diff options
Diffstat (limited to 'Source/JavaScriptCore/runtime/Structure.cpp')
| -rw-r--r-- | Source/JavaScriptCore/runtime/Structure.cpp | 1321 |
1 files changed, 726 insertions, 595 deletions
diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp index 8781ab007..d730254c5 100644 --- a/Source/JavaScriptCore/runtime/Structure.cpp +++ b/Source/JavaScriptCore/runtime/Structure.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008, 2009, 2013 Apple Inc. All rights reserved. + * Copyright (C) 2008, 2009, 2013-2016 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,10 +10,10 @@ * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * - * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY + * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR @@ -28,75 +28,99 @@ #include "CodeBlock.h" #include "DumpContext.h" +#include "JSCInlines.h" #include "JSObject.h" -#include "JSPropertyNameIterator.h" +#include "JSPropertyNameEnumerator.h" #include "Lookup.h" +#include "PropertyMapHashTable.h" #include "PropertyNameArray.h" #include "StructureChain.h" #include "StructureRareDataInlines.h" +#include "WeakGCMapInlines.h" #include <wtf/CommaPrinter.h> -#include <wtf/RefCountedLeakCounter.h> +#include <wtf/NeverDestroyed.h> +#include <wtf/ProcessID.h> #include <wtf/RefPtr.h> #include <wtf/Threading.h> #define DUMP_STRUCTURE_ID_STATISTICS 0 -#ifndef NDEBUG -#define DO_PROPERTYMAP_CONSTENCY_CHECK 0 -#else -#define DO_PROPERTYMAP_CONSTENCY_CHECK 0 -#endif - using namespace std; using namespace WTF; -#if DUMP_PROPERTYMAP_STATS - -int numProbes; -int numCollisions; -int numRehashes; -int numRemoves; - -#endif - namespace JSC { #if DUMP_STRUCTURE_ID_STATISTICS static HashSet<Structure*>& liveStructureSet = *(new HashSet<Structure*>); #endif -bool StructureTransitionTable::contains(StringImpl* rep, unsigned attributes) const +class SingleSlotTransitionWeakOwner final : public WeakHandleOwner { + void finalize(Handle<Unknown>, void* context) override + { + StructureTransitionTable* table = reinterpret_cast<StructureTransitionTable*>(context); + ASSERT(table->isUsingSingleSlot()); + WeakSet::deallocate(table->weakImpl()); + table->m_data = StructureTransitionTable::UsingSingleSlotFlag; + } +}; + +static SingleSlotTransitionWeakOwner& singleSlotTransitionWeakOwner() +{ + static NeverDestroyed<SingleSlotTransitionWeakOwner> owner; + return owner; +} + +inline Structure* StructureTransitionTable::singleTransition() const +{ + ASSERT(isUsingSingleSlot()); + if (WeakImpl* impl = this->weakImpl()) { + if (impl->state() == WeakImpl::Live) + return jsCast<Structure*>(impl->jsValue().asCell()); + } + return nullptr; +} + +inline void StructureTransitionTable::setSingleTransition(Structure* structure) +{ + ASSERT(isUsingSingleSlot()); + if (WeakImpl* impl = this->weakImpl()) + WeakSet::deallocate(impl); + WeakImpl* impl = WeakSet::allocate(structure, &singleSlotTransitionWeakOwner(), this); + m_data = reinterpret_cast<intptr_t>(impl) | UsingSingleSlotFlag; +} + +bool StructureTransitionTable::contains(UniquedStringImpl* rep, unsigned attributes) const { if (isUsingSingleSlot()) { Structure* transition = singleTransition(); - return transition && transition->m_nameInPrevious == rep && transition->m_attributesInPrevious == attributes; + return transition && transition->m_nameInPrevious == rep && transition->attributesInPrevious() == attributes; } return map()->get(std::make_pair(rep, attributes)); } -inline Structure* StructureTransitionTable::get(StringImpl* rep, unsigned attributes) const +Structure* StructureTransitionTable::get(UniquedStringImpl* rep, unsigned attributes) const { if (isUsingSingleSlot()) { Structure* transition = singleTransition(); - return (transition && transition->m_nameInPrevious == rep && transition->m_attributesInPrevious == attributes) ? transition : 0; + return (transition && transition->m_nameInPrevious == rep && transition->attributesInPrevious() == attributes) ? transition : 0; } return map()->get(std::make_pair(rep, attributes)); } -inline void StructureTransitionTable::add(VM& vm, Structure* structure) +void StructureTransitionTable::add(VM& vm, Structure* structure) { if (isUsingSingleSlot()) { Structure* existingTransition = singleTransition(); // This handles the first transition being added. if (!existingTransition) { - setSingleTransition(vm, structure); + setSingleTransition(structure); return; } // This handles the second transition being added // (or the first transition being despecified!) - setMap(new TransitionMap()); + setMap(new TransitionMap(vm)); add(vm, existingTransition); } @@ -105,7 +129,7 @@ inline void StructureTransitionTable::add(VM& vm, Structure* structure) // Newer versions of the STL have an std::make_pair function that takes rvalue references. // When either of the parameters are bitfields, the C++ compiler will try to bind them as lvalues, which is invalid. To work around this, use unary "+" to make the parameter an rvalue. // See https://bugs.webkit.org/show_bug.cgi?id=59261 for more details - map()->set(std::make_pair(structure->m_nameInPrevious.get(), +structure->m_attributesInPrevious), structure); + map()->set(std::make_pair(structure->m_nameInPrevious.get(), +structure->attributesInPrevious()), structure); } void Structure::dumpStatistics() @@ -133,9 +157,9 @@ void Structure::dumpStatistics() break; } - if (structure->propertyTable()) { + if (PropertyTable* table = structure->propertyTableOrNull()) { ++numberWithPropertyMaps; - totalPropertyMapsSize += structure->propertyTable()->sizeInMemory(); + totalPropertyMapsSize += table->sizeInMemory(); } } @@ -155,33 +179,38 @@ void Structure::dumpStatistics() Structure::Structure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity) : JSCell(vm, vm.structureStructure.get()) + , m_blob(vm.heap.structureIDTable().allocateID(this), indexingType, typeInfo) + , m_outOfLineTypeFlags(typeInfo.outOfLineTypeFlags()) , m_globalObject(vm, this, globalObject, WriteBarrier<JSGlobalObject>::MayBeNull) , m_prototype(vm, this, prototype) , m_classInfo(classInfo) , m_transitionWatchpointSet(IsWatched) , m_offset(invalidOffset) - , m_typeInfo(typeInfo) - , m_indexingType(indexingType) , m_inlineCapacity(inlineCapacity) - , m_dictionaryKind(NoneDictionaryKind) - , m_isPinnedPropertyTable(false) - , m_hasGetterSetterProperties(classInfo->hasStaticSetterOrReadonlyProperties(vm)) - , m_hasReadOnlyOrGetterSetterPropertiesExcludingProto(classInfo->hasStaticSetterOrReadonlyProperties(vm)) - , m_hasNonEnumerableProperties(false) - , m_attributesInPrevious(0) - , m_specificFunctionThrashCount(0) - , m_preventExtensions(false) - , m_didTransition(false) - , m_staticFunctionReified(false) + , m_bitField(0) { + setDictionaryKind(NoneDictionaryKind); + setIsPinnedPropertyTable(false); + setHasGetterSetterProperties(classInfo->hasStaticSetterOrReadonlyProperties()); + setHasCustomGetterSetterProperties(false); + setHasReadOnlyOrGetterSetterPropertiesExcludingProto(classInfo->hasStaticSetterOrReadonlyProperties()); + setIsQuickPropertyAccessAllowedForEnumeration(true); + setAttributesInPrevious(0); + setDidPreventExtensions(false); + setDidTransition(false); + setStaticPropertiesReified(false); + setTransitionWatchpointIsLikelyToBeFired(false); + setHasBeenDictionary(false); + setIsAddingPropertyForTransition(false); + ASSERT(inlineCapacity <= JSFinalObject::maxInlineCapacity()); ASSERT(static_cast<PropertyOffset>(inlineCapacity) < firstOutOfLineOffset); - ASSERT(!typeInfo.structureHasRareData()); - ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties(vm)); - ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties(vm)); + ASSERT(!hasRareData()); + ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); + ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); } -const ClassInfo Structure::s_info = { "Structure", 0, 0, 0, CREATE_METHOD_TABLE(Structure) }; +const ClassInfo Structure::s_info = { "Structure", 0, 0, CREATE_METHOD_TABLE(Structure) }; Structure::Structure(VM& vm) : JSCell(CreatingEarlyCell) @@ -189,54 +218,76 @@ Structure::Structure(VM& vm) , m_classInfo(info()) , m_transitionWatchpointSet(IsWatched) , m_offset(invalidOffset) - , m_typeInfo(CompoundType, OverridesVisitChildren) - , m_indexingType(0) , m_inlineCapacity(0) - , m_dictionaryKind(NoneDictionaryKind) - , m_isPinnedPropertyTable(false) - , m_hasGetterSetterProperties(m_classInfo->hasStaticSetterOrReadonlyProperties(vm)) - , m_hasReadOnlyOrGetterSetterPropertiesExcludingProto(m_classInfo->hasStaticSetterOrReadonlyProperties(vm)) - , m_hasNonEnumerableProperties(false) - , m_attributesInPrevious(0) - , m_specificFunctionThrashCount(0) - , m_preventExtensions(false) - , m_didTransition(false) - , m_staticFunctionReified(false) -{ - ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties(vm)); - ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties(vm)); -} - -Structure::Structure(VM& vm, const Structure* previous) + , m_bitField(0) +{ + setDictionaryKind(NoneDictionaryKind); + setIsPinnedPropertyTable(false); + setHasGetterSetterProperties(m_classInfo->hasStaticSetterOrReadonlyProperties()); + setHasCustomGetterSetterProperties(false); + setHasReadOnlyOrGetterSetterPropertiesExcludingProto(m_classInfo->hasStaticSetterOrReadonlyProperties()); + setIsQuickPropertyAccessAllowedForEnumeration(true); + setAttributesInPrevious(0); + setDidPreventExtensions(false); + setDidTransition(false); + setStaticPropertiesReified(false); + setTransitionWatchpointIsLikelyToBeFired(false); + setHasBeenDictionary(false); + setIsAddingPropertyForTransition(false); + + TypeInfo typeInfo = TypeInfo(CellType, StructureFlags); + m_blob = StructureIDBlob(vm.heap.structureIDTable().allocateID(this), 0, typeInfo); + m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags(); + + ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); + ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); +} + +Structure::Structure(VM& vm, Structure* previous, DeferredStructureTransitionWatchpointFire* deferred) : JSCell(vm, vm.structureStructure.get()) , m_prototype(vm, this, previous->storedPrototype()) , m_classInfo(previous->m_classInfo) , m_transitionWatchpointSet(IsWatched) , m_offset(invalidOffset) - , m_typeInfo(previous->typeInfo().type(), previous->typeInfo().flags() & ~StructureHasRareData) - , m_indexingType(previous->indexingTypeIncludingHistory()) , m_inlineCapacity(previous->m_inlineCapacity) - , m_dictionaryKind(previous->m_dictionaryKind) - , m_isPinnedPropertyTable(false) - , m_hasGetterSetterProperties(previous->m_hasGetterSetterProperties) - , m_hasReadOnlyOrGetterSetterPropertiesExcludingProto(previous->m_hasReadOnlyOrGetterSetterPropertiesExcludingProto) - , m_hasNonEnumerableProperties(previous->m_hasNonEnumerableProperties) - , m_attributesInPrevious(0) - , m_specificFunctionThrashCount(previous->m_specificFunctionThrashCount) - , m_preventExtensions(previous->m_preventExtensions) - , m_didTransition(true) - , m_staticFunctionReified(previous->m_staticFunctionReified) -{ - if (previous->typeInfo().structureHasRareData() && previous->rareData()->needsCloning()) - cloneRareDataFrom(vm, previous); - else if (previous->previousID()) - m_previousOrRareData.set(vm, this, previous->previousID()); - - previous->notifyTransitionFromThisStructure(); + , m_bitField(0) +{ + setDictionaryKind(previous->dictionaryKind()); + setIsPinnedPropertyTable(previous->hasBeenFlattenedBefore()); + setHasGetterSetterProperties(previous->hasGetterSetterProperties()); + setHasCustomGetterSetterProperties(previous->hasCustomGetterSetterProperties()); + setHasReadOnlyOrGetterSetterPropertiesExcludingProto(previous->hasReadOnlyOrGetterSetterPropertiesExcludingProto()); + setIsQuickPropertyAccessAllowedForEnumeration(previous->isQuickPropertyAccessAllowedForEnumeration()); + setAttributesInPrevious(0); + setDidPreventExtensions(previous->didPreventExtensions()); + setDidTransition(true); + setStaticPropertiesReified(previous->staticPropertiesReified()); + setHasBeenDictionary(previous->hasBeenDictionary()); + setIsAddingPropertyForTransition(false); + + TypeInfo typeInfo = previous->typeInfo(); + m_blob = StructureIDBlob(vm.heap.structureIDTable().allocateID(this), previous->indexingTypeIncludingHistory(), typeInfo); + m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags(); + + ASSERT(!previous->typeInfo().structureIsImmortal()); + setPreviousID(vm, previous); + + previous->didTransitionFromThisStructure(deferred); + + // Copy this bit now, in case previous was being watched. + setTransitionWatchpointIsLikelyToBeFired(previous->transitionWatchpointIsLikelyToBeFired()); + if (previous->m_globalObject) m_globalObject.set(vm, this, previous->m_globalObject.get()); - ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties(vm)); - ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties(vm)); + ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); + ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); +} + +Structure::~Structure() +{ + if (typeInfo().structureIsImmortal()) + return; + Heap::heap(this)->structureIDTable().deallocateID(this, m_blob.structureID()); } void Structure::destroy(JSCell* cell) @@ -252,7 +303,7 @@ void Structure::findStructuresAndMapForMaterialization(Vector<Structure*, 8>& st for (structure = this; structure; structure = structure->previousID()) { structure->m_lock.lock(); - table = structure->propertyTable().get(); + table = structure->propertyTableOrNull(); if (table) { // Leave the structure locked, so that the caller can do things to it atomically // before it loses its property table. @@ -267,78 +318,66 @@ void Structure::findStructuresAndMapForMaterialization(Vector<Structure*, 8>& st ASSERT(!table); } -void Structure::materializePropertyMap(VM& vm) +PropertyTable* Structure::materializePropertyTable(VM& vm, bool setPropertyTable) { ASSERT(structure()->classInfo() == info()); - ASSERT(!propertyTable()); - + ASSERT(!isAddingPropertyForTransition()); + + DeferGC deferGC(vm.heap); + Vector<Structure*, 8> structures; Structure* structure; PropertyTable* table; findStructuresAndMapForMaterialization(structures, structure, table); + unsigned capacity = numberOfSlotsForLastOffset(m_offset, m_inlineCapacity); if (table) { - table = table->copy(vm, structure, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity)); + table = table->copy(vm, capacity); structure->m_lock.unlock(); - } + } else + table = PropertyTable::create(vm, capacity); // Must hold the lock on this structure, since we will be modifying this structure's // property map. We don't want getConcurrently() to see the property map in a half-baked // state. - GCSafeConcurrentJITLocker locker(m_lock, vm.heap); - if (!table) - createPropertyMap(locker, vm, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity)); - else - propertyTable().set(vm, this, table); + GCSafeConcurrentJSLocker locker(m_lock, vm.heap); + if (setPropertyTable) + this->setPropertyTable(vm, table); + + InferredTypeTable* typeTable = m_inferredTypeTable.get(); for (size_t i = structures.size(); i--;) { structure = structures[i]; if (!structure->m_nameInPrevious) continue; - PropertyMapEntry entry(vm, this, structure->m_nameInPrevious.get(), structure->m_offset, structure->m_attributesInPrevious, structure->m_specificValueInPrevious.get()); - propertyTable()->add(entry, m_offset, PropertyTable::PropertyOffsetMustNotChange); + PropertyMapEntry entry(structure->m_nameInPrevious.get(), structure->m_offset, structure->attributesInPrevious()); + if (typeTable && typeTable->get(structure->m_nameInPrevious.get())) + entry.hasInferredType = true; + table->add(entry, m_offset, PropertyTable::PropertyOffsetMustNotChange); } - checkOffsetConsistency(); -} - -inline size_t nextOutOfLineStorageCapacity(size_t currentCapacity) -{ - if (!currentCapacity) - return initialOutOfLineCapacity; - return currentCapacity * outOfLineGrowthFactor; -} - -size_t Structure::suggestedNewOutOfLineStorageCapacity() -{ - return nextOutOfLineStorageCapacity(outOfLineCapacity()); -} - -void Structure::despecifyDictionaryFunction(VM& vm, PropertyName propertyName) -{ - StringImpl* rep = propertyName.uid(); - - DeferGC deferGC(vm.heap); - materializePropertyMapIfNecessary(vm, deferGC); - - ASSERT(isDictionary()); - ASSERT(propertyTable()); - - PropertyMapEntry* entry = propertyTable()->find(rep).first; - ASSERT(entry); - entry->specificValue.clear(); + checkOffsetConsistency( + table, + [&] () { + dataLog("Detected in materializePropertyTable.\n"); + dataLog("Found structure = ", RawPointer(structure), "\n"); + dataLog("structures = "); + CommaPrinter comma; + for (Structure* structure : structures) + dataLog(comma, RawPointer(structure)); + dataLog("\n"); + }); + + return table; } -Structure* Structure::addPropertyTransitionToExistingStructureImpl(Structure* structure, StringImpl* uid, unsigned attributes, JSCell* specificValue, PropertyOffset& offset) +Structure* Structure::addPropertyTransitionToExistingStructureImpl(Structure* structure, UniquedStringImpl* uid, unsigned attributes, PropertyOffset& offset) { ASSERT(!structure->isDictionary()); ASSERT(structure->isObject()); if (Structure* existingTransition = structure->m_transitionTable.get(uid, attributes)) { - JSCell* specificValueInPrevious = existingTransition->m_specificValueInPrevious.get(); - if (specificValueInPrevious && specificValueInPrevious != specificValue) - return 0; validateOffset(existingTransition->m_offset, existingTransition->inlineCapacity()); offset = existingTransition->m_offset; return existingTransition; @@ -347,16 +386,16 @@ Structure* Structure::addPropertyTransitionToExistingStructureImpl(Structure* st return 0; } -Structure* Structure::addPropertyTransitionToExistingStructure(Structure* structure, PropertyName propertyName, unsigned attributes, JSCell* specificValue, PropertyOffset& offset) +Structure* Structure::addPropertyTransitionToExistingStructure(Structure* structure, PropertyName propertyName, unsigned attributes, PropertyOffset& offset) { ASSERT(!isCompilationThread()); - return addPropertyTransitionToExistingStructureImpl(structure, propertyName.uid(), attributes, specificValue, offset); + return addPropertyTransitionToExistingStructureImpl(structure, propertyName.uid(), attributes, offset); } -Structure* Structure::addPropertyTransitionToExistingStructureConcurrently(Structure* structure, StringImpl* uid, unsigned attributes, JSCell* specificValue, PropertyOffset& offset) +Structure* Structure::addPropertyTransitionToExistingStructureConcurrently(Structure* structure, UniquedStringImpl* uid, unsigned attributes, PropertyOffset& offset) { - ConcurrentJITLocker locker(structure->m_lock); - return addPropertyTransitionToExistingStructureImpl(structure, uid, attributes, specificValue, offset); + ConcurrentJSLocker locker(structure->m_lock); + return addPropertyTransitionToExistingStructureImpl(structure, uid, attributes, offset); } bool Structure::anyObjectInChainMayInterceptIndexedAccesses() const @@ -373,6 +412,30 @@ bool Structure::anyObjectInChainMayInterceptIndexedAccesses() const } } +bool Structure::holesMustForwardToPrototype(VM& vm) const +{ + if (this->mayInterceptIndexedAccesses()) + return true; + + JSValue prototype = this->storedPrototype(); + if (!prototype.isObject()) + return false; + JSObject* object = asObject(prototype); + + while (true) { + Structure& structure = *object->structure(vm); + if (hasIndexedProperties(object->indexingType()) || structure.mayInterceptIndexedAccesses()) + return true; + prototype = structure.storedPrototype(); + if (!prototype.isObject()) + return false; + object = asObject(prototype); + } + + RELEASE_ASSERT_NOT_REACHED(); + return false; +} + bool Structure::needsSlowPutIndexing() const { return anyObjectInChainMayInterceptIndexedAccesses() @@ -382,57 +445,74 @@ bool Structure::needsSlowPutIndexing() const NonPropertyTransition Structure::suggestedArrayStorageTransition() const { if (needsSlowPutIndexing()) - return AllocateSlowPutArrayStorage; + return NonPropertyTransition::AllocateSlowPutArrayStorage; - return AllocateArrayStorage; + return NonPropertyTransition::AllocateArrayStorage; } -Structure* Structure::addPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes, JSCell* specificValue, PropertyOffset& offset, PutPropertySlot::Context context) +Structure* Structure::addPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes, PropertyOffset& offset) { - // If we have a specific function, we may have got to this point if there is - // already a transition with the correct property name and attributes, but - // specialized to a different function. In this case we just want to give up - // and despecialize the transition. - // In this case we clear the value of specificFunction which will result - // in us adding a non-specific transition, and any subsequent lookup in - // Structure::addPropertyTransitionToExistingStructure will just use that. - if (specificValue && structure->m_transitionTable.contains(propertyName.uid(), attributes)) - specificValue = 0; + Structure* newStructure = addPropertyTransitionToExistingStructure( + structure, propertyName, attributes, offset); + if (newStructure) + return newStructure; + + return addNewPropertyTransition( + vm, structure, propertyName, attributes, offset, PutPropertySlot::UnknownContext); +} +Structure* Structure::addNewPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes, PropertyOffset& offset, PutPropertySlot::Context context, DeferredStructureTransitionWatchpointFire* deferred) +{ ASSERT(!structure->isDictionary()); ASSERT(structure->isObject()); - ASSERT(!Structure::addPropertyTransitionToExistingStructure(structure, propertyName, attributes, specificValue, offset)); + ASSERT(!Structure::addPropertyTransitionToExistingStructure(structure, propertyName, attributes, offset)); - if (structure->m_specificFunctionThrashCount == maxSpecificFunctionThrashCount) - specificValue = 0; - int maxTransitionLength; if (context == PutPropertySlot::PutById) maxTransitionLength = s_maxTransitionLengthForNonEvalPutById; else maxTransitionLength = s_maxTransitionLength; if (structure->transitionCount() > maxTransitionLength) { - Structure* transition = toCacheableDictionaryTransition(vm, structure); + Structure* transition = toCacheableDictionaryTransition(vm, structure, deferred); ASSERT(structure != transition); - offset = transition->putSpecificValue(vm, propertyName, attributes, specificValue); + offset = transition->add(vm, propertyName, attributes); return transition; } - Structure* transition = create(vm, structure); + Structure* transition = create(vm, structure, deferred); transition->m_cachedPrototypeChain.setMayBeNull(vm, transition, structure->m_cachedPrototypeChain.get()); - transition->setPreviousID(vm, transition, structure); + + // While we are adding the property, rematerializing the property table is super weird: we already + // have a m_nameInPrevious and attributesInPrevious but the m_offset is still wrong. If the + // materialization algorithm runs, it'll build a property table that already has the property but + // at a bogus offset. Rather than try to teach the materialization code how to create a table under + // those conditions, we just tell the GC not to blow the table away during this period of time. + // Holding the lock ensures that we either do this before the GC starts scanning the structure, in + // which case the GC will not blow the table away, or we do it after the GC already ran in which + // case all is well. If it wasn't for the lock, the GC would have TOCTOU: if could read + // isAddingPropertyForTransition before we set it to true, and then blow the table away after. + { + ConcurrentJSLocker locker(transition->m_lock); + transition->setIsAddingPropertyForTransition(true); + } + transition->m_nameInPrevious = propertyName.uid(); - transition->m_attributesInPrevious = attributes; - transition->m_specificValueInPrevious.setMayBeNull(vm, transition, specificValue); - transition->propertyTable().set(vm, transition, structure->takePropertyTableOrCloneIfPinned(vm, transition)); + transition->setAttributesInPrevious(attributes); + transition->setPropertyTable(vm, structure->takePropertyTableOrCloneIfPinned(vm)); transition->m_offset = structure->m_offset; + transition->m_inferredTypeTable.setMayBeNull(vm, transition, structure->m_inferredTypeTable.get()); + + offset = transition->add(vm, propertyName, attributes); - offset = transition->putSpecificValue(vm, propertyName, attributes, specificValue); + // Now that everything is fine with the new structure's bookkeeping, the GC is free to blow the + // table away if it wants. We can now rebuild it fine. + WTF::storeStoreFence(); + transition->setIsAddingPropertyForTransition(false); checkOffset(transition->m_offset, transition->inlineCapacity()); { - ConcurrentJITLocker locker(structure->m_lock); + ConcurrentJSLocker locker(structure->m_lock); structure->m_transitionTable.add(vm, transition); } transition->checkOffsetConsistency(); @@ -442,6 +522,24 @@ Structure* Structure::addPropertyTransition(VM& vm, Structure* structure, Proper Structure* Structure::removePropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, PropertyOffset& offset) { + // NOTE: There are some good reasons why this goes directly to uncacheable dictionary rather than + // caching the removal. We can fix all of these things, but we must remember to do so, if we ever try + // to optimize this case. + // + // - Cached transitions usually steal the property table, and assume that this is possible because they + // can just rebuild the table by looking at past transitions. That code assumes that the table only + // grew and never shrank. To support removals, we'd have to change the property table materialization + // code to handle deletions. Also, we have logic to get the list of properties on a structure that + // lacks a property table by just looking back through the set of transitions since the last + // structure that had a pinned table. That logic would also have to be changed to handle cached + // removals. + // + // - InferredTypeTable assumes that removal has never happened. This is important since if we could + // remove a property and then re-add it later, then the "absence means top" optimization wouldn't + // work anymore, unless removal also either poisoned type inference (by doing something equivalent to + // hasBeenDictionary) or by strongly marking the entry as Top by ensuring that it is not absent, but + // instead, has a null entry. + ASSERT(!structure->isUncacheableDictionary()); Structure* transition = toUncacheableDictionaryTransition(vm, structure); @@ -454,60 +552,32 @@ Structure* Structure::removePropertyTransition(VM& vm, Structure* structure, Pro Structure* Structure::changePrototypeTransition(VM& vm, Structure* structure, JSValue prototype) { - Structure* transition = create(vm, structure); - - transition->m_prototype.set(vm, transition, prototype); - DeferGC deferGC(vm.heap); - structure->materializePropertyMapIfNecessary(vm, deferGC); - transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition)); - transition->m_offset = structure->m_offset; - transition->pin(); - - transition->checkOffsetConsistency(); - return transition; -} - -Structure* Structure::despecifyFunctionTransition(VM& vm, Structure* structure, PropertyName replaceFunction) -{ - ASSERT(structure->m_specificFunctionThrashCount < maxSpecificFunctionThrashCount); Structure* transition = create(vm, structure); - ++transition->m_specificFunctionThrashCount; + transition->m_prototype.set(vm, transition, prototype); - DeferGC deferGC(vm.heap); - structure->materializePropertyMapIfNecessary(vm, deferGC); - transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition)); + PropertyTable* table = structure->copyPropertyTableForPinning(vm); + transition->pin(holdLock(transition->m_lock), vm, table); transition->m_offset = structure->m_offset; - transition->pin(); - - if (transition->m_specificFunctionThrashCount == maxSpecificFunctionThrashCount) - transition->despecifyAllFunctions(vm); - else { - bool removed = transition->despecifyFunction(vm, replaceFunction); - ASSERT_UNUSED(removed, removed); - } - + transition->checkOffsetConsistency(); return transition; } Structure* Structure::attributeChangeTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes) { - DeferGC deferGC(vm.heap); if (!structure->isUncacheableDictionary()) { Structure* transition = create(vm, structure); - structure->materializePropertyMapIfNecessary(vm, deferGC); - transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition)); + PropertyTable* table = structure->copyPropertyTableForPinning(vm); + transition->pin(holdLock(transition->m_lock), vm, table); transition->m_offset = structure->m_offset; - transition->pin(); structure = transition; } - ASSERT(structure->propertyTable()); - PropertyMapEntry* entry = structure->propertyTable()->find(propertyName.uid()).first; + PropertyMapEntry* entry = structure->ensurePropertyTable(vm)->get(propertyName.uid()); ASSERT(entry); entry->attributes = attributes; @@ -515,26 +585,26 @@ Structure* Structure::attributeChangeTransition(VM& vm, Structure* structure, Pr return structure; } -Structure* Structure::toDictionaryTransition(VM& vm, Structure* structure, DictionaryKind kind) +Structure* Structure::toDictionaryTransition(VM& vm, Structure* structure, DictionaryKind kind, DeferredStructureTransitionWatchpointFire* deferred) { ASSERT(!structure->isUncacheableDictionary()); + DeferGC deferGC(vm.heap); - Structure* transition = create(vm, structure); + Structure* transition = create(vm, structure, deferred); - DeferGC deferGC(vm.heap); - structure->materializePropertyMapIfNecessary(vm, deferGC); - transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition)); + PropertyTable* table = structure->copyPropertyTableForPinning(vm); + transition->pin(holdLock(transition->m_lock), vm, table); transition->m_offset = structure->m_offset; - transition->m_dictionaryKind = kind; - transition->pin(); - + transition->setDictionaryKind(kind); + transition->setHasBeenDictionary(true); + transition->checkOffsetConsistency(); return transition; } -Structure* Structure::toCacheableDictionaryTransition(VM& vm, Structure* structure) +Structure* Structure::toCacheableDictionaryTransition(VM& vm, Structure* structure, DeferredStructureTransitionWatchpointFire* deferred) { - return toDictionaryTransition(vm, structure, CachedDictionaryKind); + return toDictionaryTransition(vm, structure, CachedDictionaryKind, deferred); } Structure* Structure::toUncacheableDictionaryTransition(VM& vm, Structure* structure) @@ -542,109 +612,105 @@ Structure* Structure::toUncacheableDictionaryTransition(VM& vm, Structure* struc return toDictionaryTransition(vm, structure, UncachedDictionaryKind); } -// In future we may want to cache this transition. Structure* Structure::sealTransition(VM& vm, Structure* structure) { - Structure* transition = preventExtensionsTransition(vm, structure); - - if (transition->propertyTable()) { - PropertyTable::iterator end = transition->propertyTable()->end(); - for (PropertyTable::iterator iter = transition->propertyTable()->begin(); iter != end; ++iter) - iter->attributes |= DontDelete; - } - - transition->checkOffsetConsistency(); - return transition; + return nonPropertyTransition(vm, structure, NonPropertyTransition::Seal); } -// In future we may want to cache this transition. Structure* Structure::freezeTransition(VM& vm, Structure* structure) { - Structure* transition = preventExtensionsTransition(vm, structure); - - if (transition->propertyTable()) { - PropertyTable::iterator iter = transition->propertyTable()->begin(); - PropertyTable::iterator end = transition->propertyTable()->end(); - if (iter != end) - transition->m_hasReadOnlyOrGetterSetterPropertiesExcludingProto = true; - for (; iter != end; ++iter) - iter->attributes |= iter->attributes & Accessor ? DontDelete : (DontDelete | ReadOnly); - } - - ASSERT(transition->hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !transition->classInfo()->hasStaticSetterOrReadonlyProperties(vm)); - ASSERT(transition->hasGetterSetterProperties() || !transition->classInfo()->hasStaticSetterOrReadonlyProperties(vm)); - transition->checkOffsetConsistency(); - return transition; + return nonPropertyTransition(vm, structure, NonPropertyTransition::Freeze); } -// In future we may want to cache this transition. Structure* Structure::preventExtensionsTransition(VM& vm, Structure* structure) { - Structure* transition = create(vm, structure); - - // Don't set m_offset, as one can not transition to this. - - DeferGC deferGC(vm.heap); - structure->materializePropertyMapIfNecessary(vm, deferGC); - transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition)); - transition->m_offset = structure->m_offset; - transition->m_preventExtensions = true; - transition->pin(); - - transition->checkOffsetConsistency(); - return transition; + return nonPropertyTransition(vm, structure, NonPropertyTransition::PreventExtensions); } -PropertyTable* Structure::takePropertyTableOrCloneIfPinned(VM& vm, Structure* owner) +PropertyTable* Structure::takePropertyTableOrCloneIfPinned(VM& vm) { - DeferGC deferGC(vm.heap); - materializePropertyMapIfNecessaryForPinning(vm, deferGC); - - if (m_isPinnedPropertyTable) - return propertyTable()->copy(vm, owner, propertyTable()->size() + 1); - - // Hold the lock while stealing the table - so that getConcurrently() on another thread - // will either have to bypass this structure, or will get to use the property table - // before it is stolen. - ConcurrentJITLocker locker(m_lock); - PropertyTable* takenPropertyTable = propertyTable().get(); - propertyTable().clear(); - return takenPropertyTable; + // This must always return a property table. It can't return null. + PropertyTable* result = propertyTableOrNull(); + if (result) { + if (isPinnedPropertyTable()) + return result->copy(vm, result->size() + 1); + ConcurrentJSLocker locker(m_lock); + setPropertyTable(vm, nullptr); + return result; + } + bool setPropertyTable = false; + return materializePropertyTable(vm, setPropertyTable); } Structure* Structure::nonPropertyTransition(VM& vm, Structure* structure, NonPropertyTransition transitionKind) { unsigned attributes = toAttributes(transitionKind); - IndexingType indexingType = newIndexingType(structure->indexingTypeIncludingHistory(), transitionKind); + IndexingType indexingTypeIncludingHistory = newIndexingType(structure->indexingTypeIncludingHistory(), transitionKind); - if (JSGlobalObject* globalObject = structure->m_globalObject.get()) { - if (globalObject->isOriginalArrayStructure(structure)) { - Structure* result = globalObject->originalArrayStructureForIndexingType(indexingType); - if (result->indexingTypeIncludingHistory() == indexingType) { - structure->notifyTransitionFromThisStructure(); - return result; + if (changesIndexingType(transitionKind)) { + if (JSGlobalObject* globalObject = structure->m_globalObject.get()) { + if (globalObject->isOriginalArrayStructure(structure)) { + Structure* result = globalObject->originalArrayStructureForIndexingType(indexingTypeIncludingHistory); + if (result->indexingTypeIncludingHistory() == indexingTypeIncludingHistory) { + structure->didTransitionFromThisStructure(); + return result; + } } } } - if (Structure* existingTransition = structure->m_transitionTable.get(0, attributes)) { - ASSERT(existingTransition->m_attributesInPrevious == attributes); - ASSERT(existingTransition->indexingTypeIncludingHistory() == indexingType); + Structure* existingTransition; + if (!structure->isDictionary() && (existingTransition = structure->m_transitionTable.get(0, attributes))) { + ASSERT(existingTransition->attributesInPrevious() == attributes); + ASSERT(existingTransition->indexingTypeIncludingHistory() == indexingTypeIncludingHistory); return existingTransition; } + DeferGC deferGC(vm.heap); + Structure* transition = create(vm, structure); - transition->setPreviousID(vm, transition, structure); - transition->m_attributesInPrevious = attributes; - transition->m_indexingType = indexingType; - transition->propertyTable().set(vm, transition, structure->takePropertyTableOrCloneIfPinned(vm, transition)); - transition->m_offset = structure->m_offset; - checkOffset(transition->m_offset, transition->inlineCapacity()); + transition->setAttributesInPrevious(attributes); + transition->m_blob.setIndexingTypeIncludingHistory(indexingTypeIncludingHistory); - { - ConcurrentJITLocker locker(structure->m_lock); + if (preventsExtensions(transitionKind)) + transition->setDidPreventExtensions(true); + + if (setsDontDeleteOnAllProperties(transitionKind) + || setsReadOnlyOnNonAccessorProperties(transitionKind)) { + // We pin the property table on transitions that do wholesale editing of the property + // table, since our logic for walking the property transition chain to rematerialize the + // table doesn't know how to take into account such wholesale edits. + + PropertyTable* table = structure->copyPropertyTableForPinning(vm); + transition->pinForCaching(holdLock(transition->m_lock), vm, table); + transition->m_offset = structure->m_offset; + + table = transition->propertyTableOrNull(); + RELEASE_ASSERT(table); + for (auto& entry : *table) { + if (setsDontDeleteOnAllProperties(transitionKind)) + entry.attributes |= DontDelete; + if (setsReadOnlyOnNonAccessorProperties(transitionKind) && !(entry.attributes & Accessor)) + entry.attributes |= ReadOnly; + } + } else { + transition->setPropertyTable(vm, structure->takePropertyTableOrCloneIfPinned(vm)); + transition->m_offset = structure->m_offset; + checkOffset(transition->m_offset, transition->inlineCapacity()); + } + + if (setsReadOnlyOnNonAccessorProperties(transitionKind) + && !transition->propertyTableOrNull()->isEmpty()) + transition->setHasReadOnlyOrGetterSetterPropertiesExcludingProto(true); + + if (structure->isDictionary()) { + PropertyTable* table = transition->ensurePropertyTable(vm); + transition->pin(holdLock(transition->m_lock), vm, table); + } else { + auto locker = holdLock(structure->m_lock); structure->m_transitionTable.add(vm, transition); } + transition->checkOffsetConsistency(); return transition; } @@ -652,16 +718,15 @@ Structure* Structure::nonPropertyTransition(VM& vm, Structure* structure, NonPro // In future we may want to cache this property. bool Structure::isSealed(VM& vm) { - if (isExtensible()) + if (isStructureExtensible()) return false; - DeferGC deferGC(vm.heap); - materializePropertyMapIfNecessary(vm, deferGC); - if (!propertyTable()) + PropertyTable* table = ensurePropertyTableIfNotEmpty(vm); + if (!table) return true; - - PropertyTable::iterator end = propertyTable()->end(); - for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) { + + PropertyTable::iterator end = table->end(); + for (PropertyTable::iterator iter = table->begin(); iter != end; ++iter) { if ((iter->attributes & DontDelete) != DontDelete) return false; } @@ -671,16 +736,15 @@ bool Structure::isSealed(VM& vm) // In future we may want to cache this property. bool Structure::isFrozen(VM& vm) { - if (isExtensible()) + if (isStructureExtensible()) return false; - DeferGC deferGC(vm.heap); - materializePropertyMapIfNecessary(vm, deferGC); - if (!propertyTable()) + PropertyTable* table = ensurePropertyTableIfNotEmpty(vm); + if (!table) return true; - - PropertyTable::iterator end = propertyTable()->end(); - for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) { + + PropertyTable::iterator end = table->end(); + for (PropertyTable::iterator iter = table->begin(); iter != end; ++iter) { if (!(iter->attributes & DontDelete)) return false; if (!(iter->attributes & (ReadOnly | Accessor))) @@ -693,19 +757,27 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object) { checkOffsetConsistency(); ASSERT(isDictionary()); + + GCSafeConcurrentJSLocker locker(m_lock, vm.heap); + + object->setStructureIDDirectly(nuke(id())); + WTF::storeStoreFence(); + + size_t beforeOutOfLineCapacity = this->outOfLineCapacity(); if (isUncacheableDictionary()) { - ASSERT(propertyTable()); + PropertyTable* table = propertyTableOrNull(); + ASSERT(table); - size_t propertyCount = propertyTable()->size(); + size_t propertyCount = table->size(); // Holds our values compacted by insertion order. Vector<JSValue> values(propertyCount); // Copies out our values from their hashed locations, compacting property table offsets as we go. unsigned i = 0; - PropertyTable::iterator end = propertyTable()->end(); + PropertyTable::iterator end = table->end(); m_offset = invalidOffset; - for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter, ++i) { + for (PropertyTable::iterator iter = table->begin(); iter != end; ++iter, ++i) { values[i] = object->getDirect(iter->offset); m_offset = iter->offset = offsetForPropertyNumber(i, m_inlineCapacity); } @@ -714,267 +786,285 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object) for (unsigned i = 0; i < propertyCount; i++) object->putDirect(vm, offsetForPropertyNumber(i, m_inlineCapacity), values[i]); - propertyTable()->clearDeletedOffsets(); + table->clearDeletedOffsets(); checkOffsetConsistency(); } - m_dictionaryKind = NoneDictionaryKind; + setDictionaryKind(NoneDictionaryKind); + setHasBeenFlattenedBefore(true); + + size_t afterOutOfLineCapacity = this->outOfLineCapacity(); + + if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) { + ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity); + // If the object had a Butterfly but after flattening/compacting we no longer have need of it, + // we need to zero it out because the collector depends on the Structure to know the size for copying. + if (!afterOutOfLineCapacity && !this->hasIndexingHeader(object)) + object->setButterfly(vm, nullptr); + // If the object was down-sized to the point where the base of the Butterfly is no longer within the + // first CopiedBlock::blockSize bytes, we'll get the wrong answer if we try to mask the base back to + // the