[JSC] attribute-change transition should not pin Structure
https://bugs.webkit.org/show_bug.cgi?id=215528
Patch by Yusuke Suzuki <[email protected]> on 2020-09-11
Reviewed by Saam Barati.
JSTests:
- stress/change-attribute-structure-transition.js: Added.
(shouldBe):
(sd.let.data.vm.getStructureTransitionList.let.result.return.result.kind):
(sd):
(shouldBe.JSON.stringify.sd):
(lastStructureID):
(shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
Source/JavaScriptCore:
This patch avoids using pin in attribute-change transition. To achieve this, attribute-change transition is now fully supported
transition chain in forEachPropertyConcurrently etc.: we can retrieve properties with changed attributes correctly via traversing
transition chain. And we also support attribute-change transition in materializePropertyTable, so we do not need to pin structure.
The design largely mimics existing removePropertyTransition and addPropertyTransition. This patch also adds hasBeenDictionary()
check before adding structure to the transition so that we can avoid adding unnecessary structure entry to the transition table.
(JSC::AccessCase::generateImpl):
(JSC::DFG::clobberize):
(JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
(JSC::tryCacheDeleteBy):
(JSC::Structure::materializePropertyTable):
(JSC::Structure::addPropertyTransitionToExistingStructureImpl):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::addNewPropertyTransition):
(JSC::Structure::removePropertyTransitionFromExistingStructureImpl):
(JSC::Structure::removeNewPropertyTransition):
(JSC::Structure::attributeChangeTransitionToExistingStructure):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::nonPropertyTransitionSlow):
(JSC::Structure::attributeChange):
- runtime/Structure.h:
- runtime/StructureInlines.h:
(JSC::Structure::forEachPropertyConcurrently):
(JSC::Structure::attributeChange):
(JSC::Structure::attributeChangeWithoutTransition):
(JSC::JSDollarVMHelper::functionGetStructureTransitionList):
