[webkit-changes] [239392] trunk

Wed, 19 Dec 2018 14:02:15 -0800

Title: [239392] trunk
Revision
239392
Author
mark....@apple.com
Date
2018-12-19 14:00:43 -0800 (Wed, 19 Dec 2018)

Log Message

JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
https://bugs.webkit.org/show_bug.cgi?id=192464
<rdar://problem/46519455>

Reviewed by Saam Barati.

JSTests:

This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
microbenchmark.

* microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
* stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.

Source/_javascript_Core:

This is because the process of getting its property names may cause some lazy
properties to be reified, and the structure will change.  This is needed in order
for get_direct_pname to work correctly.

* runtime/JSPropertyNameEnumerator.h:
(JSC::propertyNameEnumerator):

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (239391 => 239392)


--- trunk/JSTests/ChangeLog	2018-12-19 22:00:22 UTC (rev 239391)
+++ trunk/JSTests/ChangeLog	2018-12-19 22:00:43 UTC (rev 239392)
@@ -1,3 +1,17 @@
+2018-12-19  Mark Lam  <mark....@apple.com>
+
+        JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
+        https://bugs.webkit.org/show_bug.cgi?id=192464
+        <rdar://problem/46519455>
+
+        Reviewed by Saam Barati.
+
+        This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
+        microbenchmark.
+
+        * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
+        * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
+
 2018-12-19  Tadeu Zagallo  <tzaga...@apple.com>
 
         String overflow in JSC::createError results in ASSERT in WTF::makeString

Added: trunk/JSTests/microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js (0 => 239392)


--- trunk/JSTests/microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js	                        (rev 0)
+++ trunk/JSTests/microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js	2018-12-19 22:00:43 UTC (rev 239392)
@@ -0,0 +1,14 @@
+function foo(o) {
+    var count = 0;
+    for (var p in o) {
+        if (o[p])
+            count ++;
+    }
+    return count;
+}
+noInline(foo);
+
+var total = 0;
+for (let j = 0; j < 100000; ++j)
+    total += foo(new Error);
+

Added: trunk/JSTests/stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js (0 => 239392)


--- trunk/JSTests/stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js	                        (rev 0)
+++ trunk/JSTests/stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js	2018-12-19 22:00:43 UTC (rev 239392)
@@ -0,0 +1,11 @@
+function foo(){
+    o = Error();
+    for (var s in o) {
+        o[s];
+        o = Error();
+    }
+}
+noInline(foo);
+
+for(var i = 0; i < 100; i++)
+    foo();

Modified: trunk/Source/_javascript_Core/ChangeLog (239391 => 239392)


--- trunk/Source/_javascript_Core/ChangeLog	2018-12-19 22:00:22 UTC (rev 239391)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-12-19 22:00:43 UTC (rev 239392)
@@ -1,3 +1,18 @@
+2018-12-18  Mark Lam  <mark....@apple.com>
+
+        JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
+        https://bugs.webkit.org/show_bug.cgi?id=192464
+        <rdar://problem/46519455>
+
+        Reviewed by Saam Barati.
+
+        This is because the process of getting its property names may cause some lazy
+        properties to be reified, and the structure will change.  This is needed in order
+        for get_direct_pname to work correctly.
+
+        * runtime/JSPropertyNameEnumerator.h:
+        (JSC::propertyNameEnumerator):
+
 2018-12-19  Caio Lima  <ticaiol...@gmail.com>
 
         [BigInt] We should enable CSE into arithmetic operations that speculate BigIntUse

Modified: trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h (239391 => 239392)


--- trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h	2018-12-19 22:00:22 UTC (rev 239391)
+++ trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h	2018-12-19 22:00:43 UTC (rev 239392)
@@ -135,8 +135,9 @@
     bool sawPolyProto;
     bool successfullyNormalizedChain = normalizePrototypeChain(exec, base, sawPolyProto) != InvalidPrototypeChain;
 
-    enumerator = JSPropertyNameEnumerator::create(vm, structure, indexedLength, numberStructureProperties, WTFMove(propertyNames));
-    if (!indexedLength && successfullyNormalizedChain && base->structure(vm) == structure) {
+    Structure* structureAfterGettingPropertyNames = base->structure(vm);
+    enumerator = JSPropertyNameEnumerator::create(vm, structureAfterGettingPropertyNames, indexedLength, numberStructureProperties, WTFMove(propertyNames));
+    if (!indexedLength && successfullyNormalizedChain && structureAfterGettingPropertyNames == structure) {
         enumerator->setCachedPrototypeChain(vm, structure->prototypeChain(exec, base));
         if (structure->canCachePropertyNameEnumerator())
             structure->setCachedPropertyNameEnumerator(vm, enumerator);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to