Changeset 255897 in webkit

Timestamp:

Feb 5, 2020 7:48:34 PM (4 years ago)

Author:

Justin Michaud

Message:

Deleting a property should not turn structures into uncacheable dictionaries
​https://bugs.webkit.org/show_bug.cgi?id=206430

Reviewed by Yusuke Suzuki.

JSTests:

• microbenchmarks/delete-property-from-prototype-chain.js: Added.

(assert):
(noInline.assert.getZ):
(noInline.getZ.C):
(doTest):
(delete.C.prototype.z):

• microbenchmarks/delete-property-keeps-cacheable-structure.js: Added.

(assert):
(C):
(doTest):

• stress/cache-put-by-id-different-attributes.js:

(makePrototypeDict):
(set x):

• stress/cache-put-by-id-different-offset.js:

(makePrototypeDict):
(set x):

• stress/cache-put-by-id-poly-proto.js:

(makePrototypeDict):
(set _):

• stress/delete-property-check-structure-transition.js: Added.

(assert):
(assert_eq):
(assert_neq):
(sd):
(sid):
(testDeleteIsNotUncacheable):
(testCanMaterializeDeletes):
(testCanFlatten):
(testDeleteWithInlineCache.Object.prototype.globalProperty.42.makeFoo):
(testDeleteWithInlineCache.noInline.doTest):
(testDeleteWithInlineCache):

• stress/flatten-object-zero-unused-inline-properties.js:

Source/JavaScriptCore:

Right now, deleteProperty/removePropertyTransition causes a structure transition to uncacheable dictionary. Instead, we should allow it to transition to a new regular structure like adding a property does. This means that we have to:

1) Break the assumption that structure transition offsets increase monotonically

We add a new flag to tell that a structure has deleted its property, and update materializePropertyTable to use it.

2) Add a new transition map and transition kind for deletes

We cache the delete transition. We will not transition back to a previous structure if you add then immediately remove a property.

3) Find some heuristic for when we should actually transition to uncacheable dictionary.

Since deleting properties is expected to be rare, we just walk the structure list and count its size on removal.

This patch also fixes a related bug in addProperty, where we did not use a GCSafeConcurrentJSLocker, and adds an option to trigger the bug. Finally, we add some helper methods to dollarVM to test.

This gives a 24x speedup on delete-property-keeps-cacheable-structure.js, and is neutral on delete-property-from-prototype-chain.js (which was already generating code using the inline cache).

• heap/HeapInlines.h:

(JSC::Heap::decrementDeferralDepthAndGCIfNeeded):

• runtime/JSObject.cpp:

(JSC::JSObject::deleteProperty):

• runtime/OptionsList.h:
• runtime/PropertyMapHashTable.h:

(JSC::PropertyTable::get):
(JSC::PropertyTable::add):
(JSC::PropertyTable::addDeletedOffset):
(JSC::PropertyTable::reinsert):

• runtime/Structure.cpp:

(JSC::StructureTransitionTable::contains const):
(JSC::StructureTransitionTable::get const):
(JSC::StructureTransitionTable::add):
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyTable):
(JSC::Structure::addNewPropertyTransition):
(JSC::Structure::removePropertyTransition):
(JSC::Structure::removePropertyTransitionFromExistingStructure):
(JSC::Structure::removeNewPropertyTransition):
(JSC::Structure::toUncacheableDictionaryTransition):
(JSC::Structure::remove):
(JSC::Structure::visitChildren):

• runtime/Structure.h:
• runtime/StructureInlines.h:

(JSC::Structure::forEachPropertyConcurrently):
(JSC::Structure::add):
(JSC::Structure::remove):
(JSC::Structure::removePropertyWithoutTransition):

• runtime/StructureTransitionTable.h:

(JSC::StructureTransitionTable::Hash::hash):

• tools/JSDollarVM.cpp:

(JSC::JSDollarVMHelper::functionGetStructureTransitionList):
(JSC::functionGetConcurrently):
(JSC::JSDollarVM::finishCreation):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/microbenchmarks/delete-property-from-prototype-chain.js (added)
• JSTests/microbenchmarks/delete-property-keeps-cacheable-structure.js (added)
• JSTests/stress/cache-put-by-id-different-attributes.js (modified) (2 diffs)
• JSTests/stress/cache-put-by-id-different-offset.js (modified) (1 diff)
• JSTests/stress/cache-put-by-id-poly-proto.js (modified) (2 diffs)
• JSTests/stress/delete-property-check-structure-transition.js (added)
• JSTests/stress/flatten-object-zero-unused-inline-properties.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/heap/HeapInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/OptionsList.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/PropertyMapHashTable.h (modified) (6 diffs)
• Source/JavaScriptCore/runtime/Structure.cpp (modified) (16 diffs)
• Source/JavaScriptCore/runtime/Structure.h (modified) (5 diffs)
• Source/JavaScriptCore/runtime/StructureInlines.h (modified) (6 diffs)
• Source/JavaScriptCore/runtime/StructureTransitionTable.h (modified) (2 diffs)
• Source/JavaScriptCore/tools/JSDollarVM.cpp (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-02-05  Justin Michaud  <justin_michaud@apple.com>
+
+        Deleting a property should not turn structures into uncacheable dictionaries
+        https://bugs.webkit.org/show_bug.cgi?id=206430
+
+        Reviewed by Yusuke Suzuki.
+
+        * microbenchmarks/delete-property-from-prototype-chain.js: Added.
+        (assert):
+        (noInline.assert.getZ):
+        (noInline.getZ.C):
+        (doTest):
+        (delete.C.prototype.z):
+        * microbenchmarks/delete-property-keeps-cacheable-structure.js: Added.
+        (assert):
+        (C):
+        (doTest):
+        * stress/cache-put-by-id-different-attributes.js:
+        (makePrototypeDict):
+        (set x):
+        * stress/cache-put-by-id-different-offset.js:
+        (makePrototypeDict):
+        (set x):
+        * stress/cache-put-by-id-poly-proto.js:
+        (makePrototypeDict):
+        (set _):
+        * stress/delete-property-check-structure-transition.js: Added.
+        (assert):
+        (assert_eq):
+        (assert_neq):
+        (sd):
+        (sid):
+        (testDeleteIsNotUncacheable):
+        (testCanMaterializeDeletes):
+        (testCanFlatten):
+        (testDeleteWithInlineCache.Object.prototype.globalProperty.42.makeFoo):
+        (testDeleteWithInlineCache.noInline.doTest):
+        (testDeleteWithInlineCache):
+        * stress/flatten-object-zero-unused-inline-properties.js:
+
 2020-02-04  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/JSTests/stress/cache-put-by-id-different-attributes.js

