| blob | b47b43e86caf3d482f544150d9d3078ed0b0ff25 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef vm_PropMap_h
8 #define vm_PropMap_h
18 // [SMDOC] Property Maps
19 //
20 // Property maps are used to store information about native object properties.
21 // Each property map represents an ordered list of (PropertyKey, PropertyInfo)
22 // tuples.
23 //
24 // Each property map can store up to 8 properties (see PropMap::Capacity). To
25 // store more than eight properties, multiple maps must be linked together with
26 // the |previous| pointer.
27 //
28 // Shapes and Property Maps
29 // ------------------------
30 // Native object shapes represent property information as a (PropMap*, length)
31 // tuple. When there are no properties yet, the shape's map will be nullptr and
32 // the length is zero.
33 //
34 // For example, consider the following objects:
35 //
36 // o1 = {x: 1, y: 2}
37 // o2 = {x: 3, y: 4, z: 5}
38 //
39 // This is stored as follows:
40 //
41 // +-------------+ +--------------+ +-------------------+
42 // | JSObject o1 | | Shape S1 | | PropMap M1 |
43 // |-------------+ +--------------+ +-------------------+
44 // | shape: S1 -+---> | map: M1 -+--+> | key 0: x (slot 0) |
45 // | slot 0: 1 | | mapLength: 2 | | | key 1: y (slot 1) |
46 // | slot 1: 2 | +--------------+ | | key 2: z (slot 2) |
47 // +-------------+ | | ... |
48 // | +-------------------+
49 // |
50 // +-------------+ +--------------+ |
51 // | JSObject o2 | | Shape S2 | |
52 // |-------------+ +--------------+ |
53 // | shape: S2 -+---> | map: M1 -+--+
54 // | slot 0: 3 | | mapLength: 3 |
55 // | slot 1: 4 | +--------------+
56 // | slot 2: 5 |
57 // +-------------+
58 //
59 // There's a single map M1 shared by shapes S1 and S2. Shape S1 includes only
60 // the first two properties and shape S2 includes all three properties.
61 //
62 // Class Hierarchy
63 // ---------------
64 // Property maps have the following C++ class hierarchy:
65 //
66 // PropMap (abstract)
67 // |
68 // +-- SharedPropMap (abstract)
69 // | |
70 // | +-- CompactPropMap
71 // | |
72 // | +-- NormalPropMap
73 // |
74 // +-- DictionaryPropMap
75 //
76 // * PropMap: base class. It has a flags word and an array of PropertyKeys.
77 //
78 // * SharedPropMap: base class for all shared property maps. See below for more
79 // information on shared maps.
80 //
81 // * CompactPropMap: a shared map that stores its information more compactly
82 // than the other maps. It saves four words by not storing a
83 // PropMapTable, previous pointer, and by using a more compact
84 // PropertyInfo type for slot numbers that fit in one byte.
85 //
86 // * NormalPropMap: a shared map, used when CompactPropMap can't be used.
87 //
88 // * DictionaryPropMap: an unshared map (used by a single object/shape). See
89 // below for more information on dictionary maps.
90 //
91 // Secondary hierarchy
92 // -------------------
93 // NormalPropMap and DictionaryPropMap store property information in the same
94 // way. This means property lookups don't have to distinguish between these two
95 // types. This is represented with a second class hierarchy:
96 //
97 // PropMap (abstract)
98 // |
99 // +-- CompactPropMap
100 // |
101 // +-- LinkedPropMap (NormalPropMap or DictionaryPropMap)
102 //
103 // Property lookup and property iteration are very performance sensitive and use
104 // this Compact vs Linked "view" so that they don't have to handle the three map
105 // types separately.
106 //
107 // LinkedPropMap also stores the PropMapTable and a pointer to the |previous|
108 // map. Compact maps don't have these fields.
109 //
110 // To summarize these map types:
111 //
112 // +-------------------+-------------+--------+
113 // | Concrete type | Shared/tree | Linked |
114 // +-------------------+-------------+--------+
115 // | CompactPropMap | yes | no |
116 // | NormalPropMap | yes | yes |
117 // | DictionaryPropMap | no | yes |
118 // +-------------------+-------------+--------+
119 //
120 // PropMapTable
121 // ------------
122 // Finding the PropertyInfo for a particular PropertyKey requires a linear
123 // search if the map is small. For larger maps we can create a PropMapTable, a
124 // hash table that maps from PropertyKey to PropMap + index, to speed up
125 // property lookups.
126 //
127 // To save memory, property map tables can be discarded on GC and recreated when
128 // needed. AutoKeepPropMapTables can be used to avoid discarding tables in a
129 // particular zone. Methods to access a PropMapTable take either an
130 // AutoCheckCannotGC or AutoKeepPropMapTables argument, to help ensure tables
131 // are not purged while we're using them.
