Inobject slack tracking is done on a per-closure basis instead of per-shared info basis.

src/x64/builtins-x64.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "v8.h"
 
 #if V8_TARGET_ARCH_X64
 
 #include "codegen.h"
 #include "deoptimizer.h"
@@ skipping 83 matching lines @@
   CallRuntimePassFunction(masm, Runtime::kHiddenTryInstallOptimizedCode);
   GenerateTailCallToReturnedCode(masm);
 
   __ bind(&ok);
   GenerateTailCallToSharedCode(masm);
 }
 
 
 static void Generate_JSConstructStubHelper(MacroAssembler* masm,
                                            bool is_api_function,
-                                           bool count_constructions,
                                            bool create_memento) {
   // ----------- S t a t e -------------
   //  -- rax: number of arguments
   //  -- rdi: constructor function
   //  -- rbx: allocation site or undefined
   // -----------------------------------
 
-  // Should never count constructions for api objects.
-  ASSERT(!is_api_function || !count_constructions);\
-
   // Should never create mementos for api functions.
   ASSERT(!is_api_function || !create_memento);
 
-  // Should never create mementos before slack tracking is finished.
-  ASSERT(!count_constructions || !create_memento);
-
   // Enter a construct frame.
   {
     FrameScope scope(masm, StackFrame::CONSTRUCT);
 
     if (create_memento) {
       __ AssertUndefinedOrAllocationSite(rbx);
       __ Push(rbx);
     }
 
     // Store a smi-tagged arguments count on the stack.
@@ skipping 28 matching lines @@
       __ j(not_equal, &rt_call);
 
       // Check that the constructor is not constructing a JSFunction (see
       // comments in Runtime_NewObject in runtime.cc). In which case the
       // initial map's instance type would be JS_FUNCTION_TYPE.
       // rdi: constructor
       // rax: initial map
       __ CmpInstanceType(rax, JS_FUNCTION_TYPE);
       __ j(equal, &rt_call);
 
-      if (count_constructions) {
+      if (!is_api_function) {
+        // rsi: slack tracking counter
         Label allocate;
+        // The code below relies on these assumptions.
+        STATIC_ASSERT(JSFunction::kNoSlackTracking == 0);
+        STATIC_ASSERT(Map::ConstructionCount::kShift +
+                      Map::ConstructionCount::kSize == 32);
+        // Check if slack tracking is enabled.
+        __ movl(rsi, FieldOperand(rax, Map::kBitField3Offset));
+        __ shrl(rsi, Immediate(Map::ConstructionCount::kShift));
+        __ j(zero, &allocate);  // JSFunction::kNoSlackTracking
         // Decrease generous allocation count.
-        __ movp(rcx, FieldOperand(rdi, JSFunction::kSharedFunctionInfoOffset));
-        __ decb(FieldOperand(rcx,
-                             SharedFunctionInfo::kConstructionCountOffset));
-        __ j(not_zero, &allocate);
+        __ subl(FieldOperand(rax, Map::kBitField3Offset),
+                Immediate(1 << Map::ConstructionCount::kShift));
+
+        __ cmpl(rsi, Immediate(JSFunction::kFinishSlackTracking));
+        __ j(not_equal, &allocate);
 
         __ Push(rax);
         __ Push(rdi);
 
         __ Push(rdi);  // constructor
-        // The call will replace the stub, so the countdown is only done once.
         __ CallRuntime(Runtime::kHiddenFinalizeInstanceSize, 1);
 
         __ Pop(rdi);
         __ Pop(rax);
+        __ xorl(rsi, rsi);  // JSFunction::kNoSlackTracking
 
         __ bind(&allocate);
       }
 
       // Now allocate the JSObject on the heap.
       __ movzxbp(rdi, FieldOperand(rax, Map::kInstanceSizeOffset));
       __ shlp(rdi, Immediate(kPointerSizeLog2));
       if (create_memento) {
         __ addp(rdi, Immediate(AllocationMemento::kSize));
       }
@@ skipping 10 matching lines @@
       // rbx: JSObject (not HeapObject tagged - the actual address).
       // rdi: start of next object (including memento if create_memento)
       __ movp(Operand(rbx, JSObject::kMapOffset), rax);
       __ LoadRoot(rcx, Heap::kEmptyFixedArrayRootIndex);
       __ movp(Operand(rbx, JSObject::kPropertiesOffset), rcx);
       __ movp(Operand(rbx, JSObject::kElementsOffset), rcx);
       // Set extra fields in the newly allocated object.
       // rax: initial map
       // rbx: JSObject
       // rdi: start of next object (including memento if create_memento)
+      // rsi: slack tracking counter (non-API function case)
       __ leap(rcx, Operand(rbx, JSObject::kHeaderSize));
       __ LoadRoot(rdx, Heap::kUndefinedValueRootIndex);
-      if (count_constructions) {
+      if (is_api_function) {
+        __ InitializeFieldsWithFiller(rcx, rdi, rdx);
+      } else {
+        Label no_inobject_slack_tracking, done_field_initialization;
+
+        // Check if slack tracking is enabled.
+        __ cmpl(rsi,
+                Immediate(static_cast<int32_t>(JSFunction::kNoSlackTracking)));
+        __ j(equal, &no_inobject_slack_tracking);
+
+        // Allocate object with a slack.
         __ movzxbp(rsi,
                    FieldOperand(rax, Map::kPreAllocatedPropertyFieldsOffset));
         __ leap(rsi,
                Operand(rbx, rsi, times_pointer_size, JSObject::kHeaderSize));
         // rsi: offset of first field after pre-allocated fields
         if (FLAG_debug_code) {
           __ cmpp(rsi, rdi);
           __ Assert(less_equal,
                     kUnexpectedNumberOfPreAllocatedPropertyFields);
         }
         __ InitializeFieldsWithFiller(rcx, rsi, rdx);
         __ LoadRoot(rdx, Heap::kOnePointerFillerMapRootIndex);
         __ InitializeFieldsWithFiller(rcx, rdi, rdx);
-      } else if (create_memento) {
-        __ leap(rsi, Operand(rdi, -AllocationMemento::kSize));
-        __ InitializeFieldsWithFiller(rcx, rsi, rdx);
+        __ jmp(&done_field_initialization);
 
