Update V8 to 006240292e

Author: hashseed

deps/v8/src/builtins/builtins-api.cc

@@ -118,7 +118,8 @@ MUST_USE_RESULT MaybeHandle<Object> HandleApiCallHelper(
     }
     // Rebox the result.
     result->VerifyApiCallResultType();
-    if (!is_construct || result->IsJSObject()) return handle(*result, isolate);
+    if (!is_construct || result->IsJSReceiver())
+      return handle(*result, isolate);
   }
 
   return js_receiver;

deps/v8/src/builtins/builtins-forin-gen.cc

@@ -52,7 +52,7 @@ std::tuple<Node*, Node*, Node*> ForInBuiltinsAssembler::EmitForInPrepare(
   GotoIf(WordEqual(enum_length, SmiConstant(0)), nothing_to_iterate);
   Node* descriptors = LoadMapDescriptors(map);
   Node* cache_offset =
-      LoadObjectField(descriptors, DescriptorArray::kEnumCacheOffset);
+      LoadObjectField(descriptors, DescriptorArray::kEnumCacheBridgeOffset);
   Node* enum_cache = LoadObjectField(
       cache_offset, DescriptorArray::kEnumCacheBridgeCacheOffset);
 

deps/v8/src/builtins/builtins-handler-gen.cc

@@ -129,21 +129,8 @@ TF_BUILTIN(LoadIC_FunctionPrototype, CodeStubAssembler) {
   Node* vector = Parameter(Descriptor::kVector);
   Node* context = Parameter(Descriptor::kContext);
 
-  Label miss(this);
-
-  Node* proto_or_map =
-      LoadObjectField(receiver, JSFunction::kPrototypeOrInitialMapOffset);
-  GotoIf(IsTheHole(proto_or_map), &miss);
-
-  VARIABLE(var_result, MachineRepresentation::kTagged, proto_or_map);
-  Label done(this, &var_result);
-  GotoIfNot(IsMap(proto_or_map), &done);
-
-  var_result.Bind(LoadMapPrototype(proto_or_map));
-  Goto(&done);
-
-  BIND(&done);
-  Return(var_result.value());
+  Label miss(this, Label::kDeferred);
+  Return(LoadJSFunctionPrototype(receiver, &miss));
 
   BIND(&miss);
   TailCallRuntime(Runtime::kLoadIC_Miss, context, receiver, name, slot, vector);

deps/v8/src/code-stub-assembler.cc

@@ -1430,6 +1430,27 @@ Node* CodeStubAssembler::LoadJSArrayElementsMap(ElementsKind kind,
   return LoadContextElement(native_context, Context::ArrayMapIndex(kind));
 }
 
+Node* CodeStubAssembler::LoadJSFunctionPrototype(Node* function,
+                                                 Label* if_bailout) {
+  CSA_ASSERT(this, TaggedIsNotSmi(function));
+  CSA_ASSERT(this, IsJSFunction(function));
+  CSA_ASSERT(this, IsClearWord32(LoadMapBitField(LoadMap(function)),
+                                 1 << Map::kHasNonInstancePrototype));
+  Node* proto_or_map =
+      LoadObjectField(function, JSFunction::kPrototypeOrInitialMapOffset);
+  GotoIf(IsTheHole(proto_or_map), if_bailout);
+
+  VARIABLE(var_result, MachineRepresentation::kTagged, proto_or_map);
+  Label done(this, &var_result);
+  GotoIfNot(IsMap(proto_or_map), &done);
+
+  var_result.Bind(LoadMapPrototype(proto_or_map));
+  Goto(&done);
+
+  BIND(&done);
+  return var_result.value();
+}
+
 Node* CodeStubAssembler::StoreHeapNumberValue(Node* object, Node* value) {
   return StoreObjectFieldNoWriteBarrier(object, HeapNumber::kValueOffset, value,
                                         MachineRepresentation::kFloat64);
@@ -3159,12 +3180,28 @@ Node* CodeStubAssembler::IsMap(Node* map) {
   return HasInstanceType(map, MAP_TYPE);
 }
 
