[MERGE #5457 @pleath] OS#18076647: Invalidate prototype inline caches for properties of objects added to the prototype chain

Merge pull request #5457 from pleath:18076647

Currently we invalidate proto inline caches for properties in the old prototype chain but not in the new one. We need to invalidate properties in the new prototype chain as well to make sure that missing property caches are cleared as necessary. Since the old and new prototype chains probably overlap, do some tracking to avoid duplicated effort.

Author: pleath

lib/Runtime/Base/CrossSiteObject.h

@@ -33,8 +33,8 @@ namespace Js
         virtual DescriptorFlags GetSetter(PropertyId propertyId, Var* setterValue, PropertyValueInfo* info, ScriptContext* requestContext) override;
         virtual DescriptorFlags GetSetter(JavascriptString* propertyNameString, Var* setterValue, PropertyValueInfo* info, ScriptContext* requestContext) override;
         virtual BOOL SetAccessors(PropertyId propertyId, Var getter, Var setter, PropertyOperationFlags flags) override;
-        virtual void RemoveFromPrototype(ScriptContext * requestContext) override;
-        virtual void AddToPrototype(ScriptContext * requestContext) override;
+        virtual void RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
+        virtual void AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
         virtual void SetPrototype(RecyclableObject* newPrototype) override;
 
         virtual BOOL IsCrossSiteObject() const override { return TRUE; }
@@ -227,15 +227,15 @@ namespace Js
     }
 
     template <typename T>
-    void CrossSiteObject<T>::RemoveFromPrototype(ScriptContext * requestContext)
+    void CrossSiteObject<T>::RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
-        __super::RemoveFromPrototype(this->GetScriptContext());
+        __super::RemoveFromPrototype(this->GetScriptContext(), allProtoCachesInvalidated);
     }
 
     template <typename T>
-    void CrossSiteObject<T>::AddToPrototype(ScriptContext * requestContext)
+    void CrossSiteObject<T>::AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
-        __super::AddToPrototype(this->GetScriptContext());
+        __super::AddToPrototype(this->GetScriptContext(), allProtoCachesInvalidated);
     }
 
     template <typename T>

lib/Runtime/Language/ModuleNamespace.h

@@ -79,8 +79,8 @@ namespace Js
         virtual BOOL GetDiagValueString(StringBuilder<ArenaAllocator>* stringBuilder, ScriptContext* requestContext) override;
         virtual BOOL GetDiagTypeString(StringBuilder<ArenaAllocator>* stringBuilder, ScriptContext* requestContext) override;
 
-        virtual void RemoveFromPrototype(ScriptContext * requestContext) override { Assert(false); }
-        virtual void AddToPrototype(ScriptContext * requestContext) override { Assert(false); }
+        virtual void RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override { Assert(false); }
+        virtual void AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override { Assert(false); }
         virtual void SetPrototype(RecyclableObject* newPrototype) override { Assert(false); return; }
 
     private:

lib/Runtime/Library/JavascriptObject.cpp

@@ -227,10 +227,13 @@ using namespace Js;
 
         if (isInvalidationOfInlineCacheNeeded)
         {
+            bool allProtoCachesInvalidated = false;
+
             // Notify old prototypes that they are being removed from a prototype chain. This triggers invalidating protocache, etc.
-            JavascriptOperators::MapObjectAndPrototypes<true>(object->GetPrototype(), [=](RecyclableObject* obj)
+            JavascriptOperators::MapObjectAndPrototypesUntil<true>(object->GetPrototype(), [&](RecyclableObject* obj)->bool
             {
-                obj->RemoveFromPrototype(scriptContext);
+                obj->RemoveFromPrototype(scriptContext, &allProtoCachesInvalidated);
+                return allProtoCachesInvalidated;
             });
 
             // Examine new prototype chain. If it brings in any special property, we need to invalidate related caches.
@@ -271,17 +274,20 @@ using namespace Js;
                 object->GetLibrary()->GetTypesWithOnlyWritablePropertyProtoChainCache()->Clear();
             }
 
-            if (!objectAndPrototypeChainHasOnlyWritableDataProperties)
+            if (!allProtoCachesInvalidated)
             {
                 // Invalidate StoreField/PropertyGuards for any non-WritableData property in the new chain
-                JavascriptOperators::MapObjectAndPrototypes<true>(newPrototype, [=](RecyclableObject* obj)
+                JavascriptOperators::MapObjectAndPrototypesUntil<true>(newPrototype, [&](RecyclableObject* obj)->bool
                 {
-                    if (!obj->HasOnlyWritableDataProperties())
-                    {
-                        obj->AddToPrototype(scriptContext);
-                    }
+                    obj->AddToPrototype(scriptContext, &allProtoCachesInvalidated);
+                    return allProtoCachesInvalidated;
                 });
             }
+
+            JavascriptOperators::MapObjectAndPrototypesUntil<true>(object->GetPrototype(), [](RecyclableObject* obj)->bool
+            {
+                return obj->ClearProtoCachesWereInvalidated();
+            });
         }
 
         // Set to new prototype

lib/Runtime/Library/JavascriptProxy.cpp

@@ -1507,12 +1507,12 @@ namespace Js
         return nullptr;
     }
 
-    void JavascriptProxy::RemoveFromPrototype(ScriptContext * requestContext)
+    void JavascriptProxy::RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
         Assert(FALSE);
     }
 
-    void JavascriptProxy::AddToPrototype(ScriptContext * requestContext)
+    void JavascriptProxy::AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
         Assert(FALSE);
     }

lib/Runtime/Library/JavascriptProxy.h

@@ -138,8 +138,8 @@ namespace Js
         virtual bool CanStorePropertyValueDirectly(PropertyId propertyId, bool allowLetConst) { Assert(false); return false; };
 #endif
 
-        virtual void RemoveFromPrototype(ScriptContext * requestContext) override;
-        virtual void AddToPrototype(ScriptContext * requestContext) override;
+        virtual void RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
+        virtual void AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
         virtual void SetPrototype(RecyclableObject* newPrototype) override;
 
         BOOL SetPrototypeTrap(RecyclableObject* newPrototype, bool showThrow, ScriptContext * requestContext);

lib/Runtime/Types/DynamicObject.h

@@ -296,8 +296,9 @@ namespace Js
         virtual bool CanStorePropertyValueDirectly(PropertyId propertyId, bool allowLetConst) override;
 #endif
 
-        virtual void RemoveFromPrototype(ScriptContext * requestContext) override;
-        virtual void AddToPrototype(ScriptContext * requestContext) override;
+        virtual void RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
+        virtual void AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) override;
+        virtual bool ClearProtoCachesWereInvalidated() override;
         virtual void SetPrototype(RecyclableObject* newPrototype) override;
 
         virtual BOOL IsCrossSiteObject() const { return FALSE; }

lib/Runtime/Types/DynamicType.cpp

@@ -609,14 +609,19 @@ namespace Js
     }
 #endif
 
-    void DynamicObject::RemoveFromPrototype(ScriptContext * requestContext)
+    bool DynamicObject::ClearProtoCachesWereInvalidated()
     {
-        GetTypeHandler()->RemoveFromPrototype(this, requestContext);
+        return GetTypeHandler()->ClearProtoCachesWereInvalidated();
     }
 
-    void DynamicObject::AddToPrototype(ScriptContext * requestContext)
+    void DynamicObject::RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
-        GetTypeHandler()->AddToPrototype(this, requestContext);
+        GetTypeHandler()->RemoveFromPrototype(this, requestContext, allProtoCachesInvalidated);
+    }
+
+    void DynamicObject::AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated)
+    {
+        GetTypeHandler()->AddToPrototype(this, requestContext, allProtoCachesInvalidated);
     }
 
     void DynamicObject::SetPrototype(RecyclableObject* newPrototype)

lib/Runtime/Types/RecyclableObject.h

@@ -369,9 +369,10 @@ namespace Js {
         virtual bool CanStorePropertyValueDirectly(PropertyId propertyId, bool allowLetConst) { Assert(false); return false; };
 #endif
 
-        virtual void RemoveFromPrototype(ScriptContext * requestContext) { AssertMsg(false, "Shouldn't call this implementation."); }
-        virtual void AddToPrototype(ScriptContext * requestContext) { AssertMsg(false, "Shouldn't call this implementation."); }
+        virtual void RemoveFromPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) { AssertMsg(false, "Shouldn't call this implementation."); }
+        virtual void AddToPrototype(ScriptContext * requestContext, bool * allProtoCachesInvalidated) { AssertMsg(false, "Shouldn't call this implementation."); }
         virtual void SetPrototype(RecyclableObject* newPrototype) { AssertMsg(false, "Shouldn't call this implementation."); }
+        virtual bool ClearProtoCachesWereInvalidated() { AssertMsg(false, "Shouldn't call this implementation."); return false; }
 
         virtual BOOL ToString(Js::Var* value, Js::ScriptContext* scriptContext) { AssertMsg(FALSE, "Do not use this function."); return false; }
 

lib/Runtime/Types/TypeHandler.cpp

@@ -64,7 +64,8 @@ using namespace Js;
         flags(flags),
         propertyTypes(PropertyTypesWritableDataOnly | PropertyTypesReserved),
         offsetOfInlineSlots(offsetOfInlineSlots),
-        unusedBytes(Js::AtomTag)
+        unusedBytes(Js::AtomTag),
+        protoCachesWereInvalidated(false)
     {
         Assert(!GetIsOrMayBecomeShared() || GetIsLocked());
         Assert(offsetOfInlineSlots != 0 || inlineSlotCapacity == 0);
@@ -263,7 +264,7 @@ using namespace Js;
     }
 
     template<bool isStoreField>
-    void DynamicTypeHandler::InvalidateInlineCachesForAllProperties(ScriptContext* requestContext)
+    bool DynamicTypeHandler::InvalidateInlineCachesForAllProperties(ScriptContext* requestContext)
     {
         int count = GetPropertyCount();
         if (count < 128) // Invalidate a propertyId involves dictionary lookups. Only do this when the number is relatively small.
@@ -276,31 +277,51 @@ using namespace Js;
                     isStoreField ? requestContext->InvalidateStoreFieldCaches(propertyId) : requestContext->InvalidateProtoCaches(propertyId);
                 }
             }
+            return false;
         }
         else
         {
             isStoreField ? requestContext->InvalidateAllStoreFieldCaches() : requestContext->InvalidateAllProtoCaches();
+            return true;
         }
     }
 
-    void DynamicTypeHandler::InvalidateProtoCachesForAllProperties(ScriptContext* requestContext)
+    bool DynamicTypeHandler::InvalidateProtoCachesForAllProperties(ScriptContext* requestContext)
+    {
+        bool result = InvalidateInlineCachesForAllProperties<false>(requestContext);
+        this->SetProtoCachesWereInvalidated();
+        return result;
+    }
+
+    bool DynamicTypeHandler::InvalidateStoreFieldCachesForAllProperties(ScriptContext* requestContext)
     {
-        InvalidateInlineCachesForAllProperties<false>(requestContext);
+        return InvalidateInlineCachesForAllProperties<true>(requestContext);
     }
 
-    void DynamicTypeHandler::InvalidateStoreFieldCachesForAllProperties(ScriptContext* requestContext)
+    bool DynamicTypeHandler::ClearProtoCachesWereInvalidated()
     {
-        InvalidateInlineCachesForAllProperties<true>(requestContext);
+        bool done = !this->ProtoCachesWereInvalidated();
+        this->protoCachesWereInvalidated = false;
+        return done;
     }
 
