Title: [221970] trunk
Revision
221970
Author
[email protected]
Date
2017-09-13 08:48:20 -0700 (Wed, 13 Sep 2017)

Log Message

[JSC] Fix Array allocation in Object.keys
https://bugs.webkit.org/show_bug.cgi?id=176826

Reviewed by Saam Barati.

JSTests:

* stress/object-own-property-keys.js: Added.
(shouldBe):

Source/_javascript_Core:

When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
We check isHavingABadTime() in ownPropertyKeys fast path.
And we also ensure that ownPropertyKeys uses the putDirect operation instead of put, by a test.

* runtime/ObjectConstructor.cpp:
(JSC::ownPropertyKeys):
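
The distinction the commit message draws between putDirect and put is observable from JavaScript: an array element written with [[DefineOwnProperty]] never consults Array.prototype, while one written with [[Set]] does, so an indexed accessor on Array.prototype (the same trick the regression test uses) tells the two apart. The following is an added example, not code from the WebKit commit or its test; it generalizes the test's probe to a reusable helper and contrasts the builtins the test covers with ordinary indexed assignment and `push`, which are specified to go through [[Set]] and are therefore expected to hit the accessor. The names `probeWithTrap`, `defineOwnPropertyPaths` and `setPaths` are this example's own, and `sample` is a constructed input.

```javascript
'use strict';

// Added example (not part of the WebKit commit): probe which operations
// create array elements via [[DefineOwnProperty]] (putDirect in JSC terms)
// and which go through [[Set]] (put), by installing a throwing indexed
// accessor on Array.prototype exactly as the commit's regression test does.
// The accessor is removed in `finally` so nothing else in the process is affected.

class PrototypeTrap extends Error {}

// Run `fn` while index 0 on Array.prototype is a throwing accessor.
// Returns 'ok' if fn completed without touching the accessor, 'trapped' if
// it reached the accessor, or 'error: ...' for any other exception.
function probeWithTrap(fn) {
  Object.defineProperty(Array.prototype, '0', {
    get() { throw new PrototypeTrap('get trapped'); },
    set() { throw new PrototypeTrap('set trapped'); },
    configurable: true,
  });
  try {
    fn();
    return 'ok';
  } catch (e) {
    if (e instanceof PrototypeTrap) return 'trapped';
    return 'error: ' + e.message;
  } finally {
    delete Array.prototype[0];
  }
}

// Constructed sample object, mirroring the shapes in the regression test.
const sample = { a: 42, b: 42, c: 42, [Symbol.iterator]: 42 };

// Operations the spec defines via CreateDataProperty (putDirect): a correct
// engine reports 'ok' for every one of these, even when the global object is
// "having a bad time" because of the prototype accessor.
function defineOwnPropertyPaths() {
  return {
    objectKeys: probeWithTrap(() => Object.keys(sample)),
    objectValues: probeWithTrap(() => Object.values(sample)),
    getOwnPropertyNames: probeWithTrap(() => Object.getOwnPropertyNames(sample)),
    getOwnPropertySymbols: probeWithTrap(() => Object.getOwnPropertySymbols(sample)),
    arrayLiteral: probeWithTrap(() => [1, 2, 3]),
  };
}

// Operations the spec defines via Set (put): these walk the prototype chain,
// so reaching the accessor is the required behaviour and they report 'trapped'.
function setPaths() {
  return {
    indexedAssignment: probeWithTrap(() => { const a = []; a[0] = 1; }),
    push: probeWithTrap(() => { const a = []; a.push(1); }),
  };
}
```

Run under a spec-conforming engine, every entry of `defineOwnPropertyPaths()` is `'ok'` and both entries of `setPaths()` are `'trapped'`; a builtin that shows up as `'trapped'` in the first group is the bug class this commit fixes, a result array being filled with put instead of putDirect.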

Diff

Modified: trunk/JSTests/ChangeLog (221969 => 221970)


--- trunk/JSTests/ChangeLog	2017-09-13 15:31:16 UTC (rev 221969)
+++ trunk/JSTests/ChangeLog	2017-09-13 15:48:20 UTC (rev 221970)
@@ -1,3 +1,13 @@
+2017-09-13  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Fix Array allocation in Object.keys
+        https://bugs.webkit.org/show_bug.cgi?id=176826
+
+        Reviewed by Saam Barati.
+
+        * stress/object-own-property-keys.js: Added.
+        (shouldBe):
+
 2017-09-12  Yusuke Suzuki  <[email protected]>
 
         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
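Review bot: the entry lists only the `shouldBe` helper; say what the new test actually covers (Object.keys, Object.values, Object.getOwnPropertyNames and Object.getOwnPropertySymbols with an indexed accessor installed on Array.prototype), so that someone bisecting a bad-time regression can find it from the ChangeLog.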

Added: trunk/JSTests/stress/object-own-property-keys.js (0 => 221970)


--- trunk/JSTests/stress/object-own-property-keys.js	                        (rev 0)
+++ trunk/JSTests/stress/object-own-property-keys.js	2017-09-13 15:48:20 UTC (rev 221970)
@@ -0,0 +1,45 @@
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+Object.defineProperty(Array.prototype, '0', {
+    get() {
+        throw new Error('out');
+    },
+    set(value) {
+        throw new Error('out');
+    }
+});
+
+{
+    let object = {
+        a: 42,
+        b: 42,
+        c: 42
+    };
+    {
+        let result = Object.keys(object);
+        shouldBe(JSON.stringify(result), `["a","b","c"]`);
+    }
+    {
+        let result = Object.values(object);
+        shouldBe(JSON.stringify(result), `[42,42,42]`);
+    }
+}
+{
+    let object = {
+        [Symbol.iterator]: 42,
+        b: 42,
+        c: 42
+    };
+    {
+        let result = Object.getOwnPropertyNames(object);
+        shouldBe(JSON.stringify(result), `["b","c"]`);
+    }
+    {
+        let result = Object.getOwnPropertySymbols(object);
+        shouldBe(result.length, 1);
+        shouldBe(result[0], Symbol.iterator);
+    }
+}
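Review bot: the accessor on Array.prototype is installed before any call under test, so every assertion here exercises only the fallback path that this change routes bad-time allocations to; the contiguous fast path in ownPropertyKeys is never executed by this file. Run the same `Object.keys` / `Object.values` / `Object.getOwnPropertyNames` / `Object.getOwnPropertySymbols` assertions once before the `Object.defineProperty(Array.prototype, '0', ...)` call and once after, so a single test covers both branches and catches a future regression in either. The getter is also doing useful work that is worth a comment: if a result array came back without its element 0 actually stored, `JSON.stringify(result)` would fall through to the prototype getter and throw 'out'.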

Modified: trunk/Source/_javascript_Core/ChangeLog (221969 => 221970)


--- trunk/Source/_javascript_Core/ChangeLog	2017-09-13 15:31:16 UTC (rev 221969)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-09-13 15:48:20 UTC (rev 221970)
@@ -1,3 +1,17 @@
+2017-09-13  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Fix Array allocation in Object.keys
+        https://bugs.webkit.org/show_bug.cgi?id=176826
+
+        Reviewed by Saam Barati.
+
+        When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
+        We check isHavingABadTime() in ownPropertyKeys fast path.
+        And we also ensures that ownPropertyKeys uses putDirect operation instead of put by a test.
+
+        * runtime/ObjectConstructor.cpp:
+        (JSC::ownPropertyKeys):
+
 2017-09-12  Yusuke Suzuki  <[email protected]>
 
         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
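Review bot: "we also ensures" should read "we also ensure". The first sentence would also be clearer if it named the consequence rather than only the cause: the fast path allocated with `arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous)` and then wrote through `keys->butterfly()->contiguous().data()`, so when the global object is having a bad time and that allocation does not produce ArrayWithContiguous, the writes went into a butterfly whose layout is not contiguous.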

Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (221969 => 221970)


--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp	2017-09-13 15:31:16 UTC (rev 221969)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp	2017-09-13 15:48:20 UTC (rev 221970)
@@ -855,15 +855,18 @@
     // If !mustFilterProperty and PropertyNameMode::Strings mode, we do not need to filter out any entries in PropertyNameArray.
     // We can use fast allocation and initialization.
     if (!mustFilterProperty && propertyNameMode == PropertyNameMode::Strings && properties.size() < MIN_SPARSE_ARRAY_INDEX) {
-        size_t numProperties = properties.size();
-        JSArray* keys = JSArray::create(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous), numProperties);
-        WriteBarrier<Unknown>* buffer = keys->butterfly()->contiguous().data();
-        for (size_t i = 0; i < numProperties; i++) {
-            const auto& identifier = properties[i];
-            ASSERT(!identifier.isSymbol());
-            buffer[i].set(vm, keys, jsOwnedString(&vm, identifier.string()));
+        auto* globalObject = exec->lexicalGlobalObject();
+        if (LIKELY(!globalObject->isHavingABadTime())) {
+            size_t numProperties = properties.size();
+            JSArray* keys = JSArray::create(vm, globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous), numProperties);
+            WriteBarrier<Unknown>* buffer = keys->butterfly()->contiguous().data();
+            for (size_t i = 0; i < numProperties; i++) {
+                const auto& identifier = properties[i];
+                ASSERT(!identifier.isSymbol());
+                buffer[i].set(vm, keys, jsOwnedString(&vm, identifier.string()));
+            }
+            return keys;
         }
-        return keys;
     }
 
     JSArray* keys = constructEmptyArray(exec, nullptr);
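Review bot: the `isHavingABadTime()` guard is only sufficient because nothing between the check and the direct writes into `keys->butterfly()->contiguous().data()` can re-enter JavaScript and flip the global object into bad-time mode; `JSArray::create` and `jsOwnedString` do not run user code here, but that invariant is what keeps the raw buffer writes sound, so state it in a comment next to the check. It would also be cheap to make the assumption fail loudly in debug builds with an assertion on the allocated array's indexing type right after `JSArray::create`, along the lines of `ASSERT(keys->indexingType() == ArrayWithContiguous)`, so a later change to the allocation path cannot silently reintroduce writes through the wrong butterfly layout. Minor style point: the new inner `if (LIKELY(!globalObject->isHavingABadTime()))` could be folded into the outer condition on the previous line instead of adding a nesting level around the whole fast path, which would also keep `return keys;` at its original indentation.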
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes