Unreviewed, rolling out r201363 and r201456.
https://bugs.webkit.org/show_bug.cgi?id=158240
"40% regression on date-format-xparb" (Requested by
keith_miller on #webkit).
Reverted changesets:
"LLInt should be able to cache prototype loads for values in
GetById"
https://bugs.webkit.org/show_bug.cgi?id=158032
http://trac.webkit.org/changeset/201363
"get_by_id should support caching unset properties in the
LLInt"
https://bugs.webkit.org/show_bug.cgi?id=158136
http://trac.webkit.org/changeset/201456
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@201532 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/CMakeLists.txt b/Source/JavaScriptCore/CMakeLists.txt
index 67c5027..61ab6f5 100644
--- a/Source/JavaScriptCore/CMakeLists.txt
+++ b/Source/JavaScriptCore/CMakeLists.txt
@@ -202,7 +202,6 @@
bytecode/InlineCallFrame.cpp
bytecode/InlineCallFrameSet.cpp
bytecode/JumpTable.cpp
- bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
bytecode/LazyOperandValueProfile.cpp
bytecode/MethodOfGettingAValueProfile.cpp
bytecode/ObjectPropertyCondition.cpp
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index e5baad9..4dcfb6a 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,5 +1,25 @@
2016-05-31 Commit Queue <commit-queue@webkit.org>
+ Unreviewed, rolling out r201363 and r201456.
+ https://bugs.webkit.org/show_bug.cgi?id=158240
+
+ "40% regression on date-format-xparb" (Requested by
+ keith_miller on #webkit).
+
+ Reverted changesets:
+
+ "LLInt should be able to cache prototype loads for values in
+ GetById"
+ https://bugs.webkit.org/show_bug.cgi?id=158032
+ http://trac.webkit.org/changeset/201363
+
+ "get_by_id should support caching unset properties in the
+ LLInt"
+ https://bugs.webkit.org/show_bug.cgi?id=158136
+ http://trac.webkit.org/changeset/201456
+
+2016-05-31 Commit Queue <commit-queue@webkit.org>
+
Unreviewed, rolling out r201359.
https://bugs.webkit.org/show_bug.cgi?id=158238
diff --git a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
index 3d55d9b..4060d99 100644
--- a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
+++ b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
@@ -1187,8 +1187,6 @@
5BD3A06E1CAE35BF00F84BA3 /* JSAsyncFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = 5BD3A06D1CAE35BF00F84BA3 /* JSAsyncFunction.h */; };
53917E7B1B7906FA000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = 53917E7A1B7906E4000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h */; };
53F6BF6D1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
- 53FA2AE11CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = 53FA2AE01CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
- 53FA2AE31CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 53FA2AE21CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp */; };
5D5D8AD10E0D0EBE00F9C692 /* libedit.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 5D5D8AD00E0D0EBE00F9C692 /* libedit.dylib */; };
5DBB151B131D0B310056AD36 /* testapi.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 14D857740A4696C80032146C /* testapi.js */; };
5DBB1525131D0BD70056AD36 /* minidom.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 1412110D0A48788700480255 /* minidom.js */; };
@@ -3330,8 +3328,6 @@
53917E831B791CB8000EBD33 /* TypedArrayPrototype.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; name = TypedArrayPrototype.js; path = builtins/TypedArrayPrototype.js; sourceTree = SOURCE_ROOT; };
53F256E11B87E28000B4B768 /* JSTypedArrayViewPrototype.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSTypedArrayViewPrototype.cpp; sourceTree = "<group>"; };
53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InternalFunctionAllocationProfile.h; sourceTree = "<group>"; };
- 53FA2AE01CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LLIntPrototypeLoadAdaptiveStructureWatchpoint.h; sourceTree = "<group>"; };
- 53FA2AE21CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp; sourceTree = "<group>"; };
593D43CCA0BBE06D89C59707 /* MapDataInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MapDataInlines.h; sourceTree = "<group>"; };
5BD3A0611CAE325700F84BA3 /* AsyncFunctionConstructor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = AsyncFunctionConstructor.cpp; sourceTree = "<group>"; };
5BD3A0621CAE325700F84BA3 /* AsyncFunctionConstructor.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AsyncFunctionConstructor.h; sourceTree = "<group>"; };
@@ -6601,8 +6597,6 @@
0FB5467814F5C468002C2989 /* LazyOperandValueProfile.cpp */,
0FB5467614F59AD1002C2989 /* LazyOperandValueProfile.h */,
0F0FC45814BD15F100B81154 /* LLIntCallLinkInfo.h */,
- 53FA2AE21CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp */,
- 53FA2AE01CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h */,
0FB5467C14F5CFD3002C2989 /* MethodOfGettingAValueProfile.cpp */,
0FB5467A14F5C7D4002C2989 /* MethodOfGettingAValueProfile.h */,
14CA958C16AB50FA00938A06 /* ObjectAllocationProfile.h */,
@@ -7941,7 +7935,6 @@
0FF7168C15A3B235008F5DAA /* PropertyOffset.h in Headers */,
BC18C4550E16F5CD00B34460 /* PropertySlot.h in Headers */,
0FB7F39C15ED8E4600F167B2 /* PropertyStorage.h in Headers */,
- 53FA2AE11CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h in Headers */,
BC18C4560E16F5CD00B34460 /* Protect.h in Headers */,
1474C33B16AA2D950062F01D /* PrototypeMap.h in Headers */,
0F5780A218FE1E98001E72D9 /* PureNaN.h in Headers */,
@@ -8669,7 +8662,6 @@
65C02850171795E200351E35 /* ARMv7Disassembler.cpp in Sources */,
65C0285C1717966800351E35 /* ARMv7DOpcode.cpp in Sources */,
0F8335B71639C1E6001443B5 /* ArrayAllocationProfile.cpp in Sources */,
- 53FA2AE31CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp in Sources */,
A7A8AF3417ADB5F3005AB174 /* ArrayBuffer.cpp in Sources */,
0FFC99D4184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.cpp in Sources */,
A7A8AF3617ADB5F3005AB174 /* ArrayBufferView.cpp in Sources */,
diff --git a/Source/JavaScriptCore/bytecode/BytecodeList.json b/Source/JavaScriptCore/bytecode/BytecodeList.json
index 84af665..48301cd 100644
--- a/Source/JavaScriptCore/bytecode/BytecodeList.json
+++ b/Source/JavaScriptCore/bytecode/BytecodeList.json
@@ -58,13 +58,11 @@
{ "name" : "op_is_object_or_null", "length" : 3 },
{ "name" : "op_is_function", "length" : 3 },
{ "name" : "op_in", "length" : 4 },
- { "name" : "op_get_array_length", "length" : 9 },
+ { "name" : "op_try_get_by_id", "length" : 4 },
{ "name" : "op_get_by_id", "length" : 9 },
- { "name" : "op_get_by_id_proto_load", "length" : 9 },
- { "name" : "op_get_by_id_unset", "length" : 9 },
{ "name" : "op_get_by_id_with_this", "length" : 5 },
{ "name" : "op_get_by_val_with_this", "length" : 5 },
- { "name" : "op_try_get_by_id", "length" : 4 },
+ { "name" : "op_get_array_length", "length" : 9 },
{ "name" : "op_put_by_id", "length" : 9 },
{ "name" : "op_put_by_id_with_this", "length" : 5 },
{ "name" : "op_del_by_id", "length" : 4 },
diff --git a/Source/JavaScriptCore/bytecode/BytecodeUseDef.h b/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
index 38cf30e..a3e80a8 100644
--- a/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
+++ b/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
@@ -158,8 +158,6 @@
case op_to_primitive:
case op_try_get_by_id:
case op_get_by_id:
- case op_get_by_id_proto_load:
- case op_get_by_id_unset:
case op_get_array_length:
case op_typeof:
case op_is_empty:
@@ -396,8 +394,6 @@
case op_construct:
case op_try_get_by_id:
case op_get_by_id:
- case op_get_by_id_proto_load:
- case op_get_by_id_unset:
case op_get_by_id_with_this:
case op_get_by_val_with_this:
case op_get_array_length:
diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.cpp b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
index dce0fd8..81fa4d5 100644
--- a/Source/JavaScriptCore/bytecode/CodeBlock.cpp
+++ b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
@@ -50,7 +50,6 @@
#include "JSLexicalEnvironment.h"
#include "JSModuleEnvironment.h"
#include "LLIntEntrypoint.h"
-#include "LLIntPrototypeLoadAdaptiveStructureWatchpoint.h"
#include "LowLevelInterpreter.h"
#include "JSCInlines.h"
#include "PCToCodeOriginMap.h"
@@ -346,12 +345,6 @@
case op_get_by_id:
op = "get_by_id";
break;
- case op_get_by_id_proto_load:
- op = "get_by_id_proto_load";
- break;
- case op_get_by_id_unset:
- op = "get_by_id_unset";
- break;
case op_get_array_length:
op = "array_length";
break;
@@ -412,8 +405,6 @@
out.printf(" llint(");
dumpStructure(out, "struct", structure, ident);
out.printf(")");
- if (exec->interpreter()->getOpcodeID(instruction[0].u.opcode) == op_get_by_id_proto_load)
- out.printf(" proto(%p)", instruction[6].u.pointer);
}
#if ENABLE(JIT)
@@ -1121,8 +1112,6 @@
break;
}
case op_get_by_id:
- case op_get_by_id_proto_load:
- case op_get_by_id_unset:
case op_get_array_length: {
printGetByIdOp(out, exec, location, it);
printGetByIdCacheStatus(out, exec, location, stubInfos);
@@ -2773,15 +2762,14 @@
for (size_t size = propertyAccessInstructions.size(), i = 0; i < size; ++i) {
Instruction* curInstruction = &instructions()[propertyAccessInstructions[i]];
switch (interpreter->getOpcodeID(curInstruction[0].u.opcode)) {
- case op_get_by_id:
- case op_get_by_id_proto_load:
- case op_get_by_id_unset: {
+ case op_get_by_id: {
StructureID oldStructureID = curInstruction[4].u.structureID;
if (!oldStructureID || Heap::isMarked(m_vm->heap.structureIDTable().get(oldStructureID)))
break;
if (Options::verboseOSR())
dataLogF("Clearing LLInt property access.\n");
- clearLLIntGetByIdCache(curInstruction);
+ curInstruction[4].u.structureID = 0;
+ curInstruction[5].u.operand = 0;
break;
}
case op_put_by_id: {
@@ -2855,12 +2843,6 @@
}
}
- // We can't just remove all the sets when we clear the caches since we might have created a watchpoint set
- // then cleared the cache without GCing in between.
- m_llintGetByIdWatchpointMap.removeIf([](const StructureWatchpointMap::KeyValuePairType& pair) -> bool {
- return !Heap::isMarked(pair.key);
- });
-
for (unsigned i = 0; i < m_llintCallLinkInfos.size(); ++i) {
if (m_llintCallLinkInfos[i].isLinked() && !Heap::isMarked(m_llintCallLinkInfos[i].callee.get())) {
if (Options::verboseOSR())
diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.h b/Source/JavaScriptCore/bytecode/CodeBlock.h
index 664ecfe..cbb8cf5 100644
--- a/Source/JavaScriptCore/bytecode/CodeBlock.h
+++ b/Source/JavaScriptCore/bytecode/CodeBlock.h
@@ -56,7 +56,6 @@
#include "JSGlobalObject.h"
#include "JumpTable.h"
#include "LLIntCallLinkInfo.h"
-#include "LLIntPrototypeLoadAdaptiveStructureWatchpoint.h"
#include "LazyOperandValueProfile.h"
#include "ObjectAllocationProfile.h"
#include "Options.h"
@@ -679,9 +678,6 @@
return m_llintExecuteCounter;
}
- typedef HashMap<Structure*, Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint>> StructureWatchpointMap;
- StructureWatchpointMap& llintGetByIdWatchpointMap() { return m_llintGetByIdWatchpointMap; }
-
// Functions for controlling when tiered compilation kicks in. This
// controls both when the optimizing compiler is invoked and when OSR
// entry happens. Two triggers exist: the loop trigger and the return
@@ -1023,7 +1019,6 @@
RefCountedArray<LLIntCallLinkInfo> m_llintCallLinkInfos;
SentinelLinkedList<LLIntCallLinkInfo, BasicRawSentinelNode<LLIntCallLinkInfo>> m_incomingLLIntCalls;
- StructureWatchpointMap m_llintGetByIdWatchpointMap;
RefPtr<JITCode> m_jitCode;
#if ENABLE(JIT)
std::unique_ptr<RegisterAtOffsetList> m_calleeSaveRegisters;
@@ -1314,14 +1309,6 @@
};
#endif
-inline void clearLLIntGetByIdCache(Instruction* instruction)
-{
- instruction[0].u.opcode = LLInt::getOpcode(op_get_by_id);
- instruction[4].u.pointer = nullptr;
- instruction[5].u.pointer = nullptr;
- instruction[6].u.pointer = nullptr;
-}
-
inline Register& ExecState::r(int index)
{
CodeBlock* codeBlock = this->codeBlock();
diff --git a/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp b/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
