Title: [226000] trunk/Source/_javascript_Core
Revision
226000
Author
keith_mil...@apple.com
Date
2017-12-16 10:20:04 -0800 (Sat, 16 Dec 2017)

Log Message

Indexing should only be computed when the new structure has an indexing header.
https://bugs.webkit.org/show_bug.cgi?id=180895

Reviewed by Saam Barati.

If we don't have an indexing header then we point the butterfly
sizeof(IndexingHeader) past the end of the butterfly. This makes
the computation of the offset simpler since it doesn't depend on
the indexing headeriness of the butterfly.

* jit/JITOperations.cpp:
* runtime/JSObject.cpp:
(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToArrayStorage):
* runtime/JSObject.h:
(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):
* runtime/JSObjectInlines.h:
(JSC::JSObject::prepareToPutDirectWithoutTransition):
(JSC::JSObject::putDirectInternal):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (225999 => 226000)


--- trunk/Source/_javascript_Core/ChangeLog	2017-12-16 17:57:09 UTC (rev 225999)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-12-16 18:20:04 UTC (rev 226000)
@@ -1,3 +1,32 @@
+2017-12-16  Keith Miller  <keith_mil...@apple.com>
+
+        Indexing should only be computed when the new structure has an indexing header.
+        https://bugs.webkit.org/show_bug.cgi?id=180895
+
+        Reviewed by Saam Barati.
+
+        If we don't have an indexing header then we point the butterfly
+        sizeof(IndexingHeader) past the end of the butterfly. This makes
+        the computation of the offset simpler since it doesn't depend on
+        the indexing headeriness of the butterfly.
+
+        * jit/JITOperations.cpp:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::createInitialUndecided):
+        (JSC::JSObject::createInitialInt32):
+        (JSC::JSObject::createInitialDouble):
+        (JSC::JSObject::createInitialContiguous):
+        (JSC::JSObject::createArrayStorage):
+        (JSC::JSObject::convertUndecidedToArrayStorage):
+        (JSC::JSObject::convertInt32ToArrayStorage):
+        (JSC::JSObject::convertDoubleToArrayStorage):
+        * runtime/JSObject.h:
+        (JSC::JSObject::setButterfly):
+        (JSC::JSObject::nukeStructureAndSetButterfly):
+        * runtime/JSObjectInlines.h:
+        (JSC::JSObject::prepareToPutDirectWithoutTransition):
+        (JSC::JSObject::putDirectInternal):
+
 2017-12-15  Ryan Haddad  <ryanhad...@apple.com>
 
         Unreviewed, rolling out r225941.

Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (225999 => 226000)


--- trunk/Source/_javascript_Core/jit/JITOperations.cpp	2017-12-16 17:57:09 UTC (rev 225999)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp	2017-12-16 18:20:04 UTC (rev 226000)
@@ -2311,7 +2311,7 @@
 
     ASSERT(!object->structure()->outOfLineCapacity());
     Butterfly* result = object->allocateMoreOutOfLineStorage(vm, 0, initialOutOfLineCapacity);
-    object->nukeStructureAndSetButterfly(vm, object->structureID(), result);
+    object->nukeStructureAndSetButterfly(vm, object->structureID(), result, object->indexingType());
     return reinterpret_cast<char*>(result);
 }
 
@@ -2321,7 +2321,7 @@
     NativeCallFrameTracer tracer(&vm, exec);
 
     Butterfly* result = object->allocateMoreOutOfLineStorage(vm, object->structure()->outOfLineCapacity(), newSize);
-    object->nukeStructureAndSetButterfly(vm, object->structureID(), result);
+    object->nukeStructureAndSetButterfly(vm, object->structureID(), result, object->indexingType());
     return reinterpret_cast<char*>(result);
 }
 

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (225999 => 226000)


--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2017-12-16 17:57:09 UTC (rev 225999)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2017-12-16 18:20:04 UTC (rev 226000)
@@ -1040,7 +1040,7 @@
     StructureID oldStructureID = this->structureID();
     Structure* oldStructure = vm.getStructure(oldStructureID);
     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, NonPropertyTransition::AllocateUndecided);
-    nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly);
+    nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly, newStructure->indexingType());
     setStructure(vm, newStructure);
     return newButterfly;
 }
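Review bot: The mask decision and the installed structure are tied together only by convention here: `newStructure->indexingType()` is passed to `nukeStructureAndSetButterfly`, and `setStructure(vm, newStructure)` follows as a separate statement. The same pair appears in the other seven hunks of this file (@@ -1055 to @@ -1318). A later call site that passes a type taken from a different structure would still compile, and would either skip the indexing-mask update or read an indexing header that the log message says may not exist. A small private helper that takes `newStructure` and performs both calls would make that mismatch impossible to write. The enclosing function starts above this hunk.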
@@ -1055,7 +1055,7 @@
     StructureID oldStructureID = this->structureID();
     Structure* oldStructure = vm.getStructure(oldStructureID);
     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, NonPropertyTransition::AllocateInt32);
-    nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly);
+    nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly, newStructure->indexingType());
     setStructure(vm, newStructure);
     return newButterfly->contiguousInt32();
 }
@@ -1070,7 +1070,7 @@
     StructureID oldStructureID = this->structureID();
     Structure* oldStructure = vm.getStructure(oldStructureID);
     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, NonPropertyTransition::AllocateDouble);
-    nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly);
+    nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly, newStructure->indexingType());
     setStructure(vm, newStructure);
     return newButterfly->contiguousDouble();
 }
@@ -1085,7 +1085,7 @@
     StructureID oldStructureID = this->structureID();
     Structure* oldStructure = vm.getStructure(oldStructureID);
     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, NonPropertyTransition::AllocateContiguous);
-    nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly);
+    nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly, newStructure->indexingType());
     setStructure(vm, newStructure);
     return newButterfly->contiguous();
 }
@@ -1120,7 +1120,7 @@
     Butterfly* newButterfly = createArrayStorageButterfly(vm, this, oldStructure, length, vectorLength, butterfly());
     ArrayStorage* result = newButterfly->arrayStorage();
     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, suggestedArrayStorageTransition());
-    nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly);
+    nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly, newStructure->indexingType());
     setStructure(vm, newStructure);
     return result;
 }
@@ -1207,7 +1207,7 @@
     StructureID oldStructureID = this->structureID();
     Structure* oldStructure = vm.getStructure(oldStructureID);
     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, transition);
-    nukeStructureAndSetButterfly(vm, oldStructureID, storage->butterfly());
+    nukeStructureAndSetButterfly(vm, oldStructureID, storage->butterfly(), newStructure->indexingType());
     setStructure(vm, newStructure);
     return storage;
 }
@@ -1265,7 +1265,7 @@
     StructureID oldStructureID = this->structureID();
     Structure* oldStructure = vm.getStructure(oldStructureID);
     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, transition);
-    nukeStructureAndSetButterfly(vm, oldStructureID, newStorage->butterfly());
+    nukeStructureAndSetButterfly(vm, oldStructureID, newStorage->butterfly(), newStructure->indexingType());
     setStructure(vm, newStructure);
     return newStorage;
 }
@@ -1318,7 +1318,7 @@
     StructureID oldStructureID = this->structureID();
     Structure* oldStructure = vm.getStructure(oldStructureID);
     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, transition);
-    nukeStructureAndSetButterfly(vm, oldStructureID, newStorage->butterfly());
+    nukeStructureAndSetButterfly(vm, oldStructureID, newStorage->butterfly(), newStructure->indexingType());
     setStructure(vm, newStructure);
     return newStorage;
 }

Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (225999 => 226000)


--- trunk/Source/_javascript_Core/runtime/JSObject.h	2017-12-16 17:57:09 UTC (rev 225999)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h	2017-12-16 18:20:04 UTC (rev 226000)
@@ -769,7 +769,7 @@
     
     // Call this if you do need to change the structure, or if you changed something about a structure
     // in-place.
-    void nukeStructureAndSetButterfly(VM&, StructureID, Butterfly*);
+    void nukeStructureAndSetButterfly(VM&, StructureID oldStructureID, Butterfly*, IndexingType newIndexingType);
 
     // Call this only if you are a JSGenericTypedArrayView or are clearing the butterfly.
     void setButterflyWithIndexingMask(VM&, Butterfly*, uint32_t indexingMask);
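Review bot: The comment above `nukeStructureAndSetButterfly` still only says when to call it and does not state the contract of the new `newIndexingType` parameter. The definition later in this file uses that value alone to decide whether `computeIndexingMask()` runs, so callers need to know which structure's type to pass. I would extend the comment with `// newIndexingType must be the indexing type of the structure the object will have once the caller finishes; it decides whether the butterfly's indexing mask is recomputed.`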
@@ -1265,7 +1265,7 @@
 
 inline void JSObject::setButterfly(VM& vm, Butterfly* butterfly)
 {
-    if (LIKELY(!structure(vm)->hijacksIndexingHeader())) {
+    if (hasIndexedProperties(indexingType())) {
         m_butterflyIndexingMask = butterfly->computeIndexingMask();
         ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
     }
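Review bot: When `hasIndexedProperties(indexingType())` is false, the visible part of `setButterfly` leaves `m_butterflyIndexingMask` at whatever the previous butterfly produced. The same holds for the `hasIndexedProperties(newIndexingType)` branch in the @@ -1280 hunk of `nukeStructureAndSetButterfly`. Both bodies continue outside their hunks, so this may be handled there. If not, either reset the mask on the other branch or add a comment such as `// Objects without indexed properties never consult m_butterflyIndexingMask, so a stale value is harmless.`, once that has been confirmed. `setButterfly` also reads the object's current indexing type, so it is only correct when the structure already matches the butterfly being installed, and that precondition deserves a one-line comment. The `ASSERT` against `vectorLength()` presumably compiles out of release builds, so the mask invariant is unchecked there.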
@@ -1280,9 +1280,9 @@
     m_butterfly.set(vm, this, butterfly);
 }
 
-inline void JSObject::nukeStructureAndSetButterfly(VM& vm, StructureID oldStructureID, Butterfly* butterfly)
+inline void JSObject::nukeStructureAndSetButterfly(VM& vm, StructureID oldStructureID, Butterfly* butterfly, IndexingType newIndexingType)
 {
-    if (LIKELY(!vm.getStructure(oldStructureID)->hijacksIndexingHeader())) {
+    if (hasIndexedProperties(newIndexingType)) {
         m_butterflyIndexingMask = butterfly->computeIndexingMask();
         ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
     }

Modified: trunk/Source/_javascript_Core/runtime/JSObjectInlines.h (225999 => 226000)


--- trunk/Source/_javascript_Core/runtime/JSObjectInlines.h	2017-12-16 17:57:09 UTC (rev 225999)
+++ trunk/Source/_javascript_Core/runtime/JSObjectInlines.h	2017-12-16 18:20:04 UTC (rev 226000)
@@ -185,7 +185,7 @@
             unsigned newOutOfLineCapacity = Structure::outOfLineCapacity(newLastOffset);
             if (newOutOfLineCapacity != oldOutOfLineCapacity) {
                 Butterfly* butterfly = allocateMoreOutOfLineStorage(vm, oldOutOfLineCapacity, newOutOfLineCapacity);
-                nukeStructureAndSetButterfly(vm, structureID, butterfly);
+                nukeStructureAndSetButterfly(vm, structureID, butterfly, structure->indexingType());
                 structure->setLastOffset(newLastOffset);
                 WTF::storeStoreFence();
                 setStructureIDDirectly(structureID);
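Review bot: This call passes `structure->indexingType()` rather than a new structure's type, which reads oddly next to a parameter named `newIndexingType`. The structure appears to be modified in place here (`setLastOffset`, then `setStructureIDDirectly(structureID)` restores the same ID), so the current type is also the final one, but that is not stated. A short comment such as `// Structure is updated in place, so its indexing type does not change.` would make the intent clear. The two call sites in JITOperations.cpp, which pass `object->indexingType()`, would benefit from the same comment. The enclosing function starts and ends outside this hunk.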
@@ -312,7 +312,7 @@
         if (currentCapacity != newStructure->outOfLineCapacity()) {
             ASSERT(newStructure != this->structure());
             newButterfly = allocateMoreOutOfLineStorage(vm, currentCapacity, newStructure->outOfLineCapacity());
-            nukeStructureAndSetButterfly(vm, structureID, newButterfly);
+            nukeStructureAndSetButterfly(vm, structureID, newButterfly, newStructure->indexingType());
         }
 
         validateOffset(offset);
@@ -366,7 +366,7 @@
     ASSERT(oldCapacity <= newCapacity);
     if (oldCapacity != newCapacity) {
         Butterfly* newButterfly = allocateMoreOutOfLineStorage(vm, oldCapacity, newCapacity);
-        nukeStructureAndSetButterfly(vm, structureID, newButterfly);
+        nukeStructureAndSetButterfly(vm, structureID, newButterfly, newStructure->indexingType());
     }
     putDirect(vm, offset, value);
     setStructure(vm, newStructure);