[webkit-changes] [WebKit/WebKit] db8a1f: [JSC] TypedArray can stop [[Prototype]] lookup chain

Yusuke Suzuki noreply at github.com
Thu Sep 8 00:08:15 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: db8a1fe47e0e2fce54a4d48a7f1fcc0ffbef5cf6
      https://github.com/WebKit/WebKit/commit/db8a1fe47e0e2fce54a4d48a7f1fcc0ffbef5cf6
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2022-09-08 (Thu, 08 Sep 2022)

  Changed paths:
    A JSTests/stress/poly-proto-typed-array-case.js
    M Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp
    M Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h
    M Source/JavaScriptCore/bytecode/PolyProtoAccessChain.cpp
    M Source/JavaScriptCore/bytecode/PolyProtoAccessChain.h
    M Source/JavaScriptCore/bytecode/Repatch.cpp
    M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
    M Source/JavaScriptCore/runtime/JSObjectInlines.h
    M Source/JavaScriptCore/runtime/PropertyName.h
    M Source/JavaScriptCore/runtime/StructureRareData.cpp

  Log Message:
  -----------
  [JSC] TypedArray can stop [[Prototype]] lookup chain
https://bugs.webkit.org/show_bug.cgi?id=244903
rdar://99644213

Reviewed by Alexey Shvayka and Justin Michaud.

According to the spec[1], TypedArray has the ability to stop [[Prototype]] traversal for numeric index strings (e.g. "0.1").
Thus we should align the IC's traversal with this behavior, which is already implemented in JSObject::getPropertySlot.
This patch threads the property name through and checks for this abruption in the prototype traversal code for ICs if the structure is a TypedArray.

[1]: https://262.ecma-international.org/9.0/#_ref_2826

* JSTests/stress/poly-proto-typed-array-case.js: Added.
(bar.Foo):
(bar):
* Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionsForPropertyMiss):
(JSC::generateConditionsForPropertySetterMiss):
(JSC::generateConditionsForIndexedMiss):
(JSC::generateConditionsForPrototypePropertyHit):
(JSC::generateConditionsForPrototypePropertyHitCustom):
(JSC::generateConditionsForInstanceOf):
(JSC::generateConditionsForPrototypeEquivalenceConcurrently):
(JSC::generateConditionsForPropertyMissConcurrently):
(JSC::generateConditionsForPropertySetterMissConcurrently):
(JSC::prepareChainForCaching):
* Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h:
* Source/JavaScriptCore/bytecode/PolyProtoAccessChain.cpp:
(JSC::PolyProtoAccessChain::tryCreate):
* Source/JavaScriptCore/bytecode/PolyProtoAccessChain.h:
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::tryCacheGetBy):
(JSC::tryCacheArrayGetByVal):
(JSC::tryCachePutBy):
(JSC::tryCacheInBy):
(JSC::tryCacheInstanceOf):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setupGetByIdPrototypeCache):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
(JSC::JSGenericTypedArrayView<Adaptor>::put):
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
(JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
* Source/JavaScriptCore/runtime/JSObjectInlines.h:
(JSC::JSObject::getNonIndexPropertySlot):
* Source/JavaScriptCore/runtime/PropertyName.h:
(JSC::isCanonicalNumericIndexString):
* Source/JavaScriptCore/runtime/StructureRareData.cpp:
(JSC::StructureRareData::cacheSpecialPropertySlow):

Canonical link: https://commits.webkit.org/254264@main
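The spec rule the commit message refers to, shown as an added JavaScript example that is not part of the WebKit change: a property placed on Object.prototype under a CanonicalNumericIndexString (such as "0.1") is never observed through a TypedArray, while an ordinary array still falls through to the prototype. The `isCanonicalNumericIndexString` and `probe` helpers are written here for illustration; the example assumes Node.js/V8, which implements the same spec behaviour, and its warm-up loop only exercises whatever inline caches the host engine has.

```javascript
// Spec CanonicalNumericIndexString(s): "-0" is canonical; otherwise s is
// canonical iff ToString(ToNumber(s)) === s. Same rule JSC's
// isCanonicalNumericIndexString implements (helper written for this example).
function isCanonicalNumericIndexString(s) {
  if (s === "-0") return true;
  return String(Number(s)) === s;
}

// Single property read in its own function so the engine's inline cache for
// this site sees both a TypedArray and an ordinary array receiver.
function read(receiver, key) {
  return receiver[key];
}

// Install a probe property on Object.prototype under `key`, read it back
// through a typed array and an ordinary array, repeat the reads so any
// IC fast path is exercised, and report whether every read agreed with
// the first (the class of bug the commit fixes is an IC prototype walk
// disagreeing with the slow path). The property is removed afterwards.
function probe(key, iterations = 2000) {
  Object.defineProperty(Object.prototype, key, {
    value: "from-prototype", configurable: true, writable: true,
  });
  try {
    const ta = new Uint8Array(2);   // indices 0 and 1 are the only own keys
    const arr = [1, 2];
    const first = { typedArray: read(ta, key), array: read(arr, key) };
    let consistent = true;
    for (let i = 0; i < iterations; i++) {
      if (read(ta, key) !== first.typedArray || read(arr, key) !== first.array) {
        consistent = false;
      }
    }
    return {
      canonical: isCanonicalNumericIndexString(key),
      typedArrayGet: first.typedArray, // undefined when key is canonical numeric
      typedArrayIn: key in ta,         // false when key is canonical numeric
      arrayGet: first.array,           // always "from-prototype"
      consistent,
    };
  } finally {
    delete Object.prototype[key];
  }
}
```

Keys such as "01" or "foo" are not canonical, so the typed array does walk up to Object.prototype for them, exactly as an ordinary object would.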