index bab2cb1..c69514c 100644
--- a/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
+++ b/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
@@ -75,14 +75,8 @@
VM& vm = *profiledBlock->vm();
Instruction* instruction = profiledBlock->instructions().begin() + bytecodeIndex;
-
- Opcode opcode = instruction[0].u.opcode;
-
- ASSERT(opcode == LLInt::getOpcode(op_get_array_length) || opcode == LLInt::getOpcode(op_try_get_by_id) || opcode == LLInt::getOpcode(op_get_by_id_proto_load) || opcode == LLInt::getOpcode(op_get_by_id) || opcode == LLInt::getOpcode(op_get_by_id_unset));
-
- // FIXME: We should not just bail if we see a try_get_by_id or a get_by_id_proto_load.�
- // https://bugs.webkit.org/show_bug.cgi?id=158039
- if (opcode != LLInt::getOpcode(op_get_by_id))
+
+ if (instruction[0].u.opcode == LLInt::getOpcode(op_get_array_length) || instruction[0].u.opcode == LLInt::getOpcode(op_try_get_by_id))
return GetByIdStatus(NoInformation, false);
StructureID structureID = instruction[4].u.structureID;
diff --git a/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp b/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
deleted file mode 100644
index 7ae2c0d..0000000
--- a/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "LLIntPrototypeLoadAdaptiveStructureWatchpoint.h"
-
-#include "CodeBlock.h"
-#include "Instruction.h"
-#include "StructureInlines.h"
-
-namespace JSC {
-
-LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint(const ObjectPropertyCondition& key, Instruction* getByIdInstruction)
- : m_key(key)
- , m_getByIdInstruction(getByIdInstruction)
-{
- RELEASE_ASSERT(key.watchingRequiresStructureTransitionWatchpoint());
- RELEASE_ASSERT(!key.watchingRequiresReplacementWatchpoint());
-}
-
-void LLIntPrototypeLoadAdaptiveStructureWatchpoint::install()
-{
- RELEASE_ASSERT(m_key.isWatchable());
-
- m_key.object()->structure()->addTransitionWatchpoint(this);
-}
-
-void LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal(const FireDetail& detail)
-{
- if (m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
- install();
- return;
- }
-
- StringPrintStream out;
- out.print("ObjectToStringValue Adaptation of ", m_key, " failed: ", detail);
-
- StringFireDetail stringDetail(out.toCString().data());
-
- clearLLIntGetByIdCache(m_getByIdInstruction);
-}
-
-} // namespace JSC
diff --git a/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h b/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h
deleted file mode 100644
index 2615e10..0000000
--- a/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef LLIntPrototypeLoadAdaptiveStructureWatchpoint_h
-#define LLIntPrototypeLoadAdaptiveStructureWatchpoint_h
-
-#include "Instruction.h"
-#include "ObjectPropertyCondition.h"
-#include "Watchpoint.h"
-
-namespace JSC {
-
-class LLIntPrototypeLoadAdaptiveStructureWatchpoint : public Watchpoint {
-public:
- LLIntPrototypeLoadAdaptiveStructureWatchpoint(const ObjectPropertyCondition&, Instruction*);
-
- void install();
-
-protected:
- void fireInternal(const FireDetail&) override;
-
-private:
- ObjectPropertyCondition m_key;
- Instruction* m_getByIdInstruction;
-};
-
-} // namespace JSC
-
-#endif /* LLIntPrototypeLoadAdaptiveStructureWatchpoint_h */
diff --git a/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp b/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp
index 05723ad..d570040 100644
--- a/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp
+++ b/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp
@@ -167,18 +167,6 @@
dumpInContext(out, nullptr);
}
-bool ObjectPropertyConditionSet::isValidAndWatchable() const
-{
- if (!isValid())
- return false;
-
- for (ObjectPropertyCondition condition : m_data->vector) {
- if (!condition.isWatchable())
- return false;
- }
- return true;
-}
-
namespace {
bool verbose = false;
@@ -266,11 +254,9 @@
// Since we're accessing a prototype repeatedly, it's a good bet that it should not be
// treated as a dictionary.
if (structure->isDictionary()) {
- if (concurrency == MainThread) {
- if (verbose)
- dataLog("Flattening ", pointerDump(structure));
+ if (concurrency == MainThread)
structure->flattenDictionaryStructure(vm, object);
- } else {
+ else {
if (verbose)
dataLog("Cannot flatten dictionary when not on main thread, so invalid.\n");
return ObjectPropertyConditionSet::invalid();
diff --git a/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h b/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h
index 01ce1a8..76e8a9c 100644
--- a/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h
+++ b/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h
@@ -67,8 +67,6 @@
{
return !m_data || !m_data->vector.isEmpty();
}
-
- bool isValidAndWatchable() const;
bool isEmpty() const
{
diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
index 59d3677..60b1168 100644
--- a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
+++ b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
@@ -2499,7 +2499,7 @@
instructions().append(0);
instructions().append(0);
instructions().append(0);
- instructions().append(Options::prototypeHitCountForLLIntCaching());
+ instructions().append(0);
instructions().append(profile);
return dst;
}
diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
index 482bd0b..fa5e7e0 100644
--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -4081,8 +4081,6 @@
}
case op_get_by_id:
- case op_get_by_id_proto_load:
- case op_get_by_id_unset:
case op_get_array_length: {
SpeculatedType prediction = getPrediction();
diff --git a/Source/JavaScriptCore/dfg/DFGCapabilities.cpp b/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
index 8eaba38..b9c4592 100644
--- a/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
+++ b/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
@@ -154,8 +154,6 @@
case op_put_by_val_direct:
case op_try_get_by_id:
case op_get_by_id:
- case op_get_by_id_proto_load:
- case op_get_by_id_unset:
case op_get_by_id_with_this:
case op_get_by_val_with_this:
case op_get_array_length:
diff --git a/Source/JavaScriptCore/jit/JIT.cpp b/Source/JavaScriptCore/jit/JIT.cpp
index 477c404..a4765ae 100644
--- a/Source/JavaScriptCore/jit/JIT.cpp
+++ b/Source/JavaScriptCore/jit/JIT.cpp
@@ -240,8 +240,6 @@
DEFINE_OP(op_eq_null)
DEFINE_OP(op_try_get_by_id)
case op_get_array_length:
- case op_get_by_id_proto_load:
- case op_get_by_id_unset:
DEFINE_OP(op_get_by_id)
DEFINE_OP(op_get_by_id_with_this)
DEFINE_OP(op_get_by_val)
@@ -425,8 +423,6 @@
DEFINE_SLOWCASE_OP(op_eq)
DEFINE_SLOWCASE_OP(op_try_get_by_id)
case op_get_array_length:
- case op_get_by_id_proto_load:
- case op_get_by_id_unset:
DEFINE_SLOWCASE_OP(op_get_by_id)
DEFINE_SLOWCASE_OP(op_get_by_val)
DEFINE_SLOWCASE_OP(op_instanceof)
diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
index 7444241..1137961 100644
--- a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
+++ b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
@@ -53,7 +53,6 @@
#include "LLIntExceptions.h"
#include "LowLevelInterpreter.h"
#include "ObjectConstructor.h"
-#include "ObjectPropertyConditionSet.h"
#include "ProtoCallFrame.h"
#include "ShadowChicken.h"
#include "StructureRareDataInlines.h"
@@ -582,53 +581,6 @@
LLINT_RETURN(slot.getPureResult());
}
-static void setupGetByIdPrototypeCache(ExecState* exec, VM& vm, Instruction* pc, JSCell* baseCell, PropertySlot& slot, const Identifier& ident)
-{
- CodeBlock* codeBlock = exec->codeBlock();
- Structure* structure = baseCell->structure();
-
- if (structure->typeInfo().prohibitsPropertyCaching() || structure->isDictionary())