-Node* CodeStubAssembler::IsJSValue(Node* map) {
-  return HasInstanceType(map, JS_VALUE_TYPE);
+Node* CodeStubAssembler::IsJSValueInstanceType(Node* instance_type) {
+  return Word32Equal(instance_type, Int32Constant(JS_VALUE_TYPE));
+}
+
+Node* CodeStubAssembler::IsJSValue(Node* object) {
+  return IsJSValueMap(LoadMap(object));
+}
+
+Node* CodeStubAssembler::IsJSValueMap(Node* map) {
+  return IsJSValueInstanceType(LoadMapInstanceType(map));
+}
+
+Node* CodeStubAssembler::IsJSArrayInstanceType(Node* instance_type) {
+  return Word32Equal(instance_type, Int32Constant(JS_ARRAY_TYPE));
 }
 
 Node* CodeStubAssembler::IsJSArray(Node* object) {
-  return HasInstanceType(object, JS_ARRAY_TYPE);
+  return IsJSArrayMap(LoadMap(object));
+}
+
+Node* CodeStubAssembler::IsJSArrayMap(Node* map) {
+  return IsJSArrayInstanceType(LoadMapInstanceType(map));
 }
 
 Node* CodeStubAssembler::IsWeakCell(Node* object) {
@@ -3238,8 +3275,16 @@ Node* CodeStubAssembler::IsUnseededNumberDictionary(Node* object) {
                    LoadRoot(Heap::kUnseededNumberDictionaryMapRootIndex));
 }
 
+Node* CodeStubAssembler::IsJSFunctionInstanceType(Node* instance_type) {
+  return Word32Equal(instance_type, Int32Constant(JS_FUNCTION_TYPE));
+}
+
 Node* CodeStubAssembler::IsJSFunction(Node* object) {
-  return HasInstanceType(object, JS_FUNCTION_TYPE);
+  return IsJSFunctionMap(LoadMap(object));
+}
+
+Node* CodeStubAssembler::IsJSFunctionMap(Node* map) {
+  return IsJSFunctionInstanceType(LoadMapInstanceType(map));
 }
 
 Node* CodeStubAssembler::IsJSTypedArray(Node* object) {
@@ -5374,16 +5419,56 @@ Node* CodeStubAssembler::CallGetterIfAccessor(Node* value, Node* details,
   // AccessorInfo case.
   BIND(&if_accessor_info);
   {
-    // TODO(ishell): Consider doing this for the Function.prototype and the
-    // String.length accessor infos as well.
+    Node* accessor_info = value;
     CSA_ASSERT(this, IsAccessorInfo(value));
     CSA_ASSERT(this, TaggedIsNotSmi(receiver));
-    GotoIfNot(IsJSArray(receiver), if_bailout);
-    // The only AccessorInfo on JSArray is the "length" property.
-    CSA_ASSERT(this, IsLengthString(
-                         LoadObjectField(value, AccessorInfo::kNameOffset)));
-    var_value.Bind(LoadJSArrayLength(receiver));
-    Goto(&done);
+    Label if_array(this), if_function(this), if_value(this);
+
+    // Dispatch based on {receiver} instance type.
+    Node* receiver_map = LoadMap(receiver);
+    Node* receiver_instance_type = LoadMapInstanceType(receiver_map);
+    GotoIf(IsJSArrayInstanceType(receiver_instance_type), &if_array);
+    GotoIf(IsJSFunctionInstanceType(receiver_instance_type), &if_function);
+    Branch(IsJSValueInstanceType(receiver_instance_type), &if_value,
+           if_bailout);
+
+    // JSArray AccessorInfo case.
+    BIND(&if_array);
+    {
+      // The only AccessorInfo on JSArray is the "length" property.
+      CSA_ASSERT(this, IsLengthString(LoadObjectField(
+                           accessor_info, AccessorInfo::kNameOffset)));
+      var_value.Bind(LoadJSArrayLength(receiver));
+      Goto(&done);
+    }
+
+    // JSFunction AccessorInfo case.
+    BIND(&if_function);
+    {
+      // We only deal with the "prototype" accessor on JSFunction here.
+      GotoIfNot(IsPrototypeString(
+                    LoadObjectField(accessor_info, AccessorInfo::kNameOffset)),
+                if_bailout);
+      GotoIf(IsSetWord32(LoadMapBitField(receiver_map),
+                         1 << Map::kHasNonInstancePrototype),
+             if_bailout);
+      var_value.Bind(LoadJSFunctionPrototype(receiver, if_bailout));
+      Goto(&done);
+    }
+
+    // JSValue AccessorInfo case.
+    BIND(&if_value);
+    {
+      // We only deal with the "length" accessor on JSValue string wrappers.
+      GotoIfNot(IsLengthString(
+                    LoadObjectField(accessor_info, AccessorInfo::kNameOffset)),
+                if_bailout);
+      Node* receiver_value = LoadJSValueValue(receiver);
+      GotoIfNot(TaggedIsNotSmi(receiver_value), if_bailout);
+      GotoIfNot(IsString(receiver_value), if_bailout);
+      var_value.Bind(LoadStringLength(receiver_value));
+      Goto(&done);
+    }
   }
 
