Timestamp:
Oct 10, 2017, 12:58:27 AM (8 years ago)
Author:
[email protected]
Message:

The prototype cache should be aware of the Executable it generates a Structure for
https://bugs.webkit.org/show_bug.cgi?id=177907

Reviewed by Filip Pizlo.

JSTests:

  • microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.

(assert):
(foo.C):
(foo):
(bar.C):
(bar):
(access):
(makeLongChain):
(accessY):

Source/JavaScriptCore:

This patch renames PrototypeMap to StructureCache because
it is no longer a map of the prototypes in the VM. It's
only used to cache Structures during object construction.

The main change of this patch is to guarantee that Structures generated
by the create_this originating from two different Executables'
bytecode won't hash-cons to the same thing. Previously, we could hash-cons
them depending on the JSObject* prototype pointer. This would cause the last
thing that hash-consed to overwrite the Structure's poly proto watchpoint. This
happened because when we initialize a JSFunction's ObjectAllocationProfile,
we set the resulting Structure's poly proto watchpoint. This could cause a Structure
generated from some Executable e1 to end up with the poly proto watchpoint
for another Executable e2 simply because JSFunctions backed by e1 and e2
shared the same prototype. Then, based on profiling information, we may fire the
wrong Executable's poly proto watchpoint. This patch fixes this bug by
guaranteeing that Structures generated from create_this for different
Executables are unique even if they share the same prototype by adding
the FunctionExecutable* as another field in PrototypeKey.

  • JavaScriptCore.xcodeproj/project.pbxproj:
  • Sources.txt:
  • bytecode/InternalFunctionAllocationProfile.h:

(JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):

  • bytecode/ObjectAllocationProfile.cpp:

(JSC::ObjectAllocationProfile::initializeProfile):

  • dfg/DFGOperations.cpp:
  • runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

  • runtime/InternalFunction.cpp:

(JSC::InternalFunction::createSubclassStructureSlow):

  • runtime/IteratorOperations.cpp:

(JSC::createIteratorResultObjectStructure):

  • runtime/JSBoundFunction.cpp:

(JSC::getBoundFunctionStructure):

  • runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

  • runtime/ObjectConstructor.h:

(JSC::constructEmptyObject):

  • runtime/PrototypeKey.h:

(JSC::PrototypeKey::PrototypeKey):
(JSC::PrototypeKey::executable const):
(JSC::PrototypeKey::operator== const):
(JSC::PrototypeKey::hash const):

  • runtime/PrototypeMap.cpp: Removed.
  • runtime/PrototypeMap.h: Removed.
  • runtime/StructureCache.cpp: Copied from Source/JavaScriptCore/runtime/PrototypeMap.cpp.

(JSC::StructureCache::createEmptyStructure):
(JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
(JSC::StructureCache::emptyObjectStructureForPrototype):
(JSC::PrototypeMap::createEmptyStructure): Deleted.
(JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure): Deleted.
(JSC::PrototypeMap::emptyObjectStructureForPrototype): Deleted.

  • runtime/StructureCache.h: Copied from Source/JavaScriptCore/runtime/PrototypeMap.h.

(JSC::StructureCache::StructureCache):
(JSC::PrototypeMap::PrototypeMap): Deleted.

  • runtime/VM.cpp:

(JSC::VM::VM):

  • runtime/VM.h:
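The aliasing the message describes, modelled as an added example. This is not JavaScriptCore's code: JSObject, FunctionExecutable, Structure, the two key types and StructureCache below are simplified stand-ins, and the watchpointOwner field is a hypothetical marker used only to make the overwrite observable. A cache keyed on the prototype pointer alone hands the same Structure to two Executables whose functions share a prototype, so the second initializeProfile clobbers the first one's poly proto watchpoint; adding the FunctionExecutable* to the key keeps the two Structures distinct.

```cpp
#include <cassert>
#include <cstddef>
#include <functional>
#include <memory>
#include <unordered_map>

// Simplified stand-ins for the JSC types named in the ChangeLog. These are
// hypothetical definitions for illustration, not JavaScriptCore's own.
struct JSObject { int id; };              // a prototype object
struct FunctionExecutable { int id; };    // identity of a function's compiled code

struct Structure {
    const JSObject* prototype;
    // The ChangeLog says initializing a JSFunction's ObjectAllocationProfile
    // sets the Structure's poly proto watchpoint. We record which Executable
    // did so (hypothetical field) to make a later overwrite visible.
    const FunctionExecutable* watchpointOwner = nullptr;
};

// Cache key before the fix: only the prototype pointer participates.
struct ProtoOnlyKey {
    const JSObject* prototype;
    bool operator==(const ProtoOnlyKey& o) const { return prototype == o.prototype; }
    size_t hash() const { return std::hash<const JSObject*>()(prototype); }
};

// Cache key after the fix: the FunctionExecutable* is part of the key, so
// create_this from different Executables never hash-conses to one Structure.
struct ProtoAndExecutableKey {
    const JSObject* prototype;
    const FunctionExecutable* executable;
    bool operator==(const ProtoAndExecutableKey& o) const {
        return prototype == o.prototype && executable == o.executable;
    }
    size_t hash() const {
        return std::hash<const JSObject*>()(prototype)
             ^ (std::hash<const FunctionExecutable*>()(executable) << 1);
    }
};

template<class Key> struct KeyHash {
    size_t operator()(const Key& k) const { return k.hash(); }
};

// Minimal model of the renamed StructureCache: one empty Structure per key.
template<class Key>
class StructureCache {
public:
    // Returns the cached empty Structure for this key, creating it on first use.
    Structure* emptyStructureFor(const Key& key, const JSObject* prototype) {
        auto it = m_map.find(key);
        if (it != m_map.end())
            return it->second.get();
        auto structure = std::make_unique<Structure>(Structure{prototype});
        Structure* raw = structure.get();
        m_map.emplace(key, std::move(structure));
        return raw;
    }
private:
    std::unordered_map<Key, std::unique_ptr<Structure>, KeyHash<Key>> m_map;
};

// Mimics initializing a JSFunction's ObjectAllocationProfile: fetch the
// Structure from the cache and stamp its poly proto watchpoint with the
// Executable that owns this profile.
template<class Key, class MakeKey>
Structure* initializeProfile(StructureCache<Key>& cache, const JSObject* prototype,
                             const FunctionExecutable* executable, MakeKey makeKey) {
    Structure* s = cache.emptyStructureFor(makeKey(prototype, executable), prototype);
    s->watchpointOwner = executable;
    return s;
}

// Two Executables e1 and e2 whose JSFunctions share one prototype. Returns
// true only if e1 and e2 got distinct Structures and e1's watchpoint survived
// e2's profile initialization.
bool protoOnlyKeyKeepsWatchpointsSeparate() {
    JSObject proto{1};
    FunctionExecutable e1{1}, e2{2};
    StructureCache<ProtoOnlyKey> cache;
    auto key = [](const JSObject* p, const FunctionExecutable*) { return ProtoOnlyKey{p}; };
    Structure* s1 = initializeProfile(cache, &proto, &e1, key);
    Structure* s2 = initializeProfile(cache, &proto, &e2, key);
    return s1 != s2 && s1->watchpointOwner == &e1;
}

bool protoAndExecutableKeyKeepsWatchpointsSeparate() {
    JSObject proto{1};
    FunctionExecutable e1{1}, e2{2};
    StructureCache<ProtoAndExecutableKey> cache;
    auto key = [](const JSObject* p, const FunctionExecutable* e) {
        return ProtoAndExecutableKey{p, e};
    };
    Structure* s1 = initializeProfile(cache, &proto, &e1, key);
    Structure* s2 = initializeProfile(cache, &proto, &e2, key);
    return s1 != s2 && s1->watchpointOwner == &e1;
}

int main() {
    // Before the fix the shared prototype aliases the two Structures and e2
    // overwrites e1's watchpoint; with the Executable in the key it does not.
    assert(!protoOnlyKeyKeepsWatchpointsSeparate());
    assert(protoAndExecutableKeyKeepsWatchpointsSeparate());
    return 0;
}
```

The general point this models is that a cache key must carry every attribute that code downstream treats as distinguishing; here the watchpoint is per Executable, so the Executable has to be part of the key or the cache will silently merge entries that the profiling code treats as separate.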
File:
1 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r223124 r223125  
     12017-10-10  Saam Barati  <[email protected]>
     2
     3        The prototype cache should be aware of the Executable it generates a Structure for
     4        https://bugs.webkit.org/show_bug.cgi?id=177907
     5
     6        Reviewed by Filip Pizlo.
     7
     8        This patch renames PrototypeMap to StructureCache because
     9        it is no longer a map of the prototypes in the VM. It's
     10        only used to cache Structures during object construction.
     11       
     12        The main change of this patch is to guarantee that Structures generated
     13        by the create_this originating from different two different Executables'
     14        bytecode won't hash-cons to the same thing. Previously, we could hash-cons
     15        them depending on the JSObject* prototype pointer. This would cause the last
     16        thing that hash-consed to overwrite the Structure's poly proto watchpoint. This
     17        happened because when we initialize a JSFunction's ObjectAllocationProfile,
     18        we set the resulting Structure's poly proto watchpoint. This could cause a Structure
     19        generating from some Executable e1 to end up with the poly proto watchpoint
     20        for another Executable e2 simply because JSFunctions backed by e1 and e2
     21        shared the same prototype. Then, based on profiling information, we may fire the
     22        wrong Executable's poly proto watchpoint. This patch fixes this bug by
     23        guaranteeing that Structures generating from create_this for different
     24        Executables are unique even if they share the same prototype by adding
     25        the FunctionExecutable* as another field in PrototypeKey.
     26
     27        * JavaScriptCore.xcodeproj/project.pbxproj:
     28        * Sources.txt:
     29        * bytecode/InternalFunctionAllocationProfile.h:
     30        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
     31        * bytecode/ObjectAllocationProfile.cpp:
     32        (JSC::ObjectAllocationProfile::initializeProfile):
     33        * dfg/DFGOperations.cpp:
     34        * runtime/CommonSlowPaths.cpp:
     35        (JSC::SLOW_PATH_DECL):
     36        * runtime/InternalFunction.cpp:
     37        (JSC::InternalFunction::createSubclassStructureSlow):
     38        * runtime/IteratorOperations.cpp:
     39        (JSC::createIteratorResultObjectStructure):
     40        * runtime/JSBoundFunction.cpp:
     41        (JSC::getBoundFunctionStructure):
     42        * runtime/JSGlobalObject.cpp:
     43        (JSC::JSGlobalObject::init):
     44        * runtime/ObjectConstructor.h:
     45        (JSC::constructEmptyObject):
     46        * runtime/PrototypeKey.h:
     47        (JSC::PrototypeKey::PrototypeKey):
     48        (JSC::PrototypeKey::executable const):
     49        (JSC::PrototypeKey::operator== const):
     50        (JSC::PrototypeKey::hash const):
     51        * runtime/PrototypeMap.cpp: Removed.
     52        * runtime/PrototypeMap.h: Removed.
     53        * runtime/StructureCache.cpp: Copied from Source/JavaScriptCore/runtime/PrototypeMap.cpp.
     54        (JSC::StructureCache::createEmptyStructure):
     55        (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
     56        (JSC::StructureCache::emptyObjectStructureForPrototype):
     57        (JSC::PrototypeMap::createEmptyStructure): Deleted.
     58        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure): Deleted.
     59        (JSC::PrototypeMap::emptyObjectStructureForPrototype): Deleted.
     60        * runtime/StructureCache.h: Copied from Source/JavaScriptCore/runtime/PrototypeMap.h.
     61        (JSC::StructureCache::StructureCache):
     62        (JSC::PrototypeMap::PrototypeMap): Deleted.
     63        * runtime/VM.cpp:
     64        (JSC::VM::VM):
     65        * runtime/VM.h:
     66
    1672017-10-09  Yusuke Suzuki  <[email protected]>
    268
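Review bot: line 13 of the entry reads "originating from different two different Executables' bytecode"; drop the stray "different". Lines 19 and 23 say "Structures generating from"; "generated from" is meant in both places. In the file list, dfg/DFGOperations.cpp (line 33) and runtime/VM.h (line 65) are the only touched files with no function-level entry beneath them, while every other file names the changed function; add the functions or a short note of what changed there. The description also stops at "we may fire the wrong Executable's poly proto watchpoint" without stating what code that depends on the watchpoint ends up assuming about the object's prototype; one sentence on the observable consequence would tell a later reader why this mix-up matters beyond a performance profile.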