- return;
-
- ObjectPropertyConditionSet conditions;
- if (slot.isUnset())
- conditions = generateConditionsForPropertyMiss(vm, codeBlock, exec, structure, ident.impl());
- else
- conditions = generateConditionsForPrototypePropertyHit(vm, codeBlock, exec, structure, slot.slotBase(), ident.impl());
-
- if (!conditions.isValid())
- return;
-
- PropertyOffset offset = invalidOffset;
- CodeBlock::StructureWatchpointMap& watchpointMap = codeBlock->llintGetByIdWatchpointMap();
- auto result = watchpointMap.add(structure, Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint>());
- for (ObjectPropertyCondition condition : conditions) {
- if (!condition.isWatchable())
- return;
- if (condition.condition().kind() == PropertyCondition::Presence)
- offset = condition.condition().offset();
- result.iterator->value.add(condition, pc)->install();
- }
- ASSERT((offset == invalidOffset) == slot.isUnset());
-
- ConcurrentJITLocker locker(codeBlock->m_lock);
-
- if (slot.isUnset()) {
- pc[0].u.opcode = LLInt::getOpcode(op_get_by_id_unset);
- pc[4].u.structureID = structure->id();
- return;
- }
- ASSERT(slot.isValue());
-
- pc[0].u.opcode = LLInt::getOpcode(op_get_by_id_proto_load);
- pc[4].u.structureID = structure->id();
- pc[5].u.operand = offset;
- // We know that this pointer will remain valid because it will be cleared by either a watchpoint fire or
- // during GC when we clear the LLInt caches.
- pc[6].u.pointer = slot.slotBase();
-}
-
-
LLINT_SLOW_PATH_DECL(slow_path_get_by_id)
{
LLINT_BEGIN();
@@ -643,43 +595,37 @@
if (!LLINT_ALWAYS_ACCESS_SLOW
&& baseValue.isCell()
- && slot.isCacheable()) {
-
+ && slot.isCacheable()
+ && slot.slotBase() == baseValue
+ && slot.isCacheableValue()) {
+
JSCell* baseCell = baseValue.asCell();
Structure* structure = baseCell->structure();
- if (slot.isValue() && slot.slotBase() == baseValue) {
- // Start out by clearing out the old cache.
- pc[0].u.opcode = LLInt::getOpcode(op_get_by_id);
- pc[4].u.pointer = nullptr; // old structure
- pc[5].u.pointer = nullptr; // offset
-
- // Prevent the prototype cache from ever happening.
- pc[7].u.operand = 0;
- if (structure->propertyAccessesAreCacheable()) {
- vm.heap.writeBarrier(codeBlock);
-
- ConcurrentJITLocker locker(codeBlock->m_lock);
+ // Start out by clearing out the old cache.
+ pc[0].u.opcode = LLInt::getOpcode(op_get_by_id);
+ pc[4].u.pointer = nullptr; // old structure
+ pc[5].u.pointer = nullptr; // offset
+
+ if (!structure->isUncacheableDictionary()
+ && !structure->typeInfo().prohibitsPropertyCaching()
+ && !structure->typeInfo().newImpurePropertyFiresWatchpoints()) {
+ vm.heap.writeBarrier(codeBlock);
+
+ ConcurrentJITLocker locker(codeBlock->m_lock);
- pc[4].u.structureID = structure->id();
- pc[5].u.operand = slot.cachedOffset();
- }
- } else if (UNLIKELY(pc[7].u.operand && (slot.isValue() || slot.isUnset()))) {
- ASSERT(slot.slotBase() != baseValue);
-
- if (!(--pc[7].u.operand))
- setupGetByIdPrototypeCache(exec, vm, pc, baseCell, slot, ident);
+ pc[4].u.structureID = structure->id();
+ pc[5].u.operand = slot.cachedOffset();
}
- } else if (!LLINT_ALWAYS_ACCESS_SLOW
+ }
+
+ if (!LLINT_ALWAYS_ACCESS_SLOW
&& isJSArray(baseValue)
&& ident == exec->propertyNames().length) {
pc[0].u.opcode = LLInt::getOpcode(op_get_array_length);
ArrayProfile* arrayProfile = codeBlock->getOrAddArrayProfile(pc - codeBlock->instructions().begin());
arrayProfile->observeStructure(baseValue.asCell()->structure());
pc[4].u.arrayProfile = arrayProfile;
-
- // Prevent the prototype cache from ever happening.
