// Copyright 2014 the V8 project authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "src/ast/ast.h" #include "src/common/globals.h" #include "src/execution/arguments-inl.h" #include "src/execution/isolate-inl.h" #include "src/logging/counters.h" #include "src/objects/allocation-site-scopes-inl.h" #include "src/objects/hash-table-inl.h" #include "src/objects/heap-number-inl.h" #include "src/objects/heap-object-inl.h" #include "src/objects/js-regexp-inl.h" #include "src/objects/literal-objects-inl.h" #include "src/runtime/runtime-utils.h" #include "src/runtime/runtime.h" namespace v8 { namespace internal { namespace { bool IsUninitializedLiteralSite(Object literal_site) { return literal_site == Smi::zero(); } bool HasBoilerplate(Handle literal_site) { return !literal_site->IsSmi(); } void PreInitializeLiteralSite(Handle vector, FeedbackSlot slot) { vector->SynchronizedSet(slot, Smi::FromInt(1)); } template class JSObjectWalkVisitor { public: explicit JSObjectWalkVisitor(ContextObject* site_context) : site_context_(site_context) {} V8_WARN_UNUSED_RESULT MaybeHandle StructureWalk( Handle object); protected: V8_WARN_UNUSED_RESULT inline MaybeHandle VisitElementOrProperty( Handle object, Handle value) { // Dont create allocation sites for nested object literals if (!value->IsJSArray()) { return StructureWalk(value); } Handle current_site = site_context()->EnterNewScope(); MaybeHandle copy_of_value = StructureWalk(value); site_context()->ExitScope(current_site, value); return copy_of_value; } inline ContextObject* site_context() { return site_context_; } inline Isolate* isolate() { return site_context()->isolate(); } private: ContextObject* site_context_; }; template MaybeHandle JSObjectWalkVisitor::StructureWalk( Handle object) { Isolate* isolate = this->isolate(); bool copying = ContextObject::kCopying; { StackLimitCheck check(isolate); if (check.HasOverflowed()) { isolate->StackOverflow(); return MaybeHandle(); } } if (object->map(isolate).is_deprecated()) { base::SharedMutexGuard mutex_guard( isolate->boilerplate_migration_access()); JSObject::MigrateInstance(isolate, object); } Handle copy; if (copying) { // JSFunction objects are not allowed to be in normal boilerplates at all. DCHECK(!object->IsJSFunction(isolate)); Handle site_to_pass; if (site_context()->ShouldCreateMemento(object)) { site_to_pass = site_context()->current(); } copy = isolate->factory()->CopyJSObjectWithAllocationSite(object, site_to_pass); } else { copy = object; } DCHECK(copying || copy.is_identical_to(object)); HandleScope scope(isolate); // Deep copy own properties. Arrays only have 1 property "length". if (!copy->IsJSArray(isolate)) { if (copy->HasFastProperties(isolate)) { Handle descriptors( copy->map(isolate).instance_descriptors(isolate), isolate); for (InternalIndex i : copy->map(isolate).IterateOwnDescriptors()) { PropertyDetails details = descriptors->GetDetails(i); DCHECK_EQ(PropertyLocation::kField, details.location()); DCHECK_EQ(PropertyKind::kData, details.kind()); FieldIndex index = FieldIndex::ForPropertyIndex( copy->map(isolate), details.field_index(), details.representation()); Object raw = copy->RawFastPropertyAt(isolate, index); if (raw.IsJSObject(isolate)) { Handle value(JSObject::cast(raw), isolate); ASSIGN_RETURN_ON_EXCEPTION( isolate, value, VisitElementOrProperty(copy, value), JSObject); if (copying) copy->FastPropertyAtPut(index, *value); } else if (copying && details.representation().IsDouble()) { uint64_t double_value = HeapNumber::cast(raw).value_as_bits(kRelaxedLoad); auto value = isolate->factory()->NewHeapNumberFromBits(double_value); copy->FastPropertyAtPut(index, *value); } } } else { if (V8_ENABLE_SWISS_NAME_DICTIONARY_BOOL) { Handle dict( copy->property_dictionary_swiss(isolate), isolate); for (InternalIndex i : dict->IterateEntries()) { Object raw = dict->ValueAt(i); if (!raw.IsJSObject(isolate)) continue; DCHECK(dict->KeyAt(i).IsName()); Handle value(JSObject::cast(raw), isolate); ASSIGN_RETURN_ON_EXCEPTION( isolate, value, VisitElementOrProperty(copy, value), JSObject); if (copying) dict->ValueAtPut(i, *value); } } else { Handle dict(copy->property_dictionary(isolate), isolate); for (InternalIndex i : dict->IterateEntries()) { Object raw = dict->ValueAt(isolate, i); if (!raw.IsJSObject(isolate)) continue; DCHECK(dict->KeyAt(isolate, i).IsName()); Handle value(JSObject::cast(raw), isolate); ASSIGN_RETURN_ON_EXCEPTION( isolate, value, VisitElementOrProperty(copy, value), JSObject); if (copying) dict->ValueAtPut(i, *value); } } } // Assume non-arrays don't end up having elements. if (copy->elements(isolate).length() == 0) return copy; } // Deep copy own elements. switch (copy->GetElementsKind(isolate)) { case PACKED_ELEMENTS: case PACKED_FROZEN_ELEMENTS: case PACKED_SEALED_ELEMENTS: case PACKED_NONEXTENSIBLE_ELEMENTS: case HOLEY_FROZEN_ELEMENTS: case HOLEY_SEALED_ELEMENTS: case HOLEY_NONEXTENSIBLE_ELEMENTS: case HOLEY_ELEMENTS: { Handle elements(FixedArray::cast(copy->elements(isolate)), isolate); if (elements->map(isolate) == ReadOnlyRoots(isolate).fixed_cow_array_map()) { #ifdef DEBUG for (int i = 0; i < elements->length(); i++) { DCHECK(!elements->get(i).IsJSObject()); } #endif } else { for (int i = 0; i < elements->length(); i++) { Object raw = elements->get(isolate, i); if (!raw.IsJSObject(isolate)) continue; Handle value(JSObject::cast(raw), isolate); ASSIGN_RETURN_ON_EXCEPTION( isolate, value, VisitElementOrProperty(copy, value), JSObject); if (copying) elements->set(i, *value); } } break; } case DICTIONARY_ELEMENTS: { Handle element_dictionary( copy->element_dictionary(isolate), isolate); for (InternalIndex i : element_dictionary->IterateEntries()) { Object raw = element_dictionary->ValueAt(isolate, i); if (!raw.IsJSObject(isolate)) continue; Handle value(JSObject::cast(raw), isolate); ASSIGN_RETURN_ON_EXCEPTION( isolate, value, VisitElementOrProperty(copy, value), JSObject); if (copying) element_dictionary->ValueAtPut(i, *value); } break; } case FAST_SLOPPY_ARGUMENTS_ELEMENTS: case SLOW_SLOPPY_ARGUMENTS_ELEMENTS: UNIMPLEMENTED(); break; case FAST_STRING_WRAPPER_ELEMENTS: case SLOW_STRING_WRAPPER_ELEMENTS: case WASM_ARRAY_ELEMENTS: UNREACHABLE(); #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype) case TYPE##_ELEMENTS: TYPED_ARRAYS(TYPED_ARRAY_CASE) RAB_GSAB_TYPED_ARRAYS(TYPED_ARRAY_CASE) #undef TYPED_ARRAY_CASE // Typed elements cannot be created using an object literal. UNREACHABLE(); case PACKED_SMI_ELEMENTS: case HOLEY_SMI_ELEMENTS: case PACKED_DOUBLE_ELEMENTS: case HOLEY_DOUBLE_ELEMENTS: case NO_ELEMENTS: // No contained objects, nothing to do. break; } return copy; } class DeprecationUpdateContext { public: explicit DeprecationUpdateContext(Isolate* isolate) { isolate_ = isolate; } Isolate* isolate() { return isolate_; } bool ShouldCreateMemento(Handle object) { return false; } inline void ExitScope(Handle scope_site, Handle object) {} Handle EnterNewScope() { return Handle(); } Handle current() { UNREACHABLE(); } static const bool kCopying = false; private: Isolate* isolate_; }; // AllocationSiteCreationContext aids in the creation of AllocationSites to // accompany object literals. class AllocationSiteCreationContext : public AllocationSiteContext { public: explicit AllocationSiteCreationContext(Isolate* isolate) : AllocationSiteContext(isolate) {} Handle EnterNewScope() { Handle scope_site; if (top().is_null()) { // We are creating the top level AllocationSite as opposed to a nested // AllocationSite. InitializeTraversal(isolate()->factory()->NewAllocationSite(true)); scope_site = Handle(*top(), isolate()); if (FLAG_trace_creation_allocation_sites) { PrintF("*** Creating top level %s AllocationSite %p\n", "Fat", reinterpret_cast(scope_site->ptr())); } } else { DCHECK(!current().is_null()); scope_site = isolate()->factory()->NewAllocationSite(false); if (FLAG_trace_creation_allocation_sites) { PrintF( "*** Creating nested %s AllocationSite (top, current, new) (%p, " "%p, " "%p)\n", "Slim", reinterpret_cast(top()->ptr()), reinterpret_cast(current()->ptr()), reinterpret_cast(scope_site->ptr())); } current()->set_nested_site(*scope_site); update_current_site(*scope_site); } DCHECK(!scope_site.is_null()); return scope_site; } void ExitScope(Handle scope_site, Handle object) { if (object.is_null()) return; scope_site->set_boilerplate(*object, kReleaseStore); if (FLAG_trace_creation_allocation_sites) { bool top_level = !scope_site.is_null() && top().is_identical_to(scope_site); if (top_level) { PrintF("*** Setting AllocationSite %p transition_info %p\n", reinterpret_cast(scope_site->ptr()), reinterpret_cast(object->ptr())); } else { PrintF("*** Setting AllocationSite (%p, %p) transition_info %p\n", reinterpret_cast(top()->ptr()), reinterpret_cast(scope_site->ptr()), reinterpret_cast(object->ptr())); } } } static const bool kCopying = false; }; MaybeHandle DeepWalk(Handle object, DeprecationUpdateContext* site_context) { JSObjectWalkVisitor v(site_context); MaybeHandle result = v.StructureWalk(object); Handle for_assert; DCHECK(!result.ToHandle(&for_assert) || for_assert.is_identical_to(object)); return result; } MaybeHandle DeepWalk(Handle object, AllocationSiteCreationContext* site_context) { JSObjectWalkVisitor v(site_context); MaybeHandle result = v.StructureWalk(object); Handle for_assert; DCHECK(!result.ToHandle(&for_assert) || for_assert.is_identical_to(object)); return result; } MaybeHandle DeepCopy(Handle object, AllocationSiteUsageContext* site_context) { JSObjectWalkVisitor v(site_context); MaybeHandle copy = v.StructureWalk(object); Handle for_assert; DCHECK(!copy.ToHandle(&for_assert) || !for_assert.is_identical_to(object)); return copy; } Handle CreateObjectLiteral( Isolate* isolate, Handle object_boilerplate_description, int flags, AllocationType allocation); Handle CreateArrayLiteral( Isolate* isolate, Handle array_boilerplate_description, AllocationType allocation); struct ObjectLiteralHelper { static inline Handle Create(Isolate* isolate, Handle description, int flags, AllocationType allocation) { Handle object_boilerplate_description = Handle::cast(description); return CreateObjectLiteral(isolate, object_boilerplate_description, flags, allocation); } }; struct ArrayLiteralHelper { static inline Handle Create(Isolate* isolate, Handle description, int flags_not_used, AllocationType allocation) { Handle array_boilerplate_description = Handle::cast(description); return CreateArrayLiteral(isolate, array_boilerplate_description, allocation); } }; Handle CreateObjectLiteral( Isolate* isolate, Handle object_boilerplate_description, int flags, AllocationType allocation) { Handle native_context = isolate->native_context(); bool use_fast_elements = (flags & ObjectLiteral::kFastElements) != 0; bool has_null_prototype = (flags & ObjectLiteral::kHasNullPrototype) != 0; // In case we have function literals, we want the object to be in // slow properties mode for now. We don't go in the map cache because // maps with constant functions can't be shared if the functions are // not the same (which is the common case). int number_of_properties = object_boilerplate_description->backing_store_size(); // Ignoring number_of_properties for force dictionary map with // __proto__:null. Handle map = has_null_prototype ? handle(native_context->slow_object_with_null_prototype_map(), isolate) : isolate->factory()->ObjectLiteralMapFromCache(native_context, number_of_properties); Handle boilerplate = isolate->factory()->NewFastOrSlowJSObjectFromMap( map, number_of_properties, allocation); // Normalize the elements of the boilerplate to save space if needed. if (!use_fast_elements) JSObject::NormalizeElements(boilerplate); // Add the constant properties to the boilerplate. int length = object_boilerplate_description->size(); // TODO(verwaest): Support tracking representations in the boilerplate. for (int index = 0; index < length; index++) { Handle key(object_boilerplate_description->name(isolate, index), isolate); Handle value(object_boilerplate_description->value(isolate, index), isolate); if (value->IsHeapObject()) { if (HeapObject::cast(*value).IsArrayBoilerplateDescription(isolate)) { Handle array_boilerplate = Handle::cast(value); value = CreateArrayLiteral(isolate, array_boilerplate, allocation); } else if (HeapObject::cast(*value).IsObjectBoilerplateDescription( isolate)) { Handle object_boilerplate = Handle::cast(value); value = CreateObjectLiteral(isolate, object_boilerplate, object_boilerplate->flags(), allocation); } } uint32_t element_index = 0; if (key->ToArrayIndex(&element_index)) { // Array index (uint32). if (value->IsUninitialized(isolate)) { value = handle(Smi::zero(), isolate); } JSObject::SetOwnElementIgnoreAttributes(boilerplate, element_index, value, NONE) .Check(); } else { Handle name = Handle::cast(key); DCHECK(!name->AsArrayIndex(&element_index)); JSObject::SetOwnPropertyIgnoreAttributes(boilerplate, name, value, NONE) .Check(); } } if (map->is_dictionary_map() && !has_null_prototype) { // TODO(cbruni): avoid making the boilerplate fast again, the clone stub // supports dict-mode objects directly. JSObject::MigrateSlowToFast( boilerplate, boilerplate->map().UnusedPropertyFields(), "FastLiteral"); } return boilerplate; } Handle CreateArrayLiteral( Isolate* isolate, Handle array_boilerplate_description, AllocationType allocation) { ElementsKind constant_elements_kind = array_boilerplate_description->elements_kind(); Handle constant_elements_values( array_boilerplate_description->constant_elements(isolate), isolate); // Create the JSArray. Handle copied_elements_values; if (IsDoubleElementsKind(constant_elements_kind)) { copied_elements_values = isolate->factory()->CopyFixedDoubleArray( Handle::cast(constant_elements_values)); } else { DCHECK(IsSmiOrObjectElementsKind(constant_elements_kind)); const bool is_cow = (constant_elements_values->map(isolate) == ReadOnlyRoots(isolate).fixed_cow_array_map()); if (is_cow) { copied_elements_values = constant_elements_values; if (DEBUG_BOOL) { Handle fixed_array_values = Handle::cast(copied_elements_values); for (int i = 0; i < fixed_array_values->length(); i++) { DCHECK(!fixed_array_values->get(i).IsFixedArray()); } } } else { Handle fixed_array_values = Handle::cast(constant_elements_values); Handle fixed_array_values_copy = isolate->factory()->CopyFixedArray(fixed_array_values); copied_elements_values = fixed_array_values_copy; for (int i = 0; i < fixed_array_values->length(); i++) { Object value = fixed_array_values_copy->get(isolate, i); HeapObject value_heap_object; if (value.GetHeapObject(isolate, &value_heap_object)) { if (value_heap_object.IsArrayBoilerplateDescription(isolate)) { HandleScope sub_scope(isolate); Handle boilerplate( ArrayBoilerplateDescription::cast(value_heap_object), isolate); Handle result = CreateArrayLiteral(isolate, boilerplate, allocation); fixed_array_values_copy->set(i, *result); } else if (value_heap_object.IsObjectBoilerplateDescription( isolate)) { HandleScope sub_scope(isolate); Handle boilerplate( ObjectBoilerplateDescription::cast(value_heap_object), isolate); Handle result = CreateObjectLiteral( isolate, boilerplate, boilerplate->flags(), allocation); fixed_array_values_copy->set(i, *result); } } } } } return isolate->factory()->NewJSArrayWithElements( copied_elements_values, constant_elements_kind, copied_elements_values->length(), allocation); } template MaybeHandle CreateLiteralWithoutAllocationSite( Isolate* isolate, Handle description, int flags) { Handle literal = LiteralHelper::Create(isolate, description, flags, AllocationType::kYoung); DeprecationUpdateContext update_context(isolate); RETURN_ON_EXCEPTION(isolate, DeepWalk(literal, &update_context), JSObject); return literal; } template MaybeHandle CreateLiteral(Isolate* isolate, MaybeHandle maybe_vector, int literals_index, Handle description, int flags) { if (maybe_vector.is_null()) { return CreateLiteralWithoutAllocationSite( isolate, description, flags); } Handle vector = maybe_vector.ToHandleChecked(); FeedbackSlot literals_slot(FeedbackVector::ToSlot(literals_index)); CHECK(literals_slot.ToInt() < vector->length()); Handle literal_site(vector->Get(literals_slot)->cast(), isolate); Handle site; Handle boilerplate; if (HasBoilerplate(literal_site)) { site = Handle::cast(literal_site); boilerplate = Handle(site->boilerplate(), isolate); } else { // Eagerly create AllocationSites for literals that contain an Array. bool needs_initial_allocation_site = (flags & AggregateLiteral::kNeedsInitialAllocationSite) != 0; if (!needs_initial_allocation_site && IsUninitializedLiteralSite(*literal_site)) { PreInitializeLiteralSite(vector, literals_slot); return CreateLiteralWithoutAllocationSite( isolate, description, flags); } else { boilerplate = LiteralHelper::Create(isolate, description, flags, AllocationType::kOld); } // Install AllocationSite objects. AllocationSiteCreationContext creation_context(isolate); site = creation_context.EnterNewScope(); RETURN_ON_EXCEPTION(isolate, DeepWalk(boilerplate, &creation_context), JSObject); creation_context.ExitScope(site, boilerplate); vector->SynchronizedSet(literals_slot, *site); } STATIC_ASSERT(static_cast(ObjectLiteral::kDisableMementos) == static_cast(ArrayLiteral::kDisableMementos)); bool enable_mementos = (flags & ObjectLiteral::kDisableMementos) == 0; // Copy the existing boilerplate. AllocationSiteUsageContext usage_context(isolate, site, enable_mementos); usage_context.EnterNewScope(); MaybeHandle copy = DeepCopy(boilerplate, &usage_context); usage_context.ExitScope(site, boilerplate); return copy; } } // namespace RUNTIME_FUNCTION(Runtime_CreateObjectLiteral) { HandleScope scope(isolate); DCHECK_EQ(4, args.length()); Handle maybe_vector = args.at(0); int literals_index = args.tagged_index_value_at(1); Handle description = args.at(2); int flags = args.smi_value_at(3); Handle vector; if (maybe_vector->IsFeedbackVector()) { vector = Handle::cast(maybe_vector); } else { DCHECK(maybe_vector->IsUndefined()); } RETURN_RESULT_OR_FAILURE( isolate, CreateLiteral( isolate, vector, literals_index, description, flags)); } RUNTIME_FUNCTION(Runtime_CreateObjectLiteralWithoutAllocationSite) { HandleScope scope(isolate); DCHECK_EQ(2, args.length()); Handle description = args.at(0); int flags = args.smi_value_at(1); RETURN_RESULT_OR_FAILURE( isolate, CreateLiteralWithoutAllocationSite( isolate, description, flags)); } RUNTIME_FUNCTION(Runtime_CreateArrayLiteralWithoutAllocationSite) { HandleScope scope(isolate); DCHECK_EQ(2, args.length()); Handle description = args.at(0); int flags = args.smi_value_at(1); RETURN_RESULT_OR_FAILURE( isolate, CreateLiteralWithoutAllocationSite( isolate, description, flags)); } RUNTIME_FUNCTION(Runtime_CreateArrayLiteral) { HandleScope scope(isolate); DCHECK_EQ(4, args.length()); Handle maybe_vector = args.at(0); int literals_index = args.tagged_index_value_at(1); Handle elements = args.at(2); int flags = args.smi_value_at(3); Handle vector; if (maybe_vector->IsFeedbackVector()) { vector = Handle::cast(maybe_vector); } else { DCHECK(maybe_vector->IsUndefined()); } RETURN_RESULT_OR_FAILURE( isolate, CreateLiteral( isolate, vector, literals_index, elements, flags)); } RUNTIME_FUNCTION(Runtime_CreateRegExpLiteral) { HandleScope scope(isolate); DCHECK_EQ(4, args.length()); Handle maybe_vector = args.at(0); int index = args.tagged_index_value_at(1); Handle pattern = args.at(2); int flags = args.smi_value_at(3); if (maybe_vector->IsUndefined()) { // We don't have a vector; don't create a boilerplate, simply construct a // plain JSRegExp instance and return it. RETURN_RESULT_OR_FAILURE( isolate, JSRegExp::New(isolate, pattern, JSRegExp::Flags(flags))); } Handle vector = Handle::cast(maybe_vector); FeedbackSlot literal_slot(FeedbackVector::ToSlot(index)); Handle literal_site(vector->Get(literal_slot)->cast(), isolate); // This function must not be called when a boilerplate already exists (if it // exists, callers should instead copy the boilerplate into a new JSRegExp // instance). CHECK(!HasBoilerplate(literal_site)); Handle regexp_instance; ASSIGN_RETURN_FAILURE_ON_EXCEPTION( isolate, regexp_instance, JSRegExp::New(isolate, pattern, JSRegExp::Flags(flags))); // JSRegExp literal sites are initialized in a two-step process: // Uninitialized-Preinitialized, and Preinitialized-Initialized. if (IsUninitializedLiteralSite(*literal_site)) { PreInitializeLiteralSite(vector, literal_slot); return *regexp_instance; } Handle data(FixedArray::cast(regexp_instance->data()), isolate); Handle source(String::cast(regexp_instance->source()), isolate); Handle boilerplate = isolate->factory()->NewRegExpBoilerplateDescription( data, source, Smi::FromInt(static_cast(regexp_instance->flags()))); vector->SynchronizedSet(literal_slot, *boilerplate); DCHECK(HasBoilerplate( handle(vector->Get(literal_slot)->cast(), isolate))); return *regexp_instance; } } // namespace internal } // namespace v8