-        // Fill in memento fields if necessary.
-        // rsi: points to the allocated but uninitialized memento.
-        Handle<Map> allocation_memento_map = factory->allocation_memento_map();
-        __ Move(Operand(rsi, AllocationMemento::kMapOffset),
-                allocation_memento_map);
-        // Get the cell or undefined.
-        __ movp(rdx, Operand(rsp, kPointerSize*2));
-        __ movp(Operand(rsi, AllocationMemento::kAllocationSiteOffset),
-                rdx);
-      } else {
-        __ InitializeFieldsWithFiller(rcx, rdi, rdx);
+        __ bind(&no_inobject_slack_tracking);
+        if (create_memento) {
+          __ leap(rsi, Operand(rdi, -AllocationMemento::kSize));
+          __ InitializeFieldsWithFiller(rcx, rsi, rdx);
+
+          // Fill in memento fields if necessary.
+          // rsi: points to the allocated but uninitialized memento.
+          __ Move(Operand(rsi, AllocationMemento::kMapOffset),
+                  factory->allocation_memento_map());
+          // Get the cell or undefined.
+          __ movp(rdx, Operand(rsp, kPointerSize*2));
+          __ movp(Operand(rsi, AllocationMemento::kAllocationSiteOffset), rdx);
+        } else {
+          __ InitializeFieldsWithFiller(rcx, rdi, rdx);
+        }
+        __ bind(&done_field_initialization);
       }
 
       // Add the object tag to make the JSObject real, so that we can continue
       // and jump into the continuation code at any time from now on. Any
       // failures need to undo the allocation, so that the heap is in a
       // consistent state and verifiable.
       // rax: initial map
       // rbx: JSObject
       // rdi: start of next object
       __ orp(rbx, Immediate(kHeapObjectTag));
@@ skipping 152 matching lines @@
       __ movp(rsi, FieldOperand(rdi, JSFunction::kContextOffset));
       Handle<Code> code =
           masm->isolate()->builtins()->HandleApiCallConstruct();
       __ Call(code, RelocInfo::CODE_TARGET);
     } else {
       ParameterCount actual(rax);
       __ InvokeFunction(rdi, actual, CALL_FUNCTION, NullCallWrapper());
     }
 
     // Store offset of return address for deoptimizer.
-    if (!is_api_function && !count_constructions) {
+    if (!is_api_function) {
       masm->isolate()->heap()->SetConstructStubDeoptPCOffset(masm->pc_offset());
     }
 
     // Restore context from the frame.
     __ movp(rsi, Operand(rbp, StandardFrameConstants::kContextOffset));
 
     // If the result is an object (in the ECMA sense), we should get rid
     // of the receiver and use the result; see ECMA-262 section 13.2.2-7
     // on page 74.
     Label use_receiver, exit;
@@ skipping 22 matching lines @@
   __ PopReturnAddressTo(rcx);
   SmiIndex index = masm->SmiToIndex(rbx, rbx, kPointerSizeLog2);
   __ leap(rsp, Operand(rsp, index.reg, index.scale, 1 * kPointerSize));
   __ PushReturnAddressFrom(rcx);
   Counters* counters = masm->isolate()->counters();
   __ IncrementCounter(counters->constructed_objects(), 1);
   __ ret(0);
 }
 
 
-void Builtins::Generate_JSConstructStubCountdown(MacroAssembler* masm) {
-  Generate_JSConstructStubHelper(masm, false, true, false);
-}
-
-
 void Builtins::Generate_JSConstructStubGeneric(MacroAssembler* masm) {
-  Generate_JSConstructStubHelper(masm, false, false, FLAG_pretenuring_call_new);
+  Generate_JSConstructStubHelper(masm, false, FLAG_pretenuring_call_new);
 }
 
 
 void Builtins::Generate_JSConstructStubApi(MacroAssembler* masm) {
-  Generate_JSConstructStubHelper(masm, true, false, false);
+  Generate_JSConstructStubHelper(masm, true, false);
 }
 
 
 static void Generate_JSEntryTrampolineHelper(MacroAssembler* masm,
                                              bool is_construct) {
   ProfileEntryHookStub::MaybeCallEntryHook(masm);
 
   // Expects five C++ function parameters.
   // - Address entry (ignored)
   // - JSFunction* function (
@@ skipping 1022 matching lines @@
   __ bind(&ok);
   __ ret(0);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_X64