- pc[7].u.operand = 0;
}
pc[OPCODE_LENGTH(op_get_by_id) - 1].u.profile->m_buckets[0] = JSValue::encode(result);
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
index f5f7560..52e0b45 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
@@ -1334,12 +1334,10 @@
# We only do monomorphic get_by_id caching for now, and we do not modify the
-# opcode for own properties. We also allow for the cache to change anytime it fails,
-# since ping-ponging is free. At best we get lucky and the get_by_id will continue
+# opcode. We do, however, allow for the cache to change anytime if fails, since
+# ping-ponging is free. At best we get lucky and the get_by_id will continue
# to take fast path on the new cache. At worst we take slow path, which is what
-# we would have been doing anyway. For prototype/unset properties, we will attempt to
-# convert opcode into a get_by_id_proto_load/get_by_id_unset, respectively, after an
-# execution counter hits zero.
+# we would have been doing anyway.
_llint_op_get_by_id:
traceExecution()
@@ -1360,43 +1358,6 @@
dispatch(9)
-_llint_op_get_by_id_proto_load:
- traceExecution()
- loadi 8[PC], t0
- loadi 16[PC], t1
- loadConstantOrVariablePayload(t0, CellTag, t3, .opGetByIdProtoSlow)
- loadi 20[PC], t2
- bineq JSCell::m_structureID[t3], t1, .opGetByIdProtoSlow
- loadpFromInstruction(6, t3)
- loadPropertyAtVariableOffset(t2, t3, t0, t1)
- loadi 4[PC], t2
- storei t0, TagOffset[cfr, t2, 8]
- storei t1, PayloadOffset[cfr, t2, 8]
- valueProfile(t0, t1, 32, t2)
- dispatch(9)
-
-.opGetByIdProtoSlow:
- callSlowPath(_llint_slow_path_get_by_id)
- dispatch(9)
-
-
-_llint_op_get_by_id_unset:
- traceExecution()
- loadi 8[PC], t0
- loadi 16[PC], t1
- loadConstantOrVariablePayload(t0, CellTag, t3, .opGetByIdUnsetSlow)
- bineq JSCell::m_structureID[t3], t1, .opGetByIdUnsetSlow
- loadi 4[PC], t2
- storei UndefinedTag, TagOffset[cfr, t2, 8]
- storei 0, PayloadOffset[cfr, t2, 8]
- valueProfile(UndefinedTag, 0, 32, t2)
- dispatch(9)
-
-.opGetByIdUnsetSlow:
- callSlowPath(_llint_slow_path_get_by_id)
- dispatch(9)
-
-
_llint_op_get_array_length:
traceExecution()
loadi 8[PC], t0
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
index b9c17a5..46e5616 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
@@ -1232,43 +1232,6 @@
dispatch(9)
-_llint_op_get_by_id_proto_load:
- traceExecution()
- loadisFromInstruction(2, t0)
- loadConstantOrVariableCell(t0, t3, .opGetByIdProtoSlow)
- loadi JSCell::m_structureID[t3], t1
- loadisFromInstruction(4, t2)
- bineq t2, t1, .opGetByIdProtoSlow
- loadisFromInstruction(5, t1)
- loadpFromInstruction(6, t3)
- loadisFromInstruction(1, t2)
- loadPropertyAtVariableOffset(t1, t3, t0)
- storeq t0, [cfr, t2, 8]
- valueProfile(t0, 8, t1)
- dispatch(9)
-
-.opGetByIdProtoSlow:
- callSlowPath(_llint_slow_path_get_by_id)
- dispatch(9)
-
-
-_llint_op_get_by_id_unset:
- traceExecution()
- loadisFromInstruction(2, t0)
- loadConstantOrVariableCell(t0, t3, .opGetByIdUnsetSlow)
- loadi JSCell::m_structureID[t3], t1
- loadisFromInstruction(4, t2)
