Closed
Bug 1461339
Opened 6 years ago
Closed 6 years ago
Don't eagerly sparsify dense elements in NativeDefineProperty
Categories
(Core :: JavaScript Engine, enhancement)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla62
| Tracking | Status | |
|---|---|---|
| firefox62 | --- | fixed |
People
(Reporter: anba, Assigned: anba)
Details
Attachments
(1 file)
|
12.16 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
When a dense element is redefined to a non-writable property in NativeDefineProperty (and the property descriptor has no value field!), the element is first changed to a sparse property and then AddOrChangeProperty is called which updates the property attributes. Similar code is present when redefining a dense element to an accessor property [2]. I don't think it's necessary to sparsify the dense element here, given that, for example, we don't do it when the redefining a dense element to a non-configurable property. [1] https://searchfox.org/mozilla-central/rev/a85db9e29eb3f022dbaf8b9a6390ecbacf51e7dd/js/src/vm/NativeObject.cpp#1807-1812 [2] https://searchfox.org/mozilla-central/rev/a85db9e29eb3f022dbaf8b9a6390ecbacf51e7dd/js/src/vm/NativeObject.cpp#1789-1794
|
||
Comment 1•6 years ago
|
||
That means we can remove sparsifyDenseElement? Cool!
|
Assignee | |
Comment 2•6 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #1) > That means we can remove sparsifyDenseElement? Cool! Exactly! :-) In addition to the sparsifyDenseElement removal, the patch: - Changes |NativeObject::removeDenseElementForSparseIndex()| to a non-static method to better match its sibling methods in NativeObject. - Adds an assertion to |removeDenseElementForSparseIndex()| to ensure a sparse property is actually present. (The assertion is not needed for correctness, it is only intended to help to understand the code.) - And changes |removeDenseElementForSparseIndex()| to call |setDenseElement()| instead of |setDenseElementUnchecked()|, because |removeDenseElementForSparseIndex()| is now only called in situations where the elements are definitely not frozen. - |setDenseElementUnchecked()| is now only called in ||setDenseElement()|, so let's inline it and then remove |setDenseElementUnchecked()|. And do the same for |setDenseInitializedLengthUnchecked()|.
Attachment #8975492 -
Flags: review?(jdemooij)
|
|
||
Comment 3•6 years ago
|
||
Comment on attachment 8975492 [details] [diff] [review] bug1461339.patch Review of attachment 8975492 [details] [diff] [review]: ----------------------------------------------------------------- \o/
Attachment #8975492 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 4•6 years ago
|
||
Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=9eb37cd3af9041b56671d6438b03cf339789234d
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1910489ee839 Don't sparsify dense elements eagerly in NativeDefineProperty. r=jandem
Keywords: checkin-needed
|
||
Comment 6•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/1910489ee839
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
You need to log in
before you can comment on or make changes to this bug.
Description
•