Title: [253432] trunk
Revision
253432
Author
[email protected]
Date
2019-12-12 10:07:33 -0800 (Thu, 12 Dec 2019)

Log Message

DFG and FTL expect String.prototype not to qualify for StringObjectUse.
https://bugs.webkit.org/show_bug.cgi?id=205147
<rdar://problem/57748888>

Reviewed by Saam Barati.

JSTests:

* stress/ftl-expects-string-prototype-to-not-be-StringObjectUse.js: Added.

Source/_javascript_Core:

Currently, String.prototype's JSType is StringObjectType.

However, in the compiler, there are a few places that expect the
String.prototype value not to qualify as StringObjectUse.  These places are:
1. SpeculatedType.cpp's speculationFromClassInfo() will speculate SpecObjectOther
   for the StringPrototype object.
2. DFGFixupPhase.cpp's addCheckStructureForOriginalStringObjectUse() only emits a
   CheckStructure against globalObject->stringObjectStructure().  It does not
   check against String.prototype's structure.

To resolve this discrepancy, we can either do:
a. change String.prototype's JSType to something else.
b. fix the places in the compiler to accept String.prototype as StringObjectUse.

(a) is trivial and cheap to do.  (b) is doable but will result in less optimal
compiled code.  Since passing String.prototype as a StringObject is expected to
be a rare thing in JS code, it's not worth incurring the cost for (b).  In this
patch, we apply (a) to fix the discrepancy.

Also added a specialization case to FOR_EACH_JS_DYNAMIC_CAST_JS_TYPE_OVERLOAD
for jsDynamicCast<StringObject> for completeness.

* runtime/JSCast.h:
* runtime/JSType.cpp:
(WTF::printInternal):
* runtime/JSType.h:
* runtime/StringPrototype.h:
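An added JavaScript example, not part of this patch or of the WebKit test suite, that shows the spec fact the change log relies on (String.prototype is itself a String wrapper object whose string data is the empty string) and rewrites the warm-up-then-call-with-String.prototype pattern so that every result is checked rather than relying on the absence of a crash. The receiver list, `splitStress` and `runChecks` are this example's own names; it runs under jsc or node.

```javascript
// Added example (not WebKit code): String.prototype as a receiver next to the
// receivers an optimizing JIT would normally speculate on, with value checks.

// Per spec, String.prototype is a String exotic object wrapping "".
function describeStringPrototype() {
    return {
        tag: Object.prototype.toString.call(String.prototype), // "[object String]"
        length: String.prototype.length,                        // 0
        value: String.prototype.valueOf(),                      // ""
        isProtoOfWrapper: Object.getPrototypeOf(new String("x")) === String.prototype,
    };
}

// The three receiver kinds a String.prototype method can see as `this`.
function receiverKinds() {
    return [
        { name: "primitive", recv: "a,b,c" },
        { name: "StringObject", recv: new String("a,b,c") },
        { name: "String.prototype", recv: String.prototype },
    ];
}

// Warm up split() on ordinary String objects (the receiver the compiler may
// specialize on), then call it repeatedly with String.prototype as `this`.
// Results are returned so a harness can assert on them.
function splitStress(iterations) {
    const warm = [];
    for (let i = 0; i < 1000; i++)
        warm.push(new String("a,b,c").split(","));
    const results = [];
    for (let i = 0; i < iterations; i++)
        results.push(String.prototype.split(","));
    return { warm, results };
}

function allEqual(arrays, expected) {
    return arrays.every(a =>
        a.length === expected.length && a.every((v, i) => v === expected[i]));
}

// Call split through every receiver kind and report the per-kind result.
function splitAcrossReceivers() {
    const out = {};
    for (const { name, recv } of receiverKinds())
        out[name] = String.prototype.split.call(recv, ",");
    return out;
}

function runChecks(iterations = 100000) {
    const d = describeStringPrototype();
    const { warm, results } = splitStress(iterations);
    const perKind = splitAcrossReceivers();
    return {
        prototypeIsStringObject:
            d.tag === "[object String]" && d.length === 0 && d.value === "" && d.isProtoOfWrapper,
        warmCorrect: allEqual(warm, ["a", "b", "c"]),
        prototypeCorrect: allEqual(results, [""]),
        perKindCorrect:
            allEqual([perKind.primitive, perKind.StringObject], ["a", "b", "c"]) &&
            allEqual([perKind["String.prototype"]], [""]),
    };
}
```

`"".split(",")` yields a single empty string, which is why the String.prototype receiver is expected to produce `[""]`; a miscompiled fast path that returned anything else would be caught here, whereas a loop that discards the result only detects crashes and assertion failures.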

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (253431 => 253432)


--- trunk/JSTests/ChangeLog	2019-12-12 17:51:29 UTC (rev 253431)
+++ trunk/JSTests/ChangeLog	2019-12-12 18:07:33 UTC (rev 253432)
@@ -1,3 +1,13 @@
+2019-12-12  Mark Lam  <[email protected]>
+
+        DFG and FTL expects String.prototype to not qualify for StringObjectUse.
+        https://bugs.webkit.org/show_bug.cgi?id=205147
+        <rdar://problem/57748888>
+
+        Reviewed by Saam Barati.
+
+        * stress/ftl-expects-string-prototype-to-not-be-StringObjectUse.js: Added.
+
 2019-12-11  Keith Miller  <[email protected]>
 
         Add test for osr exiting with interpreter on the stack

Added: trunk/JSTests/stress/ftl-expects-string-prototype-to-not-be-StringObjectUse.js (0 => 253432)


--- trunk/JSTests/stress/ftl-expects-string-prototype-to-not-be-StringObjectUse.js	                        (rev 0)
+++ trunk/JSTests/stress/ftl-expects-string-prototype-to-not-be-StringObjectUse.js	2019-12-12 18:07:33 UTC (rev 253432)
@@ -0,0 +1,6 @@
+for (var i = 0; i < 1000; i++) {
+    new String().split();
+}
+for (let i = 0; i < 100000; i++) {
+    String.prototype.split();
+}
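Review bot: the test never checks a value, so a miscompiled fast path that returned a wrong result instead of crashing would still pass; add a leading comment stating what is exercised (split() warmed up with `new String()` receivers, then called 100000 times with `String.prototype` as `this`) and assert on the result, for example that `String.prototype.split()` returns a one-element array holding the empty string, instead of relying only on the absence of an assertion failure in the DFG/FTL.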

Modified: trunk/Source/_javascript_Core/ChangeLog (253431 => 253432)


--- trunk/Source/_javascript_Core/ChangeLog	2019-12-12 17:51:29 UTC (rev 253431)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-12-12 18:07:33 UTC (rev 253432)
@@ -1,3 +1,39 @@
+2019-12-12  Mark Lam  <[email protected]>
+
+        DFG and FTL expects String.prototype to not qualify for StringObjectUse.
+        https://bugs.webkit.org/show_bug.cgi?id=205147
+        <rdar://problem/57748888>
+
+        Reviewed by Saam Barati.
+
+        Currently, String.prototype's JSType is StringObjectType.
+
+        However, in the compiler, there are a few places that expect that the
+        String.prototype value to not qualify as StringObjectUse.  These places are:
+        1. SpeculatedType.cpp's speculationFromClassInfo() will speculate SpecObjectOther
+           for the StringPrototype object.
+        2. DFGFixupPhase.cpp's addCheckStructureForOriginalStringObjectUse() only emits a
+           CheckStructure against globalObject->stringObjectStructure().  It does not
+           check against String.prototype's structure.
+
+        To resolve this discrepancy, we can either do:
+        a. change String.prototype's JSType to something else.
+        b. fix the places in the compiler to accept String.prototype as StringObjectUse.
+
+        (a) is trivial and cheap to do.  (b) is doable but will result in less optimal
+        compiled code.  Since passing String.prototype as a StringObject is expected to
+        be a rare thing in JS code, it's not worth incurring the cost for (b).  In this
+        patch, we apply (a) to fix the discrepancy.
+
+        Also added a specialization case to FOR_EACH_JS_DYNAMIC_CAST_JS_TYPE_OVERLOAD
+        for jsDynamicCast<StringObject> for completeness.
+
+        * runtime/JSCast.h:
+        * runtime/JSType.cpp:
+        (WTF::printInternal):
+        * runtime/JSType.h:
+        * runtime/StringPrototype.h:
+
 2019-12-12  Yusuke Suzuki  <[email protected]>
 
         [JSC] IsoHeapCellType should have destroy function member instead of specializing template function
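Review bot: the entry says option (a) changes String.prototype's JSType "to something else" but never names the new DerivedStringObjectType enumerator or mentions that LastJSCObjectType in JSType.h now points at it; state both so a reader of the ChangeLog can find the new type without opening the diff.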

Modified: trunk/Source/_javascript_Core/runtime/JSCast.h (253431 => 253432)


--- trunk/Source/_javascript_Core/runtime/JSCast.h	2019-12-12 17:51:29 UTC (rev 253431)
+++ trunk/Source/_javascript_Core/runtime/JSCast.h	2019-12-12 18:07:33 UTC (rev 253432)
@@ -74,6 +74,7 @@
     macro(JSLexicalEnvironment, JSType::LexicalEnvironmentType, JSType::ModuleEnvironmentType) \
     macro(JSSymbolTableObject, JSType::GlobalObjectType, JSType::ModuleEnvironmentType) \
     macro(JSScope, JSType::GlobalObjectType, JSType::WithScopeType) \
+    macro(StringObject, JSType::StringObjectType, JSType::DerivedStringObjectType) \
 
 
 // Forward declare the classes because they may not already exist.
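Review bot: the new `macro(StringObject, JSType::StringObjectType, JSType::DerivedStringObjectType)` entry treats the two enumerators as a contiguous range, which only holds because JSType.h places DerivedStringObjectType immediately after StringObjectType between the "Start/End StringObjectType types" comments; nothing enforces that adjacency at compile time, so consider a `static_assert` next to the macro (or in JSType.h) so that a later insertion into the enum cannot silently widen or break the jsDynamicCast<StringObject> range.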

Modified: trunk/Source/_javascript_Core/runtime/JSType.cpp (253431 => 253432)


--- trunk/Source/_javascript_Core/runtime/JSType.cpp	2019-12-12 17:51:29 UTC (rev 253431)
+++ trunk/Source/_javascript_Core/runtime/JSType.cpp	2019-12-12 18:07:33 UTC (rev 253432)
@@ -107,6 +107,7 @@
     CASE(JSWeakSetType)
     CASE(WebAssemblyModuleType)
     CASE(StringObjectType)
+    CASE(DerivedStringObjectType)
     CASE(MaxJSType)
     }
 }

Modified: trunk/Source/_javascript_Core/runtime/JSType.h (253431 => 253432)


--- trunk/Source/_javascript_Core/runtime/JSType.h	2019-12-12 17:51:29 UTC (rev 253431)
+++ trunk/Source/_javascript_Core/runtime/JSType.h	2019-12-12 18:07:33 UTC (rev 253432)
@@ -117,9 +117,12 @@
     JSWeakMapType,
     JSWeakSetType,
     WebAssemblyModuleType,
+    // Start StringObjectType types.
     StringObjectType,
+    DerivedStringObjectType,
+    // End StringObjectType types.
 
-    LastJSCObjectType = StringObjectType, // This is the last "JSC" Object type. After this, we have embedder's (e.g., WebCore) extended object types.
+    LastJSCObjectType = DerivedStringObjectType, // This is the last "JSC" Object type. After this, we have embedder's (e.g., WebCore) extended object types.
     MaxJSType = 0b11111111,
 };
 
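Review bot: moving `LastJSCObjectType` to `DerivedStringObjectType` renumbers every embedder type defined relative to it, which is fine as long as no numeric JSType value is persisted or hard-coded; more importantly, any `type() == StringObjectType` comparison elsewhere in the runtime now excludes String.prototype, and this patch updates only the jsDynamicCast overload in JSCast.h. Worth confirming in the ChangeLog that the remaining direct comparisons were audited, and the "Start/End StringObjectType types" comments could say that this range is consumed by FOR_EACH_JS_DYNAMIC_CAST_JS_TYPE_OVERLOAD.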

Modified: trunk/Source/_javascript_Core/runtime/StringPrototype.h (253431 => 253432)


--- trunk/Source/_javascript_Core/runtime/StringPrototype.h	2019-12-12 17:51:29 UTC (rev 253431)
+++ trunk/Source/_javascript_Core/runtime/StringPrototype.h	2019-12-12 18:07:33 UTC (rev 253432)
@@ -41,7 +41,7 @@
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(StringObjectType, StructureFlags), info());
+        return Structure::create(vm, globalObject, prototype, TypeInfo(DerivedStringObjectType, StructureFlags), info());
     }
 
     DECLARE_INFO;
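Review bot: this one-line change is the whole behavioural fix but carries no explanation, so a future reader is likely to "correct" it back to StringObjectType; add a comment above createStructure stating that StringPrototype deliberately uses DerivedStringObjectType because speculationFromClassInfo() and addCheckStructureForOriginalStringObjectUse() in the DFG assume StringObjectUse never matches String.prototype, and reference the bug id.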
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes