Unreviewed, rolling out r201363 and r201456.
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 31 May 2016 22:35:23 +0000 (22:35 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 31 May 2016 22:35:23 +0000 (22:35 +0000)
https://bugs.webkit.org/show_bug.cgi?id=158240

"40% regression on date-format-xparb" (Requested by
keith_miller on #webkit).

Reverted changesets:

"LLInt should be able to cache prototype loads for values in
GetById"
https://bugs.webkit.org/show_bug.cgi?id=158032
http://trac.webkit.org/changeset/201363

"get_by_id should support caching unset properties in the
LLInt"
https://bugs.webkit.org/show_bug.cgi?id=158136
http://trac.webkit.org/changeset/201456

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201532 268f45cc-cd09-0410-ab3c-d52691b4dbfc

23 files changed:
Source/JavaScriptCore/CMakeLists.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/bytecode/BytecodeList.json
Source/JavaScriptCore/bytecode/BytecodeUseDef.h
Source/JavaScriptCore/bytecode/CodeBlock.cpp
Source/JavaScriptCore/bytecode/CodeBlock.h
Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp [deleted file]
Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h [deleted file]
Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp
Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGCapabilities.cpp
Source/JavaScriptCore/jit/JIT.cpp
Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
Source/JavaScriptCore/runtime/Options.h
Source/JavaScriptCore/tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js [deleted file]
Source/WTF/ChangeLog
Source/WTF/wtf/Bag.h

index 67c5027..61ab6f5 100644 (file)
@@ -202,7 +202,6 @@ set(JavaScriptCore_SOURCES
     bytecode/InlineCallFrame.cpp
     bytecode/InlineCallFrameSet.cpp
     bytecode/JumpTable.cpp
-    bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
     bytecode/LazyOperandValueProfile.cpp
     bytecode/MethodOfGettingAValueProfile.cpp
     bytecode/ObjectPropertyCondition.cpp
index e5baad9..4dcfb6a 100644 (file)
@@ -1,5 +1,25 @@
 2016-05-31  Commit Queue  <commit-queue@webkit.org>
 
+        Unreviewed, rolling out r201363 and r201456.
+        https://bugs.webkit.org/show_bug.cgi?id=158240
+
+        "40% regression on date-format-xparb" (Requested by
+        keith_miller on #webkit).
+
+        Reverted changesets:
+
+        "LLInt should be able to cache prototype loads for values in
+        GetById"
+        https://bugs.webkit.org/show_bug.cgi?id=158032
+        http://trac.webkit.org/changeset/201363
+
+        "get_by_id should support caching unset properties in the
+        LLInt"
+        https://bugs.webkit.org/show_bug.cgi?id=158136
+        http://trac.webkit.org/changeset/201456
+
+2016-05-31  Commit Queue  <commit-queue@webkit.org>
+
         Unreviewed, rolling out r201359.
         https://bugs.webkit.org/show_bug.cgi?id=158238
 
index 3d55d9b..4060d99 100644 (file)
                5BD3A06E1CAE35BF00F84BA3 /* JSAsyncFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = 5BD3A06D1CAE35BF00F84BA3 /* JSAsyncFunction.h */; };
                53917E7B1B7906FA000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = 53917E7A1B7906E4000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h */; };
                53F6BF6D1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
-               53FA2AE11CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = 53FA2AE01CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
-               53FA2AE31CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 53FA2AE21CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp */; };
                5D5D8AD10E0D0EBE00F9C692 /* libedit.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 5D5D8AD00E0D0EBE00F9C692 /* libedit.dylib */; };
                5DBB151B131D0B310056AD36 /* testapi.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 14D857740A4696C80032146C /* testapi.js */; };
                5DBB1525131D0BD70056AD36 /* minidom.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 1412110D0A48788700480255 /* minidom.js */; };
                53917E831B791CB8000EBD33 /* TypedArrayPrototype.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; name = TypedArrayPrototype.js; path = builtins/TypedArrayPrototype.js; sourceTree = SOURCE_ROOT; };
                53F256E11B87E28000B4B768 /* JSTypedArrayViewPrototype.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSTypedArrayViewPrototype.cpp; sourceTree = "<group>"; };
                53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InternalFunctionAllocationProfile.h; sourceTree = "<group>"; };
-               53FA2AE01CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LLIntPrototypeLoadAdaptiveStructureWatchpoint.h; sourceTree = "<group>"; };
-               53FA2AE21CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp; sourceTree = "<group>"; };
                593D43CCA0BBE06D89C59707 /* MapDataInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MapDataInlines.h; sourceTree = "<group>"; };
                5BD3A0611CAE325700F84BA3 /* AsyncFunctionConstructor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = AsyncFunctionConstructor.cpp; sourceTree = "<group>"; };
                5BD3A0621CAE325700F84BA3 /* AsyncFunctionConstructor.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AsyncFunctionConstructor.h; sourceTree = "<group>"; };
                                0FB5467814F5C468002C2989 /* LazyOperandValueProfile.cpp */,
                                0FB5467614F59AD1002C2989 /* LazyOperandValueProfile.h */,
                                0F0FC45814BD15F100B81154 /* LLIntCallLinkInfo.h */,
-                               53FA2AE21CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp */,
-                               53FA2AE01CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h */,
                                0FB5467C14F5CFD3002C2989 /* MethodOfGettingAValueProfile.cpp */,
                                0FB5467A14F5C7D4002C2989 /* MethodOfGettingAValueProfile.h */,
                                14CA958C16AB50FA00938A06 /* ObjectAllocationProfile.h */,
                                0FF7168C15A3B235008F5DAA /* PropertyOffset.h in Headers */,
                                BC18C4550E16F5CD00B34460 /* PropertySlot.h in Headers */,
                                0FB7F39C15ED8E4600F167B2 /* PropertyStorage.h in Headers */,
-                               53FA2AE11CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h in Headers */,
                                BC18C4560E16F5CD00B34460 /* Protect.h in Headers */,
                                1474C33B16AA2D950062F01D /* PrototypeMap.h in Headers */,
                                0F5780A218FE1E98001E72D9 /* PureNaN.h in Headers */,
                                65C02850171795E200351E35 /* ARMv7Disassembler.cpp in Sources */,
                                65C0285C1717966800351E35 /* ARMv7DOpcode.cpp in Sources */,
                                0F8335B71639C1E6001443B5 /* ArrayAllocationProfile.cpp in Sources */,
-                               53FA2AE31CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp in Sources */,
                                A7A8AF3417ADB5F3005AB174 /* ArrayBuffer.cpp in Sources */,
                                0FFC99D4184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.cpp in Sources */,
                                A7A8AF3617ADB5F3005AB174 /* ArrayBufferView.cpp in Sources */,
index 84af665..48301cd 100644 (file)
             { "name" : "op_is_object_or_null", "length" : 3 },
             { "name" : "op_is_function", "length" : 3 },
             { "name" : "op_in", "length" : 4 },
-            { "name" : "op_get_array_length", "length" : 9 },
+            { "name" : "op_try_get_by_id", "length" : 4 },
             { "name" : "op_get_by_id", "length" : 9  },
-            { "name" : "op_get_by_id_proto_load", "length" : 9 },
-            { "name" : "op_get_by_id_unset", "length" : 9 },
             { "name" : "op_get_by_id_with_this", "length" : 5 },
             { "name" : "op_get_by_val_with_this", "length" : 5 },
-            { "name" : "op_try_get_by_id", "length" : 4 },
+            { "name" : "op_get_array_length", "length" : 9 },
             { "name" : "op_put_by_id", "length" : 9 },
             { "name" : "op_put_by_id_with_this", "length" : 5 },
             { "name" : "op_del_by_id", "length" : 4 },
index 38cf30e..a3e80a8 100644 (file)
@@ -158,8 +158,6 @@ void computeUsesForBytecodeOffset(
     case op_to_primitive:
     case op_try_get_by_id:
     case op_get_by_id:
-    case op_get_by_id_proto_load:
-    case op_get_by_id_unset:
     case op_get_array_length:
     case op_typeof:
     case op_is_empty:
@@ -396,8 +394,6 @@ void computeDefsForBytecodeOffset(CodeBlock* codeBlock, BytecodeBasicBlock* bloc
     case op_construct:
     case op_try_get_by_id:
     case op_get_by_id:
-    case op_get_by_id_proto_load:
-    case op_get_by_id_unset:
     case op_get_by_id_with_this:
     case op_get_by_val_with_this:
     case op_get_array_length:
index dce0fd8..81fa4d5 100644 (file)
@@ -50,7 +50,6 @@
 #include "JSLexicalEnvironment.h"
 #include "JSModuleEnvironment.h"
 #include "LLIntEntrypoint.h"
-#include "LLIntPrototypeLoadAdaptiveStructureWatchpoint.h"
 #include "LowLevelInterpreter.h"
 #include "JSCInlines.h"
 #include "PCToCodeOriginMap.h"
@@ -346,12 +345,6 @@ void CodeBlock::printGetByIdOp(PrintStream& out, ExecState* exec, int location,
     case op_get_by_id:
         op = "get_by_id";
         break;
-    case op_get_by_id_proto_load:
-        op = "get_by_id_proto_load";
-        break;
-    case op_get_by_id_unset:
-        op = "get_by_id_unset";
-        break;
     case op_get_array_length:
         op = "array_length";
         break;
@@ -412,8 +405,6 @@ void CodeBlock::printGetByIdCacheStatus(PrintStream& out, ExecState* exec, int l
         out.printf(" llint(");
         dumpStructure(out, "struct", structure, ident);
         out.printf(")");
-        if (exec->interpreter()->getOpcodeID(instruction[0].u.opcode) == op_get_by_id_proto_load)
-            out.printf(" proto(%p)", instruction[6].u.pointer);
     }
 
 #if ENABLE(JIT)
@@ -1121,8 +1112,6 @@ void CodeBlock::dumpBytecode(
             break;
         }
         case op_get_by_id:
-        case op_get_by_id_proto_load:
-        case op_get_by_id_unset:
         case op_get_array_length: {
             printGetByIdOp(out, exec, location, it);
             printGetByIdCacheStatus(out, exec, location, stubInfos);
@@ -2773,15 +2762,14 @@ void CodeBlock::finalizeLLIntInlineCaches()
     for (size_t size = propertyAccessInstructions.size(), i = 0; i < size; ++i) {
         Instruction* curInstruction = &instructions()[propertyAccessInstructions[i]];
         switch (interpreter->getOpcodeID(curInstruction[0].u.opcode)) {
-        case op_get_by_id:
-        case op_get_by_id_proto_load:
-        case op_get_by_id_unset: {
+        case op_get_by_id: {
             StructureID oldStructureID = curInstruction[4].u.structureID;
             if (!oldStructureID || Heap::isMarked(m_vm->heap.structureIDTable().get(oldStructureID)))
                 break;
             if (Options::verboseOSR())
                 dataLogF("Clearing LLInt property access.\n");
-            clearLLIntGetByIdCache(curInstruction);
+            curInstruction[4].u.structureID = 0;
+            curInstruction[5].u.operand = 0;
             break;
         }
         case op_put_by_id: {
@@ -2855,12 +2843,6 @@ void CodeBlock::finalizeLLIntInlineCaches()
         }
     }
 
-    // We can't just remove all the sets when we clear the caches since we might have created a watchpoint set
-    // then cleared the cache without GCing in between.
-    m_llintGetByIdWatchpointMap.removeIf([](const StructureWatchpointMap::KeyValuePairType& pair) -> bool {
-        return !Heap::isMarked(pair.key);
-    });
-
     for (unsigned i = 0; i < m_llintCallLinkInfos.size(); ++i) {
         if (m_llintCallLinkInfos[i].isLinked() && !Heap::isMarked(m_llintCallLinkInfos[i].callee.get())) {
             if (Options::verboseOSR())
index 664ecfe..cbb8cf5 100644 (file)
@@ -56,7 +56,6 @@
 #include "JSGlobalObject.h"
 #include "JumpTable.h"
 #include "LLIntCallLinkInfo.h"
-#include "LLIntPrototypeLoadAdaptiveStructureWatchpoint.h"
 #include "LazyOperandValueProfile.h"
 #include "ObjectAllocationProfile.h"
 #include "Options.h"
@@ -679,9 +678,6 @@ public:
         return m_llintExecuteCounter;
     }
 
-    typedef HashMap<Structure*, Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint>> StructureWatchpointMap;
-    StructureWatchpointMap& llintGetByIdWatchpointMap() { return m_llintGetByIdWatchpointMap; }
-
     // Functions for controlling when tiered compilation kicks in. This
     // controls both when the optimizing compiler is invoked and when OSR
     // entry happens. Two triggers exist: the loop trigger and the return
@@ -1023,7 +1019,6 @@ private:
 