-    void DynamicTypeHandler::RemoveFromPrototype(DynamicObject* instance, ScriptContext * requestContext)
+    void DynamicTypeHandler::RemoveFromPrototype(DynamicObject* instance, ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
-        InvalidateProtoCachesForAllProperties(requestContext);
+        Assert(!*allProtoCachesInvalidated);
+        *allProtoCachesInvalidated = InvalidateProtoCachesForAllProperties(requestContext);
     }
 
-    void DynamicTypeHandler::AddToPrototype(DynamicObject* instance, ScriptContext * requestContext)
+    void DynamicTypeHandler::AddToPrototype(DynamicObject* instance, ScriptContext * requestContext, bool * allProtoCachesInvalidated)
     {
-        InvalidateStoreFieldCachesForAllProperties(requestContext);
+        Assert(!*allProtoCachesInvalidated);
+        if (this->ProtoCachesWereInvalidated())
+        {
+            *allProtoCachesInvalidated = true;
+        }
+        else
+        {
+            *allProtoCachesInvalidated = InvalidateProtoCachesForAllProperties(requestContext);
+        }
     }
 
     void DynamicTypeHandler::SetPrototype(DynamicObject* instance, RecyclableObject* newPrototype)

lib/Runtime/Types/TypeHandler.h

@@ -49,6 +49,7 @@ namespace Js
         Field(uint16) unusedBytes;             // This always has it's lowest bit set to avoid false references
         Field(uint16) inlineSlotCapacity;
         Field(bool) isNotPathTypeHandlerOrHasUserDefinedCtor;
+        Field(bool) protoCachesWereInvalidated;
 
     public:
         DEFINE_GETCPPNAME_ABSTRACT();
@@ -58,7 +59,8 @@ namespace Js
             slotCapacity(typeHandler->slotCapacity),
             offsetOfInlineSlots(typeHandler->offsetOfInlineSlots),
             isNotPathTypeHandlerOrHasUserDefinedCtor(typeHandler->isNotPathTypeHandlerOrHasUserDefinedCtor),
-            unusedBytes(typeHandler->unusedBytes)
+            unusedBytes(typeHandler->unusedBytes),
+            protoCachesWereInvalidated(false)
         {
         }
 
@@ -528,15 +530,19 @@ namespace Js
 
     private:
         template<bool isStoreField>
-        void InvalidateInlineCachesForAllProperties(ScriptContext* requestContext);
+        bool InvalidateInlineCachesForAllProperties(ScriptContext* requestContext);
 
     public:
-        void InvalidateProtoCachesForAllProperties(ScriptContext* requestContext);
-        void InvalidateStoreFieldCachesForAllProperties(ScriptContext* requestContext);
+        bool InvalidateProtoCachesForAllProperties(ScriptContext* requestContext);
+        bool InvalidateStoreFieldCachesForAllProperties(ScriptContext* requestContext);
+
+        bool ProtoCachesWereInvalidated() const { return protoCachesWereInvalidated; }
+        void SetProtoCachesWereInvalidated() { protoCachesWereInvalidated = true; }
+        bool ClearProtoCachesWereInvalidated();
 
         // For changing __proto__
-        void RemoveFromPrototype(DynamicObject* instance, ScriptContext * requestContext);
-        void AddToPrototype(DynamicObject* instance, ScriptContext * requestContext);
+        void RemoveFromPrototype(DynamicObject* instance, ScriptContext * requestContext, bool * allProtoCachesInvalidated);
+        void AddToPrototype(DynamicObject* instance, ScriptContext * requestContext, bool * allProtoCachesInvalidated);
         virtual void SetPrototype(DynamicObject* instance, RecyclableObject* newPrototype);
 
         virtual void ResetTypeHandler(DynamicObject * instance);