Changeset 195878 in webkit

Timestamp:

Jan 29, 2016 6:45:25 PM (8 years ago)

Author:

keith_miller@apple.com

Message:

Array.prototype native functions should use Symbol.species to construct the result
​https://bugs.webkit.org/show_bug.cgi?id=153660

Reviewed by Saam Barati.

This patch adds support for Symbol.species in the Array.prototype native functions.
We make an optimization to avoid regressions on some benchmarks by using an
adaptive watchpoint to check if Array.prototype.constructor is ever changed.

• runtime/ArrayPrototype.cpp:

(JSC::putLength):
(JSC::setLength):
(JSC::speciesConstructArray):
(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
(JSC::ArrayPrototype::setConstructor):
(JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::ArrayPrototypeAdaptiveInferredPropertyWatchpoint):
(JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):

• runtime/ArrayPrototype.h:

(JSC::ArrayPrototype::didChangeConstructorProperty):

• runtime/ConstructData.cpp:

(JSC::construct):

• runtime/ConstructData.h:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

• tests/es6.yaml:
• tests/stress/array-species-functions.js: Added.

(Symbol.species):
(funcThrows):
(test.species):
(test):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• runtime/ArrayPrototype.cpp (modified) (13 diffs)
• runtime/ArrayPrototype.h (modified) (2 diffs)
• runtime/ConstructData.cpp (modified) (1 diff)
• runtime/ConstructData.h (modified) (1 diff)
• runtime/JSCJSValue.h (modified) (1 diff)
• runtime/JSCJSValueInlines.h (modified) (1 diff)
• runtime/JSGlobalObject.cpp (modified) (2 diffs)
• tests/es6.yaml (modified) (4 diffs)
• tests/stress/array-species-functions.js (added)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-01-29  Keith Miller  <keith_miller@apple.com>
+
+        Array.prototype native functions should use Symbol.species to construct the result
+        https://bugs.webkit.org/show_bug.cgi?id=153660
+
+        Reviewed by Saam Barati.
+
+        This patch adds support for Symbol.species in the Array.prototype native functions.
+        We make an optimization to avoid regressions on some benchmarks by using an
+        adaptive watchpoint to check if Array.prototype.constructor is ever changed.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::putLength):
+        (JSC::setLength):
+        (JSC::speciesConstructArray):
+        (JSC::arrayProtoFuncConcat):
+        (JSC::arrayProtoFuncSlice):
+        (JSC::arrayProtoFuncSplice):
+        (JSC::ArrayPrototype::setConstructor):
+        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::ArrayPrototypeAdaptiveInferredPropertyWatchpoint):
+        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
+        * runtime/ArrayPrototype.h:
+        (JSC::ArrayPrototype::didChangeConstructorProperty):
+        * runtime/ConstructData.cpp:
+        (JSC::construct):
+        * runtime/ConstructData.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        * tests/es6.yaml:
+        * tests/stress/array-species-functions.js: Added.
+        (Symbol.species):
+        (funcThrows):
+        (test.species):
+        (test):
+
 2016-01-29  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -25 +25 @@
 #include "ArrayPrototype.h"
 
+#include "AdaptiveInferredPropertyValueWatchpointBase.h"
+#include "ArrayConstructor.h"
 #include "BuiltinNames.h"
 #include "ButterflyInlines.h"
@@ -156 +158 @@
 }
 
