1. 29 Jan, 2013 1 commit
    • oliver@apple.com's avatar
      Add some hardening to methodTable() · b6b94a90
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=108253
      
      Reviewed by Mark Hahnenberg.
      
      When accessing methodTable() we now always make sure that our
      structure _could_ be valid.  Added a separate method to get a
      classes methodTable during destruction as it's not possible to
      validate the structure at that point.  This separation might
      also make it possible to improve the performance of methodTable
      access more generally in future.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::callDestructor):
      * runtime/JSCell.h:
      (JSCell):
      * runtime/JSCellInlines.h:
      (JSC::JSCell::methodTableForDestruction):
      (JSC):
      (JSC::JSCell::methodTable):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141190 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b6b94a90
  2. 23 Jan, 2013 1 commit
    • oliver@apple.com's avatar
      Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC · 5598c181
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=107736
      
      Reviewed by Mark Hahnenberg.
      
      Mechanical change with no performance impact.
      
      * API/JSBlockAdaptor.mm:
      (BlockArgumentTypeDelegate::typeVoid):
      * API/JSCallbackObjectFunctions.h:
      (JSC::::construct):
      (JSC::::call):
      * API/JSScriptRef.cpp:
      * API/ObjCCallbackFunction.mm:
      (ArgumentTypeDelegate::typeVoid):
      * assembler/ARMv7Assembler.h:
      (JSC::ARMv7Assembler::link):
      (JSC::ARMv7Assembler::replaceWithLoad):
      (JSC::ARMv7Assembler::replaceWithAddressComputation):
      * assembler/MacroAssembler.h:
      (JSC::MacroAssembler::invert):
      * assembler/MacroAssemblerARM.h:
      (JSC::MacroAssemblerARM::countLeadingZeros32):
      (JSC::MacroAssemblerARM::divDouble):
      * assembler/MacroAssemblerMIPS.h:
      (JSC::MacroAssemblerMIPS::absDouble):
      (JSC::MacroAssemblerMIPS::replaceWithJump):
      (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
      * assembler/MacroAssemblerSH4.h:
      (JSC::MacroAssemblerSH4::absDouble):
      (JSC::MacroAssemblerSH4::replaceWithJump):
      (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
      * assembler/SH4Assembler.h:
      (JSC::SH4Assembler::shllImm8r):
      (JSC::SH4Assembler::shlrImm8r):
      (JSC::SH4Assembler::cmplRegReg):
      (JSC::SH4Assembler::branch):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::replaceWithLoad):
      (JSC::X86Assembler::replaceWithAddressComputation):
      * bytecode/CallLinkInfo.cpp:
      (JSC::CallLinkInfo::unlink):
      * bytecode/CodeBlock.cpp:
      (JSC::debugHookName):
      (JSC::CodeBlock::printGetByIdOp):
      (JSC::CodeBlock::printGetByIdCacheStatus):
      (JSC::CodeBlock::visitAggregate):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::usesOpcode):
      * bytecode/DataFormat.h:
      (JSC::needDataFormatConversion):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      (JSC::exitKindIsCountable):
      * bytecode/MethodOfGettingAValueProfile.cpp:
      (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
      * bytecode/Opcode.h:
      (JSC::opcodeLength):
      * bytecode/PolymorphicPutByIdList.cpp:
      (JSC::PutByIdAccess::fromStructureStubInfo):
      (JSC::PutByIdAccess::visitWeak):
      * bytecode/StructureStubInfo.cpp:
      (JSC::StructureStubInfo::deref):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC::BytecodeGenerator::emitGetLocalVar):
      (JSC::BytecodeGenerator::beginSwitch):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::BinaryOpNode::emitBytecode):
      (JSC::emitReadModifyAssignment):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      (JSC::DFG::AbstractState::mergeStateAtTail):
      (JSC::DFG::AbstractState::mergeToSuccessors):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::makeSafe):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
      (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::setLocalStoreElimination):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::canHandleOpcodes):
      * dfg/DFGCommon.h:
      (JSC::DFG::useKindToString):
      * dfg/DFGDoubleFormatState.h:
      (JSC::DFG::mergeDoubleFormatStates):
      (JSC::DFG::doubleFormatStateToString):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::blessArrayOperation):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::clobbersWorld):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::valueOfJSConstant):
      (JSC::DFG::Node::successor):
      * dfg/DFGNodeFlags.cpp:
      (JSC::DFG::nodeFlagsAsString):
      * dfg/DFGNodeType.h:
      (JSC::DFG::defaultFlags):
      * dfg/DFGRepatch.h:
      (JSC::DFG::dfgResetGetByID):
      (JSC::DFG::dfgResetPutByID):
      * dfg/DFGSlowPathGenerator.h:
      (JSC::DFG::SlowPathGenerator::call):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentSpill):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::bitOp):
      (JSC::DFG::SpeculativeJIT::shiftOp):
      (JSC::DFG::SpeculativeJIT::integerResult):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillInteger):
      (JSC::DFG::SpeculativeJIT::fillDouble):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillInteger):
      (JSC::DFG::SpeculativeJIT::fillDouble):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * dfg/DFGValueSource.h:
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableEvent.cpp:
      (JSC::DFG::VariableEvent::dump):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * heap/BlockAllocator.h:
      (JSC::BlockAllocator::regionSetFor):
      * heap/GCThread.cpp:
      (JSC::GCThread::gcThreadMain):
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::sweepHelper):
      * heap/MarkedBlock.h:
      (JSC::MarkedBlock::isLive):
      * interpreter/CallFrame.h:
      (JSC::ExecState::inlineCallFrame):
      * interpreter/Interpreter.cpp:
      (JSC::getCallerInfo):
      (JSC::getStackFrameCodeType):
      (JSC::Interpreter::execute):
      * jit/ExecutableAllocatorFixedVMPool.cpp:
      (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      (JSC::JIT::privateCompile):
      * jit/JITArithmetic.cpp:
      (JSC::JIT::emitSlow_op_mod):
      * jit/JITArithmetic32_64.cpp:
      (JSC::JIT::emitBinaryDoubleOp):
      (JSC::JIT::emitSlow_op_mod):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::isDirectPutById):
      * jit/JITStubs.cpp:
      (JSC::getPolymorphicAccessStructureListSlot):
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::jitCompileAndSetHeuristics):
      * parser/Lexer.cpp:
      (JSC::::lex):
      * parser/Nodes.h:
      (JSC::ExpressionNode::emitBytecodeInConditionContext):
      * parser/Parser.h:
      (JSC::Parser::getTokenName):
      (JSC::Parser::updateErrorMessageSpecialCase):
      * parser/SyntaxChecker.h:
      (JSC::SyntaxChecker::operatorStackPop):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/DatePrototype.cpp:
      (JSC::formatLocaleDate):
      * runtime/Executable.cpp:
      (JSC::samplingDescription):
      * runtime/Executable.h:
      (JSC::ScriptExecutable::unlinkCalls):
      * runtime/Identifier.cpp:
      (JSC):
      * runtime/InternalFunction.cpp:
      (JSC::InternalFunction::getCallData):
      * runtime/JSArray.cpp:
      (JSC::JSArray::push):
      (JSC::JSArray::sort):
      * runtime/JSCell.cpp:
      (JSC::JSCell::defaultValue):
      (JSC::JSCell::getOwnPropertyNames):
      (JSC::JSCell::getOwnNonIndexPropertyNames):
      (JSC::JSCell::className):
      (JSC::JSCell::getPropertyNames):
      (JSC::JSCell::customHasInstance):
      (JSC::JSCell::putDirectVirtual):
      (JSC::JSCell::defineOwnProperty):
      (JSC::JSCell::getOwnPropertyDescriptor):
      * runtime/JSCell.h:
      (JSCell):
      * runtime/JSNameScope.cpp:
      (JSC::JSNameScope::put):
      * runtime/JSObject.cpp:
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::ensureArrayStorageSlow):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::tryGetIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::canSetIndexQuicklyForPutDirect):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::hasSparseMap):
      (JSC::JSObject::inSparseIndexingMode):
      * runtime/JSScope.cpp:
      (JSC::JSScope::isDynamicScope):
      * runtime/JSSymbolTableObject.cpp:
      (JSC::JSSymbolTableObject::putDirectVirtual):
      * runtime/JSSymbolTableObject.h:
      (JSSymbolTableObject):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/RegExp.cpp:
      (JSC::RegExp::compile):
      (JSC::RegExp::compileMatchOnly):
      * runtime/StructureTransitionTable.h:
      (JSC::newIndexingType):
      * tools/CodeProfile.cpp:
      (JSC::CodeProfile::sample):
      * yarr/YarrCanonicalizeUCS2.h:
      (JSC::Yarr::getCanonicalPair):
      (JSC::Yarr::areCanonicallyEquivalent):
      * yarr/YarrInterpreter.cpp:
      (JSC::Yarr::Interpreter::matchCharacterClass):
      (JSC::Yarr::Interpreter::matchBackReference):
      (JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd):
      (JSC::Yarr::Interpreter::matchParentheses):
      (JSC::Yarr::Interpreter::backtrackParentheses):
      (JSC::Yarr::Interpreter::matchDisjunction):
      * yarr/YarrJIT.cpp:
      (JSC::Yarr::YarrGenerator::generateTerm):
      (JSC::Yarr::YarrGenerator::backtrackTerm):
      * yarr/YarrParser.h:
      (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
      (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
      * yarr/YarrPattern.cpp:
      (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140594 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5598c181
  3. 11 Jan, 2013 1 commit
    • fpizlo@apple.com's avatar
      The JITThunks class should be in its own file, and doing so should not break the build · a4b4cbe9
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=105696
      
      Source/JavaScriptCore: 
      
      Rubber stamped by Sam Weinig and Geoffrey Garen.
              
      This patch was supposed to just move JITThunks into its own file. But then I
      realized that there is a horrible circular dependency chain between JSCell,
      JSGlobalData, CallFrame, and Weak, which only works because of magical include
      order in JITStubs.h, and the fact that JSGlobalData.h includes JITStubs.h
      before it includes JSCell or JSValue.
              
      I first tried to just get JITThunks.h to just magically do the same pointless
      includes that JITStubs.h had, but then I decided to actually fix the underflying
      problem, which was that JSCell needed CallFrame, CallFrame needed JSGlobalData,
      JSGlobalData needed JITThunks, JITThunks needed Weak, and Weak needed JSCell.
      Now, all of JSCell's outgoing dependencies are placed in JSCellInlines.h. This
      also gave me an opportunity to move JSValue inline methods from JSCell.h into
      JSValueInlines.h. But to make this really work, I needed to remove includes of
      *Inlines.h from other headers (CodeBlock.h for example included JSValueInlines.h,
      which defeats the whole entire purpose of having an Inlines.h file), and I needed
      to add includes of *Inlines.h into a bunch of .cpp files. I did this mostly by
      having .cpp files include Operations.h. In future, if you're adding a .cpp file
      to JSC, you'll almost certainly have to include Operations.h unless you enjoy
      link errors.
      
      * API/JSBase.cpp:
      * API/JSCallbackConstructor.cpp:
      * API/JSCallbackFunction.cpp:
      * API/JSCallbackObject.cpp:
      * API/JSClassRef.cpp:
      * API/JSContextRef.cpp:
      * API/JSObjectRef.cpp:
      * API/JSScriptRef.cpp:
      * API/JSWeakObjectMapRefPrivate.cpp:
      * JSCTypedArrayStubs.h:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/ArrayAllocationProfile.cpp:
      * bytecode/CodeBlock.cpp:
      * bytecode/GetByIdStatus.cpp:
      * bytecode/LazyOperandValueProfile.cpp:
      * bytecode/ResolveGlobalStatus.cpp:
      * bytecode/SpeculatedType.cpp:
      * bytecode/UnlinkedCodeBlock.cpp:
      * bytecompiler/BytecodeGenerator.cpp:
      * debugger/Debugger.cpp:
      * debugger/DebuggerActivation.cpp:
      * debugger/DebuggerCallFrame.cpp:
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      * dfg/DFGArrayMode.cpp:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGConstantFoldingPhase.cpp:
      * dfg/DFGDriver.cpp:
      * dfg/DFGFixupPhase.cpp:
      * dfg/DFGGraph.cpp:
      * dfg/DFGJITCompiler.cpp:
      * dfg/DFGOSREntry.cpp:
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      * dfg/DFGPredictionPropagationPhase.cpp:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (DFG):
      (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
      (JSC::DFG::SpeculativeJIT::silentSpill):
      (JSC::DFG::SpeculativeJIT::silentFill):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      * dfg/DFGSpeculativeJIT64.cpp:
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      * dfg/DFGVariableEventStream.cpp:
      * heap/CopiedBlock.h:
      * heap/CopiedSpace.cpp:
      * heap/HandleSet.cpp:
      * heap/Heap.cpp:
      * heap/HeapStatistics.cpp:
      * heap/SlotVisitor.cpp:
      * heap/WeakBlock.cpp:
      * interpreter/CallFrame.cpp:
      * interpreter/CallFrame.h:
      * jit/ClosureCallStubRoutine.cpp:
      * jit/GCAwareJITStubRoutine.cpp:
      * jit/JIT.cpp:
      * jit/JITArithmetic.cpp:
      * jit/JITArithmetic32_64.cpp:
      * jit/JITCall.cpp:
      * jit/JITCall32_64.cpp:
      * jit/JITCode.h:
      * jit/JITExceptions.cpp:
      * jit/JITStubs.h:
      * jit/JITThunks.h:
      * jsc.cpp:
      * llint/LLIntExceptions.cpp:
      * profiler/LegacyProfiler.cpp:
      * profiler/ProfileGenerator.cpp:
      * profiler/ProfilerBytecode.cpp:
      * profiler/ProfilerBytecodeSequence.cpp:
      * profiler/ProfilerBytecodes.cpp:
      * profiler/ProfilerCompilation.cpp:
      * profiler/ProfilerCompiledBytecode.cpp:
      * profiler/ProfilerDatabase.cpp:
      * profiler/ProfilerOSRExit.cpp:
      * profiler/ProfilerOSRExitSite.cpp:
      * profiler/ProfilerOrigin.cpp:
      * profiler/ProfilerOriginStack.cpp:
      * profiler/ProfilerProfiledBytecodes.cpp:
      * runtime/ArgList.cpp:
      * runtime/Arguments.cpp:
      * runtime/ArrayConstructor.cpp:
      * runtime/BooleanConstructor.cpp:
      * runtime/BooleanObject.cpp:
      * runtime/BooleanPrototype.cpp:
      * runtime/CallData.cpp:
      * runtime/CodeCache.cpp:
      * runtime/Completion.cpp:
      * runtime/ConstructData.cpp:
      * runtime/DateConstructor.cpp:
      * runtime/DateInstance.cpp:
      * runtime/DatePrototype.cpp:
      * runtime/Error.cpp:
      * runtime/ErrorConstructor.cpp:
      * runtime/ErrorInstance.cpp:
      * runtime/ErrorPrototype.cpp:
      * runtime/ExceptionHelpers.cpp:
      * runtime/Executable.cpp:
      * runtime/FunctionConstructor.cpp:
      * runtime/FunctionPrototype.cpp:
      * runtime/GetterSetter.cpp:
      * runtime/Identifier.cpp:
      * runtime/InternalFunction.cpp:
      * runtime/JSActivation.cpp:
      * runtime/JSBoundFunction.cpp:
      * runtime/JSCell.cpp:
      * runtime/JSCell.h:
      (JSC):
      * runtime/JSCellInlines.h: Added.
      (JSC):
      (JSC::JSCell::JSCell):
      (JSC::JSCell::finishCreation):
      (JSC::JSCell::structure):
      (JSC::JSCell::visitChildren):
      (JSC::allocateCell):
      (JSC::isZapped):
      (JSC::JSCell::isObject):
      (JSC::JSCell::isString):
      (JSC::JSCell::isGetterSetter):
      (JSC::JSCell::isProxy):
      (JSC::JSCell::isAPIValueWrapper):
      (JSC::JSCell::setStructure):
      (JSC::JSCell::methodTable):
      (JSC::JSCell::inherits):
      (JSC::JSCell::fastGetOwnPropertySlot):
      (JSC::JSCell::fastGetOwnProperty):
      (JSC::JSCell::toBoolean):
      * runtime/JSDateMath.cpp:
      * runtime/JSFunction.cpp:
      * runtime/JSFunction.h:
      (JSC):
      * runtime/JSGlobalData.h:
      (JSC):
      (JSGlobalData):
      * runtime/JSGlobalObject.cpp:
      * runtime/JSGlobalObjectFunctions.cpp:
      * runtime/JSLock.cpp:
      * runtime/JSNameScope.cpp:
      * runtime/JSNotAnObject.cpp:
      * runtime/JSONObject.cpp:
      * runtime/JSObject.h:
      (JSC):
      * runtime/JSProxy.cpp:
      * runtime/JSScope.cpp:
      * runtime/JSSegmentedVariableObject.cpp:
      * runtime/JSString.h:
      (JSC):
      * runtime/JSStringJoiner.cpp:
      * runtime/JSSymbolTableObject.cpp:
      * runtime/JSValue.cpp:
      * runtime/JSValueInlines.h:
      (JSC::JSValue::toInt32):
      (JSC::JSValue::toUInt32):
      (JSC):
      (JSC::JSValue::isUInt32):
      (JSC::JSValue::asUInt32):
      (JSC::JSValue::asNumber):
      (JSC::jsNaN):
      (JSC::JSValue::JSValue):
      (JSC::JSValue::encode):
      (JSC::JSValue::decode):
      (JSC::JSValue::operator bool):
      (JSC::JSValue::operator==):
      (JSC::JSValue::operator!=):
      (JSC::JSValue::isEmpty):
      (JSC::JSValue::isUndefined):
      (JSC::JSValue::isNull):
      (JSC::JSValue::isUndefinedOrNull):
      (JSC::JSValue::isCell):
      (JSC::JSValue::isInt32):
      (JSC::JSValue::isDouble):
      (JSC::JSValue::isTrue):
      (JSC::JSValue::isFalse):
      (JSC::JSValue::tag):
      (JSC::JSValue::payload):
      (JSC::JSValue::asInt32):
      (JSC::JSValue::asDouble):
      (JSC::JSValue::asCell):
      (JSC::JSValue::isNumber):
      (JSC::JSValue::isBoolean):
      (JSC::JSValue::asBoolean):
      (JSC::reinterpretDoubleToInt64):
      (JSC::reinterpretInt64ToDouble):
      (JSC::JSValue::isString):
      (JSC::JSValue::isPrimitive):
      (JSC::JSValue::isGetterSetter):
      (JSC::JSValue::isObject):
      (JSC::JSValue::getString):
      (JSC::::getString):
      (JSC::JSValue::getObject):
      (JSC::JSValue::getUInt32):
      (JSC::JSValue::toPrimitive):
      (JSC::JSValue::getPrimitiveNumber):
      (JSC::JSValue::toNumber):
      (JSC::JSValue::toObject):
      (JSC::JSValue::isFunction):
      (JSC::JSValue::inherits):
      (JSC::JSValue::toThisObject):
      (JSC::JSValue::get):
      (JSC::JSValue::put):
      (JSC::JSValue::putByIndex):
      (JSC::JSValue::structureOrUndefined):
      (JSC::JSValue::equal):
      (JSC::JSValue::equalSlowCaseInline):
      (JSC::JSValue::strictEqualSlowCaseInline):
      (JSC::JSValue::strictEqual):
      * runtime/JSVariableObject.cpp:
      * runtime/JSWithScope.cpp:
      * runtime/JSWrapperObject.cpp:
      * runtime/LiteralParser.cpp:
      * runtime/Lookup.cpp:
      * runtime/NameConstructor.cpp:
      * runtime/NameInstance.cpp:
      * runtime/NamePrototype.cpp:
      * runtime/NativeErrorConstructor.cpp:
      * runtime/NativeErrorPrototype.cpp:
      * runtime/NumberConstructor.cpp:
      * runtime/NumberObject.cpp:
      * runtime/ObjectConstructor.cpp:
      * runtime/ObjectPrototype.cpp:
      * runtime/Operations.h:
      (JSC):
      * runtime/PropertySlot.cpp:
      * runtime/RegExp.cpp:
      * runtime/RegExpCache.cpp:
      * runtime/RegExpCachedResult.cpp:
      * runtime/RegExpConstructor.cpp:
      * runtime/RegExpMatchesArray.cpp:
      * runtime/RegExpObject.cpp:
      * runtime/RegExpPrototype.cpp:
      * runtime/SmallStrings.cpp:
      * runtime/SparseArrayValueMap.cpp:
      * runtime/StrictEvalActivation.cpp:
      * runtime/StringConstructor.cpp:
      * runtime/StringObject.cpp:
      * runtime/StringRecursionChecker.cpp:
      * runtime/Structure.h:
      (JSC):
      * runtime/StructureChain.cpp:
      * runtime/TimeoutChecker.cpp:
      * testRegExp.cpp:
      
      Source/WebCore: 
      
      Rubber stamped by Sam Weinig.
      
      All .cpp files that use the JSC internal API must now transitively include
      Operations.h, and none of the major JSC headers do it for you to avoid
      circularity. WebCore doesn't have to worry about circularity with JSC, so
      this changes all of the major WebCore JSC base headers to include
      Operations.h.
      
      * bindings/js/BindingState.h:
      * bindings/js/JSArrayBufferViewHelper.h:
      * bindings/js/JSCustomXPathNSResolver.h:
      * bindings/js/JSDOMBinding.h:
      * bindings/js/JSDOMGlobalObject.h:
      * bindings/js/JSDictionary.h:
      * bindings/js/JSMessagePortCustom.h:
      * bindings/js/JSNodeFilterCondition.h:
      * bindings/js/ScriptValue.h:
      * bindings/js/ScriptWrappable.h:
      * bindings/js/SerializedScriptValue.cpp:
      * bridge/c/c_utility.h:
      * bridge/jsc/BridgeJSC.h:
      * dom/Node.cpp:
      * html/HTMLCanvasElement.cpp:
      * html/HTMLImageLoader.cpp:
      * plugins/efl/PluginViewEfl.cpp:
      * xml/XMLHttpRequest.cpp:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139541 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a4b4cbe9
  4. 02 Nov, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      MarkedBlocks should use something other than the mark bits to indicate... · 4cbe13c3
      mhahnenberg@apple.com authored
      MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects
      https://bugs.webkit.org/show_bug.cgi?id=100877
      
      Reviewed by Filip Pizlo.
      
      Currently when we canonicalize cell liveness data in MarkedBlocks, we set the mark bit for every cell in the
      block except for those in the free list. This allows us to consider objects that were allocated since the
      previous collection to be considered live until they have a chance to be properly marked by the collector.
      
      If we want to use the mark bits to signify other types of information, e.g. using sticky mark bits for generational
      collection, we will have to keep track of newly allocated objects in a different fashion when we canonicalize cell liveness.
      
      One method would be to allocate a separate set of bits while canonicalizing liveness data. These bits would
      track the newly allocated objects in the block separately from those objects who had already been marked. We would
      then check these bits, along with the mark bits, when determining liveness.
      
      * heap/Heap.h:
      (Heap):
      (JSC::Heap::isLive): We now check for the presence of the newlyAllocated Bitmap.
      (JSC):
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::specializedSweep): We clear the newlyAllocated Bitmap if we're creating a free list. This
      will happen if we canonicalize liveness data for some other reason than collection (e.g. forEachCell) and
      then start allocating again.
      (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
      (SetNewlyAllocatedFunctor):
      (JSC::SetNewlyAllocatedFunctor::operator()): We set the newlyAllocated bits for all the objects
      that aren't already marked. We undo the bits for the objects in the free list later in canonicalizeCellLivenessData.
      (JSC::MarkedBlock::canonicalizeCellLivenessData): We should never have a FreeListed block with a newlyAllocated Bitmap.
      We allocate the new Bitmap, set the bits for all the objects that aren't already marked, and then unset all of the
      bits for the items currently in the FreeList.
      * heap/MarkedBlock.h:
      (JSC::MarkedBlock::clearMarks): We clear the newlyAllocated bitmap if it exists because at this point we don't need it
      any more.
      (JSC::MarkedBlock::isEmpty): If we have some objects that are newlyAllocated, we are not empty.
      (JSC::MarkedBlock::isNewlyAllocated):
      (JSC):
      (JSC::MarkedBlock::setNewlyAllocated):
      (JSC::MarkedBlock::clearNewlyAllocated):
      (JSC::MarkedBlock::isLive): We now check the newlyAllocated Bitmap, if it exists, when determining liveness of a cell in
      a block that is Marked.
      * heap/WeakBlock.cpp:
      (JSC::WeakBlock::visit): We need to make sure we don't finalize objects that are in the newlyAllocated Bitmap.
      (JSC::WeakBlock::reap): Ditto.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133358 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4cbe13c3
  5. 15 Oct, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      Make CopiedSpace and MarkedSpace regions independent · 91f79f7e
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99222
      
      Reviewed by Filip Pizlo.
      
      Right now CopiedSpace and MarkedSpace have the same block size and share the same regions,
      but there's no reason that they can't have different block sizes while still sharing the
      same underlying regions. We should factor the two "used" lists of regions apart so that
      MarkedBlocks and CopiedBlocks can be different sizes. Regions will still be a uniform size
      so that when they become empty they may be shared between the CopiedSpace and the MarkedSpace,
      since benchmarks indicate that sharing is a boon for performance.
      
      * heap/BlockAllocator.cpp:
      (JSC::BlockAllocator::BlockAllocator):
      * heap/BlockAllocator.h:
      (JSC):
      (Region):
      (JSC::Region::create): We now have a fixed size for Regions so that empty regions can continue to
      be shared between the MarkedSpace and CopiedSpace. Once they are used for a specific type of block,
      however, they can only be used for that type of block until they become empty again.
      (JSC::Region::createCustomSize):
      (JSC::Region::Region):
      (JSC::Region::~Region):
      (JSC::Region::reset):
      (BlockAllocator):
      (JSC::BlockAllocator::RegionSet::RegionSet):
      (RegionSet):
      (JSC::BlockAllocator::tryAllocateFromRegion): We change this function so that it correctly
      moves blocks between empty, partial, and full lists.
      (JSC::BlockAllocator::allocate):
      (JSC::BlockAllocator::allocateCustomSize):
      (JSC::BlockAllocator::deallocate): Ditto.
      (JSC::CopiedBlock):
      (JSC::MarkedBlock):
      (JSC::BlockAllocator::regionSetFor): We use this so that we can use the same allocate/deallocate
      functions with different RegionSets. We specialize the function for each type of block that we
      want to allocate.
      * heap/CopiedBlock.h:
      (CopiedBlock):
      * heap/CopiedSpace.h:
      (CopiedSpace):
      * heap/HeapBlock.h:
      (HeapBlock):
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::MarkedBlock): For oversize MarkedBlocks, if the block size gets too big we can
      underflow the endAtom, which will cause us to segfault when we try to sweep a block. If we're a
      custom size MarkedBlock we need to calculate endAtom so it doesn't underflow.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131321 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      91f79f7e
  6. 11 Oct, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      BlockAllocator should use regions as its VM allocation abstraction · 5c018e7e
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99107
      
      Reviewed by Geoffrey Garen.
      
      Currently the BlockAllocator allocates a single block at a time directly from the OS. Our block
      allocations are on the large-ish side (64 KB) to amortize across many allocations the expense of
      mapping new virtual memory from the OS. These large blocks are then shared between the MarkedSpace
      and the CopiedSpace. This design makes it difficult to vary the size of the blocks in different
      parts of the Heap while still allowing us to amortize the VM allocation costs.
      
      We should redesign the BlockAllocator so that it has a layer of indirection between blocks that are
      used by the allocator/collector and our primary unit of VM allocation from the OS. In particular,
      the BlockAllocator should allocate Regions of virtual memory from the OS, which are then subdivided
      into one or more Blocks to be used in our custom allocators. This design has the following nice properties:
      
      1) We can remove the knowledge of PageAllocationAligned from HeapBlocks. Each HeapBlock will now
         only know what Region it belongs to. The Region maintains all the metadata for how to allocate
         and deallocate virtual memory from the OS.
      
      2) We can easily allocate in larger chunks than we need to satisfy a particular request for a Block.
         We can then continue to amortize our VM allocation costs while allowing for smaller block sizes,
         which should increase locality in the mutator when allocating, lazy sweeping, etc.
      
      3) By encapsulating the logic of where our memory comes from inside of the Region class, we can more
         easily transition over to allocating VM from a specific range of pre-reserved address space. This
         will be a necessary step along the way to 32-bit pointers.
      
      This particular patch will not change the size of MarkedBlocks or CopiedBlocks, nor will it change how
      much VM we allocate per failed Block request. It only sets up the data structures that we need to make
      these changes in future patches.
      
      Most of the changes in this patch relate to the addition of the Region class to be used by the
      BlockAllocator and the threading of changes made to BlockAllocator's interface through to the call sites.
      
      * heap/BlockAllocator.cpp: The BlockAllocator now has three lists that track the three disjoint sets of
      Regions that it cares about: empty regions, partially full regions, and completely full regions.
      Empty regions have no blocks currently in use and can be freed immediately if the freeing thread
      determines they should be. Partial regions have some blocks used, but aren't completely in use yet.
      These regions are preferred for recycling before empty regions to mitigate fragmentation within regions.
      Completely full regions are no longer able to be used for allocations. Regions move between these
      three lists as they are created and their constituent blocks are allocated and deallocated.
      (JSC::BlockAllocator::BlockAllocator):
      (JSC::BlockAllocator::~BlockAllocator):
      (JSC::BlockAllocator::releaseFreeRegions):
      (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
      (JSC::BlockAllocator::waitForRelativeTime):
      (JSC::BlockAllocator::blockFreeingThreadMain):
      * heap/BlockAllocator.h:
      (JSC):
      (DeadBlock):
      (JSC::DeadBlock::DeadBlock):
      (Region):
      (JSC::Region::blockSize):
      (JSC::Region::isFull):
      (JSC::Region::isEmpty):
      (JSC::Region::create): This function is responsible for doing the actual VM allocation. This should be the
      only function in the entire JSC object runtime that calls out the OS for virtual memory allocation.
      (JSC::Region::Region):
      (JSC::Region::~Region):
      (JSC::Region::allocate):
      (JSC::Region::deallocate):
      (BlockAllocator):
      (JSC::BlockAllocator::tryAllocateFromRegion): Helper function that encapsulates checking a particular list
      of regions for a free block.
      (JSC::BlockAllocator::allocate):
      (JSC::BlockAllocator::allocateCustomSize): This function is responsible for allocating one-off custom size
      regions for use in oversize allocations in both the MarkedSpace and the CopiedSpace. These regions are not
      tracked by the BlockAllocator. The only pointer to them is in the HeapBlock that is returned. These regions
      contain exactly one block.
      (JSC::BlockAllocator::deallocate):
      (JSC::BlockAllocator::deallocateCustomSize): This function is responsible for deallocating one-off custom size
      regions. The regions are deallocated back to the OS eagerly.
      * heap/CopiedBlock.h: Re-worked CopiedBlocks to use Regions instead of PageAllocationAligned.
      (CopiedBlock):
      (JSC::CopiedBlock::createNoZeroFill):
      (JSC::CopiedBlock::create):
      (JSC::CopiedBlock::CopiedBlock):
      (JSC::CopiedBlock::payloadEnd):
      (JSC::CopiedBlock::capacity):
      * heap/CopiedSpace.cpp:
      (JSC::CopiedSpace::~CopiedSpace):
      (JSC::CopiedSpace::tryAllocateOversize):
      (JSC::CopiedSpace::tryReallocateOversize):
      (JSC::CopiedSpace::doneCopying):
      * heap/CopiedSpaceInlineMethods.h:
      (JSC::CopiedSpace::allocateBlockForCopyingPhase):
      (JSC::CopiedSpace::allocateBlock):
      * heap/HeapBlock.h:
      (JSC::HeapBlock::destroy):
      (JSC::HeapBlock::HeapBlock):
      (JSC::HeapBlock::region):
      (HeapBlock):
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::allocateBlock):
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::create):
      (JSC::MarkedBlock::MarkedBlock):
      * heap/MarkedBlock.h:
      (JSC::MarkedBlock::capacity):
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::freeBlock):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131132 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5c018e7e
  7. 03 Oct, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      Delayed structure sweep can leak structures without bound · 30738a77
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96546
      
      Reviewed by Geoffrey Garen.
      
      This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
      allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
      those objects with destructors and with immortal structures, and those objects with destructors that don't have 
      immortal structures. All of the objects of the third type (destructors without immortal structures) now 
      inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores 
      the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.
      
      Source/JavaScriptCore: 
      
      * API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.
      (JSC):
      (JSC::JSCallbackConstructor::JSCallbackConstructor):
      * API/JSCallbackConstructor.h:
      (JSCallbackConstructor):
      * API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for 
      JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer.
      (JSC):
      (JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add 
      the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides 
      to subclass this. We use this same technique for many other subclasses of JSGlobalObject.
      (JSC::::createStructure):
      * API/JSCallbackObject.h:
      (JSCallbackObject):
      (JSC):
      * API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead.
      (OpaqueJSClass::prototype):
      * API/JSObjectRef.cpp: Ditto.
      (JSObjectMake):
      (JSObjectGetPrivate):
      (JSObjectSetPrivate):
      (JSObjectGetPrivateProperty):
      (JSObjectSetPrivateProperty):
      (JSObjectDeletePrivateProperty):
      * API/JSValueRef.cpp: Ditto.
      (JSValueIsObjectOfClass):
      * API/JSWeakObjectMapRefPrivate.cpp: Ditto.
      * JSCTypedArrayStubs.h:
      (JSC):
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG.
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
      * heap/Heap.cpp:
      (JSC):
      * heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function 
      since it's always safe to sweep Structures now.
      (JSC::Heap::allocatorForObjectWithNormalDestructor): 
      (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
      (Heap):
      (JSC::Heap::allocateWithNormalDestructor):
      (JSC):
      (JSC::Heap::allocateWithImmortalStructureDestructor):
      * heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the 
      IncrementalSweeper since it's always safe to sweep Structures now.
      (JSC::IncrementalSweeper::IncrementalSweeper):
      (JSC::IncrementalSweeper::sweepNextBlock):
      (JSC::IncrementalSweeper::startSweeping):
      (JSC::IncrementalSweeper::willFinishSweeping):
      (JSC):
      * heap/IncrementalSweeper.h:
      (IncrementalSweeper):
      * heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add 
      tracking of the specific destructor type of allocator. 
      (JSC::MarkedAllocator::tryAllocateHelper):
      (JSC::MarkedAllocator::allocateBlock):
      * heap/MarkedAllocator.h:
      (JSC::MarkedAllocator::destructorType):
      (MarkedAllocator):
      (JSC::MarkedAllocator::MarkedAllocator):
      (JSC::MarkedAllocator::init):
      * heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping. 
      We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls.
      (JSC::MarkedBlock::create):
      (JSC::MarkedBlock::MarkedBlock):
      (JSC):
      (JSC::MarkedBlock::specializedSweep):
      (JSC::MarkedBlock::sweep):
      (JSC::MarkedBlock::sweepHelper):
      * heap/MarkedBlock.h:
      (JSC):
      (JSC::MarkedBlock::allocator):
      (JSC::MarkedBlock::destructorType):
      * heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace.
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::canonicalizeCellLivenessData):
      (JSC::MarkedSpace::isPagedOut):
      (JSC::MarkedSpace::freeBlock):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor):
      (JSC::MarkedSpace::normalDestructorAllocatorFor):
      (JSC::MarkedSpace::allocateWithImmortalStructureDestructor):
      (JSC::MarkedSpace::allocateWithNormalDestructor):
      (JSC::MarkedSpace::forEachBlock):
      * heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function.
      * jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT.
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateJSFinalObject):
      (JSC::JIT::emitAllocateJSArray):
      * jsc.cpp: 
      (GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from 
      JSDestructibleObject.
      * runtime/Arguments.cpp: Inherit from JSDestructibleObject.
      (JSC):
      * runtime/Arguments.h:
      (Arguments):
      (JSC::Arguments::Arguments):
      * runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor.
      (JSC):
      * runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures.
      (JSC):
      * runtime/InternalFunction.cpp: Inherit from JSDestructibleObject.
      (JSC):
      (JSC::InternalFunction::InternalFunction):
      * runtime/InternalFunction.h:
      (InternalFunction):
      * runtime/JSCell.h: Added two static bools, needsDestruction and hasImmortalStructure, that classes can override 
      to indicate at compile time which part of the heap they should be allocated in.
      (JSC::allocateCell): Use the appropriate allocator depending on the destructor type.
      * runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be 
      accessed safely when the object is being destroyed.
      (JSC):
      (JSDestructibleObject):
      (JSC::JSDestructibleObject::classInfo):
      (JSC::JSDestructibleObject::JSDestructibleObject):
      (JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe.
      * runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all 
      of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well.
      (JSC::JSGlobalObject::reset):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one 
      for the m_rareData field when it's created.
      (JSC::JSGlobalObject::create):
      (JSC):
      * runtime/JSGlobalThis.h: Inherit from JSDestructibleObject.
      (JSGlobalThis):
      (JSC::JSGlobalThis::JSGlobalThis):
      * runtime/JSPropertyNameIterator.h: Has an immortal Structure.
      (JSC):
      * runtime/JSScope.cpp:
      (JSC):
      * runtime/JSString.h: Has an immortal Structure.
      (JSC):
      * runtime/JSWrapperObject.h: Inherit from JSDestructibleObject.
      (JSWrapperObject):
      (JSC::JSWrapperObject::JSWrapperObject):
      * runtime/MathObject.cpp: Cleaning up some of the inheritance stuff.
      (JSC):
      * runtime/NameInstance.h: Inherit from JSDestructibleObject.
      (NameInstance):
      * runtime/RegExp.h: Has immortal Structure.
      (JSC):
      * runtime/RegExpObject.cpp: Inheritance cleanup.
      (JSC):
      * runtime/SparseArrayValueMap.h: Has immortal Structure.
      (JSC):
      * runtime/Structure.h: Has immortal Structure.
      (JSC):
      * runtime/StructureChain.h: Ditto.
      (JSC):
      * runtime/SymbolTable.h: Ditto.
      (SharedSymbolTable):
      (JSC):
      
      Source/WebCore: 
      
      No new tests.
      
