Context Navigation

← Previous Changeset
Next Changeset →

Changeset 223125 in webkit

Timestamp:

Oct 10, 2017 12:58:27 AM (7 years ago)

Author:

sbarati@apple.com

Message:

The prototype cache should be aware of the Executable it generates a Structure for
https://bugs.webkit.org/show_bug.cgi?id=177907

Reviewed by Filip Pizlo.

JSTests:

microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.

(assert):
(foo.C):
(foo):
(bar.C):
(bar):
(access):
(makeLongChain):
(accessY):

Source/JavaScriptCore:

This patch renames PrototypeMap to StructureCache because
it is no longer a map of the prototypes in the VM. It's
only used to cache Structures during object construction.

The main change of this patch is to guarantee that Structures generated
by the create_this originating from different two different Executables'
bytecode won't hash-cons to the same thing. Previously, we could hash-cons
them depending on the JSObject* prototype pointer. This would cause the last
thing that hash-consed to overwrite the Structure's poly proto watchpoint. This
happened because when we initialize a JSFunction's ObjectAllocationProfile,
we set the resulting Structure's poly proto watchpoint. This could cause a Structure
generating from some Executable e1 to end up with the poly proto watchpoint
for another Executable e2 simply because JSFunctions backed by e1 and e2
shared the same prototype. Then, based on profiling information, we may fire the
wrong Executable's poly proto watchpoint. This patch fixes this bug by
guaranteeing that Structures generating from create_this for different
Executables are unique even if they share the same prototype by adding
the FunctionExecutable* as another field in PrototypeKey.

JavaScriptCore.xcodeproj/project.pbxproj:
Sources.txt:
bytecode/InternalFunctionAllocationProfile.h:

(JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):

bytecode/ObjectAllocationProfile.cpp:

(JSC::ObjectAllocationProfile::initializeProfile):

dfg/DFGOperations.cpp:
runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

runtime/InternalFunction.cpp:

(JSC::InternalFunction::createSubclassStructureSlow):

runtime/IteratorOperations.cpp:

(JSC::createIteratorResultObjectStructure):

runtime/JSBoundFunction.cpp:

(JSC::getBoundFunctionStructure):

runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

runtime/ObjectConstructor.h:

(JSC::constructEmptyObject):

runtime/PrototypeKey.h:

(JSC::PrototypeKey::PrototypeKey):
(JSC::PrototypeKey::executable const):
(JSC::PrototypeKey::operator== const):
(JSC::PrototypeKey::hash const):

runtime/PrototypeMap.cpp: Removed.
runtime/PrototypeMap.h: Removed.
runtime/StructureCache.cpp: Copied from Source/JavaScriptCore/runtime/PrototypeMap.cpp.

(JSC::StructureCache::createEmptyStructure):
(JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
(JSC::StructureCache::emptyObjectStructureForPrototype):
(JSC::PrototypeMap::createEmptyStructure): Deleted.
(JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure): Deleted.
(JSC::PrototypeMap::emptyObjectStructureForPrototype): Deleted.

runtime/StructureCache.h: Copied from Source/JavaScriptCore/runtime/PrototypeMap.h.

(JSC::StructureCache::StructureCache):
(JSC::PrototypeMap::PrototypeMap): Deleted.

runtime/VM.cpp:

(JSC::VM::VM):

runtime/VM.h:

Location:

trunk

Files:

: 1 added
: 16 edited
: 2 moved

JSTests/ChangeLog (modified) (1 diff)
JSTests/microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (8 diffs)
Source/JavaScriptCore/Sources.txt (modified) (2 diffs)
Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h (modified) (1 diff)
Source/JavaScriptCore/bytecode/ObjectAllocationProfile.cpp (modified) (3 diffs)
Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/InternalFunction.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/IteratorOperations.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/JSBoundFunction.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/ObjectConstructor.h (modified) (1 diff)
Source/JavaScriptCore/runtime/PrototypeKey.h (modified) (5 diffs)
Source/JavaScriptCore/runtime/StructureCache.cpp (moved) (moved from trunk/Source/JavaScriptCore/runtime/PrototypeMap.cpp) (4 diffs)
Source/JavaScriptCore/runtime/StructureCache.h (moved) (moved from trunk/Source/JavaScriptCore/runtime/PrototypeMap.h) (1 diff)
Source/JavaScriptCore/runtime/VM.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/VM.h (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r223124
+                      r223125
+-10-10  Saam Barati  <sbarati@apple.com>
+        The prototype cache should be aware of the Executable it generates a Structure for
+        https://bugs.webkit.org/show_bug.cgi?id=177907
+        Reviewed by Filip Pizlo.
+        * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
+        (assert):
+        (foo.C):
+        (foo):
+        (bar.C):
+        (bar):
+        (access):
+        (makeLongChain):
+        (accessY):
 -10-09  Yusuke Suzuki  <utatane.tea@gmail.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r223124
+                      r223125
+-10-10  Saam Barati  <sbarati@apple.com>
+        The prototype cache should be aware of the Executable it generates a Structure for
+        https://bugs.webkit.org/show_bug.cgi?id=177907
+        Reviewed by Filip Pizlo.
+        This patch renames PrototypeMap to StructureCache because
+        it is no longer a map of the prototypes in the VM. It's
+        only used to cache Structures during object construction.
+        The main change of this patch is to guarantee that Structures generated
+        by the create_this originating from different two different Executables'
+        bytecode won't hash-cons to the same thing. Previously, we could hash-cons
+        them depending on the JSObject* prototype pointer. This would cause the last
+        thing that hash-consed to overwrite the Structure's poly proto watchpoint. This
+        happened because when we initialize a JSFunction's ObjectAllocationProfile,
+        we set the resulting Structure's poly proto watchpoint. This could cause a Structure
+        generating from some Executable e1 to end up with the poly proto watchpoint
+        for another Executable e2 simply because JSFunctions backed by e1 and e2
+        shared the same prototype. Then, based on profiling information, we may fire the
+        wrong Executable's poly proto watchpoint. This patch fixes this bug by
+        guaranteeing that Structures generating from create_this for different
+        Executables are unique even if they share the same prototype by adding
+        the FunctionExecutable* as another field in PrototypeKey.
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/InternalFunctionAllocationProfile.h:
+        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
+        * bytecode/ObjectAllocationProfile.cpp:
+        (JSC::ObjectAllocationProfile::initializeProfile):
+        * dfg/DFGOperations.cpp:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/InternalFunction.cpp:
+        (JSC::InternalFunction::createSubclassStructureSlow):
+        * runtime/IteratorOperations.cpp:
+        (JSC::createIteratorResultObjectStructure):
+        * runtime/JSBoundFunction.cpp:
+        (JSC::getBoundFunctionStructure):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        * runtime/ObjectConstructor.h:
+        (JSC::constructEmptyObject):
+        * runtime/PrototypeKey.h:
+        (JSC::PrototypeKey::PrototypeKey):
+        (JSC::PrototypeKey::executable const):
+        (JSC::PrototypeKey::operator== const):
+        (JSC::PrototypeKey::hash const):
+        * runtime/PrototypeMap.cpp: Removed.
+        * runtime/PrototypeMap.h: Removed.
+        * runtime/StructureCache.cpp: Copied from Source/JavaScriptCore/runtime/PrototypeMap.cpp.
+        (JSC::StructureCache::createEmptyStructure):
+        (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
+        (JSC::StructureCache::emptyObjectStructureForPrototype):
+        (JSC::PrototypeMap::createEmptyStructure): Deleted.
+        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure): Deleted.
+        (JSC::PrototypeMap::emptyObjectStructureForPrototype): Deleted.
+        * runtime/StructureCache.h: Copied from Source/JavaScriptCore/runtime/PrototypeMap.h.
+        (JSC::StructureCache::StructureCache):
+        (JSC::PrototypeMap::PrototypeMap): Deleted.
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
 -10-09  Yusuke Suzuki  <utatane.tea@gmail.com>

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

-                      r223081
+                      r223125
 D61DC02EB900AA29BA /* ModuleProgramExecutable.h in Headers */ = {isa = PBXBuildFile; fileRef = 147341D51DC02EB900AA29BA /* ModuleProgramExecutable.h */; settings = {ATTRIBUTES = (Private, ); }; };
 D81DC02F9900AA29BA /* FunctionExecutable.h in Headers */ = {isa = PBXBuildFile; fileRef = 147341D71DC02F9900AA29BA /* FunctionExecutable.h */; settings = {ATTRIBUTES = (Private, ); }; };
-C33B16AA2D950062F01D /* PrototypeMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 14D844A316AA2C7000A65AF0 /* PrototypeMap.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 1478297B1379E8A800A7C2A3 /* HandleTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = 146FA5A81378F6B0003627A3 /* HandleTypes.h */; settings = {ATTRIBUTES = (Private, ); }; };
 B83AC0E6DB8C9004775A4 /* BatchedTransitionOptimizer.h in Headers */ = {isa = PBXBuildFile; fileRef = 147B83AA0E6DB8C9004775A4 /* BatchedTransitionOptimizer.h */; settings = {ATTRIBUTES = (Private, ); }; };
 …
 E07AA1B8FCFB9008400BA /* JSGlobalLexicalEnvironment.h in Headers */ = {isa = PBXBuildFile; fileRef = 797E07A81B8FCFB9008400BA /* JSGlobalLexicalEnvironment.h */; settings = {ATTRIBUTES = (Private, ); }; };
 C16D1E3A940E00B71615 /* DFGRegisteredStructureSet.h in Headers */ = {isa = PBXBuildFile; fileRef = 7980C16B1E3A940E00B71615 /* DFGRegisteredStructureSet.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                7986943B1F8C0ACC009232AE /* StructureCache.h in Headers */ = {isa = PBXBuildFile; fileRef = 7986943A1F8C0AC8009232AE /* StructureCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 798937791DCAB57300F8D4FB /* JSFixedArray.h in Headers */ = {isa = PBXBuildFile; fileRef = 798937771DCAB57300F8D4FB /* JSFixedArray.h */; settings = {ATTRIBUTES = (Private, ); }; };
 EF7C41C56ED96002B0534 /* B3PCToOriginMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 799EF7C31C56ED96002B0534 /* B3PCToOriginMap.h */; settings = {ATTRIBUTES = (Private, ); }; };
 …
 D2F3D9139F4BE200491031 /* MarkedSpace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MarkedSpace.h; sourceTree = "<group>"; };
 D792640DAA03FB001A9F05 /* CLoopStack.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CLoopStack.h; sourceTree = "<group>"; };
-D844A216AA2C7000A65AF0 /* PrototypeMap.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PrototypeMap.cpp; sourceTree = "<group>"; };
-D844A316AA2C7000A65AF0 /* PrototypeMap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PrototypeMap.h; sourceTree = "<group>"; };
 D857740A4696C80032146C /* testapi.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; name = testapi.js; path = API/tests/testapi.js; sourceTree = "<group>"; };
 DA818E0D99FD2000B0A4FB /* JSLexicalEnvironment.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSLexicalEnvironment.h; sourceTree = "<group>"; };
 …
 C16A1E3A940E00B71615 /* DFGRegisteredStructureSet.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGRegisteredStructureSet.cpp; path = dfg/DFGRegisteredStructureSet.cpp; sourceTree = "<group>"; };
 C16B1E3A940E00B71615 /* DFGRegisteredStructureSet.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGRegisteredStructureSet.h; path = dfg/DFGRegisteredStructureSet.h; sourceTree = "<group>"; };
+                798694391F8C0AC7009232AE /* StructureCache.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = StructureCache.cpp; sourceTree = "<group>"; };
+                7986943A1F8C0AC8009232AE /* StructureCache.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = StructureCache.h; sourceTree = "<group>"; };
                 798937761DCAB57300F8D4FB /* JSFixedArray.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSFixedArray.cpp; sourceTree = "<group>"; };
                 798937771DCAB57300F8D4FB /* JSFixedArray.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSFixedArray.h; sourceTree = "<group>"; };
 …
 C02FBB0637462A003E7EE6 /* Protect.h */,
 F74B93A1F89614500B935D3 /* PrototypeKey.h */,
-D844A216AA2C7000A65AF0 /* PrototypeMap.cpp */,
-D844A316AA2C7000A65AF0 /* PrototypeMap.h */,
 B00CB81C6AB07E0088C65D /* ProxyConstructor.cpp */,
 B00CB91C6AB07E0088C65D /* ProxyConstructor.h */,
 …
                                 BCDE3AB00E6C82CF001453A7 /* Structure.cpp */,
                                 BCDE3AB10E6C82CF001453A7 /* Structure.h */,
+                                798694391F8C0AC7009232AE /* StructureCache.cpp */,
+                                7986943A1F8C0AC8009232AE /* StructureCache.h */,
 E4EE70E0EBB7A5B005934AA /* StructureChain.cpp */,
 E4EE7080EBB7963005934AA /* StructureChain.h */,
 …
                                 BC18C4560E16F5CD00B34460 /* Protect.h in Headers */,
 F74B93B1F89614800B935D3 /* PrototypeKey.h in Headers */,
-C33B16AA2D950062F01D /* PrototypeMap.h in Headers */,
 E03561E53BEDE00213F64 /* ProxyableAccessCase.h in Headers */,
 B00CBD1C6AB07E0088C65D /* ProxyConstructor.h in Headers */,
 …
 B84630E6DE6B1004775A4 /* PutPropertySlot.h in Headers */,
 FF60AC216740F8300029779 /* ReduceWhitespace.h in Headers */,
+                                7986943B1F8C0ACC009232AE /* StructureCache.h in Headers */,
                                 E33637A61B63220200EE0840 /* ReflectObject.h in Headers */,
 B73231BDA08EF00331B84 /* ReflectObject.lut.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

-                      r223081
+                      r223125
 runtime/PropertySlot.cpp
 runtime/PropertyTable.cpp
-runtime/PrototypeMap.cpp
 runtime/ProxyConstructor.cpp
 runtime/ProxyObject.cpp
 …
 runtime/StringRecursionChecker.cpp
 runtime/Structure.cpp
+runtime/StructureCache.cpp
 runtime/StructureChain.cpp
 runtime/StructureIDTable.cpp

trunk/Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h

r222827	r223125
55	55	structure = baseStructure;
56	56	else
57		structure = vm.~~prototypeMap~~.emptyStructureForPrototypeFromBaseStructure(globalObject, prototype, baseStructure);
	57	structure = vm.structureCache.emptyStructureForPrototypeFromBaseStructure(globalObject, prototype, baseStructure);
58	58
59	59	// Ensure that if another thread sees the structure, it will see it properly created.

trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfile.cpp

-                      r222827
+                      r223125
         executable = constructor->jsExecutable();
+        if (Structure* structure = executable->cachedPolyProtoStructure()) {
+            RELEASE_ASSERT(structure->typeInfo().type() == FinalObjectType);
+            m_allocator = nullptr;
+            m_structure.set(vm, owner, structure);
+            m_inlineCapacity = structure->inlineCapacity();
+            return;
+        }
         isPolyProto = false;
         if (Options::forcePolyProto())
 …
         else
             isPolyProto = executable->ensurePolyProtoWatchpoint().hasBeenInvalidated() && executable->singletonFunction()->hasBeenInvalidated();
-        if (isPolyProto) {
-            if (Structure* structure = executable->cachedPolyProtoStructure()) {
-                RELEASE_ASSERT(structure->typeInfo().type() == FinalObjectType);
-                m_allocator = nullptr;
-                m_structure.set(vm, owner, structure);
-                m_inlineCapacity = structure->inlineCapacity();
-                return;
+            }
+        }
+    }
 …
+    }
     Structure* structure = vm.prototypeMap.emptyObjectStructureForPrototype(globalObject, prototype, inlineCapacity, isPolyProto);
+    Structure* structure = vm.structureCache.emptyObjectStructureForPrototype(globalObject, prototype, inlineCapacity, isPolyProto, executable);
     if (isPolyProto) {

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

r223027	r223125
251	251	result->putDirect(vm, structure->polyProtoOffset(), prototype);
252	252	prototype->didBecomePrototype();
	253	ASSERT_WITH_MESSAGE(!hasIndexedProperties(result->indexingType()), "We rely on JSFinalObject not starting out with an indexing type otherwise we would potentially need to convert to slow put storage");
253	254	}
254	255	return result;

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

r223027	r223125
251	251	result->putDirect(vm, structure->polyProtoOffset(), prototype);
252	252	prototype->didBecomePrototype();
	253	ASSERT_WITH_MESSAGE(!hasIndexedProperties(result->indexingType()), "We rely on JSFinalObject not starting out with an indexing type otherwise we would potentially need to convert to slow put storage");
253	254	}
254	255	} else {

trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

r222827	r223125
124	124	// This only happens if someone Reflect.constructs our builtin constructor with another builtin constructor as the new.target.
125	125	// Thus, we don't care about the cost of looking up the structure from our hash table every time.
126		return vm.~~prototypeMap~~.emptyStructureForPrototypeFromBaseStructure(lexicalGlobalObject, prototype, baseClass);
	126	return vm.structureCache.emptyStructureForPrototypeFromBaseStructure(lexicalGlobalObject, prototype, baseClass);
127	127	}
128	128	}

trunk/Source/JavaScriptCore/runtime/IteratorOperations.cpp

r222421	r223125
138	138	Structure* createIteratorResultObjectStructure(VM& vm, JSGlobalObject& globalObject)
139	139	{
140		Structure* iteratorResultStructure = vm.~~prototypeMap~~.emptyObjectStructureForPrototype(&globalObject, globalObject.objectPrototype(), JSFinalObject::defaultInlineCapacity());
	140	Structure* iteratorResultStructure = vm.structureCache.emptyObjectStructureForPrototype(&globalObject, globalObject.objectPrototype(), JSFinalObject::defaultInlineCapacity());
141	141	PropertyOffset offset;
142	142	iteratorResultStructure = Structure::addPropertyTransition(vm, iteratorResultStructure, vm.propertyNames->done, 0, offset);

trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp

r222473	r223125
146	146	// See: https://bugs.webkit.org/show_bug.cgi?id=152738
147	147	if (prototype.isObject() && prototype.getObject()->globalObject() == globalObject) {
148		result = vm.~~prototypeMap~~.emptyStructureForPrototypeFromBaseStructure(globalObject, prototype.getObject(), result);
	148	result = vm.structureCache.emptyStructureForPrototypeFromBaseStructure(globalObject, prototype.getObject(), result);
149	149	ASSERT_WITH_SECURITY_IMPLICATION(result->globalObject() == globalObject);
150	150	} else

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

r222895	r223125
455	455	m_objectPrototype->putDirectNonIndexAccessor(vm, vm.propertyNames->underscoreProto, protoAccessor, PropertyAttribute::Accessor \| PropertyAttribute::DontEnum);
456	456	m_functionPrototype->structure()->setPrototypeWithoutTransition(vm, m_objectPrototype.get());
457		m_objectStructureForObjectConstructor.set(vm, this, vm.~~prototypeMap~~.emptyObjectStructureForPrototype(this, m_objectPrototype.get(), JSFinalObject::defaultInlineCapacity()));
	457	m_objectStructureForObjectConstructor.set(vm, this, vm.structureCache.emptyObjectStructureForPrototype(this, m_objectPrototype.get(), JSFinalObject::defaultInlineCapacity()));
458	458	m_objectProtoValueOfFunction.set(vm, this, jsCast<JSFunction*>(objectPrototype()->getDirect(vm, vm.propertyNames->valueOf)));
459	459

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.h

r218790	r223125
71	71	{
72	72	JSGlobalObject* globalObject = exec->lexicalGlobalObject();
73		~~PrototypeMap& prototypeMap = globalObject->vm().prototypeMap~~;
74		Structure* structure = ~~prototypeMap~~.emptyObjectStructureForPrototype(globalObject, prototype, inlineCapacity);
	73	StructureCache& structureCache = globalObject->vm().structureCache;
	74	Structure* structure = structureCache.emptyObjectStructureForPrototype(globalObject, prototype, inlineCapacity);
75	75	return constructEmptyObject(exec, structure);
76	76	}

trunk/Source/JavaScriptCore/runtime/PrototypeKey.h

-                      r223027
+                      r223125
     PrototypeKey() { }
     PrototypeKey(JSObject* prototype, unsigned inlineCapacity, const ClassInfo* classInfo, JSGlobalObject* globalObject)
+    PrototypeKey(JSObject* prototype, FunctionExecutable* executable, unsigned inlineCapacity, const ClassInfo* classInfo, JSGlobalObject* globalObject)
         : m_prototype(prototype)
+        , m_executable(executable)
         , m_inlineCapacity(inlineCapacity)
         , m_classInfo(classInfo)
 …
     JSObject* prototype() const { return m_prototype; }
+    FunctionExecutable* executable() const { return m_executable; }
     unsigned inlineCapacity() const { return m_inlineCapacity; }
     const ClassInfo* classInfo() const { return m_classInfo; }
 …
+    {
         return m_prototype == other.m_prototype
+            && m_executable == other.m_executable
             && m_inlineCapacity == other.m_inlineCapacity
             && m_classInfo == other.m_classInfo
 …
     unsigned hash() const
+    {
         return WTF::IntHash<uintptr_t>::hash(bitwise_cast<uintptr_t>(m_prototype) ^ bitwise_cast<uintptr_t>(m_classInfo) ^ bitwise_cast<uintptr_t>(m_globalObject)) + m_inlineCapacity;
+        return WTF::IntHash<uintptr_t>::hash(bitwise_cast<uintptr_t>(m_prototype) ^ bitwise_cast<uintptr_t>(m_executable) ^ bitwise_cast<uintptr_t>(m_classInfo) ^ bitwise_cast<uintptr_t>(m_globalObject)) + m_inlineCapacity;
+    }
 …
     // WARNING: We require all of these default values to be zero. Otherwise, you'll need to add
     // "static const bool emptyValueIsZero = false;" to the HashTraits at the bottom of this file.
+    JSObject* m_prototype { nullptr };
+    JSObject* m_prototype { nullptr };
+    FunctionExecutable* m_executable { nullptr };
     unsigned m_inlineCapacity { 0 };
     const ClassInfo* m_classInfo { nullptr };

