JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
author    mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 16 Jan 2019 18:10:44 +0000 (18:10 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 16 Jan 2019 18:10:44 +0000 (18:10 +0000)
commit    13798919218f40b62b2e36af176363ecea0dfebf
tree      0b9650a4c57113ff88c7ccc28cfd4955cf5819c1
parent    ec78a74605cd99483994138b063c4dcca94cb881
JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
https://bugs.webkit.org/show_bug.cgi?id=193423
<rdar://problem/46209355>

Reviewed by Saam Barati.

JSTests:

* microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
* stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
* stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
* stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.

Source/JavaScriptCore:

JSFunction::canUseAllocationProfile() should return false for most builtins
because the majority of them have no prototype property.  The only exception to
this is the few builtin functions that are explicitly used as constructors.

For these builtin constructors, JSFunction::canUseAllocationProfile() should also
return false if the prototype property is a getter or custom getter because
getting the prototype would then be effectful.

* dfg/DFGOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::canUseAllocationProfile):
* runtime/PropertySlot.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240040 268f45cc-cd09-0410-ab3c-d52691b4dbfc
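The invariant the commit message describes, as an added example that is not part of this commit, of the WebKit tests it lists, or of JavaScriptCore: reading a constructor's `prototype` during `new` can be effectful, so an engine that caches the allocation shape must still let that read happen exactly once per construction, and must not cache anything for builtins that own no `prototype` at all. Because an ordinary function's `prototype` is a non-configurable data property, the example uses a Proxy `get` trap (an assumption standing in for the getter or custom getter in the commit) to count the reads; `makeCountingConstructor`, `prototypeReadsPerNew`, `builtinPrototypeReadsPerNew` and `nonConstructorBuiltinBehaviour` are names chosen here. It also generalizes beyond the commit's builtin-only case by routing a builtin constructor (`Array`) through `Reflect.construct` with the counting constructor as `newTarget`.

```javascript
'use strict';
// Added example, not code from the WebKit commit. Observes how often a
// constructor's `prototype` property is read while constructing with `new`.
// A Proxy `get` trap (assumption) stands in for an effectful prototype getter.

function makeCountingConstructor(target) {
  const state = { reads: 0 };
  const proxy = new Proxy(target, {
    get(t, key, receiver) {
      if (key === 'prototype') state.reads += 1; // every observable read is counted
      return Reflect.get(t, key, receiver);
    },
  });
  return { proxy, target, state };
}

// Construct `n` times through the proxy; per spec the `prototype` read happens
// once per `new`, so the expected result is exactly `n`.
function prototypeReadsPerNew(n) {
  const { proxy, state } = makeCountingConstructor(function Ctor() {});
  for (let i = 0; i < n; i++) new proxy();
  return state.reads;
}

// Same check routed through a builtin constructor: Array derives the new
// object's [[Prototype]] from newTarget, so the read is observable there too.
function builtinPrototypeReadsPerNew(n) {
  const { proxy, target, state } = makeCountingConstructor(function NewTarget() {});
  let inheritsFromNewTarget = true;
  for (let i = 0; i < n; i++) {
    const arr = Reflect.construct(Array, [], proxy);
    // Compare against the unproxied target so this check adds no extra read.
    inheritsFromNewTarget =
      inheritsFromNewTarget && Object.getPrototypeOf(arr) === target.prototype;
  }
  return { reads: state.reads, inheritsFromNewTarget };
}

// Most builtin functions are not constructors and own no `prototype`; there is
// nothing to cache for them, and `new` must reject them with a TypeError.
function nonConstructorBuiltinBehaviour() {
  const fn = Array.prototype.map; // constructed sample: a typical non-constructor builtin
  let threw = false;
  try {
    new fn();
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return {
    hasOwnPrototype: Object.prototype.hasOwnProperty.call(fn, 'prototype'),
    threw,
  };
}

console.log(prototypeReadsPerNew(5));            // 5
console.log(builtinPrototypeReadsPerNew(7));     // { reads: 7, inheritsFromNewTarget: true }
console.log(nonConstructorBuiltinBehaviour());   // { hasOwnPrototype: false, threw: true }
```

Running the loops hot is the interesting part: once the engine tiers up, the counts must still match the iteration count, which is exactly what the commit's "once per new" tests check for JavaScriptCore's allocation profile.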
JSTests/ChangeLog
JSTests/microbenchmarks/sinkable-new-object-with-builtin-constructor.js [new file with mode: 0644]
JSTests/stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js [new file with mode: 0644]
JSTests/stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js [new file with mode: 0644]
JSTests/stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/JSFunctionInlines.h
Source/JavaScriptCore/runtime/PropertySlot.h