| blob | 47ebe52a78afd3d8f535a0a03bd8fb2fd970c3d0 |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 #ifndef jsscope_h___
42 #define jsscope_h___
43 /*
44 * JS symbol tables.
45 */
46 #ifdef DEBUG
47 #include <stdio.h>
48 #endif
59 #ifdef _MSC_VER
60 #pragma warning(push)
61 #pragma warning(disable:4800)
62 #pragma warning(push)
64 #endif
66 /*
67 * Given P independent, non-unique properties each of size S words mapped by
68 * all scopes in a runtime, construct a property tree of N nodes each of size
69 * S+L words (L for tree linkage). A nominal L value is 2 for leftmost-child
70 * and right-sibling links. We hope that the N < P by enough that the space
71 * overhead of L, and the overhead of scope entries pointing at property tree
72 * nodes, is worth it.
73 *
74 * The tree construction goes as follows. If any empty scope in the runtime
75 * has a property X added to it, find or create a node under the tree root
76 * labeled X, and set scope->lastProp to point at that node. If any non-empty
77 * scope whose most recently added property is labeled Y has another property
78 * labeled Z added, find or create a node for Z under the node that was added
79 * for Y, and set scope->lastProp to point at that node.
80 *
81 * A property is labeled by its members' values: id, getter, setter, slot,
82 * attributes, tiny or short id, and a field telling for..in order. Note that
83 * labels are not unique in the tree, but they are unique among a node's kids
84 * (barring rare and benign multi-threaded race condition outcomes, see below)
85 * and along any ancestor line from the tree root to a given leaf node (except
86 * for the hard case of duplicate formal parameters to a function).
87 *
88 * Thus the root of the tree represents all empty scopes, and the first ply
89 * of the tree represents all scopes containing one property, etc. Each node
90 * in the tree can stand for any number of scopes having the same ordered set
91 * of properties, where that node was the last added to the scope. (We need
92 * not store the root of the tree as a node, and do not -- all we need are
93 * links to its kids.)
94 *
95 * Sidebar on for..in loop order: ECMA requires no particular order, but this
96 * implementation has promised and delivered property definition order, and
97 * compatibility is king. We could use an order number per property, which
98 * would require a sort in js_Enumerate, and an entry order generation number
99 * per scope. An order number beats a list, which should be doubly-linked for
100 * O(1) delete. An even better scheme is to use a parent link in the property
101 * tree, so that the ancestor line can be iterated from scope->lastProp when
102 * filling in a JSIdArray from back to front. This parent link also helps the
103 * GC to sweep properties iteratively.
104 *
105 * What if a property Y is deleted from a scope? If Y is the last property in
106 * the scope, we simply adjust the scope's lastProp member after we remove the
107 * scope's hash-table entry pointing at that property node. The parent link
108 * mentioned in the for..in sidebar above makes this adjustment O(1). But if
109 * Y comes between X and Z in the scope, then we might have to "fork" the tree
110 * at X, leaving X->Y->Z in case other scopes have those properties added in
111 * that order; and to finish the fork, we'd add a node labeled Z with the path
112 * X->Z, if it doesn't exist. This could lead to lots of extra nodes, and to
113 * O(n^2) growth when deleting lots of properties.
114 *
115 * Rather, for O(1) growth all around, we should share the path X->Y->Z among
116 * scopes having those three properties added in that order, and among scopes
117 * having only X->Z where Y was deleted. All such scopes have a lastProp that
118 * points to the Z child of Y. But a scope in which Y was deleted does not
119 * have a table entry for Y, and when iterating that scope by traversing the
120 * ancestor line from Z, we will have to test for a table entry for each node,
121 * skipping nodes that lack entries.
122 *
123 * What if we add Y again? X->Y->Z->Y is wrong and we'll enumerate Y twice.
124 * Therefore we must fork in such a case if not earlier, or do something else.
125 * We used to fork on the theory that set after delete is rare, but the Web is
126 * a harsh mistress, and we now convert the scope to a "dictionary" on first
127 * delete, to avoid O(n^2) growth in the property tree.
128 *
129 * What about thread safety? If the property tree operations done by requests
130 * are find-node and insert-node, then the only hazard is duplicate insertion.
131 * This is harmless except for minor bloat. When all requests have ended or
132 * been suspended, the GC is free to sweep the tree after marking all nodes
133 * reachable from scopes, performing remove-node operations as needed.
134 *
135 * Is the property tree worth it compared to property storage in each table's
136 * entries? To decide, we must find the relation <> between the words used
137 * with a property tree and the words required without a tree.
138 *
139 * Model all scopes as one super-scope of capacity T entries (T a power of 2).
140 * Let alpha be the load factor of this double hash-table. With the property
141 * tree, each entry in the table is a word-sized pointer to a node that can be
142 * shared by many scopes. But all such pointers are overhead compared to the
143 * situation without the property tree, where the table stores property nodes
144 * directly, as entries each of size S words. With the property tree, we need
145 * L=2 extra words per node for siblings and kids pointers. Without the tree,
146 * (1-alpha)*S*T words are wasted on free or removed sentinel-entries required
147 * by double hashing.
148 *
149 * Therefore,
150 *
151 * (property tree) <> (no property tree)
152 * N*(S+L) + T <> S*T
153 * N*(S+L) + T <> P*S + (1-alpha)*S*T
154 * N*(S+L) + alpha*T + (1-alpha)*T <> P*S + (1-alpha)*S*T
155 *
156 * Note that P is alpha*T by definition, so
157 *
158 * N*(S+L) + P + (1-alpha)*T <> P*S + (1-alpha)*S*T
159 * N*(S+L) <> P*S - P + (1-alpha)*S*T - (1-alpha)*T
160 * N*(S+L) <> (P + (1-alpha)*T) * (S-1)
161 * N*(S+L) <> (P + (1-alpha)*P/alpha) * (S-1)
162 * N*(S+L) <> P * (1/alpha) * (S-1)
163 *
164 * Let N = P*beta for a compression ratio beta, beta <= 1:
165 *
166 * P*beta*(S+L) <> P * (1/alpha) * (S-1)
167 * beta*(S+L) <> (S-1)/alpha
168 * beta <> (S-1)/((S+L)*alpha)
169 *
170 * For S = 6 (32-bit architectures) and L = 2, the property tree wins iff
171 *
172 * beta < 5/(8*alpha)
173 *
174 * We ensure that alpha <= .75, so the property tree wins if beta < .83_. An
175 * average beta from recent Mozilla browser startups was around .6.
176 *
177 * Can we reduce L? Observe that the property tree degenerates into a list of
178 * lists if at most one property Y follows X in all scopes. In or near such a
179 * case, we waste a word on the right-sibling link outside of the root ply of
180 * the tree. Note also that the root ply tends to be large, so O(n^2) growth
181 * searching it is likely, indicating the need for hashing (but with increased
182 * thread safety costs).
183 *
184 * If only K out of N nodes in the property tree have more than one child, we
185 * could eliminate the sibling link and overlay a children list or hash-table
186 * pointer on the leftmost-child link (which would then be either null or an
187 * only-child link; the overlay could be tagged in the low bit of the pointer,
188 * or flagged elsewhere in the property tree node, although such a flag must
189 * not be considered when comparing node labels during tree search).
190 *
191 * For such a system, L = 1 + (K * averageChildrenTableSize) / N instead of 2.
192 * If K << N, L approaches 1 and the property tree wins if beta < .95.
193 *
194 * We observe that fan-out below the root ply of the property tree appears to
195 * have extremely low degree (see the MeterPropertyTree code that histograms
196 * child-counts in jsscope.c), so instead of a hash-table we use a linked list
197 * of child node pointer arrays ("kid chunks"). The details are isolated in
198 * jsscope.c; others must treat JSScopeProperty.kids as opaque. We leave it
199 * strongly typed for debug-ability of the common (null or one-kid) cases.
200 *
201 * One final twist (can you stand it?): the mean number of entries per scope
202 * in Mozilla is < 5, with a large standard deviation (~8). Instead of always
203 * allocating scope->table, we leave it null while initializing all the other
204 * scope members as if it were non-null and minimal-length. Until a property
205 * is added that crosses the threshold of 6 or more entries for hashing, we use
206 * linear search from scope->lastProp to find a given id, and save on the space
207 * overhead of a hash table.
208 *
209 * See jspropertytree.{h,cpp} for the actual PropertyTree implementation. This
210 * file contains object property map (historical misnomer: "scope" AKA JSScope)
211 * and property tree node ("sprop", JSScopeProperty) declarations.
212 */
216 #define SPROP_INVALID_SLOT 0xffffffff
219 {
220 #ifdef JS_THREADSAFE
222 #endif
236 /*
237 * A little information hiding for scope->lastProp, in case it ever becomes
238 * a tagged pointer again.
239 */
251 /*
252 * Private pointer to the last added property and methods to manipulate the
253 * list it links among properties in this scope. The {remove,insert} pair
254 * for DictionaryProperties assert that the scope is in dictionary mode and
255 * any reachable properties are flagged as dictionary properties.
256 *
257 * NB: these private methods do *not* update this scope's shape to track
258 * lastProp->shape after they finish updating the linked list in the case
259 * where lastProp is updated. It is up to calling code in jsscope.cpp to
260 * call updateShape(cx) after updating lastProp.
261 */
264 /* These four inline methods are defined further below in this .h file. */
270 /* Defined in jsscopeinlines.h to avoid including implementation dependencies here. */
300 /* Create a mutable, owned, empty scope. */
305 /*
306 * Return an immutable, shareable, empty scope with the same ops as this
307 * and the same freeslot as this had when empty.
308 *
309 * If |this| is the scope of an object |proto|, the resulting scope can be
310 * used as the scope of a new object whose prototype is |proto|.
311 */
323 /* Add a property whose id is not yet in this scope. */
329 /* Add a data property whose id is not yet in this scope. */
333 }
335 /* Add or overwrite a property for id in this scope. */
341 /* Change the given property into a sibling with the same id in this scope. */
346 /* Remove id from this scope. */
349 /* Clear the scope, making it empty. */
352 /* Extend this scope to have sprop as its last-added property. */
355 /*
356 * Read barrier to clone a joined function object stored as a method.
357 * Defined in jsscopeinlines.h, but not declared inline per standard style
358 * in order to avoid gcc warnings.
359 */
362 /*
363 * Write barrier to check for a method value change. Defined inline below
364 * after methodReadBarrier. Two flavors to handle JSOP_*GVAR, which deals
365 * in slots not sprops, while not deoptimizing to map slot to sprop unless
366 * flags show this is necessary. The methodShapeChange overload (directly
367 * below) parallels this.
368 */
381 /* By definition, hashShift = JS_DHASH_BITS - log2(capacity). */
382 #define SCOPE_CAPACITY(scope) JS_BIT(JS_DHASH_BITS-(scope)->hashShift)
392 /*
393 * This flag toggles with each shape-regenerating GC cycle.
394 * See JSRuntime::gcRegenShapesScopeFlag.
395 */
398 /* The anti-branded flag, to avoid overspecializing. */
400 };
406 /*
407 * Don't define clearSealed, as it can't be done safely because JS_LOCK_OBJ
408 * will avoid taking the lock if the object owns its scope and the scope is
409 * sealed.
410 */
418 }
420 /*
421 * A branded scope's object contains plain old methods (function-valued
422 * properties without magic getters and setters), and its scope->shape
423 * evolves whenever a function value changes.
424 */
435 }
439 /*
440 * Here and elsewhere "unbrand" means "make generic". We never actually
441 * clear the BRANDED bit on any object. Once branded, there's no point in
442 * being generic, since the shape has already evolved unpredictably. So
443 * obj->unbrand() on a branded object does nothing.
444 */
448 }
457 /*
458 * A scope has a method barrier when some compiler-created "null closure"
459 * function objects (functions that do not use lexical bindings above
460 * their scope, only free variable names) that have a correct parent value
461 * thanks to the COMPILE_N_GO optimization are stored as newly added direct
462 * property values of the scope's object.
463 *
464 * The de-facto standard JS language requires each evaluation of such a
465 * closure to result in a unique (according to === and observable effects)
466 * function object. ES3 tried to allow implementations to "join" such
467 * objects to a single compiler-created object, but this makes an overt
468 * mutation hazard, also an "identity hazard" against interoperation among
469 * implementations that join and do not join.
470 *
471 * To stay compatible with the de-facto standard, we store the compiler-
472 * created function object as the method value and set the METHOD_BARRIER
473 * flag.
474 *
475 * The method value is part of the method property tree node's identity, so
476 * it effectively brands the scope with a predictable shape corresponding
477 * to the method value, but without the overhead of setting the BRANDED
478 * flag, which requires assigning a new shape peculiar to each branded
479 * scope. Instead the shape is shared via the property tree among all the
480 * scopes referencing the method property tree node.
481 *
482 * Then when reading from a scope for which scope->hasMethodBarrier() is
483 * true, we count on the scope's qualified/guarded shape being unique and
484 * add a read barrier that clones the compiler-created function object on
485 * demand, reshaping the scope.
486 *
487 * This read barrier is bypassed when evaluating the callee sub-expression
488 * of a call expression (see the JOF_CALLOP opcodes in jsopcode.tbl), since
489 * such ops do not present an identity or mutation hazard. The compiler
490 * performs this optimization only for null closures that do not use their
491 * own name or equivalent built-in references (arguments.callee).
492 *
493 * The BRANDED write barrier, JSScope::methodWriteBarrer, must check for
494 * METHOD_BARRIER too, and regenerate this scope's shape if the method's
495 * value is in fact changing.
496 */
500 /*
501 * Test whether this scope may be branded due to method calls, which means
502 * any assignment to a function-valued property must regenerate shape; else
503 * test whether this scope has method properties, which require a method
504 * write barrier.
505 */
506 bool
522 };
523 };
526 {
533 /* The method is only called for already held objects. */
537 }
544 }
546 /*
547 * Optimized version of the drop method to use from the object finalizer
548 * to skip expensive JS_ATOMIC_DECREMENT.
549 */
551 #ifdef JS_THREADSAFE
553 #endif
558 }
559 };
563 {
565 }
569 {
572 }
574 inline uint32
576 {
579 }
583 {
586 }
590 {
593 }
608 jsid id;
614 null if sprop->hasGetterValue(); or
615 joined function object if METHOD flag
616 is set. */
618 };
622 if sprop->isMethod() */
624 null if sprop->hasSetterValue() */
626 pointer to head of freelist */
627 };
636 }
643 }
655 to many-kids data structure */
657 has a double-indirect back pointer,
658 either to sprop->parent if not last,
659 else to scope->lastProp */
660 };
664 /*
665 * Implementation-private bits stored in sprop->flags. See public: enum {}
666 * flags further below, which were allocated FCFS over time, so interleave
667 * with these bits.
668 */
670 /* GC mark flag. */
673 /*
674 * Set during a shape-regenerating GC if the shape has already been
675 * regenerated. Unlike JSScope::SHAPE_REGEN, this does not toggle with
676 * each GC. js::SweepScopeProperties clears it.
677 */
680 /* Property stored in per-object dictionary, not shared property tree. */
682 };
698 /* Public bits stored in sprop->flags. */
704 };
718 // Per ES5, decode null getterObj as the undefined value, which encodes as null.
722 }
726 }
733 // Per ES5, decode null setterObj as the undefined value, which encodes as null.
737 }
741 }
762 // JS_ASSERT(isDataDescriptor());
764 }
770 }
774 }
777 }
779 #ifdef DEBUG
782 #endif
783 };
785 /* JSScopeProperty pointer tag bit indicating a collision. */
786 #define SPROP_COLLISION ((jsuword)1)
787 #define SPROP_REMOVED ((JSScopeProperty *) SPROP_COLLISION)
789 /* Macros to get and set sprop pointer values and collision flags. */
790 #define SPROP_IS_FREE(sprop) ((sprop) == NULL)
791 #define SPROP_IS_REMOVED(sprop) ((sprop) == SPROP_REMOVED)
792 #define SPROP_IS_LIVE(sprop) ((sprop) > SPROP_REMOVED)
793 #define SPROP_FLAG_COLLISION(spp,sprop) (*(spp) = (JSScopeProperty *) \
794 ((jsuword)(sprop) | SPROP_COLLISION))
795 #define SPROP_HAD_COLLISION(sprop) ((jsuword)(sprop) & SPROP_COLLISION)
796 #define SPROP_FETCH(spp) SPROP_CLEAR_COLLISION(*(spp))
798 #define SPROP_CLEAR_COLLISION(sprop) \
799 ((JSScopeProperty *) ((jsuword)(sprop) & ~SPROP_COLLISION))
801 #define SPROP_STORE_PRESERVING_COLLISION(spp, sprop) \
802 (*(spp) = (JSScopeProperty *) ((jsuword)(sprop) \
803 | SPROP_HAD_COLLISION(*(spp))))
807 {
809 }
813 {
815 }
819 {
822 }
824 /*
825 * Note that sprop must not be null, as emptying a scope requires extra work
826 * done only by methods in jsscope.cpp.
827 */
830 {
835 }
839 {
845 }
849 {
865 }
869 {
870 /*
871 * Don't assert inDictionaryMode() here because we may be called from
872 * toDictionaryMode via newDictionaryProperty.
873 */
889 }
891 /*
892 * If SHORTID is set in sprop->flags, we use sprop->shortid rather
893 * than id when calling sprop's getter or setter.
894 */
895 #define SPROP_USERID(sprop) \
896 ((sprop)->hasShortID() ? INT_TO_JSID((sprop)->shortid) \
897 : (sprop)->id)
899 #define SLOT_IN_SCOPE(slot,scope) ((slot) < (scope)->freeslot)
900 #define SPROP_HAS_VALID_SLOT(sprop,scope) SLOT_IN_SCOPE((sprop)->slot, scope)
902 #ifndef JS_THREADSAFE
903 # define js_GenerateShape(cx, gcLocked) js_GenerateShape (cx)
904 #endif
906 extern uint32
909 #ifdef DEBUG
911 jsrefcount searches;
912 jsrefcount hits;
913 jsrefcount misses;
914 jsrefcount hashes;
915 jsrefcount steps;
916 jsrefcount stepHits;
917 jsrefcount stepMisses;
918 jsrefcount tableAllocFails;
919 jsrefcount toDictFails;
920 jsrefcount wrapWatchFails;
921 jsrefcount adds;
922 jsrefcount addFails;
923 jsrefcount puts;
924 jsrefcount redundantPuts;
925 jsrefcount putFails;
926 jsrefcount changes;
927 jsrefcount changeFails;
928 jsrefcount compresses;
929 jsrefcount grows;
930 jsrefcount removes;
931 jsrefcount removeFrees;
932 jsrefcount uselessRemoves;
933 jsrefcount shrinks;
934 };
938 # define METER(x) JS_ATOMIC_INCREMENT(&js_scope_stats.x)
939 #else
941 #endif
945 {
950 /* Not enough properties to justify hashing: search from lastProp. */
955 }
956 }
959 }
961 }
963 #undef METER
967 {
968 /*
969 * An empty scope cannot provide another empty scope, or wrongful two-level
970 * prototype shape sharing ensues -- see bug 497789.
971 */
975 }
979 {
981 }
995 }
998 };
1000 }
1002 #ifdef _MSC_VER
1003 #pragma warning(pop)
1004 #pragma warning(pop)
1005 #endif