<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[183113] trunk/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/183113">183113</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2015-04-22 10:39:44 -0700 (Wed, 22 Apr 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>Don't de-allocate FunctionRareData
https://bugs.webkit.org/show_bug.cgi?id=144000

Patch by Basile Clement &lt;basile_clement@apple.com&gt; on 2015-04-22
Reviewed by Michael Saboff.

A function rare data (containing most notably its allocation profile) is currently
freed and re-allocated each time the function's prototype is cleared.
This is not optimal as it means we are invalidating the watchpoint and recompiling the
scope each time the prototype is cleared.

This makes it so that a single rare data is reused, clearing the underlying
ObjectAllocationProfile instead of throwing away the whole rare data on
.prototype updates.

* runtime/FunctionRareData.cpp:
(JSC::FunctionRareData::create):
(JSC::FunctionRareData::finishCreation):
* runtime/FunctionRareData.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::allocateAndInitializeRareData):
(JSC::JSFunction::initializeRareData):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodes32_64cpp">trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionRareDatacpp">trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionRareDatah">trunk/Source/JavaScriptCore/runtime/FunctionRareData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctioncpp">trunk/Source/JavaScriptCore/runtime/JSFunction.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctionh">trunk/Source/JavaScriptCore/runtime/JSFunction.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/ChangeLog        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -1,3 +1,27 @@
</span><ins>+2015-04-22  Basile Clement  &lt;basile_clement@apple.com&gt;

+        Don't de-allocate FunctionRareData
+        https://bugs.webkit.org/show_bug.cgi?id=144000
+
+        Reviewed by Michael Saboff.
+
+        A function rare data (containing most notably its allocation profile) is currently
+        freed and re-allocated each time the function's prototype is cleared.
+        This is not optimal as it means we are invalidating the watchpoint and recompiling the
+        scope each time the prototype is cleared.
+
+        This makes it so that a single rare data is reused, clearing the underlying
+        ObjectAllocationProfile instead of throwing away the whole rare data on
+        .prototype updates.
+
+        * runtime/FunctionRareData.cpp:
+        (JSC::FunctionRareData::create):
+        (JSC::FunctionRareData::finishCreation):
+        * runtime/FunctionRareData.h:
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::allocateAndInitializeRareData):
+        (JSC::JSFunction::initializeRareData):
+
</ins><span class="cx"> 2015-04-21  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Unreviewed, fix 32-bit. Forgot to make this simple change to 32_64 as well.
</span></span></pre></div>
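Review bot: The file list in the new ChangeLog entry is incomplete. It names only runtime/FunctionRareData.cpp, runtime/FunctionRareData.h and runtime/JSFunction.cpp, while this revision also modifies dfg/DFGSpeculativeJIT32_64.cpp, dfg/DFGSpeculativeJIT64.cpp, jit/JITOpcodes.cpp, jit/JITOpcodes32_64.cpp, both LowLevelInterpreter .asm files and runtime/JSFunction.h. The function list also omits the newly added FunctionRareData::initialize and FunctionRareData::clear. Regenerate the entry so the null-allocator checks added to the create_this fast paths are recorded, and state in the description that a cleared profile is now a reachable state those paths must handle.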
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -3513,6 +3513,7 @@
</span><span class="cx">         slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
</span><span class="cx">         m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
</span><span class="cx">         m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
</span><ins>+        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR));
</ins><span class="cx">         emitAllocateJSObject(resultGPR, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
</span><span class="cx"> 
</span><span class="cx">         addSlowPathGenerator(slowPathCall(slowPath, this, operationCreateThis, resultGPR, calleeGPR, node-&gt;inlineCapacity()));
</span></span></pre></div>
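Review bot: The added slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR)) carries no comment explaining why a non-null rare data can now have a null allocator. The baseline JIT slow path in this same revision labels its cases ("doesn't have rare data", "doesn't have an allocation profile"); a matching one-line comment here would make it clear that this branch is what keeps emitAllocateJSObject from running on a cleared profile. The check could also sit directly after the allocator load, before the structure load, since the structure is not needed when the branch is taken. The same applies to the identical line in DFGSpeculativeJIT64.cpp.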
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -3584,6 +3584,7 @@
</span><span class="cx">         slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
</span><span class="cx">         m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
</span><span class="cx">         m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
</span><ins>+        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR));
</ins><span class="cx">         emitAllocateJSObject(resultGPR, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
</span><span class="cx"> 
</span><span class="cx">         addSlowPathGenerator(slowPathCall(slowPath, this, operationCreateThis, resultGPR, calleeGPR, node-&gt;inlineCapacity()));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -706,6 +706,7 @@
</span><span class="cx">     addSlowCase(branchTestPtr(Zero, rareDataReg));
</span><span class="cx">     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
</span><span class="cx">     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
</span><ins>+    addSlowCase(branchTestPtr(Zero, allocatorReg));
</ins><span class="cx"> 
</span><span class="cx">     emitAllocateJSObject(allocatorReg, structureReg, resultReg, scratchReg);
</span><span class="cx">     emitPutVirtualRegister(currentInstruction[1].u.operand);
</span><span class="lines">@@ -713,6 +714,7 @@
</span><span class="cx"> 
</span><span class="cx"> void JIT::emitSlow_op_create_this(Instruction* currentInstruction, Vector&lt;SlowCaseEntry&gt;::iterator&amp; iter)
</span><span class="cx"> {
</span><ins>+    linkSlowCase(iter); // doesn't have rare data
</ins><span class="cx">     linkSlowCase(iter); // doesn't have an allocation profile
</span><span class="cx">     linkSlowCase(iter); // allocation failed
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodes32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -925,6 +925,7 @@
</span><span class="cx">     addSlowCase(branchTestPtr(Zero, rareDataReg));
</span><span class="cx">     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
</span><span class="cx">     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
</span><ins>+    addSlowCase(branchTestPtr(Zero, allocatorReg));
</ins><span class="cx"> 
</span><span class="cx">     emitAllocateJSObject(allocatorReg, structureReg, resultReg, scratchReg);
</span><span class="cx">     emitStoreCell(currentInstruction[1].u.operand, resultReg);
</span><span class="lines">@@ -932,6 +933,7 @@
</span><span class="cx"> 
</span><span class="cx"> void JIT::emitSlow_op_create_this(Instruction* currentInstruction, Vector&lt;SlowCaseEntry&gt;::iterator&amp; iter)
</span><span class="cx"> {
</span><ins>+    linkSlowCase(iter); // doesn't have rare data
</ins><span class="cx">     linkSlowCase(iter); // doesn't have an allocation profile
</span><span class="cx">     linkSlowCase(iter); // allocation failed
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -744,6 +744,7 @@
</span><span class="cx">     btpz t4, .opCreateThisSlow
</span><span class="cx">     loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_allocator[t4], t1
</span><span class="cx">     loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_structure[t4], t2
</span><ins>+    btpz t1, .opCreateThisSlow
</ins><span class="cx">     allocateJSObject(t1, t2, t0, t3, .opCreateThisSlow)
</span><span class="cx">     loadi 4[PC], t1
</span><span class="cx">     storei CellTag, TagOffset[cfr, t1, 8]
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -630,6 +630,7 @@
</span><span class="cx">     btpz t4, .opCreateThisSlow
</span><span class="cx">     loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_allocator[t4], t1
</span><span class="cx">     loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_structure[t4], t2
</span><ins>+    btpz t1, .opCreateThisSlow
</ins><span class="cx">     allocateJSObject(t1, t2, t0, t3, .opCreateThisSlow)
</span><span class="cx">     loadisFromInstruction(1, t1)
</span><span class="cx">     storeq t0, [cfr, t1, 8]
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionRareDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -80,7 +80,18 @@
</span><span class="cx"> void FunctionRareData::finishCreation(VM&amp; vm, JSObject* prototype, size_t inlineCapacity)
</span><span class="cx"> {
</span><span class="cx">     Base::finishCreation(vm);
</span><ins>+    initialize(vm, prototype, inlineCapacity);
+}
+
+void FunctionRareData::initialize(VM&amp; vm, JSObject* prototype, size_t inlineCapacity)
+{
</ins><span class="cx">     m_allocationProfile.initialize(vm, this, prototype, inlineCapacity);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void FunctionRareData::clear(const char* reason)
+{
+    m_allocationProfile.clear();
+    m_allocationProfileWatchpoint.fireAll(reason);
</ins><span class="cx"> }
</span><ins>+
+}
</ins></span></pre></div>
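Review bot: In FunctionRareData::clear(), m_allocationProfile.clear() runs before m_allocationProfileWatchpoint.fireAll(reason), which is the reverse of the code it replaces in JSFunction.cpp, where the watchpoint set was fired first and the rare data dropped afterwards. Please either keep the fire-then-clear order or add a comment saying the order does not matter. Separately, initialize() only re-initializes m_allocationProfile, so after a clear() followed by initialize() the watchpoint set is left in whatever state fireAll() put it in, whereas the old code got a fresh set with each newly created rare data. A comment on the intended state of the watchpoint set after re-initialization would help anyone who later adds a watchpoint on it.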
<a id="trunkSourceJavaScriptCoreruntimeFunctionRareDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/FunctionRareData.h (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionRareData.h        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/runtime/FunctionRareData.h        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -77,6 +77,12 @@
</span><span class="cx">         return m_allocationProfileWatchpoint;
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    void clear(const char* reason);
+
+    void initialize(VM&amp;, JSObject* prototype, size_t inlineCapacity);
+
+    bool isInitialized() { return !m_allocationProfile.isNull(); }
+
</ins><span class="cx"> protected:
</span><span class="cx">     FunctionRareData(VM&amp;);
</span><span class="cx">     ~FunctionRareData();
</span></span></pre></div>
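Review bot: isInitialized() only reads m_allocationProfile and should be declared const. The three new members also introduce a lifecycle (created, cleared, re-initialized) that is not documented anywhere in the header; a short comment above clear() stating that the object stays allocated with a null allocation profile until initialize() is called again would tell readers of the JIT and LLInt fast paths why they must test the allocator as well as the rare data pointer.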
<a id="trunkSourceJavaScriptCoreruntimeJSFunctioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.cpp (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.cpp        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.cpp        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -108,8 +108,9 @@
</span><span class="cx">     return function;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-FunctionRareData* JSFunction::createRareData(ExecState* exec, size_t inlineCapacity)
</del><ins>+FunctionRareData* JSFunction::allocateAndInitializeRareData(ExecState* exec, size_t inlineCapacity)
</ins><span class="cx"> {
</span><ins>+    ASSERT(!m_rareData);
</ins><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     JSObject* prototype = jsDynamicCast&lt;JSObject*&gt;(get(exec, vm.propertyNames-&gt;prototype));
</span><span class="cx">     if (!prototype)
</span><span class="lines">@@ -119,6 +120,17 @@
</span><span class="cx">     return m_rareData.get();
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+FunctionRareData* JSFunction::initializeRareData(ExecState* exec, size_t inlineCapacity)
+{
+    ASSERT(!!m_rareData);
+    VM&amp; vm = exec-&gt;vm();
+    JSObject* prototype = jsDynamicCast&lt;JSObject*&gt;(get(exec, vm.propertyNames-&gt;prototype));
+    if (!prototype)
+        prototype = globalObject()-&gt;objectPrototype();
+    m_rareData-&gt;initialize(globalObject()-&gt;vm(), prototype, inlineCapacity);
+    return m_rareData.get();
+}
+
</ins><span class="cx"> String JSFunction::name(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx">     return get(exec, exec-&gt;vm().propertyNames-&gt;name).toWTFString(exec);
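Review bot: initializeRareData() repeats the prototype lookup and the objectPrototype() fallback from allocateAndInitializeRareData() line for line; a small shared helper would keep the two from drifting apart. It also passes globalObject()-&gt;vm() to initialize() even though the local vm obtained from exec is already in scope; use vm there. ASSERT(!!m_rareData) can be written ASSERT(m_rareData), and an additional ASSERT(!m_rareData-&gt;isInitialized()) would document the only state in which this function is meant to be called.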
</span><span class="lines">@@ -389,10 +401,8 @@
</span><span class="cx">         // following the rules set out in ECMA-262 8.12.9.
</span><span class="cx">         PropertySlot slot(thisObject);
</span><span class="cx">         thisObject-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlot(thisObject, exec, propertyName, slot);
</span><del>-        if (thisObject-&gt;m_rareData) {
-            thisObject-&gt;m_rareData-&gt;allocationProfileWatchpointSet().fireAll(&quot;Store to prototype property of a function&quot;);
-            thisObject-&gt;m_rareData.clear();
-        }
</del><ins>+        if (thisObject-&gt;m_rareData)
+            thisObject-&gt;m_rareData-&gt;clear(&quot;Store to prototype property of a function&quot;);
</ins><span class="cx">         // Don't allow this to be cached, since a [[Put]] must clear m_rareData.
</span><span class="cx">         PutPropertySlot dontCache(thisObject);
</span><span class="cx">         Base::put(thisObject, exec, propertyName, value, dontCache);
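Review bot: The context comment right after the new lines still reads "a [[Put]] must clear m_rareData", but the replacement no longer clears m_rareData; it calls clear() on the rare data and leaves the pointer set. Reword the comment to say the allocation profile is cleared, so that nobody later relies on m_rareData being null after a store to prototype. The reason string is also duplicated verbatim in the defineOwnProperty hunk below; a shared constant would avoid the two copies diverging.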
</span><span class="lines">@@ -438,10 +448,8 @@
</span><span class="cx">         // following the rules set out in ECMA-262 8.12.9.
</span><span class="cx">         PropertySlot slot(thisObject);
</span><span class="cx">         thisObject-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlot(thisObject, exec, propertyName, slot);
</span><del>-        if (thisObject-&gt;m_rareData) {
-            thisObject-&gt;m_rareData-&gt;allocationProfileWatchpointSet().fireAll(&quot;Store to prototype property of a function&quot;);
-            thisObject-&gt;m_rareData.clear();
-        }
</del><ins>+        if (thisObject-&gt;m_rareData)
+            thisObject-&gt;m_rareData-&gt;clear(&quot;Store to prototype property of a function&quot;);
</ins><span class="cx">         return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSFunctionh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.h (183112 => 183113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.h        2015-04-22 17:39:38 UTC (rev 183112)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.h        2015-04-22 17:39:44 UTC (rev 183113)
</span><span class="lines">@@ -112,7 +112,9 @@
</span><span class="cx">     FunctionRareData* rareData(ExecState* exec, unsigned inlineCapacity)
</span><span class="cx">     {
</span><span class="cx">         if (UNLIKELY(!m_rareData))
</span><del>-            return createRareData(exec, inlineCapacity);
</del><ins>+            return allocateAndInitializeRareData(exec, inlineCapacity);
+        if (UNLIKELY(!m_rareData-&gt;isInitialized()))
+            return initializeRareData(exec, inlineCapacity);
</ins><span class="cx">         return m_rareData.get();
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -138,7 +140,8 @@
</span><span class="cx">     void finishCreation(VM&amp;, NativeExecutable*, int length, const String&amp; name);
</span><span class="cx">     using Base::finishCreation;
</span><span class="cx"> 
</span><del>-    FunctionRareData* createRareData(ExecState*, size_t inlineCapacity);
</del><ins>+    FunctionRareData* allocateAndInitializeRareData(ExecState*, size_t inlineCapacity);
+    FunctionRareData* initializeRareData(ExecState*, size_t inlineCapacity);
</ins><span class="cx"> 
</span><span class="cx">     static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&amp;);
</span><span class="cx">     static void getOwnNonIndexPropertyNames(JSObject*, ExecState*, PropertyNameArray&amp;, EnumerationMode = EnumerationMode());
</span></span></pre>
</div>
</div>

</body>
</html>