[Webkit-unassigned] [Bug 95073] WindowShell and global registers break IC
bugzilla-daemon at webkit.org
Mon Aug 27 08:17:41 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=95073
--- Comment #4 from Yusuke Suzuki <utatane.tea at gmail.com> 2012-08-27 08:17:42 PST ---
(In reply to comment #3)
> (From update of attachment 160696 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=160696&action=review
>
> > Source/WebCore/bindings/js/JSDOMWindowShell.cpp:99
> > - return thisObject->window()->methodTable()->getOwnPropertySlot(thisObject->window(), exec, propertyName, slot);
> > + const bool res = thisObject->window()->methodTable()->getOwnPropertySlot(thisObject->window(), exec, propertyName, slot);
> > + slot.forceUncacheable();
> > + return res;
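Review bot: the unconditional slot.forceUncacheable() after the delegated getOwnPropertySlot() call has no comment explaining why a lookup that goes through the shell must never be cached; a one-line comment at that point (the shell's structure does not change when the window's does, so a chain IC keyed on the shell's structure would go stale) would save the next reader from asking the same question as comment #3. It also applies regardless of whether the delegated lookup returned true or false; if that is intentional, the comment should say so.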
>
> Why do you need to forceUncacheable() in addition to the other change?
>
Because WindowShell simply calls the JSGlobalObject method, when the JSGlobalObject structure is changed, the WindowShell structure is not changed.
So, for example,
Object.prototype.T = 20;
window.T // lookup
When the lookup is executed (in the JIT), this makes a chain IC. The chain layout is as follows:
[WindowShell structure (not JSGlobalObject structure)]
[WindowPrototype structure]
[ObjectPrototype structure]
And we can define a JSGlobalObject property like this:
window.T = 20;
When this code is executed, the JSGlobalObject structure is changed properly, but the window shell structure is not changed. So the above chain IC is not invalidated.
Here is an example.
http://jsfiddle.net/V5tL6/
On this page, V8 and SpiderMonkey output 0 and 20 to the console, but JSC outputs 0 twice. This is because the chain IC isn't invalidated.
> This looks like it could have severe performance consequences.
I've checked this and I think it doesn't cause a severe perf regression.
Because the chain IC's first structure is always the structure of the WindowShell, the self IC already fails now. (I saw this by adding a breakpoint to JIT::tryCacheGetById. Is that right?)
And because the resolve_global target is the JSGlobalObject (not the WindowShell), its IC still works fine.
This change only adds IC failures for the following patterns:
Object.getPrototypeOf(window).b = 20;
window.b;
// or
window.toString;
And so I think this performance regression is small.
But I have another idea: when the JSGlobalObject structure is changed, notify all proxies so they refresh their structure. What do you think about this?
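The jsfiddle referenced in the comment is not reproduced on this page. The following is an added example, not code from the bug report or from WebKit, that turns the two lookup patterns discussed above into a runnable cross-engine probe: a single named property-access site is run hot so the JIT installs an inline cache there, then the prototype chain is changed underneath it and the site is read again. The property names `T` and `b`, the values 0 and 20, the warm-up count, and the use of `globalThis` as a stand-in for `window` under Node.js are assumptions; a correct engine returns [0, 20] and [undefined, 20], and the stale chain IC described in the comment would show up as [0, 0].

```javascript
"use strict";

// Iteration count assumed large enough that a JIT tier compiles the lookup
// functions and attaches an inline cache to their property-access site. The
// real threshold is engine-specific; this value is an assumption.
const WARMUP = 200000;

// Each probe has exactly one named property access (a get_by_id site), so the
// engine installs one IC per site, mirroring the `window.T` lookup above.
function lookupT(holder) { return holder.T; }
function lookupB(holder) { return holder.b; }

function runHot(fn, holder) {
  let v;
  for (let i = 0; i < WARMUP; i++) v = fn(holder);
  return v;
}

// Case 1 from the comment: `T` starts on Object.prototype, so the hot site
// caches a chain lookup holder -> ... -> Object.prototype. Then an own `T` is
// defined on holder, which must shadow the cached chain hit.
function probeOwnShadowsChain(holder) {
  Object.prototype.T = 0;
  try {
    const before = runHot(lookupT, holder);
    holder.T = 20;                 // own property: structure transition on holder
    const after = runHot(lookupT, holder);
    return [before, after];        // correct engine: [0, 20]
  } finally {
    delete holder.T;
    delete Object.prototype.T;
  }
}

// Case 2, the `Object.getPrototypeOf(window).b = 20; window.b` pattern: the hot
// site first caches a miss, then `b` appears on holder's prototype and the
// cached miss must be invalidated.
function probePrototypeAdd(holder) {
  const proto = Object.getPrototypeOf(holder);
  try {
    const before = runHot(lookupB, holder);
    proto.b = 20;
    const after = runHot(lookupB, holder);
    return [before, after];        // correct engine: [undefined, 20]
  } finally {
    delete proto.b;
  }
}

// Plain stand-in for the three-level chain drawn in the comment
// (shell -> WindowPrototype -> ObjectPrototype), for runs without a window.
function makeWindowLikeChain() {
  const windowPrototype = Object.create(Object.prototype);
  return Object.create(windowPrototype);
}

// Runs both probes against the real global object and the constructed chain.
function runAll() {
  const holders = { globalThis, windowLike: makeWindowLikeChain() };
  const results = {};
  for (const [name, holder] of Object.entries(holders)) {
    results[name] = {
      ownShadowsChain: probeOwnShadowsChain(holder),
      prototypeAdd: probePrototypeAdd(holder),
    };
  }
  return results;
}

console.log(runAll());
```

Run it under each engine you care about (node, or paste it into a browser console where `window` is the real holder); the comparison of interest is the second element of each pair after the hot loop, since a cold lookup will always see the new property and hides the IC bug.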