Ignore:
Timestamp:
Feb 25, 2009, 3:44:07 PM (16 years ago)
Author:
[email protected]
Message:

JavaScriptCore:

2009-02-25 Geoffrey Garen <[email protected]>

Reviewed by Maciej Stachowiak.


Fixed <rdar://problem/6611174> REGRESSION (r36701): Unable to select
messages on hotmail (24052)


The bug was that for-in enumeration used a cached prototype chain without
validating that it was up-to-date.


This led me to refactor prototype chain caching so it was easier to work
with and harder to get wrong.


After a bit of inlining, this patch is performance-neutral on SunSpider
and the v8 benchmarks.

  • interpreter/Interpreter.cpp: (JSC::Interpreter::tryCachePutByID): (JSC::Interpreter::tryCacheGetByID):
  • jit/JITStubs.cpp: (JSC::JITStubs::tryCachePutByID): (JSC::JITStubs::tryCacheGetByID): (JSC::JITStubs::cti_op_get_by_id_proto_list): Use the new refactored goodness. See lines beginning with "-" and smile.
  • runtime/JSGlobalObject.h: (JSC::Structure::prototypeForLookup): A shout out to const.
  • runtime/JSPropertyNameIterator.h: (JSC::JSPropertyNameIterator::next): We can use a pointer comparison to see if our cached structure chain is equal to the object's structure chain, since in the case of a cache hit, we share references to the same structure chain.
  • runtime/Operations.h: (JSC::countPrototypeChainEntriesAndCheckForProxies): Use the new refactored goodness.
  • runtime/PropertyNameArray.h: (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::setShouldCache): (JSC::PropertyNameArray::shouldCache): Renamed "cacheable" to "shouldCache" to communicate that the client is specifying a recommendation, not a capability.


  • runtime/Structure.cpp: (JSC::Structure::Structure): No need to initialize a RefPtr. (JSC::Structure::getEnumerablePropertyNames): Moved some code into helper functions.

(JSC::Structure::prototypeChain): New centralized accessor for a prototype
chain. Revalidates on every access, since the objects in the prototype
chain may have mutated.

(JSC::Structure::isValid): Helper function for revalidating a cached
prototype chain.

(JSC::Structure::getEnumerableNamesFromPropertyTable):
(JSC::Structure::getEnumerableNamesFromClassInfoTable): Factored out of
getEnumerablePropertyNames.

  • runtime/Structure.h:
  • runtime/StructureChain.cpp: (JSC::StructureChain::StructureChain):
  • runtime/StructureChain.h: (JSC::StructureChain::create): No need for structureChainsAreEqual, since we use pointer equality now. Refactored StructureChain to make a little more sense and eliminate special cases for null prototypes.

LayoutTests:

2009-02-24 Geoffrey Garen <[email protected]>

Reviewed by Maciej Stachowiak.


Added a test for <rdar://problem/6611174> REGRESSION (r36701): Unable to
select messages on hotmail (24052)

  • fast/js/for-in-cached-expected.txt: Added.
  • fast/js/for-in-cached.html: Added.
  • fast/js/resources/for-in-cached.js: Added. (forIn):
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/JavaScriptCore/jit/JITStubs.cpp

    r41168 r41232  
    114114    // Structure transition, cache transition info
    115115    if (slot.type() == PutPropertySlot::NewProperty) {
    116         StructureChain* chain = structure->cachedPrototypeChain();
    117         if (!chain) {
    118             chain = cachePrototypeChain(callFrame, structure);
    119             if (!chain) {
    120                 // This happens if someone has manually inserted null into the prototype chain
    121                 stubInfo->opcodeID = op_put_by_id_generic;
    122                 return;
    123             }
    124         }
    125         stubInfo->initPutByIdTransition(structure->previousID(), structure, chain);
    126         JIT::compilePutByIdTransition(callFrame->scopeChain()->globalData, codeBlock, stubInfo, structure->previousID(), structure, slot.cachedOffset(), chain, returnAddress);
     116        StructureChain* prototypeChain = structure->prototypeChain(callFrame);
     117        stubInfo->initPutByIdTransition(structure->previousID(), structure, prototypeChain);
     118        JIT::compilePutByIdTransition(callFrame->scopeChain()->globalData, codeBlock, stubInfo, structure->previousID(), structure, slot.cachedOffset(), prototypeChain, returnAddress);
    127119        return;
    128120    }
     
    206198        // Since we're accessing a prototype in a loop, it's a good bet that it
    207199        // should not be treated as a dictionary.
    208         if (slotBaseObject->structure()->isDictionary()) {
    209             RefPtr<Structure> transition = Structure::fromDictionaryTransition(slotBaseObject->structure());
    210             slotBaseObject->setStructure(transition.release());
    211             asCell(baseValue)->structure()->setCachedPrototypeChain(0);
    212         }
     200        if (slotBaseObject->structure()->isDictionary())
     201            slotBaseObject->setStructure(Structure::fromDictionaryTransition(slotBaseObject->structure()));
    213202       
    214203        stubInfo->initGetByIdProto(structure, slotBaseObject->structure());
     
    224213    }
    225214
    226     StructureChain* chain = structure->cachedPrototypeChain();
    227     if (!chain)
    228         chain = cachePrototypeChain(callFrame, structure);
    229     ASSERT(chain);
    230 
    231     stubInfo->initGetByIdChain(structure, chain);
    232 
    233     JIT::compileGetByIdChain(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, chain, count, slot.cachedOffset(), returnAddress);
     215    StructureChain* prototypeChain = structure->prototypeChain(callFrame);
     216    stubInfo->initGetByIdChain(structure, prototypeChain);
     217    JIT::compileGetByIdChain(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, prototypeChain, count, slot.cachedOffset(), returnAddress);
    234218}
    235219
     
    673657        // Since we're accessing a prototype in a loop, it's a good bet that it
    674658        // should not be treated as a dictionary.
    675         if (slotBaseObject->structure()->isDictionary()) {
    676             RefPtr<Structure> transition = Structure::fromDictionaryTransition(slotBaseObject->structure());
    677             slotBaseObject->setStructure(transition.release());
    678             asCell(baseValue)->structure()->setCachedPrototypeChain(0);
    679         }
     659        if (slotBaseObject->structure()->isDictionary())
     660            slotBaseObject->setStructure(Structure::fromDictionaryTransition(slotBaseObject->structure()));
    680661
    681662        int listIndex;
     
    687668            ctiPatchCallByReturnAddress(STUB_RETURN_ADDRESS, reinterpret_cast<void*>(cti_op_get_by_id_proto_list_full));
    688669    } else if (size_t count = countPrototypeChainEntriesAndCheckForProxies(callFrame, baseValue, slot)) {
    689         StructureChain* chain = structure->cachedPrototypeChain();
    690         if (!chain)
    691             chain = cachePrototypeChain(callFrame, structure);
    692         ASSERT(chain);
    693 
    694670        int listIndex;
    695671        PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(stubInfo, listIndex);
    696 
    697         JIT::compileGetByIdChainList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, chain, count, slot.cachedOffset());
     672        JIT::compileGetByIdChainList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, structure->prototypeChain(callFrame), count, slot.cachedOffset());
    698673
    699674        if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
Note: See TracChangeset for help on using the changeset viewer.