Changeset 44171 in webkit for trunk/JavaScriptCore

Timestamp:

May 26, 2009, 7:47:35 PM (16 years ago)

Author:

[email protected]

Message:

2009-05-26 Gavin Barraclough <​[email protected]>

Reviewed by Oliver Hunt.

Fix for: <rdar://problem/6918095> REGRESSION: jQuery load() issue (25981),
and also an ASSERT failure on ​http://ihasahotdog.com/.

When overwriting a property on a dictionary with a cached specific value,
clear the cache if new value being written is different.

• JavaScriptCore.exp:

Export the new symbols.

• jit/JITStubs.cpp: (JSC::JITStubs::cti_op_get_by_id_method_check_second):

Close dictionary prototypes upon caching a method access, as would happen when caching
a regular get_by_id.

• runtime/JSObject.h: (JSC::JSObject::propertyStorage): (JSC::JSObject::locationForOffset):

Make these methods private.

(JSC::JSObject::putDirectInternal):

When overwriting a property on a dictionary with a cached specific value,
clear the cache if new value being written is different.

• runtime/Structure.cpp: (JSC::Structure::despecifyDictionaryFunction):

Reset the specific value field for a given property in a dictionary.

(JSC::Structure::despecifyFunctionTransition):

Rename of 'changeFunctionTransition' (this was already internally refered to as a despecification).

• runtime/Structure.h:

Declare new method.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.exp (modified) (1 diff)
• jit/JITStubs.cpp (modified) (2 diffs)
• runtime/JSObject.h (modified) (6 diffs)
• runtime/Structure.cpp (modified) (2 diffs)
• runtime/Structure.h (modified) (2 diffs)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2009-05-26  Gavin Barraclough  <[email protected]>
+
+        Reviewed by Oliver Hunt.
+
+        Fix for: <rdar://problem/6918095> REGRESSION: jQuery load() issue (25981),
+        and also an ASSERT failure on http://ihasahotdog.com/.
+
+        When overwriting a property on a dictionary with a cached specific value,
+        clear the cache if new value being written is different.
+
+        * JavaScriptCore.exp:
+            Export the new symbols.
+        * jit/JITStubs.cpp:
+        (JSC::JITStubs::cti_op_get_by_id_method_check_second):
+            Close dictionary prototypes upon caching a method access, as would happen when caching
+            a regular get_by_id.
+        * runtime/JSObject.h:
+        (JSC::JSObject::propertyStorage):
+        (JSC::JSObject::locationForOffset):
+            Make these methods private.
+        (JSC::JSObject::putDirectInternal):
+            When overwriting a property on a dictionary with a cached specific value,
+            clear the cache if new value being written is different.
+        * runtime/Structure.cpp:
+        (JSC::Structure::despecifyDictionaryFunction):
+            Reset the specific value field for a given property in a dictionary.
+        (JSC::Structure::despecifyFunctionTransition):
+            Rename of 'changeFunctionTransition' (this was already internally refered to as a despecification).
+        * runtime/Structure.h:
+            Declare new method.
+
 2009-05-26  Gavin Barraclough  <[email protected]>
 

trunk/JavaScriptCore/JavaScriptCore.exp

@@ -265 +265 @@
 __ZN3JSC9Structure21addPropertyTransitionEPS0_RKNS_10IdentifierEjPNS_6JSCellERm
 __ZN3JSC9Structure22materializePropertyMapEv
-__ZN3JSC9Structure24changeFunctionTransitionEPS0_RKNS_10IdentifierE
 __ZN3JSC9Structure25changePrototypeTransitionEPS0_NS_7JSValueE
+__ZN3JSC9Structure27despecifyDictionaryFunctionERKNS_10IdentifierE
+__ZN3JSC9Structure27despecifyFunctionTransitionEPS0_RKNS_10IdentifierE
 __ZN3JSC9Structure28addPropertyWithoutTransitionERKNS_10IdentifierEjPNS_6JSCellE
 __ZN3JSC9Structure3getEPKNS_7UString3RepERjRPNS_6JSCellE

trunk/JavaScriptCore/jit/JITStubs.cpp

@@ -733 +733 @@
     Structure* structure;
     JSCell* specific;
+    JSObject* slotBaseObject;
     if (baseValue.isCell()
         && slot.isCacheable()
         && !(structure = asCell(baseValue)->structure())->isDictionary()
-        && asObject(slot.slotBase())->getPropertySpecificValue(callFrame, ident, specific)
+        && (slotBaseObject = asObject(slot.slotBase()))->getPropertySpecificValue(callFrame, ident, specific)
         && specific
         ) {
 
         JSFunction* callee = (JSFunction*)specific;
+
+        // Since we're accessing a prototype in a loop, it's a good bet that it
+        // should not be treated as a dictionary.
+        if (slotBaseObject->structure()->isDictionary())
+            slotBaseObject->setStructure(Structure::fromDictionaryTransition(slotBaseObject->structure()));
 
         // The result fetched should always be the callee!
@@ -748 +754 @@
         // Check to see if the function is on the object's prototype.  Patch up the code to optimize.
         if (slot.slotBase() == structure->prototypeForLookup(callFrame))
-            JIT::patchMethodCallProto(methodCallLinkInfo, callee, structure, asObject(slot.slotBase()));
+            JIT::patchMethodCallProto(methodCallLinkInfo, callee, structure, slotBaseObject);
         // Check to see if the function is on the object itself.
         // Since we generate the method-check to check both the structure and a prototype-structure (since this

trunk/JavaScriptCore/runtime/JSObject.h

@@ -85 +85 @@
         Structure* inheritorID();
 
-        ConstPropertyStorage propertyStorage() const { return (isUsingInlineStorage() ? m_inlineStorage : m_externalStorage); }
-        PropertyStorage propertyStorage() { return (isUsingInlineStorage() ? m_inlineStorage : m_externalStorage); }
-
         virtual UString className() const;
 
@@ -141 +138 @@
         }
 
-        size_t getOffset(const Identifier& propertyName)
-        {
-            return m_structure->get(propertyName);
-        }
-
         JSValue* getDirectLocation(const Identifier& propertyName)
         {
@@ -164 +156 @@
         }
 
-        const JSValue* locationForOffset(size_t offset) const
-        {
-            return reinterpret_cast<const JSValue*>(&propertyStorage()[offset]);
-        }
-
-        JSValue* locationForOffset(size_t offset)
-        {
-            return reinterpret_cast<JSValue*>(&propertyStorage()[offset]);
-        }
-
         void transitionTo(Structure*);
 
@@ -224 +206 @@
 
     private:
+        ConstPropertyStorage propertyStorage() const { return (isUsingInlineStorage() ? m_inlineStorage : m_externalStorage); }
+        PropertyStorage propertyStorage() { return (isUsingInlineStorage() ? m_inlineStorage : m_externalStorage); }
+
+        const JSValue* locationForOffset(size_t offset) const
+        {
+            return reinterpret_cast<const JSValue*>(&propertyStorage()[offset]);
+        }
+
+        JSValue* locationForOffset(size_t offset)
+        {
+            return reinterpret_cast<JSValue*>(&propertyStorage()[offset]);
+        }
+
         void putDirectInternal(const Identifier& propertyName, JSValue value, unsigned attr, bool checkReadOnly, PutPropertySlot& slot, JSCell*);
         void putDirectInternal(JSGlobalData&, const Identifier& propertyName, JSValue value, unsigned attr, bool checkReadOnly, PutPropertySlot& slot);
@@ -427 +422 @@
         size_t offset = m_structure->get(propertyName, currentAttributes, currentSpecificFunction);
         if (offset != WTF::notFound) {
+            if (currentSpecificFunction && (specificFunction != currentSpecificFunction))
+                m_structure->despecifyDictionaryFunction(propertyName);
             if (checkReadOnly && currentAttributes & ReadOnly)
                 return;
             putDirectOffset(offset, value);
-            slot.setExistingProperty(this, offset);
+            if (!specificFunction && !currentSpecificFunction)
+                slot.setExistingProperty(this, offset);
             return;
         }
@@ -470 +468 @@
 
         if (currentSpecificFunction && (specificFunction != currentSpecificFunction)) {
-            setStructure(Structure::changeFunctionTransition(m_structure, propertyName));
+            setStructure(Structure::despecifyFunctionTransition(m_structure, propertyName));
             putDirectOffset(offset, value);
             // Function transitions are not currently cachable, so leave the slot in an uncachable state.

trunk/JavaScriptCore/runtime/Structure.cpp

@@ -328 +328 @@
 }
 
+void Structure::despecifyDictionaryFunction(const Identifier& propertyName)
+{
+    const UString::Rep* rep = propertyName._ustring.rep();
+
+    materializePropertyMapIfNecessary();
+
+    ASSERT(m_isDictionary);
+    ASSERT(m_propertyTable);
+
+    unsigned i = rep->computedHash();
+
+#if DUMP_PROPERTYMAP_STATS
+    ++numProbes;
+#endif
+
+    unsigned entryIndex = m_propertyTable->entryIndices[i & m_propertyTable->sizeMask];
+    ASSERT(entryIndex != emptyEntryIndex);
+
+    if (rep == m_propertyTable->entries()[entryIndex - 1].key) {
+        m_propertyTable->entries()[entryIndex - 1].specificValue = 0;
+        return;
+    }
+
+#if DUMP_PROPERTYMAP_STATS
+    ++numCollisions;
+#endif
+
+    unsigned k = 1 | doubleHash(rep->computedHash());
+
+    while (1) {
+        i += k;
+
+#if DUMP_PROPERTYMAP_STATS
+        ++numRehashes;
+#endif
+
+        entryIndex = m_propertyTable->entryIndices[i & m_propertyTable->sizeMask];
+        ASSERT(entryIndex != emptyEntryIndex);
+
+        if (rep == m_propertyTable->entries()[entryIndex - 1].key) {
+            m_propertyTable->entries()[entryIndex - 1].specificValue = 0;
+            return;
+        }
+    }
+}
+
 PassRefPtr<Structure> Structure::addPropertyTransitionToExistingStructure(Structure* structure, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset)
 {
@@ -441 +487 @@
 }
 
-PassRefPtr<Structure> Structure::changeFunctionTransition(Structure* structure, const Identifier& replaceFunction)
+PassRefPtr<Structure> Structure::despecifyFunctionTransition(Structure* structure, const Identifier& replaceFunction)
 {
     RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo());

trunk/JavaScriptCore/runtime/Structure.h

@@ -66 +66 @@
         static PassRefPtr<Structure> removePropertyTransition(Structure*, const Identifier& propertyName, size_t& offset);
         static PassRefPtr<Structure> changePrototypeTransition(Structure*, JSValue prototype);
-        static PassRefPtr<Structure> changeFunctionTransition(Structure*, const Identifier&);        
+        static PassRefPtr<Structure> despecifyFunctionTransition(Structure*, const Identifier&);        
         static PassRefPtr<Structure> getterSetterTransition(Structure*);
         static PassRefPtr<Structure> toDictionaryTransition(Structure*);
@@ -115 +115 @@
 
         JSCell* specificValue() { return m_specificValueInPrevious; }
+        void despecifyDictionaryFunction(const Identifier& propertyName);
 
     private: