[builtins] DeleteProperty: Handle last-added fast properties

src/ic/accessor-assembler.cc

Index: src/ic/accessor-assembler.cc
diff --git a/src/ic/accessor-assembler.cc b/src/ic/accessor-assembler.cc
index c048c7ec818f7774eaf14965ce71b13af487ba64..8bf6e1e37de6dde13163fbe4736645a331f56f59 100644
--- a/src/ic/accessor-assembler.cc
+++ b/src/ic/accessor-assembler.cc
@@ -984,15 +984,7 @@ void AccessorAssembler::HandleStoreFieldAndReturn(Node* handler_word,
   BIND(&if_out_of_object);
   {
     if (transition_to_field) {
-      Label storage_extended(this);
-      GotoIfNot(IsSetWord<StoreHandler::ExtendStorageBits>(handler_word),
-                &storage_extended);
-      Comment("[ Extend storage");
-      ExtendPropertiesBackingStore(holder);
-      Comment("] Extend storage");
-      Goto(&storage_extended);
-
-      BIND(&storage_extended);
+      ExtendPropertiesBackingStore(holder, handler_word);
     }
 
     StoreNamedField(handler_word, holder, false, representation, prepared_value,
@@ -1053,7 +1045,12 @@ Node* AccessorAssembler::PrepareValueForStore(Node* handler_word, Node* holder,
   return value;
 }
 
-void AccessorAssembler::ExtendPropertiesBackingStore(Node* object) {
+void AccessorAssembler::ExtendPropertiesBackingStore(Node* object,
+                                                     Node* handler_word) {
+  Label done(this);
+  GotoIfNot(IsSetWord<StoreHandler::ExtendStorageBits>(handler_word), &done);
+  Comment("[ Extend storage");
+
   ParameterMode mode = OptimalParameterMode();
 
   Node* properties = LoadProperties(object);
@@ -1061,6 +1058,17 @@ void AccessorAssembler::ExtendPropertiesBackingStore(Node* object) {
                      ? LoadAndUntagFixedArrayBaseLength(properties)
                      : LoadFixedArrayBaseLength(properties);
 
+  // Previous property deletion could have left behind unused backing store
+  // capacity even for a map that think it doesn't have any unused fields.
+  // Perform a bounds check to see if we actually have to grow the array.
+  Node* new_offset =
+      IntPtrSub(DecodeWord<StoreHandler::FieldOffsetBits>(handler_word),
+                IntPtrConstant(FixedArray::OffsetOfElementAt(0)));
+  constexpr int kSmiShift = kSmiTagSize + kSmiShiftSize;
+  int shift = kPointerSizeLog2 - (mode == SMI_PARAMETERS ? kSmiShift : 0);
+  Node* new_index = WordShr(new_offset, shift);
+  GotoIf(IntPtrOrSmiLessThan(new_index, length, mode), &done);

[Igor Sheludko, 2017/04/21 14:17:50]

Probably the following code would be a bit more readable:

Node* offset = DecodeWord<StoreHandler::FieldOffsetBits>(handler_word);
Node* size = ElementOffsetFromIndex(length, FAST_ELEMENTS, mode,
FixedArray::kHeaderSize);
GotoIf(UintPtrLessThan(offset, size, mode), &done);

[Jakob Kummerow, 2017/04/21 17:49:31]

Thanks, that's much better. Done.

+
   Node* delta = IntPtrOrSmiConstant(JSObject::kFieldsAdded, mode);
   Node* new_capacity = IntPtrOrSmiAdd(length, delta, mode);
 
@@ -1088,6 +1096,10 @@ void AccessorAssembler::ExtendPropertiesBackingStore(Node* object) {
                          SKIP_WRITE_BARRIER, mode);
 
   StoreObjectField(object, JSObject::kPropertiesOffset, new_properties);
+  Comment("] Extend storage");
+  Goto(&done);
+
+  BIND(&done);
 }
 
 void AccessorAssembler::StoreNamedField(Node* handler_word, Node* object,