Bug 177909 - Make sure all prototypes under poly proto get added into the VM's prototype map
Summary: Make sure all prototypes under poly proto get added into the VM's prototype map
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-10-04 18:01 PDT by Saam Barati
Modified: 2017-10-21 00:42 PDT (History)
15 users (show)

See Also:

Attachments
patch (9.59 KB, patch)
2017-10-04 18:48 PDT, Saam Barati 		keith_miller: review+
Details | Formatted Diff | Diff
patch for landing (16.04 KB, patch)
2017-10-04 19:19 PDT, Saam Barati 		no flags Details | Formatted Diff | Diff
patch for landing (16.35 KB, patch)
2017-10-04 19:57 PDT, Saam Barati 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Saam Barati 2017-10-04 18:01:48 PDT 
... But they should. This is an invariant I broke.
Comment 1 Saam Barati 2017-10-04 18:48:56 PDT 
Created attachment 322758 [details]
patch
Comment 2 Keith Miller 2017-10-04 19:10:17 PDT 
Comment on attachment 322758 [details]
patch

r=me if you fix the build issues.
Comment 3 Keith Miller 2017-10-04 19:13:13 PDT 
Comment on attachment 322758 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=322758&action=review

> Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:242
>          size_t inlineCapacity = pc[3].u.operand;

rs=me on adding struct offset names.
Comment 4 Saam Barati 2017-10-04 19:19:50 PDT 
Created attachment 322765 [details]
patch for landing
Comment 5 Saam Barati 2017-10-04 19:57:15 PDT 
Created attachment 322766 [details]
patch for landing
Comment 6 WebKit Commit Bot 2017-10-05 00:38:04 PDT 
Comment on attachment 322766 [details]
patch for landing

Clearing flags on attachment: 322766

Committed r222901: <http://trac.webkit.org/changeset/222901>
Comment 7 WebKit Commit Bot 2017-10-05 00:38:05 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 8 Radar WebKit Bug Importer 2017-10-05 00:39:02 PDT 
<rdar://problem/34829138>
Comment 9 Ryan Haddad 2017-10-05 09:48:30 PDT 
(In reply to WebKit Commit Bot from comment #6)
> Comment on attachment 322766 [details]
> patch for landing
> 
> Clearing flags on attachment: 322766
> 
> Committed r222901: <http://trac.webkit.org/changeset/222901>
The following two tests started timing out on Release JSC bots after this change:
microbenchmarks/direct-construct-arity-mismatch.js.ftl-eager
microbenchmarks/direct-construct.js.ftl-eager

https://build.webkit.org/builders/Apple%20High%20Sierra%20Release%20JSC%20%28Tests%29/builds/187
Comment 10 Saam Barati 2017-10-05 09:58:15 PDT 
(In reply to Ryan Haddad from comment #9)
> (In reply to WebKit Commit Bot from comment #6)
> > Comment on attachment 322766 [details]
> > patch for landing
> > 
> > Clearing flags on attachment: 322766
> > 
> > Committed r222901: <http://trac.webkit.org/changeset/222901>
> The following two tests started timing out on Release JSC bots after this
> change:
> microbenchmarks/direct-construct-arity-mismatch.js.ftl-eager
> microbenchmarks/direct-construct.js.ftl-eager
> 
> https://build.webkit.org/builders/
> Apple%20High%20Sierra%20Release%20JSC%20%28Tests%29/builds/187

Will look into it
Comment 11 Saam Barati 2017-10-05 10:57:56 PDT 
(In reply to Ryan Haddad from comment #9)
> (In reply to WebKit Commit Bot from comment #6)
> > Comment on attachment 322766 [details]
> > patch for landing
> > 
> > Clearing flags on attachment: 322766
> > 
> > Committed r222901: <http://trac.webkit.org/changeset/222901>
> The following two tests started timing out on Release JSC bots after this
> change:
> microbenchmarks/direct-construct-arity-mismatch.js.ftl-eager
> microbenchmarks/direct-construct.js.ftl-eager
> 
> https://build.webkit.org/builders/
> Apple%20High%20Sierra%20Release%20JSC%20%28Tests%29/builds/187

Will fix this in:
https://bugs.webkit.org/show_bug.cgi?id=177952
Comment 12 Filip Pizlo 2017-10-07 11:45:53 PDT 
Comment on attachment 322766 [details]
patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=322766&action=review

> Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:253
> +        if (structure->hasPolyProto()) {
> +            JSObject* prototype = constructor->prototypeForConstruction(vm, exec);
> +            result->putDirect(vm, structure->polyProtoOffset(), prototype);
> +            vm.prototypeMap.addPrototype(prototype);
> +        }

I don't think that this was a good idea.

This means that if we're using poly proto aggressively (like 1:1 mapping of object and prototype), we'll have this ginormous HashSet of Weak references hanging around.  If we really need every prototype to be tracked, then it seems a lot better to just use a bit in the object header, instead of growing a ginormous HashSet.
Comment 13 Filip Pizlo 2017-10-07 11:46:59 PDT 
(In reply to Filip Pizlo from comment #12)
> Comment on attachment 322766 [details]
> patch for landing
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=322766&action=review
> 
> > Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:253
> > +        if (structure->hasPolyProto()) {
> > +            JSObject* prototype = constructor->prototypeForConstruction(vm, exec);
> > +            result->putDirect(vm, structure->polyProtoOffset(), prototype);
> > +            vm.prototypeMap.addPrototype(prototype);
> > +        }
> 
> I don't think that this was a good idea.
> 
> This means that if we're using poly proto aggressively (like 1:1 mapping of
> object and prototype), we'll have this ginormous HashSet of Weak references
> hanging around.  If we really need every prototype to be tracked, then it
> seems a lot better to just use a bit in the object header, instead of
> growing a ginormous HashSet.

Anyway, I'm tracking fixing this in: https://bugs.webkit.org/show_bug.cgi?id=178051
Comment 15 Saam Barati 2017-10-21 00:04:55 PDT 
(In reply to Ryosuke Niwa from comment #14)
> Looks like this was ~1% regression on Speedometer 2's react test case?
> https://perf.webkit.org/v3/#/charts?since=1505283360823&zoom=(1506767770443.
> 9912-1507709310260.7344)&paneList=((18-966-28983529-null-(5-2.5-
> 500)))&repository=1

This code is no longer in the tree.
Comment 16 Ryosuke Niwa 2017-10-21 00:29:40 PDT 
(In reply to Saam Barati from comment #15)
> (In reply to Ryosuke Niwa from comment #14)
> > Looks like this was ~1% regression on Speedometer 2's react test case?
> > https://perf.webkit.org/v3/#/charts?since=1505283360823&zoom=(1506767770443.
> > 9912-1507709310260.7344)&paneList=((18-966-28983529-null-(5-2.5-
> > 500)))&repository=1
> 
> This code is no longer in the tree.

Hm... it looks like we never recovered from this :( Maybe there are other regressions looming around.

https://perf.webkit.org/v3/#/charts?since=1505283360823&paneList=((18-966-(1506582270543.6445-1508505237448.509)-null-(5-2.5-500)))&repository=1
Comment 17 Saam Barati 2017-10-21 00:42:49 PDT 
(In reply to Ryosuke Niwa from comment #16)
> (In reply to Saam Barati from comment #15)
> > (In reply to Ryosuke Niwa from comment #14)
> > > Looks like this was ~1% regression on Speedometer 2's react test case?
> > > https://perf.webkit.org/v3/#/charts?since=1505283360823&zoom=(1506767770443.
> > > 9912-1507709310260.7344)&paneList=((18-966-28983529-null-(5-2.5-
> > > 500)))&repository=1
> > 
> > This code is no longer in the tree.
> 
> Hm... it looks like we never recovered from this :( Maybe there are other
> regressions looming around.
> 
> https://perf.webkit.org/v3/#/charts?since=1505283360823&paneList=((18-966-
> (1506582270543.6445-1508505237448.509)-null-(5-2.5-500)))&repository=1

Yeah I think it’s unlikely this is the reason. My original patch was a regression because it forced us to allocate a weak handle and put something in a hashmap. The code in ToT does a CAS on the slow path, and the fast path is just a load and branch.