path: root/Source/JavaScriptCore/runtime/JSObject.cpp
Commit message | Author | Date | Files | Lines (-removed/+added)
* Imported WebKit commit eb954cdcf58f9b915b2fcb6f8e4cb3a60650a4f3 (Konstantin Tokarev, 2017-02-02, 1 file, -2/+7)
  Change-Id: I8dda875c38075d43b76fe3a21acb0ffa102bb82d
  Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Imported QtWebKit TP3 (git b57bc6801f1876c3220d5a4bfea33d620d477443) (Konstantin Tokarev, 2017-02-02, 1 file, -699/+988)
  Change-Id: I3b1d8a2808782c9f34d50240000e20cb38d3680f
  Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Fix g++ 5.0 build (Allan Sandfeld Jensen, 2015-03-06, 1 file, -0/+5)
  A non-inline template needs to be explicitly instantiated if used outside the object where it is declared.

  Patch suggested by Khem Raj.

  Task-number: QTBUG-44829
  Change-Id: Ib0adbd9273bd1cef01e5863bc8aaa9c373022792
  Reviewed-by: Andras Becsi <andras.becsi@theqtcompany.com>
* <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption (Mark Hahnenberg, 2014-09-25, 1 file, -15/+15)
  Reviewed by Oliver Hunt.

  When we flatten an object in dictionary mode, we compact its properties. If the object had out-of-line storage in the form of a Butterfly prior to this compaction, and after compaction its properties fit inline, the object's Structure "forgets" that the object has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes with bytes = 0, which causes all sorts of badness in CopiedSpace.

  Instead, after we flatten a dictionary, if properties fit inline we should clear the Butterfly pointer so that the GC doesn't get confused later. This patch does this clearing, and it also adds JSObject::checkStructure, which overrides JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned agrees with whether or not the object has a Butterfly. Also added an ASSERT to check that the number of bytes reported to SlotVisitor::copyLater is non-zero.

  * heap/SlotVisitorInlines.h:
  (JSC::SlotVisitor::copyLater):
  * runtime/JSObject.cpp:
  (JSC::JSObject::notifyPresenceOfIndexedAccessors):
  (JSC::JSObject::convertUndecidedToInt32):
  (JSC::JSObject::convertUndecidedToDouble):
  (JSC::JSObject::convertUndecidedToContiguous):
  (JSC::JSObject::convertInt32ToDouble):
  (JSC::JSObject::convertInt32ToContiguous):
  (JSC::JSObject::genericConvertDoubleToContiguous):
  (JSC::JSObject::switchToSlowPutArrayStorage):
  (JSC::JSObject::setPrototype):
  (JSC::JSObject::putDirectAccessor):
  (JSC::JSObject::seal):
  (JSC::JSObject::freeze):
  (JSC::JSObject::preventExtensions):
  (JSC::JSObject::reifyStaticFunctionsForDelete):
  (JSC::JSObject::removeDirect):
  * runtime/JSObject.h:
  (JSC::JSObject::setButterfly):
  (JSC::JSObject::putDirectInternal):
  (JSC::JSObject::setStructure):
  (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
  * runtime/Structure.cpp:
  (JSC::Structure::flattenDictionaryStructure):

  Change-Id: Idfd8c22555f4373c1104316ff1ee28f5f84ef083
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154366 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
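The invariant the commit above describes, modelled as an added example. This is a toy object written for this page, not JavaScriptCore's code: `ToyObject`, `kInlineCapacity`, the `Property`/`Structure` shapes and the byte accounting are all assumptions that stand in for JSObject, its inline slots, the Butterfly and CopiedSpace's reportLiveBytes. The `clearButterflyWhenInline` flag switches between the pre-fix behaviour (properties moved inline, Structure updated, Butterfly pointer left dangling at zero bytes) and the fixed behaviour (pointer cleared), so the structure-versus-butterfly check can be seen failing on one path and holding on the other.

```cpp
#include <cstddef>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Assumed inline capacity of the toy object (JSC's real value is per-Structure).
constexpr std::size_t kInlineCapacity = 4;

struct Property {
    std::string name;
    bool deleted = false;   // dictionary mode leaves holes behind on delete
};

// What the Structure believes about the object's layout.
struct Structure {
    bool hasOutOfLineStorage = false;
    std::size_t propertyCount = 0;
};

struct ToyObject {
    Structure structure;
    std::vector<Property> inlineSlots;                    // at most kInlineCapacity entries
    std::unique_ptr<std::vector<Property>> butterfly;     // out-of-line storage, may be null

    // The check JSObject::checkStructure adds: the Structure's claim about
    // out-of-line storage must agree with the actual Butterfly pointer.
    bool structureAgreesWithButterfly() const {
        return structure.hasOutOfLineStorage == (butterfly != nullptr);
    }

    std::vector<Property>& slots() { return butterfly ? *butterfly : inlineSlots; }
    const std::vector<Property>& slots() const { return butterfly ? *butterfly : inlineSlots; }

    void put(const std::string& name) {
        if (!butterfly && inlineSlots.size() >= kInlineCapacity) {
            // Spill every property out of line once the inline slots are full.
            butterfly = std::make_unique<std::vector<Property>>(inlineSlots);
            inlineSlots.clear();
            structure.hasOutOfLineStorage = true;
        }
        slots().push_back(Property{name, false});
        structure.propertyCount++;
    }

    void remove(const std::string& name) {
        for (auto& p : slots()) {
            if (!p.deleted && p.name == name) {
                p.deleted = true;
                structure.propertyCount--;
                return;
            }
        }
    }

    // Compact the holes left by deletes. With clearButterflyWhenInline == false
    // this reproduces the bug: properties move inline and the Structure forgets
    // the Butterfly, but the (now empty) Butterfly pointer is kept.
    void flatten(bool clearButterflyWhenInline) {
        std::vector<Property> live;
        for (const auto& p : slots())
            if (!p.deleted) live.push_back(p);
        if (live.size() <= kInlineCapacity) {
            inlineSlots = live;
            structure.hasOutOfLineStorage = false;
            if (clearButterflyWhenInline)
                butterfly.reset();           // the fix: GC never sees a zero-byte Butterfly
            else if (butterfly)
                butterfly->clear();          // the bug: non-null pointer, zero live bytes
        } else {
            *butterfly = live;               // still out of line (only reached when spilled)
        }
    }
};

// Bytes a copying collector would be asked to copy for the Butterfly.
// nullopt means "no Butterfly, nothing to report"; 0 is the corrupting case.
std::optional<std::size_t> liveButterflyBytes(const ToyObject& o) {
    if (!o.butterfly) return std::nullopt;
    return o.butterfly->size() * sizeof(Property);
}

// Constructed scenario: spill out of line, delete until the survivors fit
// inline again, then flatten.
ToyObject flattenedScenario(bool clearButterflyWhenInline) {
    ToyObject o;
    for (int i = 0; i < 6; i++) o.put("p" + std::to_string(i));   // 5th put spills
    o.remove("p0"); o.remove("p1"); o.remove("p2");               // 3 live, fits inline
    o.flatten(clearButterflyWhenInline);
    return o;
}

bool flattenKeepsInvariant(bool clearButterflyWhenInline) {
    return flattenedScenario(clearButterflyWhenInline).structureAgreesWithButterfly();
}

bool gcWouldSeeZeroByteButterfly(bool clearButterflyWhenInline) {
    auto bytes = liveButterflyBytes(flattenedScenario(clearButterflyWhenInline));
    return bytes.has_value() && *bytes == 0;
}
```

The useful property of the check is that it fires at the point where the Structure is assigned, long before the collector dereferences the stale pointer, which is where the CopiedSpace corruption would otherwise surface.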
* JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it (Mark Hahnenberg, 2014-03-07, 1 file, -2/+2)
  https://bugs.webkit.org/show_bug.cgi?id=120278

  Reviewed by Geoffrey Garen.

  Source/JavaScriptCore:

  * runtime/JSObject.cpp:
  (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

  Change-Id: I034d6950683304d08a4e076d58fb1b999ade444b
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154633 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Setting a large numeric property on an object causes it to allocate a huge backing store (Mark Hahnenberg, 2014-03-07, 1 file, -5/+9)
  https://bugs.webkit.org/show_bug.cgi?id=118914

  Reviewed by Geoffrey Garen.

  Source/JavaScriptCore:

  There are two distinct actions that we're trying to optimize for:

      new Array(100000);

  and:

      a = [];
      a[100000] = 42;

  In the first case, the programmer has indicated that they expect this Array to be very big, so they should get a contiguous array up until some threshold, above which we perform density calculations to see if it is indeed dense enough to warrant being contiguous.

  In the second case, the programmer hasn't indicated anything about the size of the Array, so we should be more conservative and assume it should be sparse until we've proven otherwise.

  Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish between them for the purposes of not over-allocating large backing stores like we see on http://www.peekanalytics.com/burgerjoints/

  The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and introduce a new heuristic for the second case. If we are putting to an index above a certain threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse map instead. So for example, in the second case above the empty array has a blank indexing type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.

  This fix is ~800x speedup on the accompanying regression test :-o

  * runtime/ArrayConventions.h:
  (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
  * runtime/JSObject.cpp:
  (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
  (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
  (JSC::JSObject::putByIndexBeyondVectorLength):
  (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153374 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Change-Id: I1c29992d6e09c9d523a8093e76e3848a9581ce45
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
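The two heuristics the commit above contrasts, modelled as an added example. This is illustration code written for this page, not JavaScriptCore's ArrayConventions.h: the value of `kMinSparseArrayIndex` (standing in for MIN_SPARSE_ARRAY_INDEX), the density multiplier and the 8-byte slot size are assumptions, and only the 1000 cut-off comes from the message itself. The point it makes is the one that matters for memory-exhaustion resistance: a single `a[100000] = 42` on an empty array must not be allowed to commit a multi-hundred-kilobyte contiguous vector, while a programmer-supplied `new Array(n)` still gets one up to the threshold.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumed constants for this model. Only kSparseBeyondLengthThreshold (1000)
// is taken from the commit message; the others stand in for JSC's real values.
constexpr unsigned kMinSparseArrayIndex = 100000;        // stand-in for MIN_SPARSE_ARRAY_INDEX
constexpr unsigned kSparseBeyondLengthThreshold = 1000;  // "above a certain threshold (say, 1000)"
constexpr unsigned kMinDensityMultiplier = 8;            // vector must be at least 1/8 populated

enum class Storage { Contiguous, SparseMap };

// The new heuristic: no size hint was given, the write lands past the end of
// the array, and the index is large in absolute terms, so go straight to a
// sparse map instead of growing a vector to reach it.
bool indexIsSufficientlyBeyondLength(unsigned index, unsigned length) {
    return index > length && index > kSparseBeyondLengthThreshold;
}

// The pre-existing rule: below the threshold a vector is always fine; above
// it, keep the vector only if it would be dense enough to justify its size.
bool isDenseEnoughForVector(unsigned length, unsigned numValues) {
    return length <= kMinSparseArrayIndex
        || static_cast<std::uint64_t>(numValues) * kMinDensityMultiplier >= length;
}

// Storage for `new Array(length)`: the length is an explicit hint, so a
// contiguous vector is granted up to the threshold.
Storage storageForNewArray(unsigned length) {
    return length <= kMinSparseArrayIndex ? Storage::Contiguous : Storage::SparseMap;
}

// Storage for `a[index] = v` where index is at or past the current vector.
// `numValues` is how many slots of the existing vector are populated.
Storage storageForPutBeyondVector(unsigned index, unsigned length, unsigned numValues) {
    if (indexIsSufficientlyBeyondLength(index, length))
        return Storage::SparseMap;
    unsigned newLength = index + 1 > length ? index + 1 : length;
    return isDenseEnoughForVector(newLength, numValues + 1) ? Storage::Contiguous
                                                            : Storage::SparseMap;
}

// Bytes a contiguous backing store would have to reserve to hold `index`,
// assuming one 8-byte JSValue per slot.
std::size_t contiguousBytesFor(unsigned index) {
    return (static_cast<std::size_t>(index) + 1) * sizeof(std::uint64_t);
}

static const char* name(Storage s) {
    return s == Storage::Contiguous ? "contiguous" : "sparse map";
}

int main() {
    // a = []; a[100000] = 42;  -> sparse, instead of reserving ~800 KB
    std::printf("a=[]; a[100000]=42        -> %s (vector would need %zu bytes)\n",
                name(storageForPutBeyondVector(100000, 0, 0)), contiguousBytesFor(100000));
    // a = []; a[500] = 1;      -> small index, still contiguous
    std::printf("a=[]; a[500]=1            -> %s\n", name(storageForPutBeyondVector(500, 0, 0)));
    // new Array(10000); a[5000] = 1;  -> inside the hinted length, contiguous
    std::printf("new Array(10000); a[5000] -> %s\n", name(storageForPutBeyondVector(5000, 10000, 0)));
    // a.push(x) on a 7-element dense array -> contiguous
    std::printf("push onto length 7        -> %s\n", name(storageForPutBeyondVector(7, 7, 7)));
    return 0;
}
```

The second rule is the one that stops an attacker-controlled index from turning into an allocation of attacker-controlled size; the first rule still lets an explicit `new Array(n)` pay for what it asked for, up to the point where the density check takes over.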
* Import Qt5x2 branch of QtWebkit for Qt 5.2 (Allan Sandfeld Jensen, 2013-09-19, 1 file, -358/+354)
  Importing a new snapshot of webkit.

  Change-Id: I2d01ad12cdc8af8cb015387641120a9d7ea5f10c
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (2/2) (Mark Hahnenberg, 2013-07-01, 1 file, -1/+2)
  https://bugs.webkit.org/show_bug.cgi?id=114235

  Reviewed by Filip Pizlo.

  If the object doesn't have any properties but the prototype does, we'll assume those prototype properties are accessible in the base object's backing store, which is bad.

  Source/JavaScriptCore:

  * runtime/JSObject.cpp:
  (JSC::JSObject::getPropertyNames):
  (JSC::JSObject::getOwnNonIndexPropertyNames):
  * runtime/PropertyNameArray.h:
  (JSC::PropertyNameArray::PropertyNameArray):
  (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
  (JSC::PropertyNameArray::setBaseObject):
  (PropertyNameArray):

  Change-Id: If61b609438fa1d62364bac556af635413198d8ad
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148142 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (Mark Hahnenberg, 2013-07-01, 1 file, -3/+5)
  https://bugs.webkit.org/show_bug.cgi?id=114235

  Reviewed by Geoffrey Garen.

  Due to the way that numCacheableSlots is currently calculated, checking an object's prototype for enumerable properties causes us not to cache any properties at all. We should only cache properties on the object itself since we currently don't take advantage of any sort of name caching for properties in the prototype chain. This fix undoes a ~2% SunSpider regression caused by http://trac.webkit.org/changeset/147570.

  * runtime/JSObject.cpp:
  (JSC::JSObject::getOwnNonIndexPropertyNames):

  Change-Id: I5853ab567cd0a8cd20aeac1372ec64fc4f25df1a
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148036 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* get_by_pname can become confused when iterating over objects with static properties (Mark Hahnenberg, 2013-07-01, 1 file, -0/+3)
  https://bugs.webkit.org/show_bug.cgi?id=113831

  Reviewed by Geoffrey Garen.

  get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly access an object's backing store. One way to fix this is to not cache any properties when iterating over objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch.

  Source/JavaScriptCore:

  * runtime/JSObject.cpp:
  (JSC::JSObject::getOwnNonIndexPropertyNames):
  * runtime/JSPropertyNameIterator.cpp:
  (JSC::JSPropertyNameIterator::create):
  * runtime/PropertyNameArray.h:
  (JSC::PropertyNameArray::PropertyNameArray):
  (JSC::PropertyNameArray::numCacheableSlots):
  (JSC::PropertyNameArray::setNumCacheableSlots):
  (PropertyNameArray):

  Change-Id: I7ae9c48eea3c5300c4825a10a660b0e2210c8862
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147570 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Restrictions on oversize CopiedBlock allocations should be relaxed (Mark Hahnenberg, 2013-02-06, 1 file, -1/+1)
  https://bugs.webkit.org/show_bug.cgi?id=105339

  Reviewed by Filip Pizlo.

  Currently the DFG has a single branch in the inline allocation path for property/array storage where it checks to see if the number of bytes requested will fit in the current block. This does not match what the C++ allocation path does; it checks if the requested number of bytes is oversize, and then if it's not, it tries to fit it in the current block. The garbage collector assumes that ALL allocations that are greater than 16KB are in oversize blocks. Therefore, this mismatch can lead to crashes when the collector tries to perform some operation on a CopiedBlock.

  To avoid adding an extra branch to the inline allocation path in the JIT, we should make it so that oversize blocks are allocated on the same alignment boundaries so that there is a single mask to find the block header of any CopiedBlock (rather than two, one for normal and one for oversize blocks), and we should figure out if a block is oversize by some other method than just whatever the JSObject says it is. One way we could record this info is in the Region of the block, since we allocate a one-off Region for oversize blocks.

  * heap/BlockAllocator.h:
  (JSC::Region::isCustomSize):
  (Region):
  (JSC::Region::createCustomSize):
  (JSC::Region::Region):
  (JSC::BlockAllocator::deallocateCustomSize):
  * heap/CopiedBlock.h:
  (CopiedBlock):
  (JSC::CopiedBlock::isOversize):
  (JSC):
  * heap/CopiedSpace.cpp:
  (JSC::CopiedSpace::tryAllocateOversize):
  (JSC::CopiedSpace::tryReallocate):
  (JSC::CopiedSpace::tryReallocateOversize):
  * heap/CopiedSpace.h:
  (CopiedSpace):
  * heap/CopiedSpaceInlines.h:
  (JSC::CopiedSpace::contains):
  (JSC::CopiedSpace::tryAllocate):
  (JSC):
  * heap/CopyVisitor.h:
  (CopyVisitor):
  * heap/CopyVisitorInlines.h:
  (JSC::CopyVisitor::checkIfShouldCopy):
  (JSC::CopyVisitor::didCopy):
  * heap/SlotVisitorInlines.h:
  (JSC::SlotVisitor::copyLater):
  * runtime/JSObject.cpp:
  (JSC::JSObject::copyButterfly):

  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138067 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Change-Id: Icebcfe83d82ace7c3e1db6a979306f604459c5ae
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Butterfly::growArrayRight shouldn't be called on null Butterfly objects (Mark Hahnenberg, 2013-02-06, 1 file, -2/+2)
  https://bugs.webkit.org/show_bug.cgi?id=105221

  Reviewed by Filip Pizlo.

  Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly objects purely by coincidence. We should add a new static function that null checks the old Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for use in the couple of places in JSObject that expect such behavior to work.

  * runtime/Butterfly.h:
  (Butterfly):
  * runtime/ButterflyInlines.h:
  (JSC::Butterfly::createOrGrowArrayRight):
  (JSC):
  * runtime/JSObject.cpp:
  (JSC::JSObject::createInitialIndexedStorage):
  (JSC::JSObject::createArrayStorage):

  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137961 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Change-Id: I643bc988f3e25b6f05be4e99f19fd2dc609152e4
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Imported WebKit commit c60cfe0fc09efd257aa0111d7b133b02deb8a63e (http://svn.webkit.org/repository/webkit/trunk@136119) (Simon Hausmann, 2012-11-29, 1 file, -8/+2)
  New snapshot that includes the fix for installing the QtWebProcess into libexec

  Change-Id: I01344e079cbdac5678c4cba6ffcc05f4597cf0d7
  Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
* Imported WebKit commit e89504fa9195b2063b2530961d4b73dd08de3242 (http://svn.webkit.org/repository/webkit/trunk@135485) (Simon Hausmann, 2012-11-22, 1 file, -71/+606)
  Change-Id: I03774e5ac79721c13ffa30d152537a74d0b12e66
  Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
* Imported WebKit commit e2c32e2f53e02d388e70b9db88b91d8d9d28fc84 (http://svn.webkit.org/repository/webkit/trunk@133952) (Simon Hausmann, 2012-11-09, 1 file, -594/+67)
  Revert back to an older snapshot that should build on ARM
* Imported WebKit commit 7bcdfab9a40db7d16b4b95bb77d78b8a59c9e701 (http://svn.webkit.org/repository/webkit/trunk@134025) (Simon Hausmann, 2012-11-09, 1 file, -67/+594)
  New snapshot with numerous build fixes, including MSVC 2012 and ARM Thumb-2.
* Imported WebKit commit cf4f8fc6f19b0629f51860cb2d4b25e139d07e00 (http://svn.webkit.org/repository/webkit/trunk@131592) (Simon Hausmann, 2012-10-17, 1 file, -84/+389)
  New snapshot that includes the build fixes for Mac OS X 10.6 and earlier as well as the previously cherry-picked changes
* Revert "Imported WebKit commit 0dc6cd75e1d4836eaffbb520be96fac4847cc9d2 (http://svn.webkit.org/repository/webkit/trunk@131300)" (Simon Hausmann, 2012-10-16, 1 file, -389/+84)
  This reverts commit 5466563f4b5b6b86523e3f89bb7f77e5b5270c78.

  Caused OOM issues on some CI machines :(
* Imported WebKit commit 0dc6cd75e1d4836eaffbb520be96fac4847cc9d2 (http://svn.webkit.org/repository/webkit/trunk@131300) (Simon Hausmann, 2012-10-15, 1 file, -84/+389)
  WebKit update which introduces the QtWebKitWidgets module that contains the WK1 widgets based API. (In fact it renames QtWebKit to QtWebKitWidgets while we're working on completing the entire split as part of https://bugs.webkit.org/show_bug.cgi?id=99314)
* Imported WebKit commit c596dd7f03007fa7ed896b928106497e8784b3b5 (http://svn.webkit.org/repository/webkit/trunk@129610) (Simon Hausmann, 2012-09-26, 1 file, -2/+5)
  New snapshot that removes QtQuick1 support (to be moved into QtQuick1 module)
* Imported WebKit commit ce614b0924ba46f78d4435e28ff93c8525fbb7cc (http://svn.webkit.org/repository/webkit/trunk@129485) (Simon Hausmann, 2012-09-25, 1 file, -16/+2)
  New snapshot that includes MingW build fixes
* Imported WebKit commit 6339232fec7f5d9984a33388aecfd2cbc7832053 (http://svn.webkit.org/repository/webkit/trunk@129343) (Simon Hausmann, 2012-09-24, 1 file, -53/+12)
  New snapshot with build fixes for latest qtbase
* Imported WebKit commit c7503cef7ecb236730d1309676ab9fc723fd061d (http://svn.webkit.org/repository/webkit/trunk@128886) (Simon Hausmann, 2012-09-18, 1 file, -56/+214)
  New snapshot with various build fixes
* Imported WebKit commit 37c5e5041d39a14ea0d429a77ebd352e4bd26516 (http://svn.webkit.org/repository/webkit/trunk@128608) (Simon Hausmann, 2012-09-14, 1 file, -67/+975)
  New snapshot that enables WebKit2 build on Windows (still some bugs) and allows for WebKit to be built with qmake && make
* Imported WebKit commit 68645295d2e3e09af2c942f092556f06aa5f8b0d (http://svn.webkit.org/repository/webkit/trunk@128073) (Simon Hausmann, 2012-09-10, 1 file, -16/+16)
  New snapshot
* Imported WebKit commit 0282df8ca7c11d8c8a66ea18543695c69f545a27 (http://svn.webkit.org/repository/webkit/trunk@124002) (Simon Hausmann, 2012-07-30, 1 file, -27/+39)
  New snapshot with prospective Mountain Lion build fix
* Imported WebKit commit 0fbd41c4e13f5a190faf160bf993eee614e6e18e (http://svn.webkit.org/repository/webkit/trunk@123477) (Simon Hausmann, 2012-07-24, 1 file, -9/+11)
  New snapshot that adapts to latest Qt API changes
* Imported WebKit commit e65cbc5b6ac32627c797e7fc7f46eb7794410c92 (http://svn.webkit.org/repository/webkit/trunk@123308) (Simon Hausmann, 2012-07-23, 1 file, -13/+7)
  New snapshot with better configure tests
* Imported WebKit commit 8ff1f22783a32de82fee915abd55bd1b298f2644 (http://svn.webkit.org/repository/webkit/trunk@122325) (Simon Hausmann, 2012-07-11, 1 file, -23/+50)
  New snapshot that should work with the latest Qt build system changes
* Imported WebKit commit c4b613825abd39ac739a47d7b4410468fcef66dc (http://svn.webkit.org/repository/webkit/trunk@121147) (Simon Hausmann, 2012-06-25, 1 file, -4/+14)
  New snapshot that includes Win32 debug build fix (use SVGAllInOne)
* Imported WebKit commit 3a8c29f35d00659d2ce7a0ccdfa8304f14e82327 (http://svn.webkit.org/repository/webkit/trunk@120813) (Simon Hausmann, 2012-06-20, 1 file, -11/+13)
  New snapshot with Windows build fixes
* Imported WebKit commit eb5c1b8fe4d4b1b90b5137433fc58a91da0e6878 (http://svn.webkit.org/repository/webkit/trunk@118516) (Simon Hausmann, 2012-05-25, 1 file, -5/+0)
* Imported WebKit commit 1350e72f7345ced9da2bd9980deeeb5a8d62fab4 (http://svn.webkit.org/repository/webkit/trunk@117578) (Simon Hausmann, 2012-05-18, 1 file, -16/+16)
  Weekly snapshot
* Imported WebKit commit 9a52e27980f47e8b0d8f8b7cc0fd7b5741bceb92 (http://svn.webkit.org/repository/webkit/trunk@116736) (Simon Hausmann, 2012-05-11, 1 file, -2/+2)
  New snapshot to include QDeclarative* -> QQml* build fixes
* Imported WebKit commit 7e538425aa020340619e927792f3d895061fb54b (http://svn.webkit.org/repository/webkit/trunk@116286) (Simon Hausmann, 2012-05-07, 1 file, -7/+13)
* Imported WebKit commit 3db4eb1820ac8fb03065d7ea73a4d9db1e8fea1a (http://svn.webkit.org/repository/webkit/trunk@110422) (Simon Hausmann, 2012-03-12, 1 file, -11/+6)
  This includes build fixes for the latest qtbase/qtdeclarative as well as the final QML2 API.
* Imported WebKit commit bb52bf3c0119e8a128cd93afe5572413a8617de9 (http://svn.webkit.org/repository/webkit/trunk@108790) (Simon Hausmann, 2012-02-24, 1 file, -72/+86)
* Imported WebKit commit e09a82039aa4273ab318b71122e92d8e5f233525 (http://svn.webkit.org/repository/webkit/trunk@107223) (Simon Hausmann, 2012-02-09, 1 file, -100/+0)
* Imported WebKit commit fce473cb4d55aa9fe9d0b0322a2fffecb731b961 (http://svn.webkit.org/repository/webkit/trunk@106560) (Simon Hausmann, 2012-02-03, 1 file, -66/+87)
* Imported WebKit commit 75bb2fc5882d2e1b3d5572c2961507996cbca5e3 (http://svn.webkit.org/repository/webkit/trunk@104681) (Simon Hausmann, 2012-01-11, 1 file, -2/+2)
* Imported WebKit commit 2ea9d364d0f6efa8fa64acf19f451504c59be0e4 (http://svn.webkit.org/repository/webkit/trunk@104285) (Simon Hausmann, 2012-01-06, 1 file, -0/+848)