1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-10-25 04:22:34 +00:00
Commit graph

35 commits

Author SHA1 Message Date
Andreas Kling
1e90379008 LibJS: Introduce "dictionary" mode for object shapes
This is similar to "unique" shapes, which were removed in commit
3d92c26445.

The key difference is that dictionary shapes don't have a serial number,
but instead have a "cacheable" flag.

Shapes become dictionaries after 64 transitions have occurred, at which
point no further transitions occur.

As long as properties are only added to a dictionary shape, it remains
cacheable. (Since if we've cached the shape pointer in an IC somewhere,
we know the IC is still valid.)

Deleting a property from a dictionary shape causes it to become an
uncacheable dictionary.

Note that deleting a property from a non-dictionary shape still performs
a delete transition.

This fixes an issue on Discord where Object.freeze() would eventually
OOM us, since they add more than 16000 properties to a single object
before freezing it.

It also yields a 15% speedup on Octane/pdfjs.js :^)
2023-12-16 14:25:58 +01:00
Andreas Kling
8eacb81eba LibJS: Skip redundant marking of Shape property table keys
All the keys in a property table are guaranteed to be marked via
Shape::m_property_key in each step of the transition chain that leads
up to the Shape.
2023-12-11 20:36:15 +01:00
Andreas Kling
3d92c26445 LibJS: Stop making shapes unique
We previously had a concept of unique shapes, which meant that they
couldn't be shared between multiple objects.

Object shapes became unique in three situations:

- They were the shape of the global object.
- They had more than 100 properties added to them.
- They had one or more properties deleted from them.

Unfortunately, unique shapes presented an annoying problem for inline
caches, and we added a "unique shape serial number" for being able to
tell that a unique shape had been mutated.

This patch gets rid of the concept of unique shapes, simplifying all
the caching code, since inline caches can now simply perform a shape
check and then we're good.

To make this possible, we now have the concept of delete transitions,
which occur when a property is deleted from a shape.

Note that this patch by itself introduces a performance regression in
some situtations, since we now create a lot more shapes, and marking
their property keys can be very heavy. This will be addressed in a
subsequent patch.
2023-12-11 20:36:15 +01:00
Andreas Kling
ef86cf4646 LibJS: Mark forward shape transition keys
These should really be weakly held by the Shape, but we don't have a
mechanism for weak hashmap keys at the moment, so let's just mark
these for now so they don't go stale.
2023-12-11 20:36:15 +01:00
Andreas Kling
3c74dc9f4d LibJS: Segregate GC-allocated objects by type
This patch adds two macros to declare per-type allocators:

- JS_DECLARE_ALLOCATOR(TypeName)
- JS_DEFINE_ALLOCATOR(TypeName)

When used, they add a type-specific CellAllocator that the Heap will
delegate allocation requests to.

The result of this is that GC objects of the same type always end up
within the same HeapBlock, drastically reducing the ability to perform
type confusion attacks.

It also improves HeapBlock utilization, since each block now has cells
sized exactly to the type used within that block. (Previously we only
had a handful of block sizes available, and most GC allocations ended
up with a large amount of slack in their tails.)

There is a small performance hit from this, but I'm sure we can make
up for it elsewhere.

Note that the old size-based allocators still exist, and we fall back
to them for any type that doesn't have its own CellAllocator.
2023-11-19 12:10:31 +01:00
Andreas Kling
e33145aa4b LibJS: Use OrderedHashMap for the Shape property table
This allows us to get rid of property_table_ordered() which was a
heavy-handed way of iterating properties in insertion order by first
copying them to a sorted Vector.

Clients can now simply iterate property_table() directly.

3% speed-up on Kraken/ai-astar.js :^)
2023-09-17 21:00:11 +02:00
Andreas Kling
cf6792ec40 LibJS/Bytecode: Invalidate inline caches on unique shape mutation
Since we can't rely on shape identity (i.e its pointer address) for
unique shapes, give them a serial number that increments whenever a
mutation occurs.

Inline caches can then compare this serial number against what they
have seen before.
2023-07-11 00:14:50 +02:00
Matthew Olsson
a9d192e882 LibJS+LibWeb: Explicitly mark ignored members in visit_edges methods 2023-04-30 06:04:33 +02:00
Matthew Olsson
82eeee2008 LibJS+LibWeb: Normalize calls to Base::visit_edges in GC objects 2023-04-30 06:04:33 +02:00
Matthew Olsson
7c0c1c8f49 LibJS+LibWeb: Wrap raw JS::Cell*/& fields in GCPtr/NonnullGCPtr 2023-03-15 08:48:49 +01:00
Linus Groh
22089436ed LibJS: Convert Heap::allocate{,_without_realm}() to NonnullGCPtr 2022-12-15 06:56:37 -05:00
Linus Groh
72730422bb LibJS: Remove Shape::global_object() and Object::global_object()
Same reason as in commit 275dea9.
2022-08-28 16:36:56 +01:00
Linus Groh
e992a9f469 LibJS+LibWeb: Replace GlobalObject with Realm in Heap::allocate<T>()
This is a continuation of the previous three commits.

