AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
d0e84c8ebd
v8/test/mjsunit/harmony
History
littledan 04c8c11ee5 Make array __proto__ manipulations not disturb the species protector 
Previously, the species protector was invalidated whenever the __proto__ of
an Array instance was manipulated. Then, if the map's new_target_is_base field
remained set, it was correct to conclude that GetPrototypeOf(array) was
%ArrayPrototype%. However, this choice caused the popular D3 framework to
invalidate the species protector, causing many functions to become slower.

This patch eliminates that aspect of the species protector. Instead, the check
is to look at the instance->map()->prototype(). It is valid to look directly
at the map's prototype slot, ignoring hidden prototypes and proxies, because
- This is only called on Array instances, so the receiver cannot be a Proxy.
- For hidden prototypes, any inaccuracy would only result in conservatively
  taking the slow path.

Theoretically, this patch could make methods applied to arrays from other
contexts slower. However, the slowdown would only affect a particular array
instance and not have a global spill-over effect. Further, the slowdown could
be addressed by tracking, either in the instance's map or in the actual
prototype object, whether it is a %ArrayPrototype% from any context, in a way
which is cheap to query, and use that rather than comparing to the currently
executing native context.

In interactive testing, this patch led the OnShape CAD system to experience
faster load times (110+s -> 40s).

BUG=chromium:606207
LOG=Y

Review-Url: https://codereview.chromium.org/1936393002
Cr-Commit-Position: refs/heads/master@{#36033}
2016-05-04 16:48:50 +00:00
..
regress Remove support for Object.observe 2016-04-22 09:02:41 +00:00
array-species-constructor-accessor.js Make array __proto__ manipulations not disturb the species protector 2016-05-04 16:48:50 +00:00
array-species-constructor-delete.js Make array __proto__ manipulations not disturb the species protector 2016-05-04 16:48:50 +00:00
array-species-constructor.js Make array __proto__ manipulations not disturb the species protector 2016-05-04 16:48:50 +00:00
array-species-delete.js Make array __proto__ manipulations not disturb the species protector 2016-05-04 16:48:50 +00:00
array-species-modified.js Make array __proto__ manipulations not disturb the species protector 2016-05-04 16:48:50 +00:00
array-species-parent-constructor.js Make array __proto__ manipulations not disturb the species protector 2016-05-04 16:48:50 +00:00
array-species-proto.js Make array __proto__ manipulations not disturb the species protector 2016-05-04 16:48:50 +00:00
array-species.js Remove runtime flags for Proxy and Reflect 2016-03-21 19:40:02 +00:00
arraybuffer-species.js TypedArray and ArrayBuffer support for @@species 2016-01-12 06:07:59 +00:00
atomics.js [Atomics] Make Atomics.store a builtin using TF 2016-05-03 17:28:34 +00:00
block-lazy-compile.js
dataview-accessors.js
do-expressions-control.js [fullcodegen] Implement control flow across do-expressions. 2016-02-24 11:06:08 +00:00
do-expressions.js Remove runtime flags for sloppy mode block scoping features 2016-04-08 00:30:20 +00:00
exponentiation-operator.js Remove runtime flags for Proxy and Reflect 2016-03-21 19:40:02 +00:00
for-in.js Add flag for disallowing for-in initializers 2016-04-22 12:04:15 +00:00
function-name.js Remove destructuring and default arguments runtime flags 2016-03-10 23:22:30 +00:00
function-sent.js [generators] Implement Generator.prototype.return. 2016-02-04 17:14:15 +00:00
futex.js [Atomics] Fix atomic access index validation 2016-03-25 21:52:52 +00:00
generators.js [generators] Perform state dispatch in loop header. 2016-04-27 12:42:10 +00:00
harmony-string-pad-end.js [esnext] implement StringPad spec changes from March TC39 meeting 2016-04-27 22:03:27 +00:00
harmony-string-pad-start.js [esnext] implement StringPad spec changes from March TC39 meeting 2016-04-27 22:03:27 +00:00
instanceof-es6.js ES6: Desugaring of instanceof to support @@hasInstance 2016-02-19 19:20:38 +00:00
iterator-close.js Correctly set the closing condition in array patterns. 2016-04-28 10:01:23 +00:00
module-parsing-eval.js Remove --harmony-modules flag and let embedder decide when modules are used 2016-03-15 00:45:00 +00:00
modules.js Enable compiling mjsunit tests as ES6 modules 2015-02-10 19:11:55 +00:00
object-entries.js [esnext] handle elements in FastObjectValuesOrEntries() 2016-03-28 15:54:23 +00:00
object-get-own-property-descriptors.js Remove runtime flags for Proxy and Reflect 2016-03-21 19:40:02 +00:00
object-values.js [esnext] handle elements in FastObjectValuesOrEntries() 2016-03-28 15:54:23 +00:00
private-symbols.js Remove runtime flags for Proxy and Reflect 2016-03-21 19:40:02 +00:00
private.js Update to ES2015 == semantics for Symbol/SIMD wrappers 2015-10-27 20:20:24 +00:00
promise-species.js Add @@species/better subclassing support to Promises 2016-01-12 06:33:15 +00:00
regexp-change-exec.js Add ES2015 RegExp full subclassing semantics behind a flag 2016-03-24 22:27:21 +00:00
regexp-lookbehind.js [regexp] break recursion in mutually recursive capture/back references. 2015-12-16 06:58:58 +00:00
regexp-no-change-exec.js Add ES2015 RegExp full subclassing semantics behind a flag 2016-03-24 22:27:21 +00:00
regexp-property-binary.js [regexp] extend \p syntax to binary and enumerated properties. 2016-04-08 05:39:43 +00:00
regexp-property-blocks.js [regexp] extend \p syntax to binary and enumerated properties. 2016-04-08 05:39:43 +00:00
regexp-property-char-class.js [regexp] extend \p syntax to binary and enumerated properties. 2016-04-08 05:39:43 +00:00
regexp-property-disabled.js [regexp] support \p in character classes. 2016-03-10 23:24:23 +00:00
regexp-property-enumerated.js [regexp] extend \p syntax to binary and enumerated properties. 2016-04-08 05:39:43 +00:00
regexp-property-exact-match.js [regexp] extend \p syntax to binary and enumerated properties. 2016-04-08 05:39:43 +00:00
regexp-property-general-category.js [regexp] require exact match for unicode property names. 2016-03-21 19:22:24 +00:00
regexp-property-scripts.js [regexp] extend \p syntax to binary and enumerated properties. 2016-04-08 05:39:43 +00:00
set-prototype-of.js Fix corner-case behavior of JSObject::SetPrototype. 2015-10-23 14:52:26 +00:00
sharedarraybuffer.js Remove --harmony-tostring runtime flag 2016-03-11 18:20:48 +00:00
simd.js Remove runtime flags for Proxy and Reflect 2016-03-21 19:40:02 +00:00
sloppy-implicit-block-function.js Restrict FunctionDeclarations in Statement position 2016-03-03 21:34:26 +00:00
sloppy-restrictive-block-function.js Restrict FunctionDeclarations in Statement position 2016-03-03 21:34:26 +00:00
species.js Add a --harmony-species flag, defining @@species on constructors 2016-01-04 19:39:59 +00:00
string-match.js [es6] Implement @@match subclassing. 2015-11-24 13:57:31 +00:00
string-replace.js Separate String.prototype.replace into RegExp.prototype[Symbol.replace] 2016-01-19 17:33:44 +00:00
string-split.js [es6] Implement @@split subclassing. 2015-11-10 07:00:44 +00:00
to-length.js [runtime] Implement %_ToLength via ToLengthStub. 2015-10-19 08:35:18 +00:00
to-name.js [es6] Implement Date.prototype[@@toPrimitive] as C++ builtin. 2015-08-31 12:53:10 +00:00
to-number.js [es6] Implement Date.prototype[@@toPrimitive] as C++ builtin. 2015-08-31 12:53:10 +00:00
to-primitive.js [es6] Implement Date.prototype[@@toPrimitive] as C++ builtin. 2015-08-31 12:53:10 +00:00
to-string.js [es6] Implement Date.prototype[@@toPrimitive] as C++ builtin. 2015-08-31 12:53:10 +00:00
typedarray-species.js TypedArray and ArrayBuffer support for @@species 2016-01-12 06:07:59 +00:00
unicode-character-ranges.js [regexp] fix off-by-one in UnicodeRangeSplitter. 2016-02-09 09:10:31 +00:00
unicode-escapes-in-regexps.js Remove --harmony-regexps flag 2016-03-25 23:02:11 +00:00
unicode-regexp-backrefs.js [regexp] back refs must not start/end in the middle of a surrogate pair 2016-01-27 10:51:30 +00:00
unicode-regexp-ignore-case-noi18n.js Revert of [regexp] implement /ui to mirror the implementation for /i. (patchset #2 id:20001 of https://codereview.chromium.org/1641613002/ ) 2016-02-02 11:44:45 +00:00
unicode-regexp-ignore-case.js Revert of [regexp] implement /ui to mirror the implementation for /i. (patchset #2 id:20001 of https://codereview.chromium.org/1641613002/ ) 2016-02-02 11:44:45 +00:00
unicode-regexp-last-index.js [regexp] step back if starting unicode regexp within surrogate pair. 2016-01-25 10:46:11 +00:00
unicode-regexp-restricted-syntax.js [regexp] parse RegExpUnicodeEscapeSequence according to spec. 2016-02-11 12:29:29 +00:00
unicode-regexp-unanchored-advance.js [regexp] simplify unanchored advance for unicode regexps. 2016-02-09 09:11:24 +00:00
unicode-regexp-zero-length.js [regexp] fix zero-length matches for RegExp.prototype.@@split. 2016-02-03 14:49:07 +00:00