Changeset 128400 in webkit for trunk/Source/JavaScriptCore/runtime/JSObject.h

Timestamp:

Sep 12, 2012, 9:18:52 PM (13 years ago)

Author:

[email protected]

Message:

JSC should have property butterflies
​https://bugs.webkit.org/show_bug.cgi?id=91933

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

This changes the JSC object model. Previously, all objects had fast lookup for
named properties. Integer indexed properties were only fast if you used a
JSArray. With this change, all objects have fast indexed properties. This is
accomplished without any space overhead by using a bidirectional object layout,
aka butterflies. Each JSObject has a m_butterfly pointer where previously it
had a m_outOfLineStorage pointer. To the left of the location pointed to by
m_butterfly, we place all named out-of-line properties. To the right, we place
all indexed properties along with indexing meta-data. Though, some indexing
meta-data is placed in the 8-byte word immediately left of the pointed-to
location; this is in anticipation of the indexing meta-data being small enough
in the common case that m_butterfly always points to the first indexed
property.

This is performance neutral, except on tests that use indexed properties on
plain objects, where the speed-up is in excess of an order of magnitude.

One notable aspect of what this change brings is that it allows indexing
storage to morph over time. Currently this is only used to allow all non-array
objects to start out without any indexed storage. But it could be used for
some kinds of array type inference in the future.

• API/JSCallbackObject.h:

(JSCallbackObject):

• API/JSCallbackObjectFunctions.h:

(JSC::::getOwnPropertySlotByIndex):
(JSC):
(JSC::::getOwnNonIndexPropertyNames):

• API/JSObjectRef.cpp:
• CMakeLists.txt:
• GNUmakefile.list.am:
• JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
• JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• Target.pri:
• bytecode/ArrayProfile.h:

(JSC):
(JSC::arrayModeFromStructure):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitDirectPutById):

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGAdjacencyList.h:

(JSC::DFG::AdjacencyList::AdjacencyList):
(AdjacencyList):

• dfg/DFGArrayMode.cpp:

(JSC::DFG::fromObserved):
(JSC::DFG::modeAlreadyChecked):
(JSC::DFG::modeToString):

• dfg/DFGArrayMode.h:

(DFG):
(JSC::DFG::modeUsesButterfly):
(JSC::DFG::modeIsJSArray):
(JSC::DFG::isInBoundsAccess):
(JSC::DFG::modeSupportsLength):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::addNode):
(FixupPhase):
(JSC::DFG::FixupPhase::checkArray):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::byValIsPure):

• dfg/DFGNode.h:

(JSC::DFG::Node::Node):
(Node):

• dfg/DFGNodeType.h:

(DFG):

• dfg/DFGOperations.cpp:

(JSC::DFG::putByVal):

• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGRepatch.cpp:

(JSC::DFG::generateProtoChainAccessStub):
(JSC::DFG::tryCacheGetByID):
(JSC::DFG::tryBuildGetByIDList):
(JSC::DFG::emitPutReplaceStub):
(JSC::DFG::emitPutTransitionStub):
(JSC::DFG::tryBuildPutByIdList):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGStructureCheckHoistingPhase.cpp:

(JSC::DFG::StructureCheckHoistingPhase::run):

• heap/CopiedSpace.h:

(CopiedSpace):

• jit/JIT.h:
• jit/JITInlineMethods.h:

(JSC::JIT::emitAllocateBasicJSObject):
(JSC::JIT::emitAllocateBasicStorage):
(JSC::JIT::emitAllocateJSArray):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_new_array):
(JSC::JIT::emitSlow_op_new_array):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::compileGetDirectOffset):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::compileGetByIdHotPath):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::compilePutDirectOffset):
(JSC::JIT::privateCompilePatchGetArrayLength):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::compileGetByIdHotPath):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::compilePutDirectOffset):
(JSC::JIT::compileGetDirectOffset):
(JSC::JIT::privateCompilePatchGetArrayLength):

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• jsc.cpp:
• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/Arguments.cpp:

(JSC::Arguments::deletePropertyByIndex):
(JSC::Arguments::defineOwnProperty):

• runtime/ArrayConstructor.cpp:
• runtime/ArrayConventions.h: Added.

(JSC):
(JSC::isDenseEnoughForVector):
(JSC::indexingHeaderForArray):
(JSC::baseIndexingHeaderForArray):

• runtime/ArrayPrototype.cpp:

(JSC::ArrayPrototype::create):
(JSC):
(JSC::ArrayPrototype::ArrayPrototype):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncFilter):
(JSC::arrayProtoFuncMap):
(JSC::arrayProtoFuncEvery):
(JSC::arrayProtoFuncForEach):
(JSC::arrayProtoFuncSome):
(JSC::arrayProtoFuncReduce):
(JSC::arrayProtoFuncReduceRight):

• runtime/ArrayPrototype.h:

(ArrayPrototype):
(JSC::ArrayPrototype::createStructure):

• runtime/ArrayStorage.h: Added.

(JSC):
(ArrayStorage):
(JSC::ArrayStorage::ArrayStorage):
(JSC::ArrayStorage::from):
(JSC::ArrayStorage::butterfly):
(JSC::ArrayStorage::indexingHeader):
(JSC::ArrayStorage::length):
(JSC::ArrayStorage::setLength):
(JSC::ArrayStorage::vectorLength):
(JSC::ArrayStorage::setVectorLength):
(JSC::ArrayStorage::copyHeaderFromDuringGC):
(JSC::ArrayStorage::inSparseMode):
(JSC::ArrayStorage::lengthOffset):
(JSC::ArrayStorage::vectorLengthOffset):
(JSC::ArrayStorage::numValuesInVectorOffset):
(JSC::ArrayStorage::vectorOffset):
(JSC::ArrayStorage::indexBiasOffset):
(JSC::ArrayStorage::sparseMapOffset):
(JSC::ArrayStorage::sizeFor):

• runtime/Butterfly.h: Added.

(JSC):
(Butterfly):
(JSC::Butterfly::Butterfly):
(JSC::Butterfly::totalSize):
(JSC::Butterfly::fromBase):
(JSC::Butterfly::offsetOfIndexingHeader):
(JSC::Butterfly::offsetOfPublicLength):
(JSC::Butterfly::offsetOfVectorLength):
(JSC::Butterfly::indexingHeader):
(JSC::Butterfly::propertyStorage):
(JSC::Butterfly::indexingPayload):
(JSC::Butterfly::arrayStorage):
(JSC::Butterfly::offsetOfPropertyStorage):
(JSC::Butterfly::indexOfPropertyStorage):
(JSC::Butterfly::base):

• runtime/ButterflyInlineMethods.h: Added.

(JSC):
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::create):
(JSC::Butterfly::createUninitializedDuringCollection):
(JSC::Butterfly::base):
(JSC::Butterfly::growPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
(JSC::Butterfly::unshift):
(JSC::Butterfly::shift):

• runtime/ClassInfo.h:

(MethodTable):
(JSC):

• runtime/IndexingHeader.h: Added.

(JSC):
(IndexingHeader):
(JSC::IndexingHeader::offsetOfIndexingHeader):
(JSC::IndexingHeader::offsetOfPublicLength):
(JSC::IndexingHeader::offsetOfVectorLength):
(JSC::IndexingHeader::IndexingHeader):
(JSC::IndexingHeader::vectorLength):
(JSC::IndexingHeader::setVectorLength):
(JSC::IndexingHeader::publicLength):
(JSC::IndexingHeader::setPublicLength):
(JSC::IndexingHeader::from):
(JSC::IndexingHeader::fromEndOf):
(JSC::IndexingHeader::propertyStorage):
(JSC::IndexingHeader::arrayStorage):
(JSC::IndexingHeader::butterfly):

• runtime/IndexingHeaderInlineMethods.h: Added.

(JSC):
(JSC::IndexingHeader::preCapacity):
(JSC::IndexingHeader::indexingPayloadSizeInBytes):

• runtime/IndexingType.h: Added.

(JSC):
(JSC::hasIndexingHeader):

• runtime/JSActivation.cpp:

(JSC::JSActivation::JSActivation):
(JSC::JSActivation::visitChildren):
(JSC::JSActivation::getOwnNonIndexPropertyNames):

• runtime/JSActivation.h:

(JSActivation):
(JSC::JSActivation::tearOff):

• runtime/JSArray.cpp:

(JSC):
(JSC::createArrayButterflyInDictionaryIndexingMode):
(JSC::JSArray::setLengthWritable):
(JSC::JSArray::defineOwnProperty):
(JSC::JSArray::getOwnPropertySlot):
(JSC::JSArray::getOwnPropertyDescriptor):
(JSC::JSArray::put):
(JSC::JSArray::deleteProperty):
(JSC::JSArray::getOwnNonIndexPropertyNames):
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::push):
(JSC::JSArray::shiftCount):
(JSC::JSArray::unshiftCount):
(JSC::JSArray::sortNumeric):
(JSC::JSArray::sort):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
(JSC::JSArray::compactForSorting):

• runtime/JSArray.h:

(JSC):
(JSArray):
(JSC::JSArray::JSArray):
(JSC::JSArray::length):
(JSC::JSArray::createStructure):
(JSC::JSArray::isLengthWritable):
(JSC::createArrayButterfly):
(JSC::JSArray::create):
(JSC::JSArray::tryCreateUninitialized):

• runtime/JSBoundFunction.cpp:

(JSC::boundFunctionCall):
(JSC::boundFunctionConstruct):
(JSC::JSBoundFunction::finishCreation):

• runtime/JSCell.cpp:

(JSC::JSCell::getOwnNonIndexPropertyNames):
(JSC):

• runtime/JSCell.h:

(JSCell):

• runtime/JSFunction.cpp:

(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::getOwnPropertyDescriptor):
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::defineOwnProperty):

• runtime/JSFunction.h:

(JSFunction):

• runtime/JSGlobalData.cpp:

(JSC::JSGlobalData::JSGlobalData):

• runtime/JSGlobalData.h:

(JSGlobalData):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::reset):

• runtime/JSONObject.cpp:

(JSC::Stringifier::Holder::appendNextProperty):
(JSC::Walker::walk):

• runtime/JSObject.cpp:

(JSC):
(JSC::JSObject::visitButterfly):
(JSC::JSObject::visitChildren):
(JSC::JSFinalObject::visitChildren):
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::put):
(JSC::JSObject::putByIndex):
(JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
(JSC::JSObject::enterDictionaryIndexingMode):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::createInitialArrayStorage):
(JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::getOwnNonIndexPropertyNames):
(JSC::JSObject::preventExtensions):
(JSC::JSObject::fillGetterPropertySlot):
(JSC::JSObject::putIndexedDescriptor):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::allocateSparseIndexMap):
(JSC::JSObject::deallocateSparseIndexMap):
(JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putByIndexBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLength):
(JSC::JSObject::getNewVectorLength):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::checkIndexingConsistency):
(JSC::JSObject::growOutOfLineStorage):
(JSC::JSObject::getOwnPropertyDescriptor):
(JSC::putDescriptor):
(JSC::JSObject::putDirectMayBeIndex):
(JSC::JSObject::defineOwnNonIndexProperty):
(JSC::JSObject::defineOwnProperty):
(JSC::JSObject::getOwnPropertySlotSlow):

• runtime/JSObject.h:

(JSC::JSObject::getArrayLength):
(JSObject):
(JSC::JSObject::getVectorLength):
(JSC::JSObject::putDirectIndex):
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::completeInitialization):
(JSC::JSObject::inSparseIndexingMode):
(JSC::JSObject::butterfly):
(JSC::JSObject::outOfLineStorage):
(JSC::JSObject::offsetForLocation):
(JSC::JSObject::indexingShouldBeSparse):
(JSC::JSObject::butterflyOffset):
(JSC::JSObject::butterflyAddress):
(JSC::JSObject::arrayStorage):
(JSC::JSObject::arrayStorageOrZero):
(JSC::JSObject::ensureArrayStorage):
(JSC::JSObject::checkIndexingConsistency):
(JSC::JSNonFinalObject::JSNonFinalObject):
(JSC):
(JSC::JSObject::setButterfly):
(JSC::JSObject::setButterflyWithoutChangingStructure):
(JSC::JSObject::JSObject):
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
(JSC::JSObject::putDirectWithoutTransition):
(JSC::offsetInButterfly):
(JSC::offsetRelativeToPatchedStorage):
(JSC::indexRelativeToBase):
(JSC::offsetRelativeToBase):

• runtime/JSPropertyNameIterator.cpp:

(JSC::JSPropertyNameIterator::create):

• runtime/JSSymbolTableObject.cpp:

(JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):

• runtime/JSSymbolTableObject.h:

(JSSymbolTableObject):

• runtime/JSTypeInfo.h:

(JSC):
(JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
(JSC::TypeInfo::overridesGetPropertyNames):

• runtime/LiteralParser.cpp:

(JSC::::parse):

• runtime/ObjectConstructor.cpp:
• runtime/ObjectPrototype.cpp:

(JSC::ObjectPrototype::ObjectPrototype):
(JSC):

• runtime/ObjectPrototype.h:

(ObjectPrototype):

• runtime/PropertyOffset.h:

(JSC::offsetInOutOfLineStorage):

• runtime/PropertyStorage.h: Added.

(JSC):

• runtime/PutDirectIndexMode.h: Added.

(JSC):

• runtime/RegExpMatchesArray.cpp:

(JSC::RegExpMatchesArray::RegExpMatchesArray):
(JSC):
(JSC::RegExpMatchesArray::create):
(JSC::RegExpMatchesArray::finishCreation):

• runtime/RegExpMatchesArray.h:

(RegExpMatchesArray):
(JSC::RegExpMatchesArray::createStructure):

• runtime/RegExpObject.cpp:

(JSC::RegExpObject::getOwnNonIndexPropertyNames):

• runtime/RegExpObject.h:

(RegExpObject):

• runtime/Reject.h: Added.

(JSC):
(JSC::reject):

• runtime/SparseArrayValueMap.cpp: Added.

(JSC):

• runtime/SparseArrayValueMap.h: Added.

(JSC):
(SparseArrayEntry):
(JSC::SparseArrayEntry::SparseArrayEntry):
(SparseArrayValueMap):
(JSC::SparseArrayValueMap::sparseMode):
(JSC::SparseArrayValueMap::setSparseMode):
(JSC::SparseArrayValueMap::lengthIsReadOnly):
(JSC::SparseArrayValueMap::setLengthIsReadOnly):
(JSC::SparseArrayValueMap::find):
(JSC::SparseArrayValueMap::remove):
(JSC::SparseArrayValueMap::notFound):
(JSC::SparseArrayValueMap::isEmpty):
(JSC::SparseArrayValueMap::contains):
(JSC::SparseArrayValueMap::size):
(JSC::SparseArrayValueMap::begin):
(JSC::SparseArrayValueMap::end):

• runtime/SparseArrayValueMapInlineMethods.h: Added.

(JSC):
(JSC::SparseArrayValueMap::SparseArrayValueMap):
(JSC::SparseArrayValueMap::~SparseArrayValueMap):
(JSC::SparseArrayValueMap::finishCreation):
(JSC::SparseArrayValueMap::create):
(JSC::SparseArrayValueMap::destroy):
(JSC::SparseArrayValueMap::createStructure):
(JSC::SparseArrayValueMap::add):
(JSC::SparseArrayValueMap::putEntry):
(JSC::SparseArrayValueMap::putDirect):
(JSC::SparseArrayEntry::get):
(JSC::SparseArrayEntry::getNonSparseMode):
(JSC::SparseArrayValueMap::visitChildren):

• runtime/StorageBarrier.h: Removed.
• runtime/StringObject.cpp:

(JSC::StringObject::putByIndex):
(JSC):
(JSC::StringObject::deletePropertyByIndex):

• runtime/StringObject.h:

(StringObject):

• runtime/StringPrototype.cpp:
• runtime/Structure.cpp:

(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::nonPropertyTransition):
(JSC):

• runtime/Structure.h:

(Structure):
(JSC::Structure::indexingType):
(JSC::Structure::indexingTypeIncludingHistory):
(JSC::Structure::indexingTypeOffset):
(JSC::Structure::create):

• runtime/StructureTransitionTable.h:

(JSC):
(JSC::toAttributes):
(JSC::newIndexingType):
(JSC::StructureTransitionTable::Hash::hash):

• tests/mozilla/js1_6/Array/regress-304828.js:

Source/WebCore:

Teach the DOM that to intercept get/put on indexed properties, you now have
to override getOwnPropertySlotByIndex and putByIndex.

No new tests because no new behavior. One test was rebased because indexed
property iteration order now matches other engines (indexed properties always
come first).

• bindings/js/ArrayValue.cpp:

(WebCore::ArrayValue::get):

• bindings/js/JSBlobCustom.cpp:

(WebCore::JSBlobConstructor::constructJSBlob):

• bindings/js/JSCanvasRenderingContext2DCustom.cpp:

(WebCore::JSCanvasRenderingContext2D::setWebkitLineDash):

• bindings/js/JSDOMStringListCustom.cpp:

(WebCore::toDOMStringList):

• bindings/js/JSDOMStringMapCustom.cpp:

(WebCore::JSDOMStringMap::deletePropertyByIndex):
(WebCore):

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::getOwnPropertySlot):
(WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
(WebCore):
(WebCore::JSDOMWindow::putByIndex):
(WebCore::JSDOMWindow::deletePropertyByIndex):

• bindings/js/JSDOMWindowShell.cpp:

(WebCore::JSDOMWindowShell::getOwnPropertySlotByIndex):
(WebCore):
(WebCore::JSDOMWindowShell::putByIndex):
(WebCore::JSDOMWindowShell::deletePropertyByIndex):

• bindings/js/JSDOMWindowShell.h:

(JSDOMWindowShell):

• bindings/js/JSHistoryCustom.cpp:

(WebCore::JSHistory::deletePropertyByIndex):
(WebCore):

• bindings/js/JSInspectorFrontendHostCustom.cpp:

(WebCore::populateContextMenuItems):

• bindings/js/JSLocationCustom.cpp:

(WebCore::JSLocation::deletePropertyByIndex):
(WebCore):

• bindings/js/JSStorageCustom.cpp:

(WebCore::JSStorage::deletePropertyByIndex):
(WebCore):

• bindings/js/JSWebSocketCustom.cpp:

(WebCore::JSWebSocketConstructor::constructJSWebSocket):

• bindings/js/ScriptValue.cpp:

(WebCore::jsToInspectorValue):

• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneSerializer::serialize):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):
(GenerateImplementation):

• bridge/runtime_array.cpp:

(JSC::RuntimeArray::RuntimeArray):

• bridge/runtime_array.h:

(JSC::RuntimeArray::createStructure):
(RuntimeArray):

LayoutTests:

Modify the JSON test to indicate that iterating over properties now returns
indexed properties first. This is a behavior change that makes us more
compliant with other implementations.

Also check in new expected file for the edge cases of indexed property access
with prototype accessors. This changeset introduces a known regression in that
department, which is tracked here: ​https://bugs.webkit.org/show_bug.cgi?id=96596

• fast/js/resources/JSON-stringify.js:
• platform/mac/fast/js/primitive-property-access-edge-cases-expected.txt: Added.

File:

• trunk/Source/JavaScriptCore/runtime/JSObject.h (modified) (29 diffs)

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten ([email protected])
  *  Copyright (C) 2001 Peter Kelly ([email protected])
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2012 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -25 +25 @@
 
 #include "ArgList.h"
+#include "ArrayConventions.h"
+#include "ArrayStorage.h"
+#include "Butterfly.h"
 #include "ClassInfo.h"
 #include "CommonIdentifiers.h"
@@ -30 +33 @@
 #include "JSCell.h"
 #include "PropertySlot.h"
+#include "PropertyStorage.h"
+#include "PutDirectIndexMode.h"
 #include "PutPropertySlot.h"
 
-#include "StorageBarrier.h"
 #include "Structure.h"
 #include "JSGlobalData.h"
 #include "JSString.h"
+#include "SparseArrayValueMap.h"
 #include <wtf/StdLibExtras.h>
 
@@ -80 +85 @@
     };
 
+    COMPILE_ASSERT(None < FirstInternalAttribute, None_is_below_FirstInternalAttribute);
+    COMPILE_ASSERT(ReadOnly < FirstInternalAttribute, ReadOnly_is_below_FirstInternalAttribute);
+    COMPILE_ASSERT(DontEnum < FirstInternalAttribute, DontEnum_is_below_FirstInternalAttribute);
+    COMPILE_ASSERT(DontDelete < FirstInternalAttribute, DontDelete_is_below_FirstInternalAttribute);
+    COMPILE_ASSERT(Function < FirstInternalAttribute, Function_is_below_FirstInternalAttribute);
+    COMPILE_ASSERT(Accessor < FirstInternalAttribute, Accessor_is_below_FirstInternalAttribute);
+
     class JSFinalObject;
 
@@ -97 +109 @@
     public:
         typedef JSCell Base;
-
+        
         JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
 
@@ -121 +133 @@
         bool allowsAccessFrom(ExecState*);
 
+        unsigned getArrayLength() const
+        {
+            switch (structure()->indexingType()) {
+            case NonArray:
+            case Array:
+                return 0;
+            case NonArrayWithArrayStorage:
+            case ArrayWithArrayStorage:
+                return m_butterfly->arrayStorage()->length();
+            default:
+                ASSERT_NOT_REACHED();
+                return 0;
+            }
+        }
+        
+        unsigned getVectorLength()
+        {
+            switch (structure()->indexingType()) {
+            case NonArray:
+            case Array:
+                return 0;
+            case NonArrayWithArrayStorage:
+            case ArrayWithArrayStorage:
+                return m_butterfly->arrayStorage()->vectorLength();
+            default:
+                ASSERT_NOT_REACHED();
+                return 0;
+            }
+        }
+        
         JS_EXPORT_PRIVATE static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
         JS_EXPORT_PRIVATE static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
+        
+        // This is similar to the putDirect* methods:
+        //  - the prototype chain is not consulted
+        //  - accessors are not called.
+        //  - it will ignore extensibility and read-only properties if PutDirectIndexLikePutDirect is passed as the mode (the default).
+        // This method creates a property with attributes writable, enumerable and configurable all set to true.
+        bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value, unsigned attributes, PutDirectIndexMode mode)
+        {
+            if (!attributes && canSetIndexQuickly(propertyName)) {
+                setIndexQuickly(exec->globalData(), propertyName, value);
+                return true;
+            }
+            return putDirectIndexBeyondVectorLength(exec, propertyName, value, attributes, mode);
+        }
+        bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value)
+        {
+            return putDirectIndex(exec, propertyName, value, 0, PutDirectIndexLikePutDirect);
+        }
+
+        // A non-throwing version of putDirect and putDirectIndex.
+        void putDirectMayBeIndex(ExecState*, PropertyName, JSValue);
+        
+        bool canGetIndexQuickly(unsigned i)
+        {
+            switch (structure()->indexingType()) {
+            case NonArray:
+            case Array:
+                return false;
+            case NonArrayWithArrayStorage:
+            case ArrayWithArrayStorage:
+                return i < m_butterfly->arrayStorage()->vectorLength() && m_butterfly->arrayStorage()->m_vector[i];
+            default:
+                ASSERT_NOT_REACHED();
+                return false;
+            }
+        }
+        
+        JSValue getIndexQuickly(unsigned i)
+        {
+            switch (structure()->indexingType()) {
+            case NonArrayWithArrayStorage:
+            case ArrayWithArrayStorage:
+                return m_butterfly->arrayStorage()->m_vector[i].get();
+            default:
+                ASSERT_NOT_REACHED();
+                return JSValue();
+            }
+        }
+        
+        bool canSetIndexQuickly(unsigned i)
+        {
+            switch (structure()->indexingType()) {
+            case NonArray:
+            case Array:
+                return false;
+            case NonArrayWithArrayStorage:
+            case ArrayWithArrayStorage:
+                return i < m_butterfly->arrayStorage()->vectorLength();
+            default:
+                ASSERT_NOT_REACHED();
+                return false;
+            }
+        }
+        
+        void setIndexQuickly(JSGlobalData& globalData, unsigned i, JSValue v)
+        {
+            switch (structure()->indexingType()) {
+            case NonArrayWithArrayStorage:
+            case ArrayWithArrayStorage: {
+                WriteBarrier<Unknown>& x = m_butterfly->arrayStorage()->m_vector[i];
+                if (!x) {
+                    ArrayStorage* storage = m_butterfly->arrayStorage();
+                    ++storage->m_numValuesInVector;
+                    if (i >= storage->length())
+                        storage->setLength(i + 1);
+                }
+                x.set(globalData, this, v);
+                break;
+            }
+            default:
+                ASSERT_NOT_REACHED();
+            }
+        }
+        
+        void initializeIndex(JSGlobalData& globalData, unsigned i, JSValue v)
+        {
+            switch (structure()->indexingType()) {
+            case NonArrayWithArrayStorage:
+            case ArrayWithArrayStorage: {
+                ArrayStorage* storage = m_butterfly->arrayStorage();
+#if CHECK_ARRAY_CONSISTENCY
+                ASSERT(storage->m_inCompactInitialization);
+                // Check that we are initializing the next index in sequence.
+                ASSERT(i == storage->m_initializationIndex);
+                // tryCreateUninitialized set m_numValuesInVector to the initialLength,
+                // check we do not try to initialize more than this number of properties.
+                ASSERT(storage->m_initializationIndex < storage->m_numValuesInVector);
+                storage->m_initializationIndex++;
+#endif
+                ASSERT(i < storage->length());
+                ASSERT(i < storage->m_numValuesInVector);
+                storage->m_vector[i].set(globalData, this, v);
+                break;
+            }
+            default:
+                ASSERT_NOT_REACHED();
+            }
+        }
+        
+        void completeInitialization(unsigned newLength)
+        {
+            switch (structure()->indexingType()) {
+            case NonArrayWithArrayStorage:
+            case ArrayWithArrayStorage: {
+                ArrayStorage* storage = m_butterfly->arrayStorage();
+                // Check that we have initialized as meny properties as we think we have.
+                UNUSED_PARAM(storage);
+                ASSERT_UNUSED(newLength, newLength == storage->length());
+#if CHECK_ARRAY_CONSISTENCY
+                // Check that the number of propreties initialized matches the initialLength.
+                ASSERT(storage->m_initializationIndex == m_storage->m_numValuesInVector);
+                ASSERT(storage->m_inCompactInitialization);
+                storage->m_inCompactInitialization = false;
+#endif
+                break;
+            }
+            default:
+                ASSERT_NOT_REACHED();
+            }
+        }
+        
+        bool inSparseIndexingMode()
+        {
+            switch (structure()->indexingType()) {
+            case NonArray:
+            case Array:
+                return false;
+            case NonArrayWithArrayStorage:
+            case ArrayWithArrayStorage:
+                return m_butterfly->arrayStorage()->inSparseMode();
+            default:
+                ASSERT_NOT_REACHED();
+                return false;
+            }
+        }
+        
+        void enterDictionaryIndexingMode(JSGlobalData&);
 
         // putDirect is effectively an unchecked vesion of 'defineOwnProperty':
@@ -128 +317 @@
         //  - accessors are not called.
         //  - attributes will be respected (after the call the property will exist with the given attributes)
+        //  - the property name is assumed to not be an index.
         JS_EXPORT_PRIVATE static void putDirectVirtual(JSObject*, ExecState*, PropertyName, JSValue, unsigned attributes);
         void putDirect(JSGlobalData&, PropertyName, JSValue, unsigned attributes = 0);
         void putDirect(JSGlobalData&, PropertyName, JSValue, PutPropertySlot&);
         void putDirectWithoutTransition(JSGlobalData&, PropertyName, JSValue, unsigned attributes = 0);
-        void putDirectAccessor(JSGlobalData&, PropertyName, JSValue, unsigned attributes);
+        void putDirectAccessor(ExecState*, PropertyName, JSValue, unsigned attributes);
 
         bool propertyIsEnumerable(ExecState*, const Identifier& propertyName) const;
@@ -148 +338 @@
 
         JS_EXPORT_PRIVATE static void getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
+        JS_EXPORT_PRIVATE static void getOwnNonIndexPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
         JS_EXPORT_PRIVATE static void getPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
 
@@ -204 +395 @@
         }
         
-        ConstPropertyStorage outOfLineStorage() const { return m_outOfLineStorage.get(); }
-        PropertyStorage outOfLineStorage() { return m_outOfLineStorage.get(); }
+        const Butterfly* butterfly() const { return m_butterfly; }
+        Butterfly* butterfly() { return m_butterfly; }
+        
+        ConstPropertyStorage outOfLineStorage() const { return m_butterfly->propertyStorage(); }
+        PropertyStorage outOfLineStorage() { return m_butterfly->propertyStorage(); }
 
         const WriteBarrierBase<Unknown>* locationForOffset(PropertyOffset offset) const
@@ -228 +422 @@
                 result = offsetInInlineStorage;
             else
-                result = outOfLineStorage() - location + (inlineStorageCapacity - 2);
+                result = outOfLineStorage() - location + (inlineStorageCapacity - 1);
             validateOffset(result, structure()->typeInfo().type());
             return result;
@@ -266 +460 @@
         bool isFrozen(JSGlobalData& globalData) { return structure()->isFrozen(globalData); }
         bool isExtensible() { return structure()->isExtensible(); }
+        bool indexingShouldBeSparse()
+        {
+            return !isExtensible()
+                || structure()->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero();
+        }
 
         bool staticFunctionsReified() { return structure()->staticFunctionsReified(); }
         void reifyStaticFunctionsForDelete(ExecState* exec);
 
-        JS_EXPORT_PRIVATE PropertyStorage growOutOfLineStorage(JSGlobalData&, size_t oldSize, size_t newSize);
-        void setOutOfLineStorage(JSGlobalData&, PropertyStorage, Structure*);
+        JS_EXPORT_PRIVATE Butterfly* growOutOfLineStorage(JSGlobalData&, size_t oldSize, size_t newSize);
+        void setButterfly(JSGlobalData&, Butterfly*, Structure*);
+        void setButterflyWithoutChangingStructure(Butterfly*); // You probably don't want to call this.
         
         void setStructureAndReallocateStorageIfNecessary(JSGlobalData&, unsigned oldCapacity, Structure*);
         void setStructureAndReallocateStorageIfNecessary(JSGlobalData&, Structure*);
-
-        void* addressOfOutOfLineStorage()
-        {
-            return &m_outOfLineStorage;
-        }
 
         void flattenDictionaryObject(JSGlobalData& globalData)
@@ -294 +489 @@
         
         static size_t offsetOfInlineStorage();
-        static size_t offsetOfOutOfLineStorage();
+        
+        static ptrdiff_t butterflyOffset()
+        {
+            return OBJECT_OFFSETOF(JSObject, m_butterfly);
+        }
+        
+        void* butterflyAddress()
+        {
+            return &m_butterfly;
+        }
 
         static JS_EXPORTDATA const ClassInfo s_info;
@@ -317 +521 @@
         // To instantiate objects you likely want JSFinalObject, below.
         // To create derived types you likely want JSNonFinalObject, below.
-        JSObject(JSGlobalData&, Structure*);
+        JSObject(JSGlobalData&, Structure*, Butterfly* = 0);
         
         void resetInheritorID(JSGlobalData& globalData)
@@ -324 +528 @@
         }
         
-        void visitOutOfLineStorage(SlotVisitor&, PropertyStorage, size_t storageSize);
+        void visitButterfly(SlotVisitor&, Butterfly*, size_t storageSize);
+
+        // Call this if you know that the object is in a mode where it has array
+        // storage. This will assert otherwise.
+        ArrayStorage* arrayStorage()
+        {
+            ASSERT(structure()->indexingType() | HasArrayStorage);
+            return m_butterfly->arrayStorage();
+        }
+        
+        // Call this if you want to predicate some actions on whether or not the
+        // object is in a mode where it has array storage.
+        ArrayStorage* arrayStorageOrNull()
+        {
+            switch (structure()->indexingType()) {
+            case ArrayWithArrayStorage:
+            case NonArrayWithArrayStorage:
+                return m_butterfly->arrayStorage();
+                
+            default:
+                return 0;
+            }
+        }
+
+        // Ensure that the object is in a mode where it has array storage. Use
+        // this if you're about to perform actions that would have required the
+        // object to be converted to have array storage, if it didn't have it
+        // already.
+        ArrayStorage* ensureArrayStorage(JSGlobalData& globalData)
+        {
+            switch (structure()->indexingType()) {
+            case ArrayWithArrayStorage:
+            case NonArrayWithArrayStorage:
+                return m_butterfly->arrayStorage();
+                
+            case NonArray:
+            case Array:
+                return createInitialArrayStorage(globalData);
+                
+            default:
+                ASSERT_NOT_REACHED();
+                return 0;
+            }
+        }
+        
+        ArrayStorage* createArrayStorage(JSGlobalData&, unsigned length, unsigned vectorLength);
+        ArrayStorage* createInitialArrayStorage(JSGlobalData&);
+        
+        ArrayStorage* ensureArrayStorageExistsAndEnterDictionaryIndexingMode(JSGlobalData&);
+        
+        bool defineOwnNonIndexProperty(ExecState*, PropertyName, PropertyDescriptor&, bool throwException);
+
+        enum ConsistencyCheckType { NormalConsistencyCheck, DestructorConsistencyCheck, SortConsistencyCheck };
+#if !CHECK_ARRAY_CONSISTENCY
+        void checkIndexingConsistency(ConsistencyCheckType = NormalConsistencyCheck) { }
+#else
+        void checkIndexingConsistency(ConsistencyCheckType = NormalConsistencyCheck);
+#endif
+        
+        void putByIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, bool shouldThrow, ArrayStorage*);
+
+        bool increaseVectorLength(JSGlobalData&, unsigned newLength);
+        void deallocateSparseIndexMap();
+        bool defineOwnIndexedProperty(ExecState*, unsigned, PropertyDescriptor&, bool throwException);
+        SparseArrayValueMap* allocateSparseIndexMap(JSGlobalData&);
 
     private:
@@ -337 +605 @@
         void isString();
         
+        ArrayStorage* enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(JSGlobalData&, ArrayStorage*);
+        
         template<PutMode>
         bool putDirectInternal(JSGlobalData&, PropertyName, JSValue, unsigned attr, PutPropertySlot&, JSCell*);
 
         bool inlineGetOwnPropertySlot(ExecState*, PropertyName, PropertySlot&);
-        JS_EXPORT_PRIVATE void fillGetterPropertySlot(PropertySlot&, WriteBarrierBase<Unknown>* location);
+        JS_EXPORT_PRIVATE void fillGetterPropertySlot(PropertySlot&, PropertyOffset);
 
         const HashEntry* findPropertyHashEntry(ExecState*, PropertyName) const;
         Structure* createInheritorID(JSGlobalData&);
-
-        StorageBarrier m_outOfLineStorage;
+        
+        void putIndexedDescriptor(ExecState*, SparseArrayEntry*, PropertyDescriptor&, PropertyDescriptor& old);
+        
+        void putByIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
+        bool putDirectIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode, ArrayStorage*);
+        JS_EXPORT_PRIVATE bool putDirectIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode);
+        
+        unsigned getNewVectorLength(unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength);
+        unsigned getNewVectorLength(unsigned desiredLength);
+
+        JS_EXPORT_PRIVATE bool getOwnPropertySlotSlow(ExecState*, PropertyName, PropertySlot&);
+        
+    protected:
+        Butterfly* m_butterfly;
     };
 
@@ -370 +652 @@
 
     protected:
-        explicit JSNonFinalObject(JSGlobalData& globalData, Structure* structure)
-            : JSObject(globalData, structure)
+        explicit JSNonFinalObject(JSGlobalData& globalData, Structure* structure, Butterfly* butterfly = 0)
+            : JSObject(globalData, structure, butterfly)
         {
         }
@@ -454 +736 @@
 }
 
-inline size_t JSObject::offsetOfOutOfLineStorage()
-{
-    return OBJECT_OFFSETOF(JSObject, m_outOfLineStorage);
-}
-
 inline bool JSObject::isGlobalObject() const
 {
@@ -489 +766 @@
 }
 
-inline void JSObject::setOutOfLineStorage(JSGlobalData& globalData, PropertyStorage storage, Structure* structure)
+inline void JSObject::setButterfly(JSGlobalData& globalData, Butterfly* butterfly, Structure* structure)
 {
     ASSERT(structure);
-    if (!storage) {
-        ASSERT(!structure->outOfLineCapacity());
-        ASSERT(!structure->outOfLineSize());
-    } else {
-        ASSERT(structure->outOfLineCapacity());
-        ASSERT(structure->outOfLineSize());
-    }
+    ASSERT(!butterfly == (!structure->outOfLineCapacity() && !hasIndexingHeader(structure->indexingType())));
     setStructure(globalData, structure);
-    m_outOfLineStorage.set(globalData, this, storage);
+    m_butterfly = butterfly;
+}
+
+inline void JSObject::setButterflyWithoutChangingStructure(Butterfly* butterfly)
+{
+    m_butterfly = butterfly;
 }
 
@@ -538 +814 @@
 }
 
-inline JSObject::JSObject(JSGlobalData& globalData, Structure* structure)
+inline JSObject::JSObject(JSGlobalData& globalData, Structure* structure, Butterfly* butterfly)
     : JSCell(globalData, structure)
-    , m_outOfLineStorage(globalData, this, 0)
+    , m_butterfly(butterfly)
 {
 }
@@ -588 +864 @@
 ALWAYS_INLINE bool JSObject::inlineGetOwnPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
 {
-    if (WriteBarrierBase<Unknown>* location = getDirectLocation(exec->globalData(), propertyName)) {
-        if (structure()->hasGetterSetterProperties() && location->isGetterSetter())
-            fillGetterPropertySlot(slot, location);
+    PropertyOffset offset = structure()->get(exec->globalData(), propertyName);
+    if (LIKELY(isValidOffset(offset))) {
+        JSValue value = getDirectOffset(offset);
+        if (structure()->hasGetterSetterProperties() && value.isGetterSetter())
+            fillGetterPropertySlot(slot, offset);
         else
-            slot.setValue(this, location->get(), offsetForLocation(location));
+            slot.setValue(this, value, offset);
         return true;
     }
 
-    return false;
+    return getOwnPropertySlotSlow(exec, propertyName, slot);
 }
 
@@ -682 +960 @@
     ASSERT(value.isGetterSetter() == !!(attributes & Accessor));
     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
+    ASSERT(propertyName.asIndex() == PropertyName::NotAnIndex);
 
     if (structure()->isDictionary()) {
@@ -710 +989 @@
             return false;
 
-        PropertyStorage newStorage = outOfLineStorage();
+        Butterfly* newButterfly = m_butterfly;
         if (structure()->putWillGrowOutOfLineStorage())
-            newStorage = growOutOfLineStorage(globalData, structure()->outOfLineCapacity(), structure()->suggestedNewOutOfLineStorageCapacity());
+            newButterfly = growOutOfLineStorage(globalData, structure()->outOfLineCapacity(), structure()->suggestedNewOutOfLineStorageCapacity());
         offset = structure()->addPropertyWithoutTransition(globalData, propertyName, attributes, specificFunction);
-        setOutOfLineStorage(globalData, newStorage, structure());
+        setButterfly(globalData, newButterfly, structure());
 
         validateOffset(offset);
@@ -728 +1007 @@
     size_t currentCapacity = structure()->outOfLineCapacity();
     if (Structure* structure = Structure::addPropertyTransitionToExistingStructure(this->structure(), propertyName, attributes, specificFunction, offset)) {
-        PropertyStorage newStorage = outOfLineStorage(); 
+        Butterfly* newButterfly = m_butterfly;
         if (currentCapacity != structure->outOfLineCapacity())
-            newStorage = growOutOfLineStorage(globalData, currentCapacity, structure->outOfLineCapacity());
+            newButterfly = growOutOfLineStorage(globalData, currentCapacity, structure->outOfLineCapacity());
 
         validateOffset(offset);
         ASSERT(structure->isValidOffset(offset));
-        setOutOfLineStorage(globalData, newStorage, structure);
+        setButterfly(globalData, newButterfly, structure);
         putDirectOffset(globalData, offset, value);
         // This is a new property; transitions with specific values are not currently cachable,
@@ -801 +1080 @@
     }
     
-    PropertyStorage newStorage = growOutOfLineStorage(
+    Butterfly* newButterfly = growOutOfLineStorage(
         globalData, oldCapacity, newStructure->outOfLineCapacity());
-    setOutOfLineStorage(globalData, newStorage, newStructure);
+    setButterfly(globalData, newButterfly, newStructure);
 }
 
@@ -837 +1116 @@
 {
     ASSERT(!value.isGetterSetter() && !(attributes & Accessor));
-    PropertyStorage newStorage = outOfLineStorage();
+    Butterfly* newButterfly = m_butterfly;
     if (structure()->putWillGrowOutOfLineStorage())
-        newStorage = growOutOfLineStorage(globalData, structure()->outOfLineCapacity(), structure()->suggestedNewOutOfLineStorageCapacity());
+        newButterfly = growOutOfLineStorage(globalData, structure()->outOfLineCapacity(), structure()->suggestedNewOutOfLineStorageCapacity());
     PropertyOffset offset = structure()->addPropertyWithoutTransition(globalData, propertyName, attributes, getCallableObject(value));
-    setOutOfLineStorage(globalData, newStorage, structure());
+    setButterfly(globalData, newButterfly, structure());
     putDirectOffset(globalData, offset, value);
 }
@@ -933 +1212 @@
 }
 
+inline size_t offsetInButterfly(PropertyOffset offset)
+{
+    return offsetInOutOfLineStorage(offset) + Butterfly::indexOfPropertyStorage();
+}
+
 // This is a helper for patching code where you want to emit a load or store and
 // the base is:
@@ -940 +1224 @@
 {
     if (isOutOfLineOffset(offset))
-        return sizeof(EncodedJSValue) * offsetInOutOfLineStorage(offset);
-    return JSObject::offsetOfInlineStorage() - JSObject::offsetOfOutOfLineStorage() + sizeof(EncodedJSValue) * offsetInInlineStorage(offset);
+        return sizeof(EncodedJSValue) * offsetInButterfly(offset);
+    return JSObject::offsetOfInlineStorage() - JSObject::butterflyOffset() + sizeof(EncodedJSValue) * offsetInInlineStorage(offset);
 }
 
@@ -947 +1231 @@
 {
     if (isOutOfLineOffset(offset))
-        return offsetInOutOfLineStorage(offset);
+        return offsetInOutOfLineStorage(offset) + Butterfly::indexOfPropertyStorage();
     ASSERT(!(JSObject::offsetOfInlineStorage() % sizeof(EncodedJSValue)));
     return JSObject::offsetOfInlineStorage() / sizeof(EncodedJSValue) + offsetInInlineStorage(offset);
@@ -955 +1239 @@
 {
     if (isOutOfLineOffset(offset))
-        return offsetInOutOfLineStorage(offset) * sizeof(EncodedJSValue);
+        return offsetInOutOfLineStorage(offset) * sizeof(EncodedJSValue) + Butterfly::offsetOfPropertyStorage();
     return JSObject::offsetOfInlineStorage() + offsetInInlineStorage(offset) * sizeof(EncodedJSValue);
 }