WebKit Bugzilla
Attachment 357335 Details for
Bug 192715
: REGRESSION(r239153): Caused flaky GC-related crashes seen with layout tests (Requested by ryanhaddad on #webkit).
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
ROLLOUT of r239153
bug-192715-20181214133043.patch (text/plain), 51.35 KB, created by
WebKit Commit Bot
on 2018-12-14 13:30:44 PST
(
hide
)
Description:
ROLLOUT of r239153
Filename:
MIME Type:
Creator:
WebKit Commit Bot
Created:
2018-12-14 13:30:44 PST
Size:
51.35 KB
patch
obsolete
>Subversion Revision: 239230 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 991b84d867a4b8e49a7ec5fb228e687d5943a3ae..b02feb8c637c0aafc8d7327d5944d18cb6d83d45 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,26 @@ >+2018-12-14 Commit Queue <commit-queue@webkit.org> >+ >+ Unreviewed, rolling out r239153, r239154, and r239155. >+ https://bugs.webkit.org/show_bug.cgi?id=192715 >+ >+ Caused flaky GC-related crashes seen with layout tests >+ (Requested by ryanhaddad on #webkit). >+ >+ Reverted changesets: >+ >+ "[JSC] Optimize Object.keys by caching own keys results in >+ StructureRareData" >+ https://bugs.webkit.org/show_bug.cgi?id=190047 >+ https://trac.webkit.org/changeset/239153 >+ >+ "Unreviewed, build fix after r239153" >+ https://bugs.webkit.org/show_bug.cgi?id=190047 >+ https://trac.webkit.org/changeset/239154 >+ >+ "Unreviewed, build fix after r239153, part 2" >+ https://bugs.webkit.org/show_bug.cgi?id=190047 >+ https://trac.webkit.org/changeset/239155 >+ > 2018-12-14 Keith Miller <keith_miller@apple.com> > > Callers of JSString::getIndex should check for OOM exceptions >diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h >index 3bff948719c448ead2840023588a5a64321233f2..5f5eccc330c22be8bd91e1b4cd7b759714a0dd67 100644 >--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h >+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h >@@ -43,7 +43,6 @@ > #include "Operations.h" > #include "PutByIdStatus.h" > #include "StringObject.h" >-#include "StructureRareDataInlines.h" > #include <wtf/BooleanLattice.h> > #include <wtf/CheckedArithmetic.h> > >@@ -2581,30 +2580,6 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi > break; > } > >- case ObjectKeys: { >- if (node->child1().useKind() == ObjectUse) { >- auto& structureSet = forNode(node->child1()).m_structure; >- if (structureSet.isFinite() && structureSet.size() == 1) { >- RegisteredStructure structure = structureSet.onlyStructure(); >- if (auto* rareData = structure->rareDataConcurrently()) { >- auto* immutableButterfly = rareData->cachedOwnKeysConcurrently(); >- if (immutableButterfly && immutableButterfly != m_vm.sentinelImmutableButterfly.get()) { >- if (m_graph.isWatchingHavingABadTimeWatchpoint(node)) { >- m_state.setFoundConstants(true); >- didFoldClobberWorld(); >- setTypeForNode(node, SpecArray); >- break; >- } >- } >- } >- } >- } >- >- clobberWorld(); >- setTypeForNode(node, SpecArray); >- break; >- } >- > case ToObject: > case CallObjectConstructor: { > AbstractValue& source = forNode(node->child1()); >diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp >index d6e3843a8d8349490154e08777274f08655f650b..646b02c4a8a834f825db6e105a8ac10cfd22037b 100644 >--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp >+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp >@@ -2692,15 +2692,6 @@ bool ByteCodeParser::handleIntrinsicCall(Node* callee, VirtualRegister result, I > return true; > } > >- case ObjectKeysIntrinsic: { >- if (argumentCountIncludingThis < 2) >- return false; >- >- insertChecks(); >- set(result, addToGraph(ObjectKeys, get(virtualRegisterForArgument(1, registerOffset)))); >- return true; >- } >- > case ReflectGetPrototypeOfIntrinsic: { > if (argumentCountIncludingThis != 2) > return false; >diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h >index 250ec00443d12c063aa43eeebdc48c70294125a5..87424207c4016483bdbfb4202990e2a27ee99d5f 100644 >--- a/Source/JavaScriptCore/dfg/DFGClobberize.h >+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h >@@ -668,7 +668,6 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu > case CreateThis: > case InstanceOf: > case StringValueOf: >- case ObjectKeys: > read(World); > write(Heap); > return; >@@ -1530,6 +1529,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu > } > } > >+ > case NewObject: > case NewRegexp: > case NewSymbol: >diff --git a/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp b/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp >index 03f84f55fcf51d81adce812945e158b43eb8f0b0..fb1f6dc231abe448d5f916c6348fd1f137fba023 100644 >--- a/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp >+++ b/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp >@@ -766,26 +766,6 @@ private: > break; > } > >- case ObjectKeys: { >- if (node->child1().useKind() == ObjectUse) { >- auto& structureSet = m_state.forNode(node->child1()).m_structure; >- if (structureSet.isFinite() && structureSet.size() == 1) { >- RegisteredStructure structure = structureSet.onlyStructure(); >- if (auto* rareData = structure->rareDataConcurrently()) { >- auto* immutableButterfly = rareData->cachedOwnKeysConcurrently(); >- if (immutableButterfly && immutableButterfly != m_graph.m_vm.sentinelImmutableButterfly.get()) { >- if (m_graph.isWatchingHavingABadTimeWatchpoint(node)) { >- node->convertToNewArrayBuffer(m_graph.freeze(immutableButterfly)); >- changed = true; >- break; >- } >- } >- } >- } >- } >- break; >- } >- > case ToNumber: { > if (m_state.forNode(node->child1()).m_type & ~SpecBytecodeNumber) > break; >diff --git a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp >index df74930bdbb3864ad944bc4720712fe0f3947bd5..89fb3258de6668f6d7fbd19be4787e4c3aab7981 100644 >--- a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp >+++ b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp >@@ -339,7 +339,6 @@ bool doesGC(Graph& graph, Node* node) > case ToThis: > case CreateThis: > case ObjectCreate: >- case ObjectKeys: > case AllocatePropertyStorage: > case ReallocatePropertyStorage: > case Arrayify: >diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp >index a2eefa5ab0bc10fc50d439612eb21cc18f7e0c22..35b611863bbbd6a83b25b2614eef912dde9c7271 100644 >--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp >+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp >@@ -1595,14 +1595,6 @@ private: > break; > } > >- case ObjectKeys: { >- if (node->child1()->shouldSpeculateObject()) { >- watchHavingABadTime(node); >- fixEdge<ObjectUse>(node->child1()); >- } >- break; >- } >- > case CheckStringIdent: { > fixEdge<StringIdentUse>(node->child1()); > break; >diff --git a/Source/JavaScriptCore/dfg/DFGNode.cpp b/Source/JavaScriptCore/dfg/DFGNode.cpp >index 3d1c3ba137621e3b2f03415bb91d1412363ce4f1..dd967c8ad23720c8856675873506e52d150fb771 100644 >--- a/Source/JavaScriptCore/dfg/DFGNode.cpp >+++ b/Source/JavaScriptCore/dfg/DFGNode.cpp >@@ -31,7 +31,6 @@ > #include "DFGGraph.h" > #include "DFGPromotedHeapLocation.h" > #include "JSCInlines.h" >-#include "JSImmutableButterfly.h" > > namespace JSC { namespace DFG { > >@@ -224,17 +223,6 @@ void Node::convertToLazyJSConstant(Graph& graph, LazyJSValue value) > children.reset(); > } > >-void Node::convertToNewArrayBuffer(FrozenValue* immutableButterfly) >-{ >- setOpAndDefaultFlags(NewArrayBuffer); >- NewArrayBufferData data { }; >- data.indexingMode = immutableButterfly->cast<JSImmutableButterfly*>()->indexingMode(); >- data.vectorLengthHint = immutableButterfly->cast<JSImmutableButterfly*>()->toButterfly()->vectorLength(); >- children.reset(); >- m_opInfo = immutableButterfly; >- m_opInfo2 = data.asQuadWord; >-} >- > void Node::convertToDirectCall(FrozenValue* executable) > { > NodeType newOp = LastNodeType; >diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h >index b8014755c7bcb50914ed39d61a53d94aca86021e..d3f73a8c284dbd703f22e6ffceea0986f37349b2 100644 >--- a/Source/JavaScriptCore/dfg/DFGNode.h >+++ b/Source/JavaScriptCore/dfg/DFGNode.h >@@ -761,8 +761,6 @@ public: > m_opInfo = structure; > m_opInfo2 = OpInfoWrapper(); > } >- >- void convertToNewArrayBuffer(FrozenValue* immutableButterfly); > > void convertToDirectCall(FrozenValue*); > >diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h >index dc2f3e16b832aac0af7f0ad63c4c8e281dcba34e..4cfafe7db368a6d41393b85654a6228f32b7b777 100644 >--- a/Source/JavaScriptCore/dfg/DFGNodeType.h >+++ b/Source/JavaScriptCore/dfg/DFGNodeType.h >@@ -265,7 +265,6 @@ namespace JSC { namespace DFG { > macro(ParseInt, NodeMustGenerate | NodeResultJS) \ > macro(GetPrototypeOf, NodeMustGenerate | NodeResultJS) \ > macro(ObjectCreate, NodeMustGenerate | NodeResultJS) \ >- macro(ObjectKeys, NodeMustGenerate | NodeResultJS) \ > \ > /* Atomics object functions. */\ > macro(AtomicsAdd, NodeResultJS | NodeMustGenerate | NodeHasVarArgs) \ >diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp >index 0b26c2d162c7f24cfacebc3a79516c49d732144c..b75fcdfb975d91eca2e38fdfc6ed05db0c7cbc3b 100644 >--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp >+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp >@@ -248,25 +248,6 @@ EncodedJSValue JIT_OPERATION operationToThisStrict(ExecState* exec, EncodedJSVal > return JSValue::encode(JSValue::decode(encodedOp).toThis(exec, StrictMode)); > } > >-JSArray* JIT_OPERATION operationObjectKeys(ExecState* exec, EncodedJSValue encodedObject) >-{ >- VM& vm = exec->vm(); >- NativeCallFrameTracer tracer(&vm, exec); >- auto scope = DECLARE_THROW_SCOPE(vm); >- >- JSObject* object = JSValue::decode(encodedObject).toObject(exec); >- RETURN_IF_EXCEPTION(scope, nullptr); >- scope.release(); >- return ownPropertyKeys(exec, object, PropertyNameMode::Strings, DontEnumPropertiesMode::Exclude); >-} >- >-JSArray* JIT_OPERATION operationObjectKeysObject(ExecState* exec, JSObject* object) >-{ >- VM& vm = exec->vm(); >- NativeCallFrameTracer tracer(&vm, exec); >- return ownPropertyKeys(exec, object, PropertyNameMode::Strings, DontEnumPropertiesMode::Exclude); >-} >- > JSCell* JIT_OPERATION operationObjectCreate(ExecState* exec, EncodedJSValue encodedPrototype) > { > VM& vm = exec->vm(); >diff --git a/Source/JavaScriptCore/dfg/DFGOperations.h b/Source/JavaScriptCore/dfg/DFGOperations.h >index 38c116a54f91a615b81c15112148f25f94adb1ef..315fd6adc5271d32e2b5817a80fb02819cbbf283 100644 >--- a/Source/JavaScriptCore/dfg/DFGOperations.h >+++ b/Source/JavaScriptCore/dfg/DFGOperations.h >@@ -43,8 +43,6 @@ EncodedJSValue JIT_OPERATION operationStringFromCharCodeUntyped(ExecState*, Enco > // These routines provide callbacks out to C++ implementations of operations too complex to JIT. > JSCell* JIT_OPERATION operationCallObjectConstructor(ExecState*, JSGlobalObject*, EncodedJSValue encodedTarget) WTF_INTERNAL; > JSCell* JIT_OPERATION operationToObject(ExecState*, JSGlobalObject*, EncodedJSValue encodedTarget, UniquedStringImpl*) WTF_INTERNAL; >-JSArray* JIT_OPERATION operationObjectKeys(ExecState*, EncodedJSValue) WTF_INTERNAL; >-JSArray* JIT_OPERATION operationObjectKeysObject(ExecState*, JSObject*) WTF_INTERNAL; > JSCell* JIT_OPERATION operationObjectCreate(ExecState*, EncodedJSValue) WTF_INTERNAL; > JSCell* JIT_OPERATION operationObjectCreateObject(ExecState*, JSObject*) WTF_INTERNAL; > JSCell* JIT_OPERATION operationCreateThis(ExecState*, JSObject* constructor, uint32_t inlineCapacity) WTF_INTERNAL; >diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp >index b3c69bcf124727bfcc676b2afadab5a88c22f93a..cf2557d1ca2f7cb3d39f0dc1b113949388722f17 100644 >--- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp >+++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp >@@ -984,8 +984,7 @@ private: > case NewArray: > case NewArrayWithSize: > case CreateRest: >- case NewArrayBuffer: >- case ObjectKeys: { >+ case NewArrayBuffer: { > setPrediction(SpecArray); > break; > } >diff --git a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h >index f106982ae39ff3bcc36cfb5aee0d716c07e94316..d19ee8e1bfcdfbfc91cbe8fa0b345146c6f11bd3 100644 >--- a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h >+++ b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h >@@ -178,7 +178,6 @@ bool safeToExecute(AbstractStateType& state, Graph& graph, Node* node, bool igno > case ToThis: > case CreateThis: > case ObjectCreate: >- case ObjectKeys: > case GetCallee: > case SetCallee: > case GetArgumentCountIncludingThis: >diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >index 817e5626d730b062ee4390b0e3df5f84cc2ec3f8..fe3d6862e2f40ab7d74fbb6bb65baf8533459c47 100644 >--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >@@ -12365,94 +12365,6 @@ void SpeculativeJIT::compileToThis(Node* node) > jsValueResult(tempRegs, node); > } > >-void SpeculativeJIT::compileObjectKeys(Node* node) >-{ >- switch (node->child1().useKind()) { >- case ObjectUse: { >- if (m_graph.isWatchingHavingABadTimeWatchpoint(node)) { >- SpeculateCellOperand object(this, node->child1()); >- GPRTemporary structure(this); >- GPRTemporary scratch(this); >- GPRTemporary scratch2(this); >- GPRTemporary scratch3(this); >- GPRTemporary result(this); >- >- GPRReg objectGPR = object.gpr(); >- GPRReg structureGPR = structure.gpr(); >- GPRReg scratchGPR = scratch.gpr(); >- GPRReg scratch2GPR = scratch2.gpr(); >- GPRReg scratch3GPR = scratch3.gpr(); >- GPRReg resultGPR = result.gpr(); >- >- speculateObject(node->child1(), objectGPR); >- >- CCallHelpers::JumpList slowCases; >- m_jit.emitLoadStructure(*m_jit.vm(), objectGPR, structureGPR, scratchGPR); >- m_jit.loadPtr(CCallHelpers::Address(structureGPR, Structure::previousOrRareDataOffset()), scratchGPR); >- >- slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR)); >- slowCases.append(m_jit.branch32(CCallHelpers::Equal, CCallHelpers::Address(scratchGPR, JSCell::structureIDOffset()), TrustedImm32(bitwise_cast<int32_t>(m_jit.vm()->structureStructure->structureID())))); >- >- m_jit.loadPtr(CCallHelpers::Address(scratchGPR, StructureRareData::offsetOfCachedOwnKeys()), scratchGPR); >- >- slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR)); >- slowCases.append(m_jit.branchPtr(CCallHelpers::Equal, scratchGPR, TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.vm()->sentinelImmutableButterfly.get()))); >- >- MacroAssembler::JumpList slowButArrayBufferCases; >- >- JSGlobalObject* globalObject = m_jit.graph().globalObjectFor(node->origin.semantic); >- RegisteredStructure arrayStructure = m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(CopyOnWriteArrayWithContiguous)); >- >- m_jit.move(scratchGPR, scratch3GPR); >- m_jit.addPtr(TrustedImmPtr(JSImmutableButterfly::offsetOfData()), scratchGPR); >- >- emitAllocateJSObject<JSArray>(resultGPR, TrustedImmPtr(arrayStructure), scratchGPR, structureGPR, scratch2GPR, slowButArrayBufferCases); >- >- addSlowPathGenerator(slowPathCall(slowButArrayBufferCases, this, operationNewArrayBuffer, resultGPR, arrayStructure, scratch3GPR)); >- >- addSlowPathGenerator(slowPathCall(slowCases, this, operationObjectKeysObject, resultGPR, objectGPR)); >- >- cellResult(resultGPR, node); >- break; >- } >- >- SpeculateCellOperand object(this, node->child1()); >- >- GPRReg objectGPR = object.gpr(); >- >- speculateObject(node->child1(), objectGPR); >- >- flushRegisters(); >- GPRFlushedCallResult result(this); >- GPRReg resultGPR = result.gpr(); >- callOperation(operationObjectKeysObject, resultGPR, objectGPR); >- m_jit.exceptionCheck(); >- >- cellResult(resultGPR, node); >- break; >- } >- >- case UntypedUse: { >- JSValueOperand object(this, node->child1()); >- >- JSValueRegs objectRegs = object.jsValueRegs(); >- >- flushRegisters(); >- GPRFlushedCallResult result(this); >- GPRReg resultGPR = result.gpr(); >- callOperation(operationObjectKeys, resultGPR, objectRegs); >- m_jit.exceptionCheck(); >- >- cellResult(resultGPR, node); >- break; >- } >- >- default: >- RELEASE_ASSERT_NOT_REACHED(); >- break; >- } >-} >- > void SpeculativeJIT::compileObjectCreate(Node* node) > { > switch (node->child1().useKind()) { >diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h >index 48463c5f79df446456e0aaf744104fe3e02ebf63..438b114c9de65035f049e8f3e5bf555ca8396350 100644 >--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h >+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h >@@ -1479,7 +1479,6 @@ public: > void compileNewArrayWithSize(Node*); > void compileNewTypedArray(Node*); > void compileToThis(Node*); >- void compileObjectKeys(Node*); > void compileObjectCreate(Node*); > void compileCreateThis(Node*); > void compileNewObject(Node*); >diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp >index 20c053a9553ac9e0152360d767b12c4abc73fbf4..952f89158d4cc30bc768beef79c8db7b3dfdf659 100644 >--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp >+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp >@@ -3167,11 +3167,6 @@ void SpeculativeJIT::compile(Node* node) > break; > } > >- case ObjectKeys: { >- compileObjectKeys(node); >- break; >- } >- > case CreateThis: { > compileCreateThis(node); > break; >diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp >index 4e65ebc1371b16738786803708272ebfc4aec2bb..6f5a87c0e0327b0a792c5db5a23ee6eda14c6956 100644 >--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp >+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp >@@ -3409,11 +3409,6 @@ void SpeculativeJIT::compile(Node* node) > break; > } > >- case ObjectKeys: { >- compileObjectKeys(node); >- break; >- } >- > case CreateThis: { > compileCreateThis(node); > break; >diff --git a/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h b/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h >index 9f3aa2fe7dc3ecfeb0c870b81a87cbc11f288051..bbd47132fec7bcfcd3b6e2c58414eaa84bc8521f 100644 >--- a/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h >+++ b/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h >@@ -116,10 +116,8 @@ namespace JSC { namespace FTL { > macro(Structure_globalObject, Structure::globalObjectOffset()) \ > macro(Structure_indexingModeIncludingHistory, Structure::indexingModeIncludingHistoryOffset()) \ > macro(Structure_inlineCapacity, Structure::inlineCapacityOffset()) \ >- macro(Structure_previousOrRareData, Structure::previousOrRareDataOffset()) \ > macro(Structure_prototype, Structure::prototypeOffset()) \ > macro(Structure_structureID, Structure::structureIDOffset()) \ >- macro(StructureRareData_cachedOwnKeys, StructureRareData::offsetOfCachedOwnKeys()) \ > macro(HashMapImpl_capacity, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()) \ > macro(HashMapImpl_buffer, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfBuffer()) \ > macro(HashMapImpl_head, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfHead()) \ >diff --git a/Source/JavaScriptCore/ftl/FTLCapabilities.cpp b/Source/JavaScriptCore/ftl/FTLCapabilities.cpp >index 23c9396f4d69e04f6f0cb5f491ba04e6ccfad10a..0f6ceebb5553dfa8a0c00c3264b96591479ba7d1 100644 >--- a/Source/JavaScriptCore/ftl/FTLCapabilities.cpp >+++ b/Source/JavaScriptCore/ftl/FTLCapabilities.cpp >@@ -201,7 +201,6 @@ inline CapabilityLevel canCompile(Node* node) > case CallObjectConstructor: > case CallStringConstructor: > case ObjectCreate: >- case ObjectKeys: > case MakeRope: > case NewArrayWithSize: > case TryGetById: >diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >index d55b409c2a1b2dd5846a7302671432d72826f409..185876b83716dbf352629eadfb6184658dd0f3e8 100644 >--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >@@ -866,9 +866,6 @@ private: > case ObjectCreate: > compileObjectCreate(); > break; >- case ObjectKeys: >- compileObjectKeys(); >- break; > case NewObject: > compileNewObject(); > break; >@@ -5500,75 +5497,6 @@ private: > setInt32(m_out.phi(Int32, zeroLengthResult, nonZeroLengthResult)); > } > >- void compileObjectKeys() >- { >- switch (m_node->child1().useKind()) { >- case ObjectUse: { >- if (m_graph.isWatchingHavingABadTimeWatchpoint(m_node)) { >- LBasicBlock notNullCase = m_out.newBlock(); >- LBasicBlock rareDataCase = m_out.newBlock(); >- LBasicBlock notNullCacheCase = m_out.newBlock(); >- LBasicBlock useCacheCase = m_out.newBlock(); >- LBasicBlock slowButArrayBufferCase = m_out.newBlock(); >- LBasicBlock slowCase = m_out.newBlock(); >- LBasicBlock continuation = m_out.newBlock(); >- >- LValue object = lowObject(m_node->child1()); >- LValue structure = loadStructure(object); >- LValue previousOrRareData = m_out.loadPtr(structure, m_heaps.Structure_previousOrRareData); >- m_out.branch(m_out.notNull(previousOrRareData), unsure(notNullCase), unsure(slowCase)); >- >- LBasicBlock lastNext = m_out.appendTo(notNullCase, rareDataCase); >- m_out.branch( >- m_out.notEqual(m_out.load32(previousOrRareData, m_heaps.JSCell_structureID), m_out.constInt32(m_graph.m_vm.structureStructure->structureID())), >- unsure(rareDataCase), unsure(slowCase)); >- >- m_out.appendTo(rareDataCase, notNullCacheCase); >- LValue cachedOwnKeys = m_out.loadPtr(previousOrRareData, m_heaps.StructureRareData_cachedOwnKeys); >- m_out.branch(m_out.notNull(cachedOwnKeys), unsure(notNullCacheCase), unsure(slowCase)); >- >- m_out.appendTo(notNullCacheCase, useCacheCase); >- m_out.branch(m_out.notEqual(cachedOwnKeys, weakPointer(m_graph.m_vm.sentinelImmutableButterfly.get())), unsure(useCacheCase), unsure(slowCase)); >- >- m_out.appendTo(useCacheCase, slowButArrayBufferCase); >- JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic); >- RegisteredStructure arrayStructure = m_graph.registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(CopyOnWriteArrayWithContiguous)); >- LValue fastArray = allocateObject<JSArray>(arrayStructure, m_out.addPtr(cachedOwnKeys, JSImmutableButterfly::offsetOfData()), slowButArrayBufferCase); >- ValueFromBlock fastResult = m_out.anchor(fastArray); >- m_out.jump(continuation); >- >- m_out.appendTo(slowButArrayBufferCase, slowCase); >- LValue slowArray = vmCall(Int64, m_out.operation(operationNewArrayBuffer), m_callFrame, weakStructure(arrayStructure), cachedOwnKeys); >- ValueFromBlock slowButArrayBufferResult = m_out.anchor(slowArray); >- m_out.jump(continuation); >- >- m_out.appendTo(slowCase, continuation); >- VM& vm = this->vm(); >- LValue slowResultValue = lazySlowPath( >- [=, &vm] (const Vector<Location>& locations) -> RefPtr<LazySlowPath::Generator> { >- return createLazyCallGenerator(vm, >- operationObjectKeysObject, locations[0].directGPR(), locations[1].directGPR()); >- }, >- object); >- ValueFromBlock slowResult = m_out.anchor(slowResultValue); >- m_out.jump(continuation); >- >- m_out.appendTo(continuation, lastNext); >- setJSValue(m_out.phi(pointerType(), fastResult, slowButArrayBufferResult, slowResult)); >- break; >- } >- setJSValue(vmCall(Int64, m_out.operation(operationObjectKeysObject), m_callFrame, lowObject(m_node->child1()))); >- break; >- } >- case UntypedUse: >- setJSValue(vmCall(Int64, m_out.operation(operationObjectKeys), m_callFrame, lowJSValue(m_node->child1()))); >- break; >- default: >- RELEASE_ASSERT_NOT_REACHED(); >- break; >- } >- } >- > void compileObjectCreate() > { > switch (m_node->child1().useKind()) { >diff --git a/Source/JavaScriptCore/runtime/Intrinsic.cpp b/Source/JavaScriptCore/runtime/Intrinsic.cpp >index fbc4ef3cd8f2ec62da9300da271b1023397434fc..abe6f17286e3be391e0c374c1f6c574c5bd867fb 100644 >--- a/Source/JavaScriptCore/runtime/Intrinsic.cpp >+++ b/Source/JavaScriptCore/runtime/Intrinsic.cpp >@@ -119,8 +119,6 @@ const char* intrinsicName(Intrinsic intrinsic) > return "ObjectGetPrototypeOfIntrinsic"; > case ObjectIsIntrinsic: > return "ObjectIsIntrinsic"; >- case ObjectKeysIntrinsic: >- return "ObjectKeysIntrinsic"; > case ReflectGetPrototypeOfIntrinsic: > return "ReflectGetPrototypeOfIntrinsic"; > case StringPrototypeValueOfIntrinsic: >diff --git a/Source/JavaScriptCore/runtime/Intrinsic.h b/Source/JavaScriptCore/runtime/Intrinsic.h >index b47f46d9e4de0013de8346e82e6816f5fd02f746..cfbd18496352bb9d4e26a02c5693b8c460019025 100644 >--- a/Source/JavaScriptCore/runtime/Intrinsic.h >+++ b/Source/JavaScriptCore/runtime/Intrinsic.h >@@ -72,7 +72,6 @@ enum Intrinsic { > ObjectCreateIntrinsic, > ObjectGetPrototypeOfIntrinsic, > ObjectIsIntrinsic, >- ObjectKeysIntrinsic, > ReflectGetPrototypeOfIntrinsic, > StringPrototypeValueOfIntrinsic, > StringPrototypeReplaceIntrinsic, >diff --git a/Source/JavaScriptCore/runtime/JSImmutableButterfly.h b/Source/JavaScriptCore/runtime/JSImmutableButterfly.h >index 1ff4d276775328bd0c6ca2e4146703827515e8bc..284783c0c75596adda5a1f98f36b069e0eb8e4a1 100644 >--- a/Source/JavaScriptCore/runtime/JSImmutableButterfly.h >+++ b/Source/JavaScriptCore/runtime/JSImmutableButterfly.h >@@ -67,11 +67,6 @@ public: > return array; > } > >- static JSImmutableButterfly* createSentinel(VM& vm) >- { >- return create(vm, CopyOnWriteArrayWithContiguous, 0); >- } >- > unsigned publicLength() const { return m_header.publicLength(); } > unsigned vectorLength() const { return m_header.vectorLength(); } > unsigned length() const { return m_header.publicLength(); } >diff --git a/Source/JavaScriptCore/runtime/ObjectConstructor.cpp b/Source/JavaScriptCore/runtime/ObjectConstructor.cpp >index fcf99b8ecd295f18e44a230bf30464418bd14525..90a36a935578f2b8e313113d29d90ba9d466a945 100644 >--- a/Source/JavaScriptCore/runtime/ObjectConstructor.cpp >+++ b/Source/JavaScriptCore/runtime/ObjectConstructor.cpp >@@ -30,7 +30,6 @@ > #include "JSFunction.h" > #include "JSGlobalObject.h" > #include "JSGlobalObjectFunctions.h" >-#include "JSImmutableButterfly.h" > #include "Lookup.h" > #include "ObjectPrototype.h" > #include "PropertyDescriptor.h" >@@ -74,7 +73,7 @@ const ClassInfo ObjectConstructor::s_info = { "Function", &InternalFunction::s_i > getOwnPropertyDescriptors objectConstructorGetOwnPropertyDescriptors DontEnum|Function 1 > getOwnPropertyNames objectConstructorGetOwnPropertyNames DontEnum|Function 1 > getOwnPropertySymbols objectConstructorGetOwnPropertySymbols DontEnum|Function 1 >- keys objectConstructorKeys DontEnum|Function 1 ObjectKeysIntrinsic >+ keys objectConstructorKeys DontEnum|Function 1 > defineProperty objectConstructorDefineProperty DontEnum|Function 3 > defineProperties objectConstructorDefineProperties DontEnum|Function 2 > create objectConstructorCreate DontEnum|Function 2 ObjectCreateIntrinsic >@@ -272,6 +271,7 @@ EncodedJSValue JSC_HOST_CALL objectConstructorGetOwnPropertySymbols(ExecState* e > RELEASE_AND_RETURN(scope, JSValue::encode(ownPropertyKeys(exec, object, PropertyNameMode::Symbols, DontEnumPropertiesMode::Include))); > } > >+// FIXME: Use the enumeration cache. > EncodedJSValue JSC_HOST_CALL objectConstructorKeys(ExecState* exec) > { > VM& vm = exec->vm(); >@@ -892,25 +892,11 @@ EncodedJSValue JSC_HOST_CALL objectConstructorIs(ExecState* exec) > return JSValue::encode(jsBoolean(sameValue(exec, exec->argument(0), exec->argument(1)))); > } > >+// FIXME: Use the enumeration cache. > JSArray* ownPropertyKeys(ExecState* exec, JSObject* object, PropertyNameMode propertyNameMode, DontEnumPropertiesMode dontEnumPropertiesMode) > { > VM& vm = exec->vm(); > auto scope = DECLARE_THROW_SCOPE(vm); >- >- auto* globalObject = exec->lexicalGlobalObject(); >- bool isObjectKeys = propertyNameMode == PropertyNameMode::Strings && dontEnumPropertiesMode == DontEnumPropertiesMode::Exclude; >- // We attempt to look up own property keys cache in Object.keys case. >- if (isObjectKeys) { >- if (LIKELY(!globalObject->isHavingABadTime())) { >- if (auto* immutableButterfly = object->structure(vm)->cachedOwnKeys()) { >- if (immutableButterfly != vm.sentinelImmutableButterfly.get()) { >- Structure* arrayStructure = globalObject->originalArrayStructureForIndexingType(immutableButterfly->indexingMode()); >- return JSArray::createWithButterfly(vm, nullptr, arrayStructure, immutableButterfly->toButterfly()); >- } >- } >- } >- } >- > PropertyNameArray properties(&vm, propertyNameMode, PrivateSymbolMode::Exclude); > object->methodTable(vm)->getOwnPropertyNames(object, exec, properties, EnumerationMode(dontEnumPropertiesMode)); > RETURN_IF_EXCEPTION(scope, nullptr); >@@ -932,31 +918,8 @@ JSArray* ownPropertyKeys(ExecState* exec, JSObject* object, PropertyNameMode pro > if (propertyNameMode != PropertyNameMode::StringsAndSymbols) { > ASSERT(propertyNameMode == PropertyNameMode::Strings || propertyNameMode == PropertyNameMode::Symbols); > if (!mustFilterProperty && properties.size() < MIN_SPARSE_ARRAY_INDEX) { >+ auto* globalObject = exec->lexicalGlobalObject(); > if (LIKELY(!globalObject->isHavingABadTime())) { >- if (isObjectKeys) { >- Structure* structure = object->structure(vm); >- if (structure->canCacheOwnKeys()) { >- auto* cachedButterfly = structure->cachedOwnKeys(); >- if (cachedButterfly == vm.sentinelImmutableButterfly.get()) { >- // Cache the immutable butterfly! >- size_t numProperties = properties.size(); >- auto* newButterfly = JSImmutableButterfly::create(vm, CopyOnWriteArrayWithContiguous, numProperties); >- for (size_t i = 0; i < numProperties; i++) { >- const auto& identifier = properties[i]; >- ASSERT(!identifier.isSymbol()); >- newButterfly->setIndex(vm, i, jsOwnedString(&vm, identifier.string())); >- } >- >- structure->setCachedOwnKeys(vm, newButterfly); >- Structure* arrayStructure = globalObject->originalArrayStructureForIndexingType(newButterfly->indexingMode()); >- return JSArray::createWithButterfly(vm, nullptr, arrayStructure, newButterfly->toButterfly()); >- } >- >- if (cachedButterfly == nullptr) >- structure->setCachedOwnKeys(vm, jsCast<JSImmutableButterfly*>(vm.sentinelImmutableButterfly.get())); >- } >- } >- > size_t numProperties = properties.size(); > JSArray* keys = JSArray::create(vm, globalObject->originalArrayStructureForIndexingType(ArrayWithContiguous), numProperties); > WriteBarrier<Unknown>* buffer = keys->butterfly()->contiguous().data(); >diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp >index 3542827de3a270454ff6c63402682fc0582348b1..58d83bce4afdade803d384ba710e0ab9d6ad0918 100644 >--- a/Source/JavaScriptCore/runtime/Structure.cpp >+++ b/Source/JavaScriptCore/runtime/Structure.cpp >@@ -1252,7 +1252,17 @@ JSPropertyNameEnumerator* Structure::cachedPropertyNameEnumerator() const > > bool Structure::canCachePropertyNameEnumerator() const > { >- if (!this->canCacheOwnKeys()) >+ auto canCache = [] (const Structure* structure) { >+ if (structure->isDictionary()) >+ return false; >+ if (hasIndexedProperties(structure->indexingType())) >+ return false; >+ if (structure->typeInfo().overridesGetPropertyNames()) >+ return false; >+ return true; >+ }; >+ >+ if (!canCache(this)) > return false; > > StructureChain* structureChain = m_cachedPrototypeChain.get(); >@@ -1261,7 +1271,7 @@ bool Structure::canCachePropertyNameEnumerator() const > while (true) { > if (!structure->get()) > return true; >- if (!structure->get()->canCacheOwnKeys()) >+ if (!canCache(structure->get())) > return false; > structure++; > } >diff --git a/Source/JavaScriptCore/runtime/Structure.h b/Source/JavaScriptCore/runtime/Structure.h >index 1e84c4d19b415db346d52bf5e5e57a1b752b09d7..8ded825bfba93a85090b6148c0f50da19dfac9b7 100644 >--- a/Source/JavaScriptCore/runtime/Structure.h >+++ b/Source/JavaScriptCore/runtime/Structure.h >@@ -38,6 +38,7 @@ > #include "PutPropertySlot.h" > #include "StructureIDBlob.h" > #include "StructureRareData.h" >+#include "StructureRareDataInlines.h" > #include "StructureTransitionTable.h" > #include "JSTypeInfo.h" > #include "Watchpoint.h" >@@ -325,15 +326,6 @@ public: > return static_cast<const StructureRareData*>(m_previousOrRareData.get()); > } > >- const StructureRareData* rareDataConcurrently() const >- { >- JSCell* cell = m_previousOrRareData.get(); >- WTF::loadLoadFence(); >- if (isRareData(cell)) >- return static_cast<StructureRareData*>(cell); >- return nullptr; >- } >- > StructureRareData* ensureRareData(VM& vm) > { > if (!hasRareData()) >@@ -480,10 +472,6 @@ public: > bool canCachePropertyNameEnumerator() const; > bool canAccessPropertiesQuicklyForEnumeration() const; > >- void setCachedOwnKeys(VM&, JSImmutableButterfly*); >- JSImmutableButterfly* cachedOwnKeys() const; >- bool canCacheOwnKeys() const; >- > void getPropertyNamesFromStructure(VM&, PropertyNameArray&, EnumerationMode); > > JSString* objectToStringValue() >@@ -532,11 +520,6 @@ public: > return OBJECT_OFFSETOF(Structure, m_inlineCapacity); > } > >- static ptrdiff_t previousOrRareDataOffset() >- { >- return OBJECT_OFFSETOF(Structure, m_previousOrRareData); >- } >- > static Structure* createStructure(VM&); > > bool transitionWatchpointSetHasBeenInvalidated() const >diff --git a/Source/JavaScriptCore/runtime/StructureInlines.h b/Source/JavaScriptCore/runtime/StructureInlines.h >index ab7e206dde5ece4f70bac7a4e930ee58f5575e39..b3eb1b41e9f1c781e96f0229051000e042705d5e 100644 >--- a/Source/JavaScriptCore/runtime/StructureInlines.h >+++ b/Source/JavaScriptCore/runtime/StructureInlines.h >@@ -219,29 +219,6 @@ inline bool Structure::transitivelyTransitionedFrom(Structure* structureToFind) > return false; > } > >-inline void Structure::setCachedOwnKeys(VM& vm, JSImmutableButterfly* ownKeys) >-{ >- ensureRareData(vm)->setCachedOwnKeys(vm, ownKeys); >-} >- >-inline JSImmutableButterfly* Structure::cachedOwnKeys() const >-{ >- if (!hasRareData()) >- return nullptr; >- return rareData()->cachedOwnKeys(); >-} >- >-inline bool Structure::canCacheOwnKeys() const >-{ >- if (isDictionary()) >- return false; >- if (hasIndexedProperties(indexingType())) >- return false; >- if (typeInfo().overridesGetPropertyNames()) >- return false; >- return true; >-} >- > ALWAYS_INLINE JSValue prototypeForLookupPrimitiveImpl(JSGlobalObject* globalObject, const Structure* structure) > { > ASSERT(!structure->isObject()); >diff --git a/Source/JavaScriptCore/runtime/StructureRareData.cpp b/Source/JavaScriptCore/runtime/StructureRareData.cpp >index d8b2f00fa2139180521f11a06c112429b70be755..8984ce91956a81d51ad0d5233630e699e36deb53 100644 >--- a/Source/JavaScriptCore/runtime/StructureRareData.cpp >+++ b/Source/JavaScriptCore/runtime/StructureRareData.cpp >@@ -27,7 +27,6 @@ > #include "StructureRareData.h" > > #include "AdaptiveInferredPropertyValueWatchpointBase.h" >-#include "JSImmutableButterfly.h" > #include "JSPropertyNameEnumerator.h" > #include "JSString.h" > #include "JSCInlines.h" >@@ -71,7 +70,16 @@ void StructureRareData::visitChildren(JSCell* cell, SlotVisitor& visitor) > visitor.append(thisObject->m_previous); > visitor.append(thisObject->m_objectToStringValue); > visitor.append(thisObject->m_cachedPropertyNameEnumerator); >- visitor.append(thisObject->m_cachedOwnKeys); >+} >+ >+JSPropertyNameEnumerator* StructureRareData::cachedPropertyNameEnumerator() const >+{ >+ return m_cachedPropertyNameEnumerator.get(); >+} >+ >+void StructureRareData::setCachedPropertyNameEnumerator(VM& vm, JSPropertyNameEnumerator* enumerator) >+{ >+ m_cachedPropertyNameEnumerator.set(vm, this, enumerator); > } > > // ----------- Object.prototype.toString() helper watchpoint classes ----------- >diff --git a/Source/JavaScriptCore/runtime/StructureRareData.h b/Source/JavaScriptCore/runtime/StructureRareData.h >index d4de58b5550fb3405cc24204f5fca584aaa46bd3..11c181dd61e7eb6754eba97054bf12a503fb88a7 100644 >--- a/Source/JavaScriptCore/runtime/StructureRareData.h >+++ b/Source/JavaScriptCore/runtime/StructureRareData.h >@@ -58,10 +58,7 @@ public: > > static Structure* createStructure(VM&, JSGlobalObject*, JSValue prototype); > >- Structure* previousID() const >- { >- return m_previous.get(); >- } >+ Structure* previousID() const; > void setPreviousID(VM&, Structure*); > void clearPreviousID(); > >@@ -71,20 +68,11 @@ public: > JSPropertyNameEnumerator* cachedPropertyNameEnumerator() const; > void setCachedPropertyNameEnumerator(VM&, JSPropertyNameEnumerator*); > >- JSImmutableButterfly* cachedOwnKeys() const; >- JSImmutableButterfly* cachedOwnKeysConcurrently() const; >- void setCachedOwnKeys(VM&, JSImmutableButterfly*); >- > Box<InlineWatchpointSet> copySharedPolyProtoWatchpoint() const { return m_polyProtoWatchpoint; } > const Box<InlineWatchpointSet>& sharedPolyProtoWatchpoint() const { return m_polyProtoWatchpoint; } > void setSharedPolyProtoWatchpoint(Box<InlineWatchpointSet>&& sharedPolyProtoWatchpoint) { m_polyProtoWatchpoint = WTFMove(sharedPolyProtoWatchpoint); } > bool hasSharedPolyProtoWatchpoint() const { return static_cast<bool>(m_polyProtoWatchpoint); } > >- static ptrdiff_t offsetOfCachedOwnKeys() >- { >- return OBJECT_OFFSETOF(StructureRareData, m_cachedOwnKeys); >- } >- > DECLARE_EXPORT_INFO; > > private: >@@ -98,10 +86,7 @@ private: > > WriteBarrier<Structure> m_previous; > WriteBarrier<JSString> m_objectToStringValue; >- // FIXME: We should have some story for clearing these property names caches in GC. >- // https://bugs.webkit.org/show_bug.cgi?id=192659 > WriteBarrier<JSPropertyNameEnumerator> m_cachedPropertyNameEnumerator; >- WriteBarrier<JSImmutableButterfly> m_cachedOwnKeys; > > typedef HashMap<PropertyOffset, RefPtr<WatchpointSet>, WTF::IntHash<PropertyOffset>, WTF::UnsignedWithZeroKeyHashTraits<PropertyOffset>> PropertyWatchpointMap; > std::unique_ptr<PropertyWatchpointMap> m_replacementWatchpointSets; >diff --git a/Source/JavaScriptCore/runtime/StructureRareDataInlines.h b/Source/JavaScriptCore/runtime/StructureRareDataInlines.h >index 70e77d4c64910c168028f3b6863561c371e478e6..e4e2496a5624ddf7d997cc2032f09ea2501dba9d 100644 >--- a/Source/JavaScriptCore/runtime/StructureRareDataInlines.h >+++ b/Source/JavaScriptCore/runtime/StructureRareDataInlines.h >@@ -25,13 +25,16 @@ > > #pragma once > >-#include "JSImmutableButterfly.h" >-#include "JSPropertyNameEnumerator.h" > #include "JSString.h" > #include "StructureRareData.h" > > namespace JSC { > >+inline Structure* StructureRareData::previousID() const >+{ >+ return m_previous.get(); >+} >+ > inline void StructureRareData::setPreviousID(VM& vm, Structure* structure) > { > m_previous.set(vm, this, structure); >@@ -47,33 +50,4 @@ inline JSString* StructureRareData::objectToStringValue() const > return m_objectToStringValue.get(); > } > >-inline JSPropertyNameEnumerator* StructureRareData::cachedPropertyNameEnumerator() const >-{ >- return m_cachedPropertyNameEnumerator.get(); >-} >- >-inline void StructureRareData::setCachedPropertyNameEnumerator(VM& vm, JSPropertyNameEnumerator* enumerator) >-{ >- m_cachedPropertyNameEnumerator.set(vm, this, enumerator); >-} >- >-inline JSImmutableButterfly* StructureRareData::cachedOwnKeys() const >-{ >- ASSERT(!isCompilationThread()); >- return m_cachedOwnKeys.get(); >-} >- >-inline JSImmutableButterfly* StructureRareData::cachedOwnKeysConcurrently() const >-{ >- auto* result = m_cachedOwnKeys.get(); >- WTF::loadLoadFence(); >- return result; >-} >- >-inline void StructureRareData::setCachedOwnKeys(VM& vm, JSImmutableButterfly* butterfly) >-{ >- WTF::storeStoreFence(); >- m_cachedOwnKeys.set(vm, this, butterfly); >-} >- > } // namespace JSC >diff --git a/Source/JavaScriptCore/runtime/VM.cpp b/Source/JavaScriptCore/runtime/VM.cpp >index d83269b64482aae6db9e2fd7849acb74b4d32a77..5d2c452670f20c634783873a85e2ce639b23f562 100644 >--- a/Source/JavaScriptCore/runtime/VM.cpp >+++ b/Source/JavaScriptCore/runtime/VM.cpp >@@ -434,7 +434,6 @@ VM::VM(VMType vmType, HeapType heapType) > exceptionStructure.set(*this, Exception::createStructure(*this, 0, jsNull())); > promiseDeferredStructure.set(*this, JSPromiseDeferred::createStructure(*this, 0, jsNull())); > internalPromiseDeferredStructure.set(*this, JSInternalPromiseDeferred::createStructure(*this, 0, jsNull())); >- nativeStdFunctionCellStructure.set(*this, NativeStdFunctionCell::createStructure(*this, 0, jsNull())); > programCodeBlockStructure.set(*this, ProgramCodeBlock::createStructure(*this, 0, jsNull())); > moduleProgramCodeBlockStructure.set(*this, ModuleProgramCodeBlock::createStructure(*this, 0, jsNull())); > evalCodeBlockStructure.set(*this, EvalCodeBlock::createStructure(*this, 0, jsNull())); >@@ -448,8 +447,8 @@ VM::VM(VMType vmType, HeapType heapType) > > sentinelSetBucket.set(*this, JSSet::BucketType::createSentinel(*this)); > sentinelMapBucket.set(*this, JSMap::BucketType::createSentinel(*this)); >- sentinelImmutableButterfly.set(*this, JSImmutableButterfly::createSentinel(*this)); > >+ nativeStdFunctionCellStructure.set(*this, NativeStdFunctionCell::createStructure(*this, 0, jsNull())); > smallStrings.initializeCommonStrings(*this); > > Thread::current().setCurrentAtomicStringTable(existingEntryAtomicStringTable); >diff --git a/Source/JavaScriptCore/runtime/VM.h b/Source/JavaScriptCore/runtime/VM.h >index 865e5f7361247f803a10c78ad7b8a7d2a8c45892..f5162cbd7ae0115e42959f85c7ee1f797afa5d5d 100644 >--- a/Source/JavaScriptCore/runtime/VM.h >+++ b/Source/JavaScriptCore/runtime/VM.h >@@ -571,7 +571,6 @@ public: > Strong<JSCell> emptyPropertyNameEnumerator; > Strong<JSCell> sentinelSetBucket; > Strong<JSCell> sentinelMapBucket; >- Strong<JSCell> sentinelImmutableButterfly; > > std::unique_ptr<PromiseDeferredTimer> promiseDeferredTimer; > >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index d82e4210f8cfc447d8a8eb2d6d383a4c71f64af8..560dfcbda7b39e44f11701d6cb22c4a286269e32 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,26 @@ >+2018-12-14 Commit Queue <commit-queue@webkit.org> >+ >+ Unreviewed, rolling out r239153, r239154, and r239155. >+ https://bugs.webkit.org/show_bug.cgi?id=192715 >+ >+ Caused flaky GC-related crashes seen with layout tests >+ (Requested by ryanhaddad on #webkit). >+ >+ Reverted changesets: >+ >+ "[JSC] Optimize Object.keys by caching own keys results in >+ StructureRareData" >+ https://bugs.webkit.org/show_bug.cgi?id=190047 >+ https://trac.webkit.org/changeset/239153 >+ >+ "Unreviewed, build fix after r239153" >+ https://bugs.webkit.org/show_bug.cgi?id=190047 >+ https://trac.webkit.org/changeset/239154 >+ >+ "Unreviewed, build fix after r239153, part 2" >+ https://bugs.webkit.org/show_bug.cgi?id=190047 >+ https://trac.webkit.org/changeset/239155 >+ > 2018-12-14 Keith Miller <keith_miller@apple.com> > > Callers of JSString::getIndex should check for OOM exceptions >diff --git a/JSTests/stress/object-keys-cached-zero.js b/JSTests/stress/object-keys-cached-zero.js >deleted file mode 100644 >index f7cc96afacfa848b1030d631b6539157d707b965..0000000000000000000000000000000000000000 >--- a/JSTests/stress/object-keys-cached-zero.js >+++ /dev/null >@@ -1,21 +0,0 @@ >-function shouldBe(actual, expected) >-{ >- if (actual !