1298878 - Don't store builtin constructors on the global in reserved slots

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jan de Mooij [:jandem]]

Attachment: Patch

The global object uses 3 * JSProto_LIMIT slots to store the following values for each proto key:

* The original constructor.
* The prototype.
* The current value of the property.

The last one is problematic: using addProperty with an explicit slot like that turns all globals into dictionary mode objects. If we store these values in non-reserved slots, globals can be non-dictionary objects and we will share their Shape lineage within a zone (bug 1295967).

Fortunately, these values don't have to be in reserved slots. I think we can use DefineProperty instead of obj->addDataProperty, that also lets us shrink the number of reserved slots.

Comment 1

[Jan de Mooij [:jandem]]

Comment on attachment 8786030 [details] [diff] [review]
Patch

Review of attachment 8786030 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/GlobalObject.h
@@ +67,5 @@
>      /*
>       * Count of slots to store built-in constructors, prototypes, and initial
>       * visible properties for the constructors.
>       */
> +    static const unsigned STANDARD_CLASS_SLOTS  = JSProto_LIMIT * 2;

I'll change the comment to something like: "Count of slots to store builtin prototypes and initial visible properties for the constructors."

Comment 2

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d128c9990a76
Don't store the actual builtin constructor properties on the global in reserved slots. r=Waldo

Comment 3

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/d128c9990a76