Now that create() receives the allocating realm, we can simply forward
that to allocate(), which accounts for the majority of these changes.
Additionally, we can get rid of the realm_from_global_object() in one
place, with one more remaining in VM::throw_completion().
2022-08-23 13:58:30 +01:00
Andreas Kling
50d951aea2 LibJS: Let Shape store a Realm instead of a GlobalObject
This is a cautious first step towards being able to create JS objects
before a global object has been instantiated.
2022-08-05 12:42:46 +02:00
Andreas Kling
343d699627 LibJS: Add missing Vector::in_reverse() in ensure_property_table()
Regressed with 35fcb028e9.
2022-04-13 21:02:37 +02:00
Andreas Kling
35fcb028e9 LibJS: Tidy up Shape::ensure_property_table() a little bit
- Use a vector or references for the transition chain since null shapes
  are not allowed in the chain.

- Use Vector::in_reverse() for iterating the chain backwards.
2022-04-13 19:52:25 +02:00
Idan Horowitz
086969277e Everywhere: Run clang-format 2022-04-01 21:24:45 +01:00
Lenny Maiorani
d00b79568f Libraries: Use default constructors/destructors in LibJS
https://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines#cother-other-default-operation-rules

"The compiler is more likely to get the default semantics right and
you cannot implement these functions better than the compiler."
2022-03-16 16:19:40 +00:00
Linus Groh
6f20f49b21 Everywhere: Rename JS::PropertyKey variables from property_{name => key}
PropertyKey used to be called PropertyName, but got renamed. Let's
update all the variables of this type as well.
2022-02-06 22:02:45 +00:00
davidot
8da6c01d8f LibJS: Remove the JS_TRACK_ZOMBIE_CELLS option
This feature had bitrotted somewhat and would trigger errors because
PrimitiveStrings were "destroyed" but because of this mode they were not
removed from the string cache. Even fixing that case running test-js
with the options still failed in more places.
2022-02-05 11:52:51 +01:00
Andreas Kling
8bdf6441b1 LibJS: Use u32 for the JS::Shape property count
We don't need to support more than 2^32 object properties anyway, so
there's no point in using 64-bit property counts.

This small reduction in memory usage makes test-js run ~10% faster on
x86_64 locally.
2022-01-31 16:19:23 +01:00
Andreas Kling
4a51165f5f LibJS: Reorganize JS::Shape members a little bit
Now that AK::Weakable doesn't have a bunch of padding at the end,
let's move the smaller members of JS::Shape to the end, since there's
nothing to fold into at the start.
2022-01-31 16:19:23 +01:00
Andreas Kling
1469057033 LibJS: Make JS::Shape smaller by using OwnPtr<HashMap> for transitions
Many shapes don't have any forward transitions to cache, so we can save
a bunch of memory (and time) by only creating the cache maps when
actually needed.
2022-01-31 16:19:23 +01:00
Andreas Kling
398c181c79 LibJS: Rename PropertyName to PropertyKey
Let's use the same name as the spec. :^)
2021-10-24 17:18:07 +02:00
Andreas Kling
6a1b82df2b LibJS: Put zombie cell tracking code behind a compile-time flag
Since this is a debug-only feature, let's not have it impact GC marking
performance when you don't need it.
2021-10-02 16:39:28 +02:00
Ali Mohammad Pur
36516a4c47 LibJS: Take a pointer in get_or_prune_cached_prototype_transition()
Prototypes can be set to null, and while the previous version also kinda
allowed null (by not reading through the null reference), it was making
UBSAN very sad.
2021-10-01 09:20:25 +03:30
Andreas Kling
14c57b4b7f LibJS: Remove transition avoidance & start caching prototype transitions
The way that transition avoidance (foo_without_transition) was
implemented led to shapes being unshareable and caused shape explosion
instead, precisely what we were trying to avoid.

This patch removes all the attempts to avoid transitioning shapes, and
instead *adds* transitions when changing an object's prototype.
This makes transitions flow naturally, and as a result we end up with
way fewer shape objects in real-world situations.

When we run out of big problems, we can get back to avoiding transitions
as an optimization, but for now, let's avoid ballooning our processes
with a unique shape for every object.
2021-10-01 02:59:29 +02:00
Andreas Kling
b9eb8d00ca LibJS: Revoke any outstanding WeakPtr<Shape> when zombifying shapes
The forward transition cache in Shape uses WeakPtr<Shape> to learn when
a cached transition has been garbage collected.

When running in zombification mode, we have to explicitly revoke any
outstanding WeakPtrs to a Shape when it becomes a zombie. That ensures
that it gets pruned from transition caches.
2021-09-11 17:01:45 +02:00
Linus Groh
09bd5f8772 LibJS: Rewrite most of Object for spec compliance :^)
This is a huge patch, I know. In hindsight this perhaps could've been
done slightly more incremental, but I started and then fixed everything
until it worked, and here we are. I tried splitting of some completely
unrelated changes into separate commits, however. Anyway.