@@ -4 +4 @@
 
 Foo.prototype.x = 0;
+
+function makePrototypeDict() {
+    for (let i=0; i<100; ++i) {
+        Foo.prototype.a = i
+        Foo.prototype.b = i
+        delete Foo.prototype.a
+        delete Foo.prototype.b
+    }
+}
+noInline(makePrototypeDict)
 
 Object.defineProperty(Foo.prototype, 'y', {
@@ -12 +22 @@
                 writable: true,
             });
-            if (typeof $vm !== 'undefined')
+            if (typeof $vm !== 'undefined') {
+                makePrototypeDict()
                 $vm.flattenDictionaryObject(Foo.prototype);
+            }
         }
     },

trunk/JSTests/stress/cache-put-by-id-different-offset.js

@@ -5 +5 @@
 Foo.prototype.x = 0;
 
+function makePrototypeDict() {
+    for (let i=0; i<100; ++i) {
+        Foo.prototype.a = i
+        Foo.prototype.b = i
+        delete Foo.prototype.a
+        delete Foo.prototype.b
+    }
+}
+noInline(makePrototypeDict)
+
 Object.defineProperty(Foo.prototype, 'y', {
     set(x) {
         if (Foo.prototype.x++ === 1) {
             delete Foo.prototype.x;
-            if (typeof $vm !== 'undefined')
+            if (typeof $vm !== 'undefined') {
+                makePrototypeDict()
                 $vm.flattenDictionaryObject(Foo.prototype);
+            }
         }
     }

trunk/JSTests/stress/cache-put-by-id-poly-proto.js

@@ -4 +4 @@
 
 let x = 0;
+
+function makePrototypeDict() {
+    for (let i=0; i<100; ++i) {
+        Foo.prototype.a = i
+        Foo.prototype.b = i
+        delete Foo.prototype.a
+        delete Foo.prototype.b
+    }
+}
+noInline(makePrototypeDict)
 
 Object.defineProperty(Foo.prototype, 'y', {
@@ -12 +22 @@
                 writable: true,
             });
-            if (typeof $vm !== 'undefined')
+            if (typeof $vm !== 'undefined') {
+                makePrototypeDict()
                 $vm.flattenDictionaryObject(Foo.prototype);
+            }
         }
     },

trunk/JSTests/stress/flatten-object-zero-unused-inline-properties.js

@@ -1 +1 @@
 let o = { foo: 1, bar: 2, baz: 3 };
+for (let i=0; i<100; ++i) {
+    o.a = i
+    o.b = i
+    delete o.a
+    delete o.b
+}
 if ($vm.inlineCapacity(o) <= 3)
     throw new Error("There should be inline capacity");

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-02-05  Justin Michaud  <justin_michaud@apple.com>
+
+        Deleting a property should not turn structures into uncacheable dictionaries
+        https://bugs.webkit.org/show_bug.cgi?id=206430
+
+        Reviewed by Yusuke Suzuki.
+
+        Right now, deleteProperty/removePropertyTransition causes a structure transition to uncacheable dictionary. Instead, we should allow it to transition to a new regular structure like adding a property does. This means that we have to:
+
+        1) Break the assumption that structure transition offsets increase monotonically
+
+        We add a new flag to tell that a structure has deleted its property, and update materializePropertyTable to use it.
+
+        2) Add a new transition map and transition kind for deletes
+
+        We cache the delete transition. We will not transition back to a previous structure if you add then immediately remove a property.
+
+        3) Find some heuristic for when we should actually transition to uncacheable dictionary.
+
+        Since deleting properties is expected to be rare, we just walk the structure list and count its size on removal. 
+
+        This patch also fixes a related bug in addProperty, where we did not use a GCSafeConcurrentJSLocker, and adds an option to trigger the bug. Finally, we add some helper methods to dollarVM to test.
+
+        This gives a 24x speedup on delete-property-keeps-cacheable-structure.js, and is neutral on delete-property-from-prototype-chain.js (which was already generating code using the inline cache).
+
+        * heap/HeapInlines.h:
+        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::deleteProperty):
+        * runtime/OptionsList.h:
+        * runtime/PropertyMapHashTable.h:
+        (JSC::PropertyTable::get):
+        (JSC::PropertyTable::add):
+        (JSC::PropertyTable::addDeletedOffset):
+        (JSC::PropertyTable::reinsert):
+        * runtime/Structure.cpp:
+        (JSC::StructureTransitionTable::contains const):
+        (JSC::StructureTransitionTable::get const):
+        (JSC::StructureTransitionTable::add):
+        (JSC::Structure::Structure):
+        (JSC::Structure::materializePropertyTable):
+        (JSC::Structure::addNewPropertyTransition):
+        (JSC::Structure::removePropertyTransition):
+        (JSC::Structure::removePropertyTransitionFromExistingStructure):
+        (JSC::Structure::removeNewPropertyTransition):
+        (JSC::Structure::toUncacheableDictionaryTransition):
+        (JSC::Structure::remove):
+        (JSC::Structure::visitChildren):
+        * runtime/Structure.h:
+        * runtime/StructureInlines.h:
+        (JSC::Structure::forEachPropertyConcurrently):
+        (JSC::Structure::add):
+        (JSC::Structure::remove):
+        (JSC::Structure::removePropertyWithoutTransition):
+        * runtime/StructureTransitionTable.h:
+        (JSC::StructureTransitionTable::Hash::hash):
+        * tools/JSDollarVM.cpp:
+        (JSC::JSDollarVMHelper::functionGetStructureTransitionList):
+        (JSC::functionGetConcurrently):
+        (JSC::JSDollarVM::finishCreation):
+
 2020-02-05  Devin Rousso  <drousso@apple.com>
 

