LibJS: Cache access to properties found in prototype chain

We already had fast access to own properties via shape-based IC. This patch extends the mechanism to properties on the prototype chain, using the "validity cell" technique from V8. - Prototype objects now have unique shape - Each prototype has an associated PrototypeChainValidity - When a prototype shape is mutated, every prototype shape "below" it in any prototype chain is invalidated. - Invalidation happens by marking the validity object as invalid, and then replacing it with a new validity object. - Property caches keep a pointer to the last seen valid validity. If there is no validity, or the validity is invalid, the cache misses and gets repopulated. This is very helpful when using JavaScript to access DOM objects, as we frequently have to traverse 4+ prototype objects before finding the property we're interested in on e.g EventTarget or Node.
Author: https://github.com/awesomekling Commit: 8ff16c1b57 Pull-request: https://github.com/SerenityOS/serenity/pull/24206 Reviewed-by: https://github.com/kennethmyhra
2025-04-28 23:39:02 +00:00 · 2024-05-04 15:48:23 +02:00 · 2024-05-04 15:48:23 +02:00 · 8ff16c1b57 · 2024-07-17 05:02:42 +09:00
commit 8ff16c1b57
parent 493a04d5fe
12 changed files with 232 additions and 52 deletions
--- a/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp
@ -350,17 +350,17 @@ void ECMAScriptFunctionObject::initialize(Realm& realm)
        Object* prototype = nullptr;
        switch (m_kind) {
        case FunctionKind::Normal:
-            prototype = vm.heap().allocate<Object>(realm, realm.intrinsics().new_ordinary_function_prototype_object_shape());
+            prototype = Object::create_prototype(realm, realm.intrinsics().object_prototype());
            MUST(prototype->define_property_or_throw(vm.names.constructor, { .value = this, .writable = true, .enumerable = false, .configurable = true }));
            break;
        case FunctionKind::Generator:
            // prototype is "g1.prototype" in figure-2 (https://tc39.es/ecma262/img/figure-2.png)
-            prototype = Object::create(realm, realm.intrinsics().generator_function_prototype_prototype());
+            prototype = Object::create_prototype(realm, realm.intrinsics().generator_function_prototype_prototype());
            break;
        case FunctionKind::Async:
            break;
        case FunctionKind::AsyncGenerator:
-            prototype = Object::create(realm, realm.intrinsics().async_generator_function_prototype_prototype());
+            prototype = Object::create_prototype(realm, realm.intrinsics().async_generator_function_prototype_prototype());
            break;
        }
        // 27.7.4 AsyncFunction Instances, https://tc39.es/ecma262/#sec-async-function-instances