Changeset 59055 in webkit for trunk/JavaScriptCore

Timestamp:

May 9, 2010, 4:18:25 AM (15 years ago)

Author:

[email protected]

Message:

2010-05-09 Maciej Stachowiak <​[email protected]>

Fixed version of: "Optimized o[s] where o is a cell and s is a string"
​https://bugs.webkit.org/show_bug.cgi?id=38815

Fixed the previous patch for this from Geoff Garen.

The two problems were a missing exception check and a PropertySlot
initialized improperly, leading to crashes and failures in the case
of getters accessed with bracket syntax.

Previous patch:

Optimized o[s] where o is a cell and s is a string, removing some old
code that wasn't really tuned for the JIT.

SunSpider says 0.8% faster.

• jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION):
• runtime/JSCell.h:

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• jit/JITStubs.cpp (modified) (1 diff)
• runtime/JSCell.h (modified) (2 diffs)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2010-05-09  Maciej Stachowiak  <[email protected]>
+
+        Fixed version of: "Optimized o[s] where o is a cell and s is a string"
+        https://bugs.webkit.org/show_bug.cgi?id=38815
+        
+        Fixed the previous patch for this from Geoff Garen.
+        
+        The two problems were a missing exception check and a PropertySlot
+        initialized improperly, leading to crashes and failures in the case
+        of getters accessed with bracket syntax.
+
+    Previous patch:
+
+        Optimized o[s] where o is a cell and s is a string, removing some old
+        code that wasn't really tuned for the JIT.
+        
+        SunSpider says 0.8% faster.
+
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * runtime/JSCell.h:
+
 2010-05-08  Laszlo Gombos  <[email protected]>
 

trunk/JavaScriptCore/jit/JITStubs.cpp

@@ -2088 +2088 @@
     JSValue subscript = stackFrame.args[1].jsValue();
 
-    JSValue result;
-
-    if (LIKELY(subscript.isUInt32())) {
+    if (LIKELY(baseValue.isCell() && subscript.isString())) {
+        Identifier propertyName(callFrame, asString(subscript)->value(callFrame));
+        PropertySlot slot(asCell(baseValue));
+        if (asCell(baseValue)->fastGetOwnPropertySlot(callFrame, propertyName, slot)) {
+            JSValue result = slot.getValue(callFrame, propertyName);
+            CHECK_FOR_EXCEPTION();
+            return JSValue::encode(result);
+        }
+    }
+
+    if (subscript.isUInt32()) {
         uint32_t i = subscript.asUInt32();
-        if (isJSArray(globalData, baseValue)) {
-            JSArray* jsArray = asArray(baseValue);
-            if (jsArray->canGetIndex(i))
-                result = jsArray->getIndex(i);
-            else
-                result = jsArray->JSArray::get(callFrame, i);
-        } else if (isJSString(globalData, baseValue) && asString(baseValue)->canGetIndex(i)) {
-            // All fast byte array accesses are safe from exceptions so return immediately to avoid exception checks.
+        if (isJSString(globalData, baseValue) && asString(baseValue)->canGetIndex(i)) {
             ctiPatchCallByReturnAddress(callFrame->codeBlock(), STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_val_string));
-            result = asString(baseValue)->getIndex(callFrame, i);
-        } else if (isJSByteArray(globalData, baseValue) && asByteArray(baseValue)->canAccessIndex(i)) {
+            JSValue result = asString(baseValue)->getIndex(callFrame, i);
+            CHECK_FOR_EXCEPTION();
+            return JSValue::encode(result);
+        }
+        if (isJSByteArray(globalData, baseValue) && asByteArray(baseValue)->canAccessIndex(i)) {
             // All fast byte array accesses are safe from exceptions so return immediately to avoid exception checks.
             ctiPatchCallByReturnAddress(callFrame->codeBlock(), STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_val_byte_array));
             return JSValue::encode(asByteArray(baseValue)->getIndex(callFrame, i));
-        } else
-            result = baseValue.get(callFrame, i);
-    } else {
-        Identifier property(callFrame, subscript.toString(callFrame));
-        result = baseValue.get(callFrame, property);
-    }
-
+        }
+        JSValue result = baseValue.get(callFrame, i);
+        CHECK_FOR_EXCEPTION();
+        return JSValue::encode(result);
+    }
+    
+    Identifier property(callFrame, subscript.toString(callFrame));
+    JSValue result = baseValue.get(callFrame, property);
     CHECK_FOR_EXCEPTION_AT_END();
     return JSValue::encode(result);

trunk/JavaScriptCore/runtime/JSCell.h

@@ -112 +112 @@
         void setVPtr(void* vptr) { *reinterpret_cast<void**>(this) = vptr; }
 
+        // FIXME: Rename getOwnPropertySlot to virtualGetOwnPropertySlot, and
+        // fastGetOwnPropertySlot to getOwnPropertySlot. Callers should always
+        // call this function, not its slower virtual counterpart. (For integer
+        // property names, we want a similar interface with appropriate optimizations.)
+        bool fastGetOwnPropertySlot(ExecState*, const Identifier& propertyName, PropertySlot&);
+
     protected:
         static const unsigned AnonymousSlotCount = 0;
@@ -117 +123 @@
     private:
         // Base implementation; for non-object classes implements getPropertySlot.
-        bool fastGetOwnPropertySlot(ExecState*, const Identifier& propertyName, PropertySlot&);
         virtual bool getOwnPropertySlot(ExecState*, const Identifier& propertyName, PropertySlot&);
         virtual bool getOwnPropertySlot(ExecState*, unsigned propertyName, PropertySlot&);