[webkit-changes] [232798] trunk/Source/JavaScriptCore

[utatane . tea]

Title: [232798] trunk/Source/_javascript_Core

Revision

232798

Author

utatane....@gmail.com

Date

2018-06-13 11:32:56 -0700 (Wed, 13 Jun 2018)

Log Message

[JSC] Always use Nuke & Set procedure for x86
https://bugs.webkit.org/show_bug.cgi?id=186592

Reviewed by Keith Miller.

We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
threads.

* runtime/JSObject.cpp:
(JSC::JSObject::convertContiguousToArrayStorage):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSObject.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (232797 => 232798)

--- trunk/Source/_javascript_Core/ChangeLog	2018-06-13 18:29:16 UTC (rev 232797)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-06-13 18:32:56 UTC (rev 232798)
@@ -1,3 +1,17 @@
+2018-06-13  Yusuke Suzuki  <utatane....@gmail.com>
+
+        [JSC] Always use Nuke & Set procedure for x86
+        https://bugs.webkit.org/show_bug.cgi?id=186592
+
+        Reviewed by Keith Miller.
+
+        We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
+        By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
+        threads.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::convertContiguousToArrayStorage):
+
 2018-06-12  Saam Barati  <sbar...@apple.com>
 
         Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (232797 => 232798)

--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2018-06-13 18:29:16 UTC (rev 232797)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2018-06-13 18:32:56 UTC (rev 232798)
@@ -1344,7 +1344,9 @@
             newStorage->m_numValuesInVector++;
     }
     
-    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
+    StructureID oldStructureID = this->structureID();
+    Structure* oldStructure = vm.getStructure(oldStructureID);
+    Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, transition);
 
     // This has a crazy race with the garbage collector. When changing the butterfly and structure,
     // the mutator always sets the structure last. The collector will always read the structure
@@ -1357,19 +1359,13 @@
     // because it will fail to decode two consecutive int32s as if it was a JSValue.
     //
     // Fortunately, we have the JSCell lock for this purpose!
+
+    Locker<JSCellLock> locker(NoLockingNecessary);
+    if (vm.heap.mutatorShouldBeFenced())
+        locker = holdLock(cellLock());
+    nukeStructureAndSetButterfly(vm, oldStructureID, newStorage->butterfly());
+    setStructure(vm, newStructure);
     
-    if (vm.heap.mutatorShouldBeFenced()) {
-        auto locker = holdLock(cellLock());
-        setStructureIDDirectly(nuke(structureID()));
-        WTF::storeStoreFence();
-        m_butterfly.set(vm, this, newStorage->butterfly());
-        WTF::storeStoreFence();
-        setStructure(vm, newStructure);
-    } else {
-        m_butterfly.set(vm, this, newStorage->butterfly());
-        setStructure(vm, newStructure);
-    }
-    
     return newStorage;
 }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes