haikuwebkit/JSTests/typeProfiler/overflow.js


Move unsafe jsc shell test functions to the $vm object. https://bugs.webkit.org/show_bug.cgi?id=179980 Reviewed by Yusuke Suzuki. JSTests: * controlFlowProfiler/driver/driver.js: * controlFlowProfiler/execution-count.js: * controlFlowProfiler/if-statement.js: * controlFlowProfiler/loop-statements.js: * controlFlowProfiler/switch-statements.js: * controlFlowProfiler/test-jit.js: * exceptionFuzz/3d-cube.js: * exceptionFuzz/date-format-xparb.js: * exceptionFuzz/earley-boyer.js: * heapProfiler/basic-edges.js: * heapProfiler/property-edge-types.js: * microbenchmarks/try-get-by-id-basic.js: * microbenchmarks/try-get-by-id-polymorphic.js: * modules/namespace-object-try-get.js: * stress/argument-count-bytecode.js: * stress/argument-intrinsic-basic.js: * stress/argument-intrinsic-inlining-use-caller-arg.js: * stress/argument-intrinsic-inlining-with-result-escape.js: * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js: * stress/argument-intrinsic-inlining-with-vararg.js: * stress/argument-intrinsic-nested-inlining.js: * stress/argument-intrinsic-not-convert-to-get-argument.js: * stress/argument-intrinsic-with-stack-write.js: * stress/arity-mismatch-get-argument.js: * stress/array-message-passing.js: * stress/array-push-with-force-exit.js: * stress/check-dom-with-signature.js: * stress/check-sub-class.js: * stress/compare-eq-incomplete-profile.js: * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: * stress/do-eval-virtual-call-correctly.js: * stress/dom-jit-with-poly-proto.js: * stress/domjit-exception-ic.js: * stress/domjit-exception.js: * stress/domjit-getter-complex-with-incorrect-object.js: * stress/domjit-getter-complex.js: * stress/domjit-getter-poly.js: * stress/domjit-getter-proto.js: * stress/domjit-getter-super-poly.js: * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js: * stress/domjit-getter-type-check.js: * stress/domjit-getter.js: * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: * 
stress/for-in-proxy-target-changed-structure.js: * stress/for-in-proxy.js: * stress/generational-opaque-roots.js: * stress/global-const-redeclaration-setting-2.js: * stress/global-const-redeclaration-setting-3.js: * stress/global-const-redeclaration-setting-4.js: * stress/global-const-redeclaration-setting-5.js: * stress/global-const-redeclaration-setting.js: * stress/import-basic.js: * stress/import-from-eval.js: * stress/import-reject-with-exception.js: * stress/import-syntax.js: * stress/impure-get-own-property-slot-inline-cache.js: * stress/is-constructor.js: * stress/istypedarrayview-intrinsic.js: * stress/jsc-setImpureGetterDelegate-on-bad-type.js: * stress/jsc-test-functions-should-be-more-robust.js: * stress/object-toString-with-proxy.js: * stress/poly-proto-custom-value-and-accessor.js: * stress/proxy-inline-cache.js: * stress/re-execute-error-module.js: * stress/regress-150532.js: * stress/regress-156992.js: * stress/regress-179619.js: * stress/resources/shadow-chicken-support.js: * stress/runtime-array.js: * stress/sampling-profiler-microtasks.js: * stress/shadow-chicken-enabled.js: * stress/spread-correct-global-object-on-exception.js: * stress/super-get-by-id.js: * stress/tailCallForwardArguments.js: * stress/to-object-intrinsic-boolean-edge.js: * stress/to-object-intrinsic-null-or-undefined-edge.js: * stress/to-object-intrinsic-number-edge.js: * stress/to-object-intrinsic-object-edge.js: * stress/to-object-intrinsic-string-edge.js: * stress/to-object-intrinsic-symbol-edge.js: * stress/to-object-intrinsic.js: * stress/try-catch-custom-getter-as-get-by-id.js: * stress/try-get-by-id-poly-proto.js: * stress/try-get-by-id-should-spill-registers-dfg.js: * stress/try-get-by-id.js: * typeProfiler/arrow-functions.js: * typeProfiler/basic.js: * typeProfiler/captured.js: * typeProfiler/classes.js: * typeProfiler/dfg-jit-optimizations.js: * typeProfiler/dictionary-mode.js: * typeProfiler/es6-block-scoping.js: * typeProfiler/es6-classes.js: * 
typeProfiler/inheritance.js: * typeProfiler/int52-dfg.js: * typeProfiler/loop.js: * typeProfiler/optional-fields.js: * typeProfiler/overflow.js: * typeProfiler/return.js: * typeProfiler/symbol.js: * typeProfiler/weird-prototype-chain.js: Source/JavaScriptCore: Also removed setElementRoot() which was not used. * jsc.cpp: (GlobalObject::finishCreation): (WTF::Element::Element): Deleted. (WTF::Element::root const): Deleted. (WTF::Element::setRoot): Deleted. (WTF::Element::create): Deleted. (WTF::Element::visitChildren): Deleted. (WTF::Element::createStructure): Deleted. (WTF::Root::Root): Deleted. (WTF::Root::element): Deleted. (WTF::Root::setElement): Deleted. (WTF::Root::create): Deleted. (WTF::Root::createStructure): Deleted. (WTF::Root::visitChildren): Deleted. (WTF::ImpureGetter::ImpureGetter): Deleted. (WTF::ImpureGetter::createStructure): Deleted. (WTF::ImpureGetter::create): Deleted. (WTF::ImpureGetter::finishCreation): Deleted. (WTF::ImpureGetter::getOwnPropertySlot): Deleted. (WTF::ImpureGetter::visitChildren): Deleted. (WTF::ImpureGetter::setDelegate): Deleted. (WTF::CustomGetter::CustomGetter): Deleted. (WTF::CustomGetter::createStructure): Deleted. (WTF::CustomGetter::create): Deleted. (WTF::CustomGetter::getOwnPropertySlot): Deleted. (WTF::CustomGetter::customGetter): Deleted. (WTF::CustomGetter::customGetterAcessor): Deleted. (WTF::RuntimeArray::create): Deleted. (WTF::RuntimeArray::~RuntimeArray): Deleted. (WTF::RuntimeArray::destroy): Deleted. (WTF::RuntimeArray::getOwnPropertySlot): Deleted. (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted. (WTF::RuntimeArray::put): Deleted. (WTF::RuntimeArray::deleteProperty): Deleted. (WTF::RuntimeArray::getLength const): Deleted. (WTF::RuntimeArray::createPrototype): Deleted. (WTF::RuntimeArray::createStructure): Deleted. (WTF::RuntimeArray::finishCreation): Deleted. (WTF::RuntimeArray::RuntimeArray): Deleted. (WTF::RuntimeArray::lengthGetter): Deleted. (WTF::SimpleObject::SimpleObject): Deleted. 
(WTF::SimpleObject::create): Deleted. (WTF::SimpleObject::visitChildren): Deleted. (WTF::SimpleObject::createStructure): Deleted. (WTF::SimpleObject::hiddenValue): Deleted. (WTF::SimpleObject::setHiddenValue): Deleted. (WTF::DOMJITNode::DOMJITNode): Deleted. (WTF::DOMJITNode::createStructure): Deleted. (WTF::DOMJITNode::checkSubClassSnippet): Deleted. (WTF::DOMJITNode::create): Deleted. (WTF::DOMJITNode::value const): Deleted. (WTF::DOMJITNode::offsetOfValue): Deleted. (WTF::DOMJITGetter::DOMJITGetter): Deleted. (WTF::DOMJITGetter::createStructure): Deleted. (WTF::DOMJITGetter::create): Deleted. (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted. (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted. (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted. (WTF::DOMJITGetter::customGetter): Deleted. (WTF::DOMJITGetter::finishCreation): Deleted. (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted. (WTF::DOMJITGetterComplex::createStructure): Deleted. (WTF::DOMJITGetterComplex::create): Deleted. (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted. (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted. (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted. (WTF::DOMJITGetterComplex::functionEnableException): Deleted. (WTF::DOMJITGetterComplex::customGetter): Deleted. (WTF::DOMJITGetterComplex::finishCreation): Deleted. (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted. (WTF::DOMJITFunctionObject::createStructure): Deleted. (WTF::DOMJITFunctionObject::create): Deleted. (WTF::DOMJITFunctionObject::safeFunction): Deleted. (WTF::DOMJITFunctionObject::unsafeFunction): Deleted. (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted. (WTF::DOMJITFunctionObject::finishCreation): Deleted. (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted. (WTF::DOMJITCheckSubClassObject::createStructure): Deleted. (WTF::DOMJITCheckSubClassObject::create): Deleted. 
(WTF::DOMJITCheckSubClassObject::safeFunction): Deleted. (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted. (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted. (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted. (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted. (WTF::DOMJITGetterBaseJSObject::create): Deleted. (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted. (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted. (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted. (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted. (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted. (WTF::Element::handleOwner): Deleted. (WTF::Element::finishCreation): Deleted. (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted. (JSTestCustomGetterSetter::create): Deleted. (JSTestCustomGetterSetter::createStructure): Deleted. (customGetAccessor): Deleted. (customGetValue): Deleted. (customSetAccessor): Deleted. (customSetValue): Deleted. (JSTestCustomGetterSetter::finishCreation): Deleted. (GlobalObject::addConstructableFunction): Deleted. (functionCreateRoot): Deleted. (functionCreateElement): Deleted. (functionGetElement): Deleted. (functionSetElementRoot): Deleted. (functionCreateSimpleObject): Deleted. (functionGetHiddenValue): Deleted. (functionSetHiddenValue): Deleted. (functionCreateProxy): Deleted. (functionCreateRuntimeArray): Deleted. (functionCreateImpureGetter): Deleted. (functionCreateCustomGetterObject): Deleted. (functionCreateDOMJITNodeObject): Deleted. (functionCreateDOMJITGetterObject): Deleted. (functionCreateDOMJITGetterComplexObject): Deleted. (functionCreateDOMJITFunctionObject): Deleted. (functionCreateDOMJITCheckSubClassObject): Deleted. (functionCreateDOMJITGetterBaseJSObject): Deleted. (functionSetImpureGetterDelegate): Deleted. (functionGetGetterSetter): Deleted. (functionShadowChickenFunctionsOnStack): Deleted. 
(functionSetGlobalConstRedeclarationShouldNotThrow): Deleted. (functionGlobalObjectForObject): Deleted. (functionLoadGetterFromGetterSetter): Deleted. (functionCreateCustomTestGetterSetter): Deleted. (functionAbort): Deleted. (functionFindTypeForExpression): Deleted. (functionReturnTypeFor): Deleted. (functionDumpBasicBlockExecutionRanges): Deleted. (functionHasBasicBlockExecuted): Deleted. (functionBasicBlockExecutionCount): Deleted. (functionEnableExceptionFuzz): Deleted. (functionCreateBuiltin): Deleted. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * tools/JSDollarVM.cpp: (WTF::Element::Element): (WTF::Element::root const): (WTF::Element::setRoot): (WTF::Element::create): (WTF::Element::visitChildren): (WTF::Element::createStructure): (WTF::Root::Root): (WTF::Root::element): (WTF::Root::setElement): (WTF::Root::create): (WTF::Root::createStructure): (WTF::Root::visitChildren): (WTF::SimpleObject::SimpleObject): (WTF::SimpleObject::create): (WTF::SimpleObject::visitChildren): (WTF::SimpleObject::createStructure): (WTF::SimpleObject::hiddenValue): (WTF::SimpleObject::setHiddenValue): (WTF::ImpureGetter::ImpureGetter): (WTF::ImpureGetter::createStructure): (WTF::ImpureGetter::create): (WTF::ImpureGetter::finishCreation): (WTF::ImpureGetter::getOwnPropertySlot): (WTF::ImpureGetter::visitChildren): (WTF::ImpureGetter::setDelegate): (WTF::CustomGetter::CustomGetter): (WTF::CustomGetter::createStructure): (WTF::CustomGetter::create): (WTF::CustomGetter::getOwnPropertySlot): (WTF::CustomGetter::customGetter): (WTF::CustomGetter::customGetterAcessor): (WTF::RuntimeArray::create): (WTF::RuntimeArray::~RuntimeArray): (WTF::RuntimeArray::destroy): (WTF::RuntimeArray::getOwnPropertySlot): (WTF::RuntimeArray::getOwnPropertySlotByIndex): (WTF::RuntimeArray::put): (WTF::RuntimeArray::deleteProperty): (WTF::RuntimeArray::getLength const): (WTF::RuntimeArray::createPrototype): (WTF::RuntimeArray::createStructure): (WTF::RuntimeArray::finishCreation): 
(WTF::RuntimeArray::RuntimeArray): (WTF::RuntimeArray::lengthGetter): (WTF::DOMJITNode::DOMJITNode): (WTF::DOMJITNode::createStructure): (WTF::DOMJITNode::checkSubClassSnippet): (WTF::DOMJITNode::create): (WTF::DOMJITNode::value const): (WTF::DOMJITNode::offsetOfValue): (WTF::DOMJITGetter::DOMJITGetter): (WTF::DOMJITGetter::createStructure): (WTF::DOMJITGetter::create): (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): (WTF::DOMJITGetter::DOMJITAttribute::slowCall): (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): (WTF::DOMJITGetter::customGetter): (WTF::DOMJITGetter::finishCreation): (WTF::DOMJITGetterComplex::DOMJITGetterComplex): (WTF::DOMJITGetterComplex::createStructure): (WTF::DOMJITGetterComplex::create): (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): (WTF::DOMJITGetterComplex::functionEnableException): (WTF::DOMJITGetterComplex::customGetter): (WTF::DOMJITGetterComplex::finishCreation): (WTF::DOMJITFunctionObject::DOMJITFunctionObject): (WTF::DOMJITFunctionObject::createStructure): (WTF::DOMJITFunctionObject::create): (WTF::DOMJITFunctionObject::safeFunction): (WTF::DOMJITFunctionObject::unsafeFunction): (WTF::DOMJITFunctionObject::checkSubClassSnippet): (WTF::DOMJITFunctionObject::finishCreation): (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): (WTF::DOMJITCheckSubClassObject::createStructure): (WTF::DOMJITCheckSubClassObject::create): (WTF::DOMJITCheckSubClassObject::safeFunction): (WTF::DOMJITCheckSubClassObject::unsafeFunction): (WTF::DOMJITCheckSubClassObject::finishCreation): (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): (WTF::DOMJITGetterBaseJSObject::createStructure): (WTF::DOMJITGetterBaseJSObject::create): (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): 
(WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): (WTF::DOMJITGetterBaseJSObject::customGetter): (WTF::DOMJITGetterBaseJSObject::finishCreation): (WTF::Message::releaseContents): (WTF::Message::index const): (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter): (WTF::JSTestCustomGetterSetter::create): (WTF::JSTestCustomGetterSetter::createStructure): (WTF::customGetAccessor): (WTF::customGetValue): (WTF::customSetAccessor): (WTF::customSetValue): (WTF::JSTestCustomGetterSetter::finishCreation): (WTF::Element::handleOwner): (WTF::Element::finishCreation): (JSC::functionCrash): (JSC::functionCreateProxy): (JSC::functionCreateRuntimeArray): (JSC::functionCreateImpureGetter): (JSC::functionCreateCustomGetterObject): (JSC::functionCreateDOMJITNodeObject): (JSC::functionCreateDOMJITGetterObject): (JSC::functionCreateDOMJITGetterComplexObject): (JSC::functionCreateDOMJITFunctionObject): (JSC::functionCreateDOMJITCheckSubClassObject): (JSC::functionCreateDOMJITGetterBaseJSObject): (JSC::functionSetImpureGetterDelegate): (JSC::functionCreateBuiltin): (JSC::functionCreateRoot): (JSC::functionCreateElement): (JSC::functionGetElement): (JSC::functionCreateSimpleObject): (JSC::functionGetHiddenValue): (JSC::functionSetHiddenValue): (JSC::functionShadowChickenFunctionsOnStack): (JSC::functionSetGlobalConstRedeclarationShouldNotThrow): (JSC::functionFindTypeForExpression): (JSC::functionReturnTypeFor): (JSC::functionDumpBasicBlockExecutionRanges): (JSC::functionHasBasicBlockExecuted): (JSC::functionBasicBlockExecutionCount): (JSC::functionEnableExceptionFuzz): (JSC::functionGlobalObjectForObject): (JSC::functionGetGetterSetter): (JSC::functionLoadGetterFromGetterSetter): (JSC::functionCreateCustomTestGetterSetter): (JSC::JSDollarVM::finishCreation): (JSC::JSDollarVM::addFunction): (JSC::JSDollarVM::addConstructibleFunction): * tools/JSDollarVM.h: (JSC::JSDollarVM::create): Tools: Always set --useDollarVM=true for jsc runs of benchmarks. 
This is needed because some microbenchmarks rely on createBuiltin(). Also set --useDollarVM=true for runExceptionFuzz and runExecutableAllocationFuzz. * Scripts/run-jsc-benchmarks: * Scripts/run-jsc-stress-tests: LayoutTests: * js/script-tests/stack-trace.js: * js/stack-trace-expected.txt: Canonical link: https://commits.webkit.org/195997@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@225129 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-11-24 10:58:16 +00:00
// Bind the type-profiler query helper from the jsc shell's $vm object to a
// global name so the rest of the test can call it directly.
// NOTE(review): the unsafe shell test functions live on $vm, and the runner
// scripts pass --useDollarVM=true to make them available; without that flag
// $vm is presumably undefined and this line throws. Confirm against the
// runner configuration, and keep the flag out of any non-test deployment.
var findTypeForExpression = $vm.findTypeForExpression;
// Pull in the driver script from ./driver/ (relative path; presumably
// resolved against the directory the test is launched from — confirm).
load("./driver/driver.js");
function wrapper()
{
var x;
var Proto = function() {};
var oldProto;
for (var i = 0; i < MaxStructureCountWithoutOverflow; i++) {
// Make sure we get a new prototype chain on each assignment to x because objects with shared prototype chains will be merged.
x = new Proto;
Implement polymorphic prototypes https://bugs.webkit.org/show_bug.cgi?id=176391 Reviewed by Filip Pizlo. JSTests: * microbenchmarks/poly-proto-access.js: Added. (assert): (foo.C): (foo.C.prototype.get bar): (foo): (bar): * microbenchmarks/poly-proto-put-transition-speed.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (performSet): * microbenchmarks/poly-proto-setter-speed.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo.C.prototype.set p): (makePolyProtoObject.foo): (makePolyProtoObject): (performSet): * stress/constructor-with-return.js: (i.tests.forEach.Constructor): (i.tests.forEach): (tests.forEach.Constructor): Deleted. (tests.forEach): Deleted. * stress/dom-jit-with-poly-proto.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (validate): * stress/poly-proto-custom-value-and-accessor.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (items.forEach): (set get for): * stress/poly-proto-intrinsic-getter-correctness.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (foo): * stress/poly-proto-miss.js: Added. (makePolyProtoInstanceWithNullPrototype.foo.C): (makePolyProtoInstanceWithNullPrototype.foo): (makePolyProtoInstanceWithNullPrototype): (assert): (validate): * stress/poly-proto-op-in-caching.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (validate): (validate2): * stress/poly-proto-put-transition.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (performSet): (i.obj.__proto__.set p): * stress/poly-proto-set-prototype.js: Added. (assert): (let.alternateProto.get x): (let.alternateProto2.get y): (let.alternateProto2.get x): (foo.C): (foo): (validate): * stress/poly-proto-setter.js: Added. 
(assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo.C.prototype.set p): (makePolyProtoObject.foo.C.prototype.get p): (makePolyProtoObject.foo): (makePolyProtoObject): (performSet): * stress/poly-proto-using-inheritance.js: Added. (assert): (foo.C): (foo.C.prototype.get baz): (foo): (bar.C): (bar): (validate): * stress/primitive-poly-proto.js: Added. (makePolyProtoInstance.foo.C): (makePolyProtoInstance.foo): (makePolyProtoInstance): (assert): (validate): * stress/prototype-is-not-js-object.js: Added. (foo.bar): (foo): (assert): (validate): * stress/try-get-by-id-poly-proto.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (tryGetByIdText): (x.__proto__.get bar): (validate): * typeProfiler/overflow.js: Source/JavaScriptCore: This patch changes JSC's object model with respect to where the prototype of an object is stored. Previously, it was always stored as a constant value inside Structure. So an object's structure used to always tell you what its prototype is. Anytime an object changed its prototype, it would do a structure transition. This enables a large class of optimizations: just by doing a structure check, we know what the prototype is. However, this design falls down when you have many objects that have the same shape, but only differ in what their prototype value is. This arises in many JS programs. A simple, and probably common, example is when the program has a constructor inside of a function: ``` function foo() { class C { constructor() { this.field1 = 42; ...; this.fieldN = 42; } method1() { doStuffWith(this.field); } method2() { doStuffWith(this.field); } } let c = new C; do things with c; } repeatedly call foo() here. ``` Before this patch, in the above program, each time `new C` created an object, it would create an object with a different structure. The reason for this is that each time foo is called, there is a new instance of C.prototype. 
However, each `new C` that was created will have identical shape sans its prototype value. This would cause all ICs that used `c` to quickly give up on any form of caching because they would see too many structures and give up and permanently divert control flow to the slow path. This patch fixes this issue by expanding the notion of where the prototype of an object is stored. There are now two notions of where the prototype is stored. A Structure can now be in two modes: 1. Mono proto mode. This is the same mode as we used to have. It means the structure itself has a constant prototype value. 2. Poly proto mode. This means the structure knows nothing about the prototype value itself. Objects with this structure store their prototype in normal object field storage. The structure will tell you the offset of this prototype inside the object's storage. As of today, we only reserve inline slots for the prototype field because poly proto only occurs for JSFinalObject. However, this will be expanded to support out of line offsets in a future patch when we extend poly proto to work when we inherit from builtin types like Map and Array. In this initial patch, we do poly proto style inline caching whenever we see an object that is poly proto or if an object in its prototype lookup chain is poly proto. Poly proto ICs work by verifying the lookup chain at runtime. This essentially boils down to performing structure checks up the prototype chain. In a future patch, we're going to extend object property condition set to work with objects that don't have poly proto bases. Initially, accesses that have poly proto access chains will always turn into GetById/PutById in the DFG. In a future patch, I'm going to teach the DFG how to inline certain accesses that have poly proto in the access chain. One of the most interesting parts about this patch is how we decide when to go poly proto. This patch uses a profiling based approach. 
An IC will inform a watchpoint that it sees an opportunity when two Structures are structurally the same, sans the base object's prototype. This means that two structures have equivalent shapes all the way up the prototype chain. To support fast structural comparison, we compute a hash for a structure based on the properties it has. We compute this hash as we add properties to the structure. This computation is nearly free since we always add UniquedStringImpl*'s which already have their hashes computed. To compare structural equivalence, we just compare hash values all the way up the prototype chain. This means we can get hash conflicts between two structures, but it's extremely rare. First, it'll be rare for two structures to have the same hash. Secondly, we only consider structures originating from the same executable. How we set up this poly proto watchpoint is crucial to its design. When we create_this an object originating from some executable, that executable will create a Box<InlineWatchpointSet>. Each structure that originates from this executable will get a copy of that Box<InlineWatchpointSet>. As that structure transitions to new structures, they too will get a copy of that Box<InlineWatchpointSet>. Therefore, when invalidating an arbitrary structure's poly proto watchpoint, we will know the next time we create_this from that executable that it had been invalidated, and that we should create an object with a poly proto structure. We also use the pointer value of this Box<InlineWatchpointSet> to determine if two structures originated from the same executable. This pruning will severely limit the chances of getting a hash conflict in practice. This patch is neutral on my MBP on traditional JS benchmarks like Octane/Kraken/Sunspider. It may be a 1-2% ARES-6 progression. This patch is between neutral and a 9x progression on the various tests I added. Most of the microbenchmarks are progressed by at least 50%. 
* JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * builtins/BuiltinNames.cpp: * builtins/BuiltinNames.h: (JSC::BuiltinNames::BuiltinNames): (JSC::BuiltinNames::underscoreProtoPrivateName const): * bytecode/AccessCase.cpp: (JSC::AccessCase::AccessCase): (JSC::AccessCase::create): (JSC::AccessCase::commit): (JSC::AccessCase::guardedByStructureCheck const): (JSC::AccessCase::canReplace const): (JSC::AccessCase::dump const): (JSC::AccessCase::visitWeak const): (JSC::AccessCase::propagateTransitions const): (JSC::AccessCase::generateWithGuard): (JSC::AccessCase::generateImpl): * bytecode/AccessCase.h: (JSC::AccessCase::usesPolyProto const): (JSC::AccessCase::AccessCase): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): * bytecode/GetterSetterAccessCase.cpp: (JSC::GetterSetterAccessCase::GetterSetterAccessCase): (JSC::GetterSetterAccessCase::create): * bytecode/GetterSetterAccessCase.h: * bytecode/InternalFunctionAllocationProfile.h: (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase): * bytecode/IntrinsicGetterAccessCase.cpp: (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase): * bytecode/IntrinsicGetterAccessCase.h: * bytecode/ModuleNamespaceAccessCase.cpp: (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase): * bytecode/ObjectAllocationProfile.cpp: Added. (JSC::ObjectAllocationProfile::initializeProfile): (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): * bytecode/ObjectAllocationProfile.h: (JSC::ObjectAllocationProfile::clear): (JSC::ObjectAllocationProfile::initialize): Deleted. (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): Deleted. * bytecode/ObjectPropertyConditionSet.cpp: * bytecode/PolyProtoAccessChain.cpp: Added. 
(JSC::PolyProtoAccessChain::create): (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const): (JSC::PolyProtoAccessChain::operator== const): (JSC::PolyProtoAccessChain::dump const): * bytecode/PolyProtoAccessChain.h: Added. (JSC::PolyProtoAccessChain::clone): (JSC::PolyProtoAccessChain:: const): (JSC::PolyProtoAccessChain::operator!= const): (JSC::PolyProtoAccessChain::forEach const): * bytecode/PolymorphicAccess.cpp: (JSC::PolymorphicAccess::addCases): (JSC::PolymorphicAccess::regenerate): (WTF::printInternal): * bytecode/PolymorphicAccess.h: (JSC::AccessGenerationResult::shouldResetStub const): (JSC::AccessGenerationState::AccessGenerationState): * bytecode/PropertyCondition.cpp: (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): * bytecode/ProxyableAccessCase.cpp: (JSC::ProxyableAccessCase::ProxyableAccessCase): (JSC::ProxyableAccessCase::create): * bytecode/ProxyableAccessCase.h: * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeForStubInfo): * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::addAccessCase): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::load): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::canDoFastSpread): * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): (JSC::DFG::SpeculativeJIT::compileInstanceOf): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_instanceof): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_instanceof): * jit/Repatch.cpp: (JSC::tryCacheGetByID): (JSC::tryCachePutByID): (JSC::tryRepatchIn): * jsc.cpp: (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): (WTF::DOMJITGetterBaseJSObject::createStructure): (WTF::DOMJITGetterBaseJSObject::create): (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): 
(WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): (WTF::DOMJITGetterBaseJSObject::customGetter): (WTF::DOMJITGetterBaseJSObject::finishCreation): (GlobalObject::finishCreation): (functionCreateDOMJITGetterBaseJSObject): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/ArrayPrototype.cpp: (JSC::holesMustForwardToPrototype): (JSC::fastJoin): (JSC::arrayProtoFuncReverse): (JSC::moveElements): * runtime/ClonedArguments.cpp: (JSC::ClonedArguments::createEmpty): (JSC::ClonedArguments::createWithInlineFrame): (JSC::ClonedArguments::createWithMachineFrame): (JSC::ClonedArguments::createByCopyingFrom): * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/FunctionExecutable.cpp: (JSC::FunctionExecutable::visitChildren): * runtime/FunctionExecutable.h: * runtime/FunctionRareData.cpp: (JSC::FunctionRareData::initializeObjectAllocationProfile): * runtime/FunctionRareData.h: * runtime/InternalFunction.cpp: (JSC::InternalFunction::createSubclassStructureSlow): * runtime/JSArray.cpp: (JSC::JSArray::fastSlice): (JSC::JSArray::shiftCountWithArrayStorage): (JSC::JSArray::shiftCountWithAnyIndexingType): (JSC::JSArray::isIteratorProtocolFastAndNonObservable): * runtime/JSArrayInlines.h: (JSC::JSArray::canFastCopy): * runtime/JSCJSValue.cpp: (JSC::JSValue::dumpInContextAssumingStructure const): * runtime/JSFunction.cpp: (JSC::JSFunction::prototypeForConstruction): (JSC::JSFunction::allocateAndInitializeRareData): (JSC::JSFunction::initializeRareData): (JSC::JSFunction::getOwnPropertySlot): * runtime/JSFunction.h: * runtime/JSMap.cpp: (JSC::JSMap::isIteratorProtocolFastAndNonObservable): (JSC::JSMap::canCloneFastAndNonObservable): * runtime/JSObject.cpp: (JSC::JSObject::putInlineSlow): (JSC::JSObject::createInitialIndexedStorage): (JSC::JSObject::createArrayStorage): (JSC::JSObject::convertUndecidedToArrayStorage): (JSC::JSObject::convertInt32ToArrayStorage): 
(JSC::JSObject::convertDoubleToArrayStorage): (JSC::JSObject::convertContiguousToArrayStorage): (JSC::JSObject::ensureInt32Slow): (JSC::JSObject::ensureDoubleSlow): (JSC::JSObject::ensureContiguousSlow): (JSC::JSObject::ensureArrayStorageSlow): (JSC::JSObject::setPrototypeDirect): (JSC::JSObject::ordinaryToPrimitive const): (JSC::JSObject::putByIndexBeyondVectorLength): (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength): (JSC::JSObject::getEnumerableLength): (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const): (JSC::JSObject::prototypeChainMayInterceptStoreTo): (JSC::JSObject::needsSlowPutIndexing const): (JSC::JSObject::suggestedArrayStorageTransition const): * runtime/JSObject.h: (JSC::JSObject::finishCreation): (JSC::JSObject::getPrototypeDirect const): (JSC::JSObject::getPropertySlot): * runtime/JSObjectInlines.h: (JSC::JSObject::getPropertySlot): (JSC::JSObject::getNonIndexPropertySlot): (JSC::JSObject::putInlineForJSObject): * runtime/JSPropertyNameEnumerator.h: (JSC::propertyNameEnumerator): * runtime/JSSet.cpp: (JSC::JSSet::isIteratorProtocolFastAndNonObservable): (JSC::JSSet::canCloneFastAndNonObservable): * runtime/LazyClassStructure.h: (JSC::LazyClassStructure::prototypeConcurrently const): Deleted. 
