Reviewers: Toon Verwaest,
Message:
PTAL
Description:
More set_map() calls replaced with MigrateToMap().
Please review this at https://codereview.chromium.org/338793004/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+28, -37 lines):
M src/api.cc
M src/bootstrapper.cc
M src/factory.cc
M src/objects.cc
Index: src/api.cc
diff --git a/src/api.cc b/src/api.cc
index
fc22929fd0ab392744025cea88b1dfbdd09f2330..7c60252156e3382c8d7ff28d7cdf4fb21b15de92
100644
--- a/src/api.cc
+++ b/src/api.cc
@@ -3600,7 +3600,7 @@ void v8::Object::TurnOnAccessCheck() {
i::Handle<i::Map> new_map = i::Map::Copy(i::Handle<i::Map>(obj->map()));
new_map->set_is_access_check_needed(true);
- obj->set_map(*new_map);
+ i::JSObject::MigrateToMap(obj, new_map);
}
Index: src/bootstrapper.cc
diff --git a/src/bootstrapper.cc b/src/bootstrapper.cc
index
7dc41009994161cc4ffeb0633a651ea84233dfc4..771b5b2d1f22efc6551d2b47a8df8202347e6de5
100644
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -342,10 +342,10 @@ Handle<Context> Bootstrapper::CreateEnvironment(
static void SetObjectPrototype(Handle<JSObject> object, Handle<Object>
proto) {
// object.__proto__ = proto;
- Handle<Map> old_to_map = Handle<Map>(object->map());
- Handle<Map> new_to_map = Map::Copy(old_to_map);
- new_to_map->set_prototype(*proto);
- object->set_map(*new_to_map);
+ Handle<Map> old_map = Handle<Map>(object->map());
+ Handle<Map> new_map = Map::Copy(old_map);
+ new_map->set_prototype(*proto);
+ JSObject::MigrateToMap(object, new_map);
}
@@ -2540,10 +2540,8 @@ void Genesis::TransferObject(Handle<JSObject> from,
Handle<JSObject> to) {
TransferIndexedProperties(from, to);
// Transfer the prototype (new map is needed).
- Handle<Map> old_to_map = Handle<Map>(to->map());
- Handle<Map> new_to_map = Map::Copy(old_to_map);
- new_to_map->set_prototype(from->map()->prototype());
- to->set_map(*new_to_map);
+ Handle<Object> proto(from->map()->prototype(), isolate());
+ SetObjectPrototype(to, proto);
}
Index: src/factory.cc
diff --git a/src/factory.cc b/src/factory.cc
index
1996e736f03d207894ab13e8a14c6d72075b3760..c2489fb60b1e1357ac4d0d811d4fd1b4d4a3052c
100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1818,8 +1818,14 @@ void
Factory::ReinitializeJSReceiver(Handle<JSReceiver> object,
// before object re-initialization is finished and filler object is
installed.
DisallowHeapAllocation no_allocation;
+ // Put in filler if the new object is smaller than the old.
+ if (size_difference > 0) {
+ heap->CreateFillerObjectAt(
+ object->address() + map->instance_size(), size_difference);
+ }
+
// Reset the map for the object.
- object->set_map(*map);
+ object->synchronized_set_map(*map);
Handle<JSObject> jsobj = Handle<JSObject>::cast(object);
// Reinitialize the object from the constructor map.
@@ -1832,12 +1838,6 @@ void
Factory::ReinitializeJSReceiver(Handle<JSReceiver> object,
Handle<Context> context(isolate()->context()->native_context());
InitializeFunction(js_function, shared.ToHandleChecked(), context);
}
-
- // Put in filler if the new object is smaller than the old.
- if (size_difference > 0) {
- heap->CreateFillerObjectAt(
- object->address() + map->instance_size(), size_difference);
- }
}
@@ -1863,7 +1863,7 @@ void
Factory::ReinitializeJSGlobalProxy(Handle<JSGlobalProxy> object,
DisallowHeapAllocation no_allocation;
// Reset the map for the object.
- object->set_map(constructor->initial_map());
+ object->synchronized_set_map(*map);
Heap* heap = isolate()->heap();
// Reinitialize the object from the constructor map.
