Move delete-last-fast-property code from CSA to C++

src/runtime/runtime-object.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/runtime/runtime-utils.h"
 
 #include "src/arguments.h"
 #include "src/bootstrapper.h"
 #include "src/debug/debug.h"
 #include "src/isolate-inl.h"
@@ skipping 108 matching lines @@
       Factory* factory = isolate->factory();
       return factory->LookupSingleCharacterStringFromCode(
           String::Flatten(str)->Get(index));
     }
   }
 
   // Fall back to GetObjectProperty.
   return Runtime::GetObjectProperty(isolate, receiver_obj, key_obj);
 }
 
+namespace {
+
+bool DeleteObjectPropertyFast(Isolate* isolate, Handle<JSReceiver> receiver,
+                              Handle<Object> raw_key) {
+  Map* map = receiver->map();
+  if (map->instance_type() <= LAST_SPECIAL_RECEIVER_TYPE) return false;

[Igor Sheludko, 2017/05/03 14:39:25]

map->IsSpecialReceiverMap()

[Jakob Kummerow, 2017/05/03 14:49:27]

Done.

+  if (!raw_key->IsUniqueName()) return false;
+  Handle<Name> key = Handle<Name>::cast(raw_key);
+  // This implements a special case for fast property deletion: when the
+  // last property in an object is deleted, then instead of normalizing
+  // the properties, we can undo the last map transition, with a few
+  // prerequisites:
+  // (1) The current map must not be marked stable. Otherwise there could be
+  // optimized code that depends on the assumption that no object that reached
+  // this map transitions away from it (without triggering the "deoptimize
+  // dependent code" mechanism).
+  if (map->is_stable()) return false;
+  // (2) The property to be deleted must be the last property.
+  int nof = map->NumberOfOwnDescriptors();
+  if (nof == 0) return false;
+  int descriptor = nof - 1;
+  DescriptorArray* descriptors = map->instance_descriptors();
+  if (descriptors->GetKey(descriptor) != *key) return false;
+  // (3) The property to be deleted must be deletable.
+  PropertyDetails details = descriptors->GetDetails(descriptor);
+  if (!details.IsConfigurable()) return false;
+  // (4) The map must have a back pointer.
+  Object* backpointer = map->GetBackPointer();
+  if (!backpointer->IsMap()) return false;
+  // (5) The last transition must hvae been caused by adding a property

[Igor Sheludko, 2017/05/03 14:39:25]

s/hvae/have/

[Jakob Kummerow, 2017/05/03 14:49:27]

Done.

+  // (and not any kind of special transition).
+  if (Map::cast(backpointer)->NumberOfOwnDescriptors() != nof - 1) return false;
+
+  // Preconditions successful, perform the map rollback!
+  // Zap the property to avoid keeping objects alive. Zapping is not necessary
+  // for properties stored in the descriptor array.
+  if (details.location() == kField) {
+    Object* filler = isolate->heap()->one_pointer_filler_map();
+    FieldIndex index = FieldIndex::ForPropertyIndex(map, details.field_index());
+    JSObject::cast(*receiver)->RawFastPropertyAtPut(index, filler);
+    // We must clear any recorded slot for the deleted property, because
+    // subsequent object modifications might put a raw double there.
+    // Slot clearing is the reason why this entire function cannot currently
+    // be implemented in the DeleteProperty stub.
+    if (index.is_inobject() && !map->IsUnboxedDoubleField(index)) {

[Igor Sheludko, 2017/05/03 14:39:25]

"index.is_inobject() &&" is not necessary because Map::IsUnboxedDoubleField()
also checks that.

[Jakob Kummerow, 2017/05/03 14:49:27]

Nope, it's necessary. For out-of-object fields, "IsUnboxedDoubleField()" will
return "false" (because it checks for it), but we don't want to enter the
conditional block.

[Igor Sheludko, 2017/05/03 14:53:26]

Acknowledged.

+      isolate->heap()->ClearRecordedSlot(
+          *receiver, HeapObject::RawField(*receiver, index.offset()));
+    }
+  }
+  receiver->synchronized_set_map(Map::cast(backpointer));
+  return true;
+}
+
+}  // namespace
 
 Maybe<bool> Runtime::DeleteObjectProperty(Isolate* isolate,
                                           Handle<JSReceiver> receiver,
                                           Handle<Object> key,
                                           LanguageMode language_mode) {
+  if (DeleteObjectPropertyFast(isolate, receiver, key)) return Just(true);
+
   bool success = false;
   LookupIterator it = LookupIterator::PropertyOrElement(
       isolate, receiver, key, &success, LookupIterator::OWN);
   if (!success) return Nothing<bool>();
 
   return JSReceiver::DeleteProperty(&it, language_mode);
 }
 
 // ES6 19.1.3.2
 RUNTIME_FUNCTION(Runtime_ObjectHasOwnProperty) {
@@ skipping 893 matching lines @@
   // While iteration alone may not have observable side-effects, calling
   // toNumber on an object will. Make sure the arg is not an array of objects.
   ElementsKind kind = JSObject::cast(*obj)->GetElementsKind();
   if (!IsFastNumberElementsKind(kind)) return isolate->heap()->ToBoolean(false);
 
   return isolate->heap()->ToBoolean(!obj->IterationHasObservableEffects());
 }
 
 }  // namespace internal
 }  // namespace v8