      * ForwardingHeaders/runtime/JSDestructableObject.h: Added.
      * bindings/js/JSDOMWrapper.h: Inherits from JSDestructibleObject.
      (JSDOMWrapper):
      (WebCore::JSDOMWrapper::JSDOMWrapper):
      * bindings/scripts/CodeGeneratorJS.pm: Add finalizers to anything that inherits from JSGlobalObject,
      e.g. JSDOMWindow and JSWorkerContexts. For those classes we also need to define needsDestruction as true.
      (GenerateHeader):
      * bridge/objc/objc_runtime.h: Inherit from JSDestructibleObject.
      (ObjcFallbackObjectImp):
      * bridge/objc/objc_runtime.mm:
      (Bindings):
      (JSC::Bindings::ObjcFallbackObjectImp::ObjcFallbackObjectImp):
      * bridge/runtime_array.cpp: Use a finalizer so that JSArray isn't forced to inherit from JSDestructibleObject.
      (JSC):
      (JSC::RuntimeArray::destroy):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::create):
      (JSC):
      * bridge/runtime_object.cpp: Inherit from JSDestructibleObject.
      (Bindings):
      (JSC::Bindings::RuntimeObject::RuntimeObject):
      * bridge/runtime_object.h:
      (RuntimeObject):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@130303 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      30738a77
  8. 18 Sep, 2012 1 commit
    • ossy@webkit.org's avatar
      Unreviewed, rolling out r128826 and r128813. · 7c7e4274
      ossy@webkit.org authored
      Source/JavaScriptCore:
      
      * API/JSCallbackConstructor.cpp:
      (JSC):
      (JSC::JSCallbackConstructor::JSCallbackConstructor):
      * API/JSCallbackConstructor.h:
      (JSCallbackConstructor):
      * API/JSCallbackObject.cpp:
      (JSC):
      (JSC::::createStructure):
      * API/JSCallbackObject.h:
      (JSC::JSCallbackObject::create):
      (JSCallbackObject):
      * API/JSClassRef.cpp:
      (OpaqueJSClass::prototype):
      * API/JSObjectRef.cpp:
      (JSObjectMake):
      (JSObjectGetPrivate):
      (JSObjectSetPrivate):
      (JSObjectGetPrivateProperty):
      (JSObjectSetPrivateProperty):
      (JSObjectDeletePrivateProperty):
      * API/JSValueRef.cpp:
      (JSValueIsObjectOfClass):
      * API/JSWeakObjectMapRefPrivate.cpp:
      * GNUmakefile.list.am:
      * JSCTypedArrayStubs.h:
      (JSC):
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
      * heap/Heap.cpp:
      (JSC::Heap::isSafeToSweepStructures):
      (JSC):
      * heap/Heap.h:
      (JSC::Heap::allocatorForObjectWithDestructor):
      (Heap):
      (JSC::Heap::allocateWithDestructor):
      (JSC::Heap::allocateStructure):
      (JSC):
      * heap/IncrementalSweeper.cpp:
      (JSC::IncrementalSweeper::IncrementalSweeper):
      (JSC::IncrementalSweeper::sweepNextBlock):
      (JSC::IncrementalSweeper::startSweeping):
      (JSC::IncrementalSweeper::willFinishSweeping):
      (JSC::IncrementalSweeper::structuresCanBeSwept):
      (JSC):
      * heap/IncrementalSweeper.h:
      (IncrementalSweeper):
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::tryAllocateHelper):
      (JSC::MarkedAllocator::allocateBlock):
      * heap/MarkedAllocator.h:
      (JSC::MarkedAllocator::cellsNeedDestruction):
      (JSC::MarkedAllocator::onlyContainsStructures):
      (MarkedAllocator):
      (JSC::MarkedAllocator::MarkedAllocator):
      (JSC::MarkedAllocator::init):
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::create):
      (JSC::MarkedBlock::MarkedBlock):
      (JSC):
      (JSC::MarkedBlock::specializedSweep):
      (JSC::MarkedBlock::sweep):
      (JSC::MarkedBlock::sweepHelper):
      * heap/MarkedBlock.h:
      (JSC):
      (MarkedBlock):
      (JSC::MarkedBlock::cellsNeedDestruction):
      (JSC::MarkedBlock::onlyContainsStructures):
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::canonicalizeCellLivenessData):
      (JSC::MarkedSpace::isPagedOut):
      (JSC::MarkedSpace::freeBlock):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (Subspace):
      (JSC::MarkedSpace::allocatorFor):
      (JSC::MarkedSpace::destructorAllocatorFor):
      (JSC::MarkedSpace::allocateWithDestructor):
      (JSC::MarkedSpace::allocateStructure):
      (JSC::MarkedSpace::forEachBlock):
      * heap/SlotVisitor.cpp:
      * jit/JIT.h:
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateJSFinalObject):
      (JSC::JIT::emitAllocateJSArray):
      * jsc.cpp:
      (GlobalObject::create):
      * runtime/Arguments.cpp:
      (JSC):
      * runtime/Arguments.h:
      (Arguments):
      (JSC::Arguments::Arguments):
      * runtime/ErrorPrototype.cpp:
      (JSC):
      * runtime/Executable.h:
      * runtime/InternalFunction.cpp:
      (JSC):
      (JSC::InternalFunction::InternalFunction):
      * runtime/InternalFunction.h:
      (InternalFunction):
      * runtime/JSCell.h:
      (JSC):
      (JSC::allocateCell):
      * runtime/JSDestructibleObject.h: Removed.
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::createRareDataIfNeeded):
      (JSC::JSGlobalObject::create):
      * runtime/JSGlobalThis.h:
      (JSGlobalThis):
      (JSC::JSGlobalThis::JSGlobalThis):
      * runtime/JSPropertyNameIterator.h:
      * runtime/JSScope.cpp:
      (JSC):
      * runtime/JSString.h:
      (JSC):
      * runtime/JSWrapperObject.h:
      (JSWrapperObject):
      (JSC::JSWrapperObject::JSWrapperObject):
      * runtime/MathObject.cpp:
      (JSC):
      * runtime/NameInstance.h:
      (NameInstance):
      * runtime/RegExp.h:
      * runtime/RegExpObject.cpp:
      (JSC):
      * runtime/SparseArrayValueMap.h:
      * runtime/Structure.h:
      (JSC::Structure):
      (JSC::JSCell::classInfo):
      (JSC):
      * runtime/StructureChain.h:
      * runtime/SymbolTable.h:
      * testRegExp.cpp:
      (GlobalObject::create):
      
      Source/WebCore:
      
      * ForwardingHeaders/runtime/JSDestructibleObject.h: Removed.
      * bindings/js/JSDOMWrapper.h:
      (WebCore::JSDOMWrapper::JSDOMWrapper):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateHeader):
      * bridge/objc/objc_runtime.h:
      (ObjcFallbackObjectImp):
      * bridge/objc/objc_runtime.mm:
      (Bindings):
      (JSC::Bindings::ObjcFallbackObjectImp::ObjcFallbackObjectImp):
      * bridge/runtime_array.cpp:
      (JSC):
      (JSC::RuntimeArray::destroy):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::create):
      * bridge/runtime_object.cpp:
      (Bindings):
      (JSC::Bindings::RuntimeObject::RuntimeObject):
      * bridge/runtime_object.h:
      (RuntimeObject):
      
      Source/WebKit2:
      
      * WebProcess/Plugins/Netscape/JSNPObject.cpp:
      (WebKit):
      (WebKit::JSNPObject::JSNPObject):
      * WebProcess/Plugins/Netscape/JSNPObject.h:
      (JSNPObject):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128851 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7c7e4274
  9. 17 Sep, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      Delayed structure sweep can leak structures without bound · 013fd88d
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96546
      
      Reviewed by Gavin Barraclough.
      
      This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
      allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
      those objects with destructors and with immortal structures, and those objects with destructors that don't have 
      immortal structures. All of the objects of the third type (destructors without immortal structures) now 
      inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores 
      the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.
      
      Source/JavaScriptCore: 
      
      * API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.
      (JSC):
      (JSC::JSCallbackConstructor::JSCallbackConstructor):
      * API/JSCallbackConstructor.h:
      (JSCallbackConstructor):
      * API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for 
      JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer.
      (JSC):
      (JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add 
      the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides 
      to subclass this. We use this same technique for many other subclasses of JSGlobalObject.
      (JSC::::createStructure):
      * API/JSCallbackObject.h:
      (JSCallbackObject):
      (JSC):
      * API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead.
      (OpaqueJSClass::prototype):
      * API/JSObjectRef.cpp: Ditto.
      (JSObjectMake):
      (JSObjectGetPrivate):
      (JSObjectSetPrivate):
      (JSObjectGetPrivateProperty):
      (JSObjectSetPrivateProperty):
      (JSObjectDeletePrivateProperty):
      * API/JSValueRef.cpp: Ditto.
      (JSValueIsObjectOfClass):
      * API/JSWeakObjectMapRefPrivate.cpp: Ditto.
      * JSCTypedArrayStubs.h:
      (JSC):
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG.
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
      * heap/Heap.cpp:
      (JSC):
      * heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function 
      since it's always safe to sweep Structures now.
      (JSC::Heap::allocatorForObjectWithNormalDestructor): 
      (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
      (Heap):
      (JSC::Heap::allocateWithNormalDestructor):
      (JSC):
      (JSC::Heap::allocateWithImmortalStructureDestructor):
      * heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the 
      IncrementalSweeper since it's always safe to sweep Structures now.
      (JSC::IncrementalSweeper::IncrementalSweeper):
      (JSC::IncrementalSweeper::sweepNextBlock):
      (JSC::IncrementalSweeper::startSweeping):
      (JSC::IncrementalSweeper::willFinishSweeping):
      (JSC):
      * heap/IncrementalSweeper.h:
      (IncrementalSweeper):
      * heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add 
      tracking of the specific destructor type of allocator. 
      (JSC::MarkedAllocator::tryAllocateHelper):
      (JSC::MarkedAllocator::allocateBlock):
      * heap/MarkedAllocator.h:
      (JSC::MarkedAllocator::destructorType):
      (MarkedAllocator):
      (JSC::MarkedAllocator::MarkedAllocator):
      (JSC::MarkedAllocator::init):
      * heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping. 
      We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls.
      (JSC::MarkedBlock::create):
      (JSC::MarkedBlock::MarkedBlock):
      (JSC):
      (JSC::MarkedBlock::specializedSweep):
      (JSC::MarkedBlock::sweep):
      (JSC::MarkedBlock::sweepHelper):
      * heap/MarkedBlock.h:
      (JSC):
      (JSC::MarkedBlock::allocator):
      (JSC::MarkedBlock::destructorType):
      * heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace.
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::canonicalizeCellLivenessData):
      (JSC::MarkedSpace::isPagedOut):
      (JSC::MarkedSpace::freeBlock):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor):
      (JSC::MarkedSpace::normalDestructorAllocatorFor):
      (JSC::MarkedSpace::allocateWithImmortalStructureDestructor):
      (JSC::MarkedSpace::allocateWithNormalDestructor):
      (JSC::MarkedSpace::forEachBlock):
      * heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function.
      * jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT.
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateJSFinalObject):
      (JSC::JIT::emitAllocateJSArray):
      * jsc.cpp: 
      (GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from 
      JSDestructibleObject.
      * runtime/Arguments.cpp: Inherit from JSDestructibleObject.
      (JSC):
      * runtime/Arguments.h:
      (Arguments):
      (JSC::Arguments::Arguments):
      * runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor.
      (JSC):
      * runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures.
      (JSC):
      * runtime/InternalFunction.cpp: Inherit from JSDestructibleObject.
      (JSC):
      (JSC::InternalFunction::InternalFunction):
      * runtime/InternalFunction.h:
      (InternalFunction):
      * runtime/JSCell.h: Added the NEEDS_DESTRUCTOR  macro to make it easier for classes to indicate that instead of being 
      allocated in a destructor MarkedAllocator that they will handle their destruction themselves through the 
      use of a finalizer.
      (JSC):
      (HasImmortalStructure): New template to help us determine at compile-time if a particular class 
      should be allocated in the immortal structure MarkedAllocator. The default value is false. In order 
      to be allocated in the immortal structure allocator, classes must specialize this template. Also added 
      a macro to make it easier for classes to specialize the template.
      (JSC::allocateCell): Use the appropriate allocator depending on the destructor type.
      * runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be 
      accessed safely when the object is being destroyed.
      (JSC):
      (JSDestructibleObject):
      (JSC::JSDestructibleObject::classInfo):
      (JSC::JSDestructibleObject::JSDestructibleObject):
      (JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe.
      * runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all 
      of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well.
      (JSC::JSGlobalObject::reset):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one 
      for the m_rareData field when it's created.
      (JSC::JSGlobalObject::create):
      (JSC):
      * runtime/JSGlobalThis.h: Inherit from JSDestructibleObject.
      (JSGlobalThis):
      (JSC::JSGlobalThis::JSGlobalThis):
      * runtime/JSPropertyNameIterator.h: Has an immortal Structure.
      (JSC):
      * runtime/JSScope.cpp:
      (JSC):
      * runtime/JSString.h: Has an immortal Structure.
      (JSC):
      * runtime/JSWrapperObject.h: Inherit from JSDestructibleObject.
      (JSWrapperObject):
      (JSC::JSWrapperObject::JSWrapperObject):
      * runtime/MathObject.cpp: Cleaning up some of the inheritance stuff.
      (JSC):
      * runtime/NameInstance.h: Inherit from JSDestructibleObject.
      (NameInstance):
      * runtime/RegExp.h: Has immortal Structure.
      (JSC):
      * runtime/RegExpObject.cpp: Inheritance cleanup.
      (JSC):
      * runtime/SparseArrayValueMap.h: Has immortal Structure.
      (JSC):
      * runtime/Structure.h: Has immortal Structure.
      (JSC):
      * runtime/StructureChain.h: Ditto.
      (JSC):
      * runtime/SymbolTable.h: Ditto.
      (SharedSymbolTable):
      (JSC):
      
      Source/WebCore: 
      
      No new tests.
      
      * ForwardingHeaders/runtime/JSDestructableObject.h: Added.
      * bindings/js/JSDOMWrapper.h: Inherits from JSDestructibleObject.
      (JSDOMWrapper):
      (WebCore::JSDOMWrapper::JSDOMWrapper):
      * bindings/scripts/CodeGeneratorJS.pm: Add finalizers to anything that inherits from JSGlobalObject,
      e.g. JSDOMWindow and JSWorkerContexts. For those classes we also need to use the NEEDS_DESTRUCTOR macro.
      (GenerateHeader):
      * bridge/objc/objc_runtime.h: Inherit from JSDestructibleObject.
      (ObjcFallbackObjectImp):
      * bridge/objc/objc_runtime.mm:
      (Bindings):
      (JSC::Bindings::ObjcFallbackObjectImp::ObjcFallbackObjectImp):
      * bridge/runtime_array.cpp: Use a finalizer so that JSArray isn't forced to inherit from JSDestructibleObject.
      (JSC):
      (JSC::RuntimeArray::destroy):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::create):
      (JSC):
      * bridge/runtime_object.cpp: Inherit from JSDestructibleObject.
      (Bindings):
      (JSC::Bindings::RuntimeObject::RuntimeObject):
      * bridge/runtime_object.h:
      (RuntimeObject):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128813 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      013fd88d
  10. 14 Sep, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      Remove the Zapped BlockState · 76e50b10
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96708
      
      Reviewed by Geoffrey Garen.
      
      The Zapped block state is rather confusing. It indicates that a block is in one of two different states that we
      can't tell the difference between:
      
      1) I have run all destructors of things that are zapped, and I have not allocated any more objects. This block
         is ready for reclaiming if you so choose.
      2) I have run all the destructors of things that are zapped, but I have allocated more stuff since then, so it
         is not safe to reclaim this block.
      
