Changeset 225891 in webkit

Timestamp:

Dec 13, 2017 8:10:02 PM (6 years ago)

Author:

sbarati@apple.com

Message:

Arrow functions need their own structure because they have different properties than sloppy functions
​https://bugs.webkit.org/show_bug.cgi?id=180779
<rdar://problem/35814591>

Reviewed by Mark Lam.

JSTests:

• stress/arrow-function-needs-its-own-structure.js: Added.

(assert):
(readPrototype):
(noInline.let.f1):
(noInline):

Source/JavaScriptCore:

We were using the same structure for sloppy functions and
arrow functions. This broke our IC caching machinery because
these two types of functions actually have different properties.
This patch gives them different structures.

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileNewFunction):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):

• runtime/FunctionConstructor.cpp:

(JSC::constructFunctionSkippingEvalEnabledCheck):

• runtime/JSFunction.cpp:

(JSC::JSFunction::selectStructureForNewFuncExp):
(JSC::JSFunction::create):

• runtime/JSFunction.h:
• runtime/JSFunctionInlines.h:

(JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::arrowFunctionStructure const):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/arrow-function-needs-its-own-structure.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/FunctionConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunctionInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-12-13  Saam Barati  <sbarati@apple.com>
+
+        Arrow functions need their own structure because they have different properties than sloppy functions
+        https://bugs.webkit.org/show_bug.cgi?id=180779
+        <rdar://problem/35814591>
+
+        Reviewed by Mark Lam.
+
+        * stress/arrow-function-needs-its-own-structure.js: Added.
+        (assert):
+        (readPrototype):
+        (noInline.let.f1):
+        (noInline):
+
 2017-12-13  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-12-13  Saam Barati  <sbarati@apple.com>
+
+        Arrow functions need their own structure because they have different properties than sloppy functions
+        https://bugs.webkit.org/show_bug.cgi?id=180779
+        <rdar://problem/35814591>
+
+        Reviewed by Mark Lam.
+
+        We were using the same structure for sloppy functions and
+        arrow functions. This broke our IC caching machinery because
+        these two types of functions actually have different properties.
+        This patch gives them different structures.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileNewFunction):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+        * runtime/FunctionConstructor.cpp:
+        (JSC::constructFunctionSkippingEvalEnabledCheck):
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::selectStructureForNewFuncExp):
+        (JSC::JSFunction::create):
+        * runtime/JSFunction.h:
+        * runtime/JSFunctionInlines.h:
+        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::visitChildren):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::arrowFunctionStructure const):
+
 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -2299 +2299 @@
         break;
 
-    case NewFunction:
-        if (node->castOperand<FunctionExecutable*>()->isStrictMode()) {
-            forNode(node).set(
-                m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->strictFunctionStructure());
-        } else {
-            forNode(node).set(
-                m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->sloppyFunctionStructure());
-        }
-        break;
+    case NewFunction: {
+        JSGlobalObject* globalObject = m_codeBlock->globalObjectFor(node->origin.semantic);
+        Structure* structure = JSFunction::selectStructureForNewFuncExp(globalObject, node->castOperand<FunctionExecutable*>());
+        forNode(node).set(m_graph, structure);
+        break;
+    }
         
     case GetCallee:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -6783 +6783 @@
     RegisteredStructure structure = m_jit.graph().registerStructure(
         [&] () {
+            JSGlobalObject* globalObject = m_jit.graph().globalObjectFor(node->origin.semantic);
             switch (nodeType) {
             case NewGeneratorFunction:
-                return m_jit.graph().globalObjectFor(node->origin.semantic)->generatorFunctionStructure();
+                return globalObject->generatorFunctionStructure();
             case NewAsyncFunction:
-                return m_jit.graph().globalObjectFor(node->origin.semantic)->asyncFunctionStructure();
+                return globalObject->asyncFunctionStructure();
             case NewAsyncGeneratorFunction:
-                return m_jit.graph().globalObjectFor(node->origin.semantic)->asyncGeneratorFunctionStructure();
+                return globalObject->asyncGeneratorFunctionStructure();
             case NewFunction:
-                if (node->castOperand<FunctionExecutable*>()->isStrictMode())
-                    return m_jit.graph().globalObjectFor(node->origin.semantic)->strictFunctionStructure();
-                return m_jit.graph().globalObjectFor(node->origin.semantic)->sloppyFunctionStructure();
+                return JSFunction::selectStructureForNewFuncExp(globalObject, node->castOperand<FunctionExecutable*>());
             default:
                 RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -4737 +4737 @@
             return;
         }
-        
 
         RegisteredStructure structure = m_graph.registerStructure(
             [&] () {
+                JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
                 switch (m_node->op()) {
                 case NewGeneratorFunction:
-                    return m_graph.globalObjectFor(m_node->origin.semantic)->generatorFunctionStructure();
+                    return globalObject->generatorFunctionStructure();
                 case NewAsyncFunction:
-                    return m_graph.globalObjectFor(m_node->origin.semantic)->asyncFunctionStructure();
+                    return globalObject->asyncFunctionStructure();
                 case NewAsyncGeneratorFunction:
-                    return m_graph.globalObjectFor(m_node->origin.semantic)->asyncGeneratorFunctionStructure();
+                    return globalObject->asyncGeneratorFunctionStructure();
                 case NewFunction:
-                    if (m_node->castOperand<FunctionExecutable*>()->isStrictMode())
-                        return m_graph.globalObjectFor(m_node->origin.semantic)->strictFunctionStructure();
-                    return m_graph.globalObjectFor(m_node->origin.semantic)->sloppyFunctionStructure();
-                    break;
+                    return JSFunction::selectStructureForNewFuncExp(globalObject, m_node->castOperand<FunctionExecutable*>());
                 default:
                     RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp

@@ -176 +176 @@
     switch (functionConstructionMode) {
     case FunctionConstructionMode::Function:
-        if (function->isStrictMode())
-            structure = globalObject->strictFunctionStructure();
-        else
-            structure = globalObject->sloppyFunctionStructure();
+        structure = JSFunction::selectStructureForNewFuncExp(globalObject, function);
         break;
     case FunctionConstructionMode::Generator:

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -66 +66 @@
 }
 
+Structure* JSFunction::selectStructureForNewFuncExp(JSGlobalObject* globalObject, FunctionExecutable* executable)
+{
+    if (executable->isArrowFunction())
+        return globalObject->arrowFunctionStructure();
+    if (executable->isStrictMode())
+        return globalObject->strictFunctionStructure();
+    return globalObject->sloppyFunctionStructure();
+}
+
 JSFunction* JSFunction::create(VM& vm, FunctionExecutable* executable, JSScope* scope)
 {
-    Structure* structure = executable->isStrictMode() ? scope->globalObject(vm)->strictFunctionStructure() : scope->globalObject(vm)->sloppyFunctionStructure();
-    return create(vm, executable, scope, structure);
+    return create(vm, executable, scope, selectStructureForNewFuncExp(scope->globalObject(vm), executable));
 }
 

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -71 +71 @@
     }
 
+    static Structure* selectStructureForNewFuncExp(JSGlobalObject*, FunctionExecutable*);
+
     JS_EXPORT_PRIVATE static JSFunction* create(VM&, JSGlobalObject*, int length, const String& name, NativeFunction, Intrinsic = NoIntrinsic, NativeFunction nativeConstructor = callHostFunctionAsConstructor, const DOMJIT::Signature* = nullptr);
     

trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h

@@ -36 +36 @@
 {
     ASSERT(executable->singletonFunction()->hasBeenInvalidated());
-    Structure* structure = executable->isStrictMode() ? scope->globalObject(vm)->strictFunctionStructure() : scope->globalObject(vm)->sloppyFunctionStructure();
-    return createImpl(vm, executable, scope, structure);
+    return createImpl(vm, executable, scope, selectStructureForNewFuncExp(scope->globalObject(vm), executable));
 }
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -389 +389 @@
     m_strictFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
     m_sloppyFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
+    m_arrowFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
     m_customGetterSetterFunctionStructure.initLater(
         [] (const Initializer<Structure>& init) {
@@ -1315 +1316 @@
     visitor.append(thisObject->m_strictFunctionStructure);
     visitor.append(thisObject->m_sloppyFunctionStructure);
+    visitor.append(thisObject->m_arrowFunctionStructure);
     thisObject->m_customGetterSetterFunctionStructure.visit(visitor);
     thisObject->m_boundFunctionStructure.visit(visitor);

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -323 +323 @@
     WriteBarrier<Structure> m_calleeStructure;
     WriteBarrier<Structure> m_strictFunctionStructure;
+    WriteBarrier<Structure> m_arrowFunctionStructure;
     WriteBarrier<Structure> m_sloppyFunctionStructure;
     LazyProperty<JSGlobalObject, Structure> m_boundFunctionStructure;
@@ -632 +633 @@
     Structure* strictFunctionStructure() const { return m_strictFunctionStructure.get(); }
     Structure* sloppyFunctionStructure() const { return m_sloppyFunctionStructure.get(); }
+    Structure* arrowFunctionStructure() const { return m_arrowFunctionStructure.get(); }
     Structure* boundFunctionStructure() const { return m_boundFunctionStructure.get(this); }
     Structure* customGetterSetterFunctionStructure() const { return m_customGetterSetterFunctionStructure.get(this); }