Use Cells to check prototype chain validity (disabled by default).

src/ic/arm/handler-compiler-arm.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #if V8_TARGET_ARCH_ARM
 
 #include "src/ic/call-optimization.h"
 #include "src/ic/handler-compiler.h"
@@ skipping 393 matching lines @@
       }
       __ b(eq, &do_store);
     }
     __ bind(&do_store);
   }
 }
 
 
 Register PropertyHandlerCompiler::CheckPrototypes(
     Register object_reg, Register holder_reg, Register scratch1,
-    Register scratch2, Handle<Name> name, Label* miss,
-    PrototypeCheckType check) {
+    Register scratch2, Handle<Name> name, Label* miss, PrototypeCheckType check,
+    ReturnHolder return_what) {
   Handle<Map> receiver_map = map();
 
   // Make sure there's no overlap between holder and object registers.
   DCHECK(!scratch1.is(object_reg) && !scratch1.is(holder_reg));
   DCHECK(!scratch2.is(object_reg) && !scratch2.is(holder_reg) &&
          !scratch2.is(scratch1));
 
+  if (FLAG_eliminate_prototype_chain_checks) {
+    Handle<Cell> validity_cell =
+        Map::GetOrCreatePrototypeChainValidityCell(receiver_map, isolate());
+    if (!validity_cell.is_null()) {
+      DCHECK(validity_cell->value() == Smi::FromInt(Map::kPrototypeChainValid));

[Toon Verwaest, 2015/04/07 09:28:37]

DCHECK_EQ

[Jakob Kummerow, 2015/04/14 09:41:57]

Done.

+      __ mov(scratch1, Operand(validity_cell));
+      __ ldr(scratch1, FieldMemOperand(scratch1, Cell::kValueOffset));
+      __ cmp(scratch1, Operand(Smi::FromInt(Map::kPrototypeChainValid)));
+      __ b(ne, miss);
+    }
+
+    // The prototype chain of primitives (and their JSValue wrappers) depends
+    // on the native context, which can't be guarded by validity cells.
+    // |object_reg| holds the native context specific prototype in this case;
+    // we need to check its map.
+    if (check == CHECK_ALL_MAPS) {
+      __ ldr(scratch1, FieldMemOperand(object_reg, HeapObject::kMapOffset));

[Toon Verwaest, 2015/04/07 09:28:38]

I think you just want to rewrite this code (and its client). Rather than
dynamically loading the right prototype, you want to verify the validity cell
for that prototype. Additionally here you need to check that the current context
matches the expected one (via esi/cp/rsi/...).

[Jakob Kummerow, 2015/04/14 09:41:57]

Acknowledged.

+      Handle<WeakCell> cell = Map::WeakCellForMap(receiver_map);
+      __ CmpWeakValue(scratch1, cell, scratch2);
+      __ b(ne, miss);
+    }
+  }
+
   // Keep track of the current object in register reg.
   Register reg = object_reg;
   int depth = 0;
 
   Handle<JSObject> current = Handle<JSObject>::null();
   if (receiver_map->IsJSGlobalObjectMap()) {
     current = isolate()->global_object();
   }
 
   // Check access rights to the global object.  This has to happen after
@@ skipping 24 matching lines @@
         !current_map->IsJSGlobalObjectMap()) {
       DCHECK(!current_map->IsJSGlobalProxyMap());  // Proxy maps are fast.
       if (!name->IsUniqueName()) {
         DCHECK(name->IsString());
         name = factory()->InternalizeString(Handle<String>::cast(name));
       }
       DCHECK(current.is_null() ||
              current->property_dictionary()->FindEntry(name) ==
                  NameDictionary::kNotFound);
 
+      if (FLAG_eliminate_prototype_chain_checks && depth > 1) {
+        // TODO(jkummerow): Cache and re-use weak cell.
+        __ LoadWeakValue(reg, isolate()->factory()->NewWeakCell(current), miss);

[Toon Verwaest, 2015/04/07 09:28:37]

In the (near) future we should just drop support for dictionary-mode prototypes
in the IC.

[Jakob Kummerow, 2015/04/14 09:41:57]

Acknowledged.

+      }
       GenerateDictionaryNegativeLookup(masm(), miss, reg, name, scratch1,
                                        scratch2);
-
-      __ ldr(scratch1, FieldMemOperand(reg, HeapObject::kMapOffset));
-      reg = holder_reg;  // From now on the object will be in holder_reg.
-      __ ldr(reg, FieldMemOperand(scratch1, Map::kPrototypeOffset));
+      if (!FLAG_eliminate_prototype_chain_checks) {
+        __ ldr(scratch1, FieldMemOperand(reg, HeapObject::kMapOffset));
+        __ ldr(holder_reg, FieldMemOperand(scratch1, Map::kPrototypeOffset));
+      }
     } else {
       Register map_reg = scratch1;
-      __ ldr(map_reg, FieldMemOperand(reg, HeapObject::kMapOffset));
-
+      if (!FLAG_eliminate_prototype_chain_checks) {
+        __ ldr(map_reg, FieldMemOperand(reg, HeapObject::kMapOffset));
+      }
       if (current_map->IsJSGlobalObjectMap()) {
         GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current),
                                   name, scratch2, miss);
-      } else if (depth != 1 || check == CHECK_ALL_MAPS) {
+      } else if (!FLAG_eliminate_prototype_chain_checks &&
+                 (depth != 1 || check == CHECK_ALL_MAPS)) {
         Handle<WeakCell> cell = Map::WeakCellForMap(current_map);
         __ CmpWeakValue(map_reg, cell, scratch2);
         __ b(ne, miss);
       }
-
-      reg = holder_reg;  // From now on the object will be in holder_reg.
-
-      __ ldr(reg, FieldMemOperand(map_reg, Map::kPrototypeOffset));
+      if (!FLAG_eliminate_prototype_chain_checks) {
+        __ ldr(holder_reg, FieldMemOperand(map_reg, Map::kPrototypeOffset));
+      }
     }
 
+    reg = holder_reg;  // From now on the object will be in holder_reg.
     // Go to the next object in the prototype chain.
     current = prototype;
     current_map = handle(current->map());
   }
 
   DCHECK(!current_map->IsJSGlobalProxyMap());
 
   // Log the check depth.
   LOG(isolate(), IntEvent("check-maps-depth", depth + 1));
 
-  if (depth != 0 || check == CHECK_ALL_MAPS) {
+  if (!FLAG_eliminate_prototype_chain_checks &&
+      (depth != 0 || check == CHECK_ALL_MAPS)) {
     // Check the holder map.
     __ ldr(scratch1, FieldMemOperand(reg, HeapObject::kMapOffset));
     Handle<WeakCell> cell = Map::WeakCellForMap(current_map);
     __ CmpWeakValue(scratch1, cell, scratch2);
     __ b(ne, miss);
   }
 
+  bool return_holder = return_what == RETURN_HOLDER;
+  if (FLAG_eliminate_prototype_chain_checks && return_holder && depth != 0) {
+    __ LoadWeakValue(reg, isolate()->factory()->NewWeakCell(current), miss);
+  }
+
   // Return the register containing the holder.
-  return reg;
+  return return_holder ? reg : no_reg;
 }
 
 
 void NamedLoadHandlerCompiler::FrontendFooter(Handle<Name> name, Label* miss) {
   if (!miss->is_unused()) {
     Label success;
     __ b(&success);
     __ bind(miss);
     if (IC::ICUseVector(kind())) {
       DCHECK(kind() == Code::LOAD_IC);
@@ skipping 194 matching lines @@
   return StoreDescriptor::ValueRegister();
 }
 
 
 Handle<Code> NamedLoadHandlerCompiler::CompileLoadGlobal(
     Handle<PropertyCell> cell, Handle<Name> name, bool is_configurable) {
   Label miss;
   if (IC::ICUseVector(kind())) {
     PushVectorAndSlot();
   }
-  FrontendHeader(receiver(), name, &miss);
+  FrontendHeader(receiver(), name, &miss, DONT_RETURN_ANYTHING);
 
   // Get the value from the cell.
   Register result = StoreDescriptor::ValueRegister();
   Handle<WeakCell> weak_cell = factory()->NewWeakCell(cell);
   __ LoadWeakValue(result, weak_cell, &miss);
   __ ldr(result, FieldMemOperand(result, PropertyCell::kValueOffset));
 
   // Check for deleted property if property can actually be deleted.
   if (is_configurable) {
     __ LoadRoot(ip, Heap::kTheHoleValueRootIndex);
@@ skipping 13 matching lines @@
   // Return the generated code.
   return GetCode(kind(), Code::NORMAL, name);
 }
 
 
 #undef __
 }
 }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_ARM