-static void putLength(ExecState* exec, JSObject* obj, JSValue value)
+static ALWAYS_INLINE void putLength(ExecState* exec, JSObject* obj, JSValue value)
 {
     PutPropertySlot slot(obj);
     obj->methodTable()->put(obj, exec, exec->propertyNames().length, value, slot);
+}
+
+static ALWAYS_INLINE void setLength(ExecState* exec, JSObject* obj, unsigned value)
+{
+    if (isJSArray(obj))
+        jsCast<JSArray*>(obj)->setLength(exec, value);
+    putLength(exec, obj, jsNumber(value));
+}
+
+enum class SpeciesConstructResult {
+    FastPath,
+    Exception,
+    CreatedObject
+};
+
+static ALWAYS_INLINE std::pair<SpeciesConstructResult, JSObject*> speciesConstructArray(ExecState* exec, JSObject* thisObject, unsigned length)
+{
+    // ECMA 9.4.2.3: https://tc39.github.io/ecma262/#sec-arrayspeciescreate
+    JSValue constructor = jsUndefined();
+    if (LIKELY(isJSArray(thisObject))) {
+        // Fast path in the normal case where the user has not set an own constructor and the Array.prototype.constructor is normal.
+        // We need prototype check for subclasses of Array, which are Array objects but have a different prototype by default.
+        if (LIKELY(!thisObject->hasCustomProperties()
+            && thisObject->globalObject()->arrayPrototype() == thisObject->prototype()
+            && !thisObject->globalObject()->arrayPrototype()->didChangeConstructorProperty()))
+            return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
+
+        constructor = thisObject->get(exec, exec->propertyNames().constructor);
+        if (exec->hadException())
+            return std::make_pair(SpeciesConstructResult::Exception, nullptr);
+        if (constructor.isConstructor()) {
+            JSObject* constructorObject = jsCast<JSObject*>(constructor);
+            if (exec->lexicalGlobalObject() != constructorObject->globalObject())
+                return std::make_pair(SpeciesConstructResult::FastPath, nullptr);;
+        }
+        if (constructor.isObject()) {
+            constructor = constructor.get(exec, exec->propertyNames().speciesSymbol);
+            if (exec->hadException())
+                return std::make_pair(SpeciesConstructResult::Exception, nullptr);
+            if (constructor.isNull())
+                return std::make_pair(SpeciesConstructResult::FastPath, nullptr);;
+        }
+    }
+    if (constructor.isUndefined())
+        return std::make_pair(SpeciesConstructResult::FastPath, nullptr);;
+
+    MarkedArgumentBuffer args;
+    args.append(jsNumber(length));
+    JSObject* newObject = construct(exec, constructor, args, "Species construction did not get a valid constructor");
+    if (exec->hadException())
+        return std::make_pair(SpeciesConstructResult::Exception, nullptr);
+    return std::make_pair(SpeciesConstructResult::CreatedObject, newObject);
 }
 
@@ -533 +587 @@
     Checked<unsigned, RecordOverflow> finalArraySize = 0;
 
+    // We need to do species construction before geting the rest of the elements.
+    std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, curArg.getObject(), 0);
+    if (speciesResult.first == SpeciesConstructResult::Exception)
+        return JSValue::encode(jsUndefined());
+
     JSArray* currentArray = nullptr;
     JSArray* previousArray = nullptr;
@@ -553 +612 @@
         return JSValue::encode(throwOutOfMemoryError(exec));
 
-    if (argCount == 1 && previousArray && currentArray && finalArraySize.unsafeGet() < MIN_SPARSE_ARRAY_INDEX) {
+    if (speciesResult.first == SpeciesConstructResult::FastPath && argCount == 1 && previousArray && currentArray && finalArraySize.unsafeGet() < MIN_SPARSE_ARRAY_INDEX) {
         IndexingType type = JSArray::fastConcatType(exec->vm(), *previousArray, *currentArray);
         if (type != NonArray)
@@ -559 +618 @@
     }
 
-    JSArray* arr = constructEmptyArray(exec, nullptr, finalArraySize.unsafeGet());
-    if (exec->hadException())
-        return JSValue::encode(jsUndefined());
+    ASSERT(speciesResult.first != SpeciesConstructResult::Exception);
+
+    JSObject* result;
+    if (speciesResult.first == SpeciesConstructResult::CreatedObject)
+        result = speciesResult.second;
+    else {
+        // We add the newTarget because the compiler gets confused between 0 being a number and a pointer.
+        result = constructEmptyArray(exec, nullptr, 0, JSValue());
+    }
 
     curArg = thisValue.toObject(exec);
@@ -576 +641 @@
                     return JSValue::encode(jsUndefined());
                 if (v)
-                    arr->putDirectIndex(exec, n, v);
+                    result->putDirectIndex(exec, n, v);
                 n++;
             }
         } else {
-            arr->putDirectIndex(exec, n, curArg);
+            result->putDirectIndex(exec, n, curArg);
             n++;
         }
@@ -587 +652 @@
         curArg = exec->uncheckedArgument(i);
     }
-    arr->setLength(exec, n);
-    return JSValue::encode(arr);
+    setLength(exec, result, n);
+    return JSValue::encode(result);
 }
 
@@ -758 +823 @@
     unsigned end = argumentClampedIndexFromStartOrEnd(exec, 1, length, length);
 
-    if (isJSArray(thisObj)) {
+    std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, thisObj, end - begin);
+    // We can only get an exception if we call some user function.
+    if (UNLIKELY(speciesResult.first == SpeciesConstructResult::Exception))
+        return JSValue::encode(jsUndefined());
+
+    if (LIKELY(speciesResult.first == SpeciesConstructResult::FastPath && isJSArray(thisObj))) {
         if (JSArray* result = asArray(thisObj)->fastSlice(*exec, begin, end - begin))
             return JSValue::encode(result);
     }
 
-    JSArray* result = constructEmptyArray(exec, nullptr, end - begin);
+    JSObject* result;
+    if (speciesResult.first == SpeciesConstructResult::CreatedObject)
+        result = speciesResult.second;
+    else
+        result = constructEmptyArray(exec, nullptr, end - begin);
 
     unsigned n = 0;
@@ -773 +847 @@
             result->putDirectIndex(exec, n, v);
     }
-    result->setLength(exec, n);
+    setLength(exec, result, n);
     return JSValue::encode(result);
 }
@@ -787 +861 @@
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
-    
-    if (!exec->argumentCount())
-        return JSValue::encode(constructEmptyArray(exec, nullptr));
+
+    if (!exec->argumentCount()) {
+        std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, thisObj, 0);
+        if (speciesResult.first == SpeciesConstructResult::Exception)
+            return JSValue::encode(jsUndefined());
+
+        JSObject* result;
+        if (speciesResult.first == SpeciesConstructResult::CreatedObject)
+            result = speciesResult.second;
+        else
+            result = constructEmptyArray(exec, nullptr);
+
+        setLength(exec, result, 0);
+        return JSValue::encode(result);
+    }
 
     unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, length);
@@ -804 +890 @@
     }
 
-    JSArray* result = nullptr;
-
-    if (isJSArray(thisObj))
+    std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, thisObj, deleteCount);
+    if (speciesResult.first == SpeciesConstructResult::Exception)
+        return JSValue::encode(jsUndefined());
+
+    JSObject* result = nullptr;
+    if (speciesResult.first == SpeciesConstructResult::FastPath && isJSArray(thisObj))
         result = asArray(thisObj)->fastSlice(*exec, begin, deleteCount);
 
     if (!result) {
-        result = JSArray::tryCreateUninitialized(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), deleteCount);
-        if (!result)
-            return JSValue::encode(throwOutOfMemoryError(exec));
+        if (speciesResult.first == SpeciesConstructResult::CreatedObject)
+            result = speciesResult.second;
+        else {
+            result = JSArray::tryCreateUninitialized(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), deleteCount);
+            if (!result)
+                return JSValue::encode(throwOutOfMemoryError(exec));
+        }
 
         for (unsigned k = 0; k < deleteCount; ++k) {
@@ -838 +931 @@
     }
 
-    putLength(exec, thisObj, jsNumber(length - deleteCount + additionalArgs));
+    setLength(exec, thisObj, length - deleteCount + additionalArgs);
     return JSValue::encode(result);
 }
@@ -944 +1037 @@
 }
 
+// -------------------- ArrayPrototype.constructor Watchpoint ------------------
+
+class ArrayPrototypeAdaptiveInferredPropertyWatchpoint : public AdaptiveInferredPropertyValueWatchpointBase {
+public:
+    typedef AdaptiveInferredPropertyValueWatchpointBase Base;
+    ArrayPrototypeAdaptiveInferredPropertyWatchpoint(const ObjectPropertyCondition&, ArrayPrototype*);
+
+private:
+    virtual void handleFire(const FireDetail&) override;
+
+    ArrayPrototype* m_arrayPrototype;
+};
+
+void ArrayPrototype::setConstructor(VM& vm, JSObject* constructorProperty, unsigned attributes)
+{
+    putDirectWithoutTransition(vm, vm.propertyNames->constructor, constructorProperty, attributes);
+
+    PropertyOffset offset = this->structure()->get(vm, vm.propertyNames->constructor);
+    ASSERT(isValidOffset(offset));
+    this->structure()->startWatchingPropertyForReplacements(vm, offset);
+
+    ObjectPropertyCondition condition = ObjectPropertyCondition::equivalence(vm, this, this, vm.propertyNames->constructor.impl(), constructorProperty);
+    ASSERT(condition.isWatchable());
+
+    m_constructorWatchpoint = std::make_unique<ArrayPrototypeAdaptiveInferredPropertyWatchpoint>(condition, this);
+    m_constructorWatchpoint->install();
+}
+
+ArrayPrototypeAdaptiveInferredPropertyWatchpoint::ArrayPrototypeAdaptiveInferredPropertyWatchpoint(const ObjectPropertyCondition& key, ArrayPrototype* prototype)
+    : Base(key)
+    , m_arrayPrototype(prototype)
+{
+}
+
+void ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire(const FireDetail& detail)
+{
+    StringPrintStream out;
+    out.print("ArrayPrototype adaption of ", key(), " failed: ", detail);
+
+    StringFireDetail stringDetail(out.toCString().data());
+
+    m_arrayPrototype->m_didChangeConstructorProperty = true;
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.h

@@ -27 +27 @@
 namespace JSC {
 
+class ArrayPrototypeAdaptiveInferredPropertyWatchpoint;
+
 class ArrayPrototype : public JSArray {
 private:
@@ -43 +45 @@
     }
 
+    void setConstructor(VM&, JSObject* constructorProperty, unsigned attributes);
+
+    bool didChangeConstructorProperty() const { return m_didChangeConstructorProperty; }
+
 protected:
     void finishCreation(VM&, JSGlobalObject*);
+
+private:
+    // This bit is set if any user modifies the constructor property Array.prototype. This is used to optimize species creation for JSArrays.
+    friend ArrayPrototypeAdaptiveInferredPropertyWatchpoint;
+    std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
+    bool m_didChangeConstructorProperty = false;
 };
 

trunk/Source/JavaScriptCore/runtime/ConstructData.cpp

@@ -36 +36 @@
 namespace JSC {
 
+JSObject* construct(ExecState* exec, JSValue constructorObject, const ArgList& args, const String& errorMessage)
+{
+    ConstructData constructData;
+    ConstructType constructType = getConstructData(constructorObject, constructData);
+    if (constructType == ConstructTypeNone)
+        return throwTypeError(exec, errorMessage);
+
+    return construct(exec, constructorObject, constructType, constructData, args, constructorObject);
+}
+
+
 JSObject* construct(ExecState* exec, JSValue constructorObject, ConstructType constructType, const ConstructData& constructData, const ArgList& args, JSValue newTarget)
 {

trunk/Source/JavaScriptCore/runtime/ConstructData.h

@@ -57 +57 @@
 };
 
+// Convenience wrapper so you don't need to deal with CallData and CallType unless you are going to use them.
+JSObject* construct(ExecState*, JSValue functionObject, const ArgList&, const String& errorMessage);
 JS_EXPORT_PRIVATE JSObject* construct(ExecState*, JSValue constructor, ConstructType, const ConstructData&, const ArgList&, JSValue newTarget);
 

trunk/Source/JavaScriptCore/runtime/JSCJSValue.h

@@ -220 +220 @@
     bool isEmpty() const;
     bool isFunction() const;
+    bool isConstructor() const;
     bool isUndefined() const;
     bool isNull() const;

trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h

@@ -683 +683 @@
 }
 
+// FIXME: We could do this in a smarter way. See: https://bugs.webkit.org/show_bug.cgi?id=153670
+inline bool JSValue::isConstructor() const
+{
+    if (isFunction()) {
+        ConstructData data;
+        return getConstructData(*this, data) != ConstructTypeNone;
+    }
+    return false;
+}
+
 // this method is here to be after the inline declaration of JSCell::inherits
 inline bool JSValue::inherits(const ClassInfo* classInfo) const

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -405 +405 @@
 
     JSCell* functionConstructor = FunctionConstructor::create(vm, FunctionConstructor::createStructure(vm, this, m_functionPrototype.get()), m_functionPrototype.get());
-    JSCell* arrayConstructor = ArrayConstructor::create(vm, ArrayConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayPrototype.get(), speciesGetterSetter);
+    JSObject* arrayConstructor = ArrayConstructor::create(vm, ArrayConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayPrototype.get(), speciesGetterSetter);
     
     m_regExpConstructor.set(vm, this, RegExpConstructor::create(vm, RegExpConstructor::createStructure(vm, this, m_functionPrototype.get()), m_regExpPrototype.get(), speciesGetterSetter));
@@ -440 +440 @@
     m_objectPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, objectConstructor, DontEnum);
     m_functionPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, functionConstructor, DontEnum);
-    m_arrayPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, arrayConstructor, DontEnum);
+    m_arrayPrototype->setConstructor(vm, arrayConstructor, DontEnum);
     m_regExpPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, m_regExpConstructor.get(), DontEnum);
     

trunk/Source/JavaScriptCore/tests/es6.yaml

@@ -718 +718 @@
   cmd: runES6 :normal
 - path: es6/Array_is_subclassable_Array.prototype.concat.js
-  cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/Array_is_subclassable_Array.prototype.filter.js
   cmd: runES6 :fail
@@ -724 +724 @@
   cmd: runES6 :fail
 - path: es6/Array_is_subclassable_Array.prototype.slice.js
-  cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/Array_is_subclassable_Array.prototype.splice.js
-  cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/Array_is_subclassable_correct_prototype_chain.js
   cmd: runES6 :normal
@@ -1196 +1196 @@
   cmd: runES6 :fail
 - path: es6/well-known_symbols_Symbol.species_Array.prototype.concat.js
-  cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/well-known_symbols_Symbol.species_Array.prototype.filter.js
   cmd: runES6 :fail
@@ -1202 +1202 @@
   cmd: runES6 :fail
 - path: es6/well-known_symbols_Symbol.species_Array.prototype.slice.js
-  cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/well-known_symbols_Symbol.species_Array.prototype.splice.js
-  cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/well-known_symbols_Symbol.species_existence.js
   cmd: runES6 :normal