Changeset 121605 in webkit for trunk/Source/JavaScriptCore/jit/JIT.h

Timestamp:

Jun 29, 2012, 5:25:01 PM (13 years ago)

Author:

[email protected]

Message:

JSObject wastes too much memory on unused property slots
​https://bugs.webkit.org/show_bug.cgi?id=90255

Reviewed by Mark Hahnenberg.

This does a few things:

• JSNonFinalObject no longer has inline property storage.

• Initial out-of-line property storage size is 4 slots for JSNonFinalObject, or 2x the inline storage for JSFinalObject.

• Property storage is only reallocated if it needs to be. Previously, we would reallocate the property storage on any transition where the original structure said shouldGrowProperyStorage(), but this led to spurious reallocations when doing transitionless property adds and there are deleted property slots available. That in turn led to crashes, because we would switch to out-of-line storage even if the capacity matched the criteria for inline storage.

• Inline JSFunction allocation is killed off because we don't have a good way of inlining property storage allocation. This didn't hurt performance. Killing off code is better than fixing it if that code wasn't doing any good.

This looks like a 1% progression on V8.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::privateExecute):

• jit/JIT.cpp:

(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:
• jit/JITInlineMethods.h:

(JSC::JIT::emitAllocateBasicJSObject):
(JSC):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_new_func):
(JSC):
(JSC::JIT::emit_op_new_func_exp):

• runtime/JSFunction.cpp:

(JSC::JSFunction::finishCreation):

• runtime/JSObject.h:

(JSC::JSObject::isUsingInlineStorage):
(JSObject):
(JSC::JSObject::finishCreation):
(JSC):
(JSC::JSNonFinalObject::hasInlineStorage):
(JSNonFinalObject):
(JSC::JSNonFinalObject::JSNonFinalObject):
(JSC::JSNonFinalObject::finishCreation):
(JSC::JSFinalObject::hasInlineStorage):
(JSC::JSFinalObject::finishCreation):
(JSC::JSObject::offsetOfInlineStorage):
(JSC::JSObject::setPropertyStorage):
(JSC::Structure::inlineStorageCapacity):
(JSC::Structure::isUsingInlineStorage):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
(JSC::JSObject::putDirectWithoutTransition):

• runtime/Structure.cpp:

(JSC::Structure::Structure):
(JSC::nextPropertyStorageCapacity):
(JSC):
(JSC::Structure::growPropertyStorageCapacity):
(JSC::Structure::suggestedNewPropertyStorageSize):

• runtime/Structure.h:

(JSC::Structure::putWillGrowPropertyStorage):
(Structure):

File:

• trunk/Source/JavaScriptCore/jit/JIT.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2012 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -424 +424 @@
         void emitAllocateBasicStorage(size_t, RegisterID result, RegisterID storagePtr);
         template<typename T> void emitAllocateJSFinalObject(T structure, RegisterID result, RegisterID storagePtr);
-        void emitAllocateJSFunction(FunctionExecutable*, RegisterID scopeChain, RegisterID result, RegisterID storagePtr);
         void emitAllocateJSArray(unsigned valuesRegister, unsigned length, RegisterID cellResult, RegisterID storageResult, RegisterID storagePtr);
         
@@ -751 +750 @@
         void emitSlow_op_to_primitive(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_urshift(Instruction*, Vector<SlowCaseEntry>::iterator&);
-        void emitSlow_op_new_func(Instruction*, Vector<SlowCaseEntry>::iterator&);
-        void emitSlow_op_new_func_exp(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_new_array(Instruction*, Vector<SlowCaseEntry>::iterator&);