Always store stubs on the JSObject receiver, even when in slow mode.

src/ic.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 174 matching lines @@
   if (target()->is_keyed_stub()) {
     // Determine whether the failure is due to a name failure.
     if (!name->IsName()) return false;
     Name* stub_name = target()->FindFirstName();
     if (Name::cast(name) != stub_name) return false;
   }
 
   InlineCacheHolderFlag cache_holder =
       Code::ExtractCacheHolderFromFlags(target()->flags());
 
-  if (cache_holder == OWN_MAP && !receiver->IsJSObject()) {
-    // The stub was generated for JSObject but called for non-JSObject.
-    // IC::GetCodeCacheHolder is not applicable.
-    return false;
-  } else if (cache_holder == PROTOTYPE_MAP &&
-             receiver->GetPrototype(isolate())->IsNull()) {
-    // IC::GetCodeCacheHolder is not applicable.
-    return false;
+  switch (cache_holder) {
+    case OWN_MAP:
+      // The stub was generated for JSObject but called for non-JSObject.
+      // IC::GetCodeCacheHolder is not applicable.
+      if (!receiver->IsJSObject()) return false;
+      break;
+    case PROTOTYPE_MAP:
+      // IC::GetCodeCacheHolder is not applicable.
+      if (receiver->GetPrototype(isolate())->IsNull()) return false;
+      break;
   }
+
   Map* map = IC::GetCodeCacheHolder(isolate(), receiver, cache_holder)->map();
 
   // Decide whether the inline cache failed because of changes to the
   // receiver itself or changes to one of its prototypes.
   //
   // If there are changes to the receiver itself, the map of the
   // receiver will have changed and the current target will not be in
   // the receiver map's code cache.  Therefore, if the current target
   // is in the receiver map's code cache, the inline cache failed due
   // to prototype check failure.
@@ skipping 230 matching lines @@
   SetTargetAtAddress(address, GetRawUninitialized(isolate, op));
   PatchInlinedSmiCode(address, DISABLE_INLINED_SMI_CHECK);
 }
 
 
 static bool HasInterceptorGetter(JSObject* object) {
   return !object->GetNamedInterceptor()->getter()->IsUndefined();
 }
 
 
+static bool HasInterceptorSetter(JSObject* object) {
+  return !object->GetNamedInterceptor()->setter()->IsUndefined();
+}
+
+
 static void LookupForRead(Handle<Object> object,
                           Handle<String> name,
                           LookupResult* lookup) {
   // Skip all the objects with named interceptors, but
   // without actual getter.
   while (true) {
     object->Lookup(*name, lookup);
     // Besides normal conditions (property not found or it's not
     // an interceptor), bail out if lookup is not cacheable: we won't
     // be able to IC it anyway and regular lookup should work fine.
@@ skipping 998 matching lines @@
                            Handle<String> name,
                            Handle<Object> value,
                            LookupResult* lookup,
                            IC* ic) {
   Handle<JSObject> holder = receiver;
   receiver->Lookup(*name, lookup);
   if (lookup->IsFound()) {
     if (lookup->IsReadOnly() || !lookup->IsCacheable()) return false;
 
     if (lookup->holder() == *receiver) {
-      if (lookup->IsInterceptor() &&
-          receiver->GetNamedInterceptor()->setter()->IsUndefined()) {
+      if (lookup->IsInterceptor() && !HasInterceptorSetter(*receiver)) {
         receiver->LocalLookupRealNamedProperty(*name, lookup);
         return lookup->IsFound() &&
             !lookup->IsReadOnly() &&
             lookup->CanHoldValue(value) &&
             lookup->IsCacheable();
       }
       return lookup->CanHoldValue(value);
     }
 
     if (lookup->IsPropertyCallbacks()) return true;
@@ skipping 160 matching lines @@
 void StoreIC::UpdateCaches(LookupResult* lookup,
                            Handle<JSObject> receiver,
                            Handle<String> name,
                            Handle<Object> value) {
   ASSERT(!receiver->IsJSGlobalProxy());
   ASSERT(lookup->IsFound());
 
   // These are not cacheable, so we never see such LookupResults here.
   ASSERT(!lookup->IsHandler());
 
-  Handle<Code> code = ComputeStoreMonomorphic(lookup, receiver, name, value);
+  Handle<Code> code = ComputeStoreHandler(lookup, receiver, name, value);
   if (code.is_null()) {
     set_target(*generic_stub());
     return;
   }
 
   PatchCache(receiver, name, code);
   TRACE_IC("StoreIC", name, target());
 }
 
 
-Handle<Code> StoreIC::ComputeStoreMonomorphic(LookupResult* lookup,
-                                              Handle<JSObject> receiver,
-                                              Handle<String> name,
-                                              Handle<Object> value) {
+Handle<Code> StoreIC::ComputeStoreHandler(LookupResult* lookup,
+                                          Handle<JSObject> receiver,
+                                          Handle<String> name,
+                                          Handle<Object> value) {
   Handle<JSObject> holder(lookup->holder());
   switch (lookup->type()) {
     case FIELD:
       return isolate()->stub_cache()->ComputeStoreField(
           name, receiver, lookup, strict_mode());
     case NORMAL:
       if (receiver->IsGlobalObject()) {
         // The stub generated for the global object picks the value directly
         // from the property cell. So the property must be directly on the
         // global object.
@@ skipping 32 matching lines @@
             name, receiver, holder, Handle<JSFunction>::cast(setter),
             strict_mode());
       }
       // TODO(dcarney): Handle correctly.
       if (callback->IsDeclaredAccessorInfo()) break;
       ASSERT(callback->IsForeign());
       // No IC support for old-style native accessors.
       break;
     }
     case INTERCEPTOR:
-      ASSERT(!receiver->GetNamedInterceptor()->setter()->IsUndefined());
+      ASSERT(HasInterceptorSetter(*receiver));
       return isolate()->stub_cache()->ComputeStoreInterceptor(
           name, receiver, strict_mode());
     case CONSTANT:
       break;
     case TRANSITION: {
       // Explicitly pass in the receiver map since LookupForWrite may have
       // stored something else than the receiver in the holder.
       Handle<Map> transition(
           lookup->GetTransitionTarget(receiver->map()), isolate());
       int descriptor = transition->LastAdded();
@@ skipping 312 matching lines @@
     ASSERT(!stub.is_null());
     set_target(*stub);
     TRACE_IC("KeyedStoreIC", key, target());
   }
 
   return Runtime::SetObjectPropertyOrFail(
       isolate(), object , key, value, NONE, strict_mode());
 }
 
 
-Handle<Code> KeyedStoreIC::ComputeStoreMonomorphic(LookupResult* lookup,
-                                                   Handle<JSObject> receiver,
-                                                   Handle<String> name,
-                                                   Handle<Object> value) {
+Handle<Code> KeyedStoreIC::ComputeStoreHandler(LookupResult* lookup,
+                                               Handle<JSObject> receiver,
+                                               Handle<String> name,
+                                               Handle<Object> value) {
   // If the property has a non-field type allowing map transitions
   // where there is extra room in the object, we leave the IC in its
   // current state.
   switch (lookup->type()) {
     case FIELD:
       return isolate()->stub_cache()->ComputeKeyedStoreField(
           name, receiver, lookup, strict_mode());
     case TRANSITION: {
       // Explicitly pass in the receiver map since LookupForWrite may have
       // stored something else than the receiver in the holder.
@@ skipping 903 matching lines @@
 #undef ADDR
 };
 
 
 Address IC::AddressFromUtilityId(IC::UtilityId id) {
   return IC_utilities[id];
 }
 
 
 } }  // namespace v8::internal