REGRESSION: 2x regression on Dromaeo DOM query tests
https://bugs.webkit.org/show_bug.cgi?id=125377
Reviewed by Filip Pizlo.
PerformanceTests:
Added a micro-benchmark for updating a named property on document.
- Bindings/update-name-getter.html: Added.
- Skipped:
Source/JavaScriptCore:
The bug was caused by JSC not JIT'ing property access on "document" due to its type info having
HasImpureGetOwnPropertySlot flag.
Fixed the bug by new type info flag NewImpurePropertyFiresWatchpoints, which allows the baseline
JIT to generate byte code for access properties on an object with named properties (a.k.a.
custom name getter) in DOM. When a new named property appears on the object, VM is notified via
VM::addImpureProperty and fires StructureStubClearingWatchpoint added during the repatch.
- bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
properties in the prototype chain.
(JSC::GetByIdStatus::computeForChain): Ditto.
(JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any
object in the prototype chain via StructureStubClearingWatchpoint.
(JSC::generateProtoChainAccessStub): Ditto.
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::tryRepatchIn): Ditto.
- runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
(JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.
(JSC::normalizePrototypeChainForChainAccess): Don't exit early if VM will be notified of new
impure property even if the object had impure properties.
(JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and
asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.
(JSC::VM::registerWatchpointForImpureProperty): Added.
(JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.
Source/WebCore:
The bug was caused by JSC not JIT'ing property accesses on document because of its having
custom named getter (named properties). This resulted in resolution of methods on document
such as getElementById to happen inside the interpreter.
Fixed the bug by using the new JSC type info flag which tells JSC to JIT property access on
document, and then notifying JSC whenever a new named property appeared on document.
Tests: js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-2.html
js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-3.html
js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-4.html
js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-2.html
js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-3.html
js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-4.html
- bindings/js/JSDOMBinding.cpp:
(WebCore::addImpureProperty): Wraps VM::addImpureProperty.
- bindings/js/JSDOMBinding.h:
- bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader): Added the support for NewImpurePropertyFiresWatchpoints.
- bindings/scripts/IDLAttributes.txt: Ditto.
- html/HTMLDocument.cpp:
(WebCore::HTMLDocument::addDocumentNamedItem): Calls addImpureProperty.
- html/HTMLDocument.idl: Added NewImpurePropertyFiresWatchpoints.
LayoutTests:
Added more regression tests for throwing away byte code when a new named property appears.
- js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-expected: Rebaselined.
- js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Fixed the test to use dfgShouldBe.
- js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-2-expected.txt: Added.
- js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-2.html: Added.
- js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-3-expected.txt: Added.
- js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-3.html: Added.
- js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-4-expected.txt: Added.
- js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-4.html: Added.
- js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-5-expected.txt: Added.
- js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html: Added.
- js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-2-expected.txt: Added.
- js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-2.html: Added.
- js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-3-expected.txt: Added.
- js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-3.html: Added.
- js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-4-expected.txt: Added.
- js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-4.html: Added.
- js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5-expected.txt: Added.
- js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html: Added.
- js/dom/script-tests/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Removed.
