| Index: src/compiler/js-native-context-specialization.cc
|
| diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
|
| index 094e3a1166c79e3fee86883a97e42a53eef057e7..f361a3b23d4e44bcb121d1073ea3e58e5effaaae 100644
|
| --- a/src/compiler/js-native-context-specialization.cc
|
| +++ b/src/compiler/js-native-context-specialization.cc
|
| @@ -266,10 +266,17 @@ Reduction JSNativeContextSpecialization::ReduceJSOrdinaryHasInstance(
|
| DCHECK_EQ(IrOpcode::kJSOrdinaryHasInstance, node->opcode());
|
| Node* constructor = NodeProperties::GetValueInput(node, 0);
|
| Node* object = NodeProperties::GetValueInput(node, 1);
|
| + Node* context = NodeProperties::GetContextInput(node);
|
| + Node* frame_state = NodeProperties::GetFrameStateInput(node);
|
| + Node* effect = NodeProperties::GetEffectInput(node);
|
| + Node* control = NodeProperties::GetControlInput(node);
|
|
|
| - // Check if the {constructor} is a JSBoundFunction.
|
| + // Check if the {constructor} is known at compile time.
|
| HeapObjectMatcher m(constructor);
|
| - if (m.HasValue() && m.Value()->IsJSBoundFunction()) {
|
| + if (!m.HasValue()) return NoChange();
|
| +
|
| + // Check if the {constructor} is a JSBoundFunction.
|
| + if (m.Value()->IsJSBoundFunction()) {
|
| // OrdinaryHasInstance on bound functions turns into a recursive
|
| // invocation of the instanceof operator again.
|
| // ES6 section 7.3.19 OrdinaryHasInstance (C, O) step 2.
|
| @@ -283,6 +290,211 @@ Reduction JSNativeContextSpecialization::ReduceJSOrdinaryHasInstance(
|
| return reduction.Changed() ? reduction : Changed(node);
|
| }
|
|
|
| + // Check if the {constructor} is a JSFunction.
|
| + if (m.Value()->IsJSFunction()) {
|
| + // Check if the {function} is a constructor and has an instance "prototype".
|
| + Handle<JSFunction> function = Handle<JSFunction>::cast(m.Value());
|
| + if (function->IsConstructor() && function->has_instance_prototype() &&
|
| + function->prototype()->IsJSReceiver()) {
|
| + // Ensure that the {function} has a valid initial map, so we can
|
| + // depend on that for the prototype constant-folding below.
|
| + JSFunction::EnsureHasInitialMap(function);
|
| +
|
| + // Install a code dependency on the {function}s initial map.
|
| + Handle<Map> initial_map(function->initial_map(), isolate());
|
| + dependencies()->AssumeInitialMapCantChange(initial_map);
|
| +
|
| + // Determine the {function}s prototype.
|
| + Handle<JSReceiver> function_prototype =
|
| + handle(JSReceiver::cast(initial_map->prototype()), isolate());
|
| +
|
| + ZoneHandleSet<Map> object_maps;
|
| + NodeProperties::InferReceiverMapsResult result =
|
| + NodeProperties::InferReceiverMaps(object, effect, &object_maps);
|
| + if (result != NodeProperties::kNoReceiverMaps) {
|
| + bool all = true;
|
| + bool none = true;
|
| + for (size_t i = 0; i < object_maps.size(); ++i) {
|
| + Handle<Map> object_map = object_maps[i];
|
| + if (object_map->instance_type() <= LAST_SPECIAL_RECEIVER_TYPE) {
|
| + all = none = false;
|
| + break;
|
| + }
|
| + if (result == NodeProperties::kUnreliableReceiverMaps) {
|
| + if (!object_map->is_stable()) {
|
| + all = none = false;
|
| + break;
|
| + }
|
| + }
|
| + for (PrototypeIterator j(object_maps[i]);; j.Advance()) {
|
| + if (j.IsAtEnd()) {
|
| + all = false;
|
| + break;
|
| + }
|
| + Handle<JSReceiver> const current =
|
| + PrototypeIterator::GetCurrent<JSReceiver>(j);
|
| + if (current.is_identical_to(function_prototype)) {
|
| + none = false;
|
| + break;
|
| + }
|
| + if (!current->map()->is_stable() ||
|
| + current->map()->IsSpecialReceiverMap()) {
|
| + all = none = false;
|
| + break;
|
| + }
|
| + }
|
| + }
|
| +
|
| + DCHECK_IMPLIES(all, !none);
|
| + DCHECK_IMPLIES(none, !all);
|
| +
|
| + if (all || none) {
|
| + for (size_t i = 0; i < object_maps.size(); ++i) {
|
| + if (result == NodeProperties::kUnreliableReceiverMaps) {
|
| + dependencies()->AssumeMapStable(object_maps[i]);
|
| + }
|
| + for (PrototypeIterator j(object_maps[i]); !j.IsAtEnd();
|
| + j.Advance()) {
|
| + Handle<JSReceiver> const current =
|
| + PrototypeIterator::GetCurrent<JSReceiver>(j);
|
| + if (current.is_identical_to(function_prototype)) break;
|
| + dependencies()->AssumeMapStable(handle(current->map()));
|
| + }
|
| + }
|
| + Node* value = jsgraph()->BooleanConstant(all);
|
| + ReplaceWithValue(node, value, effect, control);
|
| + return Replace(value);
|
| + }
|
| + }
|
| +
|
| + Node* prototype = jsgraph()->Constant(function_prototype);
|
| +
|
| + Node* check0 = graph()->NewNode(simplified()->ObjectIsSmi(), object);
|
| + Node* branch0 = graph()->NewNode(common()->Branch(BranchHint::kFalse),
|
| + check0, control);
|
| +
|
| + Node* if_true0 = graph()->NewNode(common()->IfTrue(), branch0);
|
| + Node* etrue0 = effect;
|
| + Node* vtrue0 = jsgraph()->FalseConstant();
|
| +
|
| + control = graph()->NewNode(common()->IfFalse(), branch0);
|
| +
|
| + // Loop through the {object}s prototype chain looking for the {prototype}.
|
| + Node* loop = control =
|
| + graph()->NewNode(common()->Loop(2), control, control);
|
| + Node* eloop = effect =
|
| + graph()->NewNode(common()->EffectPhi(2), effect, effect, loop);
|
| + Node* vloop = object =
|
| + graph()->NewNode(common()->Phi(MachineRepresentation::kTagged, 2),
|
| + object, object, loop);
|
| +
|
| + // Load the {object} map and instance type.
|
| + Node* object_map = effect =
|
| + graph()->NewNode(simplified()->LoadField(AccessBuilder::ForMap()),
|
| + object, effect, control);
|
| + Node* object_instance_type = effect = graph()->NewNode(
|
| + simplified()->LoadField(AccessBuilder::ForMapInstanceType()),
|
| + object_map, effect, control);
|
| +
|
| + // Check if the {object} is a special receiver, because for special
|
| + // receivers, i.e. proxies or API objects that need access checks,
|
| + // we have to use the %HasInPrototypeChain runtime function instead.
|
| + Node* check1 = graph()->NewNode(
|
| + simplified()->NumberLessThanOrEqual(), object_instance_type,
|
| + jsgraph()->Constant(LAST_SPECIAL_RECEIVER_TYPE));
|
| + Node* branch1 = graph()->NewNode(common()->Branch(BranchHint::kFalse),
|
| + check1, control);
|
| +
|
| + control = graph()->NewNode(common()->IfFalse(), branch1);
|
| +
|
| + Node* if_true1 = graph()->NewNode(common()->IfTrue(), branch1);
|
| + Node* etrue1 = effect;
|
| + Node* vtrue1;
|
| +
|
| + // Check if the {object} is not a receiver at all.
|
| + Node* check10 =
|
| + graph()->NewNode(simplified()->NumberLessThan(), object_instance_type,
|
| + jsgraph()->Constant(FIRST_JS_RECEIVER_TYPE));
|
| + Node* branch10 = graph()->NewNode(common()->Branch(BranchHint::kTrue),
|
| + check10, if_true1);
|
| +
|
| + // A primitive value cannot match the {prototype} we're looking for.
