1 // Copyright 2017 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "src/builtins/builtins-utils-gen.h"
6 #include "src/builtins/builtins.h"
7 #include "src/codegen/code-stub-assembler.h"
8 #include "src/heap/factory-inl.h"
9 #include "src/ic/accessor-assembler.h"
10 #include "src/ic/keyed-store-generic.h"
11 #include "src/objects/js-generator.h"
12 #include "src/objects/js-objects.h"
13 #include "src/objects/property-descriptor-object.h"
14 #include "src/objects/property-details.h"
15 #include "src/objects/shared-function-info.h"
16
17 namespace v8 {
18 namespace internal {
19
20 // -----------------------------------------------------------------------------
21 // ES6 section 19.1 Object Objects
22
23 class ObjectBuiltinsAssembler : public CodeStubAssembler {
24 public:
ObjectBuiltinsAssembler(compiler::CodeAssemblerState * state)25 explicit ObjectBuiltinsAssembler(compiler::CodeAssemblerState* state)
26 : CodeStubAssembler(state) {}
27
28 protected:
29 void ReturnToStringFormat(TNode<Context> context, TNode<String> string);
30 void AddToDictionaryIf(TNode<BoolT> condition,
31 TNode<NameDictionary> name_dictionary,
32 Handle<Name> name, TNode<Object> value,
33 Label* bailout);
34 TNode<JSObject> FromPropertyDescriptor(TNode<Context> context,
35 TNode<PropertyDescriptorObject> desc);
36 TNode<JSObject> FromPropertyDetails(TNode<Context> context,
37 TNode<Object> raw_value,
38 TNode<Word32T> details,
39 Label* if_bailout);
40 TNode<JSObject> ConstructAccessorDescriptor(TNode<Context> context,
41 TNode<Object> getter,
42 TNode<Object> setter,
43 TNode<BoolT> enumerable,
44 TNode<BoolT> configurable);
45 TNode<JSObject> ConstructDataDescriptor(TNode<Context> context,
46 TNode<Object> value,
47 TNode<BoolT> writable,
48 TNode<BoolT> enumerable,
49 TNode<BoolT> configurable);
50 TNode<HeapObject> GetAccessorOrUndefined(TNode<HeapObject> accessor,
51 Label* if_bailout);
52 };
53
54 class ObjectEntriesValuesBuiltinsAssembler : public ObjectBuiltinsAssembler {
55 public:
ObjectEntriesValuesBuiltinsAssembler(compiler::CodeAssemblerState * state)56 explicit ObjectEntriesValuesBuiltinsAssembler(
57 compiler::CodeAssemblerState* state)
58 : ObjectBuiltinsAssembler(state) {}
59
60 protected:
61 enum CollectType { kEntries, kValues };
62
63 TNode<BoolT> IsPropertyEnumerable(TNode<Uint32T> details);
64
65 TNode<BoolT> IsPropertyKindAccessor(TNode<Uint32T> kind);
66
67 TNode<BoolT> IsPropertyKindData(TNode<Uint32T> kind);
68
LoadPropertyKind(TNode<Uint32T> details)69 TNode<Uint32T> LoadPropertyKind(TNode<Uint32T> details) {
70 return DecodeWord32<PropertyDetails::KindField>(details);
71 }
72
73 void GetOwnValuesOrEntries(TNode<Context> context, TNode<Object> maybe_object,
74 CollectType collect_type);
75
76 TNode<JSArray> FastGetOwnValuesOrEntries(
77 TNode<Context> context, TNode<JSObject> object,
78 Label* if_call_runtime_with_fast_path, Label* if_no_properties,
79 CollectType collect_type);
80
81 TNode<JSArray> FinalizeValuesOrEntriesJSArray(
82 TNode<Context> context, TNode<FixedArray> values_or_entries,
83 TNode<IntPtrT> size, TNode<Map> array_map, Label* if_empty);
84 };
85
ReturnToStringFormat(TNode<Context> context,TNode<String> string)86 void ObjectBuiltinsAssembler::ReturnToStringFormat(TNode<Context> context,
87 TNode<String> string) {
88 TNode<String> lhs = StringConstant("[object ");
89 TNode<String> rhs = StringConstant("]");
90
91 Callable callable = CodeFactory::StringAdd(isolate(), STRING_ADD_CHECK_NONE);
92
93 Return(CallStub(callable, context, CallStub(callable, context, lhs, string),
94 rhs));
95 }
96
ConstructAccessorDescriptor(TNode<Context> context,TNode<Object> getter,TNode<Object> setter,TNode<BoolT> enumerable,TNode<BoolT> configurable)97 TNode<JSObject> ObjectBuiltinsAssembler::ConstructAccessorDescriptor(
98 TNode<Context> context, TNode<Object> getter, TNode<Object> setter,
99 TNode<BoolT> enumerable, TNode<BoolT> configurable) {
100 TNode<NativeContext> native_context = LoadNativeContext(context);
101 TNode<Map> map = CAST(LoadContextElement(
102 native_context, Context::ACCESSOR_PROPERTY_DESCRIPTOR_MAP_INDEX));
103 TNode<JSObject> js_desc = AllocateJSObjectFromMap(map);
104
105 StoreObjectFieldNoWriteBarrier(
106 js_desc, JSAccessorPropertyDescriptor::kGetOffset, getter);
107 StoreObjectFieldNoWriteBarrier(
108 js_desc, JSAccessorPropertyDescriptor::kSetOffset, setter);
109 StoreObjectFieldNoWriteBarrier(
110 js_desc, JSAccessorPropertyDescriptor::kEnumerableOffset,
111 SelectBooleanConstant(enumerable));
112 StoreObjectFieldNoWriteBarrier(
113 js_desc, JSAccessorPropertyDescriptor::kConfigurableOffset,
114 SelectBooleanConstant(configurable));
115
116 return js_desc;
117 }
118
ConstructDataDescriptor(TNode<Context> context,TNode<Object> value,TNode<BoolT> writable,TNode<BoolT> enumerable,TNode<BoolT> configurable)119 TNode<JSObject> ObjectBuiltinsAssembler::ConstructDataDescriptor(
120 TNode<Context> context, TNode<Object> value, TNode<BoolT> writable,
121 TNode<BoolT> enumerable, TNode<BoolT> configurable) {
122 TNode<NativeContext> native_context = LoadNativeContext(context);
123 TNode<Map> map = CAST(LoadContextElement(
124 native_context, Context::DATA_PROPERTY_DESCRIPTOR_MAP_INDEX));
125 TNode<JSObject> js_desc = AllocateJSObjectFromMap(map);
126
127 StoreObjectFieldNoWriteBarrier(js_desc,
128 JSDataPropertyDescriptor::kValueOffset, value);
129 StoreObjectFieldNoWriteBarrier(js_desc,
130 JSDataPropertyDescriptor::kWritableOffset,
131 SelectBooleanConstant(writable));
132 StoreObjectFieldNoWriteBarrier(js_desc,
133 JSDataPropertyDescriptor::kEnumerableOffset,
134 SelectBooleanConstant(enumerable));
135 StoreObjectFieldNoWriteBarrier(js_desc,
136 JSDataPropertyDescriptor::kConfigurableOffset,
137 SelectBooleanConstant(configurable));
138
139 return js_desc;
140 }
141
IsPropertyEnumerable(TNode<Uint32T> details)142 TNode<BoolT> ObjectEntriesValuesBuiltinsAssembler::IsPropertyEnumerable(
143 TNode<Uint32T> details) {
144 TNode<Uint32T> attributes =
145 DecodeWord32<PropertyDetails::AttributesField>(details);
146 return IsNotSetWord32(attributes, PropertyAttributes::DONT_ENUM);
147 }
148
IsPropertyKindAccessor(TNode<Uint32T> kind)149 TNode<BoolT> ObjectEntriesValuesBuiltinsAssembler::IsPropertyKindAccessor(
150 TNode<Uint32T> kind) {
151 return Word32Equal(kind, Int32Constant(PropertyKind::kAccessor));
152 }
153
IsPropertyKindData(TNode<Uint32T> kind)154 TNode<BoolT> ObjectEntriesValuesBuiltinsAssembler::IsPropertyKindData(
155 TNode<Uint32T> kind) {
156 return Word32Equal(kind, Int32Constant(PropertyKind::kData));
157 }
158
GetOwnValuesOrEntries(TNode<Context> context,TNode<Object> maybe_object,CollectType collect_type)159 void ObjectEntriesValuesBuiltinsAssembler::GetOwnValuesOrEntries(
160 TNode<Context> context, TNode<Object> maybe_object,
161 CollectType collect_type) {
162 TNode<JSReceiver> receiver = ToObject_Inline(context, maybe_object);
163
164 Label if_call_runtime_with_fast_path(this, Label::kDeferred),
165 if_call_runtime(this, Label::kDeferred),
166 if_no_properties(this, Label::kDeferred);
167
168 TNode<Map> map = LoadMap(receiver);
169 GotoIfNot(IsJSObjectMap(map), &if_call_runtime);
170 GotoIfMapHasSlowProperties(map, &if_call_runtime);
171
172 TNode<JSObject> object = CAST(receiver);
173 TNode<FixedArrayBase> elements = LoadElements(object);
174 // If the object has elements, we treat it as slow case.