CopiedBlock header. To prevent this case we need to memmove the Butterfly down. + else + object->shiftButterflyAfterFlattening(locker, vm, this, afterOutOfLineCapacity); + } + + WTF::storeStoreFence(); + object->setStructureIDDirectly(id()); - // If the object had a Butterfly but after flattening/compacting we no longer have need of it, - // we need to zero it out because the collector depends on the Structure to know the size for copying. - if (object->butterfly() && !this->outOfLineCapacity() && !this->hasIndexingHeader(object)) - object->setStructureAndButterfly(vm, this, 0); + // FIXME: This is probably no longer needed since we have a stronger mechanism + // for detecting races and rescanning an object. + // https://bugs.webkit.org/show_bug.cgi?id=166989 + vm.heap.writeBarrier(object); return this; } -PropertyOffset Structure::addPropertyWithoutTransition(VM& vm, PropertyName propertyName, unsigned attributes, JSCell* specificValue) +void Structure::pin(const AbstractLocker&, VM& vm, PropertyTable* table) { - ASSERT(!enumerationCache()); - - if (m_specificFunctionThrashCount == maxSpecificFunctionThrashCount) - specificValue = 0; + setIsPinnedPropertyTable(true); + setPropertyTable(vm, table); + clearPreviousID(); + m_nameInPrevious = nullptr; +} - DeferGC deferGC(vm.heap); - materializePropertyMapIfNecessaryForPinning(vm, deferGC); - - pin(); +void Structure::pinForCaching(const AbstractLocker&, VM& vm, PropertyTable* table) +{ + setIsPinnedPropertyTable(true); + setPropertyTable(vm, table); + m_nameInPrevious = nullptr; +} - return putSpecificValue(vm, propertyName, attributes, specificValue); +void Structure::allocateRareData(VM& vm) +{ + ASSERT(!hasRareData()); + StructureRareData* rareData = StructureRareData::create(vm, previousID()); + WTF::storeStoreFence(); + m_previousOrRareData.set(vm, this, rareData); + ASSERT(hasRareData()); } -PropertyOffset Structure::removePropertyWithoutTransition(VM& vm, PropertyName propertyName) +WatchpointSet* Structure::ensurePropertyReplacementWatchpointSet(VM& vm, PropertyOffset offset) { - ASSERT(isUncacheableDictionary()); - ASSERT(!enumerationCache()); + ASSERT(!isUncacheableDictionary()); - DeferGC deferGC(vm.heap); - materializePropertyMapIfNecessaryForPinning(vm, deferGC); + // In some places it's convenient to call this with an invalid offset. So, we do the check here. + if (!isValidOffset(offset)) + return nullptr; + + if (!hasRareData()) + allocateRareData(vm); + ConcurrentJSLocker locker(m_lock); + StructureRareData* rareData = this->rareData(); + if (!rareData->m_replacementWatchpointSets) { + rareData->m_replacementWatchpointSets = + std::make_unique<StructureRareData::PropertyWatchpointMap>(); + WTF::storeStoreFence(); + } + auto result = rareData->m_replacementWatchpointSets->add(offset, nullptr); + if (result.isNewEntry) + result.iterator->value = adoptRef(new WatchpointSet(IsWatched)); + return result.iterator->value.get(); +} - pin(); - return remove(propertyName); +void Structure::startWatchingPropertyForReplacements(VM& vm, PropertyName propertyName) +{ + ASSERT(!isUncacheableDictionary()); + + startWatchingPropertyForReplacements(vm, get(vm, propertyName)); } -void Structure::pin() +void Structure::didCachePropertyReplacement(VM& vm, PropertyOffset offset) { - ASSERT(propertyTable()); - m_isPinnedPropertyTable = true; - clearPreviousID(); - m_nameInPrevious.clear(); + ensurePropertyReplacementWatchpointSet(vm, offset)->fireAll(vm, "Did cache property replacement"); } -void Structure::allocateRareData(VM& vm) +void Structure::startWatchingInternalProperties(VM& vm) { - ASSERT(!typeInfo().structureHasRareData()); - StructureRareData* rareData = StructureRareData::create(vm, previous()); - m_typeInfo = TypeInfo(typeInfo().type(), typeInfo().flags() | StructureHasRareData); - m_previousOrRareData.set(vm, this, rareData); + if (!isUncacheableDictionary()) { + startWatchingPropertyForReplacements(vm, vm.propertyNames->toString); + startWatchingPropertyForReplacements(vm, vm.propertyNames->valueOf); + } + setDidWatchInternalProperties(true); } -void Structure::cloneRareDataFrom(VM& vm, const Structure* other) +void Structure::willStoreValueSlow( + VM& vm, PropertyName propertyName, JSValue value, bool shouldOptimize, + InferredTypeTable::StoredPropertyAge age) { - ASSERT(other->typeInfo().structureHasRareData()); - StructureRareData* newRareData = StructureRareData::clone(vm, other->rareData()); - m_typeInfo = TypeInfo(typeInfo().type(), typeInfo().flags() | StructureHasRareData); - m_previousOrRareData.set(vm, this, newRareData); + ASSERT(!isCompilationThread()); + ASSERT(structure()->classInfo() == info()); + ASSERT(!hasBeenDictionary()); + + // Create the inferred type table before doing anything else, so that we don't GC after we have already + // grabbed a pointer into the property map. + InferredTypeTable* table = m_inferredTypeTable.get(); + if (!table) { + table = InferredTypeTable::create(vm); + WTF::storeStoreFence(); + m_inferredTypeTable.set(vm, this, table); + } + + // This only works if we've got a property table. + PropertyTable* propertyTable = ensurePropertyTable(vm); + + // We must be calling this after having created the given property or confirmed that it was present + // already, so the property must be present. + PropertyMapEntry* entry = propertyTable->get(propertyName.uid()); + ASSERT(entry); + + if (shouldOptimize) + entry->hasInferredType = table->willStoreValue(vm, propertyName, value, age); + else { + table->makeTop(vm, propertyName, age); + entry->hasInferredType = false; + } + + propertyTable->use(); // This makes it safe to use entry above. } #if DUMP_PROPERTYMAP_STATS +PropertyMapHashTableStats* propertyMapHashTableStats = 0; + struct PropertyMapStatisticsExitLogger { + PropertyMapStatisticsExitLogger(); ~PropertyMapStatisticsExitLogger(); }; -static PropertyMapStatisticsExitLogger logger; +DEFINE_GLOBAL_FOR_LOGGING(PropertyMapStatisticsExitLogger, logger, ); -PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger() +PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger() { - dataLogF("\nJSC::PropertyMap statistics\n\n"); - dataLogF("%d probes\n", numProbes); - dataLogF("%d collisions (%.1f%%)\n", numCollisions, 100.0 * numCollisions / numProbes); - dataLogF("%d rehashes\n", numRehashes); - dataLogF("%d removes\n", numRemoves); + propertyMapHashTableStats = adoptPtr(new PropertyMapHashTableStats()).leakPtr(); } -#endif - -#if !DO_PROPERTYMAP_CONSTENCY_CHECK - -inline void Structure::checkConsistency() +PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger() { - checkOffsetConsistency(); + unsigned finds = propertyMapHashTableStats->numFinds; + unsigned collisions = propertyMapHashTableStats->numCollisions; + dataLogF("\nJSC::PropertyMap statistics for process %d\n\n", getCurrentProcessID()); + dataLogF("%d finds\n", finds); + dataLogF("%d collisions (%.1f%%)\n", collisions, 100.0 * collisions / finds); + dataLogF("%d lookups\n", propertyMapHashTableStats->numLookups.load()); + dataLogF("%d lookup probings\n", propertyMapHashTableStats->numLookupProbing.load()); + dataLogF("%d adds\n", propertyMapHashTableStats->numAdds.load()); + dataLogF("%d removes\n", propertyMapHashTableStats->numRemoves.load()); + dataLogF("%d rehashes\n", propertyMapHashTableStats->numRehashes.load()); + dataLogF("%d reinserts\n", propertyMapHashTableStats->numReinserts.load()); } #endif -PropertyTable* Structure::copyPropertyTable(VM& vm, Structure* owner) +PropertyTable* Structure::copyPropertyTableForPinning(VM& vm) { - if (!propertyTable()) - return 0; - return PropertyTable::clone(vm, owner, *propertyTable().get()); + if (PropertyTable* table = propertyTableOrNull()) + return PropertyTable::clone(vm, *table); + bool setPropertyTable = false; + return materializePropertyTable(vm, setPropertyTable); } -PropertyTable* Structure::copyPropertyTableForPinning(VM& vm, Structure* owner) +PropertyOffset Structure::getConcurrently(UniquedStringImpl* uid, unsigned& attributes) { - if (propertyTable()) - return PropertyTable::clone(vm, owner, *propertyTable().get()); - return PropertyTable::create(vm, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity)); -} - -PropertyOffset Structure::getConcurrently(VM&, StringImpl* uid, unsigned& attributes, JSCell*& specificValue) -{ - Vector<Structure*, 8> structures; - Structure* structure; - PropertyTable* table; - - findStructuresAndMapForMaterialization(structures, structure, table); + PropertyOffset result = invalidOffset; - if (table) { - PropertyMapEntry* entry = table->find(uid).first; - if (entry) { - attributes = entry->attributes; - specificValue = entry->specificValue.get(); - PropertyOffset result = entry->offset; - structure->m_lock.unlock(); - return result; - } - structure->m_lock.unlock(); - } - - for (unsigned i = structures.size(); i--;) { - structure = structures[i]; - if (structure->m_nameInPrevious.get() != uid) - continue; - - attributes = structure->m_attributesInPrevious; - specificValue = structure->m_specificValueInPrevious.get(); - return structure->m_offset; - } + forEachPropertyConcurrently( + [&] (const PropertyMapEntry& candidate) -> bool { + if (candidate.key != uid) + return true; + + result = candidate.offset; + attributes = candidate.attributes; + return false; + }); - return invalidOffset; + return result; } -PropertyOffset Structure::get(VM& vm, PropertyName propertyName, unsigned& attributes, JSCell*& specificValue) +Vector<PropertyMapEntry> Structure::getPropertiesConcurrently() { - ASSERT(!isCompilationThread()); - ASSERT(structure()->classInfo() == info()); + Vector<PropertyMapEntry> result; - DeferGC deferGC(vm.heap); - materializePropertyMapIfNecessary(vm, deferGC); - if (!propertyTable()) - return invalidOffset; - - PropertyMapEntry* entry = propertyTable()->find(propertyName.uid()).first; - if (!entry) - return invalidOffset; - - attributes = entry->attributes; - specificValue = entry->specificValue.get(); - return entry->offset; + forEachPropertyConcurrently( + [&] (const PropertyMapEntry& entry) -> bool { + result.append(entry); + return true; + }); + + return result; } -bool Structure::despecifyFunction(VM& vm, PropertyName propertyName) +PropertyOffset Structure::add(VM& vm, PropertyName propertyName, unsigned attributes) { - DeferGC deferGC(vm.heap); - materializePropertyMapIfNecessary(vm, deferGC); - if (!propertyTable()) - return false; - - PropertyMapEntry* entry = propertyTable()->find(propertyName.uid()).first; - if (!entry) - return false; - - ASSERT(entry->specificValue); - entry->specificValue.clear(); - return true; + return add<ShouldPin::No>( + vm, propertyName, attributes, + [this] (const GCSafeConcurrentJSLocker&, PropertyOffset, PropertyOffset newLastOffset) { + setLastOffset(newLastOffset); + }); } -void Structure::despecifyAllFunctions(VM& vm) +PropertyOffset Structure::remove(PropertyName propertyName) { - DeferGC deferGC(vm.heap); - materializePropertyMapIfNecessary(vm, deferGC); - if (!propertyTable()) - return; - - PropertyTable::iterator end = propertyTable()->end(); - for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) - iter->specificValue.clear(); + return remove(propertyName, [] (const ConcurrentJSLocker&, PropertyOffset) { }); } -PropertyOffset Structure::putSpecificValue(VM& vm, PropertyName propertyName, unsigned attributes, JSCell* specificValue) +void Structure::getPropertyNamesFromStructure(VM& vm, PropertyNameArray& propertyNames, EnumerationMode mode) { - GCSafeConcurrentJITLocker locker(m_lock, vm.heap); + PropertyTable* table = ensurePropertyTableIfNotEmpty(vm); + if (!table) + return; - ASSERT(!JSC::isValidOffset(get(vm, propertyName))); - - checkConsistency(); - if (attributes & DontEnum) - m_hasNonEnumerableProperties = true; - - StringImpl* rep = propertyName.uid(); - - if (!propertyTable()) - createPropertyMap(locker, vm); - - PropertyOffset newOffset = propertyTable()->nextOffset(m_inlineCapacity); - - propertyTable()->add(PropertyMapEntry(vm, this, rep, newOffset, attributes, specificValue), m_offset, PropertyTable::PropertyOffsetMayChange); + bool knownUnique = propertyNames.canAddKnownUniqueForStructure(); - checkConsistency(); - return newOffset; + PropertyTable::iterator end = table->end(); + for (PropertyTable::iterator iter = table->begin(); iter != end; ++iter) { + ASSERT(!isQuickPropertyAccessAllowedForEnumeration() || !(iter->attributes & DontEnum)); + ASSERT(!isQuickPropertyAccessAllowedForEnumeration() || !iter->key->isSymbol()); + if (!(iter->attributes & DontEnum) || mode.includeDontEnumProperties()) { + if (iter->key->isSymbol() && !propertyNames.includeSymbolProperties()) + continue; + if (knownUnique) + propertyNames.addUnchecked(iter->key); + else + propertyNames.add(iter->key); + } + } } -PropertyOffset Structure::remove(PropertyName propertyName) +void StructureFireDetail::dump(PrintStream& out) const { - ConcurrentJITLocker locker(m_lock); - - checkConsistency(); - - StringImpl* rep = propertyName.uid(); - - if (!propertyTable()) - return invalidOffset; - - PropertyTable::find_iterator position = propertyTable()->find(rep); - if (!position.first) - return invalidOffset; - - PropertyOffset offset = position.first->offset; - - propertyTable()->remove(position); - propertyTable()->addDeletedOffset(offset); - - checkConsistency(); - return offset; + out.print("Structure transition from ", *m_structure); } -void Structure::createPropertyMap(const GCSafeConcurrentJITLocker&, VM& vm, unsigned capacity) +DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire() + : m_structure(nullptr) { - ASSERT(!propertyTable()); - - checkConsistency(); - propertyTable().set(vm, this, PropertyTable::create(vm, capacity)); } -void Structure::getPropertyNamesFromStructure(VM& vm, PropertyNameArray& propertyNames, EnumerationMode mode) +DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire() { - DeferGC deferGC(vm.heap); - materializePropertyMapIfNecessary(vm, deferGC); - if (!propertyTable()) - return; + if (m_structure) + m_structure->transitionWatchpointSet().fireAll(*m_structure->vm(), StructureFireDetail(m_structure)); +} - bool knownUnique = !propertyNames.size(); +void DeferredStructureTransitionWatchpointFire::add(const Structure* structure) +{ + RELEASE_ASSERT(!m_structure); + RELEASE_ASSERT(structure); + m_structure = structure; +} - PropertyTable::iterator end = propertyTable()->end(); - for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) { - ASSERT(m_hasNonEnumerableProperties || !(iter->attributes & DontEnum)); - if (iter->key->isIdentifier() && (!(iter->attributes & DontEnum) || mode == IncludeDontEnumProperties)) { - if (knownUnique) - propertyNames.addKnownUnique(iter->key); - else - propertyNames.add(iter->key); - } - } +void Structure::didTransitionFromThisStructure(DeferredStructureTransitionWatchpointFire* deferred) const +{ + // If the structure is being watched, and this is the kind of structure that the DFG would + // like to watch, then make sure to note for all future versions of this structure that it's + // unwise to watch it. + if (m_transitionWatchpointSet.isBeingWatched()) + const_cast<Structure*>(this)->setTransitionWatchpointIsLikelyToBeFired(true); + + if (deferred) + deferred->add(this); + else + m_transitionWatchpointSet.fireAll(*vm(), StructureFireDetail(this)); } JSValue Structure::prototypeForLookup(CodeBlock* codeBlock) const @@ -986,30 +1076,54 @@ void Structure::visitChildren(JSCell* cell, SlotVisitor& visitor) { Structure* thisObject = jsCast<Structure*>(cell); ASSERT_GC_OBJECT_INHERITS(thisObject, info()); - ASSERT(thisObject->structure()->typeInfo().overridesVisitChildren()); JSCell::visitChildren(thisObject, visitor); - visitor.append(&thisObject->m_globalObject); + + ConcurrentJSLocker locker(thisObject->m_lock); + + visitor.append(thisObject->m_globalObject); if (!thisObject->isObject()) thisObject->m_cachedPrototypeChain.clear(); else { - visitor.append(&thisObject->m_prototype); - visitor.append(&thisObject->m_cachedPrototypeChain); + visitor.append(thisObject->m_prototype); + visitor.append(thisObject->m_cachedPrototypeChain); } - visitor.append(&thisObject->m_previousOrRareData); - visitor.append(&thisObject->m_specificValueInPrevious); - - if (thisObject->m_isPinnedPropertyTable) { - ASSERT(thisObject->m_propertyTableUnsafe); - visitor.append(&thisObject->m_propertyTableUnsafe); - } else if (thisObject->m_propertyTableUnsafe) + visitor.append(thisObject->m_previousOrRareData); + + if (thisObject->isPinnedPropertyTable() || thisObject->isAddingPropertyForTransition()) { + // NOTE: This can interleave in pin(), in which case it may see a null property table. + // That's fine, because then the barrier will fire and we will scan this again. + visitor.append(thisObject->m_propertyTableUnsafe); + } else if (visitor.isBuildingHeapSnapshot()) + visitor.append(thisObject->m_propertyTableUnsafe); + else if (thisObject->m_propertyTableUnsafe) thisObject->m_propertyTableUnsafe.clear(); + + visitor.append(thisObject->m_inferredTypeTable); +} + +bool Structure::isCheapDuringGC() +{ + // FIXME: We could make this even safer by returning false if this structure's property table + // has any large property names. + // https://bugs.webkit.org/show_bug.cgi?id=157334 + + return (!m_globalObject || Heap::isMarkedConcurrently(m_globalObject.get())) + && (!storedPrototypeObject() || Heap::isMarkedConcurrently(storedPrototypeObject())); +} + +bool Structure::markIfCheap(SlotVisitor& visitor) +{ + if (!isCheapDuringGC()) + return Heap::isMarkedConcurrently(this); + + visitor.appendUnbarriered(this); + return true; } bool Structure::prototypeChainMayInterceptStoreTo(VM& vm, PropertyName propertyName) { - unsigned i = propertyName.asIndex(); - if (i != PropertyName::NotAnIndex) + if (parseIndex(propertyName)) return anyObjectInChainMayInterceptIndexedAccesses(); for (Structure* current = this; ;) { @@ -1017,11 +1131,10 @@ bool Structure::prototypeChainMayInterceptStoreTo(VM& vm, PropertyName propertyN if (prototype.isNull()) return false; - current = prototype.asCell()->structure(); + current = prototype.asCell()->structure(vm); unsigned attributes; - JSCell* specificValue; - PropertyOffset offset = current->get(vm, propertyName, attributes, specificValue); + PropertyOffset offset = current->get(vm, propertyName, attributes); if (!JSC::isValidOffset(offset)) continue; @@ -1032,39 +1145,83 @@ bool Structure::prototypeChainMayInterceptStoreTo(VM& vm, PropertyName propertyN } } +Ref<StructureShape> Structure::toStructureShape(JSValue value) +{ + Ref<StructureShape> baseShape = StructureShape::create(); + RefPtr<StructureShape> curShape = baseShape.ptr(); + Structure* curStructure = this; + JSValue curValue = value; + while (curStructure) { + curStructure->forEachPropertyConcurrently( + [&] (const PropertyMapEntry& entry) -> bool { + curShape->addProperty(*entry.key); + return true; + }); + + if (JSObject* curObject = curValue.getObject()) + curShape->setConstructorName(JSObject::calculatedClassName(curObject)); + else + curShape->setConstructorName(curStructure->classInfo()->className); + + if (curStructure->isDictionary()) + curShape->enterDictionaryMode(); + + curShape->markAsFinal(); + + if (curStructure->storedPrototypeStructure()) { + auto newShape = StructureShape::create(); + curShape->setProto(newShape.copyRef()); + curShape = WTFMove(newShape); + curValue = curStructure->storedPrototype(); + } + + curStructure = curStructure->storedPrototypeStructure(); + } + + return baseShape; +} + +bool Structure::canUseForAllocationsOf(Structure* other) +{ + return inlineCapacity() == other->inlineCapacity() + && storedPrototype() == other->storedPrototype() + && objectInitializationBlob() == other->objectInitializationBlob(); +} + void Structure::dump(PrintStream& out) const { out.print(RawPointer(this), ":[", classInfo()->className, ", {"); - Vector<Structure*, 8> structures; - Structure* structure; - PropertyTable* table; - - const_cast<Structure*>(this)->findStructuresAndMapForMaterialization( - structures, structure, table); - CommaPrinter comma; - if (table) { - PropertyTable::iterator iter = table->begin(); - PropertyTable::iterator end = table->end(); - for (; iter != end; ++iter) - out.print(comma, iter->key, ":", static_cast<int>(iter->offset)); - - structure->m_lock.unlock(); - } - - for (unsigned i = structures.size(); i--;) { - Structure* structure = structures[i]; - if (!structure->m_nameInPrevious) - continue; - out.print(comma, structure->m_nameInPrevious.get(), ":", static_cast<int>(structure->m_offset)); - } + const_cast<Structure*>(this)->forEachPropertyConcurrently( + [&] (const PropertyMapEntry& entry) -> bool { + out.print(comma, entry.key, ":", static_cast<int>(entry.offset)); + return true; + }); out.print("}, ", IndexingTypeDump(indexingType())); if (m_prototype.get().isCell()) out.print(", Proto:", RawPointer(m_prototype.get().asCell())); + + switch (dictionaryKind()) { + case NoneDictionaryKind: + if (hasBeenDictionary()) + out.print(", Has been dictionary"); + break; + case CachedDictionaryKind: + out.print(", Dictionary"); + break; + case UncachedDictionaryKind: + out.print(", UncacheableDictionary"); + break; + } + + if (transitionWatchpointSetIsStillValid()) + out.print(", Leaf"); + else if (transitionWatchpointIsLikelyToBeFired()) + out.print(", Shady leaf"); out.print("]"); } @@ -1087,92 +1244,66 @@ void Structure::dumpContextHeader(PrintStream& out) out.print("Structures:"); } -#if DO_PROPERTYMAP_CONSTENCY_CHECK - -void PropertyTable::checkConsistency() +bool ClassInfo::hasStaticSetterOrReadonlyProperties() const { - checkOffsetConsistency(); - ASSERT(m_indexSize >= PropertyTable::MinimumTableSize); - ASSERT(m_indexMask); - ASSERT(m_indexSize == m_indexMask + 1); - ASSERT(!(m_indexSize & m_indexMask)); - - ASSERT(m_keyCount <= m_indexSize / 2); - ASSERT(m_keyCount + m_deletedCount <= m_indexSize / 2); - ASSERT(m_deletedCount <= m_indexSize / 4); - - unsigned indexCount = 0; - unsigned deletedIndexCount = 0; - for (unsigned a = 0; a != m_indexSize; ++a) { - unsigned entryIndex = m_index[a]; - if (entryIndex == PropertyTable::EmptyEntryIndex) - continue; - if (entryIndex == deletedEntryIndex()) { - ++deletedIndexCount; - continue; - } - ASSERT(entryIndex < deletedEntryIndex()); - ASSERT(entryIndex - 1 <= usedCount()); - ++indexCount; - - for (unsigned b = a + 1; b != m_indexSize; ++b) - ASSERT(m_index[b] != entryIndex); - } - ASSERT(indexCount == m_keyCount); - ASSERT(deletedIndexCount == m_deletedCount); - - ASSERT(!table()[deletedEntryIndex() - 1].key); - - unsigned nonEmptyEntryCount = 0; - for (unsigned c = 0; c < usedCount(); ++c) { - StringImpl* rep = table()[c].key; - if (rep == PROPERTY_MAP_DELETED_ENTRY_KEY) - continue; - ++nonEmptyEntryCount; - unsigned i = rep->existingHash(); - unsigned k = 0; - unsigned entryIndex; - while (1) { - entryIndex = m_index[i & m_indexMask]; - ASSERT(entryIndex != PropertyTable::EmptyEntryIndex); - if (rep == table()[entryIndex - 1].key) - break; - if (k == 0) - k = 1 | doubleHash(rep->existingHash()); - i += k; + for (const ClassInfo* ci = this; ci; ci = ci->parentClass) { + if (const HashTable* table = ci->staticPropHashTable) { + if (table->hasSetterOrReadonlyProperties) + return true; } - ASSERT(entryIndex == c + 1); } + return false; +} - ASSERT(nonEmptyEntryCount == m_keyCount); +void Structure::setCachedPropertyNameEnumerator(VM& vm, JSPropertyNameEnumerator* enumerator) +{ + ASSERT(!isDictionary()); + if (!hasRareData()) + allocateRareData(vm); + rareData()->setCachedPropertyNameEnumerator(vm, enumerator); } -void Structure::checkConsistency() +JSPropertyNameEnumerator* Structure::cachedPropertyNameEnumerator() const { - if (!propertyTable()) - return; + if (!hasRareData()) + return nullptr; + return rareData()->cachedPropertyNameEnumerator(); +} - if (!m_hasNonEnumerableProperties) { - PropertyTable::iterator end = propertyTable()->end(); - for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) { - ASSERT(!(iter->attributes & DontEnum)); - } - } +bool Structure::canCachePropertyNameEnumerator() const +{ + if (isDictionary()) + return false; - propertyTable()->checkConsistency(); -} + if (hasIndexedProperties(indexingType())) + return false; -#endif // DO_PROPERTYMAP_CONSTENCY_CHECK + if (typeInfo().overridesGetPropertyNames()) + return false; -bool ClassInfo::hasStaticSetterOrReadonlyProperties(VM& vm) const -{ - for (const ClassInfo* ci = this; ci; ci = ci->parentClass) { - if (const HashTable* table = ci->propHashTable(vm)) { - if (table->hasSetterOrReadonlyProperties) - return true; - } + StructureChain* structureChain = m_cachedPrototypeChain.get(); + ASSERT(structureChain); + WriteBarrier<Structure>* structure = structureChain->head(); + while (true) { + if (!structure->get()) + break; + if (structure->get()->typeInfo().overridesGetPropertyNames()) + return false; + structure++; } - return false; + + return true; +} + +bool Structure::canAccessPropertiesQuicklyForEnumeration() const +{ + if (!isQuickPropertyAccessAllowedForEnumeration()) + return false; + if (hasGetterSetterProperties()) + return false; + if (isUncacheableDictionary()) + return false; + return true; } } // namespace JSC |