Changeset 246709 in webkit

Timestamp:

Jun 22, 2019 12:48:08 AM (5 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] Strict, Sloppy and Arrow functions should have different classInfo
​https://bugs.webkit.org/show_bug.cgi?id=197631

Reviewed by Saam Barati.

JSTests:

• stress/has-own-property-arguments.js: Added.

(shouldBe):
(A):

Source/JavaScriptCore:

If a constructor inherits a builtin class, it creates a Structure which is subclassing the builtin class.
This is done by using InternalFunction::createSubclassStructure. But to accelerate the common cases, we
cache the created structure in InternalFunctionAllocationProfile. Whether the cache is valid is checked
by comparing classInfo of the cached structure and the given base structure. This implicitly assume that
each builtin class's InternalFunction creates an instance based on one structure.

However, Function constructor is an exception: Function constructor creates an instance which has different
structures based on a parameter. If a strict code is given (e.g. "'use strict'"), it creates a function
instance with strict function structure.

As a result, InternalFunctionAllocationProfile incorrectly caches the structure. Consider the following code.

class A extends Function { };
let a = new A("'use strict'");
let b = new A("");

While a and b should have different structures, A caches the structure for a, and reuse it even the given
code is not a strict code. This is problematic: We are separating structures of strict, sloppy, and arrow functions
because they have different properties. However, in the above case, a and b have the same structure while they have
different properties. So it causes incorrect structure-based caching in JSC. One of the example is HasOwnPropertyCache.

In this patch, we introduce JSStrictFunction, JSSloppyFunction, and JSArrowFunction classes and classInfos. This design
works well and already partially accepted for JSGeneratorFunction, JSAsyncGeneratorFunction, and JSAsyncFunction. Each
structure now has a different classInfo so that InternalFunctionAllocationProfile correctly caches and invalidates the
cached one based on the classInfo. Since we already have different structures for these instances, and DFG and FTL
optimizations are based on JSFunctionType (not classInfo), introducing these three classInfo do not break the optimization.

Note that structures on ArrayConstructor does not cause the same problem. It only uses Undecided indexing typed array
structure in InternalFunctionAllocationProfile, and once haveABadTime happens, it clears InternalFunctionAllocationProfile.

• runtime/JSAsyncFunction.h: This subspaceFor is not necessary since it is defined in JSFunction. And we already ensure that

sizeof(JSAsyncFunction) == sizeof(JSFunction).

• runtime/JSAsyncGeneratorFunction.cpp:
• runtime/JSAsyncGeneratorFunction.h: Ditto.
• runtime/JSFunction.cpp:
• runtime/JSFunction.h:
• runtime/JSGeneratorFunction.h: Ditto.
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/has-own-property-arguments.js (added)
• JSTests/stress/inline-cache-arguments.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSAsyncFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSAsyncGeneratorFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSAsyncGeneratorFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGeneratorFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Strict, Sloppy and Arrow functions should have different classInfo
+        https://bugs.webkit.org/show_bug.cgi?id=197631
+
+        Reviewed by Saam Barati.
+
+        * stress/has-own-property-arguments.js: Added.
+        (shouldBe):
+        (A):
+
 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Strict, Sloppy and Arrow functions should have different classInfo
+        https://bugs.webkit.org/show_bug.cgi?id=197631
+
+        Reviewed by Saam Barati.
+
+        If a constructor inherits a builtin class, it creates a Structure which is subclassing the builtin class.
+        This is done by using InternalFunction::createSubclassStructure. But to accelerate the common cases, we
+        cache the created structure in InternalFunctionAllocationProfile. Whether the cache is valid is checked
+        by comparing classInfo of the cached structure and the given base structure. This implicitly assume that
+        each builtin class's InternalFunction creates an instance based on one structure.
+
+        However, Function constructor is an exception: Function constructor creates an instance which has different
+        structures based on a parameter. If a strict code is given (e.g. "'use strict'"), it creates a function
+        instance with strict function structure.
+
+        As a result, InternalFunctionAllocationProfile incorrectly caches the structure. Consider the following code.
+
+            class A extends Function { };
+            let a = new A("'use strict'");
+            let b = new A("");
+
+        While `a` and `b` should have different structures, `A` caches the structure for `a`, and reuse it even the given
+        code is not a strict code. This is problematic: We are separating structures of strict, sloppy, and arrow functions
+        because they have different properties. However, in the above case, a and b have the same structure while they have
+        different properties. So it causes incorrect structure-based caching in JSC. One of the example is HasOwnPropertyCache.
+
+        In this patch, we introduce JSStrictFunction, JSSloppyFunction, and JSArrowFunction classes and classInfos. This design
+        works well and already partially accepted for JSGeneratorFunction, JSAsyncGeneratorFunction, and JSAsyncFunction. Each
+        structure now has a different classInfo so that InternalFunctionAllocationProfile correctly caches and invalidates the
+        cached one based on the classInfo. Since we already have different structures for these instances, and DFG and FTL
+        optimizations are based on JSFunctionType (not classInfo), introducing these three classInfo do not break the optimization.
+
+        Note that structures on ArrayConstructor does not cause the same problem. It only uses Undecided indexing typed array
+        structure in InternalFunctionAllocationProfile, and once haveABadTime happens, it clears InternalFunctionAllocationProfile.
+
+        * runtime/JSAsyncFunction.h: This subspaceFor is not necessary since it is defined in JSFunction. And we already ensure that
+        sizeof(JSAsyncFunction) == sizeof(JSFunction).
+        * runtime/JSAsyncGeneratorFunction.cpp:
+        * runtime/JSAsyncGeneratorFunction.h: Ditto.
+        * runtime/JSFunction.cpp:
+        * runtime/JSFunction.h:
+        * runtime/JSGeneratorFunction.h: Ditto.
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+
 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSAsyncFunction.h

@@ -39 +39 @@
     const static unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType, SubspaceAccess>
-    static IsoSubspace* subspaceFor(VM& vm)
-    {
-        return &vm.functionSpace;
-    }
-
     DECLARE_EXPORT_INFO;
 

trunk/Source/JavaScriptCore/runtime/JSAsyncGeneratorFunction.cpp

@@ -38 +38 @@
 namespace JSC {
 
-const ClassInfo JSAsyncGeneratorFunction    ::s_info = { "JSAsyncGeneratorFunction",  &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSAsyncGeneratorFunction) };
+const ClassInfo JSAsyncGeneratorFunction::s_info = { "JSAsyncGeneratorFunction",  &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSAsyncGeneratorFunction) };
 
 JSAsyncGeneratorFunction::JSAsyncGeneratorFunction(VM& vm, FunctionExecutable* executable, JSScope* scope, Structure* structure)

trunk/Source/JavaScriptCore/runtime/JSAsyncGeneratorFunction.h

@@ -39 +39 @@
     const static unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType, SubspaceAccess>
-    static IsoSubspace* subspaceFor(VM& vm)
-    {
-        return &vm.functionSpace;
-    }
-
     DECLARE_EXPORT_INFO;
 

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -61 +61 @@
 
 const ClassInfo JSFunction::s_info = { "Function", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSFunction) };
+const ClassInfo JSStrictFunction::s_info = { "Function", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSStrictFunction) };
+const ClassInfo JSSloppyFunction::s_info = { "Function", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSSloppyFunction) };
+const ClassInfo JSArrowFunction::s_info = { "Function", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSArrowFunction) };
 
 bool JSFunction::isHostFunctionNonInline() const

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -227 +227 @@
 };
 
+class JSStrictFunction final : public JSFunction {
+public:
+    using Base = JSFunction;
+
+    DECLARE_EXPORT_INFO;
+
+    static constexpr unsigned StructureFlags = Base::StructureFlags;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        ASSERT(globalObject);
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSFunctionType, StructureFlags), info());
+    }
+};
+static_assert(sizeof(JSStrictFunction) == sizeof(JSFunction), "Allocated in JSFunction IsoSubspace");
+
+class JSSloppyFunction final : public JSFunction {
+public:
+    using Base = JSFunction;
+
+    DECLARE_EXPORT_INFO;
+
+    static constexpr unsigned StructureFlags = Base::StructureFlags;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        ASSERT(globalObject);
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSFunctionType, StructureFlags), info());
+    }
+};
+static_assert(sizeof(JSSloppyFunction) == sizeof(JSFunction), "Allocated in JSFunction IsoSubspace");
+
+class JSArrowFunction final : public JSFunction {
+public:
+    using Base = JSFunction;
+
+    DECLARE_EXPORT_INFO;
+
+    static constexpr unsigned StructureFlags = Base::StructureFlags;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        ASSERT(globalObject);
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSFunctionType, StructureFlags), info());
+    }
+};
+static_assert(sizeof(JSArrowFunction) == sizeof(JSFunction), "Allocated in JSFunction IsoSubspace");
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSGeneratorFunction.h

@@ -67 +67 @@
     const static unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType, SubspaceAccess>
-    static IsoSubspace* subspaceFor(VM& vm)
-    {
-        return &vm.functionSpace;
-    }
-
     DECLARE_EXPORT_INFO;
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -473 +473 @@
 
     auto initFunctionStructures = [&] (FunctionStructures& structures) {
-        structures.strictFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
-        structures.sloppyFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
-        structures.arrowFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
+        structures.strictFunctionStructure.set(vm, this, JSStrictFunction::createStructure(vm, this, m_functionPrototype.get()));
+        structures.sloppyFunctionStructure.set(vm, this, JSSloppyFunction::createStructure(vm, this, m_functionPrototype.get()));
+        structures.arrowFunctionStructure.set(vm, this, JSArrowFunction::createStructure(vm, this, m_functionPrototype.get()));
     };
     initFunctionStructures(m_builtinFunctions);