- bineq t2, t1, .opGetByIdUnsetSlow
- loadisFromInstruction(1, t2)
- storeq ValueUndefined, [cfr, t2, 8]
- valueProfile(ValueUndefined, 8, t1)
- dispatch(9)
-
-.opGetByIdUnsetSlow:
- callSlowPath(_llint_slow_path_get_by_id)
- dispatch(9)
-
-
_llint_op_get_array_length:
traceExecution()
loadisFromInstruction(2, t0)
diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
index 5d92d5d..9b4bb19 100644
--- a/Source/JavaScriptCore/runtime/Options.h
+++ b/Source/JavaScriptCore/runtime/Options.h
@@ -362,8 +362,6 @@
\
v(bool, useICStats, false, Normal, nullptr) \
\
- v(unsigned, prototypeHitCountForLLIntCaching, 2, Normal, "Number of prototype property hits before caching a prototype in the LLInt. A count of 0 means never cache.") \
- \
v(bool, dumpModuleRecord, false, Normal, nullptr) \
v(bool, dumpModuleLoadingState, false, Normal, nullptr) \
v(bool, exposeInternalModuleLoader, false, Normal, "expose the internal module loader object to the global space for debugging") \
diff --git a/Source/JavaScriptCore/tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js b/Source/JavaScriptCore/tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js
deleted file mode 100644
index 44a27e1..0000000
--- a/Source/JavaScriptCore/tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js
+++ /dev/null
@@ -1,19 +0,0 @@
-
-expected = Object.prototype.toString;
-foo = {foo: 1, bar: 20};
-delete foo.bar;
-
-
-function test() {
- let toString = foo.toString;
- if (toString !== expected)
- throw new Error();
-}
-
-for (i = 0; i < 10; i++)
- test();
-
-foo.toString = 100;
-expected = 100;
-
-test();
diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog
index 55ad359..c5aa505 100644
--- a/Source/WTF/ChangeLog
+++ b/Source/WTF/ChangeLog
@@ -1,3 +1,23 @@
+2016-05-31 Commit Queue <commit-queue@webkit.org>
+
+ Unreviewed, rolling out r201363 and r201456.
+ https://bugs.webkit.org/show_bug.cgi?id=158240
+
+ "40% regression on date-format-xparb" (Requested by
+ keith_miller on #webkit).
+
+ Reverted changesets:
+
+ "LLInt should be able to cache prototype loads for values in
+ GetById"
+ https://bugs.webkit.org/show_bug.cgi?id=158032
+ http://trac.webkit.org/changeset/201363
+
+ "get_by_id should support caching unset properties in the
+ LLInt"
+ https://bugs.webkit.org/show_bug.cgi?id=158136
+ http://trac.webkit.org/changeset/201456
+
2016-05-31 Brady Eidson <beidson@apple.com>
Make createCrossThreadTask() functions return on the stack instead of the heap.
diff --git a/Source/WTF/wtf/Bag.h b/Source/WTF/wtf/Bag.h
index 52040c5..db51132 100644
--- a/Source/WTF/wtf/Bag.h
+++ b/Source/WTF/wtf/Bag.h
@@ -48,22 +48,9 @@
public:
Bag()
+ : m_head(nullptr)
{
}
-
- Bag(Bag<T>&& other)
- {
- ASSERT(!m_head);
- m_head = other.m_head;
- other.m_head = nullptr;
- }
-
- Bag& operator=(Bag<T>&& other)
- {
- m_head = other.m_head;
- other.m_head = nullptr;
- return *this;
- }
~Bag()
{
@@ -134,7 +121,7 @@
bool isEmpty() const { return !m_head; }
private:
- Node* m_head { nullptr };
+ Node* m_head;
};
} // namespace WTF