This is a rewrite of most of Object, and by extension large parts of
Array, Proxy, Reflect, String, TypedArray, and some other things.

What we already had worked fine for about 90% of things, but getting the
last 10% right proved to be increasingly difficult with the current code
that sort of grew organically and is only very loosely based on the
spec - this became especially obvious when we started fixing a large
number of test262 failures.

Key changes include:

- 1:1 matching function names and parameters of all object-related
  functions, to avoid ambiguity. Previously we had things like put(),
  which the spec doesn't have - as a result it wasn't always clear which
  need to be used.
- Better separation between object abstract operations and internal
  methods - the former are always the same, the latter can be overridden
  (and are therefore virtual). The internal methods (i.e. [[Foo]] in the
  spec) are now prefixed with 'internal_' for clarity - again, it was
  previously not always clear which AO a certain method represents,
  get() could've been both Get and [[Get]] (I don't know which one it
  was closer to right now).
  Note that some of the old names have been kept until all code relying
  on them is updated, but they are now simple wrappers around the
  closest matching standard abstract operation.
- Simplifications of the storage layer: functions that write values to
  storage are now prefixed with 'storage_' to make their purpose clear,
  and as they are not part of the spec they should not contain any steps
  specified by it. Much functionality is now covered by the layers above
  it and was removed (e.g. handling of accessors, attribute checks).
- PropertyAttributes has been greatly simplified, and is being replaced
  by PropertyDescriptor - a concept similar to the current
  implementation, but more aligned with the actual spec. See the commit
  message of the previous commit where it was introduced for details.
- As a bonus, and since I had to look at the spec a whole lot anyway, I
  introduced more inline comments with the exact steps from the spec -
  this makes it super easy to verify correctness.
- East-const all the things.

As a result of all of this, things are much more correct but a bit
slower now. Retaining speed wasn't a consideration at all, I have done
no profiling of the new code - there might be low hanging fruits, which
we can then harvest separately.

Special thanks to Idan for helping me with this by tracking down bugs,
updating everything outside of LibJS to work with these changes (LibWeb,
Spreadsheet, HackStudio), as well as providing countless patches to fix
regressions I introduced - there still are very few (we got it down to
5), but we also get many new passing test262 tests in return. :^)

Co-authored-by: Idan Horowitz <idan.horowitz@gmail.com>
2021-07-04 22:07:36 +01:00
Andreas Kling
5eef07d232 LibJS: Avoid lots of string-to-int during global object construction
We were doing a *lot* of string-to-int conversion while creating a new
global object. This happened because Object::put() would try to convert
the property name (string) to an integer to see if it refers to an
indexed property.

Sidestep this issue by using PropertyName for the CommonPropertyNames
struct on VM (vm.names.foo), and giving PropertyName a flag that tells
us whether it's a string that *may be* a number.

All CommonPropertyNames are set up so they are known to not be numbers.
2021-06-13 19:11:29 +02:00
Andreas Kling
61c56e75f4 LibJS: Flatten Shape::property_table()
In the common case, we take the early return in ensure_property_table()
so let's make sure it gets inlined into property_table().
2021-06-07 10:22:25 +02:00
Andreas Kling
e0493c509e LibJS: Make the forward transition chain weakly cached
Before this patch, every shape would permanently remember every other
shape it had ever transitioned to. This could lead to pathological
accumulation of unused shape objects in some cases.

Fix this by using WeakPtr instead of a strongly visited Shape* in the
the forward transition chain map. This means that we will now miss out
on some shape sharing opportunities, but since this is not required
for correctness it doesn't matter.

Note that the backward transition chain is still strongly cached,
as it's necessary for the reification of property tables.

An interesting future optimization could be to allow property tables
to get garbage collected (by detaching them from the shape object)
and then reconstituted from the backwards transition chain (if needed.)
2021-05-17 21:40:18 +02:00
Brian Gianforcaro
1682f0b760 Everything: Move to SPDX license identifiers in all files.
SPDX License Identifiers are a more compact / standardized
way of representing file license information.

See: https://spdx.dev/resources/use/#identifiers

This was done with the `ambr` search and replace tool.

 ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt *
2021-04-22 11:22:27 +02:00
Andreas Kling
5d180d1f99 Everywhere: Rename ASSERT => VERIFY
(...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED)

Since all of these checks are done in release builds as well,
let's rename them to VERIFY to prevent confusion, as everyone is
used to assertions being compiled out in release.

We can introduce a new ASSERT macro that is specifically for debug
checks, but I'm doing this wholesale conversion first since we've
accumulated thousands of these already, and it's not immediately
obvious which ones are suitable for ASSERT.
2021-02-23 20:56:54 +01:00
Andreas Kling
13d7c09125 Libraries: Move to Userland/Libraries/ 2021-01-12 12:17:46 +01:00
Renamed from Libraries/LibJS/Runtime/Shape.cpp (Browse further)