Google Git
Sign in
webkit / WebKit / 00d9c36630c3b100532e86e2616da21d7c5e504a / . / Source / JavaScriptCore / runtime / Structure.cpp
blob: 0b03f31010652c596fd080b9e45dec5835e46335 [file] [log] [blame]
/*
* Copyright (C) 2008-2021 Apple Inc. All rights reserved.
* Copyright (C) 2020 Alexey Shvayka <shvaikalesh@gmail.com>.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "Structure.h"
#include "BrandedStructure.h"
#include "BuiltinNames.h"
#include "DumpContext.h"
#include "JSCInlines.h"
#include "PropertyNameArray.h"
#include "PropertyTable.h"
#include <wtf/CommaPrinter.h>
#include <wtf/NeverDestroyed.h>
#include <wtf/RefPtr.h>
#define DUMP_STRUCTURE_ID_STATISTICS 0
namespace JSC {
#if DUMP_STRUCTURE_ID_STATISTICS
static HashSet<Structure*>& liveStructureSet = *(new HashSet<Structure*>);
#endif
class SingleSlotTransitionWeakOwner final : public WeakHandleOwner {
void finalize(Handle<Unknown>, void* context) final
{
StructureTransitionTable* table = reinterpret_cast<StructureTransitionTable*>(context);
ASSERT(table->isUsingSingleSlot());
WeakSet::deallocate(table->weakImpl());
table->m_data = StructureTransitionTable::UsingSingleSlotFlag;
}
};
static SingleSlotTransitionWeakOwner& singleSlotTransitionWeakOwner()
{
static NeverDestroyed<SingleSlotTransitionWeakOwner> owner;
return owner;
}
inline void StructureTransitionTable::setSingleTransition(Structure* structure)
{
ASSERT(isUsingSingleSlot());
if (WeakImpl* impl = this->weakImpl())
WeakSet::deallocate(impl);
WeakImpl* impl = WeakSet::allocate(structure, &singleSlotTransitionWeakOwner(), this);
m_data = bitwise_cast<intptr_t>(impl) | UsingSingleSlotFlag;
}
bool StructureTransitionTable::contains(UniquedStringImpl* rep, unsigned attributes, TransitionKind transitionKind) const
{
if (isUsingSingleSlot()) {
Structure* transition = singleTransition();
return transition && transition->m_transitionPropertyName == rep && transition->transitionPropertyAttributes() == attributes && transition->transitionKind() == transitionKind;
}
return map()->get(StructureTransitionTable::Hash::Key(rep, attributes, transitionKind));
}
void StructureTransitionTable::add(VM& vm, Structure* structure)
{
if (isUsingSingleSlot()) {
Structure* existingTransition = singleTransition();
// This handles the first transition being added.
if (!existingTransition) {
setSingleTransition(structure);
return;
}
// This handles the second transition being added
// (or the first transition being despecified!)
setMap(new TransitionMap(vm));
add(vm, existingTransition);
}
// Add the structure to the map.
map()->set(StructureTransitionTable::Hash::Key(structure->m_transitionPropertyName.get(), structure->transitionPropertyAttributes(), structure->transitionKind()), structure);
}
void Structure::dumpStatistics()
{
#if DUMP_STRUCTURE_ID_STATISTICS
unsigned numberLeaf = 0;
unsigned numberUsingSingleSlot = 0;
unsigned numberSingletons = 0;
unsigned numberWithPropertyMaps = 0;
unsigned totalPropertyMapsSize = 0;
HashSet<Structure*>::const_iterator end = liveStructureSet.end();
for (HashSet<Structure*>::const_iterator it = liveStructureSet.begin(); it != end; ++it) {
Structure* structure = *it;
switch (structure->m_transitionTable.size()) {
case 0:
++numberLeaf;
if (!structure->previousID())
++numberSingletons;
break;
case 1:
++numberUsingSingleSlot;
break;
}
if (PropertyTable* table = structure->propertyTableOrNull()) {
++numberWithPropertyMaps;
totalPropertyMapsSize += table->sizeInMemory();
}
}
dataLogF("Number of live Structures: %d\n", liveStructureSet.size());
dataLogF("Number of Structures using the single item optimization for transition map: %d\n", numberUsingSingleSlot);
dataLogF("Number of Structures that are leaf nodes: %d\n", numberLeaf);
dataLogF("Number of Structures that singletons: %d\n", numberSingletons);
dataLogF("Number of Structures with PropertyMaps: %d\n", numberWithPropertyMaps);
dataLogF("Size of a single Structures: %d\n", static_cast<unsigned>(sizeof(Structure)));
dataLogF("Size of sum of all property maps: %d\n", totalPropertyMapsSize);
dataLogF("Size of average of all property maps: %f\n", static_cast<double>(totalPropertyMapsSize) / static_cast<double>(liveStructureSet.size()));
#else
dataLogF("Dumping Structure statistics is not enabled.\n");
#endif
}
#if ASSERT_ENABLED
void Structure::validateFlags()
{
const MethodTable& methodTable = m_classInfo->methodTable;
bool overridesGetCallData = methodTable.getCallData != JSCell::getCallData;
RELEASE_ASSERT(overridesGetCallData == typeInfo().overridesGetCallData());
bool overridesGetOwnPropertySlot =
methodTable.getOwnPropertySlot != JSObject::getOwnPropertySlot
&& methodTable.getOwnPropertySlot != JSCell::getOwnPropertySlot;
// We can strengthen this into an equivalence test if there are no classes
// that specifies this flag without overriding getOwnPropertySlot.
// FIXME: https://bugs.webkit.org/show_bug.cgi?id=212956
if (overridesGetOwnPropertySlot)
RELEASE_ASSERT(typeInfo().overridesGetOwnPropertySlot());
bool overridesGetOwnPropertySlotByIndex =
methodTable.getOwnPropertySlotByIndex != JSObject::getOwnPropertySlotByIndex
&& methodTable.getOwnPropertySlotByIndex != JSCell::getOwnPropertySlotByIndex;
// We can strengthen this into an equivalence test if there are no classes
// that specifies this flag without overriding getOwnPropertySlotByIndex.
// FIXME: https://bugs.webkit.org/show_bug.cgi?id=212958
if (overridesGetOwnPropertySlotByIndex)
RELEASE_ASSERT(typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero());
bool overridesGetOwnPropertyNames =
methodTable.getOwnPropertyNames != JSObject::getOwnPropertyNames
&& methodTable.getOwnPropertyNames != JSCell::getOwnPropertyNames;
RELEASE_ASSERT(overridesGetOwnPropertyNames == typeInfo().overridesGetOwnPropertyNames());
bool overridesGetOwnSpecialPropertyNames =
methodTable.getOwnSpecialPropertyNames != JSObject::getOwnSpecialPropertyNames
&& methodTable.getOwnSpecialPropertyNames != JSCell::getOwnSpecialPropertyNames;
RELEASE_ASSERT(overridesGetOwnSpecialPropertyNames == typeInfo().overridesGetOwnSpecialPropertyNames());
bool overridesGetPrototype =
methodTable.getPrototype != static_cast<MethodTable::GetPrototypeFunctionPtr>(JSObject::getPrototype)
&& methodTable.getPrototype != JSCell::getPrototype;
RELEASE_ASSERT(overridesGetPrototype == typeInfo().overridesGetPrototype());
bool overridesPut =
methodTable.put != JSObject::put
&& methodTable.put != JSCell::put;
RELEASE_ASSERT(overridesPut == typeInfo().overridesPut());
}
#else
inline void Structure::validateFlags() { }
#endif
Structure::Structure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
: JSCell(vm, vm.structureStructure.get())
, m_blob(vm.heap.structureIDTable().allocateID(this), indexingType, typeInfo)
, m_outOfLineTypeFlags(typeInfo.outOfLineTypeFlags())
, m_inlineCapacity(inlineCapacity)
, m_bitField(0)
, m_globalObject(vm, this, globalObject, WriteBarrier<JSGlobalObject>::MayBeNull)
, m_prototype(vm, this, prototype)
, m_classInfo(classInfo)
, m_transitionWatchpointSet(IsWatched)
, m_propertyHash(0)
{
setDictionaryKind(NoneDictionaryKind);
setIsPinnedPropertyTable(false);
setHasGetterSetterProperties(classInfo->hasStaticSetterOrReadonlyProperties());
setHasCustomGetterSetterProperties(false);
setHasReadOnlyOrGetterSetterPropertiesExcludingProto(classInfo->hasStaticSetterOrReadonlyProperties());
setHasUnderscoreProtoPropertyExcludingOriginalProto(false);
setIsQuickPropertyAccessAllowedForEnumeration(true);
setTransitionPropertyAttributes(0);
setTransitionKind(TransitionKind::Unknown);
setDidPreventExtensions(false);
setDidTransition(false);
setStaticPropertiesReified(false);
setTransitionWatchpointIsLikelyToBeFired(false);
setHasBeenDictionary(false);
setProtectPropertyTableWhileTransitioning(false);
setTransitionOffset(vm, invalidOffset);
setMaxOffset(vm, invalidOffset);
ASSERT(inlineCapacity <= JSFinalObject::maxInlineCapacity());
ASSERT(static_cast<PropertyOffset>(inlineCapacity) < firstOutOfLineOffset);
ASSERT(!hasRareData());
ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() == m_classInfo->hasStaticSetterOrReadonlyProperties());
ASSERT(hasGetterSetterProperties() == m_classInfo->hasStaticSetterOrReadonlyProperties());
validateFlags();
}
const ClassInfo Structure::s_info = { "Structure", nullptr, nullptr, nullptr, CREATE_METHOD_TABLE(Structure) };
Structure::Structure(VM& vm, CreatingEarlyCellTag)
: JSCell(CreatingEarlyCell)
, m_inlineCapacity(0)
, m_bitField(0)
, m_prototype(vm, this, jsNull())
, m_classInfo(info())
, m_transitionWatchpointSet(IsWatched)
, m_propertyHash(0)
{
setDictionaryKind(NoneDictionaryKind);
setIsPinnedPropertyTable(false);
setHasGetterSetterProperties(m_classInfo->hasStaticSetterOrReadonlyProperties());
setHasCustomGetterSetterProperties(false);
setHasReadOnlyOrGetterSetterPropertiesExcludingProto(m_classInfo->hasStaticSetterOrReadonlyProperties());
setHasUnderscoreProtoPropertyExcludingOriginalProto(false);
setIsQuickPropertyAccessAllowedForEnumeration(true);
setTransitionPropertyAttributes(0);
setTransitionKind(TransitionKind::Unknown);
setDidPreventExtensions(false);
setDidTransition(false);
setStaticPropertiesReified(false);
setTransitionWatchpointIsLikelyToBeFired(false);
setHasBeenDictionary(false);
setProtectPropertyTableWhileTransitioning(false);
setTransitionOffset(vm, invalidOffset);
setMaxOffset(vm, invalidOffset);
TypeInfo typeInfo = TypeInfo(StructureType, StructureFlags);
m_blob = StructureIDBlob(vm.heap.structureIDTable().allocateID(this), 0, typeInfo);
m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags();
ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties());
ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties());
ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData);
}
Structure::Structure(VM& vm, Structure* previous, DeferredStructureTransitionWatchpointFire* deferred)
: JSCell(vm, vm.structureStructure.get())
, m_inlineCapacity(previous->m_inlineCapacity)
, m_bitField(0)
, m_prototype(vm, this, previous->m_prototype.get())
, m_classInfo(previous->m_classInfo)
, m_transitionWatchpointSet(IsWatched)
, m_propertyHash(previous->m_propertyHash)
, m_seenProperties(previous->m_seenProperties)
{
setDictionaryKind(previous->dictionaryKind());
setIsPinnedPropertyTable(false);
setHasBeenFlattenedBefore(previous->hasBeenFlattenedBefore());
setHasGetterSetterProperties(previous->hasGetterSetterProperties());
setHasCustomGetterSetterProperties(previous->hasCustomGetterSetterProperties());
setHasReadOnlyOrGetterSetterPropertiesExcludingProto(previous->hasReadOnlyOrGetterSetterPropertiesExcludingProto());
setHasUnderscoreProtoPropertyExcludingOriginalProto(previous->hasUnderscoreProtoPropertyExcludingOriginalProto());
setIsQuickPropertyAccessAllowedForEnumeration(previous->isQuickPropertyAccessAllowedForEnumeration());
setTransitionPropertyAttributes(0);
setTransitionKind(TransitionKind::Unknown);
setDidPreventExtensions(previous->didPreventExtensions());
setDidTransition(true);
setStaticPropertiesReified(previous->staticPropertiesReified());
setHasBeenDictionary(previous->hasBeenDictionary());
setProtectPropertyTableWhileTransitioning(false);
setTransitionOffset(vm, invalidOffset);
setMaxOffset(vm, invalidOffset);
TypeInfo typeInfo = previous->typeInfo();
m_blob = StructureIDBlob(vm.heap.structureIDTable().allocateID(this), previous->indexingModeIncludingHistory(), typeInfo);
m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags();
ASSERT(!previous->typeInfo().structureIsImmortal());
setPreviousID(vm, previous);
previous->didTransitionFromThisStructure(deferred);
// Copy this bit now, in case previous was being watched.
setTransitionWatchpointIsLikelyToBeFired(previous->transitionWatchpointIsLikelyToBeFired());
if (previous->m_globalObject)
m_globalObject.set(vm, this, previous->m_globalObject.get());
ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties());
ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties());
ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData);
}
Structure::~Structure()
{
if (typeInfo().structureIsImmortal())
return;
if (isBrandedStructure())
static_cast<BrandedStructure*>(this)->destruct();
Heap::heap(this)->structureIDTable().deallocateID(this, m_blob.structureID());
}
void Structure::destroy(JSCell* cell)
{
static_cast<Structure*>(cell)->Structure::~Structure();
}
Structure* Structure::create(PolyProtoTag, VM& vm, JSGlobalObject* globalObject, JSObject* prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
{
Structure* result = create(vm, globalObject, prototype, typeInfo, classInfo, indexingType, inlineCapacity);
unsigned oldOutOfLineCapacity = result->outOfLineCapacity();
result->addPropertyWithoutTransition(
vm, vm.propertyNames->builtinNames().polyProtoName(), static_cast<unsigned>(PropertyAttribute::DontEnum),
[&] (const GCSafeConcurrentJSLocker&, PropertyOffset offset, PropertyOffset newMaxOffset) {
RELEASE_ASSERT(Structure::outOfLineCapacity(newMaxOffset) == oldOutOfLineCapacity);
RELEASE_ASSERT(offset == knownPolyProtoOffset);
RELEASE_ASSERT(isInlineOffset(knownPolyProtoOffset));
result->m_prototype.setWithoutWriteBarrier(JSValue());
result->setMaxOffset(vm, newMaxOffset);
});
ASSERT(result->type() == StructureType);
return result;
}
bool Structure::isValidPrototype(JSValue prototype)
{
return prototype.isNull() || (prototype.isObject() && prototype.getObject()->mayBePrototype());
}
bool Structure::findStructuresAndMapForMaterialization(Vector<Structure*, 8>& structures, Structure*& structure, PropertyTable*& table)
{
ASSERT(structures.isEmpty());
table = nullptr;
for (structure = this; structure; structure = structure->previousID()) {
structure->m_lock.lock();
table = structure->propertyTableOrNull();
if (table) {
// Leave the structure locked, so that the caller can do things to it atomically
// before it loses its property table.
return true;
}
structures.append(structure);
structure->m_lock.unlock();
}
ASSERT(!structure);
ASSERT(!table);
return false;
}
PropertyTable* Structure::materializePropertyTable(VM& vm, bool setPropertyTable)
{
ASSERT(structure(vm)->classInfo() == info());
ASSERT(!protectPropertyTableWhileTransitioning());
DeferGC deferGC(vm);
Vector<Structure*, 8> structures;
Structure* structure;
PropertyTable* table;
bool didFindStructure = findStructuresAndMapForMaterialization(structures, structure, table);
unsigned capacity = numberOfSlotsForMaxOffset(maxOffset(), m_inlineCapacity);
if (didFindStructure) {
table = table->copy(vm, capacity);
structure->m_lock.unlock();
} else
table = PropertyTable::create(vm, capacity);
// Must hold the lock on this structure, since we will be modifying this structure's
// property map. We don't want getConcurrently() to see the property map in a half-baked
// state.
GCSafeConcurrentJSLocker locker(m_lock, vm);
if (setPropertyTable)
this->setPropertyTable(vm, table);
for (size_t i = structures.size(); i--;) {
structure = structures[i];
if (!structure->m_transitionPropertyName || structure->transitionKind() == TransitionKind::SetBrand)
continue;
switch (structure->transitionKind()) {
case TransitionKind::PropertyAddition: {
PropertyMapEntry entry(structure->m_transitionPropertyName.get(), structure->transitionOffset(), structure->transitionPropertyAttributes());
auto nextOffset = table->nextOffset(structure->inlineCapacity());
ASSERT_UNUSED(nextOffset, nextOffset == structure->transitionOffset());
auto result = table->add(vm, entry);
ASSERT_UNUSED(result, result.second);
ASSERT_UNUSED(result, result.first.first->offset == nextOffset);
break;
}
case TransitionKind::PropertyDeletion: {
auto item = table->find(structure->m_transitionPropertyName.get());
ASSERT(item.first);
table->remove(vm, item);
table->addDeletedOffset(structure->transitionOffset());
break;
}
case TransitionKind::PropertyAttributeChange: {
PropertyMapEntry* entry = table->get(structure->m_transitionPropertyName.get());
entry->attributes = structure->transitionPropertyAttributes();
ASSERT(entry->offset == structure->transitionOffset());
break;
}
default:
ASSERT_NOT_REACHED();
break;
}
}
checkOffsetConsistency(
table,
[&] () {
dataLog("Detected in materializePropertyTable.\n");
dataLog("Found structure = ", RawPointer(structure), "\n");
dataLog("structures = ");
CommaPrinter comma;
for (Structure* structure : structures)
dataLog(comma, RawPointer(structure));
dataLog("\n");
});
return table;
}
bool Structure::holesMustForwardToPrototype(VM& vm, JSObject* base) const
{
ASSERT(base->structure(vm) == this);
if (this->mayInterceptIndexedAccesses())
return true;
JSValue prototype = this->storedPrototype(base);
if (!prototype.isObject())
return false;
JSObject* object = asObject(prototype);
while (true) {
Structure& structure = *object->structure(vm);
if (hasIndexedProperties(object->indexingType()) || structure.mayInterceptIndexedAccesses())
return true;
prototype = structure.storedPrototype(object);
if (!prototype.isObject())
return false;
object = asObject(prototype);
}
RELEASE_ASSERT_NOT_REACHED();
return false;
}
Structure* Structure::addPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes, PropertyOffset& offset)
{
Structure* newStructure = addPropertyTransitionToExistingStructure(structure, propertyName, attributes, offset);
if (newStructure)
return newStructure;
return addNewPropertyTransition(
vm, structure, propertyName, attributes, offset, PutPropertySlot::UnknownContext);
}
Structure* Structure::addNewPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes, PropertyOffset& offset, PutPropertySlot::Context context, DeferredStructureTransitionWatchpointFire* deferred)
{
ASSERT(!structure->isDictionary());
ASSERT(structure->isObject());
ASSERT(!Structure::addPropertyTransitionToExistingStructure(structure, propertyName, attributes, offset));
int maxTransitionLength;
if (context == PutPropertySlot::PutById)
maxTransitionLength = s_maxTransitionLengthForNonEvalPutById;
else
maxTransitionLength = s_maxTransitionLength;
if (structure->transitionCountEstimate() > maxTransitionLength) {
ASSERT(!isCopyOnWrite(structure->indexingMode()));
Structure* transition = toCacheableDictionaryTransition(vm, structure, deferred);
ASSERT(structure != transition);
offset = transition->add(vm, propertyName, attributes);
return transition;
}
Structure* transition = create(vm, structure, deferred);
transition->m_cachedPrototypeChain.setMayBeNull(vm, transition, structure->m_cachedPrototypeChain.get());
// While we are adding the property, rematerializing the property table is super weird: we already
// have a m_transitionPropertyName and transitionPropertyAttributes but the m_transitionOffset is still wrong. If the
// materialization algorithm runs, it'll build a property table that already has the property but
// at a bogus offset. Rather than try to teach the materialization code how to create a table under
// those conditions, we just tell the GC not to blow the table away during this period of time.
// Holding the lock ensures that we either do this before the GC starts scanning the structure, in
// which case the GC will not blow the table away, or we do it after the GC already ran in which
// case all is well. If it wasn't for the lock, the GC would have TOCTOU: if could read
// protectPropertyTableWhileTransitioning before we set it to true, and then blow the table away after.
{
ConcurrentJSLocker locker(transition->m_lock);
transition->setProtectPropertyTableWhileTransitioning(true);
}
transition->m_blob.setIndexingModeIncludingHistory(structure->indexingModeIncludingHistory() & ~CopyOnWrite);
transition->m_transitionPropertyName = propertyName.uid();
transition->setTransitionPropertyAttributes(attributes);
transition->setTransitionKind(TransitionKind::PropertyAddition);
transition->setPropertyTable(vm, structure->takePropertyTableOrCloneIfPinned(vm));
transition->setMaxOffset(vm, structure->maxOffset());
offset = transition->add(vm, propertyName, attributes);
transition->setTransitionOffset(vm, offset);
// Now that everything is fine with the new structure's bookkeeping, the GC is free to blow the
// table away if it wants. We can now rebuild it fine.
WTF::storeStoreFence();
transition->setProtectPropertyTableWhileTransitioning(false);
checkOffset(transition->transitionOffset(), transition->inlineCapacity());
if (!structure->hasBeenDictionary()) {
GCSafeConcurrentJSLocker locker(structure->m_lock, vm);
structure->m_transitionTable.add(vm, transition);
}
transition->checkOffsetConsistency();
structure->checkOffsetConsistency();
return transition;
}
Structure* Structure::removePropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, PropertyOffset& offset, DeferredStructureTransitionWatchpointFire* deferred)
{
Structure* newStructure = removePropertyTransitionFromExistingStructure(structure, propertyName, offset);
if (newStructure)
return newStructure;
return removeNewPropertyTransition(
vm, structure, propertyName, offset, deferred);
}
Structure* Structure::removePropertyTransitionFromExistingStructureImpl(Structure* structure, PropertyName propertyName, unsigned attributes, PropertyOffset& offset)
{
ASSERT(!structure->isUncacheableDictionary());
ASSERT(structure->isObject());
offset = invalidOffset;
if (structure->hasBeenDictionary())
return nullptr;
if (Structure* existingTransition = structure->m_transitionTable.get(propertyName.uid(), attributes, TransitionKind::PropertyDeletion)) {
validateOffset(existingTransition->transitionOffset(), existingTransition->inlineCapacity());
offset = existingTransition->transitionOffset();
return existingTransition;
}
return nullptr;
}
Structure* Structure::removePropertyTransitionFromExistingStructure(Structure* structure, PropertyName propertyName, PropertyOffset& offset)
{
ASSERT(!isCompilationThread());
unsigned attributes = 0;
if (structure->getConcurrently(propertyName.uid(), attributes) == invalidOffset)
return nullptr;
return removePropertyTransitionFromExistingStructureImpl(structure, propertyName, attributes, offset);
}
Structure* Structure::removePropertyTransitionFromExistingStructureConcurrently(Structure* structure, PropertyName propertyName, PropertyOffset& offset)
{
unsigned attributes = 0;
if (structure->getConcurrently(propertyName.uid(), attributes) == invalidOffset)
return nullptr;
ConcurrentJSLocker locker(structure->m_lock);
return removePropertyTransitionFromExistingStructureImpl(structure, propertyName, attributes, offset);
}
Structure* Structure::removeNewPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, PropertyOffset& offset, DeferredStructureTransitionWatchpointFire* deferred)
{
ASSERT(!isCompilationThread());
ASSERT(!structure->isUncacheableDictionary());
ASSERT(structure->isObject());
ASSERT(!Structure::removePropertyTransitionFromExistingStructure(structure, propertyName, offset));
ASSERT(structure->getConcurrently(propertyName.uid()) != invalidOffset);
if (structure->transitionCountHasOverflowed()) {
ASSERT(!isCopyOnWrite(structure->indexingMode()));
Structure* transition = toUncacheableDictionaryTransition(vm, structure, deferred);
ASSERT(structure != transition);
offset = transition->remove(vm, propertyName);
return transition;
}
Structure* transition = create(vm, structure, deferred);
transition->m_cachedPrototypeChain.setMayBeNull(vm, transition, structure->m_cachedPrototypeChain.get());
// While we are deleting the property, we need to make sure the table is not cleared.
{
ConcurrentJSLocker locker(transition->m_lock);
transition->setProtectPropertyTableWhileTransitioning(true);
}
transition->m_blob.setIndexingModeIncludingHistory(structure->indexingModeIncludingHistory() & ~CopyOnWrite);
transition->m_transitionPropertyName = propertyName.uid();
transition->setTransitionKind(TransitionKind::PropertyDeletion);
transition->setPropertyTable(vm, structure->takePropertyTableOrCloneIfPinned(vm));
transition->setMaxOffset(vm, structure->maxOffset());
offset = transition->remove(vm, propertyName);
ASSERT(offset != invalidOffset);
transition->setTransitionOffset(vm, offset);
// Now that everything is fine with the new structure's bookkeeping, the GC is free to blow the
// table away if it wants. We can now rebuild it fine.
WTF::storeStoreFence();
transition->setProtectPropertyTableWhileTransitioning(false);
checkOffset(transition->transitionOffset(), transition->inlineCapacity());
if (!structure->hasBeenDictionary()) {
GCSafeConcurrentJSLocker locker(structure->m_lock, vm);
structure->m_transitionTable.add(vm, transition);
}
transition->checkOffsetConsistency();
structure->checkOffsetConsistency();
return transition;
}
Structure* Structure::changePrototypeTransition(VM& vm, Structure* structure, JSValue prototype, DeferredStructureTransitionWatchpointFire& deferred)
{
ASSERT(isValidPrototype(prototype));
DeferGC deferGC(vm);
Structure* transition = create(vm, structure, &deferred);
transition->m_prototype.set(vm, transition, prototype);
PropertyTable* table = structure->copyPropertyTableForPinning(vm);
transition->pin(Locker { transition->m_lock }, vm, table);
transition->setMaxOffset(vm, structure->maxOffset());
transition->checkOffsetConsistency();
return transition;
}
Structure* Structure::attributeChangeTransitionToExistingStructure(Structure* structure, PropertyName propertyName, unsigned attributes, PropertyOffset& offset)
{
ASSERT(structure->isObject());
offset = invalidOffset;
if (structure->hasBeenDictionary())
return nullptr;
if (Structure* existingTransition = structure->m_transitionTable.get(propertyName.uid(), attributes, TransitionKind::PropertyAttributeChange)) {
validateOffset(existingTransition->transitionOffset(), existingTransition->inlineCapacity());
offset = existingTransition->transitionOffset();
return existingTransition;
}
return nullptr;
}
Structure* Structure::attributeChangeTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes, DeferredStructureTransitionWatchpointFire* deferred)
{
if (structure->isUncacheableDictionary()) {
structure->attributeChangeWithoutTransition(vm, propertyName, attributes, [](const GCSafeConcurrentJSLocker&, PropertyOffset, PropertyOffset) { });
structure->checkOffsetConsistency();
return structure;
}
ASSERT(!structure->isUncacheableDictionary());
PropertyOffset offset = invalidOffset;
if (Structure* existingTransition = attributeChangeTransitionToExistingStructure(structure, propertyName, attributes, offset)) {
validateOffset(existingTransition->transitionOffset(), existingTransition->inlineCapacity());
existingTransition->checkOffsetConsistency();
return existingTransition;
}
if (structure->transitionCountHasOverflowed()) {
ASSERT(!isCopyOnWrite(structure->indexingMode()));
Structure* transition = toUncacheableDictionaryTransition(vm, structure, deferred);
ASSERT(structure != transition);
transition->attributeChange(vm, propertyName, attributes);
return transition;
}
// Even if the current structure is dictionary, we should perform transition since this changes attributes of existing properties to keep
// structure still cacheable.
Structure* transition = create(vm, structure);
transition->m_cachedPrototypeChain.setMayBeNull(vm, transition, structure->m_cachedPrototypeChain.get());
{
ConcurrentJSLocker locker(transition->m_lock);
transition->setProtectPropertyTableWhileTransitioning(true);
}
transition->m_blob.setIndexingModeIncludingHistory(structure->indexingModeIncludingHistory() & ~CopyOnWrite);
transition->m_transitionPropertyName = propertyName.uid();
transition->setTransitionPropertyAttributes(attributes);
transition->setTransitionKind(TransitionKind::PropertyAttributeChange);
transition->setPropertyTable(vm, structure->takePropertyTableOrCloneIfPinned(vm));
transition->setMaxOffset(vm, structure->maxOffset());
offset = transition->attributeChange(vm, propertyName, attributes);
transition->setTransitionOffset(vm, offset);
// Now that everything is fine with the new structure's bookkeeping, the GC is free to blow the
// table away if it wants. We can now rebuild it fine.
WTF::storeStoreFence();
transition->setProtectPropertyTableWhileTransitioning(false);
checkOffset(transition->transitionOffset(), transition->inlineCapacity());
if (!structure->hasBeenDictionary()) {
GCSafeConcurrentJSLocker locker(structure->m_lock, vm);
structure->m_transitionTable.add(vm, transition);
}
transition->checkOffsetConsistency();
structure->checkOffsetConsistency();
return transition;
}
Structure* Structure::toDictionaryTransition(VM& vm, Structure* structure, DictionaryKind kind, DeferredStructureTransitionWatchpointFire* deferred)
{
ASSERT(!structure->isUncacheableDictionary());
DeferGC deferGC(vm);
Structure* transition = create(vm, structure, deferred);
PropertyTable* table = structure->copyPropertyTableForPinning(vm);
transition->pin(Locker { transition->m_lock }, vm, table);
transition->setMaxOffset(vm, structure->maxOffset());
transition->setDictionaryKind(kind);
transition->setHasBeenDictionary(true);
transition->checkOffsetConsistency();
return transition;
}
Structure* Structure::toCacheableDictionaryTransition(VM& vm, Structure* structure, DeferredStructureTransitionWatchpointFire* deferred)
{
return toDictionaryTransition(vm, structure, CachedDictionaryKind, deferred);
}
Structure* Structure::toUncacheableDictionaryTransition(VM& vm, Structure* structure, DeferredStructureTransitionWatchpointFire* deferred)
{
return toDictionaryTransition(vm, structure, UncachedDictionaryKind, deferred);
}
Structure* Structure::sealTransition(VM& vm, Structure* structure)
{
return nonPropertyTransition(vm, structure, TransitionKind::Seal);
}
Structure* Structure::freezeTransition(VM& vm, Structure* structure)
{
return nonPropertyTransition(vm, structure, TransitionKind::Freeze);
}
Structure* Structure::preventExtensionsTransition(VM& vm, Structure* structure)
{
return nonPropertyTransition(vm, structure, TransitionKind::PreventExtensions);
}
PropertyTable* Structure::takePropertyTableOrCloneIfPinned(VM& vm)
{
// This must always return a property table. It can't return null.
PropertyTable* result = propertyTableOrNull();
if (result) {
if (isPinnedPropertyTable())
return result->copy(vm, result->size() + 1);
ConcurrentJSLocker locker(m_lock);
setPropertyTable(vm, nullptr);
return result;
}
bool setPropertyTable = false;
return materializePropertyTable(vm, setPropertyTable);
}
Structure* Structure::nonPropertyTransitionSlow(VM& vm, Structure* structure, TransitionKind transitionKind)
{
IndexingType indexingModeIncludingHistory = newIndexingType(structure->indexingModeIncludingHistory(), transitionKind);
if (!structure->isDictionary()) {
if (Structure* existingTransition = structure->m_transitionTable.get(nullptr, 0, transitionKind)) {
ASSERT(existingTransition->transitionKind() == transitionKind);
ASSERT(existingTransition->indexingModeIncludingHistory() == indexingModeIncludingHistory);
return existingTransition;
}
}
DeferGC deferGC(vm);
Structure* transition = create(vm, structure);
transition->setTransitionKind(transitionKind);
transition->m_blob.setIndexingModeIncludingHistory(indexingModeIncludingHistory);
if (preventsExtensions(transitionKind))
transition->setDidPreventExtensions(true);
if (setsDontDeleteOnAllProperties(transitionKind)
|| setsReadOnlyOnNonAccessorProperties(transitionKind)) {
// We pin the property table on transitions that do wholesale editing of the property
// table, since our logic for walking the property transition chain to rematerialize the
// table doesn't know how to take into account such wholesale edits.
PropertyTable* table = structure->copyPropertyTableForPinning(vm);
transition->pinForCaching(Locker { transition->m_lock }, vm, table);
transition->setMaxOffset(vm, structure->maxOffset());
table = transition->propertyTableOrNull();
RELEASE_ASSERT(table);
for (auto& entry : *table) {
if (setsDontDeleteOnAllProperties(transitionKind))
entry.attributes |= static_cast<unsigned>(PropertyAttribute::DontDelete);
if (setsReadOnlyOnNonAccessorProperties(transitionKind) && !(entry.attributes & PropertyAttribute::Accessor))
entry.attributes |= static_cast<unsigned>(PropertyAttribute::ReadOnly);
}
} else {
transition->setPropertyTable(vm, structure->takePropertyTableOrCloneIfPinned(vm));
transition->setMaxOffset(vm, structure->maxOffset());
checkOffset(transition->maxOffset(), transition->inlineCapacity());
}
if (setsReadOnlyOnNonAccessorProperties(transitionKind)
&& !transition->propertyTableOrNull()->isEmpty())
transition->setHasReadOnlyOrGetterSetterPropertiesExcludingProto(true);
if (structure->isDictionary()) {
PropertyTable* table = transition->ensurePropertyTable(vm);
transition->pin(Locker { transition->m_lock }, vm, table);
} else {
Locker locker { structure->m_lock };
structure->m_transitionTable.add(vm, transition);
}
transition->checkOffsetConsistency();
return transition;
}
// In future we may want to cache this property.
bool Structure::isSealed(VM& vm)
{
if (isStructureExtensible())
return false;
PropertyTable* table = ensurePropertyTableIfNotEmpty(vm);
if (!table)
return true;
PropertyTable::iterator end = table->end();
for (PropertyTable::iterator iter = table->begin(); iter != end; ++iter) {
if ((iter->attributes & PropertyAttribute::DontDelete) != static_cast<unsigned>(PropertyAttribute::DontDelete))
return false;
}
return true;
}
// In future we may want to cache this property.
bool Structure::isFrozen(VM& vm)
{
if (isStructureExtensible())
return false;
PropertyTable* table = ensurePropertyTableIfNotEmpty(vm);
if (!table)
return true;
PropertyTable::iterator end = table->end();
for (PropertyTable::iterator iter = table->begin(); iter != end; ++iter) {
if (!(iter->attributes & PropertyAttribute::DontDelete))
return false;
if (!(iter->attributes & (PropertyAttribute::ReadOnly | PropertyAttribute::Accessor)))
return false;
}
return true;
}
Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
{
checkOffsetConsistency();
ASSERT(isDictionary());
ASSERT(object->structure(vm) == this);
GCSafeConcurrentJSLocker locker(m_lock, vm);
object->setStructureIDDirectly(nuke(id()));
WTF::storeStoreFence();
size_t beforeOutOfLineCapacity = this->outOfLineCapacity();
if (isUncacheableDictionary()) {
PropertyTable* table = propertyTableOrNull();
ASSERT(table);
size_t propertyCount = table->size();
// Holds our values compacted by insertion order.
Vector<JSValue> values(propertyCount);
// Copies out our values from their hashed locations, compacting property table offsets as we go.
unsigned i = 0;
PropertyTable::iterator end = table->end();
auto offset = invalidOffset;
for (PropertyTable::iterator iter = table->begin(); iter != end; ++iter, ++i) {
values[i] = object->getDirect(iter->offset);
offset = iter->offset = offsetForPropertyNumber(i, m_inlineCapacity);
}
setMaxOffset(vm, offset);
ASSERT(transitionOffset() == invalidOffset);
// Copies in our values to their compacted locations.
for (unsigned i = 0; i < propertyCount; i++)
object->putDirect(vm, offsetForPropertyNumber(i, m_inlineCapacity), values[i]);
table->clearDeletedOffsets();
// We need to zero our unused property space; otherwise the GC might see a
// stale pointer when we add properties in the future.
gcSafeZeroMemory(
object->inlineStorageUnsafe() + inlineSize(),
(inlineCapacity() - inlineSize()) * sizeof(EncodedJSValue));
Butterfly* butterfly = object->butterfly();
size_t preCapacity = butterfly->indexingHeader()->preCapacity(this);
void* base = butterfly->base(preCapacity, beforeOutOfLineCapacity);
void* startOfPropertyStorageSlots = reinterpret_cast<EncodedJSValue*>(base) + preCapacity;
gcSafeZeroMemory(static_cast<JSValue*>(startOfPropertyStorageSlots), (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
checkOffsetConsistency();
}
setDictionaryKind(NoneDictionaryKind);
setHasBeenFlattenedBefore(true);
size_t afterOutOfLineCapacity = this->outOfLineCapacity();
if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) {
ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity);
// If the object had a Butterfly but after flattening/compacting we no longer have need of it,
// we need to zero it out because the collector depends on the Structure to know the size for copying.
if (!afterOutOfLineCapacity && !this->hasIndexingHeader(object))
object->setButterfly(vm, nullptr);
// If the object was down-sized to the point where the base of the Butterfly is no longer within the
// first CopiedBlock::blockSize bytes, we'll get the wrong answer if we try to mask the base back to
// the CopiedBlock header. To prevent this case we need to memmove the Butterfly down.
else
object->shiftButterflyAfterFlattening(locker, vm, this, afterOutOfLineCapacity);
}
WTF::storeStoreFence();
object->setStructureIDDirectly(id());
// We need to do a writebarrier here because the GC thread might be scanning the butterfly while
// we are shuffling properties around. See: https://bugs.webkit.org/show_bug.cgi?id=166989
vm.writeBarrier(object);
return this;
}
void Structure::pin(const AbstractLocker&, VM& vm, PropertyTable* table)
{
setIsPinnedPropertyTable(true);
setPropertyTable(vm, table);
clearPreviousID();
m_transitionPropertyName = nullptr;
}
void Structure::pinForCaching(const AbstractLocker&, VM& vm, PropertyTable* table)
{
setIsPinnedPropertyTable(true);
setPropertyTable(vm, table);
m_transitionPropertyName = nullptr;
}
void Structure::allocateRareData(VM& vm)
{
ASSERT(!hasRareData());
StructureRareData* rareData = StructureRareData::create(vm, previousID());
WTF::storeStoreFence();
m_previousOrRareData.set(vm, this, rareData);
ASSERT(hasRareData());
}
WatchpointSet* Structure::ensurePropertyReplacementWatchpointSet(VM& vm, PropertyOffset offset)
{
ASSERT(!isUncacheableDictionary());
// In some places it's convenient to call this with an invalid offset. So, we do the check here.
if (!isValidOffset(offset))
return nullptr;
if (!hasRareData())
allocateRareData(vm);
ConcurrentJSLocker locker(m_lock);
StructureRareData* rareData = this->rareData();
auto result = rareData->m_replacementWatchpointSets.add(offset, nullptr);
if (result.isNewEntry)
result.iterator->value = WatchpointSet::create(IsWatched);
return result.iterator->value.get();
}
void Structure::startWatchingPropertyForReplacements(VM& vm, PropertyName propertyName)
{
ASSERT(!isUncacheableDictionary());
startWatchingPropertyForReplacements(vm, get(vm, propertyName));
}
void Structure::didCachePropertyReplacement(VM& vm, PropertyOffset offset)
{
RELEASE_ASSERT(isValidOffset(offset));
ensurePropertyReplacementWatchpointSet(vm, offset)->fireAll(vm, "Did cache property replacement");
}
void Structure::startWatchingInternalProperties(VM& vm)
{
if (!isUncacheableDictionary()) {
startWatchingPropertyForReplacements(vm, vm.propertyNames->toString);
startWatchingPropertyForReplacements(vm, vm.propertyNames->valueOf);
}
setDidWatchInternalProperties(true);
}
#if DUMP_PROPERTYMAP_STATS
PropertyTableStats* propertyTableStats = 0;
struct PropertyTableStatisticsExitLogger {
PropertyTableStatisticsExitLogger();
~PropertyTableStatisticsExitLogger();
};
DEFINE_GLOBAL_FOR_LOGGING(PropertyTableStatisticsExitLogger, logger, { });
PropertyTableStatisticsExitLogger::PropertyTableStatisticsExitLogger()
{
propertyTableStats = adoptPtr(new PropertyTableStats()).leakPtr();
}
PropertyTableStatisticsExitLogger::~PropertyTableStatisticsExitLogger()
{
unsigned finds = propertyTableStats->numFinds;
unsigned collisions = propertyTableStats->numCollisions;
dataLogF("\nJSC::PropertyMap statistics for process %d\n\n", getCurrentProcessID());
dataLogF("%d finds\n", finds);
dataLogF("%d collisions (%.1f%%)\n", collisions, 100.0 * collisions / finds);
dataLogF("%d lookups\n", propertyTableStats->numLookups.load());
dataLogF("%d lookup probings\n", propertyTableStats->numLookupProbing.load());
dataLogF("%d adds\n", propertyTableStats->numAdds.load());
dataLogF("%d removes\n", propertyTableStats->numRemoves.load());
dataLogF("%d rehashes\n", propertyTableStats->numRehashes.load());
dataLogF("%d reinserts\n", propertyTableStats->numReinserts.load());
}
#endif
PropertyTable* Structure::copyPropertyTableForPinning(VM& vm)
{
if (PropertyTable* table = propertyTableOrNull())
return PropertyTable::clone(vm, *table);
bool setPropertyTable = false;
return materializePropertyTable(vm, setPropertyTable);
}
PropertyOffset Structure::getConcurrently(UniquedStringImpl* uid, unsigned& attributes)
{
Vector<Structure*, 8> structures;
Structure* tableStructure;
PropertyTable* table;
bool didFindStructure = findStructuresAndMapForMaterialization(structures, tableStructure, table);
for (auto* structure : structures) {
if (!structure->m_transitionPropertyName)
continue;
switch (structure->transitionKind()) {
case TransitionKind::PropertyAddition:
case TransitionKind::PropertyAttributeChange:
break;
case TransitionKind::PropertyDeletion:
if (structure->m_transitionPropertyName.get() == uid) {
if (didFindStructure) {
assertIsHeld(tableStructure->m_lock); // Sadly Clang needs some help here.
tableStructure->m_lock.unlock();
}
return invalidOffset;
}
continue;
case TransitionKind::SetBrand:
continue;
default:
ASSERT_NOT_REACHED();
break;
}
if (structure->m_transitionPropertyName.get() == uid) {
PropertyOffset result = structure->transitionOffset();
attributes = structure->transitionPropertyAttributes();
if (didFindStructure) {
assertIsHeld(tableStructure->m_lock); // Sadly Clang needs some help here.
tableStructure->m_lock.unlock();
}
return result;
}
}
PropertyOffset result = invalidOffset;
if (didFindStructure) {
assertIsHeld(tableStructure->m_lock); // Sadly Clang needs some help here.
// Because uid is UniquedStringImpl, it is guaranteed that the hash is already computed.
// So we can use PropertyTable::get even from the concurrent compilers.
if (auto* entry = table->get(uid)) {
result = entry->offset;
attributes = entry->attributes;
}
tableStructure->m_lock.unlock();
}
return result;
}
Vector<PropertyMapEntry> Structure::getPropertiesConcurrently()
{
Vector<PropertyMapEntry> result;
forEachPropertyConcurrently(
[&] (const PropertyMapEntry& entry) -> bool {
result.append(entry);
return true;
});
return result;
}
PropertyOffset Structure::add(VM& vm, PropertyName propertyName, unsigned attributes)
{
return add<ShouldPin::No>(
vm, propertyName, attributes,
[this, &vm] (const GCSafeConcurrentJSLocker&, PropertyOffset, PropertyOffset newMaxOffset) {
setMaxOffset(vm, newMaxOffset);
});
}
PropertyOffset Structure::remove(VM& vm, PropertyName propertyName)
{
return remove<ShouldPin::No>(vm, propertyName, [this, &vm] (const GCSafeConcurrentJSLocker&, PropertyOffset, PropertyOffset newMaxOffset) {
setMaxOffset(vm, newMaxOffset);
});
}
PropertyOffset Structure::attributeChange(VM& vm, PropertyName propertyName, unsigned attributes)
{
return attributeChange<ShouldPin::No>(
vm, propertyName, attributes,
[this, &vm] (const GCSafeConcurrentJSLocker&, PropertyOffset, PropertyOffset newMaxOffset) {
setMaxOffset(vm, newMaxOffset);
});
}
void Structure::getPropertyNamesFromStructure(VM& vm, PropertyNameArray& propertyNames, DontEnumPropertiesMode mode)
{
PropertyTable* table = ensurePropertyTableIfNotEmpty(vm);
if (!table)
return;
bool knownUnique = propertyNames.canAddKnownUniqueForStructure();
bool foundSymbol = false;
auto checkDontEnumAndAdd = [&](PropertyTable::iterator iter) {
if (mode == DontEnumPropertiesMode::Include || !(iter->attributes & PropertyAttribute::DontEnum)) {
if (knownUnique)
propertyNames.addUnchecked(iter->key);
else
propertyNames.add(iter->key);
}
};
PropertyTable::iterator end = table->end();
for (PropertyTable::iterator iter = table->begin(); iter != end; ++iter) {
ASSERT(!isQuickPropertyAccessAllowedForEnumeration() || !(iter->attributes & PropertyAttribute::DontEnum));
ASSERT(!isQuickPropertyAccessAllowedForEnumeration() || !iter->key->isSymbol());
if (iter->key->isSymbol()) {
foundSymbol = true;
if (propertyNames.propertyNameMode() != PropertyNameMode::Symbols)
continue;
}
checkDontEnumAndAdd(iter);
}
if (foundSymbol && propertyNames.propertyNameMode() == PropertyNameMode::StringsAndSymbols) {
// To ensure the order defined in the spec, we append symbols at the last elements of keys.
// https://tc39.es/ecma262/#sec-ordinaryownpropertykeys
for (PropertyTable::iterator iter = table->begin(); iter != end; ++iter) {
if (iter->key->isSymbol())
checkDontEnumAndAdd(iter);
}
}
}
void StructureFireDetail::dump(PrintStream& out) const
{
out.print("Structure transition from ", *m_structure);
}
DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire(VM& vm, Structure* structure)
: DeferredWatchpointFire(vm)
, m_structure(structure)
{
}
DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire()
{
fireAll();
}
void DeferredStructureTransitionWatchpointFire::dump(PrintStream& out) const
{
out.print("Structure transition from ", *m_structure);
}
void Structure::didTransitionFromThisStructure(DeferredStructureTransitionWatchpointFire* deferred) const
{
// If the structure is being watched, and this is the kind of structure that the DFG would
// like to watch, then make sure to note for all future versions of this structure that it's
// unwise to watch it.
if (m_transitionWatchpointSet.isBeingWatched())
const_cast<Structure*>(this)->setTransitionWatchpointIsLikelyToBeFired(true);
if (deferred) {
ASSERT(deferred->structure() == this);
m_transitionWatchpointSet.fireAll(vm(), deferred);
} else
m_transitionWatchpointSet.fireAll(vm(), StructureFireDetail(this));
}
template<typename Visitor>
void Structure::visitChildrenImpl(JSCell* cell, Visitor& visitor)
{
Structure* thisObject = jsCast<Structure*>(cell);
ASSERT_GC_OBJECT_INHERITS(thisObject, info());
Base::visitChildren(thisObject, visitor);
ConcurrentJSLocker locker(thisObject->m_lock);
visitor.append(thisObject->m_globalObject);
if (!thisObject->isObject()) {
// We do not need to clear JSPropertyNameEnumerator since it is never cached for non-object Structure.
// We do not have code clearing JSPropertyNameEnumerator since this function can be called concurrently.
thisObject->m_cachedPrototypeChain.clear();
#if ASSERT_ENABLED
if (auto* rareData = thisObject->tryRareData())
ASSERT(!rareData->cachedPropertyNameEnumerator());
#endif
} else {
visitor.append(thisObject->m_prototype);
visitor.append(thisObject->m_cachedPrototypeChain);
}
visitor.append(thisObject->m_previousOrRareData);
if (thisObject->isPinnedPropertyTable() || thisObject->protectPropertyTableWhileTransitioning()) {
// NOTE: This can interleave in pin(), in which case it may see a null property table.
// That's fine, because then the barrier will fire and we will scan this again.
visitor.append(thisObject->m_propertyTableUnsafe);
} else if (visitor.vm().isAnalyzingHeap())
visitor.append(thisObject->m_propertyTableUnsafe);
else if (thisObject->m_propertyTableUnsafe)
thisObject->m_propertyTableUnsafe.clear();
if (thisObject->isBrandedStructure())
BrandedStructure::visitAdditionalChildren(cell, visitor);
}
DEFINE_VISIT_CHILDREN(Structure);
template<typename Visitor>
ALWAYS_INLINE bool Structure::isCheapDuringGC(Visitor& visitor)
{
// FIXME: We could make this even safer by returning false if this structure's property table
// has any large property names.