   BIND(&done);

deps/v8/src/code-stub-assembler.h

@@ -29,6 +29,7 @@ enum class PrimitiveType { kBoolean, kNumber, kString, kSymbol };
   V(CodeMap, CodeMap)                                 \
   V(empty_string, EmptyString)                        \
   V(length_string, LengthString)                      \
+  V(prototype_string, PrototypeString)                \
   V(EmptyFixedArray, EmptyFixedArray)                 \
   V(FalseValue, False)                                \
   V(FixedArrayMap, FixedArrayMap)                     \
@@ -466,6 +467,9 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
 
   Node* LoadJSArrayElementsMap(ElementsKind kind, Node* native_context);
 
+  // Load the "prototype" property of a JSFunction.
+  Node* LoadJSFunctionPrototype(Node* function, Label* if_bailout);
+
   // Store the floating point value of a HeapNumber.
   Node* StoreHeapNumberValue(Node* object, Node* value);
   // Store a field to an object on the heap.
@@ -751,16 +755,22 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
   Node* IsName(Node* object);
   Node* IsSymbol(Node* object);
   Node* IsPrivateSymbol(Node* object);
+  Node* IsJSValueInstanceType(Node* instance_type);
   Node* IsJSValue(Node* object);
+  Node* IsJSValueMap(Node* map);
+  Node* IsJSArrayInstanceType(Node* instance_type);
   Node* IsJSArray(Node* object);
+  Node* IsJSArrayMap(Node* object);
   Node* IsNativeContext(Node* object);
   Node* IsWeakCell(Node* object);
   Node* IsFixedDoubleArray(Node* object);
   Node* IsHashTable(Node* object);
   Node* IsDictionary(Node* object);
   Node* IsUnseededNumberDictionary(Node* object);
   Node* IsConstructorMap(Node* map);
+  Node* IsJSFunctionInstanceType(Node* instance_type);
   Node* IsJSFunction(Node* object);
+  Node* IsJSFunctionMap(Node* object);
   Node* IsJSTypedArray(Node* object);
   Node* IsJSArrayBuffer(Node* object);
   Node* IsFixedTypedArray(Node* object);

deps/v8/src/compiler/access-builder.cc

@@ -412,9 +412,9 @@ FieldAccess AccessBuilder::ForFixedTypedArrayBaseExternalPointer() {
 }
 
 // static
-FieldAccess AccessBuilder::ForDescriptorArrayEnumCache() {
+FieldAccess AccessBuilder::ForDescriptorArrayEnumCacheBridge() {
   FieldAccess access = {
-      kTaggedBase,           DescriptorArray::kEnumCacheOffset,
+      kTaggedBase,           DescriptorArray::kEnumCacheBridgeOffset,
       Handle<Name>(),        MaybeHandle<Map>(),
       Type::OtherInternal(), MachineType::TaggedPointer(),
       kPointerWriteBarrier};

deps/v8/src/compiler/access-builder.h

@@ -140,8 +140,8 @@ class V8_EXPORT_PRIVATE AccessBuilder final
   // Provides access to FixedTypedArrayBase::external_pointer() field.
   static FieldAccess ForFixedTypedArrayBaseExternalPointer();
 
-  // Provides access to DescriptorArray::enum_cache() field.
-  static FieldAccess ForDescriptorArrayEnumCache();
+  // Provides access to DescriptorArray::enum_cache_bridge() field.
+  static FieldAccess ForDescriptorArrayEnumCacheBridge();
 
   // Provides access to DescriptorArray::enum_cache_bridge_cache() field.
   static FieldAccess ForDescriptorArrayEnumCacheBridgeCache();

deps/v8/src/compiler/ast-graph-builder.cc

@@ -3016,8 +3016,9 @@ void AstGraphBuilder::Environment::PrepareForOsrEntry() {
   // Set the control and effect to the OSR loop entry.
   Node* osr_loop_entry = graph->NewNode(builder_->common()->OsrLoopEntry(),
                                         graph->start(), graph->start());
+  Node* effect = osr_loop_entry;
   UpdateControlDependency(osr_loop_entry);
-  UpdateEffectDependency(osr_loop_entry);
+  UpdateEffectDependency(effect);
 
   // Set OSR values.
   for (int i = 0; i < size; ++i) {
@@ -3030,30 +3031,11 @@ void AstGraphBuilder::Environment::PrepareForOsrEntry() {
       builder_->common()->OsrValue(Linkage::kOsrContextSpillSlotIndex);
   contexts()->back() = graph->NewNode(op_inner, osr_loop_entry);
 
-  // Create a checkpoint.
-  Node* frame_state = Checkpoint(builder_->info()->osr_ast_id());
-  Node* checkpoint = graph->NewNode(common()->Checkpoint(), frame_state,
-                                    osr_loop_entry, osr_loop_entry);
-  UpdateEffectDependency(checkpoint);
-
-  // Create the OSR guard nodes.
-  const Operator* guard_op =
-      builder_->info()->is_deoptimization_enabled()
-          ? builder_->common()->OsrGuard(OsrGuardType::kUninitialized)
-          : builder_->common()->OsrGuard(OsrGuardType::kAny);
-  Node* effect = checkpoint;
-  for (int i = 0; i < size; ++i) {
-    values()->at(i) = effect =
-        graph->NewNode(guard_op, values()->at(i), effect, osr_loop_entry);
-  }
-  contexts()->back() = effect =
-      graph->NewNode(guard_op, contexts()->back(), effect, osr_loop_entry);
-
   // The innermost context is the OSR value, and the outer contexts are
   // reconstructed by dynamically walking up the context chain.
   const Operator* load_op =
       builder_->javascript()->LoadContext(0, Context::PREVIOUS_INDEX, true);
-  Node* osr_context = effect = contexts()->back();
+  Node* osr_context = contexts()->back();
   int last = static_cast<int>(contexts()->size() - 1);
   for (int i = last - 1; i >= 0; i--) {
     osr_context = effect = graph->NewNode(load_op, osr_context, effect);

deps/v8/src/compiler/bytecode-graph-builder.cc

@@ -318,24 +318,6 @@ void BytecodeGraphBuilder::Environment::PrepareForOsrEntry() {
     if (i >= accumulator_base()) idx = Linkage::kOsrAccumulatorRegisterIndex;
     values()->at(i) = graph()->NewNode(common()->OsrValue(idx), entry);
   }
-
-  BailoutId loop_id(builder_->bytecode_iterator().current_offset());
-  Node* frame_state =
-      Checkpoint(loop_id, OutputFrameStateCombine::Ignore(), false, nullptr);
-  Node* checkpoint =
-      graph()->NewNode(common()->Checkpoint(), frame_state, entry, entry);
-  UpdateEffectDependency(checkpoint);
-
-  // Create the OSR guard nodes.
-  const Operator* guard_op = common()->OsrGuard(OsrGuardType::kUninitialized);
-  Node* effect = checkpoint;
-  for (int i = 0; i < size; i++) {
-    values()->at(i) = effect =
-        graph()->NewNode(guard_op, values()->at(i), effect, entry);
-  }
-  Node* context = effect = graph()->NewNode(guard_op, Context(), effect, entry);
-  SetContext(context);
-  UpdateEffectDependency(effect);
 }
 
 bool BytecodeGraphBuilder::Environment::StateValuesRequireUpdate(

deps/v8/src/compiler/common-operator.cc

@@ -307,26 +307,6 @@ int OsrValueIndexOf(Operator const* op) {
   return OpParameter<int>(op);
 }
 
-size_t hash_value(OsrGuardType type) { return static_cast<size_t>(type); }
-
-std::ostream& operator<<(std::ostream& os, OsrGuardType type) {
-  switch (type) {
-    case OsrGuardType::kUninitialized:
-      return os << "Uninitialized";
-    case OsrGuardType::kSignedSmall:
-      return os << "SignedSmall";
-    case OsrGuardType::kAny:
-      return os << "Any";
-  }
-  UNREACHABLE();
-  return os;
-}
-
-OsrGuardType OsrGuardTypeOf(Operator const* op) {
-  DCHECK_EQ(IrOpcode::kOsrGuard, op->opcode());
-  return OpParameter<OsrGuardType>(op);
-}
-
 SparseInputMask SparseInputMaskOf(Operator const* op) {
   DCHECK(op->opcode() == IrOpcode::kStateValues ||
          op->opcode() == IrOpcode::kTypedStateValues);
@@ -1010,14 +990,6 @@ const Operator* CommonOperatorBuilder::OsrValue(int index) {
       index);                                        // parameter
 }
 
-const Operator* CommonOperatorBuilder::OsrGuard(OsrGuardType type) {
-  return new (zone()) Operator1<OsrGuardType>(  // --
-      IrOpcode::kOsrGuard, Operator::kNoThrow,  // opcode
-      "OsrGuard",                               // name
-      1, 1, 1, 1, 1, 0,                         // counts
-      type);                                    // parameter
-}
-
 const Operator* CommonOperatorBuilder::Int32Constant(int32_t value) {
   return new (zone()) Operator1<int32_t>(         // --
       IrOpcode::kInt32Constant, Operator::kPure,  // opcode

deps/v8/src/compiler/common-operator.h

@@ -287,11 +287,6 @@ Type* TypeGuardTypeOf(Operator const*) WARN_UNUSED_RESULT;
 
 int OsrValueIndexOf(Operator const*);
 
-enum class OsrGuardType { kUninitialized, kSignedSmall, kAny };
-size_t hash_value(OsrGuardType type);
-std::ostream& operator<<(std::ostream&, OsrGuardType);
-OsrGuardType OsrGuardTypeOf(Operator const*);
-
 SparseInputMask SparseInputMaskOf(Operator const*);
 
 ZoneVector<MachineType> const* MachineTypesOf(Operator const*)
@@ -337,7 +332,6 @@ class V8_EXPORT_PRIVATE CommonOperatorBuilder final
   const Operator* OsrNormalEntry();
   const Operator* OsrLoopEntry();
   const Operator* OsrValue(int index);
-  const Operator* OsrGuard(OsrGuardType type);
 
   const Operator* Int32Constant(int32_t);
   const Operator* Int64Constant(int64_t);