Title: [255649] branches/safari-610.1.1-branch/Source/_javascript_Core
Revision
255649
Author
[email protected]
Date
2020-02-03 19:09:42 -0800 (Mon, 03 Feb 2020)

Log Message

Cherry-pick r255380. rdar://problem/59004377

    Fix small memory regression caused by r206365
    https://bugs.webkit.org/show_bug.cgi?id=206557

    Reviewed by Yusuke Suzuki.

    Fold StructureRareData::m_giveUpOnObjectToStringValueCache into m_objectToStringValue to avoid increasing StructureRareData's size. We reserve a special pointer value,
    objectToStringCacheGiveUpMarker(), to signal that we should not cache the string value. As a result, adding m_transitionOffset does not increase the size of the class.

    * runtime/Structure.h:
    * runtime/StructureRareData.cpp:
    (JSC::StructureRareData::StructureRareData):
    (JSC::StructureRareData::visitChildren):
    (JSC::StructureRareData::setObjectToStringValue):
    (JSC::StructureRareData::clearObjectToStringValue):
    * runtime/StructureRareData.h:
    * runtime/StructureRareDataInlines.h:
    (JSC::StructureRareData::objectToStringValue const):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@255380 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-610.1.1-branch/Source/_javascript_Core/ChangeLog (255648 => 255649)


--- branches/safari-610.1.1-branch/Source/_javascript_Core/ChangeLog	2020-02-04 03:09:39 UTC (rev 255648)
+++ branches/safari-610.1.1-branch/Source/_javascript_Core/ChangeLog	2020-02-04 03:09:42 UTC (rev 255649)
@@ -1,5 +1,50 @@
 2020-02-03  Alan Coon  <[email protected]>
 
+        Cherry-pick r255380. rdar://problem/59004377
+
+    Fix small memory regression caused by r206365
+    https://bugs.webkit.org/show_bug.cgi?id=206557
+    
+    Reviewed by Yusuke Suzuki.
+    
+    Put StructureRareData::m_giveUpOnObjectToStringValueCache into m_objectToStringValue to prevent increasing StructureRareData's size. We make a special value for the pointer
+    objectToStringCacheGiveUpMarker() to signal that we should not cache the string value. As a result, adding m_transitionOffset does not increase the size of the class.
+    
+    * runtime/Structure.h:
+    * runtime/StructureRareData.cpp:
+    (JSC::StructureRareData::StructureRareData):
+    (JSC::StructureRareData::visitChildren):
+    (JSC::StructureRareData::setObjectToStringValue):
+    (JSC::StructureRareData::clearObjectToStringValue):
+    * runtime/StructureRareData.h:
+    * runtime/StructureRareDataInlines.h:
+    (JSC::StructureRareData::objectToStringValue const):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@255380 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-01-29  Justin Michaud  <[email protected]>
+
+            Fix small memory regression caused by r206365
+            https://bugs.webkit.org/show_bug.cgi?id=206557
+
+            Reviewed by Yusuke Suzuki.
+
+            Put StructureRareData::m_giveUpOnObjectToStringValueCache into m_objectToStringValue to prevent increasing StructureRareData's size. We make a special value for the pointer
+            objectToStringCacheGiveUpMarker() to signal that we should not cache the string value. As a result, adding m_transitionOffset does not increase the size of the class.
+
+            * runtime/Structure.h:
+            * runtime/StructureRareData.cpp:
+            (JSC::StructureRareData::StructureRareData):
+            (JSC::StructureRareData::visitChildren):
+            (JSC::StructureRareData::setObjectToStringValue):
+            (JSC::StructureRareData::clearObjectToStringValue):
+            * runtime/StructureRareData.h:
+            * runtime/StructureRareDataInlines.h:
+            (JSC::StructureRareData::objectToStringValue const):
+
+2020-02-03  Alan Coon  <[email protected]>
+
         Cherry-pick r254760. rdar://problem/59004377
 
     Separate storage of Structure::m_offset into transition and max offset

Modified: branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/Structure.h (255648 => 255649)


--- branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/Structure.h	2020-02-04 03:09:39 UTC (rev 255648)
+++ branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/Structure.h	2020-02-04 03:09:42 UTC (rev 255649)
@@ -123,6 +123,8 @@
 };
 
 class Structure final : public JSCell {
+    static constexpr uint16_t shortInvalidOffset = std::numeric_limits<uint16_t>::max() - 1;
+    static constexpr uint16_t useRareDataFlag = std::numeric_limits<uint16_t>::max();
 public:
     friend class StructureTransitionTable;
 
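Review bot: `shortInvalidOffset` and `useRareDataFlag` trade values as they move to the top of the class (`max() - 1` and `max()` here, against `max()` and `max() - 1` in the lines removed near line 824), and neither the log message nor the code says why. Both look like in-band sentinels for the `uint16_t` fields `m_transitionOffset` and `m_maxOffset`, so the encoding deserves a comment at the declaration, e.g. `// In-band sentinels for the uint16_t offset fields; the two values must stay distinct from each other and from every storable offset.` Whether anything outside this diff depends on the previous values cannot be told from the hunk.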
@@ -361,7 +363,7 @@
             return rareData()->m_maxOffset;
         return m_maxOffset;
     }
-    
+
     void setMaxOffset(VM& vm, PropertyOffset offset)
     {
         if (offset == invalidOffset)
@@ -824,9 +826,6 @@
 
     COMPILE_ASSERT(firstOutOfLineOffset < 256, firstOutOfLineOffset_fits);
 
-    static constexpr uint16_t shortInvalidOffset = std::numeric_limits<uint16_t>::max();
-    static constexpr uint16_t useRareDataFlag = std::numeric_limits<uint16_t>::max() - 1;
-
     uint16_t m_transitionOffset;
     uint16_t m_maxOffset;
 

Modified: branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/StructureRareData.cpp (255648 => 255649)


--- branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/StructureRareData.cpp	2020-02-04 03:09:39 UTC (rev 255648)
+++ branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/StructureRareData.cpp	2020-02-04 03:09:42 UTC (rev 255649)
@@ -57,7 +57,6 @@
 
 StructureRareData::StructureRareData(VM& vm, Structure* previous)
     : JSCell(vm, vm.structureRareDataStructure.get())
-    , m_giveUpOnObjectToStringValueCache(false)
     , m_maxOffset(invalidOffset)
     , m_transitionOffset(invalidOffset)
 {
@@ -72,7 +71,7 @@
 
     Base::visitChildren(thisObject, visitor);
     visitor.append(thisObject->m_previous);
-    visitor.append(thisObject->m_objectToStringValue);
+    visitor.appendUnbarriered(thisObject->objectToStringValue());
     visitor.append(thisObject->m_cachedPropertyNameEnumerator);
     auto* cachedOwnKeys = thisObject->m_cachedOwnKeys.unvalidatedGet();
     if (cachedOwnKeys != cachedOwnKeysSentinel())
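Review bot: The switch from `visitor.append(thisObject->m_objectToStringValue)` to `visitor.appendUnbarriered(thisObject->objectToStringValue())` is load-bearing but unexplained. The slot can now hold `objectToStringCacheGiveUpMarker()`, which is the integer 1 cast to `JSString*` and not a cell, and only the accessor maps it to `nullptr`. A comment above the call would keep a later cleanup from restoring the direct append and handing that value to the visitor, e.g. `// m_objectToStringValue may hold the give-up marker, which is not a cell; visit through the accessor.` visitChildren starts and ends outside this hunk.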
@@ -95,7 +94,7 @@
 
 void StructureRareData::setObjectToStringValue(JSGlobalObject* globalObject, VM& vm, Structure* ownStructure, JSString* value, PropertySlot toStringTagSymbolSlot)
 {
-    if (m_giveUpOnObjectToStringValueCache)
+    if (canCacheObjectToStringValue())
         return;
 
     ObjectPropertyConditionSet conditionSet;
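Review bot: `canCacheObjectToStringValue()` reads as the opposite of what it returns: as defined in StructureRareData.h it is true when the slot holds `objectToStringCacheGiveUpMarker()`, that is, when caching has been abandoned. The early return here and the `if (!canCacheObjectToStringValue())` guard in clearObjectToStringValue both match the old flag's behaviour, but only because the misleading name and the odd-looking conditions cancel out; a well-meant correction of either condition would clear or overwrite the marker. Renaming the helper, e.g. `bool hasGivenUpOnObjectToStringValueCache() const`, with `if (hasGivenUpOnObjectToStringValueCache()) return;` here and `if (!hasGivenUpOnObjectToStringValueCache()) m_objectToStringValue.clear();` in the clear path, would make the call sites say what they do. setObjectToStringValue continues outside this hunk.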
@@ -119,7 +118,7 @@
         return;
 
     if (!conditionSet.isValid()) {
-        m_giveUpOnObjectToStringValueCache = true;
+        giveUpOnObjectToStringValueCache();
         return;
     }
 
@@ -132,11 +131,11 @@
 
             // The equivalence condition won't be watchable if we have already seen a replacement.
             if (!equivCondition.isWatchable()) {
-                m_giveUpOnObjectToStringValueCache = true;
+                giveUpOnObjectToStringValueCache();
                 return;
             }
         } else if (!condition.isWatchable()) {
-            m_giveUpOnObjectToStringValueCache = true;
+            giveUpOnObjectToStringValueCache();
             return;
         }
     }
@@ -157,7 +156,8 @@
 {
     m_objectToStringAdaptiveWatchpointSet.clear();
     m_objectToStringAdaptiveInferredValueWatchpoint.reset();
-    m_objectToStringValue.clear();
+    if (!canCacheObjectToStringValue())
+        m_objectToStringValue.clear();
 }
 
 void StructureRareData::finalizeUnconditionally(VM& vm)

Modified: branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/StructureRareData.h (255648 => 255649)


--- branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/StructureRareData.h	2020-02-04 03:09:39 UTC (rev 255648)
+++ branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/StructureRareData.h	2020-02-04 03:09:42 UTC (rev 255649)
@@ -67,6 +67,9 @@
 
     JSString* objectToStringValue() const;
     void setObjectToStringValue(JSGlobalObject*, VM&, Structure* baseStructure, JSString* value, PropertySlot toStringTagSymbolSlot);
+    void giveUpOnObjectToStringValueCache() { m_objectToStringValue.setWithoutWriteBarrier(objectToStringCacheGiveUpMarker()); }
+    bool canCacheObjectToStringValue() { return m_objectToStringValue.unvalidatedGet() == objectToStringCacheGiveUpMarker(); }
+    static JSString* objectToStringCacheGiveUpMarker() { return bitwise_cast<JSString*>(static_cast<uintptr_t>(1)); }
 
     JSPropertyNameEnumerator* cachedPropertyNameEnumerator() const;
     void setCachedPropertyNameEnumerator(VM&, JSPropertyNameEnumerator*);
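Review bot: `giveUpOnObjectToStringValueCache()` stores a non-cell bit pattern (1) in `m_objectToStringValue` through `setWithoutWriteBarrier`, so the field may no longer be read as a plain cell pointer, and nothing at the declaration records that. A comment on these three helpers would state the invariant, e.g. `// m_objectToStringValue holds null, a JSString*, or objectToStringCacheGiveUpMarker() (not a cell); read it only via objectToStringValue().` Any direct reader of the field outside this diff, if one exists, would need the same filtering. `canCacheObjectToStringValue()` only reads the slot and could also be declared `const`.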
@@ -113,7 +116,6 @@
     Bag<ObjectToStringAdaptiveStructureWatchpoint> m_objectToStringAdaptiveWatchpointSet;
     std::unique_ptr<ObjectToStringAdaptiveInferredPropertyValueWatchpoint> m_objectToStringAdaptiveInferredValueWatchpoint;
     Box<InlineWatchpointSet> m_polyProtoWatchpoint;
-    bool m_giveUpOnObjectToStringValueCache;
 
     PropertyOffset m_maxOffset;
     PropertyOffset m_transitionOffset;

Modified: branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/StructureRareDataInlines.h (255648 => 255649)


--- branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/StructureRareDataInlines.h	2020-02-04 03:09:39 UTC (rev 255648)
+++ branches/safari-610.1.1-branch/Source/_javascript_Core/runtime/StructureRareDataInlines.h	2020-02-04 03:09:42 UTC (rev 255649)
@@ -44,7 +44,12 @@
 
 inline JSString* StructureRareData::objectToStringValue() const
 {
-    return m_objectToStringValue.get();
+    auto* value = m_objectToStringValue.unvalidatedGet();
+    if (value == objectToStringCacheGiveUpMarker())
+        return nullptr;
+    if (value)
+        validateCell(value);
+    return value;
 }
 
 inline JSPropertyNameEnumerator* StructureRareData::cachedPropertyNameEnumerator() const