* runtime/Operations.cpp: (JSC::normalizePrototypeChain): * runtime/Operations.h: * runtime/Options.h: * runtime/PrototypeMap.cpp: (JSC::PrototypeMap::createEmptyStructure): (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure): (JSC::PrototypeMap::emptyObjectStructureForPrototype): (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): * runtime/PrototypeMap.h: * runtime/Structure.cpp: (JSC::Structure::Structure): (JSC::Structure::create): (JSC::Structure::holesMustForwardToPrototype const): (JSC::Structure::changePrototypeTransition): (JSC::Structure::isCheapDuringGC): (JSC::Structure::toStructureShape): (JSC::Structure::dump const): (JSC::Structure::canCachePropertyNameEnumerator const): (JSC::Structure::anyObjectInChainMayInterceptIndexedAccesses const): Deleted. (JSC::Structure::needsSlowPutIndexing const): Deleted. (JSC::Structure::suggestedArrayStorageTransition const): Deleted. (JSC::Structure::prototypeForLookup const): Deleted. (JSC::Structure::prototypeChainMayInterceptStoreTo): Deleted. (JSC::Structure::canUseForAllocationsOf): Deleted. * runtime/Structure.h: * runtime/StructureChain.h: * runtime/StructureInlines.h: (JSC::Structure::create): (JSC::Structure::storedPrototypeObject const): (JSC::Structure::storedPrototypeStructure const): (JSC::Structure::storedPrototype const): (JSC::prototypeForLookupPrimitiveImpl): (JSC::Structure::prototypeForLookup const): (JSC::Structure::prototypeChain const): (JSC::Structure::isValid const): (JSC::Structure::add): (JSC::Structure::setPropertyTable): (JSC::Structure::shouldConvertToPolyProto): * runtime/StructureRareData.h: * runtime/TypeProfilerLog.cpp: (JSC::TypeProfilerLog::processLogEntries): * runtime/TypeSet.cpp: (JSC::TypeSet::addTypeInformation): * runtime/TypeSet.h: * runtime/WriteBarrier.h: (JSC::WriteBarrierBase<Unknown>::isInt32 const): Source/WTF: * wtf/Box.h: (WTF::Box::operator bool const): (WTF::Box::operator bool): Deleted. Make Box movable. 
Also ensure its operator bool doesn't do an atomic increment. * wtf/RefPtr.h: (WTF::RefPtr::operator bool const): Add `explicit operator bool()` for RefPtr. Tools: * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/194106@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222827 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-10-04 01:53:18 +00:00
x['field' + i] = 20;
x = x
oldProto = Proto;
Proto = function() {};
Proto.prototype.__proto__ = oldProto.prototype;
}
x = {};
var y;
Proto = function() {};
oldProto = null;
for (var i = 0; i < MaxStructureCountWithoutOverflow - 1; i++) {
y = new Proto;
Implement polymorphic prototypes https://bugs.webkit.org/show_bug.cgi?id=176391 Reviewed by Filip Pizlo. JSTests: * microbenchmarks/poly-proto-access.js: Added. (assert): (foo.C): (foo.C.prototype.get bar): (foo): (bar): * microbenchmarks/poly-proto-put-transition-speed.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (performSet): * microbenchmarks/poly-proto-setter-speed.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo.C.prototype.set p): (makePolyProtoObject.foo): (makePolyProtoObject): (performSet): * stress/constructor-with-return.js: (i.tests.forEach.Constructor): (i.tests.forEach): (tests.forEach.Constructor): Deleted. (tests.forEach): Deleted. * stress/dom-jit-with-poly-proto.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (validate): * stress/poly-proto-custom-value-and-accessor.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (items.forEach): (set get for): * stress/poly-proto-intrinsic-getter-correctness.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (foo): * stress/poly-proto-miss.js: Added. (makePolyProtoInstanceWithNullPrototype.foo.C): (makePolyProtoInstanceWithNullPrototype.foo): (makePolyProtoInstanceWithNullPrototype): (assert): (validate): * stress/poly-proto-op-in-caching.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (validate): (validate2): * stress/poly-proto-put-transition.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (performSet): (i.obj.__proto__.set p): * stress/poly-proto-set-prototype.js: Added. (assert): (let.alternateProto.get x): (let.alternateProto2.get y): (let.alternateProto2.get x): (foo.C): (foo): (validate): * stress/poly-proto-setter.js: Added. 
(assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo.C.prototype.set p): (makePolyProtoObject.foo.C.prototype.get p): (makePolyProtoObject.foo): (makePolyProtoObject): (performSet): * stress/poly-proto-using-inheritance.js: Added. (assert): (foo.C): (foo.C.prototype.get baz): (foo): (bar.C): (bar): (validate): * stress/primitive-poly-proto.js: Added. (makePolyProtoInstance.foo.C): (makePolyProtoInstance.foo): (makePolyProtoInstance): (assert): (validate): * stress/prototype-is-not-js-object.js: Added. (foo.bar): (foo): (assert): (validate): * stress/try-get-by-id-poly-proto.js: Added. (assert): (makePolyProtoObject.foo.C): (makePolyProtoObject.foo): (makePolyProtoObject): (tryGetByIdText): (x.__proto__.get bar): (validate): * typeProfiler/overflow.js: Source/JavaScriptCore: This patch changes JSC's object model with respect to where the prototype of an object is stored. Previously, it was always stored as a constant value inside Structure. So an object's structure used to always tell you what its prototype is. Anytime an object changed its prototype, it would do a structure transition. This enables a large class of optimizations: just by doing a structure check, we know what the prototype is. However, this design falls down when you have many objects that have the same shape, but only differ in what their prototype value is. This arises in many JS programs. A simple, and probably common, example is when the program has a constructor inside of a function: ``` function foo() { class C { constructor() { this.field1 = 42; ...; this.fieldN = 42; } method1() { doStuffWith(this.field); } method2() { doStuffWith(this.field); } } let c = new C; do things with c; } repeatedly call foo() here. ``` Before this patch, in the above program, each time `new C` created an object, it would create an object with a different structure. The reason for this is that each time foo is called, there is a new instance of C.prototype. 
However, each `new C` that was created would have identical shape sans its prototype value. This would cause all ICs that used `c` to quickly give up on any form of caching because they would see too many structures and give up and permanently divert control flow to the slow path. This patch fixes this issue by expanding the notion of where the prototype of an object is stored. There are now two notions of where the prototype is stored. A Structure can now be in two modes: 1. Mono proto mode. This is the same mode as we used to have. It means the structure itself has a constant prototype value. 2. Poly proto mode. This means the structure knows nothing about the prototype value itself. Objects with this structure store their prototype in normal object field storage. The structure will tell you the offset of this prototype inside the object's storage. As of today, we only reserve inline slots for the prototype field because poly proto only occurs for JSFinalObject. However, this will be expanded to support out of line offsets in a future patch when we extend poly proto to work when we inherit from builtin types like Map and Array. In this initial patch, we do poly proto style inline caching whenever we see an object that is poly proto or if an object in its prototype lookup chain is poly proto. Poly proto ICs work by verifying the lookup chain at runtime. This essentially boils down to performing structure checks up the prototype chain. In a future patch, we're going to extend object property condition set to work with objects that don't have poly proto bases. Initially, accesses that have poly proto access chains will always turn into GetById/PutById in the DFG. In a future patch, I'm going to teach the DFG how to inline certain accesses that have poly proto in the access chain. One of the most interesting parts about this patch is how we decide when to go poly proto. This patch uses a profiling based approach. 
An IC will inform a watchpoint that it sees an opportunity when two Structures are structurally the same, sans the base object's prototype. This means that two structures have equivalent shapes all the way up the prototype chain. To support fast structural comparison, we compute a hash for a structure based on the properties it has. We compute this hash as we add properties to the structure. This computation is nearly free since we always add UniquedStringImpl*'s which already have their hashes computed. To compare structural equivalence, we just compare hash values all the way up the prototype chain. This means we can get hash conflicts between two structures, but it's extremely rare. First, it'll be rare for two structures to have the same hash. Secondly, we only consider structures originating from the same executable. How we set up this poly proto watchpoint is crucial to its design. When we create_this an object originating from some executable, that executable will create a Box<InlineWatchpointSet>. Each structure that originates from this executable will get a copy of that Box<InlineWatchpointSet>. As that structure transitions to new structures, they too will get a copy of that Box<InlineWatchpointSet>. Therefore, when invalidating an arbitrary structure's poly proto watchpoint, we will know the next time we create_this from that executable that it had been invalidated, and that we should create an object with a poly proto structure. We also use the pointer value of this Box<InlineWatchpointSet> to determine if two structures originated from the same executable. This pruning will severely limit the chances of getting a hash conflict in practice. This patch is neutral on my MBP on traditional JS benchmarks like Octane/Kraken/Sunspider. It may be a 1-2% ARES-6 progression. This patch is between neutral and a 9x progression on the various tests I added. Most of the microbenchmarks are progressed by at least 50%. 
* JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * builtins/BuiltinNames.cpp: * builtins/BuiltinNames.h: (JSC::BuiltinNames::BuiltinNames): (JSC::BuiltinNames::underscoreProtoPrivateName const): * bytecode/AccessCase.cpp: (JSC::AccessCase::AccessCase): (JSC::AccessCase::create): (JSC::AccessCase::commit): (JSC::AccessCase::guardedByStructureCheck const): (JSC::AccessCase::canReplace const): (JSC::AccessCase::dump const): (JSC::AccessCase::visitWeak const): (JSC::AccessCase::propagateTransitions const): (JSC::AccessCase::generateWithGuard): (JSC::AccessCase::generateImpl): * bytecode/AccessCase.h: (JSC::AccessCase::usesPolyProto const): (JSC::AccessCase::AccessCase): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): * bytecode/GetterSetterAccessCase.cpp: (JSC::GetterSetterAccessCase::GetterSetterAccessCase): (JSC::GetterSetterAccessCase::create): * bytecode/GetterSetterAccessCase.h: * bytecode/InternalFunctionAllocationProfile.h: (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase): * bytecode/IntrinsicGetterAccessCase.cpp: (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase): * bytecode/IntrinsicGetterAccessCase.h: * bytecode/ModuleNamespaceAccessCase.cpp: (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase): * bytecode/ObjectAllocationProfile.cpp: Added. (JSC::ObjectAllocationProfile::initializeProfile): (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): * bytecode/ObjectAllocationProfile.h: (JSC::ObjectAllocationProfile::clear): (JSC::ObjectAllocationProfile::initialize): Deleted. (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): Deleted. * bytecode/ObjectPropertyConditionSet.cpp: * bytecode/PolyProtoAccessChain.cpp: Added. 
(JSC::PolyProtoAccessChain::create): (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const): (JSC::PolyProtoAccessChain::operator== const): (JSC::PolyProtoAccessChain::dump const): * bytecode/PolyProtoAccessChain.h: Added. (JSC::PolyProtoAccessChain::clone): (JSC::PolyProtoAccessChain:: const): (JSC::PolyProtoAccessChain::operator!= const): (JSC::PolyProtoAccessChain::forEach const): * bytecode/PolymorphicAccess.cpp: (JSC::PolymorphicAccess::addCases): (JSC::PolymorphicAccess::regenerate): (WTF::printInternal): * bytecode/PolymorphicAccess.h: (JSC::AccessGenerationResult::shouldResetStub const): (JSC::AccessGenerationState::AccessGenerationState): * bytecode/PropertyCondition.cpp: (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): * bytecode/ProxyableAccessCase.cpp: (JSC::ProxyableAccessCase::ProxyableAccessCase): (JSC::ProxyableAccessCase::create): * bytecode/ProxyableAccessCase.h: * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeForStubInfo): * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::addAccessCase): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::load): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::canDoFastSpread): * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): (JSC::DFG::SpeculativeJIT::compileInstanceOf): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_instanceof): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_instanceof): * jit/Repatch.cpp: (JSC::tryCacheGetByID): (JSC::tryCachePutByID): (JSC::tryRepatchIn): * jsc.cpp: (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): (WTF::DOMJITGetterBaseJSObject::createStructure): (WTF::DOMJITGetterBaseJSObject::create): (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): 
(WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): (WTF::DOMJITGetterBaseJSObject::customGetter): (WTF::DOMJITGetterBaseJSObject::finishCreation): (GlobalObject::finishCreation): (functionCreateDOMJITGetterBaseJSObject): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/ArrayPrototype.cpp: (JSC::holesMustForwardToPrototype): (JSC::fastJoin): (JSC::arrayProtoFuncReverse): (JSC::moveElements): * runtime/ClonedArguments.cpp: (JSC::ClonedArguments::createEmpty): (JSC::ClonedArguments::createWithInlineFrame): (JSC::ClonedArguments::createWithMachineFrame): (JSC::ClonedArguments::createByCopyingFrom): * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/FunctionExecutable.cpp: (JSC::FunctionExecutable::visitChildren): * runtime/FunctionExecutable.h: * runtime/FunctionRareData.cpp: (JSC::FunctionRareData::initializeObjectAllocationProfile): * runtime/FunctionRareData.h: * runtime/InternalFunction.cpp: (JSC::InternalFunction::createSubclassStructureSlow): * runtime/JSArray.cpp: (JSC::JSArray::fastSlice): (JSC::JSArray::shiftCountWithArrayStorage): (JSC::JSArray::shiftCountWithAnyIndexingType): (JSC::JSArray::isIteratorProtocolFastAndNonObservable): * runtime/JSArrayInlines.h: (JSC::JSArray::canFastCopy): * runtime/JSCJSValue.cpp: (JSC::JSValue::dumpInContextAssumingStructure const): * runtime/JSFunction.cpp: (JSC::JSFunction::prototypeForConstruction): (JSC::JSFunction::allocateAndInitializeRareData): (JSC::JSFunction::initializeRareData): (JSC::JSFunction::getOwnPropertySlot): * runtime/JSFunction.h: * runtime/JSMap.cpp: (JSC::JSMap::isIteratorProtocolFastAndNonObservable): (JSC::JSMap::canCloneFastAndNonObservable): * runtime/JSObject.cpp: (JSC::JSObject::putInlineSlow): (JSC::JSObject::createInitialIndexedStorage): (JSC::JSObject::createArrayStorage): (JSC::JSObject::convertUndecidedToArrayStorage): (JSC::JSObject::convertInt32ToArrayStorage): 
(JSC::JSObject::convertDoubleToArrayStorage): (JSC::JSObject::convertContiguousToArrayStorage): (JSC::JSObject::ensureInt32Slow): (JSC::JSObject::ensureDoubleSlow): (JSC::JSObject::ensureContiguousSlow): (JSC::JSObject::ensureArrayStorageSlow): (JSC::JSObject::setPrototypeDirect): (JSC::JSObject::ordinaryToPrimitive const): (JSC::JSObject::putByIndexBeyondVectorLength): (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength): (JSC::JSObject::getEnumerableLength): (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const): (JSC::JSObject::prototypeChainMayInterceptStoreTo): (JSC::JSObject::needsSlowPutIndexing const): (JSC::JSObject::suggestedArrayStorageTransition const): * runtime/JSObject.h: (JSC::JSObject::finishCreation): (JSC::JSObject::getPrototypeDirect const): (JSC::JSObject::getPropertySlot): * runtime/JSObjectInlines.h: (JSC::JSObject::getPropertySlot): (JSC::JSObject::getNonIndexPropertySlot): (JSC::JSObject::putInlineForJSObject): * runtime/JSPropertyNameEnumerator.h: (JSC::propertyNameEnumerator): * runtime/JSSet.cpp: (JSC::JSSet::isIteratorProtocolFastAndNonObservable): (JSC::JSSet::canCloneFastAndNonObservable): * runtime/LazyClassStructure.h: (JSC::LazyClassStructure::prototypeConcurrently const): Deleted. 
* runtime/Operations.cpp: (JSC::normalizePrototypeChain): * runtime/Operations.h: * runtime/Options.h: * runtime/PrototypeMap.cpp: (JSC::PrototypeMap::createEmptyStructure): (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure): (JSC::PrototypeMap::emptyObjectStructureForPrototype): (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): * runtime/PrototypeMap.h: * runtime/Structure.cpp: (JSC::Structure::Structure): (JSC::Structure::create): (JSC::Structure::holesMustForwardToPrototype const): (JSC::Structure::changePrototypeTransition): (JSC::Structure::isCheapDuringGC): (JSC::Structure::toStructureShape): (JSC::Structure::dump const): (JSC::Structure::canCachePropertyNameEnumerator const): (JSC::Structure::anyObjectInChainMayInterceptIndexedAccesses const): Deleted. (JSC::Structure::needsSlowPutIndexing const): Deleted. (JSC::Structure::suggestedArrayStorageTransition const): Deleted. (JSC::Structure::prototypeForLookup const): Deleted. (JSC::Structure::prototypeChainMayInterceptStoreTo): Deleted. (JSC::Structure::canUseForAllocationsOf): Deleted. * runtime/Structure.h: * runtime/StructureChain.h: * runtime/StructureInlines.h: (JSC::Structure::create): (JSC::Structure::storedPrototypeObject const): (JSC::Structure::storedPrototypeStructure const): (JSC::Structure::storedPrototype const): (JSC::prototypeForLookupPrimitiveImpl): (JSC::Structure::prototypeForLookup const): (JSC::Structure::prototypeChain const): (JSC::Structure::isValid const): (JSC::Structure::add): (JSC::Structure::setPropertyTable): (JSC::Structure::shouldConvertToPolyProto): * runtime/StructureRareData.h: * runtime/TypeProfilerLog.cpp: (JSC::TypeProfilerLog::processLogEntries): * runtime/TypeSet.cpp: (JSC::TypeSet::addTypeInformation): * runtime/TypeSet.h: * runtime/WriteBarrier.h: (JSC::WriteBarrierBase<Unknown>::isInt32 const): Source/WTF: * wtf/Box.h: (WTF::Box::operator bool const): (WTF::Box::operator bool): Deleted. Make Box movable. 
Also ensure its operator bool doesn't do an atomic increment. * wtf/RefPtr.h: (WTF::RefPtr::operator bool const): Add `explicit operator bool()` for RefPtr. Tools: * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/194106@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222827 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-10-04 01:53:18 +00:00
y['field' + i] = 20;
y = y
oldProto = Proto;
Proto = function() {};
Proto.prototype.__proto__ = oldProto.prototype;
}
y = {};
}
// Run the profiled function once so the type profiler has data for its locals.
wrapper();

// Holds the profiler's answer for whichever expression was queried last.
var types;

// The profiler is expected to report `x` as overflown (see the assertion message).
types = findTypeForExpression(wrapper, "x;");
assert(types.isOverflown, "x should be overflown with too many structure shapes.");

// The loop that fills `y` runs MaxStructureCountWithoutOverflow - 1 times, so
// `y` is expected not to be reported as overflown.
types = findTypeForExpression(wrapper, "y;");
assert(!types.isOverflown, "y should not be overflown with too many structure shapes.");