Title: [239489] releases/WebKitGTK/webkit-2.22
- Revision
- 239489
- Author
- [email protected]
- Date
- 2018-12-20 18:29:46 -0800 (Thu, 20 Dec 2018)
Log Message
Merge r239392 - JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
https://bugs.webkit.org/show_bug.cgi?id=192464
<rdar://problem/46519455>
Reviewed by Saam Barati.
JSTests:
This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
microbenchmark.
* microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
* stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
Source/_javascript_Core:
This is because the process of getting its property names may cause some lazy
properties to be reified, and the structure will change. This is needed in order
for get_direct_pname to work correctly.
* runtime/JSPropertyNameEnumerator.h:
(JSC::propertyNameEnumerator):
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (239488 => 239489)
--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2018-12-21 02:24:50 UTC (rev 239488)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2018-12-21 02:29:46 UTC (rev 239489)
@@ -1,3 +1,17 @@
+2018-12-19 Mark Lam <[email protected]>
+
+ JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
+ https://bugs.webkit.org/show_bug.cgi?id=192464
+ <rdar://problem/46519455>
+
+ Reviewed by Saam Barati.
+
+ This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
+ microbenchmark.
+
+ * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
+ * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
+
2018-12-13 Mark Lam <[email protected]>
Add a missing exception check.
Added: releases/WebKitGTK/webkit-2.22/JSTests/microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js (0 => 239489)
--- releases/WebKitGTK/webkit-2.22/JSTests/microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js 2018-12-21 02:29:46 UTC (rev 239489)
@@ -0,0 +1,14 @@
+function foo(o) {
+ var count = 0;
+ for (var p in o) {
+ if (o[p])
+ count ++;
+ }
+ return count;
+}
+noInline(foo);
+
+var total = 0;
+for (let j = 0; j < 100000; ++j)
+ total += foo(new Error);
+
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js (0 => 239489)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js 2018-12-21 02:29:46 UTC (rev 239489)
@@ -0,0 +1,11 @@
+function foo(){
+ o = Error();
+ for (var s in o) {
+ o[s];
+ o = Error();
+ }
+}
+noInline(foo);
+
+for(var i = 0; i < 100; i++)
+ foo();
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (239488 => 239489)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-12-21 02:24:50 UTC (rev 239488)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-12-21 02:29:46 UTC (rev 239489)
@@ -1,3 +1,18 @@
+2018-12-18 Mark Lam <[email protected]>
+
+ JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
+ https://bugs.webkit.org/show_bug.cgi?id=192464
+ <rdar://problem/46519455>
+
+ Reviewed by Saam Barati.
+
+ This is because the process of getting its property names may cause some lazy
+ properties to be reified, and the structure will change. This is needed in order
+ for get_direct_pname to work correctly.
+
+ * runtime/JSPropertyNameEnumerator.h:
+ (JSC::propertyNameEnumerator):
+
2018-12-14 Darin Adler <[email protected]>
LiteralParser has a bunch of uses of String::format with untrusted data
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h (239488 => 239489)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h 2018-12-21 02:24:50 UTC (rev 239488)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h 2018-12-21 02:29:46 UTC (rev 239489)
@@ -135,8 +135,9 @@
bool sawPolyProto;
bool successfullyNormalizedChain = normalizePrototypeChain(exec, base, sawPolyProto) != InvalidPrototypeChain;
- enumerator = JSPropertyNameEnumerator::create(vm, structure, indexedLength, numberStructureProperties, WTFMove(propertyNames));
- if (!indexedLength && successfullyNormalizedChain && base->structure(vm) == structure) {
+ Structure* structureAfterGettingPropertyNames = base->structure(vm);
+ enumerator = JSPropertyNameEnumerator::create(vm, structureAfterGettingPropertyNames, indexedLength, numberStructureProperties, WTFMove(propertyNames));
+ if (!indexedLength && successfullyNormalizedChain && structureAfterGettingPropertyNames == structure) {
enumerator->setCachedPrototypeChain(vm, structure->prototypeChain(exec, base));
if (structure->canCachePropertyNameEnumerator())
structure->setCachedPropertyNameEnumerator(vm, enumerator);
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
