OS#18076647: Invalidate prototype inline caches for properties of objects added to the prototype chain

Author: pleath

lib/Runtime/Base/CrossSiteObject.h

@@ -33,8 +33,8 @@ namespace Js
         virtual DescriptorFlags GetSetter(PropertyId propertyId, Var* setterValue, PropertyValueInfo* info, ScriptContext* requestContext) override;
         virtual DescriptorFlags GetSetter(JavascriptString* propertyNameString, Var* setterValue, PropertyValueInfo* info, ScriptContext* requestContext) override;
         virtual BOOL SetAccessors(PropertyId propertyId, Var getter, Var setter, PropertyOperationFlags flags) override;
-        virtual void RemoveFromPrototype(ScriptContext * requestContext) override;
-        virtual void AddToPrototype(ScriptContext * requestContext) override;
+        virtual void RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
+        virtual void AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
         virtual void SetPrototype(RecyclableObject* newPrototype) override;
 
         virtual BOOL IsCrossSiteObject() const override { return TRUE; }
@@ -227,15 +227,15 @@ namespace Js
     }
 
     template <typename T>
-    void CrossSiteObject<T>::RemoveFromPrototype(ScriptContext * requestContext)
+    void CrossSiteObject<T>::RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
-        __super::RemoveFromPrototype(this->GetScriptContext());
+        __super::RemoveFromPrototype(this->GetScriptContext(), allProtoCachesInvalidated);
     }
 
     template <typename T>
-    void CrossSiteObject<T>::AddToPrototype(ScriptContext * requestContext)
+    void CrossSiteObject<T>::AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
-        __super::AddToPrototype(this->GetScriptContext());
+        __super::AddToPrototype(this->GetScriptContext(), allProtoCachesInvalidated);
     }
 
     template <typename T>

lib/Runtime/Language/ModuleNamespace.h

@@ -79,8 +79,8 @@ namespace Js
         virtual BOOL GetDiagValueString(StringBuilder<ArenaAllocator>* stringBuilder, ScriptContext* requestContext) override;
         virtual BOOL GetDiagTypeString(StringBuilder<ArenaAllocator>* stringBuilder, ScriptContext* requestContext) override;
 
-        virtual void RemoveFromPrototype(ScriptContext * requestContext) override { Assert(false); }
-        virtual void AddToPrototype(ScriptContext * requestContext) override { Assert(false); }
+        virtual void RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override { Assert(false); }
+        virtual void AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override { Assert(false); }
         virtual void SetPrototype(RecyclableObject* newPrototype) override { Assert(false); return; }
 
     private:

lib/Runtime/Library/JavascriptObject.cpp

@@ -227,10 +227,13 @@ using namespace Js;
 
         if (isInvalidationOfInlineCacheNeeded)
         {
+            bool allProtoCachesInvalidated = false;
+
             // Notify old prototypes that they are being removed from a prototype chain. This triggers invalidating protocache, etc.
-            JavascriptOperators::MapObjectAndPrototypes<true>(object->GetPrototype(), [=](RecyclableObject* obj)
+            JavascriptOperators::MapObjectAndPrototypesUntil<true>(object->GetPrototype(), [&](RecyclableObject* obj)->bool
             {
-                obj->RemoveFromPrototype(scriptContext);
+                obj->RemoveFromPrototype(scriptContext, &allProtoCachesInvalidated);
+                return allProtoCachesInvalidated;
             });
 
             // Examine new prototype chain. If it brings in any special property, we need to invalidate related caches.
@@ -271,17 +274,20 @@ using namespace Js;
                 object->GetLibrary()->GetTypesWithOnlyWritablePropertyProtoChainCache()->Clear();
             }
 
-            if (!objectAndPrototypeChainHasOnlyWritableDataProperties)
+            if (!allProtoCachesInvalidated)
             {
                 // Invalidate StoreField/PropertyGuards for any non-WritableData property in the new chain
-                JavascriptOperators::MapObjectAndPrototypes<true>(newPrototype, [=](RecyclableObject* obj)
+                JavascriptOperators::MapObjectAndPrototypesUntil<true>(newPrototype, [&](RecyclableObject* obj)->bool
                 {
-                    if (!obj->HasOnlyWritableDataProperties())
-                    {
-                        obj->AddToPrototype(scriptContext);
-                    }
+                    obj->AddToPrototype(scriptContext, &allProtoCachesInvalidated);
+                    return allProtoCachesInvalidated;
                 });
             }
+
+            JavascriptOperators::MapObjectAndPrototypesUntil<true>(object->GetPrototype(), [](RecyclableObject* obj)->bool
+            {
+                return obj->ClearProtoCachesWereInvalidated();
+            });
         }
 
         // Set to new prototype

lib/Runtime/Library/JavascriptProxy.cpp

@@ -1507,12 +1507,12 @@ namespace Js
         return nullptr;
     }
 
-    void JavascriptProxy::RemoveFromPrototype(ScriptContext * requestContext)
+    void JavascriptProxy::RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
         Assert(FALSE);
     }
 
-    void JavascriptProxy::AddToPrototype(ScriptContext * requestContext)
+    void JavascriptProxy::AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
         Assert(FALSE);
     }

lib/Runtime/Library/JavascriptProxy.h

@@ -138,8 +138,8 @@ namespace Js
         virtual bool CanStorePropertyValueDirectly(PropertyId propertyId, bool allowLetConst) { Assert(false); return false; };
 #endif
 
-        virtual void RemoveFromPrototype(ScriptContext * requestContext) override;
-        virtual void AddToPrototype(ScriptContext * requestContext) override;
+        virtual void RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
+        virtual void AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
         virtual void SetPrototype(RecyclableObject* newPrototype) override;
 
         BOOL SetPrototypeTrap(RecyclableObject* newPrototype, bool showThrow, ScriptContext * requestContext);

lib/Runtime/Types/DynamicObject.h

@@ -296,8 +296,9 @@ namespace Js
         virtual bool CanStorePropertyValueDirectly(PropertyId propertyId, bool allowLetConst) override;
 #endif
 
-        virtual void RemoveFromPrototype(ScriptContext * requestContext) override;
-        virtual void AddToPrototype(ScriptContext * requestContext) override;
+        virtual void RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
+        virtual void AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
+        virtual bool ClearProtoCachesWereInvalidated() override;
         virtual void SetPrototype(RecyclableObject* newPrototype) override;
 
         virtual BOOL IsCrossSiteObject() const { return FALSE; }

lib/Runtime/Types/DynamicType.cpp

@@ -609,14 +609,19 @@ namespace Js
     }
 #endif
 
-    void DynamicObject::RemoveFromPrototype(ScriptContext * requestContext)
+    bool DynamicObject::ClearProtoCachesWereInvalidated()
     {
-        GetTypeHandler()->RemoveFromPrototype(this, requestContext);
+        return GetTypeHandler()->ClearProtoCachesWereInvalidated();
     }
 
-    void DynamicObject::AddToPrototype(ScriptContext * requestContext)
+    void DynamicObject::RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
-        GetTypeHandler()->AddToPrototype(this, requestContext);
+        GetTypeHandler()->RemoveFromPrototype(this, requestContext, allProtoCachesInvalidated);
+    }
+
+    void DynamicObject::AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
+    {
+        GetTypeHandler()->AddToPrototype(this, requestContext, allProtoCachesInvalidated);
     }
 
     void DynamicObject::SetPrototype(RecyclableObject* newPrototype)

lib/Runtime/Types/RecyclableObject.h

@@ -369,9 +369,10 @@ namespace Js {
         virtual bool CanStorePropertyValueDirectly(PropertyId propertyId, bool allowLetConst) { Assert(false); return false; };
 #endif
 
-        virtual void RemoveFromPrototype(ScriptContext * requestContext) { AssertMsg(false, "Shouldn't call this implementation."); }
-        virtual void AddToPrototype(ScriptContext * requestContext) { AssertMsg(false, "Shouldn't call this implementation."); }
+        virtual void RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) { AssertMsg(false, "Shouldn't call this implementation."); }
+        virtual void AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) { AssertMsg(false, "Shouldn't call this implementation."); }
         virtual void SetPrototype(RecyclableObject* newPrototype) { AssertMsg(false, "Shouldn't call this implementation."); }
+        virtual bool ClearProtoCachesWereInvalidated() { AssertMsg(false, "Shouldn't call this implementation."); return false; }
 
         virtual BOOL ToString(Js::Var* value, Js::ScriptContext* scriptContext) { AssertMsg(FALSE, "Do not use this function."); return false; }
 

lib/Runtime/Types/TypeHandler.cpp

@@ -64,7 +64,8 @@ using namespace Js;
         flags(flags),
         propertyTypes(PropertyTypesWritableDataOnly | PropertyTypesReserved),
         offsetOfInlineSlots(offsetOfInlineSlots),
-        unusedBytes(Js::AtomTag)
+        unusedBytes(Js::AtomTag),
+        protoCachesWereInvalidated(false)
     {
         Assert(!GetIsOrMayBecomeShared() || GetIsLocked());
         Assert(offsetOfInlineSlots != 0 || inlineSlotCapacity == 0);
@@ -263,7 +264,7 @@ using namespace Js;
     }
 
     template<bool isStoreField>
-    void DynamicTypeHandler::InvalidateInlineCachesForAllProperties(ScriptContext* requestContext)
+    bool DynamicTypeHandler::InvalidateInlineCachesForAllProperties(ScriptContext* requestContext)
     {
         int count = GetPropertyCount();
         if (count < 128) // Invalidate a propertyId involves dictionary lookups. Only do this when the number is relatively small.
@@ -276,31 +277,51 @@ using namespace Js;
                     isStoreField ? requestContext->InvalidateStoreFieldCaches(propertyId) : requestContext->InvalidateProtoCaches(propertyId);
                 }
             }
+            return false;
         }
         else
         {
             isStoreField ? requestContext->InvalidateAllStoreFieldCaches() : requestContext->InvalidateAllProtoCaches();
+            return true;
         }
     }
 
