Changeset 167501 in webkit

Timestamp:

Apr 18, 2014 1:07:50 PM (10 years ago)

Author:

mhahnenberg@apple.com

Message:

Deleting properties poisons objects
​https://bugs.webkit.org/show_bug.cgi?id=131551

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:
This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

• runtime/Structure.cpp:

(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
(JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
delete transitions, but we allow transitioning from them.
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
(JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
(JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.

• runtime/Structure.h:
• runtime/StructureInlines.h:

(JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.

LayoutTests:
New JS regress test. We're ~3.5x faster on this microbenchmark now.

• js/regress/delete-a-few-properties-then-get-by-id-expected.txt: Added.
• js/regress/delete-a-few-properties-then-get-by-id.html: Added.
• js/regress/script-tests/delete-a-few-properties-then-get-by-id.js: Added.

(MyObject):
(foo):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress/delete-a-few-properties-then-get-by-id-expected.txt (added)
• LayoutTests/js/regress/delete-a-few-properties-then-get-by-id.html (added)
• LayoutTests/js/regress/script-tests/delete-a-few-properties-then-get-by-id.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Structure.cpp (modified) (13 diffs)
• Source/JavaScriptCore/runtime/Structure.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/StructureInlines.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Deleting properties poisons objects
+        https://bugs.webkit.org/show_bug.cgi?id=131551
+
+        Reviewed by Geoffrey Garen.
+
+        New JS regress test. We're ~3.5x faster on this microbenchmark now.
+
+        * js/regress/delete-a-few-properties-then-get-by-id-expected.txt: Added.
+        * js/regress/delete-a-few-properties-then-get-by-id.html: Added.
+        * js/regress/script-tests/delete-a-few-properties-then-get-by-id.js: Added.
+        (MyObject):
+        (foo):
+
 2014-04-18  Alexey Proskuryakov  <ap@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Deleting properties poisons objects
+        https://bugs.webkit.org/show_bug.cgi?id=131551
+
+        Reviewed by Geoffrey Garen.
+
+        This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::Structure):
+        (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
+        (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
+        Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
+        delete transitions, but we allow transitioning from them.
+        (JSC::Structure::changePrototypeTransition):
+        (JSC::Structure::despecifyFunctionTransition):
+        (JSC::Structure::attributeChangeTransition):
+        (JSC::Structure::toDictionaryTransition):
+        (JSC::Structure::preventExtensionsTransition):
+        (JSC::Structure::addPropertyWithoutTransition):
+        (JSC::Structure::removePropertyWithoutTransition):
+        (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
+        (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
+        * runtime/Structure.h:
+        * runtime/StructureInlines.h:
+        (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
+
 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp

@@ -64 +64 @@
     jsPropertyNameIterator->finishCreation(vm, propertyNames.data(), o);
 
-    if (o->structure()->isDictionary())
+    // JSPropertyNameIterator doesn't know how to skip deleted buckets, so just give up.
+    if (o->structure()->isDictionary() || o->structure()->hasDeletedOffsets())
         return jsPropertyNameIterator;
 

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -166 +166 @@
     , m_offset(invalidOffset)
     , m_inlineCapacity(inlineCapacity)
+    , m_forgivenDeletes(0)
     , m_dictionaryKind(NoneDictionaryKind)
     , m_isPinnedPropertyTable(false)
@@ -193 +194 @@
     , m_offset(invalidOffset)
     , m_inlineCapacity(0)
+    , m_forgivenDeletes(0)
     , m_dictionaryKind(NoneDictionaryKind)
     , m_isPinnedPropertyTable(false)
@@ -219 +221 @@
     , m_offset(invalidOffset)
     , m_inlineCapacity(previous->m_inlineCapacity)
+    , m_forgivenDeletes(previous->m_forgivenDeletes)
     , m_dictionaryKind(previous->m_dictionaryKind)
     , m_isPinnedPropertyTable(false)
@@ -311 +314 @@
         if (!structure->m_nameInPrevious)
             continue;
-        PropertyMapEntry entry(vm, this, structure->m_nameInPrevious.get(), structure->m_offset, structure->m_attributesInPrevious, structure->m_specificValueInPrevious.get());
+
+        PropertyMapEntry entry(vm, this, 
+            structure->m_nameInPrevious.get(), 
+            propertyTable()->nextOffset(m_inlineCapacity),
+            structure->m_attributesInPrevious, 
+            structure->m_specificValueInPrevious.get());
         propertyTable()->add(entry, m_offset, PropertyTable::PropertyOffsetMustNotChange);
     }
@@ -459 +467 @@
     ASSERT(!structure->isUncacheableDictionary());
 
+    if (structure->m_forgivenDeletes < s_maxForgivenDeletes) {
+        Structure* transition = create(vm, structure);
+
+        DeferGC deferGC(vm.heap);
+        structure->materializePropertyMapIfNecessary(vm, deferGC);
+        transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition));
+        transition->m_offset = structure->m_offset;
+        transition->pinAndPreventTransitions();
+
+        offset = transition->remove(propertyName);
+        ASSERT(offset != invalidOffset);
+        transition->m_forgivenDeletes = structure->m_forgivenDeletes + 1;
+
+        transition->checkOffsetConsistency();
+        return transition;
+    }
+
     Structure* transition = toUncacheableDictionaryTransition(vm, structure);
-
     offset = transition->remove(propertyName);
-
     transition->checkOffsetConsistency();
     return transition;
@@ -477 +500 @@
     transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition));
     transition->m_offset = structure->m_offset;
-    transition->pin();
+    transition->pinAndPreventTransitions();
 
     transition->checkOffsetConsistency();
@@ -494 +517 @@
     transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition));
     transition->m_offset = structure->m_offset;
-    transition->pin();
+    transition->pinAndPreventTransitions();
 
     if (transition->m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
@@ -516 +539 @@
         transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition));
         transition->m_offset = structure->m_offset;
-        transition->pin();
+        transition->pinAndPreventTransitions();
         
         structure = transition;
@@ -541 +564 @@
     transition->m_offset = structure->m_offset;
     transition->m_dictionaryKind = kind;
-    transition->pin();
+    transition->pinAndPreventTransitions();
 
     transition->checkOffsetConsistency();
@@ -604 +627 @@
     transition->m_offset = structure->m_offset;
     transition->m_preventExtensions = true;
-    transition->pin();
+    transition->pinAndPreventTransitions();
 
     transition->checkOffsetConsistency();
@@ -753 +776 @@
     materializePropertyMapIfNecessaryForPinning(vm, deferGC);
     
-    pin();
+    pinAndPreventTransitions();
 
     return putSpecificValue(vm, propertyName, attributes, specificValue);
@@ -766 +789 @@
     materializePropertyMapIfNecessaryForPinning(vm, deferGC);
 
-    pin();
+    pinAndPreventTransitions();
     return remove(propertyName);
 }
@@ -774 +797 @@
     ASSERT(propertyTable());
     m_isPinnedPropertyTable = true;
+}
+
+void Structure::pinAndPreventTransitions()
+{
+    pin();
     clearPreviousID();
     m_nameInPrevious.clear();

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -138 +138 @@
     void setPrototypeWithoutTransition(VM& vm, JSValue prototype) { m_prototype.set(vm, this, prototype); }
         
+    bool hasDeletedOffsets() const;
+
     bool isDictionary() const { return m_dictionaryKind != NoneDictionaryKind; }
     bool isUncacheableDictionary() const { return m_dictionaryKind == UncachedDictionaryKind; }
@@ -412 +414 @@
 
     WriteBarrier<PropertyTable>& propertyTable();
+    const WriteBarrier<PropertyTable>& propertyTable() const;
     PropertyTable* takePropertyTableOrCloneIfPinned(VM&, Structure* owner);
     PropertyTable* copyPropertyTable(VM&, Structure* owner);
@@ -458 +461 @@
         
     void pin();
+    void pinAndPreventTransitions();
 
     Structure* previous() const
@@ -513 +517 @@
     ConcurrentJITLock m_lock;
     
+    static const unsigned s_maxForgivenDeletes = 5;
+    unsigned m_forgivenDeletes;
+
     unsigned m_dictionaryKind : 2;
     bool m_isPinnedPropertyTable : 1;

trunk/Source/JavaScriptCore/runtime/StructureInlines.h

@@ -218 +218 @@
 }
 
-ALWAYS_INLINE WriteBarrier<PropertyTable>& Structure::propertyTable()
+inline bool Structure::hasDeletedOffsets() const
+{
+    // If we had deleted anything then we would have pinned our property table.
+    if (!propertyTable())
+        return false;
+    return propertyTable()->hasDeletedOffset();
+}
+
+inline WriteBarrier<PropertyTable>& Structure::propertyTable()
+{
+    return const_cast<WriteBarrier<PropertyTable>&>(static_cast<const Structure*>(this)->propertyTable());
+}
+
+inline const WriteBarrier<PropertyTable>& Structure::propertyTable() const
 {
     ASSERT(!globalObject() || !globalObject()->vm().heap.isCollecting());
@@ -240 +253 @@
         return true;
     
-    RELEASE_ASSERT(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize());
     unsigned totalSize = propertyTable->propertyStorageSize();
+    RELEASE_ASSERT(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == totalSize);
     RELEASE_ASSERT((totalSize < inlineCapacity() ? 0 : totalSize - inlineCapacity()) == numberOfOutOfLineSlotsForLastOffset(m_offset));