Reviewers: Toon Verwaest,
Message:
PTAL
Description:
Map::MigrateToMap() now supports fast case (transition from a map that has
run
out of property space).
Please review this at https://codereview.chromium.org/347413002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+39, -26 lines):
M src/ic.cc
M src/objects.h
M src/objects.cc
Index: src/ic.cc
diff --git a/src/ic.cc b/src/ic.cc
index
cd92af11852c0f77c7140804cf6500e767087474..dff2a1d6a84fee0af8f23c4f0b935ea5372334a7
100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -2087,26 +2087,7 @@ RUNTIME_FUNCTION(SharedStoreIC_ExtendStorage) {
ASSERT(object->HasFastProperties());
ASSERT(object->map()->unused_property_fields() == 0);
- // Expand the properties array.
- Handle<FixedArray> old_storage = handle(object->properties(), isolate);
- int new_unused = transition->unused_property_fields();
- int new_size = old_storage->length() + new_unused + 1;
-
- Handle<FixedArray> new_storage = FixedArray::CopySize(old_storage,
new_size);
-
- Handle<Object> to_store = value;
-
- PropertyDetails details = transition->instance_descriptors()->GetDetails(
- transition->LastAdded());
- if (details.representation().IsDouble()) {
- to_store = isolate->factory()->NewHeapNumber(value->Number());
- }
-
- new_storage->set(old_storage->length(), *to_store);
-
- // Set the new property value and do the map transition.
- object->set_properties(*new_storage);
- object->set_map(*transition);
+ JSObject::MigrateToNewProperty(object, transition, value);
// Return the stored value.
return *value;
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
0e5d9a26a277a890c673e0338a16bfceb143dbe4..0315138ca1c3cb9ab64b539f66ed1a0c78e9360d
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -2168,6 +2168,38 @@ void JSObject::MigrateToMap(Handle<JSObject> object,
Handle<Map> new_map) {
int total_size = number_of_fields + unused;
int external = total_size - inobject;
+
+ if ((old_map->unused_property_fields() == 0) &&
+ (new_map->GetBackPointer() == *old_map)) {
+ // This migration is a transition from a map that has run out out
property
+ // space. Therefore it could be done by extending the backing store.
+ Handle<FixedArray> old_storage = handle(object->properties(), isolate);
+ Handle<FixedArray> new_storage =
+ FixedArray::CopySize(old_storage, external);
+
+ // Properly initialize newly added property.
+ PropertyDetails details = new_map->GetLastDescriptorDetails();
+ Handle<Object> value;
+ if (details.representation().IsDouble()) {
+ value = isolate->factory()->NewHeapNumber(0);
+ } else {
+ value = isolate->factory()->uninitialized_value();
+ }
+ ASSERT(details.type() == FIELD);
+ int target_index = details.field_index() - inobject;
+ ASSERT(target_index >= 0); // Must be a backing store index.
+ new_storage->set(target_index, *value);
+
+ // From here on we cannot fail and we shouldn't GC anymore.
+ DisallowHeapAllocation no_allocation;
+
+ // Set the new property value and do the map transition.
+ object->set_properties(*new_storage);
+ // Writing the new map here does not require synchronization since it
does
+ // not change the actual object size.
+ object->set_map(*new_map);
+ return;
+ }
Handle<FixedArray> array = isolate->factory()->NewFixedArray(total_size);
Handle<DescriptorArray> old_descriptors(old_map->instance_descriptors());
@@ -2238,7 +2270,7 @@ void JSObject::MigrateToMap(Handle<JSObject> object,
Handle<Map> new_map) {
Address address = object->address() + new_instance_size;
// The trimming is performed on a newly allocated object, which is on a
- // fresly allocated page or on an already swept page. Hence, the sweeper
+ // freshly allocated page or on an already swept page. Hence, the sweeper
// thread can not get confused with the filler creation. No
synchronization
// needed.
isolate->heap()->CreateFillerObjectAt(address, instance_size_delta);
@@ -2251,7 +2283,7 @@ void JSObject::MigrateToMap(Handle<JSObject> object,
Handle<Map> new_map) {
}
// The trimming is performed on a newly allocated object, which is on a
- // fresly allocated page or on an already swept page. Hence, the sweeper
+ // freshly allocated page or on an already swept page. Hence, the sweeper
// thread can not get confused with the filler creation. No
synchronization
// needed.
object->set_map(*new_map);
Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index
7d0791290bae786aad30f90f1ebe84b3cf50c533..025ee702250c7f27f63bfaad8c87363a4a632d15
100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -2631,6 +2631,10 @@ class JSObject: public JSReceiver {
Handle<Name> name,
Handle<Object> old_value);
+ static void MigrateToNewProperty(Handle<JSObject> object,
+ Handle<Map> transition,
+ Handle<Object> value);
+
private:
friend class DictionaryElementsAccessor;
friend class JSReceiver;
@@ -2758,10 +2762,6 @@ class JSObject: public JSReceiver {
ValueType value_type,
TransitionFlag flag);
- static void MigrateToNewProperty(Handle<JSObject> object,
- Handle<Map> transition,
- Handle<Object> value);
-
// Add a property to a slow-case object.
static void AddSlowProperty(Handle<JSObject> object,
Handle<Name> name,
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
