[turbofan] Properly optimize instanceof (even in the presence of @@hasInstance).

src/compiler/js-typed-lowering.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-typed-lowering.h"
 
 #include "src/ast/modules.h"
 #include "src/builtins/builtins-utils.h"
 #include "src/code-factory.h"
 #include "src/compilation-dependencies.h"
@@ skipping 1293 matching lines @@
         node->ReplaceInput(5, control);
         node->TrimInputCount(6);
         NodeProperties::ChangeOp(node, simplified()->StoreBuffer(access));
         return Changed(node);
       }
     }
   }
   return NoChange();
 }
 
-Reduction JSTypedLowering::ReduceJSInstanceOf(Node* node) {
-  DCHECK_EQ(IrOpcode::kJSInstanceOf, node->opcode());
-  Node* const context = NodeProperties::GetContextInput(node);
-  Node* const frame_state = NodeProperties::GetFrameStateInput(node);
+Reduction JSTypedLowering::ReduceJSOrdinaryHasInstance(Node* node) {
+  DCHECK_EQ(IrOpcode::kJSOrdinaryHasInstance, node->opcode());
+  Node* constructor = NodeProperties::GetValueInput(node, 0);
+  Type* constructor_type = NodeProperties::GetType(constructor);
+  Node* object = NodeProperties::GetValueInput(node, 1);
+  Node* context = NodeProperties::GetContextInput(node);
+  Node* frame_state = NodeProperties::GetFrameStateInput(node);
+  Node* effect = NodeProperties::GetEffectInput(node);
+  Node* control = NodeProperties::GetControlInput(node);
 
-  // If deoptimization is disabled, we cannot optimize.
-  if (!(flags() & kDeoptimizationEnabled)) return NoChange();
-
-  // If we are in a try block, don't optimize since the runtime call
-  // in the proxy case can throw.
-  if (NodeProperties::IsExceptionalCall(node)) return NoChange();
-
-  JSBinopReduction r(this, node);
-  Node* object = r.left();
-  Node* effect = r.effect();
-  Node* control = r.control();
-
-  if (!r.right_type()->IsHeapConstant() ||
-      !r.right_type()->AsHeapConstant()->Value()->IsJSFunction()) {
+  // Check if the {constructor} is a (known) JSFunction.
+  if (!constructor_type->IsHeapConstant() ||
+      !constructor_type->AsHeapConstant()->Value()->IsJSFunction()) {
     return NoChange();
   }
+  Handle<JSFunction> function =
+      Handle<JSFunction>::cast(constructor_type->AsHeapConstant()->Value());
 
-  Handle<JSFunction> function =
-      Handle<JSFunction>::cast(r.right_type()->AsHeapConstant()->Value());
-  Handle<SharedFunctionInfo> shared(function->shared(), isolate());
+  // Check if the {function} already has an initial map (i.e. the
+  // {function} has been used as a constructor at least once).
+  if (!function->has_initial_map()) return NoChange();
 
-  // Make sure the prototype of {function} is the %FunctionPrototype%, and it
-  // already has a meaningful initial map (i.e. we constructed at least one
-  // instance using the constructor {function}).
-  if (function->map()->prototype() != function->native_context()->closure() ||
-      function->map()->has_non_instance_prototype() ||
-      !function->has_initial_map()) {
-    return NoChange();
-  }
+  // Check if the {function}s "prototype" is a JSReceiver.
+  if (!function->prototype()->IsJSReceiver()) return NoChange();
 
-  // We can only use the fast case if @@hasInstance was not used so far.
-  if (!isolate()->IsHasInstanceLookupChainIntact()) return NoChange();
-  dependencies()->AssumePropertyCell(factory()->has_instance_protector());
-
+  // Install a code dependency on the {function}s initial map.
   Handle<Map> initial_map(function->initial_map(), isolate());
   dependencies()->AssumeInitialMapCantChange(initial_map);
+
   Node* prototype =
       jsgraph()->Constant(handle(initial_map->prototype(), isolate()));
 