trunk/Source/JavaScriptCore/heap/HeapInlines.h

@@ -189 +189 @@
     m_deferralDepth--;
     
-    if (UNLIKELY(m_didDeferGCWork)) {
+    if (UNLIKELY(m_didDeferGCWork) || Options::forceDidDeferGCWork()) {
         decrementDeferralDepthAndGCIfNeededSlow();
         

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -2002 +2002 @@
         if (attributes & PropertyAttribute::DontDelete && vm.deletePropertyMode() != VM::DeletePropertyMode::IgnoreConfigurable)
             return false;
-
-        PropertyOffset offset;
+        DeferredStructureTransitionWatchpointFire deferredWatchpointFire(vm, structure);
+
+        PropertyOffset offset = invalidOffset;
         if (structure->isUncacheableDictionary())
-            offset = structure->removePropertyWithoutTransition(vm, propertyName, [] (const ConcurrentJSLocker&, PropertyOffset) { });
-        else
-            thisObject->setStructure(vm, Structure::removePropertyTransition(vm, structure, propertyName, offset));
+            offset = structure->removePropertyWithoutTransition(vm, propertyName, [] (const GCSafeConcurrentJSLocker&, PropertyOffset, PropertyOffset) { });
+        else {
+            structure = Structure::removePropertyTransition(vm, structure, propertyName, offset, &deferredWatchpointFire);
+            if (thisObject->m_butterfly && !structure->outOfLineCapacity() && !structure->hasIndexingHeader(thisObject)) {
+                thisObject->nukeStructureAndSetButterfly(vm, thisObject->structureID(), nullptr);
+                offset = invalidOffset;
+                ASSERT(structure->maxOffset() == invalidOffset);
+            }
+            thisObject->setStructure(vm, structure);
+        }
+
+        ASSERT(!isValidOffset(structure->get(vm, propertyName, attributes)));
 
         if (offset != invalidOffset)

trunk/Source/JavaScriptCore/runtime/OptionsList.h

@@ -348 +348 @@
     v(Bool, gcAtEnd, false, Normal, "If true, the jsc CLI will do a GC before exiting") \
     v(Bool, forceGCSlowPaths, false, Normal, "If true, we will force all JIT fast allocations down their slow paths.") \
+    v(Bool, forceDidDeferGCWork, false, Normal, "If true, we will force all DeferGC destructions to perform a GC.") \
     v(Unsigned, gcMaxHeapSize, 0, Normal, nullptr) \
     v(Unsigned, forceRAMSize, 0, Normal, nullptr) \

trunk/Source/JavaScriptCore/runtime/PropertyMapHashTable.h

@@ -170 +170 @@
     ValueType* get(const KeyType&);
     // Add a value to the table
-    enum EffectOnPropertyOffset { PropertyOffsetMayChange, PropertyOffsetMustNotChange };
-    std::pair<find_iterator, bool> add(const ValueType& entry, PropertyOffset&, EffectOnPropertyOffset);
+    std::pair<find_iterator, bool> WARN_UNUSED_RETURN add(const ValueType& entry);
     // Remove a value from the table.
     void remove(const find_iterator& iter);
@@ -322 +321 @@
     ASSERT(key);
     ASSERT(key->isAtom() || key->isSymbol());
+    ASSERT(key != PROPERTY_MAP_DELETED_ENTRY_KEY);
 
     if (!m_keyCount)
@@ -336 +336 @@
         if (entryIndex == EmptyEntryIndex)
             return nullptr;
-        if (key == table()[entryIndex - 1].key)
+        if (key == table()[entryIndex - 1].key) {
+            ASSERT(!m_deletedOffsets || !m_deletedOffsets->contains(table()[entryIndex - 1].offset));
             return &table()[entryIndex - 1];
+        }
 
 #if DUMP_PROPERTYMAP_STATS
@@ -347 +349 @@
 }
 
-inline std::pair<PropertyTable::find_iterator, bool> PropertyTable::add(const ValueType& entry, PropertyOffset& offset, EffectOnPropertyOffset offsetEffect)
-{
+inline std::pair<PropertyTable::find_iterator, bool> WARN_UNUSED_RETURN PropertyTable::add(const ValueType& entry)
+{
+    ASSERT(!m_deletedOffsets || !m_deletedOffsets->contains(entry.offset));
+
     // Look for a value with a matching key already in the array.
     find_iterator iter = find(entry.key);
-    if (iter.first) {
-        RELEASE_ASSERT(iter.first->offset <= offset);
+    if (iter.first)
         return std::make_pair(iter, false);
-    }
 
 #if DUMP_PROPERTYMAP_STATS
@@ -378 +380 @@
     ++m_keyCount;
     
-    if (offsetEffect == PropertyOffsetMayChange)
-        offset = std::max(offset, entry.offset);
-    else
-        RELEASE_ASSERT(offset >= entry.offset);
-    
     return std::make_pair(iter, true);
 }
@@ -452 +449 @@
     if (!m_deletedOffsets)
         m_deletedOffsets = makeUnique<Vector<PropertyOffset>>();
+    ASSERT(!m_deletedOffsets->contains(offset));
     m_deletedOffsets->append(offset);
 }

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -88 +88 @@
 }
 
-bool StructureTransitionTable::contains(UniquedStringImpl* rep, unsigned attributes) const
+bool StructureTransitionTable::contains(UniquedStringImpl* rep, unsigned attributes, bool isAddition) const
 {
     if (isUsingSingleSlot()) {
         Structure* transition = singleTransition();
-        return transition && transition->m_transitionPropertyName == rep && transition->transitionPropertyAttributes() == attributes;
-    }
-    return map()->get(std::make_pair(rep, attributes));
-}
-
-inline Structure* StructureTransitionTable::get(UniquedStringImpl* rep, unsigned attributes) const
+        return transition && transition->m_transitionPropertyName == rep && transition->transitionPropertyAttributes() == attributes && transition->isPropertyDeletionTransition() == !isAddition;
+    }
+    return map()->get(std::make_tuple(rep, attributes, isAddition));
+}
+
+inline Structure* StructureTransitionTable::get(UniquedStringImpl* rep, unsigned attributes, bool isAddition) const
 {
     if (isUsingSingleSlot()) {
         Structure* transition = singleTransition();
-        return (transition && transition->m_transitionPropertyName == rep && transition->transitionPropertyAttributes() == attributes) ? transition : 0;
-    }
-    return map()->get(std::make_pair(rep, attributes));
+        return (transition && transition->m_transitionPropertyName == rep && transition->transitionPropertyAttributes() == attributes && transition->isPropertyDeletionTransition() == !isAddition) ? transition : 0;
+    }
+    return map()->get(std::make_tuple(rep, attributes, isAddition));
 }
 
@@ -128 +128 @@
     // When either of the parameters are bitfields, the C++ compiler will try to bind them as lvalues, which is invalid. To work around this, use unary "+" to make the parameter an rvalue.
     // See https://bugs.webkit.org/show_bug.cgi?id=59261 for more details
-    map()->set(std::make_pair(structure->m_transitionPropertyName.get(), +structure->transitionPropertyAttributes()), structure);
+    map()->set(std::make_tuple(structure->m_transitionPropertyName.get(), +structure->transitionPropertyAttributes(), !structure->isPropertyDeletionTransition()), structure);
 }
 
@@ -201 +201 @@
     setTransitionWatchpointIsLikelyToBeFired(false);
     setHasBeenDictionary(false);
-    setIsAddingPropertyForTransition(false);
+    setProtectPropertyTableWhileTransitioning(false);
+    setIsPropertyDeletionTransition(false);
     setTransitionOffset(vm, invalidOffset);
     setMaxOffset(vm, invalidOffset);
@@ -237 +238 @@
     setTransitionWatchpointIsLikelyToBeFired(false);
     setHasBeenDictionary(false);
-    setIsAddingPropertyForTransition(false);
+    setProtectPropertyTableWhileTransitioning(false);
+    setIsPropertyDeletionTransition(false);
     setTransitionOffset(vm, invalidOffset);
     setMaxOffset(vm, invalidOffset);
@@ -273 +275 @@
     setStaticPropertiesReified(previous->staticPropertiesReified());
     setHasBeenDictionary(previous->hasBeenDictionary());
-    setIsAddingPropertyForTransition(false);
+    setProtectPropertyTableWhileTransitioning(false);
+    setIsPropertyDeletionTransition(false);
     setTransitionOffset(vm, invalidOffset);
     setMaxOffset(vm, invalidOffset);
@@ -357 +360 @@
 {
     ASSERT(structure(vm)->classInfo() == info());
-    ASSERT(!isAddingPropertyForTransition());
+    ASSERT(!protectPropertyTableWhileTransitioning());
     
     DeferGC deferGC(vm.heap);
@@ -385 +388 @@
         if (!structure->m_transitionPropertyName)
             continue;
-        ASSERT(i == structures.size() - 1 || structure->maxOffset() > structures[i + 1]->maxOffset());
+        if (structure->isPropertyDeletionTransition()) {
+            auto item = table->find(structure->m_transitionPropertyName.get());
+            ASSERT(item.first);
+            table->remove(item);
+            table->addDeletedOffset(structure->transitionOffset());
+            continue;
+        }
         PropertyMapEntry entry(structure->m_transitionPropertyName.get(), structure->transitionOffset(), structure->transitionPropertyAttributes());
-        auto maxOffset = this->maxOffset();
-        table->add(entry, maxOffset, PropertyTable::PropertyOffsetMustNotChange);
+        auto nextOffset = table->nextOffset(structure->inlineCapacity());
+        ASSERT_UNUSED(nextOffset, nextOffset == structure->transitionOffset());
+        auto result = table->add(entry);
+        ASSERT_UNUSED(result, result.second);
+        ASSERT_UNUSED(result, result.first.first->offset == nextOffset);
     }
     