      This state adds a lot of complexity to our state transition model for MarkedBlocks. We should get rid of it.
      We can replace this state by making sure mark bits represent all of the liveness information we need when running
      our conservative stack scan. Instead of zapping the free list when canonicalizing cell liveness data prior to
      a conservative scan, we can instead mark all objects in the block except for those in the free list. This should
      incur no performance penalty since we're doing it on a very small O(1) number of blocks at the beginning of the collection.
      
      For the time being we still need to use zapping to determine whether we have run an object's destructor or not.
      
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::tryAllocateHelper): Renaming stuff.
      * heap/MarkedAllocator.h: Renamed zapFreeList to canonicalizeCellLivenessData to match.
      (MarkedAllocator):
      (JSC::MarkedAllocator::canonicalizeCellLivenessData): Same as old zapFreeList, but just call canonicalize instead.
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::specializedSweep): Remove the check for Zapped block stuff. Also change the block state to Marked
      instead of Zapped if we're not producing a FreeList since that's the only other state that really makes any sense.
      (JSC::MarkedBlock::sweepHelper): Remove Zapped related code.
      (SetAllMarksFunctor): Functor to set all the mark bits in the block since there's not a simple function to call on
      the Bitmap itself.
      (JSC::SetAllMarksFunctor::operator()):
      (JSC):
      (JSC::MarkedBlock::canonicalizeCellLivenessData): Remove all the stuff for Zapped. For FreeListed, set all the mark bits
      and then clear the ones for the objects in the FreeList. This ensures that only the things that were in the FreeList
      are considered to be dead by the conservative scan, just like if we were to have zapped the FreeList like before.
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::clearMarked): Add function to clear individual mark bits, since we need that functionality now.
      (JSC):
      (JSC::MarkedBlock::isLive): Remove code for Zapped stuff. Marked handles all interesting cases now.
      (JSC::MarkedBlock::forEachCell): Add new iterator function that iterates over all cells in the block, regardless of
      whether they're live or a dead.
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::canonicalizeCellLivenessData): Change to call the renamed canonicalize function.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128563 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      76e50b10
  11. 31 Aug, 2012 3 commits
    • ggaren@apple.com's avatar
      Rolled back in a piece of <http://trac.webkit.org/changeset/127293>. · d84288e5
      ggaren@apple.com authored
          Shrink activation objects by half
          https://bugs.webkit.org/show_bug.cgi?id=95591
      
          Reviewed by Sam Weinig.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::MarkedBlock):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::globalData):
      (JSC):
      * heap/WeakSet.cpp:
      (JSC::WeakSet::addAllocator):
      * heap/WeakSet.h:
      (WeakSet):
      (JSC::WeakSet::WeakSet):
      (JSC::WeakSet::globalData):
      * runtime/JSGlobalData.h:
      (JSC::WeakSet::heap):
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127338 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d84288e5
    • ggaren@apple.com's avatar
      Not reviewed. · 1929b299
      ggaren@apple.com authored
      Rolled out http://trac.webkit.org/changeset/127293 because it broke
      inspector tests on Windows.
      
          Shrink activation objects by half
          https://bugs.webkit.org/show_bug.cgi?id=95591
      
          Reviewed by Sam Weinig.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127304 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1929b299
    • ggaren@apple.com's avatar
      Shrink activation objects by half · 0b44fca6
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95591
      
      Reviewed by Sam Weinig.
      
      Removed the global object, global data, and global this pointers from
      JSScope, and changed an int to a bitfield. This gets the JSActivation
      class down to 64 bytes, which in practice cuts it in half by getting it
      out of the 128 byte size class.
      
      Now, it's one extra indirection to get these pointers. These pointers
      aren't accessed by JIT code, so I thought there would be no cost to the
      extra indirection. However, some C++-heavy SunSpider tests regressed a
      bit in an early version of the patch, which added even more indirection.
      This suggests that calls to exec->globalData() and/or exec->lexicalGlobalObject()
      are common and probably duplicated in lots of places, and could stand
      further optimization in C++.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute): Test against the specific activation
      for our global object, since there's no VM-shared activation structure
      anymore. This is guaranteed to have the same success rate as the old test
      because activation scope is fixed at compile time.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::MarkedBlock):
      * heap/MarkedBlock.h:
      (JSC::MarkedBlock::globalData):
      * heap/WeakSet.cpp:
      (JSC::WeakSet::addAllocator):
      * heap/WeakSet.h:
      (WeakSet):
      (JSC::WeakSet::WeakSet):
      (JSC::WeakSet::globalData): Store a JSGlobalData* instead of a Heap*
      because JSGlobalData->Heap is just a constant fold in the addressing
      mode, while Heap->JSGlobalData is an extra pointer dereference. (These
      objects should eventually just merge.)
      
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_resolve_global_dynamic): See DFGAbstractState.cpp.
      
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm: Load the activation structure from
      the code block instead of the global data because the structure is not
      VM-shared anymore. (See DFGAbstractState.cpp.)
      
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation):
      * runtime/JSActivation.h:
      (JSActivation): This is the point of the patch: Remove the data.
      
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData): No longer VM-shared. (See DFGAbstractState.cpp.)
      
      (JSC::WeakSet::heap): (See WeakSet.h.)
      
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::JSGlobalObject):
      (JSC::JSGlobalObject::setGlobalThis):
      (JSC::JSGlobalObject::reset):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::withScopeStructure):
      (JSC::JSGlobalObject::strictEvalActivationStructure):
      (JSC::JSGlobalObject::activationStructure):
      (JSC::JSGlobalObject::nameScopeStructure):
      (JSC::JSScope::globalThis):
      (JSC::JSGlobalObject::globalThis): Data that used to be in the JSScope
      class goes here now, so it's not duplicated across all activations.
      
      * runtime/JSNameScope.h:
      (JSC::JSNameScope::JSNameScope):
      * runtime/JSScope.cpp:
      (JSC::JSScope::visitChildren): This is the point of the patch: Remove the data.
      
      * runtime/JSScope.h:
      (JSScope):
      (JSC::JSScope::JSScope):
      (JSC::JSScope::globalObject):
      (JSC::JSScope::globalData):
      * runtime/JSSegmentedVariableObject.h:
      (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
      * runtime/JSSymbolTableObject.h:
      (JSC::JSSymbolTableObject::JSSymbolTableObject):
      * runtime/JSVariableObject.h:
      (JSC::JSVariableObject::JSVariableObject):
      * runtime/JSWithScope.h:
      (JSC::JSWithScope::JSWithScope):
      * runtime/StrictEvalActivation.cpp:
      (JSC::StrictEvalActivation::StrictEvalActivation): Simplified now that
      we don't need to pass so much data to JSScope.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127293 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0b44fca6
  12. 30 Aug, 2012 1 commit
    • ggaren@apple.com's avatar
      Use one object instead of two for closures, eliminating ScopeChainNode · b11e7874
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95501
      
      Reviewed by Filip Pizlo.
      
      ../JavaScriptCore: 
      
      This patch removes ScopeChainNode, and moves all the data and related
      functions that used to be in ScopeChainNode into JSScope.
      
      Most of this patch is mechanical changes to use a JSScope* where we used
      to use a ScopeChainNode*. I've only specifically commented about items
      that were non-mechanical.
      
      * runtime/Completion.cpp:
      (JSC::evaluate):
      * runtime/Completion.h: Don't require an explicit scope chain argument
      when evaluating code. Clients never wanted anything other than the
      global scope, and other arbitrary scopes probably wouldn't work
      correctly, anyway.
      
      * runtime/JSScope.cpp:
      * runtime/JSScope.h:
      (JSC::JSScope::JSScope): JSScope now requires the data we used to pass to
      ScopeChainNode, so it can link itself into the scope chain correctly.
      
      * runtime/JSWithScope.h:
      (JSC::JSWithScope::create):
      (JSC::JSWithScope::JSWithScope): JSWithScope gets an extra constructor
      for specifically supplying your own scope chain. The DOM needs this
      interface for setting up the scope chain for certain event handlers.
      Other clients always just push the JSWithScope to the head of the current
      scope chain.
      
      ../WebCore: 
      
      Mechanical changes to update for JSC interface changes.
      
      ../WebKit/mac: 
      
      Mechanical change to update for JSC interface change.
      
      ../WebKit/qt: 
      
      Mechanical change to update for JSC interface change.
      
      * Api/qwebelement.cpp:
      (QWebElement::evaluateJavaScript):
      
      ../WebKit2: 
      
      Mechanical changes to update for JSC interface change.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127202 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b11e7874
  13. 01 Aug, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      C++ code should get ClassInfo from the Structure · f19f935f
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=92892
      
      Reviewed by Geoffrey Garen.
      
      In our march to remove ClassInfo from our JSCell object headers, we can switch 
      C++ code over to grabbing the ClassInfo from the Structure since it is finally 
      safe to do so now that Structure access is safe during finalization/destruction. 
      The remaining JIT code changes can be done in a separate patch.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::callDestructor): We don't want to clear the Structure any more 
      since the Structure should still be valid at this point.
      * heap/WeakSetInlines.h:
      (JSC::WeakBlock::finalize): Ditto.
      * runtime/JSCell.h:
      (JSC):
      * runtime/Structure.h:
      (JSC::JSCell::classInfo): Move JSCell's classInfo() to Structure.h so it can be 
      inline. Use a different method of getting the JSCell's Structure based on 
      whether we're in GC_VALIDATION mode or not, since always using get() will cause 
      infinite recursion in GC_VALIDATION mode.
      (JSC):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124355 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f19f935f
  14. 31 Jul, 2012 2 commits
    • mhahnenberg@apple.com's avatar
      Structures should be swept after all other objects · 59c64f1e
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=92679
      
      Reviewed by Filip Pizlo.
      
      In order to get rid of ClassInfo from our objects, we need to be able to safely get the 
      ClassInfo during the destruction of objects. We'd like to get the ClassInfo out of the 
      Structure, but currently it is not safe to do so because the order of destruction of objects 
      is not guaranteed to sweep objects before their corresponding Structure. We can fix this by 
      sweeping Structures after everything else.
      
      * heap/Heap.cpp:
      (JSC::Heap::isSafeToSweepStructures): Add a function that checks if it is safe to sweep Structures.
      If the Heap's IncrementalSweeper member is null, that means we're shutting down this VM and it is 
      safe to sweep structures since we'll always do Structures last anyways due to the ordering of 
      MarkedSpace::forEachBlock.
      (JSC):
      (JSC::Heap::didStartVMShutdown): Add this intermediate function to the Heap that ~JSGlobalData now
      calls rather than calling the two HeapTimer objects individually. This allows the Heap to null out 
      these pointers after it has invalidated them to prevent accidental use-after-free in the sweep() 
      calls during lastChanceToFinalize().
      * heap/Heap.h:
      (Heap):
      * heap/HeapTimer.h:
      (HeapTimer):
      * heap/IncrementalSweeper.cpp:
      (JSC::IncrementalSweeper::structuresCanBeSwept): Determines if it is currently safe to sweep Structures.
      This decision is based on whether we have gotten to the end of the vector of blocks that need sweeping
      the first time.
      (JSC):
      (JSC::IncrementalSweeper::doSweep): We add a second pass over the vector to sweep Structures after we 
      make our first pass. We now null out the slots as we sweep them so that we can quickly find the 
      Structures during the second pass.
      (JSC::IncrementalSweeper::startSweeping): Initialize our new Structure sweeping index.
      (JSC::IncrementalSweeper::willFinishSweeping): Callback that is called by MarkedSpace::sweep to notify 
      the IncrementalSweeper that we are going to sweep all of the remaining blocks in the Heap so it can 
      assume that everything is taken care of in the correct order. Since MarkedSpace::forEachBlock 
      iterates over the Structure blocks after all other blocks, the ordering property for sweeping Structures holds.
      (JSC::IncrementalSweeper::IncrementalSweeper): Initialize Structure sweeping index.
      * heap/IncrementalSweeper.h: Add declarations for new stuff.
      (IncrementalSweeper):
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::tryAllocateHelper): We now check if the current block only contains structures and 
      if so and it isn't safe to sweep Structures according to the Heap, we just return early instead of doing 
      the normal lazy sweep. If this proves to be too much of a waste in the future we can add an extra clause that 
      will sweep some number of other blocks in place of the current block to mitigate the cost of the floating 
      Structure garbage.
      (JSC::MarkedAllocator::addBlock):
      * heap/MarkedAllocator.h:
      (JSC::MarkedAllocator::zapFreeList): When we zap the free list in the MarkedAllocator, the current block is no 
      longer valid to allocate from, so we set the current block to null.
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::sweepHelper): Added a couple assertions to make sure that we weren't trying to sweep Structures
      at an unsafe time.
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::sweep): Notify the IncrementalSweeper that the MarkedSpace will finish all currently remaining sweeping.
      (JSC): 
      * heap/MarkedSpace.h:
      (JSC):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::~JSGlobalData): Call the new Heap::didStartVMShutdown.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124265 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      59c64f1e
    • ggaren@apple.com's avatar
      Removed some public data and casting from the Heap · dd7793a8
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=92777
      
      Reviewed by Oliver Hunt.
      
      * heap/BlockAllocator.cpp:
      (JSC::BlockAllocator::releaseFreeBlocks):
      (JSC::BlockAllocator::blockFreeingThreadMain): Use the DeadBlock class
      since HeapBlock is a template, and not a class, now. Call destroy()
      instead of monkeying around with DeadBlock's internal data because
      encapsulation is good.
      
      * heap/BlockAllocator.h:
      (DeadBlock): Added a class to represent a dead block, since HeapBlock is
      a template now, and can't be instantiated directly.
      
      (JSC::DeadBlock::DeadBlock):
      (JSC::DeadBlock::create):
      (BlockAllocator):
      (JSC::BlockAllocator::allocate):
      (JSC::BlockAllocator::deallocate): Use the DeadBlock class because
      encapsulation is good.
      
      * heap/CopiedBlock.h:
      (CopiedBlock::destroy): No need for a destroy() function, since we
      inherit one now.
      
      (JSC::CopiedBlock::CopiedBlock):
      (JSC::CopiedBlock::payloadEnd):
      (JSC::CopiedBlock::capacity): Updated for some encapsulation inside
      HeapBlock.
      
      * heap/CopiedSpace.cpp:
      (JSC::CopiedSpace::~CopiedSpace):
      (JSC::CopiedSpace::doneCopying):
      (JSC::CopiedSpace::size):
      (JSC::CopiedSpace::capacity):
      (JSC::isBlockListPagedOut): Removed a bunch of casting. This is no longer
      necessary, now that our list and its nodes have the right type.
      
      * heap/CopiedSpace.h: Use the right type in our data structures because
      it improves clarity.
      
      * heap/CopiedSpaceInlineMethods.h:
      (JSC::CopiedSpace::startedCopying): Use swap to avoid duplicating it.
      
      * heap/HeapBlock.h:
      (HeapBlock): Made this a class template so we can return the right type
      in linked list operations. Made our data private because encapsulation
      is good.
      
      (JSC::HeapBlock::destroy): Since we know our type, we can also eliminate
      duplicate destroy() functions in our subclasses.
      
      (JSC::HeapBlock::allocation): Added an accessor so we can hide our data.
      By using const, this accessor prevents clients from accidentally deleting
      our allocation.
      
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::isPagedOut):
      (JSC::MarkedAllocator::tryAllocateHelper):
      (JSC::MarkedAllocator::removeBlock): Removed a bunch of casting. This is
      no longer necessary, now that our list and its nodes have the right type.
      
      * heap/MarkedAllocator.h:
      (MarkedAllocator):
      (JSC::MarkedAllocator::reset):
      (JSC::MarkedAllocator::forEachBlock): Use the right type, do less casting.
      
      * heap/MarkedBlock.cpp: 
      (JSC::MarkedBlock::destroy): Removed this function because our parent
      class provides it for us now.
      
      (JSC::MarkedBlock::MarkedBlock):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::capacity): Updated for encapsulation.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124250 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      dd7793a8
  15. 30 Jul, 2012 2 commits
    • commit-queue@webkit.org's avatar
      Unreviewed, rolling out r124123. · 764c9fb1
      commit-queue@webkit.org authored
      http://trac.webkit.org/changeset/124123
      https://bugs.webkit.org/show_bug.cgi?id=92700
      
      ASSERT crashes terminate webkit Layout tests (Requested by
      msaboff on #webkit).
      
      Patch by Sheriff Bot <webkit.review.bot@gmail.com> on 2012-07-30
      
      * heap/Heap.cpp:
      * heap/Heap.h:
      (Heap):
      * heap/IncrementalSweeper.cpp:
      (JSC::IncrementalSweeper::doSweep):
      (JSC::IncrementalSweeper::startSweeping):
      (JSC::IncrementalSweeper::IncrementalSweeper):
      (JSC):
      * heap/IncrementalSweeper.h:
      (IncrementalSweeper):
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::tryAllocateHelper):
      (JSC::MarkedAllocator::addBlock):
      * heap/MarkedAllocator.h:
      (JSC::MarkedAllocator::zapFreeList):
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::sweepHelper):
      * heap/MarkedSpace.cpp:
      * heap/MarkedSpace.h:
      (JSC::MarkedSpace::sweep):
      (JSC):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::~JSGlobalData):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124141 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      764c9fb1
    • mhahnenberg@apple.com's avatar
      Structures should be swept after all other objects · 3c1699eb
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=92679
      
      Reviewed by Filip Pizlo.
      
      In order to get rid of ClassInfo from our objects, we need to be able to safely get the 
      ClassInfo during the destruction of objects. We'd like to get the ClassInfo out of the 
      Structure, but currently it is not safe to do so because the order of destruction of objects 
      is not guaranteed to sweep objects before their corresponding Structure. We can fix this by 
      sweeping Structures after everything else.
      
      * heap/Heap.cpp:
      (JSC::Heap::isSafeToSweepStructures): Add a function that checks if it is safe to sweep Structures.
      If the Heap's IncrementalSweeper member is null, that means we're shutting down this VM and it is 
      safe to sweep structures since we'll always do Structures last anyways due to the ordering of 
      MarkedSpace::forEachBlock.
      (JSC):
      (JSC::Heap::didStartVMShutdown): Add this intermediate function to the Heap that ~JSGlobalData now
      calls rather than calling the two HeapTimer objects individually. This allows the Heap to null out 
      these pointers after it has invalidated them to prevent accidental use-after-free in the sweep() 
      calls during lastChanceToFinalize().
      * heap/Heap.h:
      (Heap):
      * heap/HeapTimer.h:
      (HeapTimer):
      * heap/IncrementalSweeper.cpp:
      (JSC::IncrementalSweeper::structuresCanBeSwept): Determines if it is currently safe to sweep Structures.
      This decision is based on whether we have gotten to the end of the vector of blocks that need sweeping
      the first time.
      (JSC):
      (JSC::IncrementalSweeper::doSweep): We add a second pass over the vector to sweep Structures after we 
      make our first pass. We now null out the slots as we sweep them so that we can quickly find the 
      Structures during the second pass.
      (JSC::IncrementalSweeper::startSweeping): Initialize our new Structure sweeping index.
      (JSC::IncrementalSweeper::willFinishSweeping): Callback that is called by MarkedSpace::sweep to notify 
      the IncrementalSweeper that we are going to sweep all of the remaining blocks in the Heap so it can 
      assume that everything is taken care of in the correct order. Since MarkedSpace::forEachBlock 
      iterates over the Structure blocks after all other blocks, the ordering property for sweeping Structures holds.
      (JSC::IncrementalSweeper::IncrementalSweeper): Initialize Structure sweeping index.
      * heap/IncrementalSweeper.h: Add declarations for new stuff.
      (IncrementalSweeper):
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::tryAllocateHelper): We now check if the current block only contains structures and 
      if so and it isn't safe to sweep Structures according to the Heap, we just return early instead of doing 
      the normal lazy sweep. If this proves to be too much of a waste in the future we can add an extra clause that 
      will sweep some number of other blocks in place of the current block to mitigate the cost of the floating 
      Structure garbage.
      (JSC::MarkedAllocator::addBlock):
      * heap/MarkedAllocator.h:
      (JSC::MarkedAllocator::zapFreeList): When we zap the free list in the MarkedAllocator, the current block is no 
      longer valid to allocate from, so we set the current block to null.
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::sweepHelper): Added a couple assertions to make sure that we weren't trying to sweep Structures
      at an unsafe time.
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::sweep): Notify the IncrementalSweeper that the MarkedSpace will finish all currently remaining sweeping.
      (JSC): 
      * heap/MarkedSpace.h:
      (JSC):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::~JSGlobalData): Call the new Heap::didStartVMShutdown.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124123 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      3c1699eb
  16. 26 Jul, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      Allocate Structures in a separate part of the Heap · b44a7f0d
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=92420
      
      Reviewed by Filip Pizlo.
      
      To fix our issue with destruction/finalization of Structures before their objects, we can move Structures to a separate 
      part of the Heap that will be swept after all other objects. This first patch will just be separating Structures 
      out into their own separate MarkedAllocator. Everything else will behave identically.
      
      * heap/Heap.h: New function to allocate Structures in the Heap.
      (Heap):
      (JSC):
      (JSC::Heap::allocateStructure):
      * heap/MarkedAllocator.cpp: Pass whether or not we're allocated Structures to the MarkedBlock.
      (JSC::MarkedAllocator::allocateBlock):
      * heap/MarkedAllocator.h: Add tracking for whether or not we're allocating only Structures.
      (JSC::MarkedAllocator::onlyContainsStructures):
      (MarkedAllocator):
      (JSC::MarkedAllocator::MarkedAllocator):
      (JSC::MarkedAllocator::init):
      * heap/MarkedBlock.cpp: Add tracking for whether or not we're allocating only Structures. We need this to be able to 
      distinguish the various MarkedBlock types in MarkedSpace::allocatorFor(MarkedBlock*).
      (JSC::MarkedBlock::create):
      (JSC::MarkedBlock::MarkedBlock):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::onlyContainsStructures):
      (JSC):
      * heap/MarkedSpace.cpp: Include the new Structure allocator in all the places that all the other allocators are used/modified.
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::canonicalizeCellLivenessData):
      (JSC::MarkedSpace::isPagedOut):
      * heap/MarkedSpace.h: Add new MarkedAllocator just for Structures.
      (MarkedSpace):
      (JSC::MarkedSpace::allocatorFor):
      (JSC::MarkedSpace::allocateStructure):
      (JSC):
      (JSC::MarkedSpace::forEachBlock):
      * runtime/Structure.h: Move all of the functions that call allocateCell<Structure> down below the explicit template specialization
      for allocateCell<Structure>. The new inline specialization for allocateCell directly calls the allocateStructure() function in the
      Heap.
      (Structure):
      (JSC::Structure):
      (JSC):
      (JSC::Structure::create):
      (JSC::Structure::createStructure):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@123813 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b44a7f0d
  17. 09 Jun, 2012 1 commit
  18. 04 Jun, 2012 1 commit
    • ggaren@apple.com's avatar
      Unreviewed. · 825cc10a
      ggaren@apple.com authored
      Rolled out r119364 because it's still causing crashes (when running
      v8-earley in release builds of DRT)
      
      This time for sure!
      
      * heap/Heap.cpp:
      (JSC::Heap::collect):
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::sweep):
      * heap/MarkedBlock.h:
      (JSC::MarkedBlock::resetAllocator):
      (JSC):
      * heap/MarkedSpace.cpp:
      (JSC::ResetAllocator::operator()):
      (JSC):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::sweepWeakSets):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      * heap/WeakBlock.cpp:
      (JSC::WeakBlock::sweep):
      * heap/WeakSet.cpp:
      (JSC::WeakSet::sweep):
      (JSC::WeakSet::tryFindAllocator):
      * heap/WeakSet.h:
      (JSC::WeakSet::shrink):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@119453 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      825cc10a
  19. 03 Jun, 2012 1 commit
    • ggaren@apple.com's avatar
      Weak pointer finalization should be lazy · 02dec62d
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=87599
      
      Reviewed by Sam Weinig.
      
      This time for sure!
      
      * heap/Heap.cpp:
      (JSC::Heap::collect): Don't sweep eagerly -- we'll sweep lazily instead.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::sweep): Sweep our weak set before we sweep our other
      destructors -- this is our last chance to run weak set finalizers before
      we recycle our memory.
      
      * heap/MarkedBlock.h:
      (JSC::MarkedBlock::resetAllocator):
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::resetAllocators):
      * heap/MarkedSpace.h:
      (JSC::MarkedSpace::resetAllocators): Don't force allocator reset anymore.
      It will happen automatically when a weak set is swept. It's simpler to
      have only one canonical way for this to happen, and it wasn't buying
      us anything to do it eagerly.
      
      * heap/WeakBlock.cpp:
      (JSC::WeakBlock::sweep): Don't short-circuit a sweep unless we know
      the sweep would be a no-op. If even one finalizer is pending, we need to
      run it, since we won't get another chance.
      
      * heap/WeakSet.cpp:
      (JSC::WeakSet::sweep): This loop can be simpler now that
      WeakBlock::sweep() does what we mean.
      
      Reset our allocator after a sweep because this is the optimal time to
      start trying to recycle old weak pointers.
      
      (JSC::WeakSet::tryFindAllocator): Don't sweep when searching for an
      allocator because we've swept already, and forcing a new sweep would be
      wasteful.
      
      * heap/WeakSet.h:
      (JSC::WeakSet::shrink): Be sure to reset our allocator after a shrink
      because the shrink may have removed the block the allocator was going to
      allocate out of.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@119364 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      02dec62d
  20. 30 May, 2012 1 commit
  21. 29 May, 2012 1 commit
  22. 28 May, 2012 1 commit
  23. 27 May, 2012 1 commit
    • ggaren@apple.com's avatar
      Weak pointer finalization should be lazy · b816d751
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=87599
      
      Reviewed by Darin Adler.
      
      * heap/Heap.cpp:
      (JSC::Heap::collect): Don't force immediate finalization -- it will
      happen lazily.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::sweep): Sweep a block's weak set when sweeping the
      block. The weak set may not have been swept yet, and this is our last
      chance to run weak finalizers before we recycle the memory they reference.
      
      * heap/MarkedBlock.h:
      * heap/MarkedSpace.cpp:
      (JSC::MarkedBlock::sweepWeakSets):
      * heap/MarkedSpace.h:
      (JSC::MarkedSpace::sweepWeakSets): Nixed sweepWeakSets because it's unused
      now.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118646 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b816d751
  24. 26 May, 2012 1 commit
    • ggaren@apple.com's avatar
      WebKit should be lazy-finalization-safe (esp. the DOM) v2 · 72da8116
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=87581
      
      Reviewed by Oliver Hunt.
      
      ../JavaScriptCore: 
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::callDestructor):
      * heap/WeakBlock.h:
      * heap/WeakSetInlines.h:
      (JSC::WeakBlock::finalize): Since we don't guarantee destruction order,
      it's not valid to access GC pointers like the Structure pointer during
      finalization. We NULL out the structure pointer in debug builds to try
      to make this programming mistake more obvious.
      
      * API/JSCallbackConstructor.cpp:
      (JSC::JSCallbackConstructor::destroy):
      * API/JSCallbackObject.cpp:
      (JSC::::destroy):
      (JSC::JSCallbackObjectData::finalize):
      * runtime/Arguments.cpp:
      (JSC::Arguments::destroy):
      * runtime/DateInstance.cpp:
      (JSC::DateInstance::destroy):
      * runtime/Error.cpp:
      (JSC::StrictModeTypeErrorFunction::destroy):
      * runtime/Executable.cpp:
      (JSC::ExecutableBase::destroy):
      (JSC::NativeExecutable::destroy):
      (JSC::ScriptExecutable::destroy):
      (JSC::EvalExecutable::destroy):
      (JSC::ProgramExecutable::destroy):
      (JSC::FunctionExecutable::destroy):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::destroy):
      * runtime/JSPropertyNameIterator.cpp:
      (JSC::JSPropertyNameIterator::destroy):
      * runtime/JSStaticScopeObject.cpp:
      (JSC::JSStaticScopeObject::destroy):
      * runtime/JSString.cpp:
      (JSC::JSString::destroy):
      * runtime/JSVariableObject.cpp:
      (JSC::JSVariableObject::destroy):
      * runtime/NameInstance.cpp:
      (JSC::NameInstance::destroy):
      * runtime/RegExp.cpp:
      (JSC::RegExp::destroy):
      * runtime/RegExpConstructor.cpp:
      (JSC::RegExpConstructor::destroy):
      * runtime/Structure.cpp:
      (JSC::Structure::destroy):
      * runtime/StructureChain.cpp:
      (JSC::StructureChain::destroy): Use static_cast instead of jsCast because
      jsCast does Structure-based validation, and our Structure is not guaranteed
      to be alive when we get finalized.
      
      ../WebCore: 
      
      * bindings/js/JSDOMGlobalObject.cpp:
      (WebCore::JSDOMGlobalObject::destroy):
      * bindings/js/JSDOMWindowBase.cpp:
      (WebCore::JSDOMWindowBase::destroy):
      * bindings/js/JSDOMWindowShell.cpp:
      (WebCore::JSDOMWindowShell::destroy):
      * bindings/js/JSNodeCustom.cpp:
      (WebCore::JSNodeOwner::finalize):
      * bindings/js/JSWorkerContextBase.cpp:
      (WebCore::JSWorkerContextBase::destroy):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateImplementation):
      * bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
      (WebCore::JSTestActiveDOMObject::destroy):
      (WebCore::JSTestActiveDOMObjectOwner::finalize):
      * bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
      (WebCore::JSTestCustomNamedGetter::destroy):
      (WebCore::JSTestCustomNamedGetterOwner::finalize):
      * bindings/scripts/test/JS/JSTestEventConstructor.cpp:
      (WebCore::JSTestEventConstructor::destroy):
      (WebCore::JSTestEventConstructorOwner::finalize):
      * bindings/scripts/test/JS/JSTestEventTarget.cpp:
      (WebCore::JSTestEventTarget::destroy):
      (WebCore::JSTestEventTargetOwner::finalize):
      * bindings/scripts/test/JS/JSTestException.cpp:
      (WebCore::JSTestException::destroy):
      (WebCore::JSTestExceptionOwner::finalize):
      * bindings/scripts/test/JS/JSTestInterface.cpp:
      (WebCore::JSTestInterface::destroy):
      (WebCore::JSTestInterfaceOwner::finalize):
      * bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:
      (WebCore::JSTestMediaQueryListListener::destroy):
      (WebCore::JSTestMediaQueryListListenerOwner::finalize):
      * bindings/scripts/test/JS/JSTestNamedConstructor.cpp:
      (WebCore::JSTestNamedConstructor::destroy):
      (WebCore::JSTestNamedConstructorOwner::finalize):
      * bindings/scripts/test/JS/JSTestObj.cpp:
      (WebCore::JSTestObj::destroy):
      (WebCore::JSTestObjOwner::finalize):
      * bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:
      (WebCore::JSTestSerializedScriptValueInterface::destroy):
      (WebCore::JSTestSerializedScriptValueInterfaceOwner::finalize):
      * bridge/objc/objc_runtime.mm:
      (JSC::Bindings::ObjcFallbackObjectImp::destroy):
      * bridge/qt/qt_runtime.cpp:
      (JSC::Bindings::QtRuntimeMethod::destroy):
      * bridge/qt/qt_runtime_qt4.cpp:
      (JSC::Bindings::QtRuntimeMethod::destroy):
      * bridge/runtime_array.cpp:
      (JSC::RuntimeArray::destroy):
      * bridge/runtime_method.cpp:
      (JSC::RuntimeMethod::destroy):
      * bridge/runtime_object.cpp:
      (JSC::Bindings::RuntimeObject::destroy):
      * bridge/runtime_root.cpp:
      (JSC::Bindings::RootObject::finalize): Use static_cast instead of jsCast because
      jsCast does Structure-based validation, and our Structure is not guaranteed
      to be alive when we get finalized.
      
      ../WebKit2: 
      
      * WebProcess/Plugins/Netscape/JSNPObject.cpp:
      (WebKit::JSNPObject::destroy):
      (WebKit::JSNPObject::leakNPObject):
      * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
      (WebKit::NPRuntimeObjectMap::finalize): Use static_cast instead of jsCast because
      jsCast does Structure-based validation, and our Structure is not guaranteed
      to be alive when we get finalized.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118616 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      72da8116
  25. 24 May, 2012 1 commit
    • ggaren@apple.com's avatar
      Made WeakSet per-block instead of per-heap · 39281e26
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=87401
      
      Reviewed by Oliver Hunt.
      
      This allows us fast access to the set of all weak pointers for a block,
      which is a step toward lazy finalization.
      
      No performance change.
      
      * heap/Heap.cpp:
      (JSC::Heap::Heap):
      (JSC::Heap::lastChanceToFinalize): Removed the per-heap weak set, since
      it's per-block now.
      
      (JSC::Heap::markRoots): Delegate weak set visiting to the marked space,
      since it knows how to iterate all blocks.
      
      (JSC::Heap::collect): Moved the reaping outside of markRoots, since it
      doesn't mark anything.
      
      Make sure to reset allocators after shrinking, since shrinking may
      deallocate the current allocator.
      
      * heap/Heap.h:
      (Heap): No more per-heap weak set, since it's per-block now.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::MarkedBlock):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::lastChanceToFinalize): Migrated finalization logic
      here from the heap, so the heap doesn't need to know about our internal
      data structures like our weak set.
      
      (JSC::MarkedBlock::heap):
      (JSC::MarkedBlock::weakSet):
      (JSC::MarkedBlock::shrink):
      (JSC::MarkedBlock::resetAllocator):
      (JSC::MarkedBlock::visitWeakSet):
      (JSC::MarkedBlock::reapWeakSet):
      (JSC::MarkedBlock::sweepWeakSet):
      * heap/MarkedSpace.cpp:
      (JSC::VisitWeakSet::VisitWeakSet):
      (JSC::VisitWeakSet::operator()):
      (VisitWeakSet):
      (JSC):
      (JSC::ReapWeakSet::operator()):
      (JSC::SweepWeakSet::operator()):
      (JSC::LastChanceToFinalize::operator()):
      (JSC::MarkedSpace::lastChanceToFinalize):
      (JSC::ResetAllocator::operator()):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::visitWeakSets):
      (JSC::MarkedSpace::reapWeakSets):
      (JSC::MarkedSpace::sweepWeakSets):
      (JSC::Shrink::operator()):
      (JSC::MarkedSpace::shrink):
      * heap/MarkedSpace.h:
      (MarkedSpace): Make sure to account for our weak sets when sweeping,
      shrinking, etc.
      
      * heap/WeakSet.cpp:
      (JSC):
      * heap/WeakSet.h:
      (WeakSet):
      (JSC::WeakSet::heap):
      (JSC):
      (JSC::WeakSet::lastChanceToFinalize):
      (JSC::WeakSet::visit):
      (JSC::WeakSet::reap):
      (JSC::WeakSet::shrink):
      (JSC::WeakSet::resetAllocator): Inlined some things since they're called
      once per block now instead of once per heap.
      
      * heap/WeakSetInlines.h:
      (JSC::WeakSet::allocate): Use the per-block weak set since there is no
      per-heap weak set anymore.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118416 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      39281e26
  26. 22 May, 2012 1 commit
    • ggaren@apple.com's avatar
      CopiedBlock and MarkedBlock should have proper value semantics (i.e., destructors) · a68a6509
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=87172
      
      Reviewed by Oliver Hunt and Phil Pizlo.
      
      This enables MarkedBlock to own non-trivial sub-objects that require
      destruction. It also fixes a FIXME about casting a CopiedBlock to a
      MarkedBlock at destroy time.
      
      CopiedBlock and MarkedBlock now accept an allocation chunk at create
      time and return it at destroy time. Their client is expected to
      allocate, recycle, and destroy these chunks.
      
      * heap/BlockAllocator.cpp:
      (JSC::BlockAllocator::releaseFreeBlocks):
      (JSC::BlockAllocator::blockFreeingThreadMain): Don't call MarkedBlock::destroy
      because we expect that to be called before a block is put on our free
      list now. Do manually deallocate our allocation chunk because that's
      our job now.
      
      * heap/BlockAllocator.h:
      (BlockAllocator):
      (JSC::BlockAllocator::allocate): Allocate never fails now. This is a
      cleaner abstraction because only one object does all the VM allocation
      and deallocation. Caching is an implementation detail.
      
      (JSC::BlockAllocator::deallocate): We take an allocation chunk argument
      instead of a block because we now expect the block to have been destroyed 
      before we recycle its memory. For convenience, we still use the HeapBlock
      class as our linked list node. This is OK because HeapBlock is a POD type.
      
      * heap/CopiedBlock.h:
      (CopiedBlock):
      (JSC::CopiedBlock::create):
      (JSC::CopiedBlock::destroy):
      (JSC::CopiedBlock::CopiedBlock): Added proper create and destroy functions,
      to match MarkedBlock.
      
      * heap/CopiedSpace.cpp:
      (JSC::CopiedSpace::tryAllocateOversize):
      (JSC::CopiedSpace::tryReallocateOversize):
      (JSC::CopiedSpace::doneCopying):
      (JSC::CopiedSpace::getFreshBlock):
      (JSC::CopiedSpace::freeAllBlocks):
      * heap/CopiedSpaceInlineMethods.h:
      (JSC::CopiedSpace::recycleBlock): Make sure to call destroy before
      returning a block to the BlockAllocator. Otherwise, our destructors
      won't run. (If we get this wrong now, we'll get a compile error.)
      
      * heap/HeapBlock.h:
      (JSC::HeapBlock::HeapBlock): const!
      
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::allocateBlock): No need to distinguish between
      create and recycle -- MarkedBlock always accepts memory allocated by
      its client now.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::create): Don't allocate memory -- we assume that we're
      passed already-allocated memory, to clarify the responsibility for VM
      recycling.
      
      (JSC::MarkedBlock::destroy): Do run our destructor before giving back
      our VM -- that is the whole point of this patch.
      
      (JSC::MarkedBlock::MarkedBlock):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      * heap/MarkedSpace.cpp: const!
      
      (JSC::MarkedSpace::freeBlocks): Make sure to call destroy before
      returning a block to the BlockAllocator. Otherwise, our destructors
      won't run. (If we get this wrong now, we'll get a compile error.)
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118083 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a68a6509
  27. 19 Apr, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      We're collecting pathologically due to small allocations · 8b5cfd3b
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=84404
      
      Reviewed by Geoffrey Garen.
      
      No change in performance on run-jsc-benchmarks.
      
      * dfg/DFGSpeculativeJIT.h: Replacing m_firstFreeCell with m_freeList.
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      * heap/CopiedSpace.cpp: Getting rid of any water mark related stuff, since it's no 
      longer useful. 
      (JSC::CopiedSpace::CopiedSpace):
      (JSC::CopiedSpace::tryAllocateSlowCase): We now only call didAllocate here rather than 
      carrying out a somewhat complicated accounting job for our old water mark throughout CopiedSpace.
      (JSC::CopiedSpace::tryAllocateOversize):  Call the new didAllocate to notify the Heap of 
      newly allocated stuff.
      (JSC::CopiedSpace::tryReallocateOversize):
      (JSC::CopiedSpace::doneFillingBlock):
      (JSC::CopiedSpace::doneCopying):
      (JSC::CopiedSpace::destroy):
      * heap/CopiedSpace.h:
      (CopiedSpace):
      * heap/CopiedSpaceInlineMethods.h:
      (JSC::CopiedSpace::startedCopying):
      * heap/Heap.cpp: Removed water mark related stuff, replaced with new bytesAllocated and 
      bytesAllocatedLimit to track how much memory has been allocated since the last collection.
      (JSC::Heap::Heap):
      (JSC::Heap::reportExtraMemoryCostSlowCase):
      (JSC::Heap::collect): We now set the new limit of bytes that we can allocate before triggering 
      a collection to be the size of the Heap after the previous collection. Thus, we still have our 
      2x allocation amount.
      (JSC::Heap::didAllocate): Notifies the GC activity timer of how many bytes have been allocated 
      thus far and then adds the new number of bytes to the current total.
      (JSC):
      * heap/Heap.h: Removed water mark related stuff.
      (JSC::Heap::notifyIsSafeToCollect):
      (Heap):
      (JSC::Heap::shouldCollect):
      (JSC):
      * heap/MarkedAllocator.cpp: 
      (JSC::MarkedAllocator::tryAllocateHelper): Refactored to use MarkedBlock's new FreeList struct.
      (JSC::MarkedAllocator::allocateSlowCase):
      (JSC::MarkedAllocator::addBlock):
      * heap/MarkedAllocator.h: 
      (MarkedAllocator):
      (JSC::MarkedAllocator::MarkedAllocator):
      (JSC::MarkedAllocator::allocate): 
      (JSC::MarkedAllocator::zapFreeList): Refactored to take in a FreeList instead of a FreeCell.
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::specializedSweep):
      (JSC::MarkedBlock::sweep):
      (JSC::MarkedBlock::sweepHelper):
      (JSC::MarkedBlock::zapFreeList):
      * heap/MarkedBlock.h:
      (FreeList): Added a new struct that keeps track of the current MarkedAllocator's
      free list including the number of bytes of stuff in the free list so that when the free list is 
      exhausted, the correct amount can be reported to Heap.
      (MarkedBlock):
      (JSC::MarkedBlock::FreeList::FreeList):
      (JSC):
      * heap/MarkedSpace.cpp: Removing all water mark related stuff.
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC):
      * heap/WeakSet.cpp:
      (JSC::WeakSet::findAllocator): Refactored to use the didAllocate interface with the Heap. This 
      function still needs work though now that the Heap knows how many bytes have been allocated 
      since the last collection.
      * jit/JITInlineMethods.h: Refactored to use MarkedBlock's new FreeList struct.
      (JSC::JIT::emitAllocateBasicJSObject): Ditto.
      * llint/LowLevelInterpreter.asm: Ditto.
      * runtime/GCActivityCallback.cpp: 
      (JSC::DefaultGCActivityCallback::didAllocate): 
      * runtime/GCActivityCallback.h:
      (JSC::GCActivityCallback::didAllocate): Renamed willAllocate to didAllocate to indicate that 
      the allocation that is being reported has already taken place.
      (DefaultGCActivityCallback):
      * runtime/GCActivityCallbackCF.cpp:
      (JSC):
      (JSC::DefaultGCActivityCallback::didAllocate): Refactored to return early if the amount of 
      allocation since the last collection is not above a threshold (initially arbitrarily chosen to 
      be 128KB). 
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@114698 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      8b5cfd3b
  28. 11 Feb, 2012 1 commit
  29. 10 Feb, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      Split MarkedSpace into destructor and destructor-free subspaces · c2748329
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=77761
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject): Switched over to use destructor-free space.
      * heap/Heap.h:
      (JSC::Heap::allocatorForObjectWithoutDestructor): Added to give clients (e.g. the JIT) the ability to 
      pick which subspace they want to allocate out of.
      (JSC::Heap::allocatorForObjectWithDestructor): Ditto.
      (Heap):
      (JSC::Heap::allocateWithDestructor): Added private function for CellAllocator to use.
      (JSC):
      (JSC::Heap::allocateWithoutDestructor): Ditto.
      * heap/MarkedAllocator.cpp: Added the cellsNeedDestruction flag to allocators so that they can allocate 
      their MarkedBlocks correctly.
      (JSC::MarkedAllocator::allocateBlock):
      * heap/MarkedAllocator.h:
      (JSC::MarkedAllocator::cellsNeedDestruction):
      (MarkedAllocator):
      (JSC::MarkedAllocator::MarkedAllocator):
      (JSC):
      (JSC::MarkedAllocator::init): Replaced custom set functions, which were only used upon initialization, with
      an init function that does all of that stuff in fewer lines.
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::create):
      (JSC::MarkedBlock::recycle):
      (JSC::MarkedBlock::MarkedBlock):
      (JSC::MarkedBlock::callDestructor): Templatized, along with specializedSweep and sweepHelper, to make 
      checking the m_cellsNeedDestructor flag faster and cleaner looking.
      (JSC):
      (JSC::MarkedBlock::specializedSweep):
      (JSC::MarkedBlock::sweep):
      (JSC::MarkedBlock::sweepHelper):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::cellsNeedDestruction):
      (JSC):
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::canonicalizeCellLivenessData):
      (JSC::TakeIfUnmarked::operator()):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (Subspace):
      (JSC::MarkedSpace::allocatorFor): Needed function to differentiate between the two broad subspaces of 
      allocators.
      (JSC):
      (JSC::MarkedSpace::destructorAllocatorFor): Ditto.
      (JSC::MarkedSpace::allocateWithoutDestructor): Ditto.
      (JSC::MarkedSpace::allocateWithDestructor): Ditto.
      (JSC::MarkedSpace::forEachBlock):
      * jit/JIT.h:
      * jit/JITInlineMethods.h: Modified to use the proper allocator for JSFinalObjects and others.
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateJSFinalObject):
      (JSC::JIT::emitAllocateJSFunction):
      * runtime/JSArray.cpp:
      (JSC):
      * runtime/JSArray.h:
      (JSArray):
      (JSC::JSArray::create):
      (JSC):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSCell.h:
      (JSCell):
      (JSC):
      (NeedsDestructor): Template struct that calculates at compile time whether the class in question requires 
      destruction or not using the compiler type trait __has_trivial_destructor. allocateCell then checks this 
      constant to decide whether to allocate in the destructor or destructor-free parts of the heap.
      (JSC::allocateCell): 
      * runtime/JSFunction.cpp:
      (JSC):
      * runtime/JSFunction.h:
      (JSFunction):
      * runtime/JSObject.cpp:
      (JSC):
      * runtime/JSObject.h:
      (JSNonFinalObject):
      (JSC):
      (JSFinalObject):
      (JSC::JSFinalObject::create):
      
      Source/WebCore: 
      
      No new tests.
      
      * bindings/js/JSDOMWindowShell.cpp: Removed old operator new, which was just used in the create
      function so that we can use allocateCell instead.
      (WebCore):
      * bindings/js/JSDOMWindowShell.h:
      (WebCore::JSDOMWindowShell::create):
      (JSDOMWindowShell):
      * bindings/scripts/CodeGeneratorJS.pm: Added destructor back to root JS DOM nodes (e.g. JSNode, etc)
      because their destroy functions need to be called, so we don't want the NeedsDestructor struct to 
      think they don't need destruction due to having empty/trivial destructors.
      Removed ASSERT_HAS_TRIVIAL_DESTRUCTOR from all JS DOM wrapper auto-generated objects because their 
      ancestors now have non-trivial destructors. 
      (GenerateHeader):
      (GenerateImplementation):
      (GenerateConstructorDefinition):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@107445 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c2748329
  30. 03 Feb, 2012 1 commit
  31. 19 Jan, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      Implement a new allocator for backing stores · 5d0b30a2
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=75181
      
      Reviewed by Filip Pizlo.
      
      Source/JavaScriptCore: 
      
      We want to move away from using fastMalloc for the backing stores for 
      some of our objects (e.g. JSArray, JSObject, JSString, etc).  These backing 
      stores have a nice property in that they only have a single owner (i.e. a 
      single pointer to them at any one time).  One way that we can take advantage 
      of this property is to implement a simple bump allocator/copying collector, 
      which will run alongside our normal mark/sweep collector, that only needs to 
      update the single owner pointer rather than having to redirect an arbitrary 
      number of pointers in from-space to to-space.
      
      This plan can give us a number of benefits. We can beat fastMalloc in terms 
      of both performance and memory usage, we can track how much memory we're using 
      far more accurately than our rough estimation now through the use of 
      reportExtraMemoryCost, and we can allocate arbitrary size objects (as opposed 
      to being limited to size classes like we have been historically). This is also 
      another step toward moving away from lazy destruction, which will improve our memory footprint.
      
      We start by creating said allocator and moving the ArrayStorage for JSArray 
      to use it rather than fastMalloc.
      
      The design of the collector is as follows:
      Allocation:
      -The collector allocates 64KB chunks from the OS to use for object allocation.
      -Each chunk contains an offset, a flag indicating if the block has been pinned, 
       and a payload, along with next and prev pointers so that they can be put in DoublyLinkedLists.
      -Any allocation greater than 64KB gets its own separate oversize block, which 
       is managed separately from the rest.
      -If the allocator receives a request for more than the remaining amount in the 
       current block, it grabs a fresh block.
      -Grabbing a fresh block means grabbing one off of the global free list (which is now 
       shared between the mark/sweep allocator and the bump allocator) if there is one. 
       If there isn't a new one we do one of two things: allocate a new block from the OS 
       if we're not ready for a GC yet, or run a GC and then try again. If we still don't 
       have enough space after the GC, we allocate a new block from the OS.
      
      Garbage collection:
      -At the start of garbage collection during conservative stack scanning, if we encounter 
       what appears to be a pointer to a bump-allocated block of memory, we pin that block so 
       that it will not be copied for this round of collection.
      -We also pin any oversize blocks that we encounter, which effectively doubles as a 
       "mark bit" for that block. Any oversize blocks that aren't pinned at the end of copying 
       are given back to the OS.
      -Marking threads are now also responsible for copying bump-allocated objects to newSpace
      -Each marking thread has a private 64KB block into which it copies bump-allocated objects that it encounters.
      -When that block fills up, the marking thread gives it back to the allocator and requests a new one.
      -When all marking has concluded, each thread gives back its copy block, even if it isn't full.
      -At the conclusion of copying (which is done by the end of the marking phase), we un-pin 
       any pinned blocks and give any blocks left in from-space to the global free list.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.gypi:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.vcproj/WTF/WTF.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * heap/AllocationSpace.cpp:
      (JSC::AllocationSpace::allocateSlowCase):
      (JSC::AllocationSpace::allocateBlock):
      (JSC::AllocationSpace::freeBlocks):
      * heap/AllocationSpace.h:
      (JSC::AllocationSpace::waterMark):
      * heap/BumpBlock.h: Added.
      (JSC::BumpBlock::BumpBlock):
      * heap/BumpSpace.cpp: Added.
      (JSC::BumpSpace::tryAllocateSlowCase):
      * heap/BumpSpace.h: Added.
      (JSC::BumpSpace::isInCopyPhase):
      (JSC::BumpSpace::totalMemoryAllocated):
      (JSC::BumpSpace::totalMemoryUtilized):
      * heap/BumpSpaceInlineMethods.h: Added.
      (JSC::BumpSpace::BumpSpace):
      (JSC::BumpSpace::init):
      (JSC::BumpSpace::contains):
      (JSC::BumpSpace::pin):
      (JSC::BumpSpace::startedCopying):
      (JSC::BumpSpace::doneCopying):
      (JSC::BumpSpace::doneFillingBlock):
      (JSC::BumpSpace::recycleBlock):
      (JSC::BumpSpace::getFreshBlock):
      (JSC::BumpSpace::borrowBlock):
      (JSC::BumpSpace::addNewBlock):
      (JSC::BumpSpace::allocateNewBlock):
      (JSC::BumpSpace::fitsInBlock):
      (JSC::BumpSpace::fitsInCurrentBlock):
      (JSC::BumpSpace::tryAllocate):
      (JSC::BumpSpace::tryAllocateOversize):
      (JSC::BumpSpace::allocateFromBlock):
      (JSC::BumpSpace::tryReallocate):
      (JSC::BumpSpace::tryReallocateOversize):
      (JSC::BumpSpace::isOversize):
      (JSC::BumpSpace::isPinned):
      (JSC::BumpSpace::oversizeBlockFor):
      (JSC::BumpSpace::blockFor):
      * heap/ConservativeRoots.cpp:
      (JSC::ConservativeRoots::ConservativeRoots):
      (JSC::ConservativeRoots::genericAddPointer):
      (JSC::ConservativeRoots::add):
      * heap/ConservativeRoots.h:
      * heap/Heap.cpp:
      (JSC::Heap::Heap):
      (JSC::Heap::blockFreeingThreadMain):
      (JSC::Heap::reportExtraMemoryCostSlowCase):
      (JSC::Heap::getConservativeRegisterRoots):
      (JSC::Heap::markRoots):
      (JSC::Heap::collect):
      (JSC::Heap::releaseFreeBlocks):
      * heap/Heap.h:
      (JSC::Heap::waterMark):
      (JSC::Heap::highWaterMark):
      (JSC::Heap::setHighWaterMark):
      (JSC::Heap::tryAllocateStorage):
      (JSC::Heap::tryReallocateStorage):
      * heap/HeapBlock.h: Added.
      (JSC::HeapBlock::HeapBlock):
      * heap/MarkStack.cpp:
      (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
      (JSC::SlotVisitor::drain):
      (JSC::SlotVisitor::drainFromShared):
      (JSC::SlotVisitor::startCopying):
      (JSC::SlotVisitor::allocateNewSpace):
      (JSC::SlotVisitor::copy):
      (JSC::SlotVisitor::copyAndAppend):
      (JSC::SlotVisitor::doneCopying):
      * heap/MarkStack.h:
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::recycle):
      (JSC::MarkedBlock::MarkedBlock):
      * heap/MarkedBlock.h:
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::MarkedSpace):
      * heap/MarkedSpace.h:
      (JSC::MarkedSpace::allocate):
      (JSC::MarkedSpace::forEachBlock):
      (JSC::MarkedSpace::SizeClass::resetAllocator):
      * heap/SlotVisitor.h:
      (JSC::SlotVisitor::SlotVisitor):
      * heap/TinyBloomFilter.h:
      (JSC::TinyBloomFilter::reset):
      * runtime/JSArray.cpp:
      (JSC::JSArray::JSArray):
      (JSC::JSArray::finishCreation):
      (JSC::JSArray::tryFinishCreationUninitialized):
      (JSC::JSArray::~JSArray):
      (JSC::JSArray::enterSparseMode):
      (JSC::JSArray::defineOwnNumericProperty):
      (JSC::JSArray::setLengthWritable):
      (JSC::JSArray::getOwnPropertySlotByIndex):
      (JSC::JSArray::getOwnPropertyDescriptor):
      (JSC::JSArray::putByIndexBeyondVectorLength):
      (JSC::JSArray::deletePropertyByIndex):
      (JSC::JSArray::getOwnPropertyNames):
      (JSC::JSArray::increaseVectorLength):
      (JSC::JSArray::unshiftCountSlowCase):
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::unshiftCount):
      (JSC::JSArray::visitChildren):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sort):
      (JSC::JSArray::compactForSorting):
      (JSC::JSArray::subclassData):
      (JSC::JSArray::setSubclassData):
      (JSC::JSArray::checkConsistency):
      * runtime/JSArray.h:
      (JSC::JSArray::inSparseMode):
      (JSC::JSArray::isLengthWritable):
      * wtf/CheckedBoolean.h: Added.
      (CheckedBoolean::CheckedBoolean):
      (CheckedBoolean::~CheckedBoolean):
      (CheckedBoolean::operator bool):
      * wtf/DoublyLinkedList.h:
      (WTF::::push):
      * wtf/StdLibExtras.h:
      (WTF::isPointerAligned):
      
      Source/JavaScriptGlue: 
      
      Added forwarding header for new CheckedBoolean used in the bump allocator.
      
