Changeset 41232 in webkit for trunk/JavaScriptCore/runtime

Timestamp:

Feb 25, 2009, 3:44:07 PM (16 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

2009-02-25 Geoffrey Garen <​[email protected]>

Reviewed by Maciej Stachowiak.

Fixed <rdar://problem/6611174> REGRESSION (r36701): Unable to select
messages on hotmail (24052)

The bug was that for-in enumeration used a cached prototype chain without
validating that it was up-to-date.

This led me to refactor prototype chain caching so it was easier to work
with and harder to get wrong.

After a bit of inlining, this patch is performance-neutral on SunSpider
and the v8 benchmarks.

• interpreter/Interpreter.cpp: (JSC::Interpreter::tryCachePutByID): (JSC::Interpreter::tryCacheGetByID):
• jit/JITStubs.cpp: (JSC::JITStubs::tryCachePutByID): (JSC::JITStubs::tryCacheGetByID): (JSC::JITStubs::cti_op_get_by_id_proto_list): Use the new refactored goodness. See lines beginning with "-" and smile.

• runtime/JSGlobalObject.h: (JSC::Structure::prototypeForLookup): A shout out to const.

• runtime/JSPropertyNameIterator.h: (JSC::JSPropertyNameIterator::next): We can use a pointer comparison to see if our cached structure chain is equal to the object's structure chain, since in the case of a cache hit, we share references to the same structure chain.

• runtime/Operations.h: (JSC::countPrototypeChainEntriesAndCheckForProxies): Use the new refactored goodness.

• runtime/PropertyNameArray.h: (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::setShouldCache): (JSC::PropertyNameArray::shouldCache): Renamed "cacheable" to "shouldCache" to communicate that the client is specifying a recommendation, not a capability.

• runtime/Structure.cpp: (JSC::Structure::Structure): No need to initialize a RefPtr. (JSC::Structure::getEnumerablePropertyNames): Moved some code into helper functions.

(JSC::Structure::prototypeChain): New centralized accessor for a prototype
chain. Revalidates on every access, since the objects in the prototype
chain may have mutated.

(JSC::Structure::isValid): Helper function for revalidating a cached
prototype chain.

(JSC::Structure::getEnumerableNamesFromPropertyTable):
(JSC::Structure::getEnumerableNamesFromClassInfoTable): Factored out of
getEnumerablePropertyNames.

• runtime/Structure.h:

• runtime/StructureChain.cpp: (JSC::StructureChain::StructureChain):
• runtime/StructureChain.h: (JSC::StructureChain::create): No need for structureChainsAreEqual, since we use pointer equality now. Refactored StructureChain to make a little more sense and eliminate special cases for null prototypes.

LayoutTests:

2009-02-24 Geoffrey Garen <​[email protected]>

Reviewed by Maciej Stachowiak.

Added a test for <rdar://problem/6611174> REGRESSION (r36701): Unable to
select messages on hotmail (24052)

• fast/js/for-in-cached-expected.txt: Added.
• fast/js/for-in-cached.html: Added.
• fast/js/resources/for-in-cached.js: Added. (forIn):

Location:

trunk/JavaScriptCore/runtime

Files:

• JSGlobalObject.h (modified) (2 diffs)
• JSPropertyNameIterator.h (modified) (1 diff)
• Operations.h (modified) (2 diffs)
• PropertyNameArray.h (modified) (4 diffs)
• Structure.cpp (modified) (5 diffs)
• Structure.h (modified) (4 diffs)
• StructureChain.cpp (modified) (1 diff)
• StructureChain.h (modified) (1 diff)

trunk/JavaScriptCore/runtime/JSGlobalObject.h

@@ -330 +330 @@
     }
 
-    inline JSValuePtr Structure::prototypeForLookup(ExecState* exec)
+    inline JSValuePtr Structure::prototypeForLookup(ExecState* exec) const
     {
         if (typeInfo().type() == ObjectType)
@@ -340 +340 @@
         ASSERT(typeInfo().type() == NumberType);
         return exec->lexicalGlobalObject()->numberPrototype();
+    }
+
+    inline StructureChain* Structure::prototypeChain(ExecState* exec) const
+    {
+        // We cache our prototype chain so our clients can share it.
+        if (!isValid(exec, m_cachedPrototypeChain.get())) {
+            JSValuePtr prototype = prototypeForLookup(exec);
+            m_cachedPrototypeChain = StructureChain::create(prototype.isNull() ? 0 : asObject(prototype)->structure());
+        }
+        return m_cachedPrototypeChain.get();
+    }
+
+    inline bool Structure::isValid(ExecState* exec, StructureChain* cachedPrototypeChain) const
+    {
+        if (!cachedPrototypeChain)
+            return false;
+
+        JSValuePtr prototype = prototypeForLookup(exec);
+        RefPtr<Structure>* cachedStructure = cachedPrototypeChain->head();
+        while(*cachedStructure && !prototype.isNull()) {
+            if (asObject(prototype)->structure() != *cachedStructure)
+                return false;
+            ++cachedStructure;
+            prototype = asObject(prototype)->prototype();
+        }
+        return prototype.isNull() && !*cachedStructure;
     }
 

trunk/JavaScriptCore/runtime/JSPropertyNameIterator.h

@@ -100 +100 @@
         return noValue();
 
-    if (m_data->cachedStructure() == m_object->structure() && structureChainsAreEqual(m_data->cachedPrototypeChain(), m_object->structure()->cachedPrototypeChain()))
+    if (m_data->cachedStructure() == m_object->structure() && m_data->cachedPrototypeChain() == m_object->structure()->prototypeChain(exec))
         return jsOwnedString(exec, (*m_position++).ustring());
 

trunk/JavaScriptCore/runtime/Operations.h

@@ -227 +227 @@
     }
 
-    inline StructureChain* cachePrototypeChain(CallFrame* callFrame, Structure* structure)
-    {
-        JSValuePtr prototype = structure->prototypeForLookup(callFrame);
-        if (!prototype.isCell())
-            return 0;
-        RefPtr<StructureChain> chain = StructureChain::create(asObject(prototype)->structure());
-        structure->setCachedPrototypeChain(chain.release());
-        return structure->cachedPrototypeChain();
-    }
-
     inline size_t countPrototypeChainEntriesAndCheckForProxies(CallFrame* callFrame, JSValuePtr baseValue, const PropertySlot& slot)
     {
@@ -255 +245 @@
             // Since we're accessing a prototype in a loop, it's a good bet that it
             // should not be treated as a dictionary.
-            if (cell->structure()->isDictionary()) {
-                RefPtr<Structure> transition = Structure::fromDictionaryTransition(cell->structure());
-                asObject(cell)->setStructure(transition.release());
-                cell->structure()->setCachedPrototypeChain(0);
-            }
+            if (cell->structure()->isDictionary())
+                asObject(cell)->setStructure(Structure::fromDictionaryTransition(cell->structure()));
 
             ++count;

trunk/JavaScriptCore/runtime/PropertyNameArray.h

@@ -66 +66 @@
             : m_data(PropertyNameArrayData::create())
             , m_globalData(globalData)
-            , m_cacheable(true)
+            , m_shouldCache(true)
         {
         }
@@ -73 +73 @@
             : m_data(PropertyNameArrayData::create())
             , m_globalData(&exec->globalData())
-            , m_cacheable(true)
+            , m_shouldCache(true)
         {
         }
@@ -96 +96 @@
         PassRefPtr<PropertyNameArrayData> releaseData() { return m_data.release(); }
 
-        void setCacheable(bool cacheable) { m_cacheable = cacheable; }
-        bool cacheable() const { return m_cacheable; }
+        void setShouldCache(bool shouldCache) { m_shouldCache = shouldCache; }
+        bool shouldCache() const { return m_shouldCache; }
 
     private:
@@ -105 +105 @@
         IdentifierSet m_set;
         JSGlobalData* m_globalData;
-        bool m_cacheable;
+        bool m_shouldCache;
     };
 

trunk/JavaScriptCore/runtime/Structure.cpp

@@ -124 +124 @@
     : m_typeInfo(typeInfo)
     , m_prototype(prototype)
-    , m_cachedPrototypeChain(0)
-    , m_previous(0)
-    , m_nameInPrevious(0)
     , m_propertyTable(0)
     , m_propertyStorageCapacity(JSObject::inlineStorageCapacity)
@@ -290 +287 @@
 void Structure::getEnumerablePropertyNames(ExecState* exec, PropertyNameArray& propertyNames, JSObject* baseObject)
 {
-    bool shouldCache = propertyNames.cacheable() && !(propertyNames.size() || m_isDictionary);
+    bool shouldCache = propertyNames.shouldCache() && !(propertyNames.size() || m_isDictionary);
+
+    if (shouldCache && m_cachedPropertyNameArrayData) {
+        if (m_cachedPropertyNameArrayData->cachedPrototypeChain() == prototypeChain(exec)) {
+            propertyNames.setData(m_cachedPropertyNameArrayData);
+            return;
+        }
+        clearEnumerationCache();
+    }
+
+    getEnumerableNamesFromPropertyTable(propertyNames);
+    getEnumerableNamesFromClassInfoTable(exec, baseObject->classInfo(), propertyNames);
+
+    if (m_prototype.isObject()) {
+        propertyNames.setShouldCache(false); // No need for our prototypes to waste memory on caching, since they're not being enumerated directly.
+        asObject(m_prototype)->getPropertyNames(exec, propertyNames);
+    }
 
     if (shouldCache) {
-        if (m_cachedPropertyNameArrayData) {
-            if (structureChainsAreEqual(m_cachedPropertyNameArrayData->cachedPrototypeChain(), cachedPrototypeChain())) {
-                propertyNames.setData(m_cachedPropertyNameArrayData);
-                return;
-            }
-        }
-        propertyNames.setCacheable(false);
-    }
-
-    getEnumerablePropertyNamesInternal(propertyNames);
-
-    // Add properties from the static hashtables of properties
-    for (const ClassInfo* info = baseObject->classInfo(); info; info = info->parentClass) {
-        const HashTable* table = info->propHashTable(exec);
-        if (!table)
-            continue;
-        table->initializeIfNeeded(exec);
-        ASSERT(table->table);
-#if ENABLE(PERFECT_HASH_SIZE)
-        int hashSizeMask = table->hashSizeMask;
-#else
-        int hashSizeMask = table->compactSize - 1;
-#endif
-        const HashEntry* entry = table->table;
-        for (int i = 0; i <= hashSizeMask; ++i, ++entry) {
-            if (entry->key() && !(entry->attributes() & DontEnum))
-                propertyNames.add(entry->key());
-        }
-    }
-
-    if (m_prototype.isObject())
-        asObject(m_prototype)->getPropertyNames(exec, propertyNames);
-
-    if (shouldCache) {
-        if (m_cachedPropertyNameArrayData)
-            m_cachedPropertyNameArrayData->setCachedStructure(0);
-
         m_cachedPropertyNameArrayData = propertyNames.data();
-
-        StructureChain* chain = cachedPrototypeChain();
-        if (!chain)
-            chain = createCachedPrototypeChain();
-        m_cachedPropertyNameArrayData->setCachedPrototypeChain(chain);
+        m_cachedPropertyNameArrayData->setCachedPrototypeChain(prototypeChain(exec));
         m_cachedPropertyNameArrayData->setCachedStructure(this);
     }
@@ -535 +507 @@
     clearEnumerationCache();
     return offset;
-}
-
-StructureChain* Structure::createCachedPrototypeChain()
-{
-    ASSERT(typeInfo().type() == ObjectType);
-    ASSERT(!m_cachedPrototypeChain);
-
-    JSValuePtr prototype = storedPrototype();
-    if (!prototype.isCell())
-        return 0;
-
-    RefPtr<StructureChain> chain = StructureChain::create(asObject(prototype)->structure());
-    setCachedPrototypeChain(chain.release());
-    return cachedPrototypeChain();
 }
 
@@ -925 +883 @@
 }
 
-void Structure::getEnumerablePropertyNamesInternal(PropertyNameArray& propertyNames)
+void Structure::getEnumerableNamesFromPropertyTable(PropertyNameArray& propertyNames)
 {
     materializePropertyMapIfNecessary();
@@ -979 +937 @@
         for (size_t i = 0; i < sortedEnumerables.size(); ++i)
             propertyNames.add(sortedEnumerables[i]->key);
+    }
+}
+
+void Structure::getEnumerableNamesFromClassInfoTable(ExecState* exec, const ClassInfo* classInfo, PropertyNameArray& propertyNames)
+{
+    // Add properties from the static hashtables of properties
+    for (; classInfo; classInfo = classInfo->parentClass) {
+        const HashTable* table = classInfo->propHashTable(exec);
+        if (!table)
+            continue;
+        table->initializeIfNeeded(exec);
+        ASSERT(table->table);
+#if ENABLE(PERFECT_HASH_SIZE)
+        int hashSizeMask = table->hashSizeMask;
+#else
+        int hashSizeMask = table->compactSize - 1;
+#endif
+        const HashEntry* entry = table->table;
+        for (int i = 0; i <= hashSizeMask; ++i, ++entry) {
+            if (entry->key() && !(entry->attributes() & DontEnum))
+                propertyNames.add(entry->key());
+        }
     }
 }

trunk/JavaScriptCore/runtime/Structure.h

@@ -88 +88 @@
 
         JSValuePtr storedPrototype() const { return m_prototype; }
-        JSValuePtr prototypeForLookup(ExecState*); 
+        JSValuePtr prototypeForLookup(ExecState*) const;
+        StructureChain* prototypeChain(ExecState*) const;
 
         Structure* previousID() const { return m_previous.get(); }
-
-        StructureChain* createCachedPrototypeChain();
-        void setCachedPrototypeChain(PassRefPtr<StructureChain> cachedPrototypeChain) { m_cachedPrototypeChain = cachedPrototypeChain; }
-        StructureChain* cachedPrototypeChain() const { return m_cachedPrototypeChain.get(); }
 
         void growPropertyStorageCapacity();
@@ -114 +111 @@
         size_t put(const Identifier& propertyName, unsigned attributes);
         size_t remove(const Identifier& propertyName);
-        void getEnumerablePropertyNamesInternal(PropertyNameArray&);
+        void getEnumerableNamesFromPropertyTable(PropertyNameArray&);
+        void getEnumerableNamesFromClassInfoTable(ExecState*, const ClassInfo*, PropertyNameArray&);
 
         void expandPropertyMapHashTable();
@@ -145 +143 @@
             return m_offset == noOffset ? 0 : m_offset + 1;
         }
+        
+        bool isValid(ExecState*, StructureChain* cachedPrototypeChain) const;
 
         static const unsigned emptyEntryIndex = 0;
@@ -155 +155 @@
 
         JSValuePtr m_prototype;
-        RefPtr<StructureChain> m_cachedPrototypeChain;
+        mutable RefPtr<StructureChain> m_cachedPrototypeChain;
 
         RefPtr<Structure> m_previous;

trunk/JavaScriptCore/runtime/StructureChain.cpp

@@ -33 +33 @@
 namespace JSC {
 
-StructureChain::StructureChain(Structure* structure)
+StructureChain::StructureChain(Structure* head)
 {
-    size_t size = 1;
-
-    Structure* tmp = structure;
-    while (!tmp->storedPrototype().isNull()) {
+    size_t size = 0;
+    for (Structure* current = head; current; current = current->storedPrototype().isNull() ? 0 : asObject(current->storedPrototype())->structure())
         ++size;
-        tmp = asCell(tmp->storedPrototype())->structure();
-    }
     
     m_vector.set(new RefPtr<Structure>[size + 1]);
 
-    size_t i;
-    for (i = 0; i < size - 1; ++i) {
-        m_vector[i] = structure;
-        structure = asObject(structure->storedPrototype())->structure();
-    }
-    m_vector[i] = structure;
-    m_vector[i + 1] = 0;
-}
-
-bool structureChainsAreEqual(StructureChain* chainA, StructureChain* chainB)
-{
-    if (!chainA || !chainB)
-        return false;
-
-    RefPtr<Structure>* a = chainA->head();
-    RefPtr<Structure>* b = chainB->head();
-    while (1) {
-        if (*a != *b)
-            return false;
-        if (!*a)
-            return true;
-        a++;
-        b++;
-    }
+    size_t i = 0;
+    for (Structure* current = head; current; current = current->storedPrototype().isNull() ? 0 : asObject(current->storedPrototype())->structure())
+        m_vector[i++] = current;
+    m_vector[i] = 0;
 }
 

trunk/JavaScriptCore/runtime/StructureChain.h

@@ -38 +38 @@
     class StructureChain : public RefCounted<StructureChain> {
     public:
-        static PassRefPtr<StructureChain> create(Structure* structure) { return adoptRef(new StructureChain(structure)); }
-
+        static PassRefPtr<StructureChain> create(Structure* head) { return adoptRef(new StructureChain(head)); }
         RefPtr<Structure>* head() { return m_vector.get(); }
 
     private:
-        StructureChain(Structure* structure);
+        StructureChain(Structure* head);
 
         OwnArrayPtr<RefPtr<Structure> > m_vector;
     };
 
-    bool structureChainsAreEqual(StructureChain*, StructureChain*);
-
 } // namespace JSC