From: danno@chromium.org <danno@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Tue, 18 Feb 2014 08:34:56 +0000 (+0000)
Subject: Revert r19409: "Allow ICs to be generated for own global proxy."
X-Git-Tag: upstream/4.7.83~10671
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=438db990a0bce21755b920572847731b26cd679e;p=platform%2Fupstream%2Fv8.git

Revert r19409: "Allow ICs to be generated for own global proxy."

Causing Layout test crashes

TBR=verwaest@chromium.org

Review URL: https://codereview.chromium.org/170253002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19423 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---

diff --git a/src/code-stubs-hydrogen.cc b/src/code-stubs-hydrogen.cc
index b7247eb..e1d11fb 100644
--- a/src/code-stubs-hydrogen.cc
+++ b/src/code-stubs-hydrogen.cc
@@ -1051,16 +1051,13 @@ HValue* CodeStubGraphBuilder<StoreGlobalStub>::BuildCodeInitializedStub() {
   Handle<PropertyCell> placeholder_cell =
       isolate()->factory()->NewPropertyCell(placeholer_value);
 
+  HParameter* receiver = GetParameter(0);
   HParameter* value = GetParameter(2);
 
-  if (stub->check_global()) {
-    // Check that the map of the global has not changed: use a placeholder map
-    // that will be replaced later with the global object's map.
-    Handle<Map> placeholder_map = isolate()->factory()->meta_map();
-    HValue* global = Add<HConstant>(
-        StoreGlobalStub::global_placeholder(isolate()));
-    Add<HCheckMaps>(global, placeholder_map, top_info());
-  }
+  // Check that the map of the global has not changed: use a placeholder map
+  // that will be replaced later with the global object's map.
+  Handle<Map> placeholder_map = isolate()->factory()->meta_map();
+  Add<HCheckMaps>(receiver, placeholder_map, top_info());
 
   HValue* cell = Add<HConstant>(placeholder_cell);
   HObjectAccess access(HObjectAccess::ForCellPayload(isolate()));
diff --git a/src/code-stubs.h b/src/code-stubs.h
index 07e34be..90e7c0d 100644
--- a/src/code-stubs.h
+++ b/src/code-stubs.h
@@ -954,27 +954,19 @@ class LoadFieldStub: public HandlerStub {
 
 class StoreGlobalStub : public HandlerStub {
  public:
-  explicit StoreGlobalStub(bool is_constant, bool check_global) {
-    bit_field_ = IsConstantBits::encode(is_constant) |
-        CheckGlobalBits::encode(check_global);
-  }
-
-  static Handle<HeapObject> global_placeholder(Isolate* isolate) {
-    return isolate->factory()->uninitialized_value();
+  explicit StoreGlobalStub(bool is_constant) {
+    bit_field_ = IsConstantBits::encode(is_constant);
   }
 
   Handle<Code> GetCodeCopyFromTemplate(Isolate* isolate,
-                                       GlobalObject* global,
+                                       Map* receiver_map,
                                        PropertyCell* cell) {
     Handle<Code> code = CodeStub::GetCodeCopyFromTemplate(isolate);
-    if (check_global()) {
-      // Replace the placeholder cell and global object map with the actual
-      // global cell and receiver map.
-      code->ReplaceNthObject(1, global_placeholder(isolate)->map(), global);
-      code->ReplaceNthObject(1, isolate->heap()->meta_map(), global->map());
-    }
+    // Replace the placeholder cell and global object map with the actual global
+    // cell and receiver map.
     Map* cell_map = isolate->heap()->global_property_cell_map();
     code->ReplaceNthObject(1, cell_map, cell);
+    code->ReplaceNthObject(1, isolate->heap()->meta_map(), receiver_map);
     return code;
   }
 
@@ -986,12 +978,9 @@ class StoreGlobalStub : public HandlerStub {
       Isolate* isolate,
       CodeStubInterfaceDescriptor* descriptor);
 
-  bool is_constant() const {
+  bool is_constant() {
     return IsConstantBits::decode(bit_field_);
   }
-  bool check_global() const {
-    return CheckGlobalBits::decode(bit_field_);
-  }
   void set_is_constant(bool value) {
     bit_field_ = IsConstantBits::update(bit_field_, value);
   }
@@ -1008,7 +997,6 @@ class StoreGlobalStub : public HandlerStub {
 
   class IsConstantBits: public BitField<bool, 0, 1> {};
   class RepresentationBits: public BitField<Representation::Kind, 1, 8> {};
-  class CheckGlobalBits: public BitField<bool, 9, 1> {};
 
   DISALLOW_COPY_AND_ASSIGN(StoreGlobalStub);
 };
diff --git a/src/ic.cc b/src/ic.cc
index dc9daff..44bc2f2 100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -1069,7 +1069,7 @@ MaybeObject* KeyedLoadIC::Load(Handle<Object> object, Handle<Object> key) {
     maybe_object = LoadIC::Load(object, Handle<String>::cast(key));
     if (maybe_object->IsFailure()) return maybe_object;
   } else if (FLAG_use_ic && !object->IsAccessCheckNeeded()) {
-    ASSERT(!object->IsAccessCheckNeeded());
+    ASSERT(!object->IsJSGlobalProxy());
     if (object->IsString() && key->IsNumber()) {
       if (state() == UNINITIALIZED) stub = string_stub();
     } else if (object->IsJSObject()) {
@@ -1122,9 +1122,7 @@ static bool LookupForWrite(Handle<JSObject> receiver,
     }
 
     if (lookup->IsPropertyCallbacks()) return true;
-    // JSGlobalProxy either stores on the global object in the prototype, or
-    // goes into the runtime if access checks are needed, so this is always
-    // safe.
+    // JSGlobalProxy always goes via the runtime, so it's safe to cache.
     if (receiver->IsJSGlobalProxy()) return true;
     // Currently normal holders in the prototype chain are not supported. They
     // would require a runtime positive lookup and verification that the details
@@ -1311,7 +1309,7 @@ Handle<Code> StoreIC::CompileHandler(LookupResult* lookup,
                                      Handle<String> name,
                                      Handle<Object> value,
                                      InlineCacheHolderFlag cache_holder) {
-  if (object->IsAccessCheckNeeded()) return slow_stub();
+  if (object->IsJSGlobalProxy()) return slow_stub();
   ASSERT(cache_holder == OWN_MAP);
   // This is currently guaranteed by checks in StoreIC::Store.
   Handle<JSObject> receiver = Handle<JSObject>::cast(object);
@@ -1339,19 +1337,17 @@ Handle<Code> StoreIC::CompileHandler(LookupResult* lookup,
     }
     case NORMAL:
       if (kind() == Code::KEYED_STORE_IC) break;
-      if (receiver->IsJSGlobalProxy() || receiver->IsGlobalObject()) {
+      if (receiver->IsGlobalObject()) {
         // The stub generated for the global object picks the value directly
         // from the property cell. So the property must be directly on the
         // global object.
-        Handle<GlobalObject> global = receiver->IsJSGlobalProxy()
-            ? handle(GlobalObject::cast(receiver->GetPrototype()))
-            : Handle<GlobalObject>::cast(receiver);
+        Handle<GlobalObject> global = Handle<GlobalObject>::cast(receiver);
         Handle<PropertyCell> cell(global->GetPropertyCell(lookup), isolate());
         Handle<HeapType> union_type = PropertyCell::UpdatedType(cell, value);
-        StoreGlobalStub stub(
-            union_type->IsConstant(), receiver->IsJSGlobalProxy());
+        StoreGlobalStub stub(union_type->IsConstant());
+
         Handle<Code> code = stub.GetCodeCopyFromTemplate(
-            isolate(), *global, *cell);
+            isolate(), receiver->map(), *cell);
         // TODO(verwaest): Move caching of these NORMAL stubs outside as well.
         HeapObject::UpdateMapCodeCache(receiver, name, code);
         return code;
@@ -1688,7 +1684,7 @@ MaybeObject* KeyedStoreIC::Store(Handle<Object> object,
     }
 
     if (use_ic) {
-      ASSERT(!object->IsAccessCheckNeeded());
+      ASSERT(!object->IsJSGlobalProxy());
 
       if (object->IsJSObject()) {
         Handle<JSObject> receiver = Handle<JSObject>::cast(object);
diff --git a/src/isolate.cc b/src/isolate.cc
index ca32460..a008b6a 100644
--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -778,7 +778,7 @@ static MayAccessDecision MayAccessPreCheck(Isolate* isolate,
 
 bool Isolate::MayNamedAccess(JSObject* receiver, Object* key,
                              v8::AccessType type) {
-  ASSERT(receiver->IsJSGlobalProxy() || receiver->IsAccessCheckNeeded());
+  ASSERT(receiver->IsAccessCheckNeeded());
 
   // The callers of this method are not expecting a GC.
   DisallowHeapAllocation no_gc;
@@ -829,7 +829,7 @@ bool Isolate::MayNamedAccess(JSObject* receiver, Object* key,
 bool Isolate::MayIndexedAccess(JSObject* receiver,
                                uint32_t index,
                                v8::AccessType type) {
-  ASSERT(receiver->IsJSGlobalProxy() || receiver->IsAccessCheckNeeded());
+  ASSERT(receiver->IsAccessCheckNeeded());
   // Check for compatibility between the security tokens in the
   // current lexical context and the accessed object.
   ASSERT(context());
diff --git a/src/objects-inl.h b/src/objects-inl.h
index 0cc0d09..4cdc073 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -927,8 +927,7 @@ bool Object::IsJSGlobalProxy() {
   bool result = IsHeapObject() &&
                 (HeapObject::cast(this)->map()->instance_type() ==
                  JS_GLOBAL_PROXY_TYPE);
-  ASSERT(!result ||
-         HeapObject::cast(this)->map()->is_access_check_needed());
+  ASSERT(!result || IsAccessCheckNeeded());
   return result;
 }
 
@@ -953,14 +952,8 @@ bool Object::IsUndetectableObject() {
 
 
 bool Object::IsAccessCheckNeeded() {
-  if (!IsHeapObject()) return false;
-  if (IsJSGlobalProxy()) {
-    JSGlobalProxy* proxy = JSGlobalProxy::cast(this);
-    GlobalObject* global =
-        proxy->GetIsolate()->context()->global_object();
-    return proxy->IsDetachedFrom(global);
-  }
-  return HeapObject::cast(this)->map()->is_access_check_needed();
+  return IsHeapObject()
+    && HeapObject::cast(this)->map()->is_access_check_needed();
 }
 
 
diff --git a/src/runtime.cc b/src/runtime.cc
index 958675a..3ab39ab 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -14649,7 +14649,7 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_IsAccessAllowedForObserver) {
   ASSERT(args.length() == 3);
   CONVERT_ARG_HANDLE_CHECKED(JSFunction, observer, 0);
   CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 1);
-  ASSERT(object->map()->is_access_check_needed());
+  ASSERT(object->IsAccessCheckNeeded());
   Handle<Object> key = args.at<Object>(2);
   SaveContext save(isolate);
   isolate->set_context(observer->context());