      * ForwardingHeaders/wtf/CheckedBoolean.h: Added.
      
      Source/WebCore: 
      
      No new tests.
      
      Added forwarding header for new CheckedBoolean used in the bump allocator.
      
      * ForwardingHeaders/wtf/CheckedBoolean.h: Added.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105442 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5d0b30a2
  32. 19 Dec, 2011 1 commit
    • ggaren@apple.com's avatar
      Placement new does an unnecessary NULL check · 215589e0
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=74676
      
      Reviewed by Sam Weinig.
      
      Source/JavaScriptCore: 
      
      We can define our own version, which skips the NULL check.
              
      Not a measurable speedup, but code inspection shows better code generated,
      and I believe this is a step toward turning off -fomit-frame-pointer.
      
      * API/JSCallbackConstructor.h:
      (JSC::JSCallbackConstructor::create):
      * API/JSCallbackFunction.h:
      (JSC::JSCallbackFunction::create): Use the NotNull version of placement
      new to skip the NULL check.
      
      * API/JSCallbackObject.h: Removed a conflicting, unnecessaray placement new.
      
      (JSC::JSCallbackObject::create):
      * debugger/DebuggerActivation.h:
      (JSC::DebuggerActivation::create):
      * heap/HandleHeap.cpp:
      (JSC::HandleHeap::grow):
      * heap/HandleHeap.h:
      (JSC::HandleHeap::allocate):
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::create):
      (JSC::MarkedBlock::recycle):
      * jit/JITCode.h:
      (JSC::JITCode::clear):
      * jsc.cpp:
      (GlobalObject::create):
      * profiler/CallIdentifier.h:
      * runtime/Arguments.h:
      (JSC::Arguments::create):
      * runtime/ArrayConstructor.h:
      (JSC::ArrayConstructor::create):
      * runtime/ArrayPrototype.h:
      (JSC::ArrayPrototype::create):
      * runtime/BooleanConstructor.h:
      (JSC::BooleanConstructor::create):
      * runtime/BooleanObject.h:
      (JSC::BooleanObject::create):
      * runtime/BooleanPrototype.h:
      (JSC::BooleanPrototype::create):
      * runtime/DateConstructor.h:
      (JSC::DateConstructor::create):
      * runtime/DateInstance.h:
      (JSC::DateInstance::create):
      * runtime/DatePrototype.h:
      (JSC::DatePrototype::create):
      * runtime/Error.h:
      (JSC::StrictModeTypeErrorFunction::create):
      * runtime/ErrorConstructor.h:
      (JSC::ErrorConstructor::create):
      * runtime/ErrorInstance.h:
      (JSC::ErrorInstance::create):
      * runtime/ErrorPrototype.h:
      (JSC::ErrorPrototype::create):
      * runtime/ExceptionHelpers.h:
      (JSC::InterruptedExecutionError::create):
      (JSC::TerminatedExecutionError::create):
      * runtime/Executable.h:
      (JSC::NativeExecutable::create):
      (JSC::EvalExecutable::create):
      (JSC::ProgramExecutable::create):
      (JSC::FunctionExecutable::create):
      * runtime/FunctionConstructor.h:
      (JSC::FunctionConstructor::create):
      * runtime/FunctionPrototype.h:
      (JSC::FunctionPrototype::create):
      * runtime/GetterSetter.h:
      (JSC::GetterSetter::create):
      * runtime/JSAPIValueWrapper.h:
      (JSC::JSAPIValueWrapper::create):
      * runtime/JSActivation.h:
      (JSC::JSActivation::create):
      * runtime/JSArray.h:
      (JSC::JSArray::create):
      * runtime/JSBoundFunction.cpp:
      (JSC::JSBoundFunction::create):
      * runtime/JSByteArray.h:
      (JSC::JSByteArray::create): Use the NotNull version of placement
      new to skip the NULL check.
      
      * runtime/JSCell.h: Removed a conflicting, unnecessaray placement new.
      
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::create):
      * runtime/JSFunction.h:
      (JSC::JSFunction::create):
      * runtime/JSGlobalObject.h:
      (JSC::JSGlobalObject::create):
      * runtime/JSGlobalThis.h:
      (JSC::JSGlobalThis::create):
      * runtime/JSNotAnObject.h:
      (JSC::JSNotAnObject::create):
      * runtime/JSONObject.h:
      (JSC::JSONObject::create):
      * runtime/JSObject.h:
      (JSC::JSFinalObject::create):
      * runtime/JSPropertyNameIterator.cpp:
      (JSC::JSPropertyNameIterator::create):
      * runtime/JSPropertyNameIterator.h:
      (JSC::JSPropertyNameIterator::create):
      * runtime/JSStaticScopeObject.h:
      (JSC::JSStaticScopeObject::create):
      * runtime/JSString.cpp:
      (JSC::StringObject::create):
      * runtime/JSString.h:
      (JSC::RopeBuilder::createNull):
      (JSC::RopeBuilder::create):
      (JSC::RopeBuilder::createHasOtherOwner):
      * runtime/MathObject.h:
      (JSC::MathObject::create):
      * runtime/NativeErrorConstructor.h:
      (JSC::NativeErrorConstructor::create):
      * runtime/NativeErrorPrototype.h:
      (JSC::NativeErrorPrototype::create):
      * runtime/NumberConstructor.h:
      (JSC::NumberConstructor::create):
      * runtime/NumberObject.h:
      (JSC::NumberObject::create):
      * runtime/NumberPrototype.h:
      (JSC::NumberPrototype::create):
      * runtime/ObjectConstructor.h:
      (JSC::ObjectConstructor::create):
      * runtime/ObjectPrototype.h:
      (JSC::ObjectPrototype::create):
      * runtime/RegExp.cpp:
      (JSC::RegExp::createWithoutCaching):
      * runtime/RegExpConstructor.h:
      (JSC::RegExpConstructor::create):
      * runtime/RegExpMatchesArray.h:
      (JSC::RegExpMatchesArray::create):
      * runtime/RegExpObject.h:
      (JSC::RegExpObject::create):
      * runtime/RegExpPrototype.h:
      (JSC::RegExpPrototype::create):
      * runtime/ScopeChain.h:
      (JSC::ScopeChainNode::create):
      * runtime/StrictEvalActivation.h:
      (JSC::StrictEvalActivation::create):
      * runtime/StringConstructor.h:
      (JSC::StringConstructor::create):
      * runtime/StringObject.h:
      (JSC::StringObject::create):
      * runtime/StringPrototype.h:
      (JSC::StringPrototype::create):
      * runtime/Structure.h:
      (JSC::Structure::create):
      (JSC::Structure::createStructure):
      * runtime/StructureChain.h:
      (JSC::StructureChain::create):
      * testRegExp.cpp:
      (GlobalObject::create):
      * wtf/BitVector.cpp:
      (WTF::BitVector::OutOfLineBits::create): Use the NotNull version of placement
      new to skip the NULL check.
      
      * wtf/BumpPointerAllocator.h:
      (WTF::BumpPointerPool::create): Standardized spacing to make grep easier.
      
      * wtf/ByteArray.cpp:
      (WTF::ByteArray::create):
      * wtf/Deque.h:
      (WTF::::append):
      (WTF::::prepend): Use NotNull, as above.
      
      * wtf/FastAllocBase.h: Added a placement new, since this class would otherwise
      hide the name of the global placement new.
      
      (WTF::fastNew): Standardized spacing. Most of these functions don't need
      NotNull, since they check for NULL, and the optimizer can see that.
      
      * wtf/HashTable.h:
      * wtf/HashTraits.h:
      (WTF::SimpleClassHashTraits::constructDeletedValue):
      * wtf/MetaAllocator.cpp:
      (WTF::MetaAllocator::allocFreeSpaceNode): NotNull, as above.
      
      * wtf/StdLibExtras.h:
      (throw): This is our NotNull placement new. Declaring that we throw is
      the C++ way to say that operator new will not return NULL.
      
      * wtf/ThreadSpecific.h:
      (WTF::T):
      * wtf/Vector.h:
      (WTF::::append):
      (WTF::::tryAppend):
      (WTF::::uncheckedAppend):
      (WTF::::insert):
      * wtf/text/AtomicStringHash.h:
      * wtf/text/StringImpl.cpp:
      (WTF::StringImpl::createUninitialized):
      (WTF::StringImpl::reallocate):
      * wtf/text/StringImpl.h:
      (WTF::StringImpl::tryCreateUninitialized):
      * wtf/text/StringStatics.cpp:
      (WTF::AtomicString::init): Use NotNull, as above.
      
      * yarr/YarrInterpreter.cpp:
      (JSC::Yarr::Interpreter::allocDisjunctionContext):
      (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
      (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext): Standardized
      spacing for easy grep.
      
      Source/WebCore: 
      
      * bindings/js/JSImageConstructor.h:
      (WebCore::JSImageConstructor::create):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateHeader):
      (GenerateConstructorDeclaration):
      * bridge/c/CRuntimeObject.h:
      (JSC::Bindings::CRuntimeObject::create):
      * bridge/c/c_instance.cpp:
      (JSC::Bindings::CRuntimeMethod::create):
      * bridge/jni/jsc/JavaInstanceJSC.cpp:
      (JavaRuntimeMethod::create):
      * bridge/jni/jsc/JavaRuntimeObject.h:
      (JSC::Bindings::JavaRuntimeObject::create):
      * bridge/objc/ObjCRuntimeObject.h:
      (JSC::Bindings::ObjCRuntimeObject::create):
      * bridge/objc/objc_instance.mm:
      (ObjCRuntimeMethod::create):
      * bridge/objc/objc_runtime.h:
      (JSC::Bindings::ObjcFallbackObjectImp::create):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::create):
      * bridge/runtime_method.h:
      (JSC::RuntimeMethod::create):
      * bridge/runtime_object.h:
      (JSC::Bindings::RuntimeObject::create):
      * dom/Document.h:
      (WebCore::FormElementKeyHashTraits::constructDeletedValue): Use NotNull
      placement new, as in JavaScriptCore.
      
      * platform/PODArena.h:
      (WebCore::PODArena::allocateObject): No need to check for NULL explicitly,
      since that's the built-in behavior of placement new.
      
      * platform/graphics/FontCache.cpp:
      (WebCore::FontDataCacheKeyTraits::constructDeletedValue):
      * platform/graphics/IntRectHash.h:
      * platform/graphics/IntSizeHash.h: More NotNull.
      
      * rendering/RenderObject.h: Declaring that we throw is the C++ way to say
      that operator new will not return NULL.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@103243 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      215589e0
  33. 16 Dec, 2011 1 commit
    • mhahnenberg@apple.com's avatar
      De-virtualize destructors · c58d54d7
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=74331
      
      Reviewed by Geoffrey Garen.
      
      .: 
      
      * Source/autotools/symbols.filter: Removed symbol no longer present.
      
      Source/JavaScriptCore: 
      
      This is a megapatch which frees us from the chains of virtual destructors.
      
      In order to remove the virtual destructors, which are the last of the virtual 
      functions, from the JSCell hierarchy, we need to add the ClassInfo pointer to 
      the cell rather than to the structure because in order to be able to lazily call 
      the static destroy() functions that will replace the virtual destructors, we 
      need to be able to access the ClassInfo without the danger of the object's 
      Structure being collected before the object itself.
      
      After adding the ClassInfo to the cell, we can then begin to remove our use 
      of vptrs for optimizations within the JIT and the GC.  When we have removed 
      all of the stored vptrs from JSGlobalData, we can then also remove all of 
      the related VPtrStealingHack code.
      
      The replacement for virtual destructors will be to add a static destroy function 
      pointer to the MethodTable stored in ClassInfo.  Any subclass of JSCell that has 
      a non-trivial destructor will require its own static destroy function to static 
      call its corresponding destructor, which will now be non-virtual.  In future 
      patches we will slowly move away from destructors altogether as we make more and 
      more objects backed by GC memory rather than malloc-ed memory.  The GC will now 
      call the static destroy method rather than the virtual destructor.
      
      As we go through the hierarchy and add static destroy functions to classes, 
      we will also add a new assert, ASSERT_HAS_TRIVIAL_DESTRUCTOR, to those classes 
      to which it applies.  The future goal is to eventually have every class have that assert.
      
      * API/JSCallbackConstructor.cpp:
      (JSC::JSCallbackConstructor::destroy): Add a destroy function to statically call 
      ~JSCallbackConstructor because it has some extra destruction logic.
      * API/JSCallbackConstructor.h:
      * API/JSCallbackFunction.cpp: Add trivial destructor assert for JSCallbackFunction.
      * API/JSCallbackObject.cpp: Add a destroy function to statically call ~JSCallbackObject 
      because it has a member OwnPtr that needs destruction.
      (JSC::::destroy):
      * API/JSCallbackObject.h:
      * JavaScriptCore.exp: Add/remove necessary symbols for JSC.
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Same for Windows symbols.
      * debugger/DebuggerActivation.cpp: DebuggerActivation, for some strange reason, didn't 
      have its own ClassInfo despite the fact that it overrides a number of MethodTable 
      methods.  Added the ClassInfo, along with an assertion that its destructor is trivial.
      * debugger/DebuggerActivation.h:
      * dfg/DFGOperations.cpp: Remove global data first argument to isJSArray, isJSByteArray, 
      isJSString, as it is no longer necessary.
      (JSC::DFG::putByVal):
      * dfg/DFGRepatch.cpp:  Ditto.  Also remove uses of jsArrayVPtr in favor of using the 
      JSArray ClassInfo pointer.
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:  Replace uses of the old vptrs with new ClassInfo 
      comparisons since we don't have vptrs anymore.
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
      (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      * dfg/DFGSpeculativeJIT.h: Ditto.
      (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
      * dfg/DFGSpeculativeJIT32_64.cpp: Ditto.
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp: Ditto.
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * heap/Heap.cpp: Remove all uses of vptrs in GC optimizations and replace them with 
      ClassInfo comparisons.
      (JSC::Heap::Heap):
      * heap/MarkStack.cpp: Ditto.
      (JSC::MarkStackThreadSharedData::markingThreadMain):
      (JSC::visitChildren):
      (JSC::SlotVisitor::drain):
      * heap/MarkStack.h: Ditto.
      (JSC::MarkStack::MarkStack):
      * heap/MarkedBlock.cpp: Ditto.
      (JSC::MarkedBlock::callDestructor):
      (JSC::MarkedBlock::specializedSweep):
      * heap/MarkedBlock.h: Ditto.
      * heap/SlotVisitor.h: Ditto.
      (JSC::SlotVisitor::SlotVisitor):
      * heap/VTableSpectrum.cpp: Now that we don't have vptrs, we can't count them.  
      We'll have to rename this class and make it use ClassInfo ptrs in a future patch.
      (JSC::VTableSpectrum::count):
      * interpreter/Interpreter.cpp: Remove all global data arguments from isJSArray, 
      etc. functions.
      (JSC::loadVarargs):
      (JSC::Interpreter::tryCacheGetByID):
      (JSC::Interpreter::privateExecute):
      * jit/JIT.h: Remove vptr argument from emitAllocateBasicJSObject 
      * jit/JITInlineMethods.h: Remove vptr planting, and add ClassInfo planting, 
      remove all vtable related code.
      (JSC::JIT::emitLoadCharacterString):
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateJSFinalObject):
      (JSC::JIT::emitAllocateJSFunction):
      * jit/JITOpcodes.cpp: Replace vptr related branch code with corresponding ClassInfo.
      (JSC::JIT::privateCompileCTIMachineTrampolines):
      (JSC::JIT::emit_op_to_primitive):
      (JSC::JIT::emit_op_convert_this):
      * jit/JITOpcodes32_64.cpp: Ditto.
      (JSC::JIT::privateCompileCTIMachineTrampolines):
      (JSC::JIT::emit_op_to_primitive):
      (JSC::JIT::emitSlow_op_eq):
      (JSC::JIT::emitSlow_op_neq):
      (JSC::JIT::compileOpStrictEq):
      (JSC::JIT::emit_op_convert_this):
      * jit/JITPropertyAccess.cpp: Ditto.
      (JSC::JIT::stringGetByValStubGenerator):
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitSlow_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::privateCompilePutByIdTransition):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp: Ditto.
      (JSC::JIT::stringGetByValStubGenerator):
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitSlow_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITStubs.cpp: Remove global data argument from isJSString, etc.
      (JSC::JITThunks::tryCacheGetByID):
      (JSC::DEFINE_STUB_FUNCTION):
      * jit/SpecializedThunkJIT.h: Replace vptr related stuff with ClassInfo stuff.
      (JSC::SpecializedThunkJIT::loadJSStringArgument):
      * runtime/ArrayConstructor.cpp: Add trivial destructor assert.
      * runtime/ArrayPrototype.cpp: Remove global data argument from isJSArray.
      (JSC::arrayProtoFuncToString):
      (JSC::arrayProtoFuncJoin):
      (JSC::arrayProtoFuncPop):
      (JSC::arrayProtoFuncPush):
      (JSC::arrayProtoFuncShift):
      (JSC::arrayProtoFuncSplice):
      (JSC::arrayProtoFuncUnShift):
      (JSC::arrayProtoFuncFilter):
      (JSC::arrayProtoFuncMap):
      (JSC::arrayProtoFuncEvery):
      (JSC::arrayProtoFuncForEach):
      (JSC::arrayProtoFuncSome):
      (JSC::arrayProtoFuncReduce):
      (JSC::arrayProtoFuncReduceRight):
      * runtime/BooleanConstructor.cpp: Add trivial destructor assert.
      * runtime/BooleanObject.cpp: Ditto.
      * runtime/BooleanPrototype.cpp: Ditto.
      * runtime/ClassInfo.h: Add destroy function pointer to MethodTable.
      * runtime/DateConstructor.cpp: Add trivial destructor assert.
      * runtime/DateInstance.cpp: Add destroy function for DateInstance because it has a RefPtr 
      that needs destruction.
      (JSC::DateInstance::destroy):
      * runtime/DateInstance.h:
      * runtime/Error.cpp: Ditto (because of UString member).
      (JSC::StrictModeTypeErrorFunction::destroy):
      * runtime/Error.h:
      * runtime/ErrorConstructor.cpp: Add trivial destructor assert.
      * runtime/ErrorInstance.cpp: Ditto.
      * runtime/ExceptionHelpers.cpp: Ditto.
      * runtime/Executable.cpp: Add destroy functions for ExecutableBase and subclasses.
      (JSC::ExecutableBase::destroy):
      (JSC::NativeExecutable::destroy):
      (JSC::ScriptExecutable::destroy):
      (JSC::EvalExecutable::destroy):
      (JSC::ProgramExecutable::destroy):
      (JSC::FunctionExecutable::destroy):
      * runtime/Executable.h:
      * runtime/FunctionConstructor.cpp: Add trivial destructor assert.
      * runtime/FunctionPrototype.cpp: Ditto. Also remove global data first arg from isJSArray.
      (JSC::functionProtoFuncApply):
      * runtime/GetterSetter.cpp: Ditto.
      * runtime/InitializeThreading.cpp: Remove call to JSGlobalData::storeVPtrs since it no 
      longer exists.
      (JSC::initializeThreadingOnce):
      * runtime/InternalFunction.cpp: Remove vtableAnchor function, add trivial destructor assert, 
      remove first arg from isJSString.
      (JSC::InternalFunction::displayName):
      * runtime/InternalFunction.h: Remove VPtrStealingHack.
      * runtime/JSAPIValueWrapper.cpp: Add trivial destructor assert.
      * runtime/JSArray.cpp: Add static destroy to call ~JSArray.  Replace vptr checks in 
      destructor with ClassInfo checks.
      (JSC::JSArray::~JSArray):
      (JSC::JSArray::destroy):
      * runtime/JSArray.h: Remove VPtrStealingHack.  Remove globalData argument from isJSArray 
      and change them to check the ClassInfo rather than the vptrs.
      (JSC::isJSArray):
      * runtime/JSBoundFunction.cpp: Add trival destructor assert. Remove first arg from isJSArray.
      (JSC::boundFunctionCall):
      (JSC::boundFunctionConstruct):
      * runtime/JSByteArray.cpp: Add static destroy function, replace vptr checks with ClassInfo checks.
      (JSC::JSByteArray::~JSByteArray):
      (JSC::JSByteArray::destroy):
      * runtime/JSByteArray.h: Remove VPtrStealingHack code.
      (JSC::isJSByteArray):
      * runtime/JSCell.cpp: Add trivial destructor assert.  Add static destroy function.
      (JSC::JSCell::destroy):
      * runtime/JSCell.h: Remove VPtrStealingHack code.  Add function for returning the offset 
      of the ClassInfo pointer in the object for use by the JIT.  Add the ClassInfo pointer to 
      the JSCell itself, and grab it from the Structure.  Remove the vptr and setVPtr functions, 
      as they are no longer used.  Add a validatedClassInfo function to JSCell for any clients 
      that want to verify, while in Debug mode, that the ClassInfo contained in the cell is the 
      same one as that contained in the Structure.  This isn't used too often, because most of 
      the places where we compare the ClassInfo to things can be called during destruction.  
      Since the Structure is unreliable during the phase when destructors are being called, 
      we can't call validatedClassInfo.
      (JSC::JSCell::classInfoOffset):
      (JSC::JSCell::structure):
      (JSC::JSCell::classInfo):
      * runtime/JSFunction.cpp: Remove VPtrStealingHack code.  Add static destroy, remove vtableAnchor, 
      remove first arg from call to isJSString.
      (JSC::JSFunction::destroy):
      (JSC::JSFunction::displayName):
      * runtime/JSFunction.h: 
      * runtime/JSGlobalData.cpp: Remove all VPtr stealing code and storage, including storeVPtrs, 
      as these vptrs are no longer needed in the codebase.
      * runtime/JSGlobalData.h:
      (JSC::TypedArrayDescriptor::TypedArrayDescriptor): Changed the TypedArrayDescriptor to use 
      ClassInfo rather than the vptr.
      * runtime/JSGlobalObject.cpp: Add static destroy function.
      (JSC::JSGlobalObject::destroy):
      * runtime/JSGlobalObject.h:
      * runtime/JSGlobalThis.cpp: Add trivial destructor assert.
      * runtime/JSNotAnObject.cpp: Ditto.
      * runtime/JSONObject.cpp: Ditto. Remove first arg from isJSArray calls.
      (JSC::Stringifier::Holder::appendNextProperty):
      (JSC::Walker::walk):
      * runtime/JSObject.cpp: 
      (JSC::JSFinalObject::destroy):
      (JSC::JSNonFinalObject::destroy):
      (JSC::JSObject::destroy):
      * runtime/JSObject.h: Add trivial destructor assert for JSObject, remove vtableAnchor 
      from JSNonFinalObject and JSFinalObject, add static destroy for JSFinalObject and 
      JSNonFinalObject, add isJSFinalObject utility function similar to isJSArray, remove all VPtrStealingHack code.
      (JSC::JSObject::finishCreation):
      (JSC::JSNonFinalObject::finishCreation):
      (JSC::JSFinalObject::finishCreation):
      (JSC::isJSFinalObject):
      * runtime/JSPropertyNameIterator.cpp: Add static destroy.
      (JSC::JSPropertyNameIterator::destroy):
      * runtime/JSPropertyNameIterator.h:
      * runtime/JSStaticScopeObject.cpp: Ditto.
      (JSC::JSStaticScopeObject::destroy):
      * runtime/JSStaticScopeObject.h: Ditto. 
      * runtime/JSString.cpp:
      (JSC::JSString::destroy):
      * runtime/JSString.h: Ditto. Remove VPtrStealingHack code. Also remove fixupVPtr code, 
      since we no longer need to fixup vptrs.
      (JSC::jsSingleCharacterString):
      (JSC::jsSingleCharacterSubstring):
      (JSC::jsNontrivialString):
      (JSC::jsString):
      (JSC::jsSubstring8):
      (JSC::jsSubstring):
      (JSC::jsOwnedString):
      (JSC::jsStringBuilder):
      (JSC::isJSString):
      * runtime/JSVariableObject.cpp: 
      (JSC::JSVariableObject::destroy):
      * runtime/JSVariableObject.h: Ditto.
      * runtime/JSWrapperObject.cpp:
      * runtime/JSWrapperObject.h: Add trivial destructor assert.
      * runtime/MathObject.cpp: Ditto.
      * runtime/NativeErrorConstructor.cpp: Ditto.
      * runtime/NumberConstructor.cpp: Ditto.
      * runtime/NumberObject.cpp: Ditto.
      * runtime/NumberPrototype.cpp: Ditto.
      * runtime/ObjectConstructor.cpp: Ditto.
      * runtime/ObjectPrototype.cpp: Ditto.
      * runtime/Operations.h: Remove calls to fixupVPtr, remove first arg to isJSString.
      (JSC::jsString):
      (JSC::jsLess):
      (JSC::jsLessEq):
      * runtime/RegExp.cpp: Add static destroy.
      (JSC::RegExp::destroy):
      * runtime/RegExp.h:
      * runtime/RegExpConstructor.cpp: Add static destroy for RegExpConstructor and RegExpMatchesArray.
      (JSC::RegExpConstructor::destroy):
      (JSC::RegExpMatchesArray::destroy):
      * runtime/RegExpConstructor.h:
      * runtime/RegExpMatchesArray.h:
      * runtime/RegExpObject.cpp: Add static destroy.
      (JSC::RegExpObject::destroy):
      * runtime/RegExpObject.h:
      * runtime/ScopeChain.cpp: Add trivial destructor assert.
      * runtime/ScopeChain.h:
      * runtime/StrictEvalActivation.cpp: Ditto.
      * runtime/StringConstructor.cpp:
      * runtime/StringObject.cpp: Ditto. Remove vtableAnchor.
      * runtime/StringObject.h:
      * runtime/StringPrototype.cpp: Ditto.
      * runtime/Structure.cpp: Add static destroy.
      (JSC::Structure::destroy):
      * runtime/Structure.h: Move JSCell::finishCreation and JSCell constructor into Structure.h 
      because they need to have the full Structure type to access the ClassInfo to store in the JSCell.
      (JSC::JSCell::setStructure):
      (JSC::JSCell::validatedClassInfo):
      (JSC::JSCell::JSCell):
      (JSC::JSCell::finishCreation):
      * runtime/StructureChain.cpp: Add static destroy.
      (JSC::StructureChain::destroy):
      * runtime/StructureChain.h:
      * wtf/Assertions.h: Add new assertion ASSERT_HAS_TRIVIAL_DESTRUCTOR, which uses clangs 
      ability to tell us when a class has a trivial destructor. We will use this assert 
      more in future patches as we move toward having all JSC objects backed by GC memory, 
      which means moving away from using destructors/finalizers.
      
      Source/JavaScriptGlue: 
      
      * UserObjectImp.cpp: Add static destroy function.
      (UserObjectImp::destroy):
      * UserObjectImp.h:
      
      Source/WebCore: 
      
      No new tests.
      
      Doing everything here that was done to the JSCell hierarchy in JavaScriptCore. 
      See the ChangeLog for this commit for a more in-depth description.
      
      * WebCore.exp.in: Add/remove symbols.
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp: Remove first arg from isJSArray call.
      (WebCore::JSCanvasRenderingContext2D::setWebkitLineDash):
      * bindings/js/JSDOMBinding.cpp: Add trival destructor assert for DOMConstructorObject 
      and DOMConstructorWithDocument.
      * bindings/js/JSDOMGlobalObject.cpp: Add static destroy.  Add implementation for 
      scriptExecutionContext that dispatches to different functions in subclasses 
      depending on our current ClassInfo.  We do this so that we can get rid of the 
      virtual-ness of scriptExecutionContext, because any virtual functions will throw 
      off the layout of the object and we'll crash at runtime.
      (WebCore::JSDOMGlobalObject::destroy):
      (WebCore::JSDOMGlobalObject::scriptExecutionContext):
      * bindings/js/JSDOMGlobalObject.h:
      * bindings/js/JSDOMWindowBase.cpp: Add static destroy.
      (WebCore::JSDOMWindowBase::destroy):
      * bindings/js/JSDOMWindowBase.h: De-virtualize scriptExecutionContext.
      * bindings/js/JSDOMWindowShell.cpp: Add static destroy.
      (WebCore::JSDOMWindowShell::destroy):
      * bindings/js/JSDOMWindowShell.h:
      * bindings/js/JSDOMWrapper.cpp: Add trivial destructor assert.
      * bindings/js/JSDOMWrapper.h: Add a ClassInfo to JSDOMWrapper since it now overrides 
      a MethodTable function. Remove vtableAnchor virtual function.
      * bindings/js/JSImageConstructor.cpp: Add trivial destructor assert.
      * bindings/js/JSNodeCustom.cpp: Change implementation of pushEventHandlerScope so that 
      it dispatches to the correct function depending on the 
      identity of the class as specified by the ClassInfo.  
      See JSDOMGlobalObject::scriptExecutionContext for explanation.
      (WebCore::JSNode::pushEventHandlerScope):
      * bindings/js/JSWebSocketCustom.cpp: Remove first arg to isJSArray call.
      (WebCore::JSWebSocketConstructor::constructJSWebSocket):
      * bindings/js/JSWorkerContextBase.cpp: Add static destroy.
      (WebCore::JSWorkerContextBase::destroy):
      * bindings/js/JSWorkerContextBase.h: 
      * bindings/js/ScriptValue.cpp: Remove first arg to isJSArray call.
      (WebCore::jsToInspectorValue): 
      * bindings/js/SerializedScriptValue.cpp: Ditto.
      (WebCore::CloneSerializer::isArray):
      (WebCore::CloneSerializer::getSparseIndex):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateHeader): Remove virtual-ness of any custom pushEventHandlerScope (see 
      JSNodeCustom::pushEventHandlerScope for explanation).  Remove virtual toBoolean 
      for anybody who masquerades as undefined, since our JSObject implementation handles 
      this based on the TypeInfo in the Structure. Add trivial destructor assert for any 
      class other than DOMWindow or WorkerContexts.
      (GenerateImplementation): Change ClassInfo definitions to use Base::s_info, since 
      typing the parent class more than once is duplication of information and increases 
      the likelihood of mistakes.  Pass ClassInfo to TypeArrayDescriptors instead of vptr. 
      (GenerateConstructorDefinition): Add trivial destructor assert for all generated constructors.
      * bridge/c/CRuntimeObject.cpp: Remove empty virtual destructor.
      * bridge/c/CRuntimeObject.h: 
      * bridge/jni/jsc/JavaRuntimeObject.cpp: Ditto.
      * bridge/jni/jsc/JavaRuntimeObject.h: 
      * bridge/objc/ObjCRuntimeObject.h: Ditto.
      * bridge/objc/ObjCRuntimeObject.mm:
      * bridge/objc/objc_runtime.h: Add static destroy for ObjcFallbackObjectImp. De-virtualize 
      toBoolean in the short term.  Need longer term fix.
      * bridge/objc/objc_runtime.mm:
      (JSC::Bindings::ObjcFallbackObjectImp::destroy):
      * bridge/qt/qt_runtime.cpp: Add static destroy to QtRuntimeMethod.
      (JSC::Bindings::QtRuntimeMethod::destroy):
      * bridge/qt/qt_runtime.h: De-virtualize ~QtRuntimeMethod.
      * bridge/runtime_array.cpp: De-virtualize destructor. Add static destroy.
      (JSC::RuntimeArray::destroy):
      * bridge/runtime_array.h:
      * bridge/runtime_method.cpp: Remove vtableAnchor. Add static destroy.
      (JSC::RuntimeMethod::destroy):
      * bridge/runtime_method.h:
      * bridge/runtime_object.cpp: Add static destroy.
      (JSC::Bindings::RuntimeObject::destroy):
      * bridge/runtime_object.h:
      
      Source/WebKit/mac: 
      
      * Plugins/Hosted/ProxyRuntimeObject.h: Remove empty virtual destructor.
      * Plugins/Hosted/ProxyRuntimeObject.mm:
      
      Source/WebKit2: 
      
      * WebProcess/Plugins/Netscape/JSNPMethod.cpp: Add trivial destructor assert.
      * WebProcess/Plugins/Netscape/JSNPObject.cpp: Add static destroy.
      (WebKit::JSNPObject::destroy):
      * WebProcess/Plugins/Netscape/JSNPObject.h:
      * win/WebKit2.def: Add/remove necessary symbols.
      * win/WebKit2CFLite.def: Ditto.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@103083 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c58d54d7
  34. 06 Dec, 2011 1 commit
    • fpizlo@apple.com's avatar
      Zapping a block that is Marked leads to dead objects being mistaken for live ones · 748d4ca3
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=73982
      
      Reviewed by Geoff Garen.
              
      Changed the zapping code to ignore blocks that are Marked or Zapped. Additionally,
      the code asserts that:
              
      - If we zap a Marked or Zapped block then the free list is empty, because this
        can only happen if the block was never free-listed.
                
      - Zapping can only happen for Marked, Zapped, or FreeListed blocks, since Allocated
        blocks are those that cannot be referred to by SizeClass::currentBlock (since
        SizeClass::currentBlock only refers to blocks that are candidates for allocation,
        and Allocated blocks are those who have been exhausted by allocation and will not
        be allocated from again), and New blocks cannot be referred to by anything except
        during a brief window inside the allocation slow-path.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::zapFreeList):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@102220 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      748d4ca3
  35. 21 Oct, 2011 1 commit
    • mhahnenberg@apple.com's avatar
      Add finalizer to JSObject · 1f60e7ad
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=70336
      
      Reviewed by Darin Adler.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::callDestructor): Skip the call to the destructor 
      if we're a JSFinalObject, since the finalizer takes care of things.
      * runtime/JSCell.h:
      (JSC::JSCell::~JSCell): Remove the GC validation due to a conflict with 
      future changes and the fact that we no longer always call the destructor, making 
      the information provided less useful.
      * runtime/JSObject.cpp:
      (JSC::JSObject::finalize): Add finalizer for JSObject.
      (JSC::JSObject::allocatePropertyStorage): The first time we need to allocate out-of-line
      property storage, we add a finalizer to ourself.
      * runtime/JSObject.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@98123 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1f60e7ad
  36. 24 Sep, 2011 1 commit
    • ggaren@apple.com's avatar
      Some Windows build fixage. · feddf01d
      ggaren@apple.com authored
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::sweep):
      * heap/MarkedBlock.h:
      (JSC::MarkedBlock::isLive): Show the compiler that all control paths
      return a value. There, there, compiler. Everything's going to be OK.
      
      * runtime/JSCell.h:
      (JSC::JSCell::setVPtr): Oops! Unrename this function.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95914 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      feddf01d