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
e9bedcadeb1eff4b9fbd61d29a71a69b1218849c..408e35ab421e97a22d19533dbfb020c695e05e22
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -761,7 +761,7 @@ Handle<Object>
JSObject::DeleteNormalizedProperty(Handle<JSObject> object,
// the hole value.
Handle<Map> new_map =
Map::CopyDropDescriptors(handle(object->map()));
ASSERT(new_map->is_dictionary_map());
- object->set_map(*new_map);
+ JSObject::MigrateToMap(object, new_map);
}
Handle<PropertyCell>
cell(PropertyCell::cast(dictionary->ValueAt(entry)));
Handle<Object> value = isolate->factory()->the_hole_value();
@@ -2145,8 +2145,6 @@ void JSObject::MigrateToMap(Handle<JSObject> object,
Handle<Map> new_map) {
// converted to doubles.
if (!old_map->InstancesNeedRewriting(
*new_map, number_of_fields, inobject, unused)) {
- // Writing the new map here does not require synchronization since it
does
- // not change the actual object size.
object->synchronized_set_map(*new_map);
return;
}
@@ -2180,9 +2178,7 @@ void JSObject::MigrateToMap(Handle<JSObject> object,
Handle<Map> new_map) {
// Set the new property value and do the map transition.
object->set_properties(*new_storage);
- // Writing the new map here does not require synchronization since it
does
- // not change the actual object size.
- object->set_map(*new_map);
+ object->synchronized_set_map(*new_map);
return;
}
Handle<FixedArray> array = isolate->factory()->NewFixedArray(total_size);
@@ -2254,24 +2250,21 @@ void JSObject::MigrateToMap(Handle<JSObject>
object, Handle<Map> new_map) {
ASSERT(instance_size_delta >= 0);
Address address = object->address() + new_instance_size;
- // The trimming is performed on a newly allocated object, which is on a
- // freshly allocated page or on an already swept page. Hence, the sweeper
- // thread can not get confused with the filler creation. No
synchronization
- // needed.
- isolate->heap()->CreateFillerObjectAt(address, instance_size_delta);
+ Heap* heap = isolate->heap();
// If there are properties in the new backing store, trim it to the
correct
// size and install the backing store into the object.
if (external > 0) {
- RightTrimFixedArray<Heap::FROM_MUTATOR>(isolate->heap(), *array,
inobject);
+ RightTrimFixedArray<Heap::FROM_MUTATOR>(heap, *array, inobject);
object->set_properties(*array);
}
- // The trimming is performed on a newly allocated object, which is on a
- // freshly allocated page or on an already swept page. Hence, the sweeper
- // thread can not get confused with the filler creation. No
synchronization
- // needed.
- object->set_map(*new_map);
+ heap->CreateFillerObjectAt(address, instance_size_delta);
+ heap->AdjustLiveBytes(address, -instance_size_delta, Heap::FROM_MUTATOR);
+
+ // We are storing the new map using release store after creating a
filler for
+ // the left-over space to avoid races with the sweeper thread.
+ object->synchronized_set_map(*new_map);
}
@@ -4718,7 +4711,7 @@ void
JSObject::TransformToFastProperties(Handle<JSObject> object,
ASSERT_LE(unused_property_fields, inobject_props);
// Transform the object.
new_map->set_unused_property_fields(inobject_props);
- object->set_map(*new_map);
+ object->synchronized_set_map(*new_map);
object->set_properties(isolate->heap()->empty_fixed_array());
// Check that it really works.
ASSERT(object->HasFastProperties());
@@ -4799,7 +4792,7 @@ void
JSObject::TransformToFastProperties(Handle<JSObject> object,
new_map->set_unused_property_fields(unused_property_fields);
// Transform the object.
- object->set_map(*new_map);
+ object->synchronized_set_map(*new_map);
object->set_properties(*fields);
ASSERT(object->IsJSObject());
@@ -6641,7 +6634,7 @@ void JSObject::SetPropertyCallback(Handle<JSObject>
object,
if (object->IsGlobalObject()) {
Handle<Map> new_map = Map::CopyDropDescriptors(handle(object->map()));
ASSERT(new_map->is_dictionary_map());
- object->set_map(*new_map);
+ JSObject::MigrateToMap(object, new_map);
// When running crankshaft, changing the map is not enough. We
// need to deoptimize all functions that rely on this global
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