175 // So, we go to runtime call.
176 GotoIfNot(IsEmptyFixedArray(elements), &if_call_runtime_with_fast_path);
177
178 TNode<JSArray> result = FastGetOwnValuesOrEntries(
179 context, object, &if_call_runtime_with_fast_path, &if_no_properties,
180 collect_type);
181 Return(result);
182
183 BIND(&if_no_properties);
184 {
185 TNode<NativeContext> native_context = LoadNativeContext(context);
186 TNode<Map> array_map =
187 LoadJSArrayElementsMap(PACKED_ELEMENTS, native_context);
188 TNode<JSArray> empty_array = AllocateJSArray(
189 PACKED_ELEMENTS, array_map, IntPtrConstant(0), SmiConstant(0));
190 Return(empty_array);
191 }
192
193 BIND(&if_call_runtime_with_fast_path);
194 {
195 // In slow case, we simply call runtime.
196 if (collect_type == CollectType::kEntries) {
197 Return(CallRuntime(Runtime::kObjectEntries, context, object));
198 } else {
199 DCHECK(collect_type == CollectType::kValues);
200 Return(CallRuntime(Runtime::kObjectValues, context, object));
201 }
202 }
203
204 BIND(&if_call_runtime);
205 {
206 // In slow case, we simply call runtime.
207 if (collect_type == CollectType::kEntries) {
208 Return(
209 CallRuntime(Runtime::kObjectEntriesSkipFastPath, context, receiver));
210 } else {
211 DCHECK(collect_type == CollectType::kValues);
212 Return(
213 CallRuntime(Runtime::kObjectValuesSkipFastPath, context, receiver));
214 }
215 }
216 }
217
FastGetOwnValuesOrEntries(TNode<Context> context,TNode<JSObject> object,Label * if_call_runtime_with_fast_path,Label * if_no_properties,CollectType collect_type)218 TNode<JSArray> ObjectEntriesValuesBuiltinsAssembler::FastGetOwnValuesOrEntries(
219 TNode<Context> context, TNode<JSObject> object,
220 Label* if_call_runtime_with_fast_path, Label* if_no_properties,
221 CollectType collect_type) {
222 TNode<NativeContext> native_context = LoadNativeContext(context);
223 TNode<Map> array_map =
224 LoadJSArrayElementsMap(PACKED_ELEMENTS, native_context);
225 TNode<Map> map = LoadMap(object);
226 TNode<Uint32T> bit_field3 = LoadMapBitField3(map);
227
228 Label if_has_enum_cache(this), if_not_has_enum_cache(this),
229 collect_entries(this);
230 TNode<IntPtrT> object_enum_length =
231 Signed(DecodeWordFromWord32<Map::Bits3::EnumLengthBits>(bit_field3));
232 TNode<BoolT> has_enum_cache = WordNotEqual(
233 object_enum_length, IntPtrConstant(kInvalidEnumCacheSentinel));
234
235 // In case, we found enum_cache in object,
236 // we use it as array_length because it has same size for
237 // Object.(entries/values) result array object length.
238 // So object_enum_length use less memory space than
239 // NumberOfOwnDescriptorsBits value.
240 // And in case, if enum_cache_not_found,
241 // we call runtime and initialize enum_cache for subsequent call of
242 // CSA fast path.
243 Branch(has_enum_cache, &if_has_enum_cache, if_call_runtime_with_fast_path);
244
245 BIND(&if_has_enum_cache);
246 {
247 GotoIf(WordEqual(object_enum_length, IntPtrConstant(0)), if_no_properties);
248 TNode<FixedArray> values_or_entries = CAST(AllocateFixedArray(
249 PACKED_ELEMENTS, object_enum_length, kAllowLargeObjectAllocation));
250
251 // If in case we have enum_cache,
252 // we can't detect accessor of object until loop through descriptors.
253 // So if object might have accessor,
254 // we will remain invalid addresses of FixedArray.
255 // Because in that case, we need to jump to runtime call.
256 // So the array filled by the-hole even if enum_cache exists.
257 FillFixedArrayWithValue(PACKED_ELEMENTS, values_or_entries,
258 IntPtrConstant(0), object_enum_length,
259 RootIndex::kTheHoleValue);
260
261 TVARIABLE(IntPtrT, var_result_index, IntPtrConstant(0));
262 TVARIABLE(IntPtrT, var_descriptor_number, IntPtrConstant(0));
263 // Let desc be ? O.[[GetOwnProperty]](key).
264 TNode<DescriptorArray> descriptors = LoadMapDescriptors(map);
265 Label loop(this, {&var_descriptor_number, &var_result_index}),
266 after_loop(this), next_descriptor(this);
267 Branch(IntPtrEqual(var_descriptor_number.value(), object_enum_length),
268 &after_loop, &loop);
269
270 // We dont use BuildFastLoop.
271 // Instead, we use hand-written loop
272 // because of we need to use 'continue' functionality.
273 BIND(&loop);
274 {
275 // Currently, we will not invoke getters,
276 // so, map will not be changed.
277 CSA_ASSERT(this, TaggedEqual(map, LoadMap(object)));
278 TNode<IntPtrT> descriptor_entry = var_descriptor_number.value();
279 TNode<Name> next_key =
280 LoadKeyByDescriptorEntry(descriptors, descriptor_entry);
281
282 // Skip Symbols.
283 GotoIf(IsSymbol(next_key), &next_descriptor);
284
285 TNode<Uint32T> details =
286 LoadDetailsByDescriptorEntry(descriptors, descriptor_entry);
287
288 TNode<Uint32T> kind = LoadPropertyKind(details);
289
290 // If property is accessor, we escape fast path and call runtime.
291 GotoIf(IsPropertyKindAccessor(kind), if_call_runtime_with_fast_path);
292 CSA_ASSERT(this, IsPropertyKindData(kind));
293
294 // If desc is not undefined and desc.[[Enumerable]] is true, then skip to
295 // the next descriptor.
296 GotoIfNot(IsPropertyEnumerable(details), &next_descriptor);
297
298 TVARIABLE(Object, var_property_value, UndefinedConstant());
299 TNode<IntPtrT> descriptor_name_index = ToKeyIndex<DescriptorArray>(
300 Unsigned(TruncateIntPtrToInt32(var_descriptor_number.value())));
301
302 // Let value be ? Get(O, key).
303 LoadPropertyFromFastObject(object, map, descriptors,
304 descriptor_name_index, details,
305 &var_property_value);
306
307 // If kind is "value", append value to properties.
308 TNode<Object> value = var_property_value.value();
309
310 if (collect_type == CollectType::kEntries) {
311 // Let entry be CreateArrayFromList(« key, value »).
312 TNode<JSArray> array;
313 TNode<FixedArrayBase> elements;
314 std::tie(array, elements) = AllocateUninitializedJSArrayWithElements(
315 PACKED_ELEMENTS, array_map, SmiConstant(2), base::nullopt,
316 IntPtrConstant(2));
317 StoreFixedArrayElement(CAST(elements), 0, next_key, SKIP_WRITE_BARRIER);
318 StoreFixedArrayElement(CAST(elements), 1, value, SKIP_WRITE_BARRIER);
319 value = TNode<JSArray>::UncheckedCast(array);
320 }
321
322 StoreFixedArrayElement(values_or_entries, var_result_index.value(),
323 value);
324 Increment(&var_result_index);
325 Goto(&next_descriptor);
326
327 BIND(&next_descriptor);
328 {
329 Increment(&var_descriptor_number);
330 Branch(IntPtrEqual(var_result_index.value(), object_enum_length),
331 &after_loop, &loop);
332 }
333 }
334 BIND(&after_loop);
335 return FinalizeValuesOrEntriesJSArray(context, values_or_entries,
336 var_result_index.value(), array_map,
337 if_no_properties);
338 }
339 }
340
341 TNode<JSArray>
FinalizeValuesOrEntriesJSArray(TNode<Context> context,TNode<FixedArray> result,TNode<IntPtrT> size,TNode<Map> array_map,Label * if_empty)342 ObjectEntriesValuesBuiltinsAssembler::FinalizeValuesOrEntriesJSArray(
343 TNode<Context> context, TNode<FixedArray> result, TNode<IntPtrT> size,
344 TNode<Map> array_map, Label* if_empty) {
345 CSA_ASSERT(this, IsJSArrayMap(array_map));
346
347 GotoIf(IntPtrEqual(size, IntPtrConstant(0)), if_empty);
348 TNode<JSArray> array = AllocateJSArray(array_map, result, SmiTag(size));
349 return TNode<JSArray>::UncheckedCast(array);
350 }
351
TF_BUILTIN(ObjectPrototypeHasOwnProperty,ObjectBuiltinsAssembler)352 TF_BUILTIN(ObjectPrototypeHasOwnProperty, ObjectBuiltinsAssembler) {
353 auto object = Parameter<Object>(Descriptor::kReceiver);
354 auto key = Parameter<Object>(Descriptor::kKey);
355 auto context = Parameter<Context>(Descriptor::kContext);
356
357 Label call_runtime(this), return_true(this), return_false(this),
358 to_primitive(this);
359
360 // Smi receivers do not have own properties, just perform ToPrimitive on the
361 // key.
362 Label if_objectisnotsmi(this);
363 Branch(TaggedIsSmi(object), &to_primitive, &if_objectisnotsmi);
364 BIND(&if_objectisnotsmi);
365
366 TNode<HeapObject> heap_object = CAST(object);
367
368 TNode<Map> map = LoadMap(heap_object);
369 TNode<Uint16T> instance_type = LoadMapInstanceType(map);
370
371 {
372 TVARIABLE(IntPtrT, var_index);
373 TVARIABLE(Name, var_unique);
374
375 Label if_index(this, &var_index), if_unique_name(this),
376 if_notunique_name(this);
377 TryToName(key, &if_index, &var_index, &if_unique_name, &var_unique,
378 &call_runtime, &if_notunique_name);
379
380 BIND(&if_unique_name);
381 TryHasOwnProperty(heap_object, map, instance_type, var_unique.value(),
382 &return_true, &return_false, &call_runtime);
383
384 BIND(&if_index);
385 {
386 TryLookupElement(heap_object, map, instance_type, var_index.value(),
387 &return_true, &return_false, &return_false,
388 &call_runtime);
389 }
390
391 BIND(&if_notunique_name);
392 {
393 Label not_in_string_table(this);
394 TryInternalizeString(CAST(key), &if_index, &var_index, &if_unique_name,
395 &var_unique, ¬_in_string_table, &call_runtime);
396
397 BIND(¬_in_string_table);
398 {
399 // If the string was not found in the string table, then no regular
400 // object can have a property with that name, so return |false|.
401 // "Special API objects" with interceptors must take the slow path.
402 Branch(IsSpecialReceiverInstanceType(instance_type), &call_runtime,
403 &return_false);
404 }
405 }
406 }
407 BIND(&to_primitive);
408 GotoIf(IsNumber(key), &return_false);
409 Branch(IsName(CAST(key)), &return_false, &call_runtime);
410
411 BIND(&return_true);
412 Return(TrueConstant());
413
414 BIND(&return_false);
415 Return(FalseConstant());
416
417 BIND(&call_runtime);
418 Return(CallRuntime(Runtime::kObjectHasOwnProperty, context, object, key));
419 }
420
421 // ES #sec-object.assign
TF_BUILTIN(ObjectAssign,ObjectBuiltinsAssembler)422 TF_BUILTIN(ObjectAssign, ObjectBuiltinsAssembler) {
423 TNode<IntPtrT> argc = ChangeInt32ToIntPtr(
424 UncheckedParameter<Int32T>(Descriptor::kJSActualArgumentsCount));
425 CodeStubArguments args(this, argc);
426
427 auto context = Parameter<Context>(Descriptor::kContext);
428 TNode<Object> target = args.GetOptionalArgumentValue(0);
429
430 // 1. Let to be ? ToObject(target).
431 TNode<JSReceiver> to = ToObject_Inline(context, target);
432
433 Label done(this);
434 // 2. If only one argument was passed, return to.
435 GotoIf(UintPtrLessThanOrEqual(argc, IntPtrConstant(1)), &done);
436
437 // 3. Let sources be the List of argument values starting with the
438 // second argument.
439 // 4. For each element nextSource of sources, in ascending index order,
440 args.ForEach(
441 [=](TNode<Object> next_source) {
442 CallBuiltin(Builtins::kSetDataProperties, context, to, next_source);
443 },
444 IntPtrConstant(1));
445 Goto(&done);
446
447 // 5. Return to.
448 BIND(&done);
449 args.PopAndReturn(to);
450 }
451
452 // ES #sec-object.keys
TF_BUILTIN(ObjectKeys,ObjectBuiltinsAssembler)453 TF_BUILTIN(ObjectKeys, ObjectBuiltinsAssembler) {
454 auto object = Parameter<Object>(Descriptor::kObject);
455 auto context = Parameter<Context>(Descriptor::kContext);
456
457 TVARIABLE(Smi, var_length);
458 TVARIABLE(FixedArrayBase, var_elements);
459 Label if_empty(this, Label::kDeferred), if_empty_elements(this),
460 if_fast(this), if_slow(this, Label::kDeferred), if_join(this);
461
462 // Check if the {object} has a usable enum cache.
463 GotoIf(TaggedIsSmi(object), &if_slow);
464
465 TNode<Map> object_map = LoadMap(CAST(object));
466 TNode<Uint32T> object_bit_field3 = LoadMapBitField3(object_map);
467 TNode<UintPtrT> object_enum_length =
468 DecodeWordFromWord32<Map::Bits3::EnumLengthBits>(object_bit_field3);
469 GotoIf(
470 WordEqual(object_enum_length, IntPtrConstant(kInvalidEnumCacheSentinel)),
471 &if_slow);
472
473 // Ensure that the {object} doesn't have any elements.
474 CSA_ASSERT(this, IsJSObjectMap(object_map));
475 TNode<FixedArrayBase> object_elements = LoadElements(CAST(object));
476 GotoIf(IsEmptyFixedArray(object_elements), &if_empty_elements);
477 Branch(IsEmptySlowElementDictionary(object_elements), &if_empty_elements,
478 &if_slow);
479
480 // Check whether there are enumerable properties.
481 BIND(&if_empty_elements);
482 Branch(WordEqual(object_enum_length, IntPtrConstant(0)), &if_empty, &if_fast);
483
484 // TODO(solanes): These if_xxx here and below seem to be quite similar for
485 // ObjectKeys and for ObjectGetOwnPropertyNames. In particular, if_fast seem
486 // to be the exact same.
487 BIND(&if_fast);
488 {
489 // The {object} has a usable enum cache, use that.
490 TNode<DescriptorArray> object_descriptors = LoadMapDescriptors(object_map);
491 TNode<EnumCache> object_enum_cache = LoadObjectField<EnumCache>(
492 object_descriptors, DescriptorArray::kEnumCacheOffset);
493 auto object_enum_keys = LoadObjectField<FixedArrayBase>(
494 object_enum_cache, EnumCache::kKeysOffset);
495
496 // Allocate a JSArray and copy the elements from the {object_enum_keys}.
497 TNode<JSArray> array;
498 TNode<FixedArrayBase> elements;
499 TNode<NativeContext> native_context = LoadNativeContext(context);
500 TNode<Map> array_map =
501 LoadJSArrayElementsMap(PACKED_ELEMENTS, native_context);
502 TNode<IntPtrT> object_enum_length_intptr = Signed(object_enum_length);
503 TNode<Smi> array_length = SmiTag(object_enum_length_intptr);
504 std::tie(array, elements) = AllocateUninitializedJSArrayWithElements(
505 PACKED_ELEMENTS, array_map, array_length, base::nullopt,
506 object_enum_length_intptr);
507 CopyFixedArrayElements(PACKED_ELEMENTS, object_enum_keys, elements,
508 object_enum_length_intptr, SKIP_WRITE_BARRIER);
509 Return(array);
510 }
511
512 BIND(&if_empty);
513 {
514 // The {object} doesn't have any enumerable keys.
515 var_length = SmiConstant(0);
516 var_elements = EmptyFixedArrayConstant();
517 Goto(&if_join);
518 }
519
520 BIND(&if_slow);
521 {
522 // Let the runtime compute the elements.
523 TNode<FixedArray> elements =
524 CAST(CallRuntime(Runtime::kObjectKeys, context, object));
525 var_length = LoadObjectField<Smi>(elements, FixedArray::kLengthOffset);
526 var_elements = elements;
527 Goto(&if_join);
528 }
529
530 BIND(&if_join);
531 {
532 // Wrap the elements into a proper JSArray and return that.
533 TNode<NativeContext> native_context = LoadNativeContext(context);
534 TNode<Map> array_map =
535 LoadJSArrayElementsMap(PACKED_ELEMENTS, native_context);
536 TNode<JSArray> array =
537 AllocateJSArray(array_map, var_elements.value(), var_length.value());
538 Return(array);
539 }
540 }
541
542 // ES #sec-object.getOwnPropertyNames
TF_BUILTIN(ObjectGetOwnPropertyNames,ObjectBuiltinsAssembler)543 TF_BUILTIN(ObjectGetOwnPropertyNames, ObjectBuiltinsAssembler) {
544 auto object = Parameter<Object>(Descriptor::kObject);
545 auto context = Parameter<Context>(Descriptor::kContext);
546
547 TVARIABLE(Smi, var_length);
548 TVARIABLE(FixedArrayBase, var_elements);
549 Label if_empty(this, Label::kDeferred), if_empty_elements(this),
550 if_fast(this), try_fast(this, Label::kDeferred),
551 if_slow(this, Label::kDeferred), if_join(this);
552
553 // Take the slow path if the {object} IsCustomElementsReceiverInstanceType or
554 // has any elements.
555 GotoIf(TaggedIsSmi(object), &if_slow);
556
557 TNode<Map> object_map = LoadMap(CAST(object));
558 TNode<Uint16T> instance_type = LoadMapInstanceType(object_map);
559 GotoIf(IsCustomElementsReceiverInstanceType(instance_type), &if_slow);
560 TNode<FixedArrayBase> object_elements = LoadElements(CAST(object));
561 GotoIf(IsEmptyFixedArray(object_elements), &if_empty_elements);
562 Branch(IsEmptySlowElementDictionary(object_elements), &if_empty_elements,
563 &if_slow);
564
565 // Check if the {object} has a usable enum cache.
566 BIND(&if_empty_elements);
567 TNode<Uint32T> object_bit_field3 = LoadMapBitField3(object_map);
568 TNode<UintPtrT> object_enum_length =
569 DecodeWordFromWord32<Map::Bits3::EnumLengthBits>(object_bit_field3);
570 GotoIf(
571 WordEqual(object_enum_length, IntPtrConstant(kInvalidEnumCacheSentinel)),
572 &try_fast);
573
574 // Check whether all own properties are enumerable.
575 TNode<UintPtrT> number_descriptors =
576 DecodeWordFromWord32<Map::Bits3::NumberOfOwnDescriptorsBits>(
577 object_bit_field3);
578 GotoIfNot(WordEqual(object_enum_length, number_descriptors), &if_slow);
579
580 // Check whether there are enumerable properties.
581 Branch(WordEqual(object_enum_length, IntPtrConstant(0)), &if_empty, &if_fast);
582
583 // TODO(solanes): These if_xxx here and below seem to be quite similar for
584 // ObjectKeys and for ObjectGetOwnPropertyNames. In particular, if_fast seem
585 // to be the exact same.
586 BIND(&if_fast);
587 {
588 // The {object} has a usable enum cache and all own properties are
589 // enumerable, use that.
590 TNode<DescriptorArray> object_descriptors = LoadMapDescriptors(object_map);
591 TNode<EnumCache> object_enum_cache = LoadObjectField<EnumCache>(
592 object_descriptors, DescriptorArray::kEnumCacheOffset);
593 auto object_enum_keys = LoadObjectField<FixedArrayBase>(
594 object_enum_cache, EnumCache::kKeysOffset);
595
596 // Allocate a JSArray and copy the elements from the {object_enum_keys}.
597 TNode<JSArray> array;
598 TNode<FixedArrayBase> elements;
599 TNode<NativeContext> native_context = LoadNativeContext(context);
600 TNode<Map> array_map =
601 LoadJSArrayElementsMap(PACKED_ELEMENTS, native_context);
602 TNode<IntPtrT> object_enum_length_intptr = Signed(object_enum_length);
603 TNode<Smi> array_length = SmiTag(object_enum_length_intptr);
604 std::tie(array, elements) = AllocateUninitializedJSArrayWithElements(
605 PACKED_ELEMENTS, array_map, array_length, base::nullopt,
606 object_enum_length_intptr);
607 CopyFixedArrayElements(PACKED_ELEMENTS, object_enum_keys, elements,
608 object_enum_length_intptr, SKIP_WRITE_BARRIER);
609 Return(array);
610 }
611
612 BIND(&try_fast);
613 {
614 // Let the runtime compute the elements and try initializing enum cache.
615 TNode<FixedArray> elements = CAST(CallRuntime(
616 Runtime::kObjectGetOwnPropertyNamesTryFast, context, object));
617 var_length = LoadObjectField<Smi>(elements, FixedArray::kLengthOffset);
618 var_elements = elements;
619 Goto(&if_join);
620 }
621
622 BIND(&if_empty);
623 {
624 // The {object} doesn't have any enumerable keys.
625 var_length = SmiConstant(0);
626 var_elements = EmptyFixedArrayConstant();
627 Goto(&if_join);
628 }
629
630 BIND(&if_slow);
631 {
632 // Let the runtime compute the elements.
633 TNode<FixedArray> elements =
634 CAST(CallRuntime(Runtime::kObjectGetOwnPropertyNames, context, object));
635 var_length = LoadObjectField<Smi>(elements, FixedArray::kLengthOffset);
636 var_elements = elements;
637 Goto(&if_join);
638 }
639
640 BIND(&if_join);
641 {
642 // Wrap the elements into a proper JSArray and return that.
643 TNode<NativeContext> native_context = LoadNativeContext(context);
644 TNode<Map> array_map =
645 LoadJSArrayElementsMap(PACKED_ELEMENTS, native_context);
646 TNode<JSArray> array =
647 AllocateJSArray(array_map, var_elements.value(), var_length.value());
648 Return(array);
649 }
650 }
651
TF_BUILTIN(ObjectValues,ObjectEntriesValuesBuiltinsAssembler)652 TF_BUILTIN(ObjectValues, ObjectEntriesValuesBuiltinsAssembler) {
653 auto object = UncheckedParameter<JSObject>(Descriptor::kObject);
654 auto context = UncheckedParameter<Context>(Descriptor::kContext);
655 GetOwnValuesOrEntries(context, object, CollectType::kValues);
656 }
657
TF_BUILTIN(ObjectEntries,ObjectEntriesValuesBuiltinsAssembler)658 TF_BUILTIN(ObjectEntries, ObjectEntriesValuesBuiltinsAssembler) {
659 auto object = UncheckedParameter<JSObject>(Descriptor::kObject);
660 auto context = UncheckedParameter<Context>(Descriptor::kContext);
661 GetOwnValuesOrEntries(context, object, CollectType::kEntries);
662 }
663
664 // ES #sec-object.prototype.isprototypeof
TF_BUILTIN(ObjectPrototypeIsPrototypeOf,ObjectBuiltinsAssembler)665 TF_BUILTIN(ObjectPrototypeIsPrototypeOf, ObjectBuiltinsAssembler) {
666 auto receiver = Parameter<Object>(Descriptor::kReceiver);
667 auto value = Parameter<Object>(Descriptor::kValue);
668 auto context = Parameter<Context>(Descriptor::kContext);
669 Label if_receiverisnullorundefined(this, Label::kDeferred),
670 if_valueisnotreceiver(this, Label::kDeferred);
671
672 // We only check whether {value} is a Smi here, so that the
673 // prototype chain walk below can safely access the {value}s
674 // map. We don't rule out Primitive {value}s, since all of
675 // them have null as their prototype, so the chain walk below
676 // immediately aborts and returns false anyways.
677 GotoIf(TaggedIsSmi(value), &if_valueisnotreceiver);
678
679 {
680 TNode<HeapObject> value_heap_object = CAST(value);
681
682 // Check if {receiver} is either null or undefined and in that case,
683 // invoke the ToObject builtin, which raises the appropriate error.
684 // Otherwise we don't need to invoke ToObject, since {receiver} is
685 // either already a JSReceiver, in which case ToObject is a no-op,
686 // or it's a Primitive and ToObject would allocate a fresh
687 // JSPrimitiveWrapper wrapper, which wouldn't be identical to any existing
688 // JSReceiver found in the prototype chain of {value}, hence it will return
689 // false no matter if we search for the Primitive {receiver} or
690 // a newly allocated JSPrimitiveWrapper wrapper for {receiver}.
691 GotoIf(IsNull(receiver), &if_receiverisnullorundefined);
692 GotoIf(IsUndefined(receiver), &if_receiverisnullorundefined);
693
694 // Loop through the prototype chain looking for the {receiver}.
695 Return(HasInPrototypeChain(context, value_heap_object, receiver));
696
697 BIND(&if_receiverisnullorundefined);
698 {
699 // If {value} is a primitive HeapObject, we need to return
700 // false instead of throwing an exception per order of the
701 // steps in the specification, so check that first here.
702 GotoIfNot(IsJSReceiver(value_heap_object), &if_valueisnotreceiver);
703
704 // Simulate the ToObject invocation on {receiver}.
705 ToObject(context, receiver);
706 Unreachable();
707 }
708 }
709
710 BIND(&if_valueisnotreceiver);
711 Return(FalseConstant());
712 }
713
TF_BUILTIN(ObjectToString,ObjectBuiltinsAssembler)714 TF_BUILTIN(ObjectToString, ObjectBuiltinsAssembler) {
715 Label checkstringtag(this), if_arguments(this), if_array(this),
716 if_boolean(this), if_date(this), if_error(this), if_function(this),
717 if_number(this, Label::kDeferred), if_object(this), if_primitive(this),
718 if_proxy(this, Label::kDeferred), if_regexp(this), if_string(this),
719 if_symbol(this, Label::kDeferred), if_value(this),
720 if_bigint(this, Label::kDeferred);
721
722 auto receiver = Parameter<Object>(Descriptor::kReceiver);
723 auto context = Parameter<Context>(Descriptor::kContext);
724
725 TVARIABLE(String, var_default);
726 TVARIABLE(HeapObject, var_holder);
727
728 // This is arranged to check the likely cases first.
