RESOLVED FIXED 177909
Make sure all prototypes under poly proto get added into the VM's prototype map 
https://bugs.webkit.org/show_bug.cgi?id=177909
Summary Make sure all prototypes under poly proto get added into the VM's prototype map
Saam Barati
Reported 2017-10-04 18:01:48 PDT
... But they should. This is an invariant I broke.
Attachments
patch (9.59 KB, patch)
2017-10-04 18:48 PDT, Saam Barati 		keith_miller: review+
DetailsFormatted DiffDiff
patch for landing (16.04 KB, patch)
2017-10-04 19:19 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch for landing (16.35 KB, patch)
2017-10-04 19:57 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2017-10-04 18:48:56 PDT
Created attachment 322758 [details] patch
Keith Miller
Comment 2 2017-10-04 19:10:17 PDT
Comment on attachment 322758 [details] patch r=me if you fix the build issues.
Keith Miller
Comment 3 2017-10-04 19:13:13 PDT
Comment on attachment 322758 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=322758&action=review > Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:242 > size_t inlineCapacity = pc[3].u.operand; rs=me on adding struct offset names.
Saam Barati
Comment 4 2017-10-04 19:19:50 PDT
Created attachment 322765 [details] patch for landing
Saam Barati
Comment 5 2017-10-04 19:57:15 PDT
Created attachment 322766 [details] patch for landing
WebKit Commit Bot
Comment 6 2017-10-05 00:38:04 PDT
Comment on attachment 322766 [details] patch for landing Clearing flags on attachment: 322766 Committed r222901: <http://trac.webkit.org/changeset/222901>
WebKit Commit Bot
Comment 7 2017-10-05 00:38:05 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 8 2017-10-05 00:39:02 PDT
<rdar://problem/34829138>
Ryan Haddad
Comment 9 2017-10-05 09:48:30 PDT
(In reply to WebKit Commit Bot from comment #6) > Comment on attachment 322766 [details] > patch for landing > > Clearing flags on attachment: 322766 > > Committed r222901: <http://trac.webkit.org/changeset/222901> The following two tests started timing out on Release JSC bots after this change: microbenchmarks/direct-construct-arity-mismatch.js.ftl-eager microbenchmarks/direct-construct.js.ftl-eager https://build.webkit.org/builders/Apple%20High%20Sierra%20Release%20JSC%20%28Tests%29/builds/187
Saam Barati
Comment 10 2017-10-05 09:58:15 PDT
(In reply to Ryan Haddad from comment #9) > (In reply to WebKit Commit Bot from comment #6) > > Comment on attachment 322766 [details] > > patch for landing > > > > Clearing flags on attachment: 322766 > > > > Committed r222901: <http://trac.webkit.org/changeset/222901> > The following two tests started timing out on Release JSC bots after this > change: > microbenchmarks/direct-construct-arity-mismatch.js.ftl-eager > microbenchmarks/direct-construct.js.ftl-eager > > https://build.webkit.org/builders/ > Apple%20High%20Sierra%20Release%20JSC%20%28Tests%29/builds/187 Will look into it
Saam Barati
Comment 11 2017-10-05 10:57:56 PDT
(In reply to Ryan Haddad from comment #9) > (In reply to WebKit Commit Bot from comment #6) > > Comment on attachment 322766 [details] > > patch for landing > > > > Clearing flags on attachment: 322766 > > > > Committed r222901: <http://trac.webkit.org/changeset/222901> > The following two tests started timing out on Release JSC bots after this > change: > microbenchmarks/direct-construct-arity-mismatch.js.ftl-eager > microbenchmarks/direct-construct.js.ftl-eager > > https://build.webkit.org/builders/ > Apple%20High%20Sierra%20Release%20JSC%20%28Tests%29/builds/187 Will fix this in: https://bugs.webkit.org/show_bug.cgi?id=177952
Filip Pizlo
Comment 12 2017-10-07 11:45:53 PDT
Comment on attachment 322766 [details] patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=322766&action=review > Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:253 > + if (structure->hasPolyProto()) { > + JSObject* prototype = constructor->prototypeForConstruction(vm, exec); > + result->putDirect(vm, structure->polyProtoOffset(), prototype); > + vm.prototypeMap.addPrototype(prototype); > + } I don't think that this was a good idea. This means that if we're using poly proto aggressively (like 1:1 mapping of object and prototype), we'll have this ginormous HashSet of Weak references hanging around. If we really need every prototype to be tracked, then it seems a lot better to just use a bit in the object header, instead of growing a ginormous HashSet.
Filip Pizlo
Comment 13 2017-10-07 11:46:59 PDT
(In reply to Filip Pizlo from comment #12) > Comment on attachment 322766 [details] > patch for landing > > View in context: > https://bugs.webkit.org/attachment.cgi?id=322766&action=review > > > Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:253 > > + if (structure->hasPolyProto()) { > > + JSObject* prototype = constructor->prototypeForConstruction(vm, exec); > > + result->putDirect(vm, structure->polyProtoOffset(), prototype); > > + vm.prototypeMap.addPrototype(prototype); > > + } > > I don't think that this was a good idea. > > This means that if we're using poly proto aggressively (like 1:1 mapping of > object and prototype), we'll have this ginormous HashSet of Weak references > hanging around. If we really need every prototype to be tracked, then it > seems a lot better to just use a bit in the object header, instead of > growing a ginormous HashSet. Anyway, I'm tracking fixing this in: https://bugs.webkit.org/show_bug.cgi?id=178051
Saam Barati
Comment 15 2017-10-21 00:04:55 PDT
(In reply to Ryosuke Niwa from comment #14) > Looks like this was ~1% regression on Speedometer 2's react test case? > https://perf.webkit.org/v3/#/charts?since=1505283360823&zoom=(1506767770443. > 9912-1507709310260.7344)&paneList=((18-966-28983529-null-(5-2.5- > 500)))&repository=1 This code is no longer in the tree.
Ryosuke Niwa
Comment 16 2017-10-21 00:29:40 PDT
(In reply to Saam Barati from comment #15) > (In reply to Ryosuke Niwa from comment #14) > > Looks like this was ~1% regression on Speedometer 2's react test case? > > https://perf.webkit.org/v3/#/charts?since=1505283360823&zoom=(1506767770443. > > 9912-1507709310260.7344)&paneList=((18-966-28983529-null-(5-2.5- > > 500)))&repository=1 > > This code is no longer in the tree. Hm... it looks like we never recovered from this :( Maybe there are other regressions looming around. https://perf.webkit.org/v3/#/charts?since=1505283360823&paneList=((18-966-(1506582270543.6445-1508505237448.509)-null-(5-2.5-500)))&repository=1
Saam Barati
Comment 17 2017-10-21 00:42:49 PDT
(In reply to Ryosuke Niwa from comment #16) > (In reply to Saam Barati from comment #15) > > (In reply to Ryosuke Niwa from comment #14) > > > Looks like this was ~1% regression on Speedometer 2's react test case? > > > https://perf.webkit.org/v3/#/charts?since=1505283360823&zoom=(1506767770443. > > > 9912-1507709310260.7344)&paneList=((18-966-28983529-null-(5-2.5- > > > 500)))&repository=1 > > > > This code is no longer in the tree. > > Hm... it looks like we never recovered from this :( Maybe there are other > regressions looming around. > > https://perf.webkit.org/v3/#/charts?since=1505283360823&paneList=((18-966- > (1506582270543.6445-1508505237448.509)-null-(5-2.5-500)))&repository=1 Yeah I think it’s unlikely this is the reason. My original patch was a regression because it forced us to allocate a weak handle and put something in a hashmap. The code in ToT does a CAS on the slow path, and the fast path is just a load and branch.
Note You need to log in before you can comment on or make changes to this bug.