132 //
133 // Shared Property Maps
134 // --------------------
135 // Shared property maps can be shared per-Zone by objects with the same property
136 // keys, flags, and slot numbers. To make this work, shared maps form a tree:
137 //
138 // - Each Zone has a table that maps from first PropertyKey + PropertyInfo to
139 // a SharedPropMap that begins with that property. This is used to lookup the
140 // the map to use when adding the first property.
141 // See ShapeZone::initialPropMaps.
142 //
143 // - When adding a property other than the first one, the property is stored in
144 // the next entry of the same map when possible. If the map is full or the
145 // next entry already stores a different property, a child map is created and
146 // linked to the parent map.
147 //
148 // For example, imagine we want to create these objects:
149 //
150 // o1 = {x: 1, y: 2, z: 3}
151 // o2 = {x: 1, y: 2, foo: 4}
152 //
153 // This will result in the following maps being created:
154 //
155 // +---------------------+ +---------------------+
156 // | SharedPropMap M1 | | SharedPropMap M2 |
157 // +---------------------+ +---------------------+
158 // | Child M2 (index 1) -+--> | Parent M1 (index 1) |
159 // +---------------------+ +---------------------+
160 // | 0: x | | 0: x |
161 // | 1: y | | 1: y |
162 // | 2: z | | 2: foo |
163 // | ... | | ... |
164 // +---------------------+ +---------------------+
165 //
166 // M1 is the map used for initial property "x". Properties "y" and "z" can be
167 // stored inline. When later adding "foo" following "y", the map has to be
168 // forked: a child map M2 is created and M1 remembers this transition at
169 // property index 1 so that M2 will be used the next time properties "x", "y",
170 // and "foo" are added to an object.
171 //
172 // Shared maps contain a TreeData struct that stores the parent and children
173 // links for the SharedPropMap tree. The parent link is a tagged pointer that
174 // stores both the parent map and the property index of the last used property
175 // in the parent map before the branch. The children are stored similarly: the
176 // parent map can store a single child map and index, or a set of children.
177 // See SharedChildrenPtr.
178 //
179 // Looking up a child map can then be done based on the index of the last
180 // property in the parent map and the new property's key and flags. So for the
181 // example above, the lookup key for M1 => M2 is (index 1, "foo", <flags>).
182 //
183 // Note: shared maps can have both a |previous| map and a |parent| map. They are
184 // equal when the previous map was full, but can be different maps when
185 // branching in the middle of a map like in the example above: M2 has parent M1
186 // but does not have a |previous| map (because it only has three properties).
187 //
188 // Dictionary Property Maps
189 // ------------------------
190 // Certain operations can't be implemented (efficiently) for shared property
191 // maps, for example changing or deleting a property other than the last one.
192 // When this happens the map is copied as a DictionaryPropMap.
193 //
194 // Dictionary maps are unshared so can be mutated in place (after generating a
195 // new shape for the object).
196 //
197 // Unlike shared maps, dictionary maps can have holes between two property keys
198 // after removing a property. When there are more holes than properties, the
199 // map is compacted. See DictionaryPropMap::maybeCompact.
211 // Template class for storing a PropMap* and a property index as tagged pointer.
224 }
237 }
241 }
247 }
250 }
259 // Children of shared maps. This is either:
260 //
261 // - None (no children)
262 // - SingleMapAndIndex (one child map, including the property index of the last
263 // property before the branch)
264 // - SharedChildrenSet (multiple children)
265 //
266 // Because SingleMapAndIndex use all bits, this relies on the HasChildrenSet
267 // flag in the map to distinguish the latter two cases.
281 }
286 }
289 // Ensures no property map tables are purged in the current zone.
299 };
301 // Hash table to optimize property lookups on larger maps. This maps from
302 // PropertyKey to PropMapAndIndex.
309 };
311 // Small lookup cache. This has a hit rate of 30-60% on most workloads and is
312 // a lot faster than the full HashSet lookup.
314 PropertyKey key;
315 PropMapAndIndex result;
316 };
321 Set set_;
328 }
329 }
330 }
335 #ifdef DEBUG
338 #endif
340 }
341 }
343 }
348 }
351 }
361 // This counts the PropMapTable object itself (which must be heap-allocated)
362 // and its HashSet.
365 }
367 // init() is fallible and reports OOM to the context.
374 #ifdef DEBUG
377 }
378 #endif
384 }
387 }
392 }
393 }
398 }
404 }
407 #ifdef JSGC_HASH_TABLE_CHECKS
409 #endif
410 };
414 // Number of properties that can be stored in each map. This must be small
415 // enough so that every index fits in a tagged PropMap* pointer (MapAndIndex).
423 // Set if this is a CompactPropMap.
426 // Set if this map has a non-null previous map pointer. Never set for
427 // compact maps because they don't have a previous field.
430 // Set if this is a DictionaryPropMap.
433 // Set if this map can have a table. Never set for compact maps. Always set
434 // for dictionary maps.
437 // If set, this SharedPropMap has a SharedChildrenSet. Else it either has no
438 // children or a single child. See SharedChildrenPtr. Never set for
439 // dictionary maps.
442 // If set, this SharedPropMap was once converted to dictionary mode. This is
443 // only used for heuristics. Never set for dictionary maps.
446 // For SharedPropMap this stores the number of previous maps, clamped to
447 // NumPreviousMapsMax. This is used for heuristics.
451 };
453 // Flags word, stored in the cell header. Note that this hides the
454 // Cell::flags() method.
466 }
470 }
500 }
504 }
508 #ifdef DEBUG
512 #endif
521 }
542 };
548 // Shared maps are stored in a tree structure. Each shared map has a TreeData
549 // struct linking the map to its parent and children. Initial maps (the ones
550 // stored in ShapeZone's initialPropMaps table) don't have a parent.
552 SharedChildrenPtr children;
553 SharedPropMapAndIndex parent;
557 }
558 };
564 PropertyInfo prop);
573 PropertyInfo prop);
576 PropertyInfo prop);
582 // Clamp to NumPreviousMapsMax. This is okay because this value is only used
583 // for heuristics.
586 }
588 }
596 }
599 // Heuristics used when adding a property via NativeObject::addProperty and
600 // friends:
601 //
602 // * If numPreviousMaps >= NumPrevMapsForAddConsiderDictionary, consider
603 // converting the object to a dictionary object based on other heuristics.
604 //
605 // * If numPreviousMaps >= NumPrevMapsForAddAlwaysDictionary, always convert
606 // the object to a dictionary object.
613 // The number of properties that can definitely be added to an object without
614 // triggering dictionary mode conversion in NativeObject::addProperty.
625 }
631 }
644 }
653 }
655 // Number of slots required for objects with this map/mapLength.
663 }
666 // The object only has custom data properties.
668 }
669 // Some builtin objects store properties in reserved slots. Make sure the
670 // slot span >= numReserved. See addPropertyInReservedSlot.
672 }
677 }
679 // Add a new property to this map. Returns the new map/mapLength, slot number,
680 // and object flags.
686 // Like addProperty, but for when the slot number is a reserved slot. A few
687 // builtin objects use this for initial properties.
694 // Like addProperty, but for when the caller already knows the slot number to
695 // use (or wants to assert this exact slot number is used).
702 // Like addProperty, but for adding a custom data property.
706 PropertyFlags flags,
709 // Freeze or seal all properties by creating a new shared map. Returns the new
710 // map and object flags.
717 // Create a new dictionary map as copy of this map.
721 };
725 TreeData treeData_;
735 }
742 }
743 }
749 }
766 }
767 };
769 // Layout shared by NormalPropMap and DictionaryPropMap.
782 };
783 Data data_;
800 }
804 }
806 }
810 }
812 }
819 }
820 }
822 #ifdef DEBUG
824 #endif
829 }
830 };
839 TreeData treeData_;
842 PropertyInfo prop)
849 }
850 }
852 }
858 }
861 }
865 }
866 }
872 }
884 }
892 }
893 };
902 // SHAPE_INVALID_SLOT or head of slot freelist in owning dictionary-mode
903 // object.
906 // Number of holes for removed properties in this and previous maps. Used by
907 // compacting heuristics.
911 PropertyInfo prop)
916 }
923 }
924 }
931 }
932 }
938 }
944 }
948 }
960 holeCount_--;
961 }
979 }
987 }
989 // Add a new property to this map. Returns the new map/mapLength and object
990 // flags. The caller is responsible for generating a new dictionary shape.
996 // Remove the property referenced by the table pointer. Returns the new
997 // map/mapLength. The caller is responsible for generating a new dictionary
998 // shape.
1004 // Turn all sparse elements into dense elements. The caller is responsible
1005 // for checking all sparse elements are plain data properties and must
1006 // generate a new shape for the object.
1011 // Freeze or seal all properties in this map. Returns the new object flags.
1012 // The caller is responsible for generating a new shape for the object.
1017 // Change a property's slot number and/or flags and return the new object
1018 // flags. The caller is responsible for generating a new shape.
1023 // Like changeProperty, but doesn't change the slot number.
1028 }
1033 }
1034 };
1039 }
1043 }
1047 }
1051 }
1055 }
1059 }
1063 }
1067 }
1071 }
1075 }
1080 }
1084 }
1088 }
1091 PropertyInfo prop) {
1096 }
1097 }
1103 }
1107 }
1109 PropertyKey key) {
1112 }
1114 // Hash policy for SharedPropMap children.
1119 PropertyKey key;
1120 PropertyInfo prop;
1127 };
1132 }
1138 }
1139 };
1143 // JS::ubi::Nodes can point to PropMaps; they're js::gc::Cell instances
1144 // with no associated compartment.
1156 }
1162 };