Changeset 240040 in webkit


Timestamp:
Jan 16, 2019 10:10:44 AM (5 years ago)
Author:
mark.lam@apple.com
Message:

JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
https://bugs.webkit.org/show_bug.cgi?id=193423
<rdar://problem/46209355>

Reviewed by Saam Barati.

JSTests:

  • microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
  • stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
  • stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
  • stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.

Source/JavaScriptCore:

JSFunction::canUseAllocationProfile() should return false for most builtins
because the majority of them have no prototype property. The only exception to
this is the few builtin functions that are explicitly used as constructors.

For these builtin constructors, JSFunction::canUseAllocationProfile() should also
return false if the prototype property is a getter or custom getter because
getting the prototype would then be effectful.

  • dfg/DFGOperations.cpp:
  • runtime/CommonSlowPaths.cpp:
    (JSC::SLOW_PATH_DECL):
  • runtime/JSFunctionInlines.h:
    (JSC::JSFunction::canUseAllocationProfile):
  • runtime/PropertySlot.h:
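The behaviour the new stress tests are named for, that `new` on a function whose `prototype` is an effectful getter reads that getter exactly once per construction and therefore cannot be served from a cached prototype, as an added illustration in plain JavaScript (not part of the WebKit change; a Proxy stands in for such a constructor because an ordinary function's own `prototype` is non-configurable and cannot be redefined as an accessor):

```javascript
// Added illustration, not WebKit code: a constructor whose `prototype` lookup
// is an effectful getter. A Proxy is used because an ordinary function's own
// `prototype` is non-configurable and cannot be turned into an accessor.
function makeEffectfulConstructor() {
  const protos = []; // one fresh prototype object per read
  let reads = 0;     // how many times `prototype` was read
  const ctor = new Proxy(function () {}, {
    get(target, key, receiver) {
      if (key === "prototype") {
        reads += 1;
        const p = { tag: reads };
        protos.push(p);
        return p;
      }
      return Reflect.get(target, key, receiver);
    },
  });
  return { ctor, protos, reads: () => reads };
}

// Spec behaviour: each `new ctor()` performs exactly one Get(ctor, "prototype"),
// so n constructions read the getter n times and each object receives the
// prototype produced by its own read.
function constructAndCheck(n) {
  const { ctor, protos, reads } = makeEffectfulConstructor();
  const objs = [];
  for (let i = 0; i < n; i++) objs.push(new ctor());
  const eachHasOwnProto = objs.every(
    (o, i) => Object.getPrototypeOf(o) === protos[i]
  );
  return { reads: reads(), eachHasOwnProto };
}

// What a cached prototype (the role of JSC's allocation profile) would yield if
// it were allowed to capture the result of an effectful getter: the getter runs
// once and every later object silently shares that first prototype.
function cachedModel(n) {
  const { ctor, protos, reads } = makeEffectfulConstructor();
  const cached = ctor.prototype; // the single effectful read
  const objs = Array.from({ length: n }, () => Object.create(cached));
  const allShareFirst = objs.every(
    (o) => Object.getPrototypeOf(o) === protos[0]
  );
  return { reads: reads(), allShareFirst };
}
```

Run in any spec-conformant engine, `constructAndCheck(3)` reports three getter reads with distinct prototypes, while `cachedModel(3)` shows the single read and shared prototype that the fix prevents JSC from producing.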
Location:
trunk
Files:
4 added
6 edited

  • trunk/JSTests/ChangeLog

    r240024 r240040  
     12019-01-15  Mark Lam  <mark.lam@apple.com>
     2
     3        JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
     4        https://bugs.webkit.org/show_bug.cgi?id=193423
     5        <rdar://problem/46209355>
     6
     7        Reviewed by Saam Barati.
     8
     9        * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
     10        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
     11        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
     12        * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
     13
    1142019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
    215
  • trunk/Source/JavaScriptCore/ChangeLog

    r240024 r240040  
     12019-01-15  Mark Lam  <mark.lam@apple.com>
     2
     3        JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
     4        https://bugs.webkit.org/show_bug.cgi?id=193423
     5        <rdar://problem/46209355>
     6
     7        Reviewed by Saam Barati.
     8
     9        JSFunction::canUseAllocationProfile() should return false for most builtins
     10        because the majority of them have no prototype property.  The only exception to
     11        this is the few builtin functions that are explicitly used as constructors.
     12
     13        For these builtin constructors, JSFunction::canUseAllocationProfile() should also
     14        return false if the prototype property is a getter or custom getter because
     15        getting the prototype would then be effectful.
     16
     17        * dfg/DFGOperations.cpp:
     18        * runtime/CommonSlowPaths.cpp:
     19        (JSC::SLOW_PATH_DECL):
     20        * runtime/JSFunctionInlines.h:
     21        (JSC::JSFunction::canUseAllocationProfile):
     22        * runtime/PropertySlot.h:
     23
    1242019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
    225
  • trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

    r239612 r240040  
    302302    if (constructor->type() == JSFunctionType && jsCast<JSFunction*>(constructor)->canUseAllocationProfile()) {
    303303        auto rareData = jsCast<JSFunction*>(constructor)->ensureRareDataAndAllocationProfile(exec, inlineCapacity);
    304         RETURN_IF_EXCEPTION(scope, nullptr);
     304        scope.releaseAssertNoException();
    305305        ObjectAllocationProfile* allocationProfile = rareData->objectAllocationProfile();
    306306        Structure* structure = allocationProfile->structure();
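Review bot: replacing `RETURN_IF_EXCEPTION(scope, nullptr)` with `scope.releaseAssertNoException()` at line 304 turns an exception that used to propagate into a release-mode crash, and that is sound only because the `canUseAllocationProfile()` guard at line 302 now rejects builtins whose `prototype` is an accessor or custom value. A one-line comment at the assert naming that invariant (for example `// canUseAllocationProfile() guarantees the prototype lookup above is not effectful.`) would keep the guard and the assert from drifting apart in later edits.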
  • trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

    r239455 r240040  
    244244        size_t inlineCapacity = bytecode.inlineCapacity;
    245245        ObjectAllocationProfile* allocationProfile = constructor->ensureRareDataAndAllocationProfile(exec, inlineCapacity)->objectAllocationProfile();
     246        throwScope.releaseAssertNoException();
    246247        Structure* structure = allocationProfile->structure();
    247248        result = constructEmptyObject(exec, structure);
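Review bot: the new `throwScope.releaseAssertNoException()` at line 246 runs only after `->objectAllocationProfile()` on line 245 has already been called on whatever `ensureRareDataAndAllocationProfile(exec, inlineCapacity)` returned, so the result is used before the no-exception check. If the assert is meant to cover that call, split the chain so it sits in between: `auto rareData = constructor->ensureRareDataAndAllocationProfile(exec, inlineCapacity);` / `throwScope.releaseAssertNoException();` / `ObjectAllocationProfile* allocationProfile = rareData->objectAllocationProfile();`, which also mirrors the shape used in DFGOperations.cpp in this same changeset.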
  • trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h

    r231882 r240040  
    111111inline bool JSFunction::canUseAllocationProfile()
    112112{
    113     if (isHostFunction())
    114         return false;
     113    if (isHostOrBuiltinFunction()) {
     114        if (isHostFunction())
     115            return false;
     116
     117        VM& vm = globalObject()->vm();
     118        unsigned attributes;
     119        JSValue prototype = getDirect(vm, vm.propertyNames->prototype, attributes);
     120        if (!prototype || (attributes & PropertyAttribute::AccessorOrCustomAccessorOrValue))
     121            return false;
     122    }
    115123
    116124    // If we don't have a prototype property, we're not guaranteed it's
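Review bot: the new check at line 120 rejects three attribute kinds, `Accessor | CustomAccessor | CustomValue`, while the ChangeLog entry only speaks of a "getter or custom getter"; either the ChangeLog should mention custom-value prototypes as well, or the code should carry a comment explaining why `CustomValue` is excluded too. It would also help to note at line 119 that `getDirect` is used deliberately so the own-slot lookup itself never runs a getter, and that the inner `isHostFunction()` test at line 114 is only reached for host or builtin functions, so plain JS functions fall through to the existing prototype comment at line 124 unchanged.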
  • trunk/Source/JavaScriptCore/runtime/PropertySlot.h

    r239427 r240040  
    4646    CustomValue       = 1 << 6,
    4747    CustomAccessorOrValue = CustomAccessor | CustomValue,
     48    AccessorOrCustomAccessorOrValue = Accessor | CustomAccessor | CustomValue,
    4849
    4950    // Things that are used by static hashtables are not in the attributes byte in PropertyMapEntry.