729 GotoIf(TaggedIsSmi(receiver), &if_number);
730
731 TNode<HeapObject> receiver_heap_object = CAST(receiver);
732 TNode<Map> receiver_map = LoadMap(receiver_heap_object);
733 var_holder = receiver_heap_object;
734 TNode<Uint16T> receiver_instance_type = LoadMapInstanceType(receiver_map);
735 GotoIf(IsPrimitiveInstanceType(receiver_instance_type), &if_primitive);
736 const struct {
737 InstanceType value;
738 Label* label;
739 } kJumpTable[] = {{JS_OBJECT_TYPE, &if_object},
740 {JS_ARRAY_TYPE, &if_array},
741 {JS_FUNCTION_TYPE, &if_function},
742 {JS_REG_EXP_TYPE, &if_regexp},
743 {JS_ARGUMENTS_OBJECT_TYPE, &if_arguments},
744 {JS_DATE_TYPE, &if_date},
745 {JS_BOUND_FUNCTION_TYPE, &if_function},
746 {JS_API_OBJECT_TYPE, &if_object},
747 {JS_SPECIAL_API_OBJECT_TYPE, &if_object},
748 {JS_PROXY_TYPE, &if_proxy},
749 {JS_ERROR_TYPE, &if_error},
750 {JS_PRIMITIVE_WRAPPER_TYPE, &if_value}};
751 size_t const kNumCases = arraysize(kJumpTable);
752 Label* case_labels[kNumCases];
753 int32_t case_values[kNumCases];
754 for (size_t i = 0; i < kNumCases; ++i) {
755 case_labels[i] = kJumpTable[i].label;
756 case_values[i] = kJumpTable[i].value;
757 }
758 Switch(receiver_instance_type, &if_object, case_values, case_labels,
759 arraysize(case_values));
760
761 BIND(&if_arguments);
762 {
763 var_default = ArgumentsToStringConstant();
764 Goto(&checkstringtag);
765 }
766
767 BIND(&if_array);
768 {
769 var_default = ArrayToStringConstant();
770 Goto(&checkstringtag);
771 }
772
773 BIND(&if_boolean);
774 {
775 TNode<NativeContext> native_context = LoadNativeContext(context);
776 TNode<JSFunction> boolean_constructor = CAST(
777 LoadContextElement(native_context, Context::BOOLEAN_FUNCTION_INDEX));
778 TNode<Map> boolean_initial_map = LoadObjectField<Map>(
779 boolean_constructor, JSFunction::kPrototypeOrInitialMapOffset);
780 TNode<HeapObject> boolean_prototype =
781 LoadObjectField<HeapObject>(boolean_initial_map, Map::kPrototypeOffset);
782 var_default = BooleanToStringConstant();
783 var_holder = boolean_prototype;
784 Goto(&checkstringtag);
785 }
786
787 BIND(&if_date);
788 {
789 var_default = DateToStringConstant();
790 Goto(&checkstringtag);
791 }
792
793 BIND(&if_error);
794 {
795 var_default = ErrorToStringConstant();
796 Goto(&checkstringtag);
797 }
798
799 BIND(&if_function);
800 {
801 var_default = FunctionToStringConstant();
802 Goto(&checkstringtag);
803 }
804
805 BIND(&if_number);
806 {
807 TNode<NativeContext> native_context = LoadNativeContext(context);
808 TNode<JSFunction> number_constructor = CAST(
809 LoadContextElement(native_context, Context::NUMBER_FUNCTION_INDEX));
810 TNode<Map> number_initial_map = LoadObjectField<Map>(
811 number_constructor, JSFunction::kPrototypeOrInitialMapOffset);
812 TNode<HeapObject> number_prototype =
813 LoadObjectField<HeapObject>(number_initial_map, Map::kPrototypeOffset);
814 var_default = NumberToStringConstant();
815 var_holder = number_prototype;
816 Goto(&checkstringtag);
817 }
818
819 BIND(&if_object);
820 {
821 CSA_ASSERT(this, IsJSReceiver(CAST(receiver)));
822 var_default = ObjectToStringConstant();
823 Goto(&checkstringtag);
824 }
825
826 BIND(&if_primitive);
827 {
828 Label return_undefined(this);
829
830 GotoIf(IsStringInstanceType(receiver_instance_type), &if_string);
831 GotoIf(IsBigIntInstanceType(receiver_instance_type), &if_bigint);
832 GotoIf(IsBooleanMap(receiver_map), &if_boolean);
833 GotoIf(IsHeapNumberMap(receiver_map), &if_number);
834 GotoIf(IsSymbolMap(receiver_map), &if_symbol);
835 GotoIf(IsUndefined(receiver), &return_undefined);
836 CSA_ASSERT(this, IsNull(receiver));
837 Return(NullToStringConstant());
838
839 BIND(&return_undefined);
840 Return(UndefinedToStringConstant());
841 }
842
843 BIND(&if_proxy);
844 {
845 // If {receiver} is a proxy for a JSArray, we default to "[object Array]",
846 // otherwise we default to "[object Object]" or "[object Function]" here,
847 // depending on whether the {receiver} is callable. The order matters here,
848 // i.e. we need to execute the %ArrayIsArray check before the [[Get]] below,
849 // as the exception is observable.
850 TNode<Object> receiver_is_array =
851 CallRuntime(Runtime::kArrayIsArray, context, receiver);
852 TNode<String> builtin_tag = Select<String>(
853 IsTrue(receiver_is_array), [=] { return ArrayStringConstant(); },
854 [=] {
855 return Select<String>(
856 IsCallableMap(receiver_map),
857 [=] { return FunctionStringConstant(); },
858 [=] { return ObjectStringConstant(); });
859 });
860
861 // Lookup the @@toStringTag property on the {receiver}.
862 TVARIABLE(Object, var_tag,
863 GetProperty(context, receiver,
864 isolate()->factory()->to_string_tag_symbol()));
865 Label if_tagisnotstring(this), if_tagisstring(this);
866 GotoIf(TaggedIsSmi(var_tag.value()), &if_tagisnotstring);
867 Branch(IsString(CAST(var_tag.value())), &if_tagisstring,
868 &if_tagisnotstring);
869 BIND(&if_tagisnotstring);
870 {
871 var_tag = builtin_tag;
872 Goto(&if_tagisstring);
873 }
874 BIND(&if_tagisstring);
875 ReturnToStringFormat(context, CAST(var_tag.value()));
876 }
877
878 BIND(&if_regexp);
879 {
880 var_default = RegexpToStringConstant();
881 Goto(&checkstringtag);
882 }
883
884 BIND(&if_string);
885 {
886 TNode<NativeContext> native_context = LoadNativeContext(context);
887 TNode<JSFunction> string_constructor = CAST(
888 LoadContextElement(native_context, Context::STRING_FUNCTION_INDEX));
889 TNode<Map> string_initial_map = LoadObjectField<Map>(
890 string_constructor, JSFunction::kPrototypeOrInitialMapOffset);
891 TNode<HeapObject> string_prototype =
892 LoadObjectField<HeapObject>(string_initial_map, Map::kPrototypeOffset);
893 var_default = StringToStringConstant();
894 var_holder = string_prototype;
895 Goto(&checkstringtag);
896 }
897
898 BIND(&if_symbol);
899 {
900 TNode<NativeContext> native_context = LoadNativeContext(context);
901 TNode<JSFunction> symbol_constructor = CAST(
902 LoadContextElement(native_context, Context::SYMBOL_FUNCTION_INDEX));
903 TNode<Map> symbol_initial_map = LoadObjectField<Map>(
904 symbol_constructor, JSFunction::kPrototypeOrInitialMapOffset);
905 TNode<HeapObject> symbol_prototype =
906 LoadObjectField<HeapObject>(symbol_initial_map, Map::kPrototypeOffset);
907 var_default = ObjectToStringConstant();
908 var_holder = symbol_prototype;
909 Goto(&checkstringtag);
910 }
911
912 BIND(&if_bigint);
913 {
914 TNode<NativeContext> native_context = LoadNativeContext(context);
915 TNode<JSFunction> bigint_constructor = CAST(
916 LoadContextElement(native_context, Context::BIGINT_FUNCTION_INDEX));
917 TNode<Map> bigint_initial_map = LoadObjectField<Map>(
918 bigint_constructor, JSFunction::kPrototypeOrInitialMapOffset);
919 TNode<HeapObject> bigint_prototype =
920 LoadObjectField<HeapObject>(bigint_initial_map, Map::kPrototypeOffset);
921 var_default = ObjectToStringConstant();
922 var_holder = bigint_prototype;
923 Goto(&checkstringtag);
924 }
925
926 BIND(&if_value);
927 {
928 Label if_value_is_number(this, Label::kDeferred),
929 if_value_is_boolean(this, Label::kDeferred),
930 if_value_is_symbol(this, Label::kDeferred),
931 if_value_is_bigint(this, Label::kDeferred),
932 if_value_is_string(this, Label::kDeferred);
933
934 TNode<Object> receiver_value =
935 LoadJSPrimitiveWrapperValue(CAST(receiver_heap_object));
936 // We need to start with the object to see if the value was a subclass
937 // which might have interesting properties.
938 var_holder = receiver_heap_object;
939 GotoIf(TaggedIsSmi(receiver_value), &if_value_is_number);
940 TNode<Map> receiver_value_map = LoadMap(CAST(receiver_value));
941 GotoIf(IsHeapNumberMap(receiver_value_map), &if_value_is_number);
942 GotoIf(IsBooleanMap(receiver_value_map), &if_value_is_boolean);
943 GotoIf(IsSymbolMap(receiver_value_map), &if_value_is_symbol);
944 TNode<Uint16T> receiver_value_instance_type =
945 LoadMapInstanceType(receiver_value_map);
946 GotoIf(IsBigIntInstanceType(receiver_value_instance_type),
947 &if_value_is_bigint);
948 CSA_ASSERT(this, IsStringInstanceType(receiver_value_instance_type));
949 Goto(&if_value_is_string);
950
951 BIND(&if_value_is_number);
952 {
953 var_default = NumberToStringConstant();
954 Goto(&checkstringtag);
955 }
956
957 BIND(&if_value_is_boolean);
958 {
959 var_default = BooleanToStringConstant();
960 Goto(&checkstringtag);
961 }
962
963 BIND(&if_value_is_string);
964 {
965 var_default = StringToStringConstant();
966 Goto(&checkstringtag);
967 }
968
969 BIND(&if_value_is_bigint);
970 {
971 var_default = ObjectToStringConstant();
972 Goto(&checkstringtag);
973 }
974
975 BIND(&if_value_is_symbol);
976 {
977 var_default = ObjectToStringConstant();
978 Goto(&checkstringtag);
979 }
980 }
981
982 BIND(&checkstringtag);
983 {
984 // Check if all relevant maps (including the prototype maps) don't
985 // have any interesting symbols (i.e. that none of them have the
986 // @@toStringTag property).
987 Label loop(this, &var_holder), return_default(this),
988 return_generic(this, Label::kDeferred);
989 Goto(&loop);
990 BIND(&loop);
991 {
992 TNode<HeapObject> holder = var_holder.value();
993 GotoIf(IsNull(holder), &return_default);
994 TNode<Map> holder_map = LoadMap(holder);
995 TNode<Uint32T> holder_bit_field3 = LoadMapBitField3(holder_map);
996 GotoIf(IsSetWord32<Map::Bits3::MayHaveInterestingSymbolsBit>(
997 holder_bit_field3),
998 &return_generic);
999 var_holder = LoadMapPrototype(holder_map);
1000 Goto(&loop);
1001 }
1002
1003 BIND(&return_generic);
1004 {
1005 TNode<Object> tag = GetProperty(context, ToObject(context, receiver),
1006 ToStringTagSymbolConstant());
1007 GotoIf(TaggedIsSmi(tag), &return_default);
1008 GotoIfNot(IsString(CAST(tag)), &return_default);
1009 ReturnToStringFormat(context, CAST(tag));
1010 }
1011
1012 BIND(&return_default);
1013 Return(var_default.value());
1014 }
1015 }
1016
1017 // ES #sec-object.create
TF_BUILTIN(ObjectCreate,ObjectBuiltinsAssembler)1018 TF_BUILTIN(ObjectCreate, ObjectBuiltinsAssembler) {
1019 int const kPrototypeArg = 0;
1020 int const kPropertiesArg = 1;
1021
1022 TNode<IntPtrT> argc = ChangeInt32ToIntPtr(
1023 UncheckedParameter<Int32T>(Descriptor::kJSActualArgumentsCount));
1024 CodeStubArguments args(this, argc);
1025
1026 TNode<Object> prototype = args.GetOptionalArgumentValue(kPrototypeArg);
1027 TNode<Object> properties = args.GetOptionalArgumentValue(kPropertiesArg);
1028 auto native_context = Parameter<NativeContext>(Descriptor::kContext);
1029
1030 Label call_runtime(this, Label::kDeferred), prototype_valid(this),
1031 no_properties(this);
1032 {
1033 Comment("Argument 1 check: prototype");
1034 GotoIf(IsNull(prototype), &prototype_valid);
1035 BranchIfJSReceiver(prototype, &prototype_valid, &call_runtime);
1036 }
1037
1038 BIND(&prototype_valid);
1039 {
1040 Comment("Argument 2 check: properties");
1041 // Check that we have a simple object
1042 GotoIf(TaggedIsSmi(properties), &call_runtime);
1043 // Undefined implies no properties.
1044 GotoIf(IsUndefined(properties), &no_properties);
1045 TNode<Map> properties_map = LoadMap(CAST(properties));
1046 GotoIf(IsSpecialReceiverMap(properties_map), &call_runtime);
1047 // Stay on the fast path only if there are no elements.
1048 GotoIfNot(
1049 TaggedEqual(LoadElements(CAST(properties)), EmptyFixedArrayConstant()),
1050 &call_runtime);
1051 // Handle dictionary objects or fast objects with properties in runtime.
1052 TNode<Uint32T> bit_field3 = LoadMapBitField3(properties_map);
1053 GotoIf(IsSetWord32<Map::Bits3::IsDictionaryMapBit>(bit_field3),
1054 &call_runtime);
1055 Branch(IsSetWord32<Map::Bits3::NumberOfOwnDescriptorsBits>(bit_field3),
1056 &call_runtime, &no_properties);
1057 }
1058
1059 // Create a new object with the given prototype.
1060 BIND(&no_properties);
1061 {
1062 TVARIABLE(Map, map);
1063 TVARIABLE(HeapObject, properties);
1064 Label null_proto(this), non_null_proto(this), instantiate_map(this);
1065
1066 Branch(IsNull(prototype), &null_proto, &non_null_proto);
1067
1068 BIND(&null_proto);
1069 {
1070 map = LoadSlowObjectWithNullPrototypeMap(native_context);
1071 properties = AllocateNameDictionary(NameDictionary::kInitialCapacity);
1072 Goto(&instantiate_map);
1073 }
1074
1075 BIND(&non_null_proto);
1076 {
1077 properties = EmptyFixedArrayConstant();
1078 map = LoadObjectFunctionInitialMap(native_context);
1079 GotoIf(TaggedEqual(prototype, LoadMapPrototype(map.value())),
1080 &instantiate_map);
1081 // Try loading the prototype info.
1082 TNode<PrototypeInfo> prototype_info =
1083 LoadMapPrototypeInfo(LoadMap(CAST(prototype)), &call_runtime);
1084 Comment("Load ObjectCreateMap from PrototypeInfo");
1085 TNode<MaybeObject> maybe_map = LoadMaybeWeakObjectField(
1086 prototype_info, PrototypeInfo::kObjectCreateMapOffset);
1087 GotoIf(TaggedEqual(maybe_map, UndefinedConstant()), &call_runtime);
1088 map = CAST(GetHeapObjectAssumeWeak(maybe_map, &call_runtime));
1089 Goto(&instantiate_map);
1090 }
1091
1092 BIND(&instantiate_map);
1093 {
1094 TNode<JSObject> instance =
1095 AllocateJSObjectFromMap(map.value(), properties.value());
1096 args.PopAndReturn(instance);
1097 }
1098 }
1099
1100 BIND(&call_runtime);
1101 {
1102 TNode<Object> result = CallRuntime(Runtime::kObjectCreate, native_context,
1103 prototype, properties);
1104 args.PopAndReturn(result);
1105 }
1106 }
1107
1108 // ES #sec-object.is
TF_BUILTIN(ObjectIs,ObjectBuiltinsAssembler)1109 TF_BUILTIN(ObjectIs, ObjectBuiltinsAssembler) {
1110 const auto left = Parameter<Object>(Descriptor::kLeft);
1111 const auto right = Parameter<Object>(Descriptor::kRight);
1112
1113 Label return_true(this), return_false(this);
1114 BranchIfSameValue(left, right, &return_true, &return_false);
1115
1116 BIND(&return_true);
1117 Return(TrueConstant());
1118
1119 BIND(&return_false);
1120 Return(FalseConstant());
1121 }
1122
TF_BUILTIN(CreateIterResultObject,ObjectBuiltinsAssembler)1123 TF_BUILTIN(CreateIterResultObject, ObjectBuiltinsAssembler) {
1124 const auto value = Parameter<Object>(Descriptor::kValue);
1125 const auto done = Parameter<Oddball>(Descriptor::kDone);
1126 const auto context = Parameter<Context>(Descriptor::kContext);
1127
1128 const TNode<NativeContext> native_context = LoadNativeContext(context);
1129 const TNode<Map> map = CAST(
1130 LoadContextElement(native_context, Context::ITERATOR_RESULT_MAP_INDEX));
1131
1132 const TNode<JSObject> result = AllocateJSObjectFromMap(map);
1133
1134 StoreObjectFieldNoWriteBarrier(result, JSIteratorResult::kValueOffset, value);
1135 StoreObjectFieldNoWriteBarrier(result, JSIteratorResult::kDoneOffset, done);
1136
1137 Return(result);
1138 }
1139
TF_BUILTIN(HasProperty,ObjectBuiltinsAssembler)1140 TF_BUILTIN(HasProperty, ObjectBuiltinsAssembler) {
1141 auto key = Parameter<Object>(Descriptor::kKey);
1142 auto object = Parameter<Object>(Descriptor::kObject);
1143 auto context = Parameter<Context>(Descriptor::kContext);
1144
1145 Return(HasProperty(context, object, key, kHasProperty));
1146 }
1147
TF_BUILTIN(InstanceOf,ObjectBuiltinsAssembler)1148 TF_BUILTIN(InstanceOf, ObjectBuiltinsAssembler) {
1149 auto object = Parameter<Object>(Descriptor::kLeft);
1150 auto callable = Parameter<Object>(Descriptor::kRight);
1151 auto context = Parameter<Context>(Descriptor::kContext);
1152
1153 Return(InstanceOf(object, callable, context));
1154 }
1155
TF_BUILTIN(InstanceOf_WithFeedback,ObjectBuiltinsAssembler)1156 TF_BUILTIN(InstanceOf_WithFeedback, ObjectBuiltinsAssembler) {
1157 auto object = Parameter<Object>(Descriptor::kLeft);
1158 auto callable = Parameter<Object>(Descriptor::kRight);
1159 auto context = Parameter<Context>(Descriptor::kContext);
1160 auto maybe_feedback_vector =
1161 Parameter<HeapObject>(Descriptor::kMaybeFeedbackVector);
1162 auto slot = UncheckedParameter<UintPtrT>(Descriptor::kSlot);
1163
1164 CollectInstanceOfFeedback(callable, context, maybe_feedback_vector, slot);
1165 Return(InstanceOf(object, callable, context));
1166 }
1167
1168 // ES6 section 7.3.19 OrdinaryHasInstance ( C, O )
TF_BUILTIN(OrdinaryHasInstance,ObjectBuiltinsAssembler)1169 TF_BUILTIN(OrdinaryHasInstance, ObjectBuiltinsAssembler) {
1170 auto constructor = Parameter<Object>(Descriptor::kLeft);
1171 auto object = Parameter<Object>(Descriptor::kRight);
1172 auto context = Parameter<Context>(Descriptor::kContext);
1173
1174 Return(OrdinaryHasInstance(context, constructor, object));
1175 }
1176
TF_BUILTIN(CreateGeneratorObject,ObjectBuiltinsAssembler)1177 TF_BUILTIN(CreateGeneratorObject, ObjectBuiltinsAssembler) {
1178 auto closure = Parameter<JSFunction>(Descriptor::kClosure);
1179 auto receiver = Parameter<Object>(Descriptor::kReceiver);
1180 auto context = Parameter<Context>(Descriptor::kContext);
1181
1182 // Get the initial map from the function, jumping to the runtime if we don't
1183 // have one.
