[maps] Create map transitions for derived maps with custom proto

o- · V8 LUCI CQ · commit 9b5b6ee98ed2 · 2023-08-15T09:24:31.000Z
Prevents us from creating excessive maps in the case of e.g., Reflect.construct with a newTarget. Measured impact on top 10k websites is an average of 1% reduction in map allocations. Bug: v8:13978 Change-Id: I324389f0febfa47a3a179ccdb30029723278ba5e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4750265 Commit-Queue: Olivier Flückiger <olivf@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Auto-Submit: Olivier Flückiger <olivf@chromium.org> Cr-Commit-Position: refs/heads/main@{#89520}
diff --git a/src/objects/js-function.cc b/src/objects/js-function.cc
@@ -1083,13 +1083,13 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
                                          isolate);
     prototype = handle(realm_constructor->prototype(), isolate);
   }
-
-  Handle<Map> map = Map::CopyInitialMap(isolate, constructor_initial_map);
-  map->set_new_target_is_base(false);
   CHECK(IsJSReceiver(*prototype));
-  if (map->prototype() != *prototype)
-    Map::SetPrototype(isolate, map, Handle<HeapObject>::cast(prototype));
-  map->SetConstructor(*constructor);
+  DCHECK_EQ(constructor_initial_map->constructor_or_back_pointer(),
+            *constructor);
+
+  Handle<Map> map = Map::TransitionToDerivedMap(
+      isolate, constructor_initial_map, Handle<HeapObject>::cast(prototype));
+  DCHECK_EQ(map->constructor_or_back_pointer(), *constructor);
   return map;
 }
 
diff --git a/src/objects/map.cc b/src/objects/map.cc
@@ -2333,13 +2333,31 @@ void Map::StartInobjectSlackTracking() {
 
 Handle<Map> Map::TransitionToPrototype(Isolate* isolate, Handle<Map> map,
                                        Handle<HeapObject> prototype) {
-  Handle<Map> new_map =
-      TransitionsAccessor::GetPrototypeTransition(isolate, map, prototype);
+  Handle<Map> new_map = TransitionsAccessor::GetPrototypeTransition(
+      isolate, map, prototype, map->new_target_is_base());
   if (new_map.is_null()) {
     new_map = Copy(isolate, map, "TransitionToPrototype");
     TransitionsAccessor::PutPrototypeTransition(isolate, map, prototype,
                                                 new_map);
-    Map::SetPrototype(isolate, new_map, prototype);
+    if (*prototype != map->prototype()) {
+      Map::SetPrototype(isolate, new_map, prototype);
+    }
+  }
+  return new_map;
+}
+
+Handle<Map> Map::TransitionToDerivedMap(Isolate* isolate, Handle<Map> map,
+                                        Handle<HeapObject> prototype) {
+  Handle<Map> new_map = TransitionsAccessor::GetPrototypeTransition(
+      isolate, map, prototype, /* new_target_is_base */ false);
+  if (new_map.is_null()) {
+    new_map = CopyInitialMap(isolate, map);
+    TransitionsAccessor::PutPrototypeTransition(isolate, map, prototype,
+                                                new_map);
+    if (*prototype != map->prototype()) {
+      Map::SetPrototype(isolate, new_map, prototype);
+    }
+    new_map->set_new_target_is_base(false);
   }
   return new_map;
 }
diff --git a/src/objects/map.h b/src/objects/map.h
@@ -859,6 +859,9 @@ class Map : public TorqueGeneratedMap<Map, HeapObject> {
   V8_EXPORT_PRIVATE static Handle<Map> TransitionToPrototype(
       Isolate* isolate, Handle<Map> map, Handle<HeapObject> prototype);
 
+  V8_EXPORT_PRIVATE static Handle<Map> TransitionToDerivedMap(
+      Isolate* isolate, Handle<Map> map, Handle<HeapObject> prototype);
+
   static Handle<Map> TransitionToImmutableProto(Isolate* isolate,
                                                 Handle<Map> map);
 
diff --git a/src/objects/transitions.cc b/src/objects/transitions.cc
@@ -441,8 +441,10 @@ void TransitionsAccessor::PutPrototypeTransition(Isolate* isolate,
 
 // static
 Handle<Map> TransitionsAccessor::GetPrototypeTransition(
-    Isolate* isolate, Handle<Map> map, Handle<Object> prototype) {
+    Isolate* isolate, Handle<Map> map, Handle<Object> prototype_handle,
+    bool new_target_is_base) {
   DisallowGarbageCollection no_gc;
+  Object prototype = *prototype_handle;
   WeakFixedArray cache = GetPrototypeTransitions(isolate, map);
   int length = TransitionArray::NumberOfPrototypeTransitions(cache);
   for (int i = 0; i < length; i++) {
@@ -452,7 +454,8 @@ Handle<Map> TransitionsAccessor::GetPrototypeTransition(
     HeapObject heap_object;
     if (target->GetHeapObjectIfWeak(&heap_object)) {
       Map target_map = Map::cast(heap_object);
-      if (target_map->prototype() == *prototype) {
+      if (target_map->prototype() == prototype &&
+          target_map->new_target_is_base() == new_target_is_base) {
         return handle(target_map, isolate);
       }
     }
diff --git a/src/objects/transitions.h b/src/objects/transitions.h
@@ -121,19 +121,20 @@ class V8_EXPORT_PRIVATE TransitionsAccessor {
   }
 
   // ===== PROTOTYPE TRANSITIONS =====
-  // When you set the prototype of an object using the __proto__ accessor you
-  // need a new map for the object (the prototype is stored in the map).  In
-  // order not to multiply maps unnecessarily we store these as transitions in
-  // the original map.  That way we can transition to the same map if the same
-  // prototype is set, rather than creating a new map every time.  The
-  // transitions are in the form of a map where the keys are prototype objects
-  // and the values are the maps they transition to.
-  // PutPrototypeTransition can trigger GC.
+  // When you set the prototype of an object using the __proto__ accessor, or if
+  // an unrelated new.target is passed to a constructor you need a new map for
+  // the object (the prototype is stored in the map).  In order not to multiply
+  // maps unnecessarily we store these as transitions in the original map.  That
+  // way we can transition to the same map if the same prototype is set, rather
+  // than creating a new map every time.  The transitions are in the form of a
+  // map where the keys are prototype objects and the values are the maps they
+  // transition to. PutPrototypeTransition can trigger GC.
   static void PutPrototypeTransition(Isolate* isolate, Handle<Map>,
                                      Handle<Object> prototype,
                                      Handle<Map> target_map);
   static Handle<Map> GetPrototypeTransition(Isolate* isolate, Handle<Map> map,
-                                            Handle<Object> prototype);
+                                            Handle<Object> prototype,
+                                            bool new_target_is_base);
 
   // During the first-time Map::Update and Map::TryUpdate, the migration target
   // map could be cached in the raw_transitions slot of the old map that is
diff --git a/test/mjsunit/regress/regress-reflect-construct.js b/test/mjsunit/regress/regress-reflect-construct.js
@@ -0,0 +1,31 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+
+class A {};
+class B {};
+class C {};
+class D {};
+class E {};
+class V { constructor() { this.v = 1 } };
+class W { constructor() { this.w = 1 } };
+class X { constructor() { this.x = 1 } };
+class Y { constructor() { this.y = 1 } };
+class Z { constructor() { this.z = 1 } };
+
+var ctrs = [
+  function() {},
+  A,B,C,D,E,V,W,X,Y,Z
+];
+
+for (var it = 0; it < 20; ++it) {
+  for (var i in ctrs) {
+    for (var j in ctrs) {
+      assertTrue(%HaveSameMap(Reflect.construct(ctrs[i],[],ctrs[j]),
+                              Reflect.construct(ctrs[i],[],ctrs[j])));
+    }
+  }
+}