-    void DynamicTypeHandler::InvalidateProtoCachesForAllProperties(ScriptContext* requestContext)
+    bool DynamicTypeHandler::InvalidateProtoCachesForAllProperties(ScriptContext* requestContext)
+    {
+        bool result = InvalidateInlineCachesForAllProperties<false>(requestContext);
+        this->SetProtoCachesWereInvalidated();
+        return result;
+    }
+
+    bool DynamicTypeHandler::InvalidateStoreFieldCachesForAllProperties(ScriptContext* requestContext)
     {
-        InvalidateInlineCachesForAllProperties<false>(requestContext);
+        return InvalidateInlineCachesForAllProperties<true>(requestContext);
     }
 
-    void DynamicTypeHandler::InvalidateStoreFieldCachesForAllProperties(ScriptContext* requestContext)
+    bool DynamicTypeHandler::ClearProtoCachesWereInvalidated()
     {
-        InvalidateInlineCachesForAllProperties<true>(requestContext);
+        bool done = !this->ProtoCachesWereInvalidated();
+        this->protoCachesWereInvalidated = false;
+        return done;
     }
 
-    void DynamicTypeHandler::RemoveFromPrototype(DynamicObject* instance, ScriptContext * requestContext)
+    void DynamicTypeHandler::RemoveFromPrototype(DynamicObject* instance, ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
-        InvalidateProtoCachesForAllProperties(requestContext);
+        Assert(!*allProtoCachesInvalidated);
+        *allProtoCachesInvalidated = InvalidateProtoCachesForAllProperties(requestContext);
     }
 
-    void DynamicTypeHandler::AddToPrototype(DynamicObject* instance, ScriptContext * requestContext)
+    void DynamicTypeHandler::AddToPrototype(DynamicObject* instance, ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
-        InvalidateStoreFieldCachesForAllProperties(requestContext);
+        Assert(!*allProtoCachesInvalidated);
+        if (this->ProtoCachesWereInvalidated())
+        {
+            *allProtoCachesInvalidated = true;
+        }
+        else
+        {
+            *allProtoCachesInvalidated = InvalidateProtoCachesForAllProperties(requestContext);
+        }
     }
 
     void DynamicTypeHandler::SetPrototype(DynamicObject* instance, RecyclableObject* newPrototype)

lib/Runtime/Types/TypeHandler.h

@@ -49,6 +49,7 @@ namespace Js
         Field(uint16) unusedBytes;             // This always has it's lowest bit set to avoid false references
         Field(uint16) inlineSlotCapacity;
         Field(bool) isNotPathTypeHandlerOrHasUserDefinedCtor;
+        Field(bool) protoCachesWereInvalidated;
 
     public:
         DEFINE_GETCPPNAME_ABSTRACT();
@@ -58,7 +59,8 @@ namespace Js
             slotCapacity(typeHandler->slotCapacity),
             offsetOfInlineSlots(typeHandler->offsetOfInlineSlots),
             isNotPathTypeHandlerOrHasUserDefinedCtor(typeHandler->isNotPathTypeHandlerOrHasUserDefinedCtor),
-            unusedBytes(typeHandler->unusedBytes)
+            unusedBytes(typeHandler->unusedBytes),
+            protoCachesWereInvalidated(false)
         {
         }
 
@@ -528,15 +530,19 @@ namespace Js
 
     private:
         template<bool isStoreField>
-        void InvalidateInlineCachesForAllProperties(ScriptContext* requestContext);
+        bool InvalidateInlineCachesForAllProperties(ScriptContext* requestContext);
 
     public:
-        void InvalidateProtoCachesForAllProperties(ScriptContext* requestContext);
-        void InvalidateStoreFieldCachesForAllProperties(ScriptContext* requestContext);
+        bool InvalidateProtoCachesForAllProperties(ScriptContext* requestContext);
+        bool InvalidateStoreFieldCachesForAllProperties(ScriptContext* requestContext);
+
+        bool ProtoCachesWereInvalidated() const { return protoCachesWereInvalidated; }
+        void SetProtoCachesWereInvalidated() { protoCachesWereInvalidated = true; }
+        bool ClearProtoCachesWereInvalidated();
 
         // For changing __proto__
-        void RemoveFromPrototype(DynamicObject* instance, ScriptContext * requestContext);
-        void AddToPrototype(DynamicObject* instance, ScriptContext * requestContext);
+        void RemoveFromPrototype(DynamicObject* instance, ScriptContext * requestContext, bool * allProtoCachesInvalidated);
+        void AddToPrototype(DynamicObject* instance, ScriptContext * requestContext, bool * allProtoCachesInvalidated);
         virtual void SetPrototype(DynamicObject* instance, RecyclableObject* newPrototype);
 
         virtual void ResetTypeHandler(DynamicObject * instance);