[MERGE #5019 @pleath] Support polymorphic type checks for equivalent objtypespec

Merge pull request #5019 from pleath:polyequiv

For type checks where we have a set of multiple equivalent types, create a property guard that is structured like a polymorphic inline cache, with an underlying array of types indexed by a hash of the type pointer.

Author: pleath

lib/Backend/Chakra.Backend.vcxproj

@@ -475,7 +475,6 @@
     <ClInclude Include="NativeCodeGenerator.h" />
     <ClInclude Include="Opnd.h" />
     <ClInclude Include="Peeps.h" />
-    <ClInclude Include="PropertyGuard.h" />
     <ClInclude Include="QueuedFullJitWorkItem.h" />
     <ClInclude Include="Region.h" />
     <ClInclude Include="SccLiveness.h" />

lib/Backend/Chakra.Backend.vcxproj.filters

@@ -372,7 +372,6 @@
     <ClInclude Include="ValueInfo.h" />
     <ClInclude Include="JITThunkEmitter.h" />
     <ClInclude Include="IntConstMath.h" />
-    <ClInclude Include="PropertyGuard.h" />
     <ClInclude Include="JavascriptNativeOperators.h" />
     <ClInclude Include="EquivalentTypeSet.h" />
     <ClInclude Include="arm64\MdOpCodes.h">

lib/Backend/Func.cpp

@@ -1585,6 +1585,26 @@ Func::CreateEquivalentTypeGuard(JITTypeHolder type, uint32 objTypeSpecFldId)
 
     Js::JitEquivalentTypeGuard* guard = NativeCodeDataNewNoFixup(GetNativeCodeDataAllocator(), Js::JitEquivalentTypeGuard, type->GetAddr(), this->indexedPropertyGuardCount++, objTypeSpecFldId);
 
+    this->InitializeEquivalentTypeGuard(guard);
+
+    return guard;
+}
+
+Js::JitPolyEquivalentTypeGuard*
+Func::CreatePolyEquivalentTypeGuard(uint32 objTypeSpecFldId)
+{
+    EnsureEquivalentTypeGuards();
+
+    Js::JitPolyEquivalentTypeGuard* guard = NativeCodeDataNewNoFixup(GetNativeCodeDataAllocator(), Js::JitPolyEquivalentTypeGuard, this->indexedPropertyGuardCount++, objTypeSpecFldId);
+
+    this->InitializeEquivalentTypeGuard(guard);
+
+    return guard;
+}
+
+void
+Func::InitializeEquivalentTypeGuard(Js::JitEquivalentTypeGuard * guard)
+{
     // If we want to hard code the address of the cache, we will need to go back to allocating it from the native code data allocator.
     // We would then need to maintain consistency (double write) to both the recycler allocated cache and the one on the heap.
     Js::EquivalentTypeCache* cache = nullptr;
@@ -1601,8 +1621,6 @@ Func::CreateEquivalentTypeGuard(JITTypeHolder type, uint32 objTypeSpecFldId)
     // Give the cache a back-pointer to the guard so that the guard can be cleared at runtime if necessary.
     cache->SetGuard(guard);
     this->equivalentTypeGuards->Prepend(guard);
-
-    return guard;
 }
 
 void

lib/Backend/Func.h

@@ -449,8 +449,10 @@ static const unsigned __int64 c_debugFillPattern8 = 0xcececececececece;
     void EnsureSingleTypeGuards();
     Js::JitTypePropertyGuard* GetOrCreateSingleTypeGuard(intptr_t typeAddr);
 
-    void  EnsureEquivalentTypeGuards();
+    void EnsureEquivalentTypeGuards();
+    void InitializeEquivalentTypeGuard(Js::JitEquivalentTypeGuard * guard);
     Js::JitEquivalentTypeGuard * CreateEquivalentTypeGuard(JITTypeHolder type, uint32 objTypeSpecFldId);
+    Js::JitPolyEquivalentTypeGuard * CreatePolyEquivalentTypeGuard(uint32 objTypeSpecFldId);
 
     void ThrowIfScriptClosed();
     void EnsurePropertyGuardsByPropertyId();

lib/Backend/JITTimeConstructorCache.cpp

@@ -22,7 +22,7 @@ JITTimeConstructorCache::JITTimeConstructorCache(const Js::JavascriptFunction* c
     m_data.guardedPropOps = 0;
     if (runtimeCache->IsNormal())
     {
-        JITType::BuildFromJsType(runtimeCache->content.type, (JITType*)&m_data.type);
+        JITType::BuildFromJsType(reinterpret_cast<Js::DynamicType*>(runtimeCache->GetValue()), (JITType*)&m_data.type);
     }
 }
 

lib/Backend/JavascriptNativeOperators.cpp

@@ -101,16 +101,47 @@ namespace Js
         return CheckIfTypeIsEquivalent(type, guard);
     }
 
+    bool JavascriptNativeOperators::CheckIfPolyTypeIsEquivalentForFixedField(Type* type, JitPolyEquivalentTypeGuard* guard, uint8 index)
+    {
+        if (guard->GetPolyValue(index) == PropertyGuard::GuardValue::Invalidated_DuringSweep)
+        {
+            return false;
+        }
+        return CheckIfPolyTypeIsEquivalent(type, guard, index);
+    }
+
     bool JavascriptNativeOperators::CheckIfTypeIsEquivalent(Type* type, JitEquivalentTypeGuard* guard)
     {
-        if (guard->GetValue() == PropertyGuard::GuardValue::Invalidated)
+        bool result = EquivalenceCheckHelper(type, guard, guard->GetValue());
+        if (result)
+        {
+            guard->SetTypeAddr((intptr_t)type);
+        }
+        return result;
+    }
+
+    bool JavascriptNativeOperators::CheckIfPolyTypeIsEquivalent(Type* type, JitPolyEquivalentTypeGuard* guard, uint8 index)
+    {
+        bool result = EquivalenceCheckHelper(type, guard, guard->GetPolyValue(index));
+        if (result)
+        {
+            guard->SetPolyValue((intptr_t)type, index);
+        }
+        return result;
+    }
+
+    bool JavascriptNativeOperators::EquivalenceCheckHelper(Type* type, JitEquivalentTypeGuard* guard, intptr_t guardValue)
+    {
+        if (guardValue == PropertyGuard::GuardValue::Invalidated)
         {
             return false;
         }
 
-        AssertMsg(type && type->GetScriptContext(), "type and it's ScriptContext should be valid.");
+        AssertMsg(type && type->GetScriptContext(), "type and its ScriptContext should be valid.");
 
-        if (!guard->IsInvalidatedDuringSweep() && ((Js::Type*)guard->GetTypeAddr())->GetScriptContext() != type->GetScriptContext())
+        if (guardValue != PropertyGuard::GuardValue::Invalidated_DuringSweep &&
+            guardValue != PropertyGuard::GuardValue::Uninitialized &&
+            ((Js::Type*)guardValue)->GetScriptContext() != type->GetScriptContext())
         {
             // For valid guard value, can't cache cross-context objects
             return false;
@@ -158,7 +189,6 @@ namespace Js
                     }
                 }
 #endif
-                guard->SetTypeAddr((intptr_t)type);
                 return true;
             }
 
@@ -326,7 +356,6 @@ namespace Js
         }
 
         type->SetHasBeenCached();
-        guard->SetTypeAddr((intptr_t)type);
         return true;
     }
 #endif

lib/Backend/JavascriptNativeOperators.h

@@ -133,6 +133,9 @@ namespace Js
 #endif        
         static bool CheckIfTypeIsEquivalent(Type* type, JitEquivalentTypeGuard* guard);
         static bool CheckIfTypeIsEquivalentForFixedField(Type* type, JitEquivalentTypeGuard* guard);
+        static bool CheckIfPolyTypeIsEquivalent(Type* type, JitPolyEquivalentTypeGuard* guard, uint8 index);
+        static bool CheckIfPolyTypeIsEquivalentForFixedField(Type* type, JitPolyEquivalentTypeGuard* guard, uint8 index);
+        static bool EquivalenceCheckHelper(Type* type, JitEquivalentTypeGuard* guard, intptr_t value);
 
         static Var OP_GetElementI_JIT_ExpectingNativeFloatArray(Var instance, Var index, ScriptContext *scriptContext);
         static Var OP_GetElementI_JIT_ExpectingVarArray(Var instance, Var index, ScriptContext *scriptContext);

lib/Backend/JnHelperMethodList.h

@@ -252,6 +252,8 @@ HELPERCALL(Op_ScopedGetMethodPolymorphic, ((Js::Var (*)(Js::FunctionBody *const,
 
 HELPERCALL(CheckIfTypeIsEquivalent, Js::JavascriptNativeOperators::CheckIfTypeIsEquivalent, 0)
 HELPERCALL(CheckIfTypeIsEquivalentForFixedField, Js::JavascriptNativeOperators::CheckIfTypeIsEquivalentForFixedField, 0)
+HELPERCALL(CheckIfPolyTypeIsEquivalent, Js::JavascriptNativeOperators::CheckIfPolyTypeIsEquivalent, 0)
+HELPERCALL(CheckIfPolyTypeIsEquivalentForFixedField, Js::JavascriptNativeOperators::CheckIfPolyTypeIsEquivalentForFixedField, 0)
 
 HELPERCALL(Op_Delete, Js::JavascriptOperators::Delete, AttrCanThrow)
 HELPERCALL(OP_InitSetter, Js::JavascriptOperators::OP_InitSetter, AttrCanThrow)