// https://bugs.webkit.org/show_bug.cgi?id=157334
return (!m_globalObject || visitor.isMarked(m_globalObject.get()))
&& (hasPolyProto() || !storedPrototypeObject() || visitor.isMarked(storedPrototypeObject()));
}
template<typename Visitor>
bool Structure::markIfCheap(Visitor& visitor)
{
if (!isCheapDuringGC(visitor))
return visitor.isMarked(this);
visitor.appendUnbarriered(this);
return true;
}
template bool Structure::markIfCheap(AbstractSlotVisitor&);
template bool Structure::markIfCheap(SlotVisitor&);
Ref<StructureShape> Structure::toStructureShape(JSValue value, bool& sawPolyProtoStructure)
{
Ref<StructureShape> baseShape = StructureShape::create();
RefPtr<StructureShape> curShape = baseShape.ptr();
Structure* curStructure = this;
JSValue curValue = value;
sawPolyProtoStructure = false;
while (curStructure) {
sawPolyProtoStructure |= curStructure->hasPolyProto();
curStructure->forEachPropertyConcurrently(
[&] (const PropertyMapEntry& entry) -> bool {
if (!PropertyName(entry.key).isPrivateName())
curShape->addProperty(*entry.key);
return true;
});
if (JSObject* curObject = curValue.getObject())
curShape->setConstructorName(JSObject::calculatedClassName(curObject));
else
curShape->setConstructorName(curStructure->classInfo()->className);
if (curStructure->isDictionary())
curShape->enterDictionaryMode();
curShape->markAsFinal();
if (!curValue.isObject())
break;
JSObject* object = asObject(curValue);
JSObject* prototypeObject = object->structure()->storedPrototypeObject(object);
if (!prototypeObject)
break;
auto newShape = StructureShape::create();
curShape->setProto(newShape.copyRef());
curShape = WTFMove(newShape);
curValue = prototypeObject;
curStructure = prototypeObject->structure();
}
return baseShape;
}
void Structure::dump(PrintStream& out) const
{
auto* structureID = reinterpret_cast<void*>(id());
out.print(RawPointer(this), ":[", RawPointer(structureID),
"/", (uint32_t)(reinterpret_cast<uintptr_t>(structureID)), ", ",
classInfo()->className, ", (", inlineSize(), "/", inlineCapacity(), ", ",
outOfLineSize(), "/", outOfLineCapacity(), "){");
CommaPrinter comma;
const_cast<Structure*>(this)->forEachPropertyConcurrently(
[&] (const PropertyMapEntry& entry) -> bool {
out.print(comma, entry.key, ":", static_cast<int>(entry.offset));
return true;
});
out.print("}, ", IndexingTypeDump(indexingMode()));
if (hasPolyProto())
out.print(", PolyProto offset:", knownPolyProtoOffset);
else if (m_prototype.get().isCell())
out.print(", Proto:", RawPointer(m_prototype.get().asCell()));
switch (dictionaryKind()) {
case NoneDictionaryKind:
if (hasBeenDictionary())
out.print(", Has been dictionary");
break;
case CachedDictionaryKind:
out.print(", Dictionary");
break;
case UncachedDictionaryKind:
out.print(", UncacheableDictionary");
break;
}
if (transitionWatchpointSetIsStillValid())
out.print(", Leaf");
else if (transitionWatchpointIsLikelyToBeFired())
out.print(", Shady leaf");
if (transitionWatchpointSet().isBeingWatched())
out.print(" (Watched)");
out.print("]");
}
void Structure::dumpInContext(PrintStream& out, DumpContext* context) const
{
if (context)
context->structures.dumpBrief(this, out);
else
dump(out);
}
void Structure::dumpBrief(PrintStream& out, const CString& string) const
{
out.print("%", string, ":", classInfo()->className);
if (indexingType() & IndexingShapeMask)
out.print(",", IndexingTypeDump(indexingType()));
}
void Structure::dumpContextHeader(PrintStream& out)
{
out.print("Structures:");
}
bool ClassInfo::hasStaticSetterOrReadonlyProperties() const
{
for (const ClassInfo* ci = this; ci; ci = ci->parentClass) {
if (const HashTable* table = ci->staticPropHashTable) {
if (table->hasSetterOrReadonlyProperties)
return true;
}
}
return false;
}
void Structure::setCachedPropertyNameEnumerator(VM& vm, JSPropertyNameEnumerator* enumerator, StructureChain* chain)
{
ASSERT(typeInfo().isObject());
ASSERT(!isDictionary());
if (!hasRareData())
allocateRareData(vm);
ASSERT(chain == m_cachedPrototypeChain.get());
rareData()->setCachedPropertyNameEnumerator(vm, this, enumerator, chain);
}
JSPropertyNameEnumerator* Structure::cachedPropertyNameEnumerator() const
{
if (!hasRareData())
return nullptr;
return rareData()->cachedPropertyNameEnumerator();
}
uintptr_t Structure::cachedPropertyNameEnumeratorAndFlag() const
{
if (!hasRareData())
return 0;
return rareData()->cachedPropertyNameEnumeratorAndFlag();
}
bool Structure::canCachePropertyNameEnumerator(VM& vm) const
{
if (!this->canCacheOwnPropertyNames())
return false;
StructureChain* structureChain = m_cachedPrototypeChain.get();
ASSERT(structureChain);
StructureID* currentStructureID = structureChain->head();
while (true) {
StructureID structureID = *currentStructureID;
if (!structureID)
return true;
Structure* structure = vm.getStructure(structureID);
if (!structure->canCacheOwnPropertyNames())
return false;
currentStructureID++;
}
ASSERT_NOT_REACHED();
return true;
}
bool Structure::canAccessPropertiesQuicklyForEnumeration() const
{
if (!isQuickPropertyAccessAllowedForEnumeration())
return false;
if (hasGetterSetterProperties())
return false;
if (hasCustomGetterSetterProperties())
return false;
if (isUncacheableDictionary())
return false;
if (typeInfo().overridesGetOwnPropertyNames())
return false;
return true;
}
auto Structure::findPropertyHashEntry(PropertyName propertyName) const -> std::optional<PropertyHashEntry>
{
for (const ClassInfo* info = classInfo(); info; info = info->parentClass) {
if (const HashTable* propHashTable = info->staticPropHashTable) {
if (const HashTableValue* entry = propHashTable->entry(propertyName))
return PropertyHashEntry { propHashTable, entry };
}
}
return std::nullopt;
}
Structure* Structure::setBrandTransitionFromExistingStructureImpl(Structure* structure, UniquedStringImpl* brandID)
{
ASSERT(structure->isObject());
if (structure->hasBeenDictionary())
return nullptr;
if (Structure* existingTransition = structure->m_transitionTable.get(brandID, 0, TransitionKind::SetBrand))
return existingTransition;
return nullptr;
}
Structure* Structure::setBrandTransitionFromExistingStructureConcurrently(Structure* structure, UniquedStringImpl* brandID)
{
ConcurrentJSLocker locker(structure->m_lock);
return setBrandTransitionFromExistingStructureImpl(structure, brandID);
}
Structure* Structure::setBrandTransition(VM& vm, Structure* structure, Symbol* brand, DeferredStructureTransitionWatchpointFire* deferred)
{
Structure* existingTransition = setBrandTransitionFromExistingStructureImpl(structure, &brand->uid());
if (existingTransition)
return existingTransition;
Structure* transition = BrandedStructure::create(vm, structure, &brand->uid(), deferred);
transition->setTransitionKind(TransitionKind::SetBrand);
transition->m_cachedPrototypeChain.setMayBeNull(vm, transition, structure->m_cachedPrototypeChain.get());
transition->m_blob.setIndexingModeIncludingHistory(structure->indexingModeIncludingHistory());
transition->m_transitionPropertyName = &brand->uid();
transition->setTransitionPropertyAttributes(0);
transition->setPropertyTable(vm, structure->takePropertyTableOrCloneIfPinned(vm));
transition->setMaxOffset(vm, structure->maxOffset());
checkOffset(transition->maxOffset(), transition->inlineCapacity());
if (structure->isDictionary()) {
PropertyTable* table = transition->ensurePropertyTable(vm);
transition->pin(Locker { transition->m_lock }, vm, table);
} else {
Locker locker { structure->m_lock };
structure->m_transitionTable.add(vm, transition);
}
transition->checkOffsetConsistency();
return transition;
}
} // namespace JSC