1184 Label done(this), runtime(this);
1185 GotoIfNot(IsFunctionWithPrototypeSlotMap(LoadMap(closure)), &runtime);
1186 TNode<HeapObject> maybe_map = LoadObjectField<HeapObject>(
1187 closure, JSFunction::kPrototypeOrInitialMapOffset);
1188 GotoIf(DoesntHaveInstanceType(maybe_map, MAP_TYPE), &runtime);
1189 TNode<Map> map = CAST(maybe_map);
1190
1191 TNode<SharedFunctionInfo> shared = LoadObjectField<SharedFunctionInfo>(
1192 closure, JSFunction::kSharedFunctionInfoOffset);
1193 TNode<BytecodeArray> bytecode_array =
1194 LoadSharedFunctionInfoBytecodeArray(shared);
1195
1196 TNode<IntPtrT> formal_parameter_count =
1197 ChangeInt32ToIntPtr(LoadObjectField<Uint16T>(
1198 shared, SharedFunctionInfo::kFormalParameterCountOffset));
1199 TNode<IntPtrT> frame_size = ChangeInt32ToIntPtr(
1200 LoadObjectField<Int32T>(bytecode_array, BytecodeArray::kFrameSizeOffset));
1201 TNode<IntPtrT> size =
1202 IntPtrAdd(WordSar(frame_size, IntPtrConstant(kTaggedSizeLog2)),
1203 formal_parameter_count);
1204 TNode<FixedArrayBase> parameters_and_registers =
1205 AllocateFixedArray(HOLEY_ELEMENTS, size);
1206 FillFixedArrayWithValue(HOLEY_ELEMENTS, parameters_and_registers,
1207 IntPtrConstant(0), size, RootIndex::kUndefinedValue);
1208 // TODO(cbruni): support start_offset to avoid double initialization.
1209 TNode<JSObject> result = AllocateJSObjectFromMap(
1210 map, base::nullopt, base::nullopt, kNone, kWithSlackTracking);
1211 StoreObjectFieldNoWriteBarrier(result, JSGeneratorObject::kFunctionOffset,
1212 closure);
1213 StoreObjectFieldNoWriteBarrier(result, JSGeneratorObject::kContextOffset,
1214 context);
1215 StoreObjectFieldNoWriteBarrier(result, JSGeneratorObject::kReceiverOffset,
1216 receiver);
1217 StoreObjectFieldNoWriteBarrier(
1218 result, JSGeneratorObject::kParametersAndRegistersOffset,
1219 parameters_and_registers);
1220 TNode<Smi> resume_mode = SmiConstant(JSGeneratorObject::ResumeMode::kNext);
1221 StoreObjectFieldNoWriteBarrier(result, JSGeneratorObject::kResumeModeOffset,
1222 resume_mode);
1223 TNode<Smi> executing = SmiConstant(JSGeneratorObject::kGeneratorExecuting);
1224 StoreObjectFieldNoWriteBarrier(result, JSGeneratorObject::kContinuationOffset,
1225 executing);
1226 GotoIfNot(InstanceTypeEqual(LoadMapInstanceType(map),
1227 JS_ASYNC_GENERATOR_OBJECT_TYPE),
1228 &done);
1229 StoreObjectFieldNoWriteBarrier(
1230 result, JSAsyncGeneratorObject::kIsAwaitingOffset, SmiConstant(0));
1231 Goto(&done);
1232
1233 BIND(&done);
1234 { Return(result); }
1235
1236 BIND(&runtime);
1237 {
1238 Return(CallRuntime(Runtime::kCreateJSGeneratorObject, context, closure,
1239 receiver));
1240 }
1241 }
1242
1243 // ES6 section 19.1.2.7 Object.getOwnPropertyDescriptor ( O, P )
TF_BUILTIN(ObjectGetOwnPropertyDescriptor,ObjectBuiltinsAssembler)1244 TF_BUILTIN(ObjectGetOwnPropertyDescriptor, ObjectBuiltinsAssembler) {
1245 auto argc = UncheckedParameter<Int32T>(Descriptor::kJSActualArgumentsCount);
1246 auto context = Parameter<Context>(Descriptor::kContext);
1247 CSA_ASSERT(this, IsUndefined(Parameter<Object>(Descriptor::kJSNewTarget)));
1248
1249 CodeStubArguments args(this, argc);
1250 TNode<Object> object_input = args.GetOptionalArgumentValue(0);
1251 TNode<Object> key = args.GetOptionalArgumentValue(1);
1252
1253 // 1. Let obj be ? ToObject(O).
1254 TNode<JSReceiver> object = ToObject_Inline(context, object_input);
1255
1256 // 2. Let key be ? ToPropertyKey(P).
1257 key = CallBuiltin(Builtins::kToName, context, key);
1258
1259 // 3. Let desc be ? obj.[[GetOwnProperty]](key).
1260 Label if_keyisindex(this), if_iskeyunique(this),
1261 call_runtime(this, Label::kDeferred),
1262 return_undefined(this, Label::kDeferred), if_notunique_name(this);
1263 TNode<Map> map = LoadMap(object);
1264 TNode<Uint16T> instance_type = LoadMapInstanceType(map);
1265 GotoIf(IsSpecialReceiverInstanceType(instance_type), &call_runtime);
1266 {
1267 TVARIABLE(IntPtrT, var_index, IntPtrConstant(0));
1268 TVARIABLE(Name, var_name);
1269
1270 TryToName(key, &if_keyisindex, &var_index, &if_iskeyunique, &var_name,
1271 &call_runtime, &if_notunique_name);
1272
1273 BIND(&if_notunique_name);
1274 {
1275 Label not_in_string_table(this);
1276 TryInternalizeString(CAST(key), &if_keyisindex, &var_index,
1277 &if_iskeyunique, &var_name, ¬_in_string_table,
1278 &call_runtime);
1279
1280 BIND(¬_in_string_table);
1281 {
1282 // If the string was not found in the string table, then no regular
1283 // object can have a property with that name, so return |undefined|.
1284 Goto(&return_undefined);
1285 }
1286 }
1287
1288 BIND(&if_iskeyunique);
1289 {
1290 Label if_found_value(this), return_empty(this), if_not_found(this);
1291
1292 TVARIABLE(Object, var_value);
1293 TVARIABLE(Uint32T, var_details);
1294 TVARIABLE(Object, var_raw_value);
1295
1296 TryGetOwnProperty(context, object, object, map, instance_type,
1297 var_name.value(), &if_found_value, &var_value,
1298 &var_details, &var_raw_value, &return_empty,
1299 &if_not_found, kReturnAccessorPair);
1300
1301 BIND(&if_found_value);
1302 // 4. Return FromPropertyDetails(desc).
1303 TNode<JSObject> js_desc = FromPropertyDetails(
1304 context, var_value.value(), var_details.value(), &call_runtime);
1305 args.PopAndReturn(js_desc);
1306
1307 BIND(&return_empty);
1308 var_value = UndefinedConstant();
1309 args.PopAndReturn(UndefinedConstant());
1310
1311 BIND(&if_not_found);
1312 Goto(&call_runtime);
1313 }
1314 }
1315
1316 BIND(&if_keyisindex);
1317 Goto(&call_runtime);
1318
1319 BIND(&call_runtime);
1320 {
1321 TNode<Object> desc =
1322 CallRuntime(Runtime::kGetOwnPropertyDescriptor, context, object, key);
1323
1324 GotoIf(IsUndefined(desc), &return_undefined);
1325
1326 TNode<PropertyDescriptorObject> desc_object = CAST(desc);
1327
1328 // 4. Return FromPropertyDescriptor(desc).
1329 TNode<JSObject> js_desc = FromPropertyDescriptor(context, desc_object);
1330 args.PopAndReturn(js_desc);
1331 }
1332 BIND(&return_undefined);
1333 args.PopAndReturn(UndefinedConstant());
1334 }
1335
AddToDictionaryIf(TNode<BoolT> condition,TNode<NameDictionary> name_dictionary,Handle<Name> name,TNode<Object> value,Label * bailout)1336 void ObjectBuiltinsAssembler::AddToDictionaryIf(
1337 TNode<BoolT> condition, TNode<NameDictionary> name_dictionary,
1338 Handle<Name> name, TNode<Object> value, Label* bailout) {
1339 Label done(this);
1340 GotoIfNot(condition, &done);
1341
1342 Add<NameDictionary>(name_dictionary, HeapConstant(name), value, bailout);
1343 Goto(&done);
1344
1345 BIND(&done);
1346 }
1347
FromPropertyDescriptor(TNode<Context> context,TNode<PropertyDescriptorObject> desc)1348 TNode<JSObject> ObjectBuiltinsAssembler::FromPropertyDescriptor(
1349 TNode<Context> context, TNode<PropertyDescriptorObject> desc) {
1350 TVARIABLE(JSObject, js_descriptor);
1351
1352 TNode<Int32T> flags = LoadAndUntagToWord32ObjectField(
1353 desc, PropertyDescriptorObject::kFlagsOffset);
1354
1355 TNode<Int32T> has_flags =
1356 Word32And(flags, Int32Constant(PropertyDescriptorObject::kHasMask));
1357
1358 Label if_accessor_desc(this), if_data_desc(this), if_generic_desc(this),
1359 return_desc(this);
1360 GotoIf(
1361 Word32Equal(has_flags,
1362 Int32Constant(
1363 PropertyDescriptorObject::kRegularAccessorPropertyBits)),
1364 &if_accessor_desc);
1365 GotoIf(Word32Equal(
1366 has_flags,
1367 Int32Constant(PropertyDescriptorObject::kRegularDataPropertyBits)),
1368 &if_data_desc);
1369 Goto(&if_generic_desc);
1370
1371 BIND(&if_accessor_desc);
1372 {
1373 js_descriptor = ConstructAccessorDescriptor(
1374 context, LoadObjectField(desc, PropertyDescriptorObject::kGetOffset),
1375 LoadObjectField(desc, PropertyDescriptorObject::kSetOffset),
1376 IsSetWord32<PropertyDescriptorObject::IsEnumerableBit>(flags),
1377 IsSetWord32<PropertyDescriptorObject::IsConfigurableBit>(flags));
1378 Goto(&return_desc);
1379 }
1380
1381 BIND(&if_data_desc);
1382 {
1383 js_descriptor = ConstructDataDescriptor(
1384 context, LoadObjectField(desc, PropertyDescriptorObject::kValueOffset),
1385 IsSetWord32<PropertyDescriptorObject::IsWritableBit>(flags),
1386 IsSetWord32<PropertyDescriptorObject::IsEnumerableBit>(flags),
1387 IsSetWord32<PropertyDescriptorObject::IsConfigurableBit>(flags));
1388 Goto(&return_desc);
1389 }
1390
1391 BIND(&if_generic_desc);
1392 {
1393 TNode<NativeContext> native_context = LoadNativeContext(context);
1394 TNode<Map> map = CAST(LoadContextElement(
1395 native_context, Context::SLOW_OBJECT_WITH_OBJECT_PROTOTYPE_MAP));
1396 // We want to preallocate the slots for value, writable, get, set,
1397 // enumerable and configurable - a total of 6
1398 TNode<NameDictionary> properties = AllocateNameDictionary(6);
1399 TNode<JSObject> js_desc = AllocateJSObjectFromMap(map, properties);
1400
1401 Label bailout(this, Label::kDeferred);
1402
1403 Factory* factory = isolate()->factory();
1404 TNode<Object> value =
1405 LoadObjectField(desc, PropertyDescriptorObject::kValueOffset);
1406 AddToDictionaryIf(IsNotTheHole(value), properties, factory->value_string(),
1407 value, &bailout);
1408 AddToDictionaryIf(
1409 IsSetWord32<PropertyDescriptorObject::HasWritableBit>(flags),
1410 properties, factory->writable_string(),
1411 SelectBooleanConstant(
1412 IsSetWord32<PropertyDescriptorObject::IsWritableBit>(flags)),
1413 &bailout);
1414
1415 TNode<Object> get =
1416 LoadObjectField(desc, PropertyDescriptorObject::kGetOffset);
1417 AddToDictionaryIf(IsNotTheHole(get), properties, factory->get_string(), get,
1418 &bailout);
1419 TNode<Object> set =
1420 LoadObjectField(desc, PropertyDescriptorObject::kSetOffset);
1421 AddToDictionaryIf(IsNotTheHole(set), properties, factory->set_string(), set,
1422 &bailout);
1423
1424 AddToDictionaryIf(
1425 IsSetWord32<PropertyDescriptorObject::HasEnumerableBit>(flags),
1426 properties, factory->enumerable_string(),
1427 SelectBooleanConstant(
1428 IsSetWord32<PropertyDescriptorObject::IsEnumerableBit>(flags)),
1429 &bailout);
1430 AddToDictionaryIf(
1431 IsSetWord32<PropertyDescriptorObject::HasConfigurableBit>(flags),
1432 properties, factory->configurable_string(),
1433 SelectBooleanConstant(
1434 IsSetWord32<PropertyDescriptorObject::IsConfigurableBit>(flags)),
1435 &bailout);
1436
1437 js_descriptor = js_desc;
1438 Goto(&return_desc);
1439
1440 BIND(&bailout);
1441 CSA_ASSERT(this, Int32Constant(0));
1442 Unreachable();
1443 }
1444
1445 BIND(&return_desc);
1446 return js_descriptor.value();
1447 }
1448
FromPropertyDetails(TNode<Context> context,TNode<Object> raw_value,TNode<Word32T> details,Label * if_bailout)1449 TNode<JSObject> ObjectBuiltinsAssembler::FromPropertyDetails(
1450 TNode<Context> context, TNode<Object> raw_value, TNode<Word32T> details,
1451 Label* if_bailout) {
1452 TVARIABLE(JSObject, js_descriptor);
1453
1454 Label if_accessor_desc(this), if_data_desc(this), return_desc(this);
1455 BranchIfAccessorPair(raw_value, &if_accessor_desc, &if_data_desc);
1456
1457 BIND(&if_accessor_desc);
1458 {
1459 TNode<AccessorPair> accessor_pair_value = CAST(raw_value);
1460 TNode<HeapObject> getter = LoadObjectField<HeapObject>(
1461 accessor_pair_value, AccessorPair::kGetterOffset);
1462 TNode<HeapObject> setter = LoadObjectField<HeapObject>(
1463 accessor_pair_value, AccessorPair::kSetterOffset);
1464 js_descriptor = ConstructAccessorDescriptor(
1465 context, GetAccessorOrUndefined(getter, if_bailout),
1466 GetAccessorOrUndefined(setter, if_bailout),
1467 IsNotSetWord32(details, PropertyDetails::kAttributesDontEnumMask),
1468 IsNotSetWord32(details, PropertyDetails::kAttributesDontDeleteMask));
1469 Goto(&return_desc);
1470 }
1471
1472 BIND(&if_data_desc);
1473 {
1474 js_descriptor = ConstructDataDescriptor(
1475 context, raw_value,
1476 IsNotSetWord32(details, PropertyDetails::kAttributesReadOnlyMask),
1477 IsNotSetWord32(details, PropertyDetails::kAttributesDontEnumMask),
1478 IsNotSetWord32(details, PropertyDetails::kAttributesDontDeleteMask));
1479 Goto(&return_desc);
1480 }
1481
1482 BIND(&return_desc);
1483 return js_descriptor.value();
1484 }
1485
GetAccessorOrUndefined(TNode<HeapObject> accessor,Label * if_bailout)1486 TNode<HeapObject> ObjectBuiltinsAssembler::GetAccessorOrUndefined(
1487 TNode<HeapObject> accessor, Label* if_bailout) {
1488 Label bind_undefined(this, Label::kDeferred), return_result(this);
1489 TVARIABLE(HeapObject, result);
1490
1491 GotoIf(IsNull(accessor), &bind_undefined);
1492 result = accessor;
1493 TNode<Map> map = LoadMap(accessor);
1494 // TODO(ishell): probe template instantiations cache.
1495 GotoIf(IsFunctionTemplateInfoMap(map), if_bailout);
1496 Goto(&return_result);
1497
1498 BIND(&bind_undefined);
1499 result = UndefinedConstant();
1500 Goto(&return_result);
1501
1502 BIND(&return_result);
1503 return result.value();
1504 }
1505 } // namespace internal
1506 } // namespace v8
1507