|
| + if_true1 = graph()->NewNode(common()->IfTrue(), branch10);
|
| + vtrue1 = jsgraph()->FalseConstant();
|
| +
|
| + Node* if_false1 = graph()->NewNode(common()->IfFalse(), branch10);
|
| + Node* efalse1 = etrue1;
|
| + Node* vfalse1;
|
| + {
|
| + // Slow path, need to call the %HasInPrototypeChain runtime function.
|
| + vfalse1 = efalse1 = if_false1 = graph()->NewNode(
|
| + javascript()->CallRuntime(Runtime::kHasInPrototypeChain), object,
|
| + prototype, context, frame_state, efalse1, if_false1);
|
| +
|
| + // Replace any potential {IfException} uses of {node} to catch
|
| + // exceptions from this %HasInPrototypeChain runtime call instead.
|
| + Node* on_exception = nullptr;
|
| + if (NodeProperties::IsExceptionalCall(node, &on_exception)) {
|
| + NodeProperties::ReplaceControlInput(on_exception, vfalse1);
|
| + NodeProperties::ReplaceEffectInput(on_exception, efalse1);
|
| + if_false1 = graph()->NewNode(common()->IfSuccess(), vfalse1);
|
| + Revisit(on_exception);
|
| + }
|
| + }
|
| +
|
| + // Load the {object} prototype.
|
| + Node* object_prototype = effect = graph()->NewNode(
|
| + simplified()->LoadField(AccessBuilder::ForMapPrototype()), object_map,
|
| + effect, control);
|
| +
|
| + // Check if we reached the end of {object}s prototype chain.
|
| + Node* check2 =
|
| + graph()->NewNode(simplified()->ReferenceEqual(), object_prototype,
|
| + jsgraph()->NullConstant());
|
| + Node* branch2 = graph()->NewNode(common()->Branch(), check2, control);
|
| +
|
| + Node* if_true2 = graph()->NewNode(common()->IfTrue(), branch2);
|
| + Node* etrue2 = effect;
|
| + Node* vtrue2 = jsgraph()->FalseConstant();
|
| +
|
| + control = graph()->NewNode(common()->IfFalse(), branch2);
|
| +
|
| + // Check if we reached the {prototype}.
|
| + Node* check3 = graph()->NewNode(simplified()->ReferenceEqual(),
|
| + object_prototype, prototype);
|
| + Node* branch3 = graph()->NewNode(common()->Branch(), check3, control);
|
| +
|
| + Node* if_true3 = graph()->NewNode(common()->IfTrue(), branch3);
|
| + Node* etrue3 = effect;
|
| + Node* vtrue3 = jsgraph()->TrueConstant();
|
| +
|
| + control = graph()->NewNode(common()->IfFalse(), branch3);
|
| +
|
| + // Close the loop.
|
| + vloop->ReplaceInput(1, object_prototype);
|
| + eloop->ReplaceInput(1, effect);
|
| + loop->ReplaceInput(1, control);
|
| +
|
| + control = graph()->NewNode(common()->Merge(5), if_true0, if_true1,
|
| + if_true2, if_true3, if_false1);
|
| + effect = graph()->NewNode(common()->EffectPhi(5), etrue0, etrue1, etrue2,
|
| + etrue3, efalse1, control);
|
| +
|
| + // Morph the {node} into an appropriate Phi.
|
| + ReplaceWithValue(node, node, effect, control);
|
| + node->ReplaceInput(0, vtrue0);
|
| + node->ReplaceInput(1, vtrue1);
|
| + node->ReplaceInput(2, vtrue2);
|
| + node->ReplaceInput(3, vtrue3);
|
| + node->ReplaceInput(4, vfalse1);
|
| + node->ReplaceInput(5, control);
|
| + node->TrimInputCount(6);
|
| + NodeProperties::ChangeOp(
|
| + node, common()->Phi(MachineRepresentation::kTagged, 5));
|
| + return Changed(node);
|
| + }
|
| + }
|
| +
|
| return NoChange();
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 2823403003:
[WIP] Move JSOrdinaryHasInstance lowering to JSNativeContextSpecialization. (Closed)
