RESOLVED FIXED 212248
hasOwnProperty inside structure property for-in loop should use an opcode like has_structure_property but for hasOwnProperty 
https://bugs.webkit.org/show_bug.cgi?id=212248
Summary hasOwnProperty inside structure property for-in loop should use an opcode lik...
Saam Barati
Reported 2020-05-21 19:31:09 PDT
...
Attachments
patch (60.68 KB, patch)
2020-05-26 21:56 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (63.04 KB, patch)
2020-05-27 10:31 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (62.68 KB, patch)
2020-05-27 12:03 PDT, Saam Barati 		keith_miller: review+
DetailsFormatted DiffDiff
patch for landing (63.68 KB, patch)
2020-05-27 17:50 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2020-05-26 13:31:39 PDT
patch forthcoming Appears to speedup React in Speedo2 by ~5%
Saam Barati
Comment 2 2020-05-26 21:56:09 PDT
Created attachment 400310 [details] patch
Saam Barati
Comment 3 2020-05-27 10:31:46 PDT
Created attachment 400349 [details] patch
Saam Barati
Comment 4 2020-05-27 12:03:03 PDT
Created attachment 400364 [details] patch rebased
Keith Miller
Comment 5 2020-05-27 16:04:04 PDT
Comment on attachment 400364 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=400364&action=review r=me with comments. > Source/JavaScriptCore/bytecode/BytecodeList.rb:1108 > +op :has_self_structure_property, Wouldn't this normally be own? I guess we use the terms interchangeably though. > Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:5247 > + unsigned newTarget = std::get<1>(hasOwnPropertyTuple); Like new.target? :P > Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:5257 > + // disable peephole optimizations > + generator.m_lastOpcodeID = op_end; Nit: Can we make this a function on BytecodeGenerator? > Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:5259 > + OpJmp::emit<OpcodeSize::Wide32>(&generator, BoundLabel(static_cast<int>(newTarget) - static_cast<int>(branchInstIndex))); Why does this have to be Wide32 if we are gonna Nop fill anyway?
Saam Barati
Comment 6 2020-05-27 17:23:32 PDT
Comment on attachment 400364 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=400364&action=review >> Source/JavaScriptCore/bytecode/BytecodeList.rb:1108 >> +op :has_self_structure_property, > > Wouldn't this normally be own? I guess we use the terms interchangeably though. I can switch to own, it's probably more consistent >> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:5247 >> + unsigned newTarget = std::get<1>(hasOwnPropertyTuple); > > Like new.target? :P haha I thought this too when writing it, but kept it given context I can switch to newBranchTarget >> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:5257 >> + generator.m_lastOpcodeID = op_end; > > Nit: Can we make this a function on BytecodeGenerator? sure >> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:5259 >> + OpJmp::emit<OpcodeSize::Wide32>(&generator, BoundLabel(static_cast<int>(newTarget) - static_cast<int>(branchInstIndex))); > > Why does this have to be Wide32 if we are gonna Nop fill anyway? Good point, I don't think it does.
Saam Barati
Comment 7 2020-05-27 17:50:37 PDT
Created attachment 400411 [details] patch for landing
EWS
Comment 8 2020-05-27 19:43:30 PDT
Committed r262233: <https://trac.webkit.org/changeset/262233> All reviewed patches have been landed. Closing bug and clearing flags on attachment 400411 [details].
Radar WebKit Bug Importer
Comment 9 2020-05-27 19:44:20 PDT
<rdar://problem/63701395>
Caio Lima
Comment 10 2020-05-28 06:47:17 PDT
Comment on attachment 400411 [details] patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=400411&action=review > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:1053 > + JSValue hasOwnPropertyFunction = jsCast<JSFunction*>(objectPrototype()->get(this, vm.propertyNames->hasOwnProperty)); Is there a reason to not use `getDirect()` here? Anyway, if we want to keep using `get`, we need to add a `catchScope.assertNoException()` after this call. Right now this is breaking almost all tests on Debug builds https://build.webkit.org/builders/Apple-Catalina-Debug-JSC-Tests
Mark Lam
Comment 11 2020-05-28 07:30:08 PDT
(In reply to Caio Lima from comment #10) > we need to add a `catchScope.assertNoException()` after this Landed r262239: <http://trac.webkit.org/r262239> to placate the exception checker and green the bots.
Saam Barati
Comment 12 2020-05-28 09:20:06 PDT
(In reply to Caio Lima from comment #10) > Comment on attachment 400411 [details] > patch for landing > > View in context: > https://bugs.webkit.org/attachment.cgi?id=400411&action=review > > > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:1053 > > + JSValue hasOwnPropertyFunction = jsCast<JSFunction*>(objectPrototype()->get(this, vm.propertyNames->hasOwnProperty)); > > Is there a reason to not use `getDirect()` here? Anyway, if we want to keep > using `get`, we need to add a `catchScope.assertNoException()` after this > call. Right now this is breaking almost all tests on Debug builds > https://build.webkit.org/builders/Apple-Catalina-Debug-JSC-Tests The reason was just not relying on it being in Structure property storage. But we could also just use getDirect, since this will likely lead to failures in testing if ObjectPrototype ever puts hasOwnProperty elsewhere that isn't in property storage
Note You need to log in before you can comment on or make changes to this bug.