vector-based ICs did not update type feedback counts correctly.

src/ic/ic.cc

Index: src/ic/ic.cc
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index 1c621fe4822afd89b284ba6b8a2cf2dc41731eb1..1c0deb15d233220295b2224b339bd605b47d9f85 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -475,8 +475,8 @@ void IC::InvalidateMaps(Code* stub) {
 }
 
 
-void IC::Clear(Isolate* isolate, Address address,
-               ConstantPoolArray* constant_pool) {
+void IC::Clear(Isolate* isolate, Address address, TypeFeedbackVector* vector,
+               FeedbackVectorICSlot slot, ConstantPoolArray* constant_pool) {
   Code* target = GetTargetAtAddress(address, constant_pool);
 
   // Don't clear debug break inline cache as it will remove the break point.
@@ -484,15 +484,18 @@ void IC::Clear(Isolate* isolate, Address address,
 
   switch (target->kind()) {
     case Code::LOAD_IC:
-      return LoadIC::Clear(isolate, address, target, constant_pool);
+      return LoadIC::Clear(isolate, address, target, vector, slot,
+                           constant_pool);
     case Code::KEYED_LOAD_IC:
-      return KeyedLoadIC::Clear(isolate, address, target, constant_pool);
+      return KeyedLoadIC::Clear(isolate, address, target, vector, slot,
+                                constant_pool);
     case Code::STORE_IC:
       return StoreIC::Clear(isolate, address, target, constant_pool);
     case Code::KEYED_STORE_IC:
       return KeyedStoreIC::Clear(isolate, address, target, constant_pool);
     case Code::CALL_IC:
-      return CallIC::Clear(isolate, address, target, constant_pool);
+      return CallIC::Clear(isolate, address, target, vector, slot,
+                           constant_pool);
     case Code::COMPARE_IC:
       return CompareIC::Clear(isolate, address, target, constant_pool);
     case Code::COMPARE_NIL_IC:
@@ -509,6 +512,7 @@ void IC::Clear(Isolate* isolate, Address address,
 
 
 void KeyedLoadIC::Clear(Isolate* isolate, Address address, Code* target,
+                        TypeFeedbackVector* vector, FeedbackVectorICSlot slot,
                         ConstantPoolArray* constant_pool) {
   if (IsCleared(target)) return;
 
@@ -525,12 +529,24 @@ void KeyedLoadIC::Clear(Isolate* isolate, Address address, Code* target,
 
 
 void CallIC::Clear(Isolate* isolate, Address address, Code* target,
+                   TypeFeedbackVector* vector, FeedbackVectorICSlot slot,
                    ConstantPoolArray* constant_pool) {
-  // Currently, CallIC doesn't have state changes.
+  if (vector != NULL) {
+    Object* feedback = vector->Get(slot);
+    // Determine our state.
+    State state = FeedbackToState(isolate, vector, slot);
+
+    if (!feedback->IsAllocationSite()) {
+      vector->Set(slot, *TypeFeedbackVector::UninitializedSentinel(isolate));
+      // The change in state must be processed.
+      OnTypeFeedbackChanged(isolate, address, vector, state, UNINITIALIZED);
+    }
+  }
 }
 
 
 void LoadIC::Clear(Isolate* isolate, Address address, Code* target,
+                   TypeFeedbackVector* vector, FeedbackVectorICSlot slot,
                    ConstantPoolArray* constant_pool) {
   if (IsCleared(target)) return;
   Code* code = PropertyICCompiler::FindPreMonomorphic(isolate, Code::LOAD_IC,
@@ -1929,9 +1945,38 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
 }
 
 
+// static
+void CallIC::OnTypeFeedbackChanged(Isolate* isolate, Address address,
+                                   TypeFeedbackVector* vector, State old_state,
+                                   State new_state) {
+  Code* host =
+      isolate->inner_pointer_to_code_cache()->GetCacheEntry(address)->code;
+  if (host->kind() != Code::FUNCTION) return;
+
+  if (FLAG_type_info_threshold > 0) {
+    int polymorphic_delta = 0;  // "Polymorphic" here includes monomorphic.
+    int generic_delta = 0;      // "Generic" here includes megamorphic.
+    ComputeTypeInfoCountDelta(old_state, new_state, &polymorphic_delta,
+                              &generic_delta);
+    vector->change_ic_with_type_info_count(polymorphic_delta);
+    vector->change_ic_generic_count(generic_delta);
+  }
+  if (host->type_feedback_info()->IsTypeFeedbackInfo()) {

[ulan, 2014/10/15 10:17:05]

Can we have a vector without having type_feedback_info()?

DCHECK(vector == host->type_feedback_info()->feedback_vector());

[mvstanton, 2014/10/16 10:54:14]

Indeed, it looks like we can count on this because we are always a FUNCTION.

+    TypeFeedbackInfo* info = TypeFeedbackInfo::cast(host->type_feedback_info());
+    info->change_own_type_change_checksum();
+  }
+  host->set_profiler_ticks(0);
+  isolate->runtime_profiler()->NotifyICChanged();
+  // TODO(2029): When an optimized function is patched, it would
+  // be nice to propagate the corresponding type information to its
+  // unoptimized version for the benefit of later inlining.
+}
+
+
 bool CallIC::DoCustomHandler(Handle<Object> receiver, Handle<Object> function,
                              Handle<TypeFeedbackVector> vector,
-                             Handle<Smi> slot, const CallICState& state) {
+                             FeedbackVectorICSlot slot,
+                             const CallICState& state) {
   DCHECK(FLAG_use_ic && function->IsJSFunction());
 
   // Are we the array function?
@@ -1940,11 +1985,11 @@ bool CallIC::DoCustomHandler(Handle<Object> receiver, Handle<Object> function,
   if (array_function.is_identical_to(Handle<JSFunction>::cast(function))) {
     // Alter the slot.
     IC::State old_state = FeedbackToState(vector, slot);
-    Object* feedback = vector->get(slot->value());
+    Object* feedback = vector->Get(slot);
     if (!feedback->IsAllocationSite()) {
       Handle<AllocationSite> new_site =
           isolate()->factory()->NewAllocationSite();
-      vector->set(slot->value(), *new_site);
+      vector->Set(slot, *new_site);
     }
 
     CallIC_ArrayStub stub(isolate(), state);
@@ -1956,7 +2001,7 @@ bool CallIC::DoCustomHandler(Handle<Object> receiver, Handle<Object> function,
     }
 
     IC::State new_state = FeedbackToState(vector, slot);
-    OnTypeFeedbackChanged(isolate(), address(), old_state, new_state, true);
+    OnTypeFeedbackChanged(vector, old_state, new_state);
     TRACE_VECTOR_IC("CallIC (custom handler)", name, old_state, new_state);
     return true;
   }
@@ -1966,13 +2011,12 @@ bool CallIC::DoCustomHandler(Handle<Object> receiver, Handle<Object> function,
 
 void CallIC::PatchMegamorphic(Handle<Object> function,
                               Handle<TypeFeedbackVector> vector,
-                              Handle<Smi> slot) {
+                              FeedbackVectorICSlot slot) {
   CallICState state(target()->extra_ic_state());
   IC::State old_state = FeedbackToState(vector, slot);
 
   // We are going generic.
-  vector->set(slot->value(),
-              *TypeFeedbackVector::MegamorphicSentinel(isolate()),
+  vector->Set(slot, *TypeFeedbackVector::MegamorphicSentinel(isolate()),
               SKIP_WRITE_BARRIER);
 
   CallICStub stub(isolate(), state);
@@ -1986,25 +2030,25 @@ void CallIC::PatchMegamorphic(Handle<Object> function,
   }
 
   IC::State new_state = FeedbackToState(vector, slot);
-  OnTypeFeedbackChanged(isolate(), address(), old_state, new_state, true);
+  OnTypeFeedbackChanged(vector, old_state, new_state);
   TRACE_VECTOR_IC("CallIC", name, old_state, new_state);
 }
 
 
 void CallIC::HandleMiss(Handle<Object> receiver, Handle<Object> function,
-                        Handle<TypeFeedbackVector> vector, Handle<Smi> slot) {
+                        Handle<TypeFeedbackVector> vector,
+                        FeedbackVectorICSlot slot) {
   CallICState state(target()->extra_ic_state());
   IC::State old_state = FeedbackToState(vector, slot);
   Handle<Object> name = isolate()->factory()->empty_string();
-  Object* feedback = vector->get(slot->value());
+  Object* feedback = vector->Get(slot);
 
   // Hand-coded MISS handling is easier if CallIC slots don't contain smis.
   DCHECK(!feedback->IsSmi());
 
   if (feedback->IsJSFunction() || !function->IsJSFunction()) {
     // We are going generic.
-    vector->set(slot->value(),
-                *TypeFeedbackVector::MegamorphicSentinel(isolate()),
+    vector->Set(slot, *TypeFeedbackVector::MegamorphicSentinel(isolate()),
                 SKIP_WRITE_BARRIER);
   } else {
     // The feedback is either uninitialized or an allocation site.
@@ -2022,7 +2066,7 @@ void CallIC::HandleMiss(Handle<Object> receiver, Handle<Object> function,
       return;
     }
 
-    vector->set(slot->value(), *function);
+    vector->Set(slot, *function);
   }
 
   if (function->IsJSFunction()) {
@@ -2031,7 +2075,7 @@ void CallIC::HandleMiss(Handle<Object> receiver, Handle<Object> function,
   }
 
   IC::State new_state = FeedbackToState(vector, slot);
-  OnTypeFeedbackChanged(isolate(), address(), old_state, new_state, true);
+  OnTypeFeedbackChanged(vector, old_state, new_state);
   TRACE_VECTOR_IC("CallIC", name, old_state, new_state);
 }
 
@@ -2053,7 +2097,8 @@ RUNTIME_FUNCTION(CallIC_Miss) {
   Handle<Object> function = args.at<Object>(1);
   Handle<TypeFeedbackVector> vector = args.at<TypeFeedbackVector>(2);
   Handle<Smi> slot = args.at<Smi>(3);
-  ic.HandleMiss(receiver, function, vector, slot);
+  FeedbackVectorICSlot vector_slot = vector->ToICSlot(slot->value());
+  ic.HandleMiss(receiver, function, vector, vector_slot);
   return *function;
 }
 
@@ -2067,7 +2112,8 @@ RUNTIME_FUNCTION(CallIC_Customization_Miss) {
   Handle<Object> function = args.at<Object>(1);
   Handle<TypeFeedbackVector> vector = args.at<TypeFeedbackVector>(2);
   Handle<Smi> slot = args.at<Smi>(3);
-  ic.PatchMegamorphic(function, vector, slot);
+  FeedbackVectorICSlot vector_slot = vector->ToICSlot(slot->value());
+  ic.PatchMegamorphic(function, vector, vector_slot);
   return *function;
 }