haikuwebkit/LayoutTests/js/dom/prototype-chain-caching-wit...

32 lines
679 B
HTML

REGRESSION: 2x regression on Dromaeo DOM query tests
https://bugs.webkit.org/show_bug.cgi?id=125377

Reviewed by Filip Pizlo.

PerformanceTests:

Added a micro-benchmark for updating a named property on document.

* Bindings/update-name-getter.html: Added.
* Skipped:

Source/JavaScriptCore:

The bug was caused by JSC not JIT'ing property access on "document" due to its type info having HasImpureGetOwnPropertySlot flag.

Fixed the bug by new type info flag NewImpurePropertyFiresWatchpoints, which allows the baseline JIT to generate byte code for access properties on an object with named properties (a.k.a. custom name getter) in DOM. When a new named property appears on the object, VM is notified via VM::addImpureProperty and fires StructureStubClearingWatchpoint added during the repatch.

* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure properties in the prototype chain.
(JSC::GetByIdStatus::computeForChain): Ditto.
* jit/Repatch.cpp:
(JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any object in the prototype chain via StructureStubClearingWatchpoint.
(JSC::generateProtoChainAccessStub): Ditto.
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::tryRepatchIn): Ditto.
* runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
(JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.
* runtime/Operations.h:
(JSC::normalizePrototypeChainForChainAccess): Don't exit early if VM will be notified of new impure property even if the object had impure properties.
* runtime/Structure.h:
(JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.
* runtime/VM.cpp:
(JSC::VM::registerWatchpointForImpureProperty): Added.
(JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.
* runtime/VM.h:

Source/WebCore:

The bug was caused by JSC not JIT'ing property accesses on document because of its having custom named getter (named properties). This resulted in resolution of methods on document such as getElementById to happen inside the interpreter.

Fixed the bug by using the new JSC type info flag which tells JSC to JIT property access on document, and then notifying JSC whenever a new named property appeared on document.

Tests:
js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-2.html
js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-3.html
js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-4.html
js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-2.html
js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-3.html
js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-4.html

* bindings/js/JSDOMBinding.cpp:
(WebCore::addImpureProperty): Wraps VM::addImpureProperty.
* bindings/js/JSDOMBinding.h:
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader): Added the support for NewImpurePropertyFiresWatchpoints.
* bindings/scripts/IDLAttributes.txt: Ditto.
* html/HTMLDocument.cpp:
(WebCore::HTMLDocument::addDocumentNamedItem): Calls addImpureProperty.
* html/HTMLDocument.idl: Added NewImpurePropertyFiresWatchpoints.

LayoutTests:

Added more regression tests for throwing away byte code when a new named property appears.

* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-expected: Rebaselined.
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Fixed the test to use dfgShouldBe.
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-2-expected.txt: Added.
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-2.html: Added.
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-3-expected.txt: Added.
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-3.html: Added.
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-4-expected.txt: Added.
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-4.html: Added.
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-5-expected.txt: Added.
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html: Added.
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-2-expected.txt: Added.
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-2.html: Added.
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-3-expected.txt: Added.
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-3.html: Added.
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-4-expected.txt: Added.
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-4.html: Added.
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5-expected.txt: Added.
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html: Added.
* js/dom/script-tests/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Removed.

Canonical link: https://commits.webkit.org/143790@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@160628 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2013-12-16 05:56:25 +00:00
<!DOCTYPE html>
<html>
<body>
<script src="../../resources/js-test-pre.js"></script>
<script>
description("Tests what happens when you make prototype chain accesses with impure GetOwnPropertySlot traps in the way.");
var obj = {};
obj.__proto__ = document;
[WebIDL] Re-implement GetOwnPropertySlot[ByIndex] generation to more closely follow WebIDL
https://bugs.webkit.org/show_bug.cgi?id=173229

Patch by Sam Weinig <sam@webkit.org> on 2017-06-12
Reviewed by Chris Dumez.

LayoutTests/imported/w3c:

* web-platform-tests/html/semantics/forms/the-form-element/form-nameditem-expected.txt: Update results for more passing tests.

Source/WebCore:

* WebCore.xcodeproj/project.pbxproj:
* CMakeLists.txt:
* bindings/js/JSBindingsAllInOne.cpp: Remove JSHTMLFrameSetElementCustom.cpp which is no longer needed.
* bindings/js/JSDOMAbstractOperations.h:
(WebCore::isVisibleNamedProperty): Add OverrideBuiltins enum as requested by a previous review (and I forgot to address) and adopt it in isVisibleNamedProperty, switch to VMInquiry as we use elsewhere and add a missing FIXME.
(WebCore::accessVisibleNamedProperty): Add variation of isVisibleNamedProperty that takes a functor and returns either the value the functor returns, or std::nullopt. This allows getOwnPropertySlot to avoid doing two lookups for property, once in the named property visibility algorithm and again when it needs the value.
* bindings/js/JSDOMWindowBase.cpp:
* bindings/js/JSDOMWindowBase.h:
* bindings/js/JSDOMWindowShell.cpp:
* bindings/js/JSDOMWindowShell.h: Standardize toJS functions to match generated code (have one that takes a reference, and does the cast, and one that takes a pointer, does a null check and calls the one that takes a reference).
* bindings/js/JSHTMLDocumentCustom.cpp:
(WebCore::JSHTMLDocument::getOwnPropertySlot): Update to use the implementation namedItem (which is also used by the generated getOwnPropertySlotByIndex) and match the updated bindings rules. This cannot yet be generated due to the odd case of the 'open' property requiring custom treatment. I tried removing this, but it caused tests to fail in a way that indicated that accessing the lexical global object in the open implementation was not working correctly.
* bindings/js/JSHTMLFrameSetElementCustom.cpp: Removed. Now generated.
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateIndexedGetter): Add description from the spec and change to return the computed values rather than print them to the output array. This will be useful for some clients going forward, who only want the attributes.
(GenerateNamedGetter): Add description from the spec and change to return the computed values rather than print them to the output array. This will be useful for some clients going forward, who only want the attributes. Also greatly simplifies things as [CustomNamedGetter]s are no longer needed/supported and the exception / null value checks are performed elsewhere.
(GenerateNamedGetterLambda): This generates a lambda functor for use in accessVisibleNamedProperty(...). It handles calling the named getter implementation, and transforming the result into one that can be reasoned about by accessVisibleNamedProperty, specifically, converting it from using IDL's notion of nullability to std::optional.
(GenerateGetOwnPropertySlot):
(GenerateGetOwnPropertySlotByIndex): Add spec annotations and use helper functions.
(GenerateGetOwnPropertyNames): Add FIXME about supporting non-contiguous indices (should that ever come up) and use JSObject explicitly, rather than base, to get the default getOwnPropertyNames implementation.
(GeneratePut): Use JSObject explicitly, rather than base, to get the default put implementation.
(GeneratePutByIndex): Use JSObject explicitly, rather than base, to get the default putByIndex implementation.
(GenerateDefineOwnProperty): Use JSObject explicitly, rather than base, to get the default getOwnPropertySlot/defineOwnProperty implementations.
(GenerateDeletePropertyCommon): Adopt new OverrideBuiltins enum.
(GenerateDeletePropertyDefinition): Use JSObject explicitly, rather than base, to get the default deleteProperty implementation.
(GenerateDeletePropertyByIndexDefinition): Use JSObject explicitly, rather than base, to get the default deletePropertyByIndex implementation.
(InstanceOverridesGetOwnPropertySlot): Remove [CustomNamedGetter] use.
(GenerateHeader): Remove [CustomNamedGetter] use and merge InstanceOverridesGetOwnPropertySlotByIndex into InstanceOverridesGetOwnPropertySlot. Specifying either [CustomGetOwnPropertySlot] or [CustomGetOwnPropertySlotByIndex] will now declare both hooks.
(GenerateImplementation): Rename GenerateGetOwnPropertySlotBody/GenerateGetOwnPropertySlotByIndexBody to remove the 'Body', and predicate their generation purely on InstanceOverridesGetOwnPropertySlot as noted for the reasons above.
(GenerateGetOwnPropertySlotBody): Deleted.
(GenerateGetOwnPropertySlotBodyByIndex): Deleted.
(InstanceOverridesGetOwnPropertySlotByIndex): Deleted.
* bindings/scripts/IDLAttributes.json: Remove [CustomNamedGetter].
* dom/ExceptionOr.h:
(WebCore::ExceptionOr<ReturnType>::returnValue): Add a function to peek at the return value.
* html/HTMLDocument.h:
* html/HTMLDocument.cpp:
(WebCore::HTMLDocument::clear):
(WebCore::HTMLDocument::captureEvents):
(WebCore::HTMLDocument::releaseEvents): Move clear up to be with the other obsolete no-op functions. Add spec annotations to clear up any confusion about why they are no-ops.
(WebCore::HTMLDocument::namedItem): Add implementation of namedItem based on the one that was in JSDOMHTMLDocumentCustom.cpp.
(WebCore::HTMLDocument::supportedPropertyNames): Add stub version of supportedPropertyNames with the algorithm we need to implement. I don't want to change behavior in this patch, and since we have not enumerated the properties of document in the past, I left this unimplemented for now.
* html/HTMLDocument.idl: Remove [CustomNamedGetter] and add named getter.
* html/HTMLFrameSetElement.h:
* html/HTMLFrameSetElement.cpp:
(WebCore::HTMLFrameSetElement::namedItem): Add named getter based on the implementation in JSHTMLFrameSetElementCustom.cpp.
(WebCore::HTMLFrameSetElement::supportedPropertyNames): As noted above, I don't want to change behavior with this change, so I have left this unimplemented for now. However, we may not want to implement it at all, as this named getter is not specified and at least Firefox does not support it.
* html/HTMLFrameSetElement.idl: Remove [CustomNamedGetter] and add named getter.
* bindings/scripts/test/JS/JSTestEventTarget.cpp:
* bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.cpp:
* bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.cpp:
* bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.cpp:
* bindings/scripts/test/JS/JSTestInterface.cpp:
* bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp:
* bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp:
* bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp:
* bindings/scripts/test/JS/JSTestNamedDeleterNoIdentifier.cpp:
* bindings/scripts/test/JS/JSTestNamedDeleterThrowingException.cpp:
* bindings/scripts/test/JS/JSTestNamedDeleterWithIdentifier.cpp:
* bindings/scripts/test/JS/JSTestNamedDeleterWithIndexedGetter.cpp:
* bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp:
* bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp:
* bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp:
* bindings/scripts/test/JS/JSTestNamedSetterWithOverrideBuiltins.cpp:
* bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.cpp:
* bindings/scripts/test/JS/JSTestNamedSetterWithUnforgablePropertiesAndOverrideBuiltins.cpp:
* bindings/scripts/test/JS/JSTestNode.cpp:
* bindings/scripts/test/JS/JSTestObj.cpp:
* bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp: Update test results.
* bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp: Removed.
* bindings/scripts/test/JS/JSTestCustomNamedGetter.h: Removed.
* bindings/scripts/test/TestCustomNamedGetter.idl: Removed. Remove test of [CustomNamedGetter] which no longer exists.

LayoutTests:

* fast/dom/HTMLDocument/document-special-properties-expected.txt: Update results. Named properties on HTMLDocument no longer override own properties, they only override properties from the prototype chain (as per the WebIDL specification for OverrideBuiltins). These results now also match Firefox.
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-4.html:
* js/dom/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html:
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-4.html:
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5-short.html:
* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html: Update tests to use a property on the prototype, rather than the instance, to test overriding the [GetOwnProperty] hook. This is needed now that HTMLDocument correctly follows the OverrideBuiltins rules as explained above.

Canonical link: https://commits.webkit.org/190129@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@218126 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-06-12 19:50:39 +00:00
Document.prototype.foo = function () {};
function f() {
return obj.foo;
}
var expected = "\"function\"";
for (var i = 0; i < 40; ++i) {
if (i == 35) {
var img = new Image();
img.name = "foo";
document.body.appendChild(img);
expected = "\"object\"";
}
shouldBe("typeof f()", expected);
}
</script>
<script src="../../resources/js-test-post.js"></script>
</body>
</html>
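
The invalidation this test exercises, as an added toy model in plain JavaScript (not WebKit code; `Obj`, `ChainCache`, `addNamedItem` and the `notify` flag are names invented here). A cached prototype-chain lookup registers itself on every object with a named getter that it walks past, and a newly added named item must reset that cache; otherwise the lookup keeps returning the stale prototype function.

```javascript
'use strict';
// Toy model constructed for illustration; none of these names are JavaScriptCore APIs.

class Obj {
  constructor(proto = null, impure = false) {
    this.proto = proto;
    this.own = new Map();
    this.named = impure ? new Map() : null; // named getter (impure lookup hook)
    this.watchers = new Set();              // caches that walked past this object
  }
  // Own properties win over named properties; named ones shadow the prototype chain.
  getOwn(name) {
    if (this.own.has(name)) return { value: this.own.get(name), cacheable: true };
    if (this.named && this.named.has(name)) {
      return { value: this.named.get(name), cacheable: false };
    }
    return null;
  }
  // A new named item appears; `notify` models telling the VM so watchpoints fire.
  addNamedItem(name, value, notify) {
    this.named.set(name, value);
    if (!notify) return;
    for (const cache of this.watchers) cache.reset();
    this.watchers.clear();
  }
}

class ChainCache {
  constructor(name) { this.name = name; this.reset(); }
  reset() { this.base = null; this.holder = null; }
  get(base) {
    // Fast path: trust the holder recorded by an earlier slow-path walk.
    if (this.base === base) return this.holder.own.get(this.name);
    const passed = []; // impure objects between base and the holder
    for (let o = base; o; o = o.proto) {
      const slot = o.getOwn(this.name);
      if (slot) {
        if (slot.cacheable) {
          this.base = base;
          this.holder = o;
          for (const p of passed) p.watchers.add(this);
        }
        return slot.value;
      }
      if (o.named) passed.push(o);
    }
    return undefined;
  }
}

// Same shape as the layout test: obj -> document -> Document.prototype.
function run(notify) {
  const documentPrototype = new Obj();
  const doc = new Obj(documentPrototype, true);
  const obj = new Obj(doc);
  documentPrototype.own.set('foo', function () {});
  const cache = new ChainCache('foo');
  const seen = [];
  for (let i = 0; i < 40; ++i) {
    if (i === 35) doc.addNamedItem('foo', { tagName: 'IMG' }, notify);
    seen.push(typeof cache.get(obj));
  }
  return seen;
}
```

`run(true)` reproduces the sequence the test expects (35 `"function"` results, then `"object"`), while `run(false)` returns `"function"` all 40 times, which is the stale-cache result the watchpoint exists to prevent.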