Reviewers: Michael Starzinger,
Description:
[turbofan] Don't embed pointer to builtins object in generic lowering.
Accessing the builtins object this way prevents sharing of code across
native contexts; we now load the builtin from the context of the
JS operation instead.
[email protected]
Please review this at https://codereview.chromium.org/879433002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+19, -7 lines):
M src/compiler/js-generic-lowering.cc
Index: src/compiler/js-generic-lowering.cc
diff --git a/src/compiler/js-generic-lowering.cc
b/src/compiler/js-generic-lowering.cc
index
bad30ffd0cea10235c2ca995631adc80cc56c94a..cc72a6b02aa5f38bdb340cbb5a99dc09ce512543
100644
--- a/src/compiler/js-generic-lowering.cc
+++ b/src/compiler/js-generic-lowering.cc
@@ -186,14 +186,26 @@ void JSGenericLowering::ReplaceWithBuiltinCall(Node*
node,
CodeFactory::CallFunction(isolate(), nargs - 1,
NO_CALL_FUNCTION_FLAGS);
CallDescriptor* desc = linkage()->GetStubCallDescriptor(
callable.descriptor(), nargs, FlagsForNode(node), properties);
- // TODO(mstarzinger): Accessing the builtins object this way prevents
sharing
- // of code across native contexts. Fix this by loading from given
context.
- Handle<JSFunction> function(
-
JSFunction::cast(info()->context()->builtins()->javascript_builtin(id)));
+ Node* context = NodeProperties::GetContextInput(node);
+ Node* effect = NodeProperties::GetEffectInput(node);
+ CHECK(effect->op()->EffectOutputCount() > 0);
+ Node* global_object =
+ graph()->NewNode(machine()->Load(kMachAnyTagged), context,
+ jsgraph()->IntPtrConstant(
+
Context::SlotOffset(Context::GLOBAL_OBJECT_INDEX)),
+ effect, graph()->start());
+ Node* builtins_object = graph()->NewNode(
+ machine()->Load(kMachAnyTagged), global_object,
+ jsgraph()->IntPtrConstant(GlobalObject::kBuiltinsOffset -
kHeapObjectTag),
+ effect, graph()->start());
+ Node* function = graph()->NewNode(
+ machine()->Load(kMachAnyTagged), builtins_object,
+
jsgraph()->IntPtrConstant(JSBuiltinsObject::OffsetOfFunctionWithId(id) -
+ kHeapObjectTag),
+ effect, graph()->start());
Node* stub_code = jsgraph()->HeapConstant(callable.code());
- Node* function_node = jsgraph()->HeapConstant(function);
PatchInsertInput(node, 0, stub_code);
- PatchInsertInput(node, 1, function_node);
+ PatchInsertInput(node, 1, function);
PatchOperator(node, common()->Call(desc));
}
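Review bot: The three raw loads added to ReplaceWithBuiltinCall mix two offset conventions without saying why: `Context::SlotOffset(Context::GLOBAL_OBJECT_INDEX)` is passed as-is, while the builtins-object and function offsets subtract `kHeapObjectTag` by hand. Presumably `SlotOffset` already yields an untagged offset, but a wrong adjustment here gives a misaligned load whose result is handed to the call stub as the callee, with no counterpart to the `JSFunction::cast` that the removed code went through. I would add a comment above the first load, e.g. `// SlotOffset() is already untagged; the raw field offsets below are not.`, and a second one stating that all three loads deliberately share the incoming `effect` and use `graph()->start()` as control because these fields are assumed not to change after context setup. The start of the function body lies outside this hunk.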
@@ -291,8 +303,8 @@ void JSGenericLowering::LowerJSStoreNamed(Node* node) {
void JSGenericLowering::LowerJSDeleteProperty(Node* node) {
StrictMode strict_mode = OpParameter<StrictMode>(node);
- PatchInsertInput(node, 2, jsgraph()->SmiConstant(strict_mode));
ReplaceWithBuiltinCall(node, Builtins::DELETE, 3);
+ PatchInsertInput(node, 4, jsgraph()->SmiConstant(strict_mode));
}
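Review bot: The index `4` in LowerJSDeleteProperty is only correct because ReplaceWithBuiltinCall has just inserted exactly two inputs (stub code at 0, function at 1) ahead of the two original value inputs. The call order now matters as well: the helper reads the context and effect inputs from `node`, and as far as I can infer those lookups would land on shifted positions if the extra input were inserted first. Neither dependency is visible at this call site, so a later change to the helper could silently put the strict-mode Smi in the wrong argument slot. I would add a comment such as `// Must follow ReplaceWithBuiltinCall: inputs 0 and 1 are now stub code and function, so the third argument lands at index 4.`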