trunk/Source/JavaScriptCore/runtime/StructureCache.cpp

-                      r223124
+                      r223125
 #include "config.h"
 #include "PrototypeMap.h"
+#include "StructureCache.h"
 #include "IndexingType.h"
 …
 namespace JSC {
 inline Structure* PrototypeMap::createEmptyStructure(JSGlobalObject* globalObject, JSObject* prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity, bool makePolyProtoStructure)
+inline Structure* StructureCache::createEmptyStructure(JSGlobalObject* globalObject, JSObject* prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity, bool makePolyProtoStructure, FunctionExecutable* executable)
+{
     RELEASE_ASSERT(!!prototype); // We use nullptr inside the HashMap for prototype to mean poly proto, so user's of this API must provide non-null prototypes.
     auto key = PrototypeKey(makePolyProtoStructure ? nullptr : prototype, inlineCapacity, classInfo, globalObject);
+    PrototypeKey key { makePolyProtoStructure ? nullptr : prototype, executable, inlineCapacity, classInfo, globalObject };
     if (Structure* structure = m_structures.get(key)) {
         if (makePolyProtoStructure) {
 …
             vm, globalObject, prototype, typeInfo, classInfo, indexingType, inlineCapacity);
+    }
     m_structures.set(key, Weak<Structure>(structure));
+    m_structures.set(key, structure);
     return structure;
+}
 Structure* PrototypeMap::emptyStructureForPrototypeFromBaseStructure(JSGlobalObject* globalObject, JSObject* prototype, Structure* baseStructure)
+Structure* StructureCache::emptyStructureForPrototypeFromBaseStructure(JSGlobalObject* globalObject, JSObject* prototype, Structure* baseStructure)
+{
     // We currently do not have inline capacity static analysis for subclasses and all internal function constructors have a default inline capacity of 0.
 …
         indexingType = (indexingType & ~IndexingShapeMask) | SlowPutArrayStorageShape;
     return createEmptyStructure(globalObject, prototype, baseStructure->typeInfo(), baseStructure->classInfo(), indexingType, 0, false);
+    return createEmptyStructure(globalObject, prototype, baseStructure->typeInfo(), baseStructure->classInfo(), indexingType, 0, false, nullptr);
+}
 Structure* PrototypeMap::emptyObjectStructureForPrototype(JSGlobalObject* globalObject, JSObject* prototype, unsigned inlineCapacity, bool makePolyProtoStructure)
+Structure* StructureCache::emptyObjectStructureForPrototype(JSGlobalObject* globalObject, JSObject* prototype, unsigned inlineCapacity, bool makePolyProtoStructure, FunctionExecutable* executable)
+{
     return createEmptyStructure(globalObject, prototype, JSFinalObject::typeInfo(), JSFinalObject::info(), JSFinalObject::defaultIndexingType, inlineCapacity, makePolyProtoStructure);
+    return createEmptyStructure(globalObject, prototype, JSFinalObject::typeInfo(), JSFinalObject::info(), JSFinalObject::defaultIndexingType, inlineCapacity, makePolyProtoStructure, executable);
+}

trunk/Source/JavaScriptCore/runtime/StructureCache.h

-                      r223124
+                      r223125
 // Tracks the canonical structure an object should be allocated with when inheriting from a given prototype.
 class PrototypeMap {
+class StructureCache {
 public:
     explicit PrototypeMap(VM& vm)
+    explicit StructureCache(VM& vm)
         : m_structures(vm)
+    {
+    }
     JS_EXPORT_PRIVATE Structure* emptyObjectStructureForPrototype(JSGlobalObject*, JSObject*, unsigned inlineCapacity, bool makePolyProtoStructure = false);
+    JS_EXPORT_PRIVATE Structure* emptyObjectStructureForPrototype(JSGlobalObject*, JSObject*, unsigned inlineCapacity, bool makePolyProtoStructure = false, FunctionExecutable* = nullptr);
     JS_EXPORT_PRIVATE Structure* emptyStructureForPrototypeFromBaseStructure(JSGlobalObject*, JSObject*, Structure*);
 private:
     Structure* createEmptyStructure(JSGlobalObject*, JSObject* prototype, const TypeInfo&, const ClassInfo*, IndexingType, unsigned inlineCapacity, bool makePolyProtoStructure);
+    Structure* createEmptyStructure(JSGlobalObject*, JSObject* prototype, const TypeInfo&, const ClassInfo*, IndexingType, unsigned inlineCapacity, bool makePolyProtoStructure, FunctionExecutable*);
     using StructureMap = WeakGCMap<PrototypeKey, Structure>;

trunk/Source/JavaScriptCore/runtime/VM.cpp

r223002	r223125
195	195	, stringCache(*this)
196	196	, symbolImplToSymbolMap(*this)
197		, ~~prototypeMap~~(*this)
	197	, structureCache(*this)
198	198	, interpreter(0)
199	199	, entryScope(0)

trunk/Source/JavaScriptCore/runtime/VM.h

-                      r223024
+                      r223125
 #include "Microtask.h"
 #include "NumericStrings.h"
-#include "PrototypeMap.h"
 #include "SmallStrings.h"
 #include "Strong.h"
+#include "StructureCache.h"
 #include "Subspace.h"
 #include "TemplateRegistryKeyTable.h"
 …
     void clearSourceProviderCaches();
     PrototypeMap prototypeMap;
+    StructureCache structureCache;
     typedef HashMap<RefPtr<SourceProvider>, RefPtr<SourceProviderCache>> SourceProviderCacheMap;

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 223125 in webkit

Legend:

Download in other formats: