Changeset 239231 in webkit

Timestamp:

Dec 14, 2018 1:40:27 PM (5 years ago)

Author:

commit-queue@webkit.org

Message:

Unreviewed, rolling out r239153, r239154, and r239155.
​https://bugs.webkit.org/show_bug.cgi?id=192715

Caused flaky GC-related crashes seen with layout tests
(Requested by ryanhaddad on #webkit).

Reverted changesets:

"[JSC] Optimize Object.keys by caching own keys results in
StructureRareData"
​https://bugs.webkit.org/show_bug.cgi?id=190047
​https://trac.webkit.org/changeset/239153

"Unreviewed, build fix after r239153"
​https://bugs.webkit.org/show_bug.cgi?id=190047
​https://trac.webkit.org/changeset/239154

"Unreviewed, build fix after r239153, part 2"
​https://bugs.webkit.org/show_bug.cgi?id=190047
​https://trac.webkit.org/changeset/239155

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/object-keys-cached-zero.js (deleted)
• JSTests/stress/object-keys-changed-attribute.js (deleted)
• JSTests/stress/object-keys-changed-index.js (deleted)
• JSTests/stress/object-keys-changed.js (deleted)
• JSTests/stress/object-keys-indexed-non-cache.js (deleted)
• JSTests/stress/object-keys-overrides-get-property-names.js (deleted)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Intrinsic.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Intrinsic.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSImmutableButterfly.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (5 diffs)
• Source/JavaScriptCore/runtime/Structure.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Structure.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/StructureInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StructureRareData.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/StructureRareData.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/StructureRareDataInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/VM.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/VM.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2018-12-14  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r239153, r239154, and r239155.
+        https://bugs.webkit.org/show_bug.cgi?id=192715
+
+        Caused flaky GC-related crashes seen with layout tests
+        (Requested by ryanhaddad on #webkit).
+
+        Reverted changesets:
+
+        "[JSC] Optimize Object.keys by caching own keys results in
+        StructureRareData"
+        https://bugs.webkit.org/show_bug.cgi?id=190047
+        https://trac.webkit.org/changeset/239153
+
+        "Unreviewed, build fix after r239153"
+        https://bugs.webkit.org/show_bug.cgi?id=190047
+        https://trac.webkit.org/changeset/239154
+
+        "Unreviewed, build fix after r239153, part 2"
+        https://bugs.webkit.org/show_bug.cgi?id=190047
+        https://trac.webkit.org/changeset/239155
+
 2018-12-14  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-12-14  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r239153, r239154, and r239155.
+        https://bugs.webkit.org/show_bug.cgi?id=192715
+
+        Caused flaky GC-related crashes seen with layout tests
+        (Requested by ryanhaddad on #webkit).
+
+        Reverted changesets:
+
+        "[JSC] Optimize Object.keys by caching own keys results in
+        StructureRareData"
+        https://bugs.webkit.org/show_bug.cgi?id=190047
+        https://trac.webkit.org/changeset/239153
+
+        "Unreviewed, build fix after r239153"
+        https://bugs.webkit.org/show_bug.cgi?id=190047
+        https://trac.webkit.org/changeset/239154
+
+        "Unreviewed, build fix after r239153, part 2"
+        https://bugs.webkit.org/show_bug.cgi?id=190047
+        https://trac.webkit.org/changeset/239155
+
 2018-12-14  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -44 +44 @@
 #include "PutByIdStatus.h"
 #include "StringObject.h"
-#include "StructureRareDataInlines.h"
 #include <wtf/BooleanLattice.h>
 #include <wtf/CheckedArithmetic.h>
@@ -2579 +2578 @@
             clobberWorld();
         setTypeForNode(node, SpecFinalObject);
-        break;
-    }
-
-    case ObjectKeys: {
-        if (node->child1().useKind() == ObjectUse) {
-            auto& structureSet = forNode(node->child1()).m_structure;
-            if (structureSet.isFinite() && structureSet.size() == 1) {
-                RegisteredStructure structure = structureSet.onlyStructure();
-                if (auto* rareData = structure->rareDataConcurrently()) {
-                    auto* immutableButterfly = rareData->cachedOwnKeysConcurrently();
-                    if (immutableButterfly && immutableButterfly != m_vm.sentinelImmutableButterfly.get()) {
-                        if (m_graph.isWatchingHavingABadTimeWatchpoint(node)) {
-                            m_state.setFoundConstants(true);
-                            didFoldClobberWorld();
-                            setTypeForNode(node, SpecArray);
-                            break;
-                        }
-                    }
-                }
-            }
-        }
-
-        clobberWorld();
-        setTypeForNode(node, SpecArray);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2690 +2690 @@
         insertChecks();
         set(result, addToGraph(SameValue, get(virtualRegisterForArgument(1, registerOffset)), get(virtualRegisterForArgument(2, registerOffset))));
-        return true;
-    }
-
-    case ObjectKeysIntrinsic: {
-        if (argumentCountIncludingThis < 2)
-            return false;
-
-        insertChecks();
-        set(result, addToGraph(ObjectKeys, get(virtualRegisterForArgument(1, registerOffset))));
         return true;
     }

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -669 +669 @@
     case InstanceOf:
     case StringValueOf:
-    case ObjectKeys:
         read(World);
         write(Heap);
@@ -1530 +1529 @@
         }
     }
+
 
     case NewObject:

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -767 +767 @@
             }
 
-            case ObjectKeys: {
-                if (node->child1().useKind() == ObjectUse) {
-                    auto& structureSet = m_state.forNode(node->child1()).m_structure;
-                    if (structureSet.isFinite() && structureSet.size() == 1) {
-                        RegisteredStructure structure = structureSet.onlyStructure();
-                        if (auto* rareData = structure->rareDataConcurrently()) {
-                            auto* immutableButterfly = rareData->cachedOwnKeysConcurrently();
-                            if (immutableButterfly && immutableButterfly != m_graph.m_vm.sentinelImmutableButterfly.get()) {
-                                if (m_graph.isWatchingHavingABadTimeWatchpoint(node)) {
-                                    node->convertToNewArrayBuffer(m_graph.freeze(immutableButterfly));
-                                    changed = true;
-                                    break;
-                                }
-                            }
-                        }
-                    }
-                }
-                break;
-            }
-
             case ToNumber: {
                 if (m_state.forNode(node->child1()).m_type & ~SpecBytecodeNumber)

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -340 +340 @@
     case CreateThis:
     case ObjectCreate:
-    case ObjectKeys:
     case AllocatePropertyStorage:
     case ReallocatePropertyStorage:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1592 +1592 @@
                 node->clearFlags(NodeMustGenerate);
                 break;
-            }
-            break;
-        }
-
-        case ObjectKeys: {
-            if (node->child1()->shouldSpeculateObject()) {
-                watchHavingABadTime(node);
-                fixEdge<ObjectUse>(node->child1());
             }
             break;

trunk/Source/JavaScriptCore/dfg/DFGNode.cpp

@@ -32 +32 @@
 #include "DFGPromotedHeapLocation.h"
 #include "JSCInlines.h"
-#include "JSImmutableButterfly.h"
 
 namespace JSC { namespace DFG {
@@ -225 +224 @@
 }
 
-void Node::convertToNewArrayBuffer(FrozenValue* immutableButterfly)
-{
-    setOpAndDefaultFlags(NewArrayBuffer);
-    NewArrayBufferData data { };
-    data.indexingMode = immutableButterfly->cast<JSImmutableButterfly*>()->indexingMode();
-    data.vectorLengthHint = immutableButterfly->cast<JSImmutableButterfly*>()->toButterfly()->vectorLength();
-    children.reset();
-    m_opInfo = immutableButterfly;
-    m_opInfo2 = data.asQuadWord;
-}
-
 void Node::convertToDirectCall(FrozenValue* executable)
 {

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -762 +762 @@
         m_opInfo2 = OpInfoWrapper();
     }
-
-    void convertToNewArrayBuffer(FrozenValue* immutableButterfly);
     
     void convertToDirectCall(FrozenValue*);

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -266 +266 @@
     macro(GetPrototypeOf, NodeMustGenerate | NodeResultJS) \
     macro(ObjectCreate, NodeMustGenerate | NodeResultJS) \
-    macro(ObjectKeys, NodeMustGenerate | NodeResultJS) \
     \
     /* Atomics object functions. */\

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -249 +249 @@
 }
 
-JSArray* JIT_OPERATION operationObjectKeys(ExecState* exec, EncodedJSValue encodedObject)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
-    JSObject* object = JSValue::decode(encodedObject).toObject(exec);
-    RETURN_IF_EXCEPTION(scope, nullptr);
-    scope.release();
-    return ownPropertyKeys(exec, object, PropertyNameMode::Strings, DontEnumPropertiesMode::Exclude);
-}
-
-JSArray* JIT_OPERATION operationObjectKeysObject(ExecState* exec, JSObject* object)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-    return ownPropertyKeys(exec, object, PropertyNameMode::Strings, DontEnumPropertiesMode::Exclude);
-}
-
 JSCell* JIT_OPERATION operationObjectCreate(ExecState* exec, EncodedJSValue encodedPrototype)
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -44 +44 @@
 JSCell* JIT_OPERATION operationCallObjectConstructor(ExecState*, JSGlobalObject*, EncodedJSValue encodedTarget) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationToObject(ExecState*, JSGlobalObject*, EncodedJSValue encodedTarget, UniquedStringImpl*) WTF_INTERNAL;
-JSArray* JIT_OPERATION operationObjectKeys(ExecState*, EncodedJSValue) WTF_INTERNAL;
-JSArray* JIT_OPERATION operationObjectKeysObject(ExecState*, JSObject*) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationObjectCreate(ExecState*, EncodedJSValue) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationObjectCreateObject(ExecState*, JSObject*) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -985 +985 @@
         case NewArrayWithSize:
         case CreateRest:
-        case NewArrayBuffer:
-        case ObjectKeys: {
+        case NewArrayBuffer: {
             setPrediction(SpecArray);
             break;

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -179 +179 @@
     case CreateThis:
     case ObjectCreate:
-    case ObjectKeys:
     case GetCallee:
     case SetCallee:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -12366 +12366 @@
 }
 
-void SpeculativeJIT::compileObjectKeys(Node* node)
-{
-    switch (node->child1().useKind()) {
-    case ObjectUse: {
-        if (m_graph.isWatchingHavingABadTimeWatchpoint(node)) {
-            SpeculateCellOperand object(this, node->child1());
-            GPRTemporary structure(this);
-            GPRTemporary scratch(this);
-            GPRTemporary scratch2(this);
-            GPRTemporary scratch3(this);
-            GPRTemporary result(this);
-
-            GPRReg objectGPR = object.gpr();
-            GPRReg structureGPR = structure.gpr();
-            GPRReg scratchGPR = scratch.gpr();
-            GPRReg scratch2GPR = scratch2.gpr();
-            GPRReg scratch3GPR = scratch3.gpr();
-            GPRReg resultGPR = result.gpr();
-
-            speculateObject(node->child1(), objectGPR);
-
-            CCallHelpers::JumpList slowCases;
-            m_jit.emitLoadStructure(*m_jit.vm(), objectGPR, structureGPR, scratchGPR);
-            m_jit.loadPtr(CCallHelpers::Address(structureGPR, Structure::previousOrRareDataOffset()), scratchGPR);
-
-            slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR));
-            slowCases.append(m_jit.branch32(CCallHelpers::Equal, CCallHelpers::Address(scratchGPR, JSCell::structureIDOffset()), TrustedImm32(bitwise_cast<int32_t>(m_jit.vm()->structureStructure->structureID()))));
-
-            m_jit.loadPtr(CCallHelpers::Address(scratchGPR, StructureRareData::offsetOfCachedOwnKeys()), scratchGPR);
-
-            slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR));
-            slowCases.append(m_jit.branchPtr(CCallHelpers::Equal, scratchGPR, TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.vm()->sentinelImmutableButterfly.get())));
-
-            MacroAssembler::JumpList slowButArrayBufferCases;
-
-            JSGlobalObject* globalObject = m_jit.graph().globalObjectFor(node->origin.semantic);
-            RegisteredStructure arrayStructure = m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(CopyOnWriteArrayWithContiguous));
-
-            m_jit.move(scratchGPR, scratch3GPR);
-            m_jit.addPtr(TrustedImmPtr(JSImmutableButterfly::offsetOfData()), scratchGPR);
-
-            emitAllocateJSObject<JSArray>(resultGPR, TrustedImmPtr(arrayStructure), scratchGPR, structureGPR, scratch2GPR, slowButArrayBufferCases);
-
-            addSlowPathGenerator(slowPathCall(slowButArrayBufferCases, this, operationNewArrayBuffer, resultGPR, arrayStructure, scratch3GPR));
-
-            addSlowPathGenerator(slowPathCall(slowCases, this, operationObjectKeysObject, resultGPR, objectGPR));
-
-            cellResult(resultGPR, node);
-            break;
-        }
-
-        SpeculateCellOperand object(this, node->child1());
-
-        GPRReg objectGPR = object.gpr();
-
-        speculateObject(node->child1(), objectGPR);
-
-        flushRegisters();
-        GPRFlushedCallResult result(this);
-        GPRReg resultGPR = result.gpr();
-        callOperation(operationObjectKeysObject, resultGPR, objectGPR);
-        m_jit.exceptionCheck();
-
-        cellResult(resultGPR, node);
-        break;
-    }
-
-    case UntypedUse: {
-        JSValueOperand object(this, node->child1());
-
-        JSValueRegs objectRegs = object.jsValueRegs();
-
-        flushRegisters();
-        GPRFlushedCallResult result(this);
-        GPRReg resultGPR = result.gpr();
-        callOperation(operationObjectKeys, resultGPR, objectRegs);
-        m_jit.exceptionCheck();
-
-        cellResult(resultGPR, node);
-        break;
-    }
-
-    default:
-        RELEASE_ASSERT_NOT_REACHED();
-        break;
-    }
-}
-
 void SpeculativeJIT::compileObjectCreate(Node* node)
 {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1480 +1480 @@
     void compileNewTypedArray(Node*);
     void compileToThis(Node*);
-    void compileObjectKeys(Node*);
     void compileObjectCreate(Node*);
     void compileCreateThis(Node*);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3165 +3165 @@
     case ObjectCreate: {
         compileObjectCreate(node);
-        break;
-    }
-
-    case ObjectKeys: {
-        compileObjectKeys(node);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3407 +3407 @@
     case ObjectCreate: {
         compileObjectCreate(node);
-        break;
-    }
-
-    case ObjectKeys: {
-        compileObjectKeys(node);
         break;
     }

trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h

@@ -117 +117 @@
     macro(Structure_indexingModeIncludingHistory, Structure::indexingModeIncludingHistoryOffset()) \
     macro(Structure_inlineCapacity, Structure::inlineCapacityOffset()) \
-    macro(Structure_previousOrRareData, Structure::previousOrRareDataOffset()) \
     macro(Structure_prototype, Structure::prototypeOffset()) \
     macro(Structure_structureID, Structure::structureIDOffset()) \
-    macro(StructureRareData_cachedOwnKeys, StructureRareData::offsetOfCachedOwnKeys()) \
     macro(HashMapImpl_capacity, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()) \
     macro(HashMapImpl_buffer,  HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfBuffer()) \

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -202 +202 @@
     case CallStringConstructor:
     case ObjectCreate:
-    case ObjectKeys:
     case MakeRope:
     case NewArrayWithSize:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -867 +867 @@
             compileObjectCreate();
             break;
-        case ObjectKeys:
-            compileObjectKeys();
-            break;
         case NewObject:
             compileNewObject();
@@ -5499 +5496 @@
         m_out.appendTo(continuation, lastNext);
         setInt32(m_out.phi(Int32, zeroLengthResult, nonZeroLengthResult));
-    }
-
-    void compileObjectKeys()
-    {
-        switch (m_node->child1().useKind()) {
-        case ObjectUse: {
-            if (m_graph.isWatchingHavingABadTimeWatchpoint(m_node)) {
-                LBasicBlock notNullCase = m_out.newBlock();
-                LBasicBlock rareDataCase = m_out.newBlock();
-                LBasicBlock notNullCacheCase = m_out.newBlock();
-                LBasicBlock useCacheCase = m_out.newBlock();
-                LBasicBlock slowButArrayBufferCase = m_out.newBlock();
-                LBasicBlock slowCase = m_out.newBlock();
-                LBasicBlock continuation = m_out.newBlock();
-
-                LValue object = lowObject(m_node->child1());
-                LValue structure = loadStructure(object);
-                LValue previousOrRareData = m_out.loadPtr(structure, m_heaps.Structure_previousOrRareData);
-                m_out.branch(m_out.notNull(previousOrRareData), unsure(notNullCase), unsure(slowCase));
-
-                LBasicBlock lastNext = m_out.appendTo(notNullCase, rareDataCase);
-                m_out.branch(
-                    m_out.notEqual(m_out.load32(previousOrRareData, m_heaps.JSCell_structureID), m_out.constInt32(m_graph.m_vm.structureStructure->structureID())),
-                    unsure(rareDataCase), unsure(slowCase));
-
-                m_out.appendTo(rareDataCase, notNullCacheCase);
-                LValue cachedOwnKeys = m_out.loadPtr(previousOrRareData, m_heaps.StructureRareData_cachedOwnKeys);
-                m_out.branch(m_out.notNull(cachedOwnKeys), unsure(notNullCacheCase), unsure(slowCase));
-
-                m_out.appendTo(notNullCacheCase, useCacheCase);
-                m_out.branch(m_out.notEqual(cachedOwnKeys, weakPointer(m_graph.m_vm.sentinelImmutableButterfly.get())), unsure(useCacheCase), unsure(slowCase));
-
-                m_out.appendTo(useCacheCase, slowButArrayBufferCase);
-                JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
-                RegisteredStructure arrayStructure = m_graph.registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(CopyOnWriteArrayWithContiguous));
-                LValue fastArray = allocateObject<JSArray>(arrayStructure, m_out.addPtr(cachedOwnKeys, JSImmutableButterfly::offsetOfData()), slowButArrayBufferCase);
-                ValueFromBlock fastResult = m_out.anchor(fastArray);
-                m_out.jump(continuation);
-
-                m_out.appendTo(slowButArrayBufferCase, slowCase);
-                LValue slowArray = vmCall(Int64, m_out.operation(operationNewArrayBuffer), m_callFrame, weakStructure(arrayStructure), cachedOwnKeys);
-                ValueFromBlock slowButArrayBufferResult = m_out.anchor(slowArray);
-                m_out.jump(continuation);
-
-                m_out.appendTo(slowCase, continuation);
-                VM& vm = this->vm();
-                LValue slowResultValue = lazySlowPath(
-                    [=, &vm] (const Vector<Location>& locations) -> RefPtr<LazySlowPath::Generator> {
-                        return createLazyCallGenerator(vm,
-                            operationObjectKeysObject, locations[0].directGPR(), locations[1].directGPR());
-                    },
-                    object);
-                ValueFromBlock slowResult = m_out.anchor(slowResultValue);
-                m_out.jump(continuation);
-
-                m_out.appendTo(continuation, lastNext);
-                setJSValue(m_out.phi(pointerType(), fastResult, slowButArrayBufferResult, slowResult));
-                break;
-            }
-            setJSValue(vmCall(Int64, m_out.operation(operationObjectKeysObject), m_callFrame, lowObject(m_node->child1())));
-            break;
-        }
-        case UntypedUse:
-            setJSValue(vmCall(Int64, m_out.operation(operationObjectKeys), m_callFrame, lowJSValue(m_node->child1())));
-            break;
-        default:
-            RELEASE_ASSERT_NOT_REACHED();
-            break;
-        }
     }
 

trunk/Source/JavaScriptCore/runtime/Intrinsic.cpp

@@ -120 +120 @@
     case ObjectIsIntrinsic:
         return "ObjectIsIntrinsic";
-    case ObjectKeysIntrinsic:
-        return "ObjectKeysIntrinsic";
     case ReflectGetPrototypeOfIntrinsic:
         return "ReflectGetPrototypeOfIntrinsic";

trunk/Source/JavaScriptCore/runtime/Intrinsic.h

@@ -73 +73 @@
     ObjectGetPrototypeOfIntrinsic,
     ObjectIsIntrinsic,
-    ObjectKeysIntrinsic,
     ReflectGetPrototypeOfIntrinsic,
     StringPrototypeValueOfIntrinsic,

trunk/Source/JavaScriptCore/runtime/JSImmutableButterfly.h

@@ -68 +68 @@
     }
 
-    static JSImmutableButterfly* createSentinel(VM& vm)
-    {
-        return create(vm, CopyOnWriteArrayWithContiguous, 0);
-    }
-
     unsigned publicLength() const { return m_header.publicLength(); }
     unsigned vectorLength() const { return m_header.vectorLength(); }

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -31 +31 @@
 #include "JSGlobalObject.h"
 #include "JSGlobalObjectFunctions.h"
-#include "JSImmutableButterfly.h"
 #include "Lookup.h"
 #include "ObjectPrototype.h"
@@ -75 +74 @@
   getOwnPropertyNames       objectConstructorGetOwnPropertyNames        DontEnum|Function 1
   getOwnPropertySymbols     objectConstructorGetOwnPropertySymbols      DontEnum|Function 1
-  keys                      objectConstructorKeys                       DontEnum|Function 1 ObjectKeysIntrinsic
+  keys                      objectConstructorKeys                       DontEnum|Function 1
   defineProperty            objectConstructorDefineProperty             DontEnum|Function 3
   defineProperties          objectConstructorDefineProperties           DontEnum|Function 2
@@ -273 +272 @@
 }
 
+// FIXME: Use the enumeration cache.
 EncodedJSValue JSC_HOST_CALL objectConstructorKeys(ExecState* exec)
 {
@@ -893 +893 @@
 }
 
+// FIXME: Use the enumeration cache.
 JSArray* ownPropertyKeys(ExecState* exec, JSObject* object, PropertyNameMode propertyNameMode, DontEnumPropertiesMode dontEnumPropertiesMode)
 {
     VM& vm = exec->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
-
-    auto* globalObject = exec->lexicalGlobalObject();
-    bool isObjectKeys = propertyNameMode == PropertyNameMode::Strings && dontEnumPropertiesMode == DontEnumPropertiesMode::Exclude;
-    // We attempt to look up own property keys cache in Object.keys case.
-    if (isObjectKeys) {
-        if (LIKELY(!globalObject->isHavingABadTime())) {
-            if (auto* immutableButterfly = object->structure(vm)->cachedOwnKeys()) {
-                if (immutableButterfly != vm.sentinelImmutableButterfly.get()) {
-                    Structure* arrayStructure = globalObject->originalArrayStructureForIndexingType(immutableButterfly->indexingMode());
-                    return JSArray::createWithButterfly(vm, nullptr, arrayStructure, immutableButterfly->toButterfly());
-                }
-            }
-        }
-    }
-
     PropertyNameArray properties(&vm, propertyNameMode, PrivateSymbolMode::Exclude);
     object->methodTable(vm)->getOwnPropertyNames(object, exec, properties, EnumerationMode(dontEnumPropertiesMode));
@@ -933 +919 @@
         ASSERT(propertyNameMode == PropertyNameMode::Strings || propertyNameMode == PropertyNameMode::Symbols);
         if (!mustFilterProperty && properties.size() < MIN_SPARSE_ARRAY_INDEX) {
+            auto* globalObject = exec->lexicalGlobalObject();
             if (LIKELY(!globalObject->isHavingABadTime())) {
-                if (isObjectKeys) {
-                    Structure* structure = object->structure(vm);
-                    if (structure->canCacheOwnKeys()) {
-                        auto* cachedButterfly = structure->cachedOwnKeys();
-                        if (cachedButterfly == vm.sentinelImmutableButterfly.get()) {
-                            // Cache the immutable butterfly!
-                            size_t numProperties = properties.size();
-                            auto* newButterfly = JSImmutableButterfly::create(vm, CopyOnWriteArrayWithContiguous, numProperties);
-                            for (size_t i = 0; i < numProperties; i++) {
-                                const auto& identifier = properties[i];
-                                ASSERT(!identifier.isSymbol());
-                                newButterfly->setIndex(vm, i, jsOwnedString(&vm, identifier.string()));
-                            }
-
-                            structure->setCachedOwnKeys(vm, newButterfly);
-                            Structure* arrayStructure = globalObject->originalArrayStructureForIndexingType(newButterfly->indexingMode());
-                            return JSArray::createWithButterfly(vm, nullptr, arrayStructure, newButterfly->toButterfly());
-                        }
-
-                        if (cachedButterfly == nullptr)
-                            structure->setCachedOwnKeys(vm, jsCast<JSImmutableButterfly*>(vm.sentinelImmutableButterfly.get()));
-                    }
-                }
-
                 size_t numProperties = properties.size();
                 JSArray* keys = JSArray::create(vm, globalObject->originalArrayStructureForIndexingType(ArrayWithContiguous), numProperties);

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -1253 +1253 @@
 bool Structure::canCachePropertyNameEnumerator() const
 {
-    if (!this->canCacheOwnKeys())
+    auto canCache = [] (const Structure* structure) {
+        if (structure->isDictionary())
+            return false;
+        if (hasIndexedProperties(structure->indexingType()))
+            return false;
+        if (structure->typeInfo().overridesGetPropertyNames())
+            return false;
+        return true;
+    };
+
+    if (!canCache(this))
         return false;
 
@@ -1262 +1272 @@
         if (!structure->get())
             return true;
-        if (!structure->get()->canCacheOwnKeys())
+        if (!canCache(structure->get()))
             return false;
         structure++;

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -39 +39 @@
 #include "StructureIDBlob.h"
 #include "StructureRareData.h"
+#include "StructureRareDataInlines.h"
 #include "StructureTransitionTable.h"
 #include "JSTypeInfo.h"
@@ -326 +327 @@
     }
 
-    const StructureRareData* rareDataConcurrently() const
-    {
-        JSCell* cell = m_previousOrRareData.get();
-        WTF::loadLoadFence();
-        if (isRareData(cell))
-            return static_cast<StructureRareData*>(cell);
-        return nullptr;
-    }
-
     StructureRareData* ensureRareData(VM& vm)
     {
@@ -481 +473 @@
     bool canAccessPropertiesQuicklyForEnumeration() const;
 
-    void setCachedOwnKeys(VM&, JSImmutableButterfly*);
-    JSImmutableButterfly* cachedOwnKeys() const;
-    bool canCacheOwnKeys() const;
-
     void getPropertyNamesFromStructure(VM&, PropertyNameArray&, EnumerationMode);
 
@@ -531 +519 @@
     {
         return OBJECT_OFFSETOF(Structure, m_inlineCapacity);
-    }
-
-    static ptrdiff_t previousOrRareDataOffset()
-    {
-        return OBJECT_OFFSETOF(Structure, m_previousOrRareData);
     }
 

trunk/Source/JavaScriptCore/runtime/StructureInlines.h

@@ -220 +220 @@
 }
 
-inline void Structure::setCachedOwnKeys(VM& vm, JSImmutableButterfly* ownKeys)
-{
-    ensureRareData(vm)->setCachedOwnKeys(vm, ownKeys);
-}
-
-inline JSImmutableButterfly* Structure::cachedOwnKeys() const
-{
-    if (!hasRareData())
-        return nullptr;
-    return rareData()->cachedOwnKeys();
-}
-
-inline bool Structure::canCacheOwnKeys() const
-{
-    if (isDictionary())
-        return false;
-    if (hasIndexedProperties(indexingType()))
-        return false;
-    if (typeInfo().overridesGetPropertyNames())
-        return false;
-    return true;
-}
-
 ALWAYS_INLINE JSValue prototypeForLookupPrimitiveImpl(JSGlobalObject* globalObject, const Structure* structure)
 {

trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp

@@ -28 +28 @@
 
 #include "AdaptiveInferredPropertyValueWatchpointBase.h"
-#include "JSImmutableButterfly.h"
 #include "JSPropertyNameEnumerator.h"
 #include "JSString.h"
@@ -72 +71 @@
     visitor.append(thisObject->m_objectToStringValue);
     visitor.append(thisObject->m_cachedPropertyNameEnumerator);
-    visitor.append(thisObject->m_cachedOwnKeys);
+}
+
+JSPropertyNameEnumerator* StructureRareData::cachedPropertyNameEnumerator() const
+{
+    return m_cachedPropertyNameEnumerator.get();
+}
+
+void StructureRareData::setCachedPropertyNameEnumerator(VM& vm, JSPropertyNameEnumerator* enumerator)
+{
+    m_cachedPropertyNameEnumerator.set(vm, this, enumerator);
 }
 

trunk/Source/JavaScriptCore/runtime/StructureRareData.h

@@ -59 +59 @@
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue prototype);
 
-    Structure* previousID() const
-    {
-        return m_previous.get();
-    }
+    Structure* previousID() const;
     void setPreviousID(VM&, Structure*);
     void clearPreviousID();
@@ -72 +69 @@
     void setCachedPropertyNameEnumerator(VM&, JSPropertyNameEnumerator*);
 
-    JSImmutableButterfly* cachedOwnKeys() const;
-    JSImmutableButterfly* cachedOwnKeysConcurrently() const;
-    void setCachedOwnKeys(VM&, JSImmutableButterfly*);
-
     Box<InlineWatchpointSet> copySharedPolyProtoWatchpoint() const { return m_polyProtoWatchpoint; }
     const Box<InlineWatchpointSet>& sharedPolyProtoWatchpoint() const { return m_polyProtoWatchpoint; }
     void setSharedPolyProtoWatchpoint(Box<InlineWatchpointSet>&& sharedPolyProtoWatchpoint) { m_polyProtoWatchpoint = WTFMove(sharedPolyProtoWatchpoint); }
     bool hasSharedPolyProtoWatchpoint() const { return static_cast<bool>(m_polyProtoWatchpoint); }
-
-    static ptrdiff_t offsetOfCachedOwnKeys()
-    {
-        return OBJECT_OFFSETOF(StructureRareData, m_cachedOwnKeys);
-    }
 
     DECLARE_EXPORT_INFO;
@@ -99 +87 @@
     WriteBarrier<Structure> m_previous;
     WriteBarrier<JSString> m_objectToStringValue;
-    // FIXME: We should have some story for clearing these property names caches in GC.
-    // https://bugs.webkit.org/show_bug.cgi?id=192659
     WriteBarrier<JSPropertyNameEnumerator> m_cachedPropertyNameEnumerator;
-    WriteBarrier<JSImmutableButterfly> m_cachedOwnKeys;
 
     typedef HashMap<PropertyOffset, RefPtr<WatchpointSet>, WTF::IntHash<PropertyOffset>, WTF::UnsignedWithZeroKeyHashTraits<PropertyOffset>> PropertyWatchpointMap;

trunk/Source/JavaScriptCore/runtime/StructureRareDataInlines.h

@@ -26 +26 @@
 #pragma once
 
-#include "JSImmutableButterfly.h"
-#include "JSPropertyNameEnumerator.h"
 #include "JSString.h"
 #include "StructureRareData.h"
 
 namespace JSC {
+
+inline Structure* StructureRareData::previousID() const
+{
+    return m_previous.get();
+}
 
 inline void StructureRareData::setPreviousID(VM& vm, Structure* structure)
@@ -48 +51 @@
 }
 
-inline JSPropertyNameEnumerator* StructureRareData::cachedPropertyNameEnumerator() const
-{
-    return m_cachedPropertyNameEnumerator.get();
-}
-
-inline void StructureRareData::setCachedPropertyNameEnumerator(VM& vm, JSPropertyNameEnumerator* enumerator)
-{
-    m_cachedPropertyNameEnumerator.set(vm, this, enumerator);
-}
-
-inline JSImmutableButterfly* StructureRareData::cachedOwnKeys() const
-{
-    ASSERT(!isCompilationThread());
-    return m_cachedOwnKeys.get();
-}
-
-inline JSImmutableButterfly* StructureRareData::cachedOwnKeysConcurrently() const
-{
-    auto* result = m_cachedOwnKeys.get();
-    WTF::loadLoadFence();
-    return result;
-}
-
-inline void StructureRareData::setCachedOwnKeys(VM& vm, JSImmutableButterfly* butterfly)
-{
-    WTF::storeStoreFence();
-    m_cachedOwnKeys.set(vm, this, butterfly);
-}
-
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -435 +435 @@
     promiseDeferredStructure.set(*this, JSPromiseDeferred::createStructure(*this, 0, jsNull()));
     internalPromiseDeferredStructure.set(*this, JSInternalPromiseDeferred::createStructure(*this, 0, jsNull()));
-    nativeStdFunctionCellStructure.set(*this, NativeStdFunctionCell::createStructure(*this, 0, jsNull()));
     programCodeBlockStructure.set(*this, ProgramCodeBlock::createStructure(*this, 0, jsNull()));
     moduleProgramCodeBlockStructure.set(*this, ModuleProgramCodeBlock::createStructure(*this, 0, jsNull()));
@@ -449 +448 @@
     sentinelSetBucket.set(*this, JSSet::BucketType::createSentinel(*this));
     sentinelMapBucket.set(*this, JSMap::BucketType::createSentinel(*this));
-    sentinelImmutableButterfly.set(*this, JSImmutableButterfly::createSentinel(*this));
-
+
+    nativeStdFunctionCellStructure.set(*this, NativeStdFunctionCell::createStructure(*this, 0, jsNull()));
     smallStrings.initializeCommonStrings(*this);
 

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -572 +572 @@
     Strong<JSCell> sentinelSetBucket;
     Strong<JSCell> sentinelMapBucket;
-    Strong<JSCell> sentinelImmutableButterfly;
 
     std::unique_ptr<PromiseDeferredTimer> promiseDeferredTimer;