Inobject slack tracking is done on a per-closure basis instead of per-shared info basis.

src/ia32/builtins-ia32.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "v8.h"
 
 #if V8_TARGET_ARCH_IA32
 
 #include "codegen.h"
 #include "deoptimizer.h"
@@ skipping 84 matching lines @@
   CallRuntimePassFunction(masm, Runtime::kHiddenTryInstallOptimizedCode);
   GenerateTailCallToReturnedCode(masm);
 
   __ bind(&ok);
   GenerateTailCallToSharedCode(masm);
 }
 
 
 static void Generate_JSConstructStubHelper(MacroAssembler* masm,
                                            bool is_api_function,
-                                           bool count_constructions,
                                            bool create_memento) {
   // ----------- S t a t e -------------
   //  -- eax: number of arguments
   //  -- edi: constructor function
   //  -- ebx: allocation site or undefined
   // -----------------------------------
 
-  // Should never count constructions for api objects.
-  ASSERT(!is_api_function || !count_constructions);
-
   // Should never create mementos for api functions.
   ASSERT(!is_api_function || !create_memento);
 
-  // Should never create mementos before slack tracking is finished.
-  ASSERT(!count_constructions || !create_memento);
-
   // Enter a construct frame.
   {
     FrameScope scope(masm, StackFrame::CONSTRUCT);
 
     if (create_memento) {
       __ AssertUndefinedOrAllocationSite(ebx);
       __ push(ebx);
     }
 
     // Store a smi-tagged arguments count on the stack.
@@ skipping 25 matching lines @@
       __ j(not_equal, &rt_call);
 
       // Check that the constructor is not constructing a JSFunction (see
       // comments in Runtime_NewObject in runtime.cc). In which case the
       // initial map's instance type would be JS_FUNCTION_TYPE.
       // edi: constructor
       // eax: initial map
       __ CmpInstanceType(eax, JS_FUNCTION_TYPE);
       __ j(equal, &rt_call);
 
-      if (count_constructions) {
+      if (!is_api_function) {
+        // esi: slack tracking counter

[Michael Starzinger, 2014/05/21 10:42:01]

nit: At this point esi does not yet contain the counter, it is loaded below.
Let's drop this comment.

[Igor Sheludko, 2014/05/22 08:05:42]

Done.

         Label allocate;
+        // The code below relies on these assumptions.
+        STATIC_ASSERT(JSFunction::kNoSlackTracking == 0);
+        STATIC_ASSERT(Map::ConstructionCount::kShift +
+                      Map::ConstructionCount::kSize == 32);
+        // Check if slack tracking is enabled.
+        __ mov(esi, FieldOperand(eax, Map::kBitField3Offset));
+        __ shr(esi, Map::ConstructionCount::kShift);
+        __ j(zero, &allocate);  // JSFunction::kNoSlackTracking
         // Decrease generous allocation count.
-        __ mov(ecx, FieldOperand(edi, JSFunction::kSharedFunctionInfoOffset));
-        __ dec_b(FieldOperand(ecx,
-                              SharedFunctionInfo::kConstructionCountOffset));
-        __ j(not_zero, &allocate);
+        __ sub(FieldOperand(eax, Map::kBitField3Offset),
+               Immediate(1 << Map::ConstructionCount::kShift));
+
+        __ cmp(esi, JSFunction::kFinishSlackTracking);
+        __ j(not_equal, &allocate);
 
         __ push(eax);
         __ push(edi);
 
         __ push(edi);  // constructor
-        // The call will replace the stub, so the countdown is only done once.
         __ CallRuntime(Runtime::kHiddenFinalizeInstanceSize, 1);
 
         __ pop(edi);
         __ pop(eax);
+        __ xor_(esi, esi);  // JSFunction::kNoSlackTracking
 
         __ bind(&allocate);
       }
 
       // Now allocate the JSObject on the heap.
       // edi: constructor
       // eax: initial map
       __ movzx_b(edi, FieldOperand(eax, Map::kInstanceSizeOffset));
       __ shl(edi, kPointerSizeLog2);
       if (create_memento) {
         __ add(edi, Immediate(AllocationMemento::kSize));
       }
 
       __ Allocate(edi, ebx, edi, no_reg, &rt_call, NO_ALLOCATION_FLAGS);
 
       Factory* factory = masm->isolate()->factory();
 
       // Allocated the JSObject, now initialize the fields.
       // eax: initial map
       // ebx: JSObject
       // edi: start of next object (including memento if create_memento)
       __ mov(Operand(ebx, JSObject::kMapOffset), eax);
       __ mov(ecx, factory->empty_fixed_array());
       __ mov(Operand(ebx, JSObject::kPropertiesOffset), ecx);
       __ mov(Operand(ebx, JSObject::kElementsOffset), ecx);
       // Set extra fields in the newly allocated object.
       // eax: initial map
       // ebx: JSObject
       // edi: start of next object (including memento if create_memento)
+      // esi: slack tracking counter (non-API function case)
+      __ mov(edx, factory->undefined_value());
       __ lea(ecx, Operand(ebx, JSObject::kHeaderSize));
-      __ mov(edx, factory->undefined_value());
-      if (count_constructions) {
+      if (is_api_function) {
+        __ InitializeFieldsWithFiller(ecx, edi, edx);
+      } else {
+        Label no_inobject_slack_tracking, done_field_initialization;
+
+        // Check if slack tracking is enabled.
+        __ cmp(esi, JSFunction::kNoSlackTracking);
+        __ j(equal, &no_inobject_slack_tracking);
+
+        // Allocate object with a slack.
         __ movzx_b(esi,
                    FieldOperand(eax, Map::kPreAllocatedPropertyFieldsOffset));
         __ lea(esi,
                Operand(ebx, esi, times_pointer_size, JSObject::kHeaderSize));
         // esi: offset of first field after pre-allocated fields
         if (FLAG_debug_code) {
           __ cmp(esi, edi);
           __ Assert(less_equal,
                     kUnexpectedNumberOfPreAllocatedPropertyFields);
         }
         __ InitializeFieldsWithFiller(ecx, esi, edx);
         __ mov(edx, factory->one_pointer_filler_map());
         __ InitializeFieldsWithFiller(ecx, edi, edx);
-      } else if (create_memento) {
-        __ lea(esi, Operand(edi, -AllocationMemento::kSize));
-        __ InitializeFieldsWithFiller(ecx, esi, edx);
+        __ jmp(&done_field_initialization);

[Michael Starzinger, 2014/05/21 10:42:01]

This will skip initialization of the memento even though we allocated space for
it. This will probably throw off the heap verifier.

Talking to Michael Stanton, he agreed that the safest path forward would be to
not allocate a Memento while slack-tracking is in progress.

[Igor Sheludko, 2014/05/22 08:05:42]

Done. Now mementos are always initialized if they are allocated.

 
-        // Fill in memento fields if necessary.
-        // esi: points to the allocated but uninitialized memento.
-        Handle<Map> allocation_memento_map = factory->allocation_memento_map();
-        __ mov(Operand(esi, AllocationMemento::kMapOffset),
-               allocation_memento_map);
-        // Get the cell or undefined.
-        __ mov(edx, Operand(esp, kPointerSize*2));
-        __ mov(Operand(esi, AllocationMemento::kAllocationSiteOffset),
-               edx);
-      } else {
-        __ InitializeFieldsWithFiller(ecx, edi, edx);
+        __ bind(&no_inobject_slack_tracking);
+
+        if (create_memento) {
+          __ lea(esi, Operand(edi, -AllocationMemento::kSize));
+          __ InitializeFieldsWithFiller(ecx, esi, edx);
+
+          // Fill in memento fields if necessary.
+          // esi: points to the allocated but uninitialized memento.
+          __ mov(Operand(esi, AllocationMemento::kMapOffset),
+                 factory->allocation_memento_map());
+          // Get the cell or undefined.
+          __ mov(edx, Operand(esp, kPointerSize*2));
+          __ mov(Operand(esi, AllocationMemento::kAllocationSiteOffset),
+                 edx);
+        } else {
+          __ InitializeFieldsWithFiller(ecx, edi, edx);
+        }
+        __ bind(&done_field_initialization);
       }
 
       // Add the object tag to make the JSObject real, so that we can continue
       // and jump into the continuation code at any time from now on. Any
       // failures need to undo the allocation, so that the heap is in a
       // consistent state and verifiable.
       // eax: initial map
       // ebx: JSObject
       // edi: start of next object
       __ or_(ebx, Immediate(kHeapObjectTag));
@@ skipping 152 matching lines @@
       Handle<Code> code =
           masm->isolate()->builtins()->HandleApiCallConstruct();
       __ call(code, RelocInfo::CODE_TARGET);
     } else {
       ParameterCount actual(eax);
       __ InvokeFunction(edi, actual, CALL_FUNCTION,
                         NullCallWrapper());
     }
 
     // Store offset of return address for deoptimizer.
-    if (!is_api_function && !count_constructions) {
+    if (!is_api_function) {
       masm->isolate()->heap()->SetConstructStubDeoptPCOffset(masm->pc_offset());
     }
 
     // Restore context from the frame.
     __ mov(esi, Operand(ebp, StandardFrameConstants::kContextOffset));
 
     // If the result is an object (in the ECMA sense), we should get rid
     // of the receiver and use the result; see ECMA-262 section 13.2.2-7
     // on page 74.
     Label use_receiver, exit;
@@ skipping 21 matching lines @@
   // Remove caller arguments from the stack and return.
   STATIC_ASSERT(kSmiTagSize == 1 && kSmiTag == 0);
   __ pop(ecx);
   __ lea(esp, Operand(esp, ebx, times_2, 1 * kPointerSize));  // 1 ~ receiver
   __ push(ecx);
   __ IncrementCounter(masm->isolate()->counters()->constructed_objects(), 1);
   __ ret(0);
 }
 
 
-void Builtins::Generate_JSConstructStubCountdown(MacroAssembler* masm) {
-  Generate_JSConstructStubHelper(masm, false, true, false);
-}
-
-
 void Builtins::Generate_JSConstructStubGeneric(MacroAssembler* masm) {
-  Generate_JSConstructStubHelper(masm, false, false, FLAG_pretenuring_call_new);
+  Generate_JSConstructStubHelper(masm, false, FLAG_pretenuring_call_new);
 }
 
 
 void Builtins::Generate_JSConstructStubApi(MacroAssembler* masm) {
-  Generate_JSConstructStubHelper(masm, true, false, false);
+  Generate_JSConstructStubHelper(masm, true, false);
 }
 
 
 static void Generate_JSEntryTrampolineHelper(MacroAssembler* masm,
                                              bool is_construct) {
   ProfileEntryHookStub::MaybeCallEntryHook(masm);
 
   // Clear the context before we push it when entering the internal frame.
   __ Move(esi, Immediate(0));
 
@@ skipping 954 matching lines @@
 
   __ bind(&ok);
   __ ret(0);
 }
 
 #undef __
 }
 }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_IA32