   Node* check0 = graph()->NewNode(simplified()->ObjectIsSmi(), object);
   Node* branch0 =
       graph()->NewNode(common()->Branch(BranchHint::kFalse), check0, control);
 
   Node* if_true0 = graph()->NewNode(common()->IfTrue(), branch0);
   Node* etrue0 = effect;
   Node* vtrue0 = jsgraph()->FalseConstant();
@@ skipping 47 matching lines @@
 
   Node* if_false1 = graph()->NewNode(common()->IfFalse(), branch10);
   Node* efalse1 = etrue1;
   Node* vfalse1;
   {
     // Slow path, need to call the %HasInPrototypeChain runtime function.
     vfalse1 = efalse1 = graph()->NewNode(
         javascript()->CallRuntime(Runtime::kHasInPrototypeChain), object,
         prototype, context, frame_state, efalse1, if_false1);
     if_false1 = graph()->NewNode(common()->IfSuccess(), vfalse1);
+
+    // Replace any potential IfException on {node} to catch exceptions
+    // from this %HasInPrototypeChain runtime call instead.
+    for (Edge edge : node->use_edges()) {
+      if (edge.from()->opcode() == IrOpcode::kIfException) {
+        edge.UpdateTo(vfalse1);
+        Revisit(edge.from());
+      }
+    }
   }
 
   // Load the {object} prototype.
   Node* object_prototype = effect = graph()->NewNode(
       simplified()->LoadField(AccessBuilder::ForMapPrototype()), object_map,
       effect, control);
 
   // Check if we reached the end of {object}s prototype chain.
   Node* check2 = graph()->NewNode(simplified()->ReferenceEqual(),
                                   object_prototype, jsgraph()->NullConstant());
@@ skipping 759 matching lines @@
       return ReduceUI32Shift(node, kSigned);
     case IrOpcode::kJSShiftRightLogical:
       return ReduceUI32Shift(node, kUnsigned);
     case IrOpcode::kJSAdd:
       return ReduceJSAdd(node);
     case IrOpcode::kJSSubtract:
     case IrOpcode::kJSMultiply:
     case IrOpcode::kJSDivide:
     case IrOpcode::kJSModulus:
       return ReduceNumberBinop(node);
+    case IrOpcode::kJSOrdinaryHasInstance:
+      return ReduceJSOrdinaryHasInstance(node);
     case IrOpcode::kJSToBoolean:
       return ReduceJSToBoolean(node);
     case IrOpcode::kJSToInteger:
       return ReduceJSToInteger(node);
     case IrOpcode::kJSToLength:
       return ReduceJSToLength(node);
     case IrOpcode::kJSToName:
       return ReduceJSToName(node);
     case IrOpcode::kJSToNumber:
       return ReduceJSToNumber(node);
     case IrOpcode::kJSToString:
       return ReduceJSToString(node);
     case IrOpcode::kJSToObject:
       return ReduceJSToObject(node);
     case IrOpcode::kJSTypeOf:
       return ReduceJSTypeOf(node);
     case IrOpcode::kJSLoadNamed:
       return ReduceJSLoadNamed(node);
     case IrOpcode::kJSLoadProperty:
       return ReduceJSLoadProperty(node);
     case IrOpcode::kJSStoreProperty:
       return ReduceJSStoreProperty(node);
-    case IrOpcode::kJSInstanceOf:
-      return ReduceJSInstanceOf(node);
     case IrOpcode::kJSLoadContext:
       return ReduceJSLoadContext(node);
     case IrOpcode::kJSStoreContext:
       return ReduceJSStoreContext(node);
     case IrOpcode::kJSLoadModule:
       return ReduceJSLoadModule(node);
     case IrOpcode::kJSStoreModule:
       return ReduceJSStoreModule(node);
     case IrOpcode::kJSConvertReceiver:
       return ReduceJSConvertReceiver(node);
@@ skipping 39 matching lines @@
 }
 
 
 CompilationDependencies* JSTypedLowering::dependencies() const {
   return dependencies_;
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8