Revert of [ic] Use validity cells to protect keyed element stores against object's prototype chain…

src/ic/accessor-assembler.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/ic/accessor-assembler.h"
 #include "src/ic/accessor-assembler-impl.h"
 
 #include "src/code-factory.h"
 #include "src/code-stubs.h"
 #include "src/ic/handler-configuration.h"
@@ skipping 454 matching lines @@
   Variable var_smi_handler(this, MachineRepresentation::kTagged);
   Label if_smi_handler(this);
   HandleLoadICProtoHandlerCase(&p, handler, &var_holder, &var_smi_handler,
                                &if_smi_handler, miss,
                                throw_reference_error_if_nonexistent);
   Bind(&if_smi_handler);
   HandleLoadICSmiHandlerCase(&p, var_holder.value(), var_smi_handler.value(),
                              miss, kOnlyProperties);
 }
 
-void AccessorAssemblerImpl::HandleStoreICHandlerCase(
-    const StoreICParameters* p, Node* handler, Label* miss,
-    ElementSupport support_elements) {
-  Label if_smi_handler(this), if_nonsmi_handler(this);
-  Label if_proto_handler(this), if_element_handler(this), call_handler(this);
+void AccessorAssemblerImpl::HandleStoreICHandlerCase(const StoreICParameters* p,
+                                                     Node* handler,
+                                                     Label* miss) {
+  Label if_smi_handler(this);
+  Label try_proto_handler(this), call_handler(this);
 
-  Branch(TaggedIsSmi(handler), &if_smi_handler, &if_nonsmi_handler);
+  Branch(TaggedIsSmi(handler), &if_smi_handler, &try_proto_handler);
 
   // |handler| is a Smi, encoding what to do. See SmiHandler methods
   // for the encoding format.
   Bind(&if_smi_handler);
   {
     Node* holder = p->receiver;
     Node* handler_word = SmiUntag(handler);
 
     // Handle non-transitioning field stores.
     HandleStoreICSmiHandlerCase(handler_word, holder, p->value, nullptr, miss);
   }
 
-  Bind(&if_nonsmi_handler);
+  Bind(&try_proto_handler);
   {
-    Node* handler_map = LoadMap(handler);
-    if (support_elements == kSupportElements) {
-      GotoIf(IsTuple2Map(handler_map), &if_element_handler);
-    }
-    Branch(IsCodeMap(handler_map), &call_handler, &if_proto_handler);
-  }
-
-  if (support_elements == kSupportElements) {
-    Bind(&if_element_handler);
-    { HandleStoreICElementHandlerCase(p, handler, miss); }
-  }
-
-  Bind(&if_proto_handler);
-  {
+    GotoIf(IsCodeMap(LoadMap(handler)), &call_handler);
     HandleStoreICProtoHandler(p, handler, miss);
   }
 
   // |handler| is a heap object. Must be code, call it.
   Bind(&call_handler);
   {
     StoreWithVectorDescriptor descriptor(isolate());
     TailCallStub(descriptor, handler, p->context, p->receiver, p->name,
                  p->value, p->slot, p->vector);
   }
 }
 
-void AccessorAssemblerImpl::HandleStoreICElementHandlerCase(
-    const StoreICParameters* p, Node* handler, Label* miss) {
-  Comment("HandleStoreICElementHandlerCase");
-  Node* validity_cell = LoadObjectField(handler, Tuple2::kValue1Offset);
-  Node* cell_value = LoadObjectField(validity_cell, Cell::kValueOffset);
-  GotoIf(WordNotEqual(cell_value,
-                      SmiConstant(Smi::FromInt(Map::kPrototypeChainValid))),
-         miss);
-
-  Node* code_handler = LoadObjectField(handler, Tuple2::kValue2Offset);
-  CSA_ASSERT(this, IsCodeMap(LoadMap(code_handler)));
-
-  StoreWithVectorDescriptor descriptor(isolate());
-  TailCallStub(descriptor, code_handler, p->context, p->receiver, p->name,
-               p->value, p->slot, p->vector);
-}
-
 void AccessorAssemblerImpl::HandleStoreICProtoHandler(
     const StoreICParameters* p, Node* handler, Label* miss) {
   // IC dispatchers rely on these assumptions to be held.
   STATIC_ASSERT(FixedArray::kLengthOffset ==
                 StoreHandler::kTransitionCellOffset);
   DCHECK_EQ(FixedArray::OffsetOfElementAt(StoreHandler::kSmiHandlerIndex),
             StoreHandler::kSmiHandlerOffset);
   DCHECK_EQ(FixedArray::OffsetOfElementAt(StoreHandler::kValidityCellIndex),
             StoreHandler::kValidityCellOffset);
 
@@ skipping 980 matching lines @@
 
   Node* receiver_map = LoadReceiverMap(p->receiver);
 
   // Check monomorphic case.
   Node* feedback =
       TryMonomorphicCase(p->slot, p->vector, receiver_map, &if_handler,
                          &var_handler, &try_polymorphic);
   Bind(&if_handler);
   {
     Comment("KeyedStoreIC_if_handler");
-    HandleStoreICHandlerCase(p, var_handler.value(), &miss, kSupportElements);
+    HandleStoreICHandlerCase(p, var_handler.value(), &miss);
   }
 
   Bind(&try_polymorphic);
   {
     // CheckPolymorphic case.
     Comment("KeyedStoreIC_try_polymorphic");
     GotoUnless(
         WordEqual(LoadMap(feedback), LoadRoot(Heap::kFixedArrayMapRootIndex)),
         &try_megamorphic);
     Label if_transition_handler(this);
     Variable var_transition_map_cell(this, MachineRepresentation::kTagged);
     HandleKeyedStorePolymorphicCase(receiver_map, feedback, &if_handler,
                                     &var_handler, &if_transition_handler,
                                     &var_transition_map_cell, &miss);
     Bind(&if_transition_handler);
     Comment("KeyedStoreIC_polymorphic_transition");
-    {
-      Node* handler = var_handler.value();
-      CSA_ASSERT(this, IsTuple2Map(LoadMap(handler)));
-
-      // Check validity cell.
-      Node* validity_cell = LoadObjectField(handler, Tuple2::kValue1Offset);
-      Node* cell_value = LoadObjectField(validity_cell, Cell::kValueOffset);
-      GotoIf(WordNotEqual(cell_value,
-                          SmiConstant(Smi::FromInt(Map::kPrototypeChainValid))),
-             &miss);
-
-      Node* code_handler = LoadObjectField(handler, Tuple2::kValue2Offset);
-      CSA_ASSERT(this, IsCodeMap(LoadMap(code_handler)));
-
-      Node* transition_map =
-          LoadWeakCellValue(var_transition_map_cell.value(), &miss);
-      StoreTransitionDescriptor descriptor(isolate());
-      TailCallStub(descriptor, code_handler, p->context, p->receiver, p->name,
-                   transition_map, p->value, p->slot, p->vector);
-    }
+    Node* transition_map =
+        LoadWeakCellValue(var_transition_map_cell.value(), &miss);
+    StoreTransitionDescriptor descriptor(isolate());
+    TailCallStub(descriptor, var_handler.value(), p->context, p->receiver,
+                 p->name, transition_map, p->value, p->slot, p->vector);
   }
 
   Bind(&try_megamorphic);
   {
     // Check megamorphic case.
     Comment("KeyedStoreIC_try_megamorphic");
     GotoUnless(
         WordEqual(feedback, LoadRoot(Heap::kmegamorphic_symbolRootIndex)),
         &try_polymorphic_name);
     TailCallStub(
@@ skipping 226 matching lines @@
 void AccessorAssembler::GenerateKeyedStoreICTrampolineTF(
     CodeAssemblerState* state, LanguageMode language_mode) {
   AccessorAssemblerImpl assembler(state);
   assembler.GenerateKeyedStoreICTrampolineTF(language_mode);
 }
 
 #undef ACCESSOR_ASSEMBLER_PUBLIC_INTERFACE
 
 }  // namespace internal
 }  // namespace v8