     RefCountedArray<LLIntCallLinkInfo> m_llintCallLinkInfos;
     SentinelLinkedList<LLIntCallLinkInfo, BasicRawSentinelNode<LLIntCallLinkInfo>> m_incomingLLIntCalls;
-    StructureWatchpointMap m_llintGetByIdWatchpointMap;
     RefPtr<JITCode> m_jitCode;
 #if ENABLE(JIT)
     std::unique_ptr<RegisterAtOffsetList> m_calleeSaveRegisters;
@@ -1314,14 +1309,6 @@ private:
 };
 #endif
 
-inline void clearLLIntGetByIdCache(Instruction* instruction)
-{
-    instruction[0].u.opcode = LLInt::getOpcode(op_get_by_id);
-    instruction[4].u.pointer = nullptr;
-    instruction[5].u.pointer = nullptr;
-    instruction[6].u.pointer = nullptr;
-}
-
 inline Register& ExecState::r(int index)
 {
     CodeBlock* codeBlock = this->codeBlock();
index bab2cb1..c69514c 100644 (file)
@@ -75,14 +75,8 @@ GetByIdStatus GetByIdStatus::computeFromLLInt(CodeBlock* profiledBlock, unsigned
     VM& vm = *profiledBlock->vm();
     
     Instruction* instruction = profiledBlock->instructions().begin() + bytecodeIndex;
-
-    Opcode opcode = instruction[0].u.opcode;
-
-    ASSERT(opcode == LLInt::getOpcode(op_get_array_length) || opcode == LLInt::getOpcode(op_try_get_by_id) || opcode == LLInt::getOpcode(op_get_by_id_proto_load) || opcode == LLInt::getOpcode(op_get_by_id) || opcode == LLInt::getOpcode(op_get_by_id_unset));
-
-    // FIXME: We should not just bail if we see a try_get_by_id or a get_by_id_proto_load.\ e
-    // https://bugs.webkit.org/show_bug.cgi?id=158039
-    if (opcode != LLInt::getOpcode(op_get_by_id))
+    
+    if (instruction[0].u.opcode == LLInt::getOpcode(op_get_array_length) || instruction[0].u.opcode == LLInt::getOpcode(op_try_get_by_id))
         return GetByIdStatus(NoInformation, false);
 
     StructureID structureID = instruction[4].u.structureID;
diff --git a/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp b/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
deleted file mode 100644 (file)
index 7ae2c0d..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "LLIntPrototypeLoadAdaptiveStructureWatchpoint.h"
-
-#include "CodeBlock.h"
-#include "Instruction.h"
-#include "StructureInlines.h"
-
-namespace JSC {
-
-LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint(const ObjectPropertyCondition& key, Instruction* getByIdInstruction)
-    : m_key(key)
-    , m_getByIdInstruction(getByIdInstruction)
-{
-    RELEASE_ASSERT(key.watchingRequiresStructureTransitionWatchpoint());
-    RELEASE_ASSERT(!key.watchingRequiresReplacementWatchpoint());
-}
-
-void LLIntPrototypeLoadAdaptiveStructureWatchpoint::install()
-{
-    RELEASE_ASSERT(m_key.isWatchable());
-
-    m_key.object()->structure()->addTransitionWatchpoint(this);
-}
-
-void LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal(const FireDetail& detail)
-{
-    if (m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
-        install();
-        return;
-    }
-
-    StringPrintStream out;
-    out.print("ObjectToStringValue Adaptation of ", m_key, " failed: ", detail);
-
-    StringFireDetail stringDetail(out.toCString().data());
-
-    clearLLIntGetByIdCache(m_getByIdInstruction);
-}
-
-} // namespace JSC
diff --git a/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h b/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h
deleted file mode 100644 (file)
index 2615e10..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef LLIntPrototypeLoadAdaptiveStructureWatchpoint_h
-#define LLIntPrototypeLoadAdaptiveStructureWatchpoint_h
-
-#include "Instruction.h"
-#include "ObjectPropertyCondition.h"
-#include "Watchpoint.h"
-
-namespace JSC {
-
-class LLIntPrototypeLoadAdaptiveStructureWatchpoint : public Watchpoint {
-public:
-    LLIntPrototypeLoadAdaptiveStructureWatchpoint(const ObjectPropertyCondition&, Instruction*);
-
-    void install();
-
-protected:
-    void fireInternal(const FireDetail&) override;
-
-private:
-    ObjectPropertyCondition m_key;
-    Instruction* m_getByIdInstruction;
-};
-
-} // namespace JSC
-
-#endif /* LLIntPrototypeLoadAdaptiveStructureWatchpoint_h */
index 05723ad..d570040 100644 (file)
@@ -167,18 +167,6 @@ void ObjectPropertyConditionSet::dump(PrintStream& out) const
     dumpInContext(out, nullptr);
 }
 
-bool ObjectPropertyConditionSet::isValidAndWatchable() const
-{
-    if (!isValid())
-        return false;
-
-    for (ObjectPropertyCondition condition : m_data->vector) {
-        if (!condition.isWatchable())
-            return false;
-    }
-    return true;
-}
-
 namespace {
 
 bool verbose = false;
@@ -266,11 +254,9 @@ ObjectPropertyConditionSet generateConditions(
         // Since we're accessing a prototype repeatedly, it's a good bet that it should not be
         // treated as a dictionary.
         if (structure->isDictionary()) {
-            if (concurrency == MainThread) {
-                if (verbose)
-                    dataLog("Flattening ", pointerDump(structure));
+            if (concurrency == MainThread)
                 structure->flattenDictionaryStructure(vm, object);
-            else {
+            else {
                 if (verbose)
                     dataLog("Cannot flatten dictionary when not on main thread, so invalid.\n");
                 return ObjectPropertyConditionSet::invalid();
index 01ce1a8..76e8a9c 100644 (file)
@@ -67,8 +67,6 @@ public:
     {
         return !m_data || !m_data->vector.isEmpty();
     }
-
-    bool isValidAndWatchable() const;
     
     bool isEmpty() const
     {
index 59d3677..60b1168 100644 (file)
@@ -2499,7 +2499,7 @@ RegisterID* BytecodeGenerator::emitGetById(RegisterID* dst, RegisterID* base, co
     instructions().append(0);
     instructions().append(0);
     instructions().append(0);
-    instructions().append(Options::prototypeHitCountForLLIntCaching());
+    instructions().append(0);
     instructions().append(profile);
     return dst;
 }
index 482bd0b..fa5e7e0 100644 (file)
@@ -4081,8 +4081,6 @@ bool ByteCodeParser::parseBlock(unsigned limit)
         }
 
         case op_get_by_id:
-        case op_get_by_id_proto_load:
-        case op_get_by_id_unset:
         case op_get_array_length: {
             SpeculatedType prediction = getPrediction();
             
index 8eaba38..b9c4592 100644 (file)
@@ -154,8 +154,6 @@ CapabilityLevel capabilityLevel(OpcodeID opcodeID, CodeBlock* codeBlock, Instruc
     case op_put_by_val_direct:
     case op_try_get_by_id:
     case op_get_by_id:
-    case op_get_by_id_proto_load:
-    case op_get_by_id_unset:
     case op_get_by_id_with_this:
     case op_get_by_val_with_this:
     case op_get_array_length:
index 477c404..a4765ae 100644 (file)
@@ -240,8 +240,6 @@ void JIT::privateCompileMainPass()
         DEFINE_OP(op_eq_null)
         DEFINE_OP(op_try_get_by_id)
         case op_get_array_length:
-        case op_get_by_id_proto_load:
-        case op_get_by_id_unset:
         DEFINE_OP(op_get_by_id)
         DEFINE_OP(op_get_by_id_with_this)
         DEFINE_OP(op_get_by_val)
@@ -425,8 +423,6 @@ void JIT::privateCompileSlowCases()
         DEFINE_SLOWCASE_OP(op_eq)
         DEFINE_SLOWCASE_OP(op_try_get_by_id)
         case op_get_array_length:
-        case op_get_by_id_proto_load:
-        case op_get_by_id_unset:
         DEFINE_SLOWCASE_OP(op_get_by_id)
         DEFINE_SLOWCASE_OP(op_get_by_val)
         DEFINE_SLOWCASE_OP(op_instanceof)
index 7444241..1137961 100644 (file)
@@ -53,7 +53,6 @@
 #include "LLIntExceptions.h"
 #include "LowLevelInterpreter.h"
 #include "ObjectConstructor.h"
-#include "ObjectPropertyConditionSet.h"
 #include "ProtoCallFrame.h"
 #include "ShadowChicken.h"
 #include "StructureRareDataInlines.h"
@@ -582,53 +581,6 @@ LLINT_SLOW_PATH_DECL(slow_path_try_get_by_id)
     LLINT_RETURN(slot.getPureResult());
 }
 
-static void setupGetByIdPrototypeCache(ExecState* exec, VM& vm, Instruction* pc, JSCell* baseCell, PropertySlot& slot, const Identifier& ident)
-{
-    CodeBlock* codeBlock = exec->codeBlock();
-    Structure* structure = baseCell->structure();
-
-    if (structure->typeInfo().prohibitsPropertyCaching() || structure->isDictionary())
-        return;
-
-    ObjectPropertyConditionSet conditions;
-    if (slot.isUnset())
-        conditions = generateConditionsForPropertyMiss(vm, codeBlock, exec, structure, ident.impl());
-    else
-        conditions = generateConditionsForPrototypePropertyHit(vm, codeBlock, exec, structure, slot.slotBase(), ident.impl());
-
-    if (!conditions.isValid())
-        return;
-
-    PropertyOffset offset = invalidOffset;
-    CodeBlock::StructureWatchpointMap& watchpointMap = codeBlock->llintGetByIdWatchpointMap();
-    auto result = watchpointMap.add(structure, Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint>());
-    for (ObjectPropertyCondition condition : conditions) {
-        if (!condition.isWatchable())
-            return;
-        if (condition.condition().kind() == PropertyCondition::Presence)
-            offset = condition.condition().offset();
-        result.iterator->value.add(condition, pc)->install();
-    }
-    ASSERT((offset == invalidOffset) == slot.isUnset());
-
-    ConcurrentJITLocker locker(codeBlock->m_lock);
-
-    if (slot.isUnset()) {
-        pc[0].u.opcode = LLInt::getOpcode(op_get_by_id_unset);
-        pc[4].u.structureID = structure->id();
-        return;
-    }
-    ASSERT(slot.isValue());
-
-    pc[0].u.opcode = LLInt::getOpcode(op_get_by_id_proto_load);
-    pc[4].u.structureID = structure->id();
-    pc[5].u.operand = offset;
-    // We know that this pointer will remain valid because it will be cleared by either a watchpoint fire or
-    // during GC when we clear the LLInt caches.
-    pc[6].u.pointer = slot.slotBase();
-}
-
-
 LLINT_SLOW_PATH_DECL(slow_path_get_by_id)
 {
     LLINT_BEGIN();
@@ -643,43 +595,37 @@ LLINT_SLOW_PATH_DECL(slow_path_get_by_id)
     
     if (!LLINT_ALWAYS_ACCESS_SLOW
         && baseValue.isCell()
-        && slot.isCacheable()) {
-
+        && slot.isCacheable()
+        && slot.slotBase() == baseValue
+        && slot.isCacheableValue()) {
+        
         JSCell* baseCell = baseValue.asCell();
         Structure* structure = baseCell->structure();
-        if (slot.isValue() && slot.slotBase() == baseValue) {
-            // Start out by clearing out the old cache.
-            pc[0].u.opcode = LLInt::getOpcode(op_get_by_id);
-            pc[4].u.pointer = nullptr; // old structure
-            pc[5].u.pointer = nullptr; // offset
-
-            // Prevent the prototype cache from ever happening.
-            pc[7].u.operand = 0;
         
-            if (structure->propertyAccessesAreCacheable()) {
-                vm.heap.writeBarrier(codeBlock);
-                
-                ConcurrentJITLocker locker(codeBlock->m_lock);
-
-                pc[4].u.structureID = structure->id();
-                pc[5].u.operand = slot.cachedOffset();
-            }
-        } else if (UNLIKELY(pc[7].u.operand && (slot.isValue() || slot.isUnset()))) {
-            ASSERT(slot.slotBase() != baseValue);
+        // Start out by clearing out the old cache.
+        pc[0].u.opcode = LLInt::getOpcode(op_get_by_id);
+        pc[4].u.pointer = nullptr; // old structure
+        pc[5].u.pointer = nullptr; // offset
+        
+        if (!structure->isUncacheableDictionary()
+            && !structure->typeInfo().prohibitsPropertyCaching()
+            && !structure->typeInfo().newImpurePropertyFiresWatchpoints()) {
+            vm.heap.writeBarrier(codeBlock);
+            
+            ConcurrentJITLocker locker(codeBlock->m_lock);
 
-            if (!(--pc[7].u.operand))
-                setupGetByIdPrototypeCache(exec, vm, pc, baseCell, slot, ident);
+            pc[4].u.structureID = structure->id();
+            pc[5].u.operand = slot.cachedOffset();
         }
-    } else if (!LLINT_ALWAYS_ACCESS_SLOW
+    }
+
+    if (!LLINT_ALWAYS_ACCESS_SLOW
         && isJSArray(baseValue)
         && ident == exec->propertyNames().length) {
         pc[0].u.opcode = LLInt::getOpcode(op_get_array_length);
         ArrayProfile* arrayProfile = codeBlock->getOrAddArrayProfile(pc - codeBlock->instructions().begin());
         arrayProfile->observeStructure(baseValue.asCell()->structure());
         pc[4].u.arrayProfile = arrayProfile;
-
-        // Prevent the prototype cache from ever happening.
-        pc[7].u.operand = 0;
     }
 
     pc[OPCODE_LENGTH(op_get_by_id) - 1].u.profile->m_buckets[0] = JSValue::encode(result);
index f5f7560..52e0b45 100644 (file)
@@ -1334,12 +1334,10 @@ end
 
 
 # We only do monomorphic get_by_id caching for now, and we do not modify the
-# opcode for own properties. We also allow for the cache to change anytime it fails,
-# since ping-ponging is free. At best we get lucky and the get_by_id will continue
+# opcode. We do, however, allow for the cache to change anytime if fails, since
+# ping-ponging is free. At best we get lucky and the get_by_id will continue
 # to take fast path on the new cache. At worst we take slow path, which is what
-# we would have been doing anyway. For prototype/unset properties, we will attempt to
-# convert opcode into a get_by_id_proto_load/get_by_id_unset, respectively, after an
-# execution counter hits zero.
+# we would have been doing anyway.
 
 _llint_op_get_by_id:
     traceExecution()
@@ -1360,43 +1358,6 @@ _llint_op_get_by_id:
     dispatch(9)
 
 
-_llint_op_get_by_id_proto_load:
-    traceExecution()
-    loadi 8[PC], t0
-    loadi 16[PC], t1
-    loadConstantOrVariablePayload(t0, CellTag, t3, .opGetByIdProtoSlow)
-    loadi 20[PC], t2
-    bineq JSCell::m_structureID[t3], t1, .opGetByIdProtoSlow
-    loadpFromInstruction(6, t3)
-    loadPropertyAtVariableOffset(t2, t3, t0, t1)
-    loadi 4[PC], t2
-    storei t0, TagOffset[cfr, t2, 8]
-    storei t1, PayloadOffset[cfr, t2, 8]
-    valueProfile(t0, t1, 32, t2)
-    dispatch(9)
-
-.opGetByIdProtoSlow:
-    callSlowPath(_llint_slow_path_get_by_id)
-    dispatch(9)
-
-
-_llint_op_get_by_id_unset:
-    traceExecution()
-    loadi 8[PC], t0
-    loadi 16[PC], t1
-    loadConstantOrVariablePayload(t0, CellTag, t3, .opGetByIdUnsetSlow)
-    bineq JSCell::m_structureID[t3], t1, .opGetByIdUnsetSlow
-    loadi 4[PC], t2
-    storei UndefinedTag, TagOffset[cfr, t2, 8]
-    storei 0, PayloadOffset[cfr, t2, 8]
-    valueProfile(UndefinedTag, 0, 32, t2)
-    dispatch(9)
-
-.opGetByIdUnsetSlow:
-    callSlowPath(_llint_slow_path_get_by_id)
-    dispatch(9)
-
-
 _llint_op_get_array_length:
     traceExecution()
     loadi 8[PC], t0
index b9c17a5..46e5616 100644 (file)
@@ -1232,43 +1232,6 @@ _llint_op_get_by_id:
     dispatch(9)
 
 
-_llint_op_get_by_id_proto_load:
-    traceExecution()
-    loadisFromInstruction(2, t0)
-    loadConstantOrVariableCell(t0, t3, .opGetByIdProtoSlow)
-    loadi JSCell::m_structureID[t3], t1
-    loadisFromInstruction(4, t2)
-    bineq t2, t1, .opGetByIdProtoSlow
-    loadisFromInstruction(5, t1)
-    loadpFromInstruction(6, t3)
-    loadisFromInstruction(1, t2)
-    loadPropertyAtVariableOffset(t1, t3, t0)
-    storeq t0, [cfr, t2, 8]
-    valueProfile(t0, 8, t1)
-    dispatch(9)
-
-.opGetByIdProtoSlow:
-    callSlowPath(_llint_slow_path_get_by_id)
-    dispatch(9)
-
-
-_llint_op_get_by_id_unset:
-    traceExecution()
-    loadisFromInstruction(2, t0)
-    loadConstantOrVariableCell(t0, t3, .opGetByIdUnsetSlow)
-    loadi JSCell::m_structureID[t3], t1
-    loadisFromInstruction(4, t2)
-    bineq t2, t1, .opGetByIdUnsetSlow
-    loadisFromInstruction(1, t2)
-    storeq ValueUndefined, [cfr, t2, 8]
-    valueProfile(ValueUndefined, 8, t1)
-    dispatch(9)
-
-.opGetByIdUnsetSlow:
-    callSlowPath(_llint_slow_path_get_by_id)
-    dispatch(9)
-
-
 _llint_op_get_array_length:
     traceExecution()
     loadisFromInstruction(2, t0)
index 5d92d5d..9b4bb19 100644 (file)
@@ -362,8 +362,6 @@ typedef const char* optionString;
     \
     v(bool, useICStats, false, Normal, nullptr) \
     \
-    v(unsigned, prototypeHitCountForLLIntCaching, 2, Normal, "Number of prototype property hits before caching a prototype in the LLInt. A count of 0 means never cache.") \
-    \
     v(bool, dumpModuleRecord, false, Normal, nullptr) \
     v(bool, dumpModuleLoadingState, false, Normal, nullptr) \
     v(bool, exposeInternalModuleLoader, false, Normal, "expose the internal module loader object to the global space for debugging") \
diff --git a/Source/JavaScriptCore/tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js b/Source/JavaScriptCore/tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js
deleted file mode 100644 (file)
index 44a27e1..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-
-expected = Object.prototype.toString;
-foo = {foo: 1, bar: 20};
-delete foo.bar;
-
-
-function test() {
-    let toString = foo.toString;
-    if (toString !== expected)
-        throw new Error();
-}
-
-for (i = 0; i < 10; i++)
-    test();
-
-foo.toString = 100;
-expected = 100;
-
-test();
index 55ad359..c5aa505 100644 (file)
@@ -1,3 +1,23 @@
+2016-05-31  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r201363 and r201456.
+        https://bugs.webkit.org/show_bug.cgi?id=158240
+
+        "40% regression on date-format-xparb" (Requested by
+        keith_miller on #webkit).
+
+        Reverted changesets:
+
+        "LLInt should be able to cache prototype loads for values in
+        GetById"
+        https://bugs.webkit.org/show_bug.cgi?id=158032
+        http://trac.webkit.org/changeset/201363
+
+        "get_by_id should support caching unset properties in the
+        LLInt"
+        https://bugs.webkit.org/show_bug.cgi?id=158136
+        http://trac.webkit.org/changeset/201456
+
 2016-05-31  Brady Eidson  <beidson@apple.com>
 
         Make createCrossThreadTask() functions return on the stack instead of the heap.
index 52040c5..db51132 100644 (file)
@@ -48,22 +48,9 @@ private:
     
 public:
     Bag()
+        : m_head(nullptr)
     {
     }
-
-    Bag(Bag<T>&& other)
-    {
-        ASSERT(!m_head);
-        m_head = other.m_head;
-        other.m_head = nullptr;
-    }
-
-    Bag& operator=(Bag<T>&& other)
-    {
-        m_head = other.m_head;
-        other.m_head = nullptr;
-        return *this;
-    }
     
     ~Bag()
     {
@@ -134,7 +121,7 @@ public:
     bool isEmpty() const { return !m_head; }
     
 private:
-    Node* m_head { nullptr };
+    Node* m_head;
 };
 
 } // namespace WTF