Changeset 62896 in webkit for trunk/JavaScriptCore/interpreter

Timestamp:

Jul 8, 2010, 10:47:49 PM (15 years ago)

Author:

[email protected]

Message:

2010-07-08 Oliver Hunt <​[email protected]>

Reviewed by Sam Weinig.

Property declarations in an object literal should not consider the prototype chain when being added to the new object
​https://bugs.webkit.org/show_bug.cgi?id=41929

To fix this all we need to do is ensure that all new properties are
added with putDirect rather than a fully generic call to put. This
is safe as an object literal is by definition going to produce a
completely normal object.

Rather than duplicating all the put_by_id logic we add an additional
flag to op_put_by_id to indicate it should be using putDirect. In
the interpreter this adds a runtime branch, but in the jit this is
essentially free as the branch is taken at compile time. This does
actually improve object literal creation time even in the interpreter
as we no longer need to walk the prototype chain to verify that the
cached put is safe.

We still emit normal put_by_id code when emitting proto as we want
to get the correct handling for changing the prototype.

Sunspider claims this is a 0.7% speedup which is conceivably real due
to the performance improvement in object literals, but I suspect its
really just the result of code motion.

• bytecode/Opcode.h:
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitPutById): (JSC::BytecodeGenerator::emitDirectPutById):
• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp: (JSC::PropertyListNode::emitBytecode):
• interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute):
• jit/JIT.h: (JSC::JIT::compilePutByIdTransition):
• jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_put_by_id): (JSC::JIT::emitSlow_op_put_by_id): (JSC::JIT::privateCompilePutByIdTransition): (JSC::JIT::patchPutByIdReplace):
• jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitSlow_op_put_by_id): (JSC::JIT::privateCompilePutByIdTransition): (JSC::JIT::patchPutByIdReplace):
• jit/JITStubs.cpp: (JSC::JITThunks::tryCachePutByID): (JSC::DEFINE_STUB_FUNCTION):
• jit/JITStubs.h: (JSC::):
• runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData):
• runtime/JSObject.h: (JSC::JSObject::putDirect): (JSC::JSValue::putDirect):
• runtime/JSValue.h:

2010-07-08 Oliver Hunt <​[email protected]>

Reviewed by Sam Weinig.

Property declarations in an object literal should not consider the prototype chain when being added to the new object
​https://bugs.webkit.org/show_bug.cgi?id=41929

Add tests to ensure correct behaviour of object literals when there
are setters on the prototype chain.

• fast/js/object-literal-direct-put-expected.txt: Added.
• fast/js/object-literal-direct-put.html: Added.
• fast/js/script-tests/object-literal-direct-put.js: Added.
• ietestcenter/Javascript/15.4.4.14-9-b-i-6-expected.txt:
• ietestcenter/Javascript/15.4.4.15-8-b-i-6-expected.txt:
• platform/chromium/test_expectations.txt:

File:

• trunk/JavaScriptCore/interpreter/Interpreter.cpp (modified) (8 diffs)

trunk/JavaScriptCore/interpreter/Interpreter.cpp

@@ -2903 +2903 @@
     }
     DEFINE_OPCODE(op_put_by_id) {
-        /* put_by_id base(r) property(id) value(r) nop(n) nop(n) nop(n) nop(n)
+        /* put_by_id base(r) property(id) value(r) nop(n) nop(n) nop(n) nop(n) direct(b)
 
            Generic property access: Sets the property named by identifier
@@ -2910 +2910 @@
            Unlike many opcodes, this one does not write any output to
            the register file.
+
+           The "direct" flag should only be set this put_by_id is to initialize
+           an object literal.
         */
 
@@ -2915 +2918 @@
         int property = vPC[2].u.operand;
         int value = vPC[3].u.operand;
+        int direct = vPC[8].u.operand;
 
         JSValue baseValue = callFrame->r(base).jsValue();
         Identifier& ident = codeBlock->identifier(property);
         PutPropertySlot slot;
-        baseValue.put(callFrame, ident, callFrame->r(value).jsValue(), slot);
+        if (direct) {
+            baseValue.putDirect(callFrame, ident, callFrame->r(value).jsValue(), slot);
+            ASSERT(slot.base() == baseValue);
+        } else
+            baseValue.put(callFrame, ident, callFrame->r(value).jsValue(), slot);
         CHECK_FOR_EXCEPTION();
 
@@ -2928 +2936 @@
     }
     DEFINE_OPCODE(op_put_by_id_transition) {
-        /* op_put_by_id_transition base(r) property(id) value(r) oldStructure(sID) newStructure(sID) structureChain(chain) offset(n)
+        /* op_put_by_id_transition base(r) property(id) value(r) oldStructure(sID) newStructure(sID) structureChain(chain) offset(n) direct(b)
          
            Cached property access: Attempts to set a new property with a cached transition
@@ -2949 +2957 @@
                 ASSERT(baseCell->isObject());
                 JSObject* baseObject = asObject(baseCell);
-
-                RefPtr<Structure>* it = vPC[6].u.structureChain->head();
-
-                JSValue proto = baseObject->structure()->prototypeForLookup(callFrame);
-                while (!proto.isNull()) {
-                    if (UNLIKELY(asObject(proto)->structure() != (*it).get())) {
-                        uncachePutByID(codeBlock, vPC);
-                        NEXT_INSTRUCTION();
+                int direct = vPC[8].u.operand;
+                
+                if (direct) {
+                    RefPtr<Structure>* it = vPC[6].u.structureChain->head();
+
+                    JSValue proto = baseObject->structure()->prototypeForLookup(callFrame);
+                    while (!proto.isNull()) {
+                        if (UNLIKELY(asObject(proto)->structure() != (*it).get())) {
+                            uncachePutByID(codeBlock, vPC);
+                            NEXT_INSTRUCTION();
+                        }
+                        ++it;
+                        proto = asObject(proto)->structure()->prototypeForLookup(callFrame);
                     }
-                    ++it;
-                    proto = asObject(proto)->structure()->prototypeForLookup(callFrame);
                 }
-
                 baseObject->transitionTo(newStructure);
 
@@ -2978 +2988 @@
     }
     DEFINE_OPCODE(op_put_by_id_replace) {
-        /* op_put_by_id_replace base(r) property(id) value(r) structure(sID) offset(n) nop(n) nop(n)
+        /* op_put_by_id_replace base(r) property(id) value(r) structure(sID) offset(n) nop(n) nop(n) direct(b)
 
            Cached property access: Attempts to set a pre-existing, cached
@@ -3013 +3023 @@
     }
     DEFINE_OPCODE(op_put_by_id_generic) {
-        /* op_put_by_id_generic base(r) property(id) value(r) nop(n) nop(n) nop(n) nop(n)
+        /* op_put_by_id_generic base(r) property(id) value(r) nop(n) nop(n) nop(n) nop(n) direct(b)
 
            Generic property access: Sets the property named by identifier
@@ -3024 +3034 @@
         int property = vPC[2].u.operand;
         int value = vPC[3].u.operand;
+        int direct = vPC[8].u.operand;
 
         JSValue baseValue = callFrame->r(base).jsValue();
         Identifier& ident = codeBlock->identifier(property);
         PutPropertySlot slot;
-        baseValue.put(callFrame, ident, callFrame->r(value).jsValue(), slot);
+        if (direct) {
+            baseValue.putDirect(callFrame, ident, callFrame->r(value).jsValue(), slot);
+            ASSERT(slot.base() == baseValue);
+        } else
+            baseValue.put(callFrame, ident, callFrame->r(value).jsValue(), slot);
         CHECK_FOR_EXCEPTION();