    JSObject wastes too much memory on unused property slots · 604d38af
    fpizlo@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=90255
    
    Reviewed by Mark Hahnenberg.
            
    Rolling back in after applying a simple fix: it appears that
    JSObject::setStructureAndReallocateStorageIfNecessary() was allocating more
    property storage than necessary. Fixing this appears to resolve the crash.
            
    This does a few things:
            
    - JSNonFinalObject no longer has inline property storage.
            
    - Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
      or 2x the inline storage for JSFinalObject.
            
    - Property storage is only reallocated if it needs to be. Previously, we
      would reallocate the property storage on any transition where the original
      structure said shouldGrowProperyStorage(), but this led to spurious
      reallocations when doing transitionless property adds and there are
      deleted property slots available. That in turn led to crashes, because we
      would switch to out-of-line storage even if the capacity matched the
      criteria for inline storage.
            
    - Inline JSFunction allocation is killed off because we don't have a good
      way of inlining property storage allocation. This didn't hurt performance.
      Killing off code is better than fixing it if that code wasn't doing any
      good.
            
    This looks like a 1% progression on V8.
    
    * interpreter/Interpreter.cpp:
    (JSC::Interpreter::privateExecute):
    * jit/JIT.cpp:
    (JSC::JIT::privateCompileSlowCases):
    * jit/JIT.h:
    * jit/JITInlineMethods.h:
    (JSC::JIT::emitAllocateBasicJSObject):
    (JSC):
    * jit/JITOpcodes.cpp:
    (JSC::JIT::emit_op_new_func):
    (JSC):
    (JSC::JIT::emit_op_new_func_exp):
    * runtime/JSFunction.cpp:
    (JSC::JSFunction::finishCreation):
    * runtime/JSObject.h:
    (JSC::JSObject::isUsingInlineStorage):
    (JSObject):
    (JSC::JSObject::finishCreation):
    (JSC):
    (JSC::JSNonFinalObject::hasInlineStorage):
    (JSNonFinalObject):
    (JSC::JSNonFinalObject::JSNonFinalObject):
    (JSC::JSNonFinalObject::finishCreation):
    (JSC::JSFinalObject::hasInlineStorage):
    (JSC::JSFinalObject::finishCreation):
    (JSC::JSObject::offsetOfInlineStorage):
    (JSC::JSObject::setPropertyStorage):
    (JSC::Structure::inlineStorageCapacity):
    (JSC::Structure::isUsingInlineStorage):
    (JSC::JSObject::putDirectInternal):
    (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
    (JSC::JSObject::putDirectWithoutTransition):
    * runtime/Structure.cpp:
    (JSC::Structure::Structure):
    (JSC::nextPropertyStorageCapacity):
    (JSC):
    (JSC::Structure::growPropertyStorageCapacity):
    (JSC::Structure::suggestedNewPropertyStorageSize):
    * runtime/Structure.h:
    (JSC::Structure::putWillGrowPropertyStorage):
    (Structure):
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@121633 268f45cc-cd09-0410-ab3c-d52691b4dbfc