is |
| 93 // safe, since the NATIVE_CONTEXT_INDEX slot is always immutable. | 181 // safe, since the NATIVE_CONTEXT_INDEX slot is always immutable. |
| 94 if (access.index() == Context::NATIVE_CONTEXT_INDEX) { | 182 if (access.index() == Context::NATIVE_CONTEXT_INDEX) { |
| 95 Node* value = jsgraph()->HeapConstant(native_context()); | 183 Node* value = jsgraph()->HeapConstant(native_context()); |
| 96 ReplaceWithValue(node, value); | 184 ReplaceWithValue(node, value); |
| 97 return Replace(value); | 185 return Replace(value); |
| (...skipping 1617 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1715 return jsgraph()->javascript(); | 1803 return jsgraph()->javascript(); |
| 1716 } | 1804 } |
| 1717 | 1805 |
| 1718 SimplifiedOperatorBuilder* JSNativeContextSpecialization::simplified() const { | 1806 SimplifiedOperatorBuilder* JSNativeContextSpecialization::simplified() const { |
| 1719 return jsgraph()->simplified(); | 1807 return jsgraph()->simplified(); |
| 1720 } | 1808 } |
| 1721 | 1809 |
| 1722 } // namespace compiler | 1810 } // namespace compiler |
| 1723 } // namespace internal | 1811 } // namespace internal |
| 1724 } // namespace v8 | 1812 } // namespace v8 |
| OLD | NEW |