@@ -411 +423 @@
     ASSERT(structure->isObject());
 
-    if (Structure* existingTransition = structure->m_transitionTable.get(uid, attributes)) {
+    constexpr bool isAddition = true;
+    if (Structure* existingTransition = structure->m_transitionTable.get(uid, attributes, isAddition)) {
         validateOffset(existingTransition->transitionOffset(), existingTransition->inlineCapacity());
         offset = existingTransition->transitionOffset();
@@ -485 +498 @@
         ASSERT(structure != transition);
         offset = transition->add(vm, propertyName, attributes);
-        transition->setTransitionOffset(vm, offset);
         return transition;
     }
@@ -501 +513 @@
     // which case the GC will not blow the table away, or we do it after the GC already ran in which
     // case all is well.  If it wasn't for the lock, the GC would have TOCTOU: if could read
-    // isAddingPropertyForTransition before we set it to true, and then blow the table away after.
+    // protectPropertyTableWhileTransitioning before we set it to true, and then blow the table away after.
     {
         ConcurrentJSLocker locker(transition->m_lock);
-        transition->setIsAddingPropertyForTransition(true);
+        transition->setProtectPropertyTableWhileTransitioning(true);
     }
 
@@ -519 +531 @@
     // table away if it wants. We can now rebuild it fine.
     WTF::storeStoreFence();
-    transition->setIsAddingPropertyForTransition(false);
+    transition->setProtectPropertyTableWhileTransitioning(false);
 
     checkOffset(transition->transitionOffset(), transition->inlineCapacity());
     {
-        ConcurrentJSLocker locker(structure->m_lock);
-        DeferGC deferGC(vm.heap);
+        GCSafeConcurrentJSLocker locker(structure->m_lock, vm.heap);
         structure->m_transitionTable.add(vm, transition);
     }
@@ -532 +543 @@
 }
 
-Structure* Structure::removePropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, PropertyOffset& offset)
-{
-    // NOTE: There are some good reasons why this goes directly to uncacheable dictionary rather than
-    // caching the removal. We can fix all of these things, but we must remember to do so, if we ever try
-    // to optimize this case.
-    //
-    // - Cached transitions usually steal the property table, and assume that this is possible because they
-    //   can just rebuild the table by looking at past transitions. That code assumes that the table only
-    //   grew and never shrank. To support removals, we'd have to change the property table materialization
-    //   code to handle deletions. Also, we have logic to get the list of properties on a structure that
-    //   lacks a property table by just looking back through the set of transitions since the last
-    //   structure that had a pinned table. That logic would also have to be changed to handle cached
-    //   removals.
-    //
+Structure* Structure::removePropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, PropertyOffset& offset, DeferredStructureTransitionWatchpointFire* deferred)
+{
+    Structure* newStructure = removePropertyTransitionFromExistingStructure(
+        vm, structure, propertyName, offset, deferred);
+    if (newStructure)
+        return newStructure;
+
+    return removeNewPropertyTransition(
+        vm, structure, propertyName, offset, deferred);
+}
+
+Structure* Structure::removePropertyTransitionFromExistingStructure(VM& vm, Structure* structure, PropertyName propertyName, PropertyOffset& offset, DeferredStructureTransitionWatchpointFire*)
+{
+    ASSERT(!isCompilationThread());
     ASSERT(!structure->isUncacheableDictionary());
-
-    Structure* transition = toUncacheableDictionaryTransition(vm, structure);
-
-    offset = transition->remove(propertyName);
-
+    ASSERT(structure->isObject());
+
+    unsigned attributes;
+    structure->get(vm, propertyName, attributes);
+
+    constexpr bool isAddition = false;
+    if (Structure* existingTransition = structure->m_transitionTable.get(propertyName.uid(), attributes, isAddition)) {
+        validateOffset(existingTransition->transitionOffset(), existingTransition->inlineCapacity());
+        offset = existingTransition->transitionOffset();
+        return existingTransition;
+    }
+
+    return nullptr;
+}
+
+Structure* Structure::removeNewPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, PropertyOffset& offset, DeferredStructureTransitionWatchpointFire* deferred)
+{
+    ASSERT(!structure->isUncacheableDictionary());
+    ASSERT(structure->isObject());
+    ASSERT(!Structure::removePropertyTransitionFromExistingStructure(vm, structure, propertyName, offset, deferred));
+
+    int transitionCount = 0;
+    for (auto* s = structure; s && transitionCount <= s_maxTransitionLength; s = s->previousID())
+        ++transitionCount;
+
+    if (transitionCount > s_maxTransitionLength) {
+        ASSERT(!isCopyOnWrite(structure->indexingMode()));
+        Structure* transition = toUncacheableDictionaryTransition(vm, structure, deferred);
+        ASSERT(structure != transition);
+        offset = transition->remove(vm, propertyName);
+        return transition;
+    }
+
+    Structure* transition = create(vm, structure, deferred);
+    transition->m_cachedPrototypeChain.setMayBeNull(vm, transition, structure->m_cachedPrototypeChain.get());
+
+    // While we are deleting the property, we need to make sure the table is not cleared.
+    {
+        ConcurrentJSLocker locker(transition->m_lock);
+        transition->setProtectPropertyTableWhileTransitioning(true);
+    }
+
+    transition->m_blob.setIndexingModeIncludingHistory(structure->indexingModeIncludingHistory() & ~CopyOnWrite);
+    transition->m_transitionPropertyName = propertyName.uid();
+    transition->setPropertyTable(vm, structure->takePropertyTableOrCloneIfPinned(vm));
+    transition->setMaxOffset(vm, structure->maxOffset());
+    transition->setIsPropertyDeletionTransition(true);
+
+    offset = transition->remove(vm, propertyName);
+    ASSERT(offset != invalidOffset);
+    transition->setTransitionOffset(vm, offset);
+
+    // Now that everything is fine with the new structure's bookkeeping, the GC is free to blow the
+    // table away if it wants. We can now rebuild it fine.
+    WTF::storeStoreFence();
+    transition->setProtectPropertyTableWhileTransitioning(false);
+
+    checkOffset(transition->transitionOffset(), transition->inlineCapacity());
+    {
+        GCSafeConcurrentJSLocker locker(structure->m_lock, vm.heap);
+        structure->m_transitionTable.add(vm, transition);
+    }
     transition->checkOffsetConsistency();
+    structure->checkOffsetConsistency();
     return transition;
 }
@@ -615 +684 @@
 }
 
-Structure* Structure::toUncacheableDictionaryTransition(VM& vm, Structure* structure)
-{
-    return toDictionaryTransition(vm, structure, UncachedDictionaryKind);
+Structure* Structure::toUncacheableDictionaryTransition(VM& vm, Structure* structure, DeferredStructureTransitionWatchpointFire* deferred)
+{
+    return toDictionaryTransition(vm, structure, UncachedDictionaryKind, deferred);
 }
 
@@ -656 +725 @@
     
     Structure* existingTransition;
-    if (!structure->isDictionary() && (existingTransition = structure->m_transitionTable.get(0, attributes))) {
+    constexpr bool isAddition = true;
+    if (!structure->isDictionary() && (existingTransition = structure->m_transitionTable.get(0, attributes, isAddition))) {
         ASSERT(existingTransition->transitionPropertyAttributes() == attributes);
         ASSERT(existingTransition->indexingModeIncludingHistory() == indexingModeIncludingHistory);
@@ -978 +1048 @@
 }
 
-PropertyOffset Structure::remove(PropertyName propertyName)
-{
-    return remove(propertyName, [] (const ConcurrentJSLocker&, PropertyOffset) { });
+PropertyOffset Structure::remove(VM& vm, PropertyName propertyName)
+{
+    return remove<ShouldPin::No>(vm, propertyName, [this, &vm] (const GCSafeConcurrentJSLocker&, PropertyOffset, PropertyOffset newMaxOffset) {
+        setMaxOffset(vm, newMaxOffset);
+    });
 }
 
@@ -1060 +1132 @@
     visitor.append(thisObject->m_previousOrRareData);
 
-    if (thisObject->isPinnedPropertyTable() || thisObject->isAddingPropertyForTransition()) {
+    if (thisObject->isPinnedPropertyTable() || thisObject->protectPropertyTableWhileTransitioning()) {
         // NOTE: This can interleave in pin(), in which case it may see a null property table.
         // That's fine, because then the barrier will fire and we will scan this again.

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -190 +190 @@
     static Structure* addPropertyTransitionToExistingStructureConcurrently(Structure*, UniquedStringImpl* uid, unsigned attributes, PropertyOffset&);
     JS_EXPORT_PRIVATE static Structure* addPropertyTransitionToExistingStructure(Structure*, PropertyName, unsigned attributes, PropertyOffset&);
-    static Structure* removePropertyTransition(VM&, Structure*, PropertyName, PropertyOffset&);
+    static Structure* removeNewPropertyTransition(VM&, Structure*, PropertyName, PropertyOffset&, DeferredStructureTransitionWatchpointFire* = nullptr);
+    static Structure* removePropertyTransition(VM&, Structure*, PropertyName, PropertyOffset&, DeferredStructureTransitionWatchpointFire* = nullptr);
+    static Structure* removePropertyTransitionFromExistingStructure(VM&, Structure*, PropertyName, PropertyOffset&, DeferredStructureTransitionWatchpointFire* = nullptr);
     static Structure* changePrototypeTransition(VM&, Structure*, JSValue prototype, DeferredStructureTransitionWatchpointFire&);
     JS_EXPORT_PRIVATE static Structure* attributeChangeTransition(VM&, Structure*, PropertyName, unsigned attributes);
     JS_EXPORT_PRIVATE static Structure* toCacheableDictionaryTransition(VM&, Structure*, DeferredStructureTransitionWatchpointFire* = nullptr);
-    static Structure* toUncacheableDictionaryTransition(VM&, Structure*);
+    static Structure* toUncacheableDictionaryTransition(VM&, Structure*, DeferredStructureTransitionWatchpointFire* = nullptr);
     JS_EXPORT_PRIVATE static Structure* sealTransition(VM&, Structure*);
     JS_EXPORT_PRIVATE static Structure* freezeTransition(VM&, Structure*);
@@ -450 +452 @@
     {
         return std::min<unsigned>(maxOffset() + 1, m_inlineCapacity);
-    }
-    unsigned totalStorageSize() const
-    {
-        return numberOfSlotsForMaxOffset(maxOffset(), m_inlineCapacity);
     }
     unsigned totalStorageCapacity() const
@@ -702 +700 @@
     DEFINE_BITFIELD(bool, transitionWatchpointIsLikelyToBeFired, TransitionWatchpointIsLikelyToBeFired, 1, 26);
     DEFINE_BITFIELD(bool, hasBeenDictionary, HasBeenDictionary, 1, 27);
-    DEFINE_BITFIELD(bool, isAddingPropertyForTransition, IsAddingPropertyForTransition, 1, 28);
+    DEFINE_BITFIELD(bool, protectPropertyTableWhileTransitioning, ProtectPropertyTableWhileTransitioning, 1, 28);
     DEFINE_BITFIELD(bool, hasUnderscoreProtoPropertyExcludingOriginalProto, HasUnderscoreProtoPropertyExcludingOriginalProto, 1, 29);
+    DEFINE_BITFIELD(bool, isPropertyDeletionTransition, IsPropertyDeletionTransition, 1, 30);
 
 private:
@@ -728 +727 @@
     PropertyOffset add(VM&, PropertyName, unsigned attributes, const Func&);
     PropertyOffset add(VM&, PropertyName, unsigned attributes);
-    template<typename Func>
-    PropertyOffset remove(PropertyName, const Func&);
-    PropertyOffset remove(PropertyName);
+    template<ShouldPin, typename Func>
+    PropertyOffset remove(VM&, PropertyName, const Func&);
+    PropertyOffset remove(VM&, PropertyName);
 
     void checkConsistency();
@@ -842 +841 @@
 
     friend class VMInspector;
+    friend class JSDollarVMHelper;
 };
 

trunk/Source/JavaScriptCore/runtime/StructureInlines.h

@@ -164 +164 @@
 {
     Vector<Structure*, 8> structures;
-    Structure* structure;
+    Structure* tableStructure;
     PropertyTable* table;
     
-    findStructuresAndMapForMaterialization(structures, structure, table);
+    findStructuresAndMapForMaterialization(structures, tableStructure, table);
+
+    HashSet<UniquedStringImpl*> seenProperties;
+
+    for (auto* structure : structures) {
+        if (!structure->m_transitionPropertyName || seenProperties.contains(structure->m_transitionPropertyName.get()))
+            continue;
+
+        seenProperties.add(structure->m_transitionPropertyName.get());
+
+        if (structure->isPropertyDeletionTransition())
+            continue;
+
+        if (!functor(PropertyMapEntry(structure->m_transitionPropertyName.get(), structure->transitionOffset(), structure->transitionPropertyAttributes()))) {
+            if (table)
+                tableStructure->m_lock.unlock();
+            return;
+        }
+    }
     
     if (table) {
         for (auto& entry : *table) {
+            if (seenProperties.contains(entry.key))
+                continue;
+
             if (!functor(entry)) {
-                structure->m_lock.unlock();
+                tableStructure->m_lock.unlock();
                 return;
             }
         }
-        structure->m_lock.unlock();
-    }
-    
-    for (unsigned i = structures.size(); i--;) {
-        structure = structures[i];
-        if (!structure->m_transitionPropertyName)
-            continue;
-        
-        if (!functor(PropertyMapEntry(structure->m_transitionPropertyName.get(), structure->transitionOffset(), structure->transitionPropertyAttributes())))
-            return;
+        tableStructure->m_lock.unlock();
     }
 }
@@ -452 +464 @@
 
     m_propertyHash = m_propertyHash ^ rep->existingSymbolAwareHash();
-
     m_seenProperties.add(bitwise_cast<uintptr_t>(rep));
-    
-    PropertyOffset newMaxOffset = maxOffset();
-    table->add(PropertyMapEntry(rep, newOffset, attributes), newMaxOffset, PropertyTable::PropertyOffsetMayChange);
+
+    auto result = table->add(PropertyMapEntry(rep, newOffset, attributes));
+    ASSERT_UNUSED(result, result.second);
+    ASSERT_UNUSED(result, result.first.first->offset == newOffset);
+    auto newMaxOffset = std::max(newOffset, maxOffset());
     
     func(locker, newOffset, newMaxOffset);
@@ -466 +479 @@
 }
 
-template<typename Func>
-inline PropertyOffset Structure::remove(PropertyName propertyName, const Func& func)
-{
-    ConcurrentJSLocker locker(m_lock);
-    
+template<Structure::ShouldPin shouldPin, typename Func>
+inline PropertyOffset Structure::remove(VM& vm, PropertyName propertyName, const Func& func)
+{
+    PropertyTable* table = ensurePropertyTable(vm);
+    GCSafeConcurrentJSLocker locker(m_lock, vm.heap);
+
+    switch (shouldPin) {
+    case ShouldPin::Yes:
+        pin(locker, vm, table);
+        break;
+    case ShouldPin::No:
+        setPropertyTable(vm, table);
+        break;
+    }
+
+    ASSERT(JSC::isValidOffset(get(vm, propertyName)));
+
     checkConsistency();
 
     auto rep = propertyName.uid();
-    
-    // We ONLY remove from uncacheable dictionaries, which will have a pinned property table.
-    // The only way for them not to have a table is if they are empty.
-    PropertyTable* table = propertyTableOrNull();
-
-    if (!table)
-        return invalidOffset;
 
     PropertyTable::find_iterator position = table->find(rep);
     if (!position.first)
         return invalidOffset;
+
+    setIsQuickPropertyAccessAllowedForEnumeration(false);
     
     PropertyOffset offset = position.first->offset;
@@ -491 +511 @@
     table->addDeletedOffset(offset);
 
+    PropertyOffset newMaxOffset = maxOffset();
+
+    func(locker, offset, newMaxOffset);
+
+    ASSERT(maxOffset() == newMaxOffset);
+    ASSERT(!JSC::isValidOffset(get(vm, propertyName)));
+
     checkConsistency();
-
-    func(locker, offset);
     return offset;
 }
@@ -504 +529 @@
 
 template<typename Func>
-inline PropertyOffset Structure::removePropertyWithoutTransition(VM&, PropertyName propertyName, const Func& func)
+inline PropertyOffset Structure::removePropertyWithoutTransition(VM& vm, PropertyName propertyName, const Func& func)
 {
     ASSERT(isUncacheableDictionary());
@@ -510 +535 @@
     ASSERT(propertyTableOrNull());
     
-    return remove(propertyName, func);
+    return remove<ShouldPin::Yes>(vm, propertyName, func);
 }
 

trunk/Source/JavaScriptCore/runtime/StructureTransitionTable.h

@@ -145 +145 @@
     
     struct Hash {
-        typedef std::pair<UniquedStringImpl*, unsigned> Key;
+        typedef std::tuple<UniquedStringImpl*, unsigned, bool> Key;
         
         static unsigned hash(const Key& p)
         {
-            return PtrHash<UniquedStringImpl*>::hash(p.first) + p.second;
+            return PtrHash<UniquedStringImpl*>::hash(std::get<0>(p)) + std::get<1>(p);
         }
 
@@ -182 +182 @@
 
     void add(VM&, Structure*);
-    bool contains(UniquedStringImpl*, unsigned attributes) const;
-    Structure* get(UniquedStringImpl*, unsigned attributes) const;
+    bool contains(UniquedStringImpl*, unsigned attributes, bool isAddition) const;
+    Structure* get(UniquedStringImpl*, unsigned attributes, bool isAddition) const;
 
 private:

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -82 +82 @@
     void updateVMStackLimits() { return m_vm.updateStackLimits(); };
 
+    static EncodedJSValue JSC_HOST_CALL functionGetStructureTransitionList(JSGlobalObject*, CallFrame*);
+
 private:
     VM& m_vm;
@@ -2770 +2772 @@
 }
 
+EncodedJSValue JSC_HOST_CALL JSDollarVMHelper::functionGetStructureTransitionList(JSGlobalObject* globalObject, CallFrame* callFrame)
+{
+    DollarVMAssertScope assertScope;
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    JSObject* obj = callFrame->argument(0).toObject(globalObject);
+    RETURN_IF_EXCEPTION(scope, { });
+    if (!obj)
+        return JSValue::encode(jsNull());
+    Vector<Structure*, 8> structures;
+
+    for (auto* structure = obj->structure(); structure; structure = structure->previousID())
+        structures.append(structure);
+
+    JSArray* result = JSArray::tryCreate(vm, globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous), 0);
+    RETURN_IF_EXCEPTION(scope, { });
+
+    for (size_t i = 0; i < structures.size(); ++i) {
+        auto* structure = structures[structures.size() - i - 1];
+        result->push(globalObject, JSValue(structure->id()));
+        RETURN_IF_EXCEPTION(scope, { });
+        result->push(globalObject, JSValue(structure->transitionOffset()));
+        RETURN_IF_EXCEPTION(scope, { });
+        result->push(globalObject, JSValue(structure->maxOffset()));
+        RETURN_IF_EXCEPTION(scope, { });
+        if (structure->m_transitionPropertyName)
+            result->push(globalObject, jsString(vm, String(*structure->m_transitionPropertyName)));
+        else
+            result->push(globalObject, jsNull());
+        RETURN_IF_EXCEPTION(scope, { });
+        result->push(globalObject, JSValue(structure->isPropertyDeletionTransition()));
+        RETURN_IF_EXCEPTION(scope, { });
+    }
+
+    return JSValue::encode(result);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionGetConcurrently(JSGlobalObject* globalObject, CallFrame* callFrame)
+{
+    DollarVMAssertScope assertScope;
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    JSObject* obj = callFrame->argument(0).toObject(globalObject);
+    RETURN_IF_EXCEPTION(scope, { });
+    if (!obj)
+        return JSValue::encode(jsNull());
+    String property = callFrame->argument(1).toWTFString(globalObject);
+    RETURN_IF_EXCEPTION(scope, { });
+    auto name = PropertyName(Identifier::fromString(vm, property));
+    auto offset = obj->structure()->getConcurrently(name.uid());
+    if (offset != invalidOffset)
+        ASSERT(JSValue::encode(obj->getDirect(offset)));
+    JSValue result = JSValue(offset != invalidOffset);
+    RETURN_IF_EXCEPTION(scope, { });
+    return JSValue::encode(result);
+}
+
 void JSDollarVM::finishCreation(VM& vm)
 {
@@ -2898 +2957 @@
     addFunction(vm, "make16BitStringIfPossible", functionMake16BitStringIfPossible, 1);
 
+    addFunction(vm, "getStructureTransitionList", JSDollarVMHelper::functionGetStructureTransitionList, 1);
+    addFunction(vm, "getConcurrently", functionGetConcurrently, 2);
+
     m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructure.set(vm, this, ObjectDoingSideEffectPutWithoutCorrectSlotStatus::createStructure(vm, globalObject, jsNull()));
 }