vector-based ICs did not update type feedback counts correctly.

src/ic/ic.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #include "src/accessors.h"
 #include "src/api.h"
 #include "src/arguments.h"
 #include "src/base/bits.h"
@@ skipping 457 matching lines @@
     RelocInfo::Mode mode = it.rinfo()->rmode();
     if (mode == RelocInfo::EMBEDDED_OBJECT &&
         it.rinfo()->target_object()->IsMap()) {
       it.rinfo()->set_target_object(undefined, SKIP_WRITE_BARRIER);
     }
   }
   CpuFeatures::FlushICache(stub->instruction_start(), stub->instruction_size());
 }
 
 
-void IC::Clear(Isolate* isolate, Address address,
-               ConstantPoolArray* constant_pool) {
+void IC::Clear(Isolate* isolate, Address address, TypeFeedbackVector* vector,
+               FeedbackVectorICSlot slot, ConstantPoolArray* constant_pool) {
   Code* target = GetTargetAtAddress(address, constant_pool);
 
   // Don't clear debug break inline cache as it will remove the break point.
   if (target->is_debug_stub()) return;
 
   switch (target->kind()) {
     case Code::LOAD_IC:
-      return LoadIC::Clear(isolate, address, target, constant_pool);
+      return LoadIC::Clear(isolate, address, target, vector, slot,
+                           constant_pool);
     case Code::KEYED_LOAD_IC:
-      return KeyedLoadIC::Clear(isolate, address, target, constant_pool);
+      return KeyedLoadIC::Clear(isolate, address, target, vector, slot,
+                                constant_pool);
     case Code::STORE_IC:
       return StoreIC::Clear(isolate, address, target, constant_pool);
     case Code::KEYED_STORE_IC:
       return KeyedStoreIC::Clear(isolate, address, target, constant_pool);
     case Code::CALL_IC:
-      return CallIC::Clear(isolate, address, target, constant_pool);
+      return CallIC::Clear(isolate, address, target, vector, slot,
+                           constant_pool);
     case Code::COMPARE_IC:
       return CompareIC::Clear(isolate, address, target, constant_pool);
     case Code::COMPARE_NIL_IC:
       return CompareNilIC::Clear(address, target, constant_pool);
     case Code::BINARY_OP_IC:
     case Code::TO_BOOLEAN_IC:
       // Clearing these is tricky and does not
       // make any performance difference.
       return;
     default:
       UNREACHABLE();
   }
 }
 
 
 void KeyedLoadIC::Clear(Isolate* isolate, Address address, Code* target,
+                        TypeFeedbackVector* vector, FeedbackVectorICSlot slot,
                         ConstantPoolArray* constant_pool) {
   if (IsCleared(target)) return;
 
   // If the target is the string_stub, then don't clear it. It is the
   // perfect stub if we continue to see strings. Holding this
   // state is not preventing learning new information.
   if (target != *isolate->builtins()->KeyedLoadIC_String()) {
     // Make sure to also clear the map used in inline fast cases.  If we
     // do not clear these maps, cached code can keep objects alive
     // through the embedded maps.
     SetTargetAtAddress(address, *pre_monomorphic_stub(isolate), constant_pool);
   }
 }
 
 
 void CallIC::Clear(Isolate* isolate, Address address, Code* target,
+                   TypeFeedbackVector* vector, FeedbackVectorICSlot slot,
                    ConstantPoolArray* constant_pool) {
-  // Currently, CallIC doesn't have state changes.
+  if (vector != NULL) {
+    Object* feedback = vector->Get(slot);
+    // Determine our state.
+    State state = FeedbackToState(isolate, vector, slot);
+
+    if (!feedback->IsAllocationSite()) {
+      vector->Set(slot, *TypeFeedbackVector::UninitializedSentinel(isolate));
+      // The change in state must be processed.
+      OnTypeFeedbackChanged(isolate, address, vector, state, UNINITIALIZED);
+    }
+  }
 }
 
 
 void LoadIC::Clear(Isolate* isolate, Address address, Code* target,
+                   TypeFeedbackVector* vector, FeedbackVectorICSlot slot,
                    ConstantPoolArray* constant_pool) {
   if (IsCleared(target)) return;
   Code* code = PropertyICCompiler::FindPreMonomorphic(isolate, Code::LOAD_IC,
                                                       target->extra_ic_state());
   SetTargetAtAddress(address, code, constant_pool);
 }
 
 
 void StoreIC::Clear(Isolate* isolate, Address address, Code* target,
                     ConstantPoolArray* constant_pool) {
@@ skipping 1378 matching lines @@
     TRACE_GENERIC_IC(isolate(), "KeyedStoreIC", "slow stub");
   }
   DCHECK(!stub.is_null());
   set_target(*stub);
   TRACE_IC("StoreIC", key);
 
   return store_handle;
 }
 
 
+// static
+void CallIC::OnTypeFeedbackChanged(Isolate* isolate, Address address,
+                                   TypeFeedbackVector* vector, State old_state,
+                                   State new_state) {
+  Code* host =
+      isolate->inner_pointer_to_code_cache()->GetCacheEntry(address)->code;
+  if (host->kind() != Code::FUNCTION) return;
+
+  if (FLAG_type_info_threshold > 0) {
+    int polymorphic_delta = 0;  // "Polymorphic" here includes monomorphic.
+    int generic_delta = 0;      // "Generic" here includes megamorphic.
+    ComputeTypeInfoCountDelta(old_state, new_state, &polymorphic_delta,
+                              &generic_delta);
+    vector->change_ic_with_type_info_count(polymorphic_delta);
+    vector->change_ic_generic_count(generic_delta);
+  }
+  if (host->type_feedback_info()->IsTypeFeedbackInfo()) {

[ulan, 2014/10/15 10:17:05]

Can we have a vector without having type_feedback_info()?

DCHECK(vector == host->type_feedback_info()->feedback_vector());

[mvstanton, 2014/10/16 10:54:14]

Indeed, it looks like we can count on this because we are always a FUNCTION.

+    TypeFeedbackInfo* info = TypeFeedbackInfo::cast(host->type_feedback_info());
+    info->change_own_type_change_checksum();
+  }
+  host->set_profiler_ticks(0);
+  isolate->runtime_profiler()->NotifyICChanged();
+  // TODO(2029): When an optimized function is patched, it would
+  // be nice to propagate the corresponding type information to its
+  // unoptimized version for the benefit of later inlining.
+}
+
+
 bool CallIC::DoCustomHandler(Handle<Object> receiver, Handle<Object> function,
                              Handle<TypeFeedbackVector> vector,
-                             Handle<Smi> slot, const CallICState& state) {
+                             FeedbackVectorICSlot slot,
+                             const CallICState& state) {
   DCHECK(FLAG_use_ic && function->IsJSFunction());
 
   // Are we the array function?
   Handle<JSFunction> array_function =
       Handle<JSFunction>(isolate()->native_context()->array_function());
   if (array_function.is_identical_to(Handle<JSFunction>::cast(function))) {
     // Alter the slot.
     IC::State old_state = FeedbackToState(vector, slot);
-    Object* feedback = vector->get(slot->value());
+    Object* feedback = vector->Get(slot);
     if (!feedback->IsAllocationSite()) {
       Handle<AllocationSite> new_site =
           isolate()->factory()->NewAllocationSite();
-      vector->set(slot->value(), *new_site);
+      vector->Set(slot, *new_site);
     }
 
     CallIC_ArrayStub stub(isolate(), state);
     set_target(*stub.GetCode());
     Handle<String> name;
     if (array_function->shared()->name()->IsString()) {
       name = Handle<String>(String::cast(array_function->shared()->name()),
                             isolate());
     }
 
     IC::State new_state = FeedbackToState(vector, slot);
-    OnTypeFeedbackChanged(isolate(), address(), old_state, new_state, true);
+    OnTypeFeedbackChanged(vector, old_state, new_state);
     TRACE_VECTOR_IC("CallIC (custom handler)", name, old_state, new_state);
     return true;
   }
   return false;
 }
 
 
 void CallIC::PatchMegamorphic(Handle<Object> function,
                               Handle<TypeFeedbackVector> vector,
-                              Handle<Smi> slot) {
+                              FeedbackVectorICSlot slot) {
   CallICState state(target()->extra_ic_state());
   IC::State old_state = FeedbackToState(vector, slot);
 
   // We are going generic.
-  vector->set(slot->value(),
-              *TypeFeedbackVector::MegamorphicSentinel(isolate()),
+  vector->Set(slot, *TypeFeedbackVector::MegamorphicSentinel(isolate()),
               SKIP_WRITE_BARRIER);
 
   CallICStub stub(isolate(), state);
   Handle<Code> code = stub.GetCode();
   set_target(*code);
 
   Handle<Object> name = isolate()->factory()->empty_string();
   if (function->IsJSFunction()) {
     Handle<JSFunction> js_function = Handle<JSFunction>::cast(function);
     name = handle(js_function->shared()->name(), isolate());
   }
 
   IC::State new_state = FeedbackToState(vector, slot);
-  OnTypeFeedbackChanged(isolate(), address(), old_state, new_state, true);
+  OnTypeFeedbackChanged(vector, old_state, new_state);
   TRACE_VECTOR_IC("CallIC", name, old_state, new_state);
 }
 
 
 void CallIC::HandleMiss(Handle<Object> receiver, Handle<Object> function,
-                        Handle<TypeFeedbackVector> vector, Handle<Smi> slot) {
+                        Handle<TypeFeedbackVector> vector,
+                        FeedbackVectorICSlot slot) {
   CallICState state(target()->extra_ic_state());
   IC::State old_state = FeedbackToState(vector, slot);
   Handle<Object> name = isolate()->factory()->empty_string();
-  Object* feedback = vector->get(slot->value());
+  Object* feedback = vector->Get(slot);
 
   // Hand-coded MISS handling is easier if CallIC slots don't contain smis.
   DCHECK(!feedback->IsSmi());
 
   if (feedback->IsJSFunction() || !function->IsJSFunction()) {
     // We are going generic.
-    vector->set(slot->value(),
-                *TypeFeedbackVector::MegamorphicSentinel(isolate()),
+    vector->Set(slot, *TypeFeedbackVector::MegamorphicSentinel(isolate()),
                 SKIP_WRITE_BARRIER);
   } else {
     // The feedback is either uninitialized or an allocation site.
     // It might be an allocation site because if we re-compile the full code
     // to add deoptimization support, we call with the default call-ic, and
     // merely need to patch the target to match the feedback.
     // TODO(mvstanton): the better approach is to dispense with patching
     // altogether, which is in progress.
     DCHECK(feedback == *TypeFeedbackVector::UninitializedSentinel(isolate()) ||
            feedback->IsAllocationSite());
 
     // Do we want to install a custom handler?
     if (FLAG_use_ic &&
         DoCustomHandler(receiver, function, vector, slot, state)) {
       return;
     }
 
-    vector->set(slot->value(), *function);
+    vector->Set(slot, *function);
   }
 
   if (function->IsJSFunction()) {
     Handle<JSFunction> js_function = Handle<JSFunction>::cast(function);
     name = handle(js_function->shared()->name(), isolate());
   }
 
   IC::State new_state = FeedbackToState(vector, slot);
-  OnTypeFeedbackChanged(isolate(), address(), old_state, new_state, true);
+  OnTypeFeedbackChanged(vector, old_state, new_state);
   TRACE_VECTOR_IC("CallIC", name, old_state, new_state);
 }
 
 
 #undef TRACE_IC
 
 
 // ----------------------------------------------------------------------------
 // Static IC stub generators.
 //
 
 // Used from ic-<arch>.cc.
 RUNTIME_FUNCTION(CallIC_Miss) {
   TimerEventScope<TimerEventIcMiss> timer(isolate);
   HandleScope scope(isolate);
   DCHECK(args.length() == 4);
   CallIC ic(isolate);
   Handle<Object> receiver = args.at<Object>(0);
   Handle<Object> function = args.at<Object>(1);
   Handle<TypeFeedbackVector> vector = args.at<TypeFeedbackVector>(2);
   Handle<Smi> slot = args.at<Smi>(3);
-  ic.HandleMiss(receiver, function, vector, slot);
+  FeedbackVectorICSlot vector_slot = vector->ToICSlot(slot->value());
+  ic.HandleMiss(receiver, function, vector, vector_slot);
   return *function;
 }
 
 
 RUNTIME_FUNCTION(CallIC_Customization_Miss) {
   TimerEventScope<TimerEventIcMiss> timer(isolate);
   HandleScope scope(isolate);
   DCHECK(args.length() == 4);
   // A miss on a custom call ic always results in going megamorphic.
   CallIC ic(isolate);
   Handle<Object> function = args.at<Object>(1);
   Handle<TypeFeedbackVector> vector = args.at<TypeFeedbackVector>(2);
   Handle<Smi> slot = args.at<Smi>(3);
-  ic.PatchMegamorphic(function, vector, slot);
+  FeedbackVectorICSlot vector_slot = vector->ToICSlot(slot->value());
+  ic.PatchMegamorphic(function, vector, vector_slot);
   return *function;
 }
 
 
 // Used from ic-<arch>.cc.
 RUNTIME_FUNCTION(LoadIC_Miss) {
   TimerEventScope<TimerEventIcMiss> timer(isolate);
   HandleScope scope(isolate);
   DCHECK(args.length() == 2);
   LoadIC ic(IC::NO_EXTRA_FRAME, isolate);
@@ skipping 618 matching lines @@
 static const Address IC_utilities[] = {
 #define ADDR(name) FUNCTION_ADDR(name),
     IC_UTIL_LIST(ADDR) NULL
 #undef ADDR
 };
 
 
 Address IC::AddressFromUtilityId(IC::UtilityId id) { return IC_utilities[id]; }
 }
 }  // namespace v8::internal