== expected) >- throw new Error('bad value: ' + actual); >-} >- >-function test(object) >-{ >- return Object.keys(object); >-} >-noInline(test); >- >-var object = {}; >-for (var i = 0; i < 1e6; ++i) { >- var result = test(object); >- shouldBe(result.length, 0); >- shouldBe(result[0], undefined); >- result[0] = i; >- shouldBe(result.length, 1); >- shouldBe(result[0], i); >-} >diff --git a/JSTests/stress/object-keys-changed-attribute.js b/JSTests/stress/object-keys-changed-attribute.js >deleted file mode 100644 >index c3f143ec27f002059ae4172569f9b743c13bd1a6..0000000000000000000000000000000000000000 >--- a/JSTests/stress/object-keys-changed-attribute.js >+++ /dev/null >@@ -1,28 +0,0 @@ >-function shouldBe(actual, expected) >-{ >- if (actual !== expected) >- throw new Error('bad value: ' + actual); >-} >- >-function test(object) >-{ >- return Object.keys(object); >-} >-noInline(test); >- >-var object = { Cocoa: 42 }; >-for (var i = 0; i < 1e6; ++i) { >- var result = test(object); >- shouldBe(result.length, 1); >- shouldBe(result[0], 'Cocoa'); >-} >- >-Reflect.defineProperty(object, 'Cocoa', { >- enumerable: false >-}); >- >-for (var i = 0; i < 1e6; ++i) { >- var result = test(object); >- shouldBe(result.length, 0); >- shouldBe(result[0], undefined); >-} >diff --git a/JSTests/stress/object-keys-changed-index.js b/JSTests/stress/object-keys-changed-index.js >deleted file mode 100644 >index 423e09257b29da454bdf6f3fd73ba3ba6b3f7479..0000000000000000000000000000000000000000 >--- a/JSTests/stress/object-keys-changed-index.js >+++ /dev/null >@@ -1,28 +0,0 @@ >-function shouldBe(actual, expected) >-{ >- if (actual !== expected) >- throw new Error('bad value: ' + actual); >-} >- >-function test(object) >-{ >- return Object.keys(object); >-} >-noInline(test); >- >-var object = {}; >-for (var i = 0; i < 1e6; ++i) { >- var result = test(object); >- shouldBe(result.length, 0); >- shouldBe(result[0], undefined); >- result[0] = i; >- shouldBe(result.length, 1); >- shouldBe(result[0], i); >-} >- >-object[0] = 42; >-for (var i = 0; i < 1e6; ++i) { >- var result = test(object); >- shouldBe(result.length, 1); >- shouldBe(result[0], '0'); >-} >diff --git a/JSTests/stress/object-keys-changed.js b/JSTests/stress/object-keys-changed.js >deleted file mode 100644 >index 1d3a3053fbe6d64d902297b083dfa720db46c282..0000000000000000000000000000000000000000 >--- a/JSTests/stress/object-keys-changed.js >+++ /dev/null >@@ -1,28 +0,0 @@ >-function shouldBe(actual, expected) >-{ >- if (actual !== expected) >- throw new Error('bad value: ' + actual); >-} >- >-function test(object) >-{ >- return Object.keys(object); >-} >-noInline(test); >- >-var object = {}; >-for (var i = 0; i < 1e6; ++i) { >- var result = test(object); >- shouldBe(result.length, 0); >- shouldBe(result[0], undefined); >- result[0] = i; >- shouldBe(result.length, 1); >- shouldBe(result[0], i); >-} >- >-object.Cocoa = 42; >-for (var i = 0; i < 1e6; ++i) { >- var result = test(object); >- shouldBe(result.length, 1); >- shouldBe(result[0], 'Cocoa'); >-} >diff --git a/JSTests/stress/object-keys-indexed-non-cache.js b/JSTests/stress/object-keys-indexed-non-cache.js >deleted file mode 100644 >index 09c9cf4ee112a7f317cc6790131c00f4b870d68b..0000000000000000000000000000000000000000 >--- a/JSTests/stress/object-keys-indexed-non-cache.js >+++ /dev/null >@@ -1,25 +0,0 @@ >-function shouldBe(actual, expected) >-{ >- if (actual !== expected) >- throw new Error('bad value: ' + actual); >-} >- >-function test(object) >-{ >- return Object.keys(object); >-} >-noInline(test); >- >-var object = {0: 42}; >-for (var i = 0; i < 1e3; ++i) { >- var result = test(object); >- shouldBe(result.length, 1); >- shouldBe(result[0], '0'); >-} >-object[1] = 44; >-for (var i = 0; i < 1e3; ++i) { >- var result = test(object); >- shouldBe(result.length, 2); >- shouldBe(result[0], '0'); >- shouldBe(result[1], '1'); >-} >diff --git a/JSTests/stress/object-keys-overrides-get-property-names.js b/JSTests/stress/object-keys-overrides-get-property-names.js >deleted file mode 100644 >index 530d8bb17e9198e507be75c5d1961e914b0b7fdc..0000000000000000000000000000000000000000 >--- a/JSTests/stress/object-keys-overrides-get-property-names.js >+++ /dev/null >@@ -1,57 +0,0 @@ >-function shouldBe(actual, expected) >-{ >- if (actual !== expected) >- throw new Error('bad value: ' + actual); >-} >- >-function test(object) >-{ >- return Object.keys(object); >-} >-noInline(test); >- >-{ >- let object = new String("Cocoa"); >- for (let i = 0; i < 1e3; ++i) { >- let result = test(object); >- shouldBe(result.length, 5); >- shouldBe(result[0], '0'); >- shouldBe(result[1], '1'); >- shouldBe(result[2], '2'); >- shouldBe(result[3], '3'); >- shouldBe(result[4], '4'); >- } >- >- object.Cocoa = 42; >- let result = test(object); >- shouldBe(result.length, 6); >- shouldBe(result[0], '0'); >- shouldBe(result[1], '1'); >- shouldBe(result[2], '2'); >- shouldBe(result[3], '3'); >- shouldBe(result[4], '4'); >- shouldBe(result[5], 'Cocoa'); >-} >- >-{ >- let object = new String("Cocoa"); >- for (let i = 0; i < 1e3; ++i) { >- let result = test(object); >- shouldBe(result.length, 5); >- shouldBe(result[0], '0'); >- shouldBe(result[1], '1'); >- shouldBe(result[2], '2'); >- shouldBe(result[3], '3'); >- shouldBe(result[4], '4'); >- } >- >- object[8] = 42; >- let result = test(object); >- shouldBe(result.length, 6); >- shouldBe(result[0], '0'); >- shouldBe(result[1], '1'); >- shouldBe(result[2], '2'); >- shouldBe(result[3], '3'); >- shouldBe(result[4], '4'); >- shouldBe(result[5], '8'